Your World of Legal Intelligence
 United States | 1-800-335-6202

Credit unions: Affiliate information sharing provisions; compliance,

As Enacted ( Federal Register) Cited authorities 12 Cited in Related
Vincent

[Federal Register: October 26, 2000 (Volume 65, Number 208)]

[Proposed Rules]

[Page 64168-64176]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr26oc00-17]

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 706

Credit Practices

AGENCY: National Credit Union Administration.

ACTION: Notice of proposed rulemaking.

SUMMARY: The National Credit Union Administration (NCUA) is publishing for comment proposed regulations implementing provisions of the Fair Credit Reporting Act (FCRA) that permit federal credit unions (FCUs) to communicate information to their affiliates (affiliate information sharing) without incurring the obligations of consumer reporting agencies. The proposed regulations explain how to comply with the affiliate information sharing provisions, addressing such matters as the content and delivery of the notice to consumers. The proposed regulations also implement certain related provisions. NCUA participated as part of an interagency group composed of representatives from the Board of Governors of the Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency and the Office of Thrift Supervision (collectively, the Agencies). NCUA's proposed rule is therefore comparable to the proposed rules filedjointly by the Agencies, but takes into account the unique circumstances of federal credit unions and their members. NCUA has attempted to conform these proposed regulations to the final regulations implementing the privacy provisions of the Gramm-Leach- Bliley Act.

DATES: Written comments must be received by the NCUA on or before December 26, 2000.

ADDRESSES: Direct comments to Becky Baker, Secretary of the Board. Mail or hand-deliver comments to: National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428. You may also fax comments to (703) 518-6319. Please send comments by one method only.

FOR FURTHER INFORMATION CONTACT: Chrisanthy J. Loizos, Staff Attorney, Division of Operations, Office of General Counsel, at the above address or telephone: (703) 518-6540.

SUPPLEMENTARY INFORMATION:

  1. Background

    The FCRA

    The FCRA, enacted in 1970, sets standards for the collection, communication, and use of information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. 15 U.S.C. 1681-1681u. In 1996, the Consumer Credit Reporting Reform Act amended the FCRA extensively (1996 Amendments). Pub. L. 104-208, 110 Stat. 3009.

    For many years, to avoid the obligations of consumer reporting agencies imposed by the FCRA, many financial institutions avoided making any communications to affiliates of consumer information that could constitute consumer reports.\1\ The 1996 Amendments, however, excluded specified types of information sharing with affiliates from the definition of ``consumer report'' assuring financial institutions that making these communications would not expose them to the obligations of consumer reporting agencies. In particular, the 1996 Amendments excluded from the definition of ``consumer report'' the sharing of ``other information'' among affiliates, so long as the consumer, having been given notice and an opportunity to opt out, did not opt out. ``Other information'' refers to information that is covered by the FCRA and that is not a report containing information solely as to transactions or experiences between the consumer and the person making the report.

    \1\ The FCRA creates substantial obligations for ``consumer reporting agencies.'' FCRA, section 603(f); see, e.g., sections 607, 611. These obligations include furnishing consumer reports only for permissible purposes, maintaining high standards for ensuring the accuracy of information in consumer reports, resolving customer disputes, and other matters.

    The 1996 Amendments prohibited the NCUA and the Agencies from issuing implementing regulations. 15 U.S.C. 1681s(a)(4) (repealed). The Gramm-Leach-Bliley Act (GLBA) repealed this prohibition and directed the Board to prescribe regulations as necessary to carry out the purposes of FCRA with respect to FCUs. Pub. L. 106-102 Sec. 506, 15 U.S.C. 1681s(e)(2).

    NCUA's proposed rule and a large portion of the preamble mirror the Agencies' joint notice of proposed rulemaking, although credit unions differ from other financial institutions in several ways. FCUs are not- for-profit cooperative financial institutions, formed to permit those in the field of membership specified in the credit union's charter to save, borrow, and obtain related financial services. Member ownership and control make credit unions unique from other financial institutions. FCU investment in affiliates is limited to credit union service organizations (CUSOs), which are organizations that primarily serve credit unions or their members and whose business is related to the daily

    [[Page 64169]]

    and routine operations of credit unions. 12 U.S.C. 1757(5)(D), 1757(7)(I).

    Coordination with Privacy Regulations

    The GLBA sets standards for financial institutions' disclosure of nonpublic personal information to nonaffiliated third parties (privacy provisions; Pub. L. 106-102, 15 U.S.C. 6802; see also 15 U.S.C. 6803.) NCUA published final regulations implementing these privacy provisions on May 18, 2000 (65 FR 31721, May 18, 2000).

    The privacy regulations do not ``modify, limit, or supersede the operation of the Fair Credit Reporting Act.'' 15 U.S.C. 6806. Thus, both the privacy regulations and the FCRA may apply to an FCU's disclosure of consumer information. Moreover, if an FCU provides an opt out notice under the FCRA, that notice must be included in certain notices mandated by the privacy regulations, including annual notices to customers. 15 U.S.C. 6803. Therefore, NCUA anticipates that FCUs will design their information-sharing policies and practices, taking into account both the privacy regulations and the regulations implementing the FCRA. To ease compliance and promote consistency, NCUA is conforming the two regulations where appropriate.

    Unlike the privacy regulations, these regulations do not distinguish between members and nonmembers, or customers and consumers. The FCRA is triggered when an individual's credit information is assembled or evaluated to establish the consumer's eligibility for: credit or insurance used for consumer purposes; employment purposes; or any other purpose authorized under section 604 of the FCRA. 15 U.S.C. 1681 et seq. FCUs must comply with these regulations whenever it furnishes consumer credit information to third parties. FCUs are reminded that the FCRA remains in effect prior to the mandatory compliance date; to avoid becoming consumer reporting agencies, FCUs must refrain at all times from sharing opt out information with their affiliates without providing consumers the opportunity to opt out.

