Press
CUNA comments on CFPB’s privacy proposal
(July 14, 2014) — Today, the Credit Union National Association (CUNA) filed a comment letter with the Consumer Financial Protection Bureau (CFPB) that supports a proposal to provide some regulatory relief to credit unions from sending annual privacy notices. The proposed rule would allow credit unions that do not engage in certain types of information-sharing activities to stop mailing an annual privacy notice if they post the notice on their website, provide a toll-free number for requesting the notice, made no updates to their privacy policy, and meet other conditions. CUNA supports the proposed change, but suggests that all credit unions be allowed to use the alternative delivery method as long as they meet the notification requirements. CUNA also suggests that credit unions that do not currently have a toll-free number not be required to operate one just for privacy notice requests.
Full text of the letter below:
July 14, 2014
Monica Jackson
Office of the Executive Secretary
Consumer Financial Protection Bureau
1700 G Street, NW
Washington, DC 20552
Re: Amendment to the Annual Privacy Notice Requirement under the Gramm-Leach-Bliley Act (Regulation P) – Docket No. CFPB-2014-0010/RIN 3170-AA39
Dear Ms. Jackson:
The Credit Union National Association (CUNA) appreciates the opportunity to submit comments regarding the Consumer Financial Protection Bureau’s proposed amendment to the Annual Privacy Notice Requirement under the Gramm-Leach-Bliley Act (Regulation P). By way of background, CUNA is the nation’s largest credit union advocacy organization, representing our nation’s state and federal credit unions, which serve over 99 million members.
In general, CUNA supports the Consumer Financial Protection Bureau’s proposal that would allow financial institutions, including credit unions that do not engage in certain types of information sharing activities, to discontinue mailing an annual privacy disclosure, as long as certain alternative delivery requirements are met. The proposed amendments would significantly reduce the costs to credit unions of providing annual privacy notices. At the same time, the proposal would have a minimal impact on consumers who would have access to privacy disclosures through the proposed alternative delivery method. As a result, the proposal would add efficiency to financial institutions’ process of providing annual privacy notices to consumers without decreasing consumers’ access to such disclosures.
While we support the intent of the proposal, we encourage the Bureau to amend the rule so that all privacy notices can be delivered by the alternate delivery method. We do not believe consumers would be disadvantaged if the use of the alternate delivery method is expanded as discussed below since it would not reduce the availability of privacy notices to consumers. In fact, a clear and conspicuous notification on a statement or other required communication would provide a more effective notice to a consumer that he or she has a right to opt out of information sharing or that a privacy policy has been changed.
CUNA Research on Consumer Receipt of Privacy Notices
CUNA recently surveyed consumer members of credit unions regarding the receipt of privacy notices. Of the 79% of people who recall receiving an annual privacy notice, 10% disposed of the notice without opening it, 15% opened it without reading it, 53% skimmed it quickly, and only 22% reported reading the notice in its entirety, according to the survey responses. We also asked if credit union members would be more likely to read a privacy notice when there were changes to the credit union’s privacy policy. Eight percent of members said that it would not make a difference, 14% said they were less likely to read it, while 76% said that they were more likely to read a privacy notice in that situation.
While our survey was completed with proposed privacy legislation in mind, it does indicate that credit union members are more likely to read a privacy notice when there is a change to a financial institution’s privacy policy than when there is not. Further, these results indicate that notification of a change to a privacy policy is more important to credit union members than routinely sending privacy notices in the mail.
Expand Alternative Delivery Method to All Privacy Notices
Under the proposal, a financial institution would only be allowed to use the alternative delivery method for its privacy notices if the institution meets specific requirements. These would be: (1) The institution does not share information with nonaffiliated third parties other than for purposes covered by the exclusions allowed under Regulation P; (2) the institution does not include on its annual privacy notice an opt out under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA); (3) the annual privacy notice is not the only method used to satisfy the requirements of section 624 of FCRA and subpart C of part 1022, if applicable; (4) certain required information on the annual privacy notice has not changed since the institution provided the immediately previous privacy notice; and (5) the institution uses the Regulation P model form for its annual privacy notice.
While this approach is positive, CUNA urges the Bureau to expand the availability of the alternative delivery method to all financial institutions that use the model form. After reviewing this proposal and the strong consumer protections available to them through the alternative delivery method, we think that it would be appropriate to expand its use to all financial institutions regardless of opt out rights given to a consumer.
A conspicuous notification of the availability of a privacy notice on a statement, which consumers are more likely to read than any other document that comes in an envelope from a financial institution, is more likely to attract a consumer’s attention than any other document contained within the envelope. The communication could contain the statement in proposed § 1016.9(c)(2)(iii), modified to meet notice requirements. Various versions of the approved language could include statements such as, “our privacy policy has changed” or “you have the right to opt out of certain information sharing” or another short message about the privacy notice that would be conspicuous to a consumer reading the statement.