  2. Section-by-Section Analysis

    Section 706.6--What does this subpart do?

    Proposed paragraph 706.6(a) briefly describes the purpose of the regulations. Proposed paragraph 706.6(b) briefly describes the scope of the regulations, including the information and institutions subject to them.

    Proposed paragraph 706.6(c) provides that nothing in this subpart modifies, limits, or supersedes the standards governing the privacy of individually identifiable health information promulgated by the Secretary of Health and Human Services pursuant to sections 262 and 264 of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (42 U.S.C. 1320d-1320d-8). Certain FCUs that possess medical information about consumers may be covered by these regulations, the GLBA privacy regulations, and rules promulgated by the Department of Health and Human Services (HHS) under the authority of sections 262 and 264 of HIPAA once those regulations are finalized. Based on the proposed HIPAA rules, it appears likely that there will be areas of overlap between the HIPAA and the FCRA affiliate information-sharing rules. After HHS publishes its final rules, the Agencies and NCUA will consult with HHS to avoid the imposition of duplicative or inconsistent requirements.

    Section 706.7--What is the significance of the examples used in this subpart?

    Proposed Sec. 706.7 clarifies that the examples used in the subpart and in the sample notice are not exclusive means of compliance; rather, they are intended to provide guidance on how to comply in specific situations. NCUA solicits comment on whether to include additional or different examples, and, more fundamentally, on whether the use of examples within the regulations is appropriate and useful. Elevating the fact patterns to safe harbors in the rule may generate certain problems over time. For example, changes in technology or practice may ultimately impact the fact patterns contained in the examples and require changes in the regulations. NCUA solicits comments on whether alternative methods exist that offer illustrative guidance of the concepts portrayed by the examples.

    Section 706.8--What definitions apply to this subpart?

    Discussed below are a few key definitions, including: ``affiliate'' (as well as the related terms ``company'' and ``control''); ``clear and conspicuous''; ``opt out''; ``opt out information''; and ``consumer report.'' The proposal tracks the statutory language referring to ``transaction or experience information,'' but does not define that term. Affiliate

    Several FCRA provisions apply to information sharing with persons ``related by common ownership or affiliated by corporate control,'' ``related by common ownership or affiliated by common corporate control,'' or ``affiliated by common ownership or common corporate control.'' E.g., FCRA, sections 603(d)(2), 615(b)(2), and 624(b)(2). Proposed paragraph (a) defines ``affiliate'' to refer to all these relationships between and among companies, and clarifies that ``related or affiliated by common ownership or affiliated by corporate control or common corporate control'' means controlling, controlled by, or under common control with another company. This paragraph also reflects that FCU investment in affiliates is limited to CUSOs.

    Consistent with the definitions in the privacy regulations, the proposal uses a definition of ``control'' that applies exclusively to the control of a ``company,'' and defines ``company'' to include any corporation, limited liability company, business trust, general or limited partnership, association or similar organization. See proposed paragraph (d) (``company'') and (h) (``control''). The proposal also maintains the example of ``control'' used in the privacy regulations. NCUA presumes an FCU has a controlling influence over the management or policies of a CUSO if the CUSO is 67% owned by federal or state- chartered credit unions. NCUA incorporates the discussion of the definition of ``control'' within the privacy regulations into this preamble. See 65 FR 31723-24 (May 18, 2000). Clear and Conspicuous

    Proposed paragraph (b) defines ``clear and conspicuous'' to mean that a notice must be reasonably understandable and designed to call attention to the nature and significance of the information it contains. The proposed regulations do not mandate the use of any particular technique for making a notice clear and conspicuous; instead, they give FCUs flexibility in determining how to comply. An FCU may make its notice reasonably understandable, for example, by using short explanatory sentences or bullet lists and avoiding legal or highly technical business terminology whenever possible. An FCU may design its notice to call attention to the nature and significance of the information in the notice by, for example, using a plain-language heading and a typeface and size that are easy to read.

    Proposed paragraph (b) is consistent with the ``clear and conspicuous'' standard in the privacy regulations. It offers a more detailed exposition of the standard (particularly with respect to what makes a notice ``conspicuous'') than some other regulations, such as the Board's Regulation Z. However, laws

    [[Page 64170]]

    other than FCRA--for example, the Truth in Lending Act--that require clear and conspicuous disclosures, are beyond the scope of this rulemaking. Accordingly, the standard proposed here does not affect disclosures required by those laws.

    NCUA requests comment on whether FCUs have any particular concerns about compliance with FCRA's clear and conspicuous standard when FCRA opt out notices are included with the GLBA privacy provision notices. Consumer Report

    Proposed paragraph (f) parallels the definition in section 603(d) of the FCRA. Paragraph (f)(2)(ii) excludes from the definition of ``consumer report'' communication among affiliates of a report containing information solely as to transactions or experiences between the consumer and the person making the report.\2\

    \2\ Prior to the 1996 amendments to FCRA, affiliated entities could not pool their transaction or experience information in a common database without being considered a consumer reporting agency. Instead, each affiliate could disclose its own transaction or experience information to another affiliate directly only in the same manner as an entity can disclose information to a nonaffiliated third party. While transaction or experience information has been excluded from the definition of ``consumer report'' since the FCRA's initial passage, the 1996 amendments facilitated the disclosure of such information among affiliates.

    Paragraph (f)(2)(iii) excludes any communication of ``opt out information'' if the conditions set out in Secs. 706.9 through 706.14 are satisfied. The FCRA, as explained above, uses the term ``other information'' to refer to information that it covers but that is not transaction or experience information. This proposal refers to ``other information'' using the more descriptive term ``opt out information.'' See proposed paragraph (k). Opt Out

    Proposed paragraph (j) defines this term to mean a direction by a consumer that an FCU not communicate opt out information about the consumer to one or more of the FCU's affiliates. Opt Out Information

    As described above, the 1996 Amendments to FCRA excluded from the definition of ``consumer report'' the sharing of ``other information'' among affiliates, so long as the consumer, having been given notice and an opportunity to opt out, did not opt out. ``Other information'' refers to information that is covered by the FCRA and that is not a report containing information solely as to transactions or experiences between the consumer and the person making the report. The proposed regulation uses the term ``opt out information'' to describe this category of information.

    Proposed paragraph (k) defines opt out information as information that (i) bears on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, (ii) is used or expected to be used or collected for one or more of the permissible purposes listed in FCRA (e.g. credit transaction, employment purposes), and (iii) is not transaction or experience information. Section 706.10(d) gives examples of categories of opt out information.

    Section 706.9--How may a credit union communicate opt out information to its affiliates without the communication being a consumer report?

    Proposed Sec. 706.9 describes the conditions that an FCU must meet to ensure that its communications of opt out information to its affiliates do not constitute consumer reports, including the requirement that the FCU provide an opt out notice. Section 603(d)(2)(A)(iii) of the FCRA excludes from the definition of ``consumer report'' the sharing of opt out information among affiliates if:

    [I]t is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons.* * *

    Proposed Sec. 706.9 accordingly provides that opt out information may be communicated among affiliates without the communication being a consumer report if: (i) The FCU has provided an opt out notice; (ii) the FCU has given the consumer a reasonable opportunity and means, before the time that it communicates the information, to opt out; and (iii) the consumer has not opted out. Mergers & Acquisitions

    In a merger or acquisition situation, the need to provide new opt out notices to the consumers of the entity that ceases to exist will depend on whether the notices previously given to those consumers accurately reflect the policies and practices of the surviving entity. If they do, the surviving entity will not be required under the rule to provide new notices.

    Section 706.10--What must be in an opt out notice?

    Proposed paragraph (a) provides that an opt out notice must be clear and conspicuous, and must accurately explain: (i) The categories of opt out information about the consumer that the FCU communicates; (ii) the categories of affiliates to which the FCU communicates the information; (iii) the consumer's ability to opt out; and (iv) the means to do so. NCUA invites comment on whether FCUs should also have to disclose in their FCRA notices how long a consumer has to respond to the opt out notice before the FCU may begin disclosing information about that consumer to its affiliates, as well as the fact that a consumer can opt out at any time. These disclosures are not required in the privacy regulations. NCUA seeks comment on whether the benefits of the additional disclosures would outweigh the burdens, and, if so, whether the regulation should require the disclosures to state that an FCU will wait 30 days in every instance before sharing consumer information with affiliates (see proposed Sec. 706.11, below, for additional discussion on reasonable opportunity to opt out).

    Proposed paragraph (b) clarifies that an FCU's notice may describe not only the communications of opt out information that the FCU currently plans to make to its affiliates, but also the communications that it reserves the right to make in the future.

    Proposed paragraph (c) explains that an FCU may provide the consumer with the option of an opt out that covers only part of the information or certain affiliates. This would enable an FCU to give consumers a menu of opt out choices if it desires to do so.

    Proposed paragraph (d) illustrates how an FCU may categorize the opt out information that it communicates to affiliates. Paragraph (d)(2) gives examples of opt out information, such as information from a consumer's application, information from a consumer report, information obtained by verifying representations made by a consumer, and information provided by another person regarding that person's relationship with the consumer. The first two categories reflect the legislative history of the 1996 Amendments, which states in part that the opt out provision ``will clarify that affiliates within a Holding Company structure can share any application information * * * and consumer reports, consistent with the FCRA.'' S. Rep. No. 185, 104th Cong., 1st Sess. 18-19 (1995). The other two categories represent information that NCUA believes does not constitute

    [[Page 64171]]

    transaction or experience information when communicated by the FCU that has received it. Paragraph (d)(3) gives a non-exclusive list of examples of specific items of opt out information within each category, including a consumer's income, credit score or credit history, open lines of credit, employment history and medical history.

    Medical data are especially sensitive for many consumers; if such data are among the opt out information that an FCU communicates to its affiliates, the FCU satisfies the requirement to categorize that information if it includes examples of medical data that it intends to share. NCUA notes that the items listed in paragraph (d)(3) as examples of information that would be included within the categories of opt out information are illustrative only. Those items would not be considered opt out information in cases where the information is obtained from a source other than those listed in paragraph (d)(2). Comment is requested as to the appropriateness of these examples of categories and items of opt out information, and whether additional or different examples should be used.

    The descriptions of the categories of information set out in proposed paragraph (d)(2) differ somewhat from those in the privacy regulations. 12 CFR 716.6. NCUA solicits comment on the extent to which the categories in (d)(2) can be treated as consistent with similar categories in the privacy regulations (such as disclosures of information from consumer reporting agencies) in order to reduce compliance burden and consumer confusion.

    Paragraph (e) explains how an FCU can satisfy the requirement that it categorize the affiliates to which it communicates opt out information. Paragraph (f) cross-references the sample notice in Appendix A, which presents a further illustration of the content of an opt out notice.