Our research indicates that a consumer is much more likely to read a privacy disclosure when he or she is aware that the language has been changed or amended. We believe that a consumer would more likely be informed that a privacy policy has been changed or that he or she has opt out rights if a notification is contained in a conspicuous place on the statement. Further, a brief statement that a consumer has the right to opt out of information sharing or that the privacy statement has been amended would likely provide a more useful notification to a consumer than the annual inclusion of a privacy statement with no further explanation.
Alternative Delivery Method
The proposed rule would allow a financial institution to fulfill its annual privacy notice requirement by providing the notice through an alternative delivery method. The alternative delivery method consists of several steps. First, a financial institution must inform consumers of the availability of the annual privacy notice. The financial institution must subsequently provide the notice via a website or through a toll-free number for consumers to call and request the mailing of a hard copy of the annual privacy notice.
We support the alternative delivery method, but we recommend that the Bureau consider making a few small changes that would make it easier and more cost-effective for small institutions to comply with. The alternative delivery method requires that a financial institution convey at least annually on another notice or disclosure that its privacy notice is available on its website or via a toll-free number. This annual notification serves to inform the consumer that a privacy notice is available and informs the consumer how to obtain the privacy notice. CUNA supports this notification method as it comports with the current requirement to deliver an actual privacy notice annually.
We question however, the need for a dedicated toll-free number. If a financial institution has a toll-free number in place, then it should be able to use the existing number to meet the alternative delivery requirement.
We also suggest that the agency look at alternatives to the toll-free number for small institutions that do not already have a toll-free number. Many small credit unions operate in geographically restricted areas. These credit unions often do not have toll-free numbers due to the expense involved in procuring one, and because the credit union’s members are contained in such a small area. Furthermore, many consumers use mobile phones, which generally do not charge tolls for long distance calls. For these reasons, we urge the Bureau to waive this requirement for a credit union that does not currently have a toll-free number.
We support allowing the placement privacy notifications on statements or other required notifications. The proposal would require a financial institution “to convey in a clear and conspicuous manner not less than annually on a notice or disclosure the institution is required or expressly and specifically permitted to use under any other provision of law that its privacy notice has not changed, that the notice is available on its Web site and that a hard copy of the notice will be mailed to customers if they call a toll-free number to request one.” We support proposed § 1016.3(b)(2)(ii)(E), as it provides an adequate description detailing type size, style, and graphic devices, such as shading or sidebars.
We recommend that the Bureau consider devising a “safe harbor notification box” that can be placed by a financial institution on a statement or other communication that meets the requirements in § 1016.9(c)(2)(ii)(A). We realize that current § 1016.3(b)(2)(ii)(E) states the requirement for text size and box shading to make the communication conspicuous; however, a specific requirement for a safe harbor would ensure uniformity across financial institutions and educate consumers to look to the box for privacy notifications. We request this as an addition to the § 1016.9(c)(2)(ii)(A) requirements because a financial institution would have even greater flexibility if it has compliance alternatives under the rule.
Financial institutions should be allowed to provide a notice of availability of the privacy statement on any notice required by law. Proposed § 1016.9(c)(2)(ii)(A) does not specify in detail the type of statement on which the notice of availability must be conveyed, which gives financial institution flexibility in placing the notice on communications that are required to be sent. We do suggest that the Bureau investigate ways for smaller credit unions to provide notice of availability if they do not send statements to members. These institutions should be allowed to provide notices via branch bulletin boards or other types of communications, such as advertisements.
Model Privacy Notice
The Bureau solicits comment on whether adoption of the model form should be considered a change in the annual notice pursuant to proposed § 1016.9(c)(2)(i)(D). Adoption of the model notice should not be considered a change if the substance and privacy policies of the institution remain the same.
Also, the Bureau should provide guidance as to what does and does not constitute use of the model notice. Many vendors provide notices to financial institutions and it is not unusual for small, inconsequential, and non-material changes to be included in the notice. Additional guidance could help reduce confusion as to what changes could be made without triggering compliance concerns.
Conclusion
Thank you for the opportunity to comment on the Bureau’s proposed amendments to the annual privacy notification requirements. While we generally support these amendments as proposed, they would be more beneficial to financial institutions and consumers if the Bureau adopted CUNA’s recommendations described above. If you have any questions concerning our letter, please feel free to contact CUNA’s Senior Vice President and Deputy General Counsel Mary Dunn or me at (202) 508-6705.
Sincerely,
Lance Noggle
Assistant General Counsel
Credit Union National Association