    Section 706.11--How may a credit union provide a reasonable opportunity to opt out?

    Proposed paragraph (a) sets forth that an FCU will provide a reasonable opportunity to opt out by providing a reasonable period of time for the consumer to opt out from the time the notice is delivered. Proposed paragraph (b) sets out examples of what is a reasonable period of time when notices are provided in person, by mail, or by electronic means. Comment is requested on whether there are other situations that would suggest a different reasonable period of time that NCUA should note by example. Proposed paragraph (c) explains that a consumer may opt out at any time.

    Section 706.12--What are reasonable means of opting out?

    Proposed paragraph (a) sets forth the general rule that an FCU provides a reasonable means of opting out if it provides a reasonably convenient method to the consumer to opt out. Examples of reasonable means of opting out and unreasonable means are set out in proposed paragraphs (b) and (c), respectively. Proposed paragraph (d) permits an FCU to require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.

    Section 706.13--How must a credit union deliver an opt out notice?

    Proposed paragraph (a) provides that an FCU must deliver an opt out notice so that each consumer can reasonably be expected to receive actual notice. As indicated by the examples provided in proposed paragraph (b), this is a lesser standard than actual notice. For instance, if an FCU mails a printed copy of its notice to the last known mailing address of an existing consumer, the FCU has met its obligation even if the consumer has changed addresses and never receives the notice.

    An FCU may give notice in writing or, if the consumer agrees, electronically. For example, the FCU may e-mail its notice to a consumer that conducts electronic transactions and has agreed to receive electronic notice. NCUA invites comment on whether and how the proposed rules governing communications between an FCU and a consumer via an electronic medium should be modified in light of the Electronic Signatures in Global and National Commerce (the E-Sign Act).\3\

    \3\ Congress has recently enacted the E-Sign Act, Pub. L. 106- 229, which addresses the use of electronic records and signatures for interstate and foreign commerce. This legislation contains general rules governing the use of electronic records for providing required information to consumers (such as disclosures and acknowledgements required by the GLBA). The legal requirement that consumer disclosures be in writing may be satisfied by an electronic record if the consumer affirmatively consents and certain other requirements of the E-Sign Act are met.

    Proposed paragraph (c) explains that oral notice alone does not comply with the notice requirement; however, oral notice may be provided in conjunction with appropriate written or electronic notice.

    Proposed paragraph (d) explains that an FCU must provide the notice so that the consumer can retain it or obtain it at a later time, and gives examples of retention or accessibility.

    Proposed paragraph (e) permits an FCU to provide a joint opt out notice with one or more of its affiliates that are identified in the notice, as long as the notice is accurate with respect to each entity jointly issuing the notice.

    Proposed paragraph (f)(1) sets out rules that apply, notwithstanding any other provision of the regulations, when two or more consumers jointly obtain a product or service from an FCU (referred to in the proposed regulations as joint consumers), other than a loan, such as a joint checking account. For example, an FCU may provide a single opt out notice to joint accountholders. The notice must indicate whether the FCU will consider an opt out by a joint accountholder as an opt out by all of the associated accountholders, or whether each accountholder may opt out separately. The FCU may not require all accountholders to opt out before honoring an opt out direction by one of the joint accountholders. With respect to loans, paragraph (f)(2) requires that an FCU provide an opt out notice to each borrower or loan guarantor if the FCU intends to communicate opt out information about the consumer to any of the FCU's affiliates.

    Section 706.14--When is revised opt out notice required?

    Proposed Sec. 706.14 addresses the situation in which an FCU has provided a consumer with one or more opt out notices but later decides to communicate opt out information to its affiliates other than described in those notices. It explains that an FCU must send a revised opt out notice that complies with Sec. 706.9, including providing a reasonable means and opportunity to opt out, and communicating the information only if the consumer has not opted out.

    Section 706.15--When must a credit union comply with an opt out?

    Proposed Sec. 706.15 explains that if an FCU provides a consumer with an opt out notice, and the consumer opts out, the FCU must comply as soon as reasonably practicable after receiving the consumer's direction. Comment is solicited on whether NCUA should establish a fixed number of days--for example, 30 days--that would be deemed a ``reasonably practicable'' period of time for complying with a consumer's opt out direction.

    Section 706.16--How long does an opt out last?

    Proposed Sec. 706.16 provides that an opt out continues to apply to the information and affiliates described in the applicable opt out notice until

    [[Page 64172]]

    revoked by the consumer in writing, or if the consumer agrees, electronically, as long as the consumer continues to have a relationship with the FCU. If the consumer's relationship with the FCU terminates, the opt out will continue to apply to this information. However, a new notice and opportunity to opt out must be provided if the consumer establishes a new relationship with the FCU.

    Section 706.17--May a credit union condition the availability or terms of credit on whether a consumer opts out?

    Proposed paragraph (a) reminds FCUs that they may not ``discriminate against an applicant'' for credit because the applicant opts out. The source of this prohibition is the Equal Credit Opportunity Act (ECOA; 15 U.S.C. 1691 et seq.), which bars discrimination on a prohibited basis in any aspect of a credit transaction; one prohibited basis is exercising a right under the Consumer Credit Protection Act, which includes the FCRA.

    Proposed paragraph (b) provides examples of prohibited discrimination against an applicant. Paragraph (c) notes that the terms ``applicant'' and ``discriminate against'' have the meaning ascribed to these terms in 12 CFR part 202.

    Appendix A

    Appendix A, which is part of these regulations, contains a sample notice, part or all of which may be used to facilitate compliance with the notice requirements. Although use of the sample notice is not required, FCUs using it properly to provide notices will be deemed to be in compliance.

    NCUA solicits comment on all aspects of the proposed regulations, including but not limited to those highlighted above.

  3. Regulatory Analysis

    Paperwork Reduction Act

    This proposed regulation contains disclosure requirements for FCUs and their affiliates. An FCU that (a) has affiliates, (b) does not wish to be considered a consumer reporting agency, and (c) wishes to share consumer information (other than transaction and experience information) with its affiliates, must prepare and provide a notice to all its consumers advising them of their opportunity to opt out of information sharing with its affiliates. 12 CFR 706.9. If an FCU wishes to share information in a way that is inconsistent with notices previously given to consumers, the FCU must provide consumers with revised notices. 12 CFR 706.14. The collection of information requirements contained in this notice of proposed rulemaking will be submitted to the Office of Management and Budget for review in accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3507).

    In estimating burden, NCUA assumed that if an FCU provides an opt out notice under the FCRA, that notice must be included in certain notices mandated by the GLBA privacy provisions, and will not be sent out separately. The analysis assumes that FCUs will provide single, combined notices covering all of the various relationships a consumer may have with an FCU, rather than separate opt out notices based on product lines such as loans and share accounts. NCUA seeks comment as to whether FCUs would likely send separate or combined notices.

    This proposed regulation contains consumer reporting requirements. In order for consumers to invoke their right to opt out, they must respond to the credit union's opt out notice. 12 CFR 706.15. NCUA requests public comment on all aspects of the collections of information contained in this proposed rule, including consumer responses to the opt out notice and consumer changes to their opt out status with a credit union. 12 CFR 706.11(c). In light of the uncertainty regarding what FCUs will do to comply with the opt out requirements and how consumers will react, NCUA estimates a nominal burden stemming from consumer responses of one hour per FCU, and will revisit this estimate in light of the comments NCUA receives.

    The Board estimates that it will take an average of ten hours total for an FCU to develop and process opt-out notices that comply with these regulations. The Board also estimates that nine hundred sixty-two FCUs have investments in CUSOs. The cumulative total annual paperwork burden is estimated to be approximately nine thousand six hundred twenty hours.

    NCUA will submit the collection of information requirements contained in the regulation to the OMB in accordance with the Paperwork Reduction Act of 1995. 44 U.S.C. 3507. The NCUA will use any comments received to develop its new burden estimates. Comments on the collections of information should be sent to Office of Management and Budget, Reports Management Branch, New Executive Office Building, Room 10202, Washington, DC 20503; Attention: Alex T. Hunt, Desk Officer for NCUA. Please send NCUA a copy of any comments you submit to OMB.

    Regulatory Flexibility Act

    Pursuant to section 605(b) of the Regulatory Flexibility Act, NCUA certifies that this proposed rulemaking will not have a significant economic impact on a substantial number of small entities. FCUs have had to notify their consumers of the right to opt out of affiliate sharing of certain information since 1997. This rulemaking provides guidance to FCUs concerning how they may comply with the statutory requirements, but requires no new types of disclosure or opt out system. While existing forms may need to be modified, these modifications are unlikely to result in a significant economic impact on a substantial number of small entities.

    In addition, some of the requirements in the proposed rule have been designed to correspond to the requirements of the privacy regulations. For example, under both regulations, FCUs, in certain circumstances, must deliver notices to consumers and to provide consumers an opportunity to opt out of certain information disclosures. This proposed rule would allow FCUs to combine into one notice the notice they must deliver under FCRA and the notice that they must deliver under the privacy regulations. Also, FCUs may combine their consumers' opt out responses into one opt out response. By combining the notices they deliver and the opt out responses they process, FCUs will not need to produce additional opt out responses under this rule. Because the proposed rule is designed to minimize FCRA's burden on FCUs, and because the FCRA requirements have been effective since 1997, NCUA believes that this proposed rule will not have a significant economic impact on a substantial number of small entities. For these reasons, a regulatory flexibility analysis is not required.

    Executive Order 13132

    Executive Order 13132 encourages independent regulatory agencies to consider the impact of their regulatory actions on state and local interests. In adherence to fundamental federalism principles, NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5), voluntarily complies with the executive order. This proposed rule, if adopted, applies only to federally-chartered credit unions and will not have substantial direct effects on the states, on the relationship between the national government and the states, or on the distribution of power and responsibilities among the various levels of government. NCUA has determined that the proposed rule does

    [[Page 64173]]

    not constitute a policy that has federalism implications for purposes of the executive order.

    The Treasury and General Government Appropriations Act, 1999-- Assessment of Federal Regulations and Policies on Families

    The NCUA has determined that this proposed rule will not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681 (1998).

    Agency Regulatory Goal

    NCUA's goal is to promulgate clear and understandable regulations that impose minimal regulatory burden. We request your comments on whether the proposed amendment is understandable and minimally intrusive if implemented as proposed.

    List of Subjects in 12 CFR Part 706

    Credit, Credit unions, Trade practices.

    By the National Credit Union Administration Board on October 19, 2000. Becky Baker, Secretary of the Board.

    For the reasons set forth in the preamble, it is proposed that 12 CFR chapter VII be amended as follows:

    PART 706--CREDIT PRACTICES AND FAIR CREDIT REPORTING

    1. The authority citation for part 706 is revised to read as follows:

      Authority: 15 U.S.C. 57a(f), 1681s.

    2. A heading for subpart A is added preceding Sec. 706.1 to read as follows:

      Subpart A--Credit Practices

    3. Subpart B is added to part 706 to read as follows: Subpart B--Fair Credit Reporting 706.6 What does this subpart do? 706.7 What is the significance of the examples used in this subpart? 706.8 What definitions apply to this part? 706.9 How may a credit union communicate opt out information to its affiliates without the communication being a consumer report? 706.10 What must be in an opt out notice? 706.11 How may a credit union provide a reasonable opportunity to opt out? 706.12 What are reasonable means of opting out? 706.13 How must a credit union deliver an opt out notice? 706.14 When is a revised opt out notice required? 706.15 When must a credit union comply with an opt out? 706.16 How long does an opt out last? 706.17 May a credit union condition the availability of terms of credit on whether a consumer opts out?

      Appendix A to Subpart B--Sample Notice

      Subpart B--Fair Credit Reporting

      Sec. 706.6 What does this subpart do?

      (a) Purpose. This subpart governs the collection, communication, and use by federal credit unions of certain information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

      (b) Scope. This subpart applies to information that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, employment, or any other purpose authorized under section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b). This subpart applies to federal credit unions.

      (c) Relation to other laws. Nothing in this subpart modifies, limits, or supercedes the standards governing the privacy of individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).

      Sec. 706.7 What is the significance of the examples used in this subpart?

      The examples in this subpart and the sample notice in appendix A to subpart B are not exclusive. Compliance with an example or the use of the sample notice, to the extent applicable, constitutes compliance with this subpart.

      Sec. 706.8 What definitions apply to this subpart?

      As used in these regulations, unless the context requires otherwise--

      (a) Affiliate--(1) In general. The term means any company that is related or affiliated by common ownership, or affiliated by corporate control or common corporate control, with another company.

      (2) Related or affiliated by common ownership or affiliated by corporate control or common corporate control. This means controlling, controlled by, or under common control with, another company.

      (3) Example. An affiliate of a federal credit union is a credit union service organization (CUSO), as provided in 12 CFR part 712, that is controlled by the federal credit union.

      (b) Clear and conspicuous--(1) In general. The term means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.

      (2) Examples--(i) Reasonably understandable. You may make your notice reasonably understandable if you:

      (A) Present the information in the notice in clear and concise sentences, paragraphs, and sections;

      (B) Use short explanatory sentences or bullet lists whenever possible;

      (C) Use definite, concrete, everyday words and active voice whenever possible;

      (D) Avoid multiple negatives;

      (E) Avoid legal and highly technical business terminology whenever possible; and

      (F) Avoid explanations that are imprecise and readily subject to different interpretations.

      (ii) Designed to call attention. You design your notice to call attention to the nature and significance of the information it contains if you:

      (A) Use a plain-language heading to call attention to the notice;

      (B) Use a typeface and type size that are easy to read;

      (C) Provide wide margins and ample line spacing;

      (D) Use boldface or italics for key words; and (E) In a form that combines your notice with other information, use distinctive type sizes, styles, and graphic devices, such as shading and sidebars.

      (iii) Notice on a web page. If you provide a notice on a web page, you design your notice to call attention to the nature and significance of the information it contains if:

      (A) You place either the notice, or a link that connects directly to the notice and that is labeled appropriately to convey the importance, nature, and relevance of the notice, on a page that consumers access often, such as a page on which transactions are conducted;

      (B) You use text or visual cues to encourage scrolling down the page if necessary to view the entire notice; and

      (C) You ensure that other elements on the web page (such as text, graphics, links, or sound) do not detract attention from the notice.

      (c) Communciation includes written, oral, and electronic communication; provided that the term includes electronic communication to a consumer only if the consumer agrees to receive the communication electronically.

      (d) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.

      (e) Consumer means an individual.

      (f) Consumer report--(1) In general. The term means any written, oral, or

      [[Page 64174]]

      other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for:

      (i) Credit or insurance to be used primarily for personal, family, or household purposes;

      (ii) Employment purposes; or (iii) Any other purpose authorized under section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b).

      (2) Exclusions. The term does not include:

      (i) Any report containing information solely as to transactions or experiences between the consumer and the person making the report;

      (ii) Any communication of that information among affiliates;

      (iii) Any communication among affiliates of opt out information if the conditions in Secs. 706.9 through 706.14 are satisfied;

      (iv) Any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device;

      (v) Any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his or her decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made, and the person makes the disclosures to the consumer required under section 615 of the Fair Credit Reporting Act (15 U.S.C. 1681m); or

      (vi) A communication described in section 603(o) of the Fair Credit Reporting Act (15 U.S.C. 1681a(o)).

      (g) Consumer reporting agency means any person which, for monetary fees, dues or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

      (h) Control of a company means:

      (1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;

      (2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or

      (3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the NCUA determines.

      (4) Example. NCUA will presume a credit union has a controlling influence over the management or policies of a CUSO, if the CUSO is 67% owned by federal or state-chartered credit unions.

      (i) Credit union means a federal credit union.

      (j) Opt out means a direction by a consumer that you not communicate opt out information about the consumer to one or more of your affiliates.

      (k) Opt out information means information that:

      (1) Bears on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living;

      (2) Is used or expected to be used or collected in whole or in part to serve as a factor in establishing the consumer's eligibility for credit or another purpose listed in section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b); and

      (3) Is not a report containing information solely as to transactions or experiences between the consumer and the person reporting or communicating the information.

      (l) Person means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.

      (m) You means a federal credit union.

      Sec. 706.9 How may a credit union communicate opt out information to its affiliates without the communication being a consumer report?

      In general, your communication to your affiliates of opt out information about a consumer is not a consumer report if:

      (a) You have provided the consumer with an opt out notice;

      (b) You have given the consumer a reasonable opportunity and means before you communicate the information to your affiliates, to opt out; and

      (c) The consumer has not opted out.

      Sec. 706.10 What must be in an opt out notice?

      (a) In general. An opt out notice must be clear and conspicuous, and must accurately explain:

      (1) The categories of opt out information about the consumer that you communicate to your affiliates;

      (2) The categories of affiliates to which you communicate the information and;

      (3) The consumer's ability to opt out; and

      (4) A reasonable means for the consumer to opt out.

      (b) Future communications. Your notice may describe:

      (1) Categories of opt out information about the consumer that you reserve the right to communicate to your affiliates in the future but do not currently communicate; and

      (2) Categories of affiliates to which you reserve the right in the future to communicate, but to which you do not currently communicate, opt out information about the consumer.

      (c) Partial opt out. You may allow a consumer to select certain opt out information or certain affiliates, with respect to which the consumer wishes to opt out.

      (d) Examples of categories of information that you communicate. (1) You satisfy the requirement to categorize the opt out information that you communicate if you list the categories in paragraph (d)(2) of this section, as applicable, and a few examples to illustrate the types of information in each category. These examples may include those in paragraph (d)(3) of this section, if applicable.

      (2) Categories of opt out information may include information:

      (i) From a consumer's application;

      (ii) From a consumer credit report;

      (iii) Obtained by verifying representations made by a consumer; or

      (iv) Provided by another person regarding its employment, credit, or other relationship with a consumer.

      (3) Examples of information within a category listed in paragraph (d)(2) of this section include a consumer's:

      (i) Income;

      (ii) Credit score or credit history with others;

      (iii) Open lines of credit with others;

      (iv) Employment history with others;

      (v) Marital status; and

      (vi) Medical history.

      (4) You do not satisfy the requirement if you communicate or reserve the right to communicate individually identifiable health information (as described in section 1171(6)(B) of the Social Security Act (42 U.S.C. 1320d(6)(B)) but omit illustrative examples of this information.

      (e) Examples of categories of affiliates. (1) You satisfy the requirement to categorize the affiliates to which you communicate opt out information if you list the categories in paragraph (e)(2) of this section, as applicable, and a few

      [[Page 64175]]

      examples to illustrate the types of affiliates in each category.

      (2) Categories of affiliates may include:

      (i) Financial service providers; and

      (ii) Non-financial companies.

      (f) Sample notice. A sample notice is included in appendix A to this subpart.

      Sec. 706.11 How may a credit union provide a reasonable time period to opt out?

      (a) In general. You provide a reasonable opportunity to opt out if you provide a reasonable period of time following the delivery of the opt out notice for the consumer to opt out.

      (b) Examples of reasonable period of time:

      (1) In person. You hand-deliver an opt out notice to the consumer and provide at least 30 days from the date you delivered the notice.

      (2) By mail. You mail an opt out notice to a consumer and provide at least 30 days from the date you mailed the notice.

      (3) By electronic means. You notify the consumer electronically, and you provide at least 30 days after the date that the consumer acknowledges receipt of the electronic notice.

      (c) Continuing opportunity to opt out. A consumer may opt out at any time.

      Sec. 706.12 What are reasonable means of opting out?

      (a) General rule. You provide a consumer with a reasonable means of opting out if you provide a reasonably convenient method to opt out.

      (b) Reasonably convenient methods. Examples of reasonably convenient methods include:

      (1) Designating check-off boxes in a prominent position on the relevant forms included with the opt out notice;

      (2) Including a reply form together with the opt out notice;

      (3) Providing an electronic means to opt out, such as a form that can be electronically mailed or a process at your web site, if the consumer agrees to the electronic delivery of information; or

      (4) Providing a toll-free telephone number that consumers may call to opt out.

      (c) Methods not reasonably convenient. Examples of methods that are not reasonably convenient:

      (1) Requiring a consumer to write his or her own letter to you; or

      (2) Referring in a revised notice to a check-off box that you included with a previous notice but that you do not include with the revised notice.

      (d) Requiring specific means of opting out. You may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.

      Sec. 706.13 How must a credit union deliver an opt out notice?

      (a) In general. You must deliver an opt out notice so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.

      (b) Examples of expectation of actual notice. (1) You may reasonably expect that a consumer will receive actual notice if you:

      (i) Hand-deliver a printed copy of the notice to the consumer;

      (ii) Mail a printed copy of the notice to the last known address of the consumer; or

      (iii) For the consumer who conducts transactions electronically, post the notice on your electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular product or service.

      (2) You may not reasonably expect that a consumer will receive actual notice if you:

      (i) Only post a sign at your office or generally publish advertisements presenting your notice; or

      (ii) Send the notice via electronic mail to a consumer who does not obtain a product or service from you electronically.

      (c) Oral description insufficient. You may not provide an opt out notice solely by orally explaining the notice, either in person or over the telephone.

      (d) Retention or accessibility. (1) In general. You must provide an opt out notice so that it can be retained or obtained at a later time by the consumer in writing or, if the consumer agrees, electronically.

      (2) Examples of retention or accessibility. You provide the notice so that it can be retained or obtained at a later time if you:

      (i) Hand-deliver a printed copy of the notice to the consumer;

      (ii) Mail a printed copy of the notice to the last known address of the consumer upon request of the consumer; or

      (iii) Make your current notice available on a web site (or link to another web site) for the consumer who obtains a product or service electronically and who agrees to receive the notice at the web site.

      (e) Joint notice with affiliates. You may provide a joint notice with one or more affiliates as long as the notice identifies each person providing it and is accurate with respect to each.

      (f) Joint relationships--(1) General rule. Notwithstanding any other provision of this subpart, if two or more consumers jointly obtain a product or service from you (joint consumers), other than a loan, the following rules apply:

      (i) You may provide a single notice to all joint consumers.

      (ii) Any of the joint consumers have the opportunity to opt out.

      (iii) You may treat an opt out direction by a consumer either as:

      (A) Applying to all of the joint consumers; or

      (B) Applying to that particular joint consumer.

      (iv) You must explain in your opt out notice which of the two policies set forth in paragraph (f)(1)(iii) of this section you will follow.

      (v) If you follow the policy set forth in paragraph (f)(1)(iii)(B) of this section, by treating the opt out of a joint consumer as applying to that particular joint consumer, you must also permit:

      (A) A joint consumer to opt out on behalf of other joint consumers; and

      (B) One or more joint consumers to notify you of their opt out directions in a single response.

      (vi) You may not require all joint consumers to opt out before you implement any opt out direction.

      (vii) If you receive an opt out by a particular joint consumer that does not apply to the others, you may disclose information about the others as long as no information is disclosed about the consumer who opted out.

      (2) Example. If consumers A and B, who have different addresses, have a joint checking account with you and arrange for you to send statements to A's address, you may do any of the following, but you must explain in your opt out notice which opt out policy you will follow. You may send a single opt out notice to A's address and:

      (i) Treat an opt out direction by A as applying to the entire account. If you do so and A opts out, you may not require B to opt out as well before implementing A's opt out direction.

      (ii) Treat A's opt out direction as applying to A only. If you do so, you must also permit;

      (A) A and B to opt out for each other; and

      (B) A and B to notify you of their opt out direction in a single response (such as on a single form) if they choose to give you separate opt out directions.

      (iii) If A opts out only for A, and B does not opt out, you may disclose opt out information only about B, and not about A and B jointly.

      (3) Special rule for loans. You must provide an opt out notice to each borrower and loan guarantor if you intend to communicate opt out

      [[Page 64176]]

      information about such consumer to your affiliate.

      Sec. 706.14 When is a revised opt out notice required?

      If you have provided a consumer with one or more opt notices and plan to communicate opt out information to your affiliates about the consumer, other than as described in those notices, you must provide the consumer with a revised opt out notice that complies with Secs. 706.9 through 706.13.

      Sec. 706.15 When must a credit union comply with an opt out?

      If you provide a consumer with an opt out notice and the consumer opts out, you must comply with the opt out as soon as reasonably practicable after you receive it.

      Sec. 706.16 How long does an opt out last?

      An opt out remains effective until revoked by the consumer in writing or electronically, as long as the consumer continues to have a relationship with you. If the consumer's relationship with you terminates, the opt out will apply to this information. However, a new notice and opportunity to opt out must be provided if the consumer establishes a new relationship with you.

      Sec. 706.17 May a credit union condition the availability or terms of credit on whether a consumer opts out?

      (a) General rule. If a consumer is an applicant for credit, you must not ``discriminate against'' the consumer if the consumer opts out of your communication of opt out information to your affiliates.

      (b) Examples of discrimination against an applicant. You discriminate against an applicant if you:

      (1) Deny the applicant credit because the applicant opts out;

      (2) Vary the terms of credit adversely to the applicant such as by providing less favorable pricing terms to an applicant who opts out; or

      (3) Apply more stringent credit underwriting standards to the applicant because the applicant opts out.

      (c) Regulation B. The terms ``applicant'' and ``discriminate against'' in Sec. 706.17 have the same meanings ascribed to them in 12 CFR part 202.

      Appendix A to Subpart B--Sample Notice

      This Appendix contains a sample notice to facilitate compliance with the notice requirements of these regulations. A credit union may use applicable disclosures in this sample to provide notices required by these regulations.

      Notice of Your Opportunity to Opt Out of Information Sharing With Our Affiliates

      Information we can share--unless you tell us not to

      What Information: Unless you tell us not to, [Credit Union] may share with our affiliates information about you including:

      information we obtain from your application, such as

      [provide illustrative examples, such as ``your income'' or ``your marital status''] ;

      information we obtain from a consumer report, such as

      [provide illustrative examples, such as ``your credit score or credit history''] ;

      information we obtain to verify representations made by you, such as [provide illustrative examples, such as ``your open lines of credit'']; and

      information we obtain from a person regarding an employment, credit, or other relationship with you, such as [provide illustrative examples, such as ``your employment history''].

      Shared With Whom: Our affiliates who may receive this information are:

      financial service providers, such as [provide illustrative examples, such as ``mortgage bankers, broker-dealers, and insurance agents'']; and

      non-financial companies, such as [provide illustrative examples, such as ``direct marketers''].

      How to tell us to not share this information with our affiliates

      If you prefer that we not share this information with our affiliates, you may direct us not to share this information by doing the following [insert one or more of the reasonable means of opting out listed below \1\]: [call us toll free at {insert toll free number}]; or [visit our web site at {insert web site address} and {provide further instructions how to use the web site option}]; or

      [e-mail us at {insert the e-mail address}] ; or [fill out and tear off the bottom of this sheet and mail to the following address: {insert address}]; or [check the appropriate box on the attached form {attach form} and mail to the following address: {insert address}].

      \1\ If the credit union is using its web site or an e-mail address as the only method by which a consumer may opt out, the consumer must agree to the electronic delivery of information.

      Note: Your direction in this paragraph covers certain information about you that we might otherwise share with our affiliates. We may share other information about you with our

      affiliates as permitted by law.

      [FR Doc. 00-27363Filed10-25-00; 8:45 am]

      BILLING CODE 7535-01-P

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT