Back to basics: To share or not to share…that is the question

What type of member information can be shared? Who can we share a member’s information with? When can we share a member’s information? NAFCU’s Compliance Team regularly fields these types of questions from our members. So, let’s get back to the basics and review the general principles of Privacy of Consumer Financial Information, which are found in Regulation P, which implements the Gramm-Leach-Bliley Act of 1999 (“GLBA”).

It may seem complicated at first, but the main concept of Regulation P is that a credit union must create its privacy policies and disclose them to members. In particular, the regulation requires credit unions to provide a notice which describes the information the credit union gathers from its members and shares with third parties, and to give members the opportunity to opt out of having their information shared. Alternatively, a credit union can satisfy an exception within sections 1016.13 through 1016.15 of Regulation P, which we will get to later.

What information can be shared?

Regulation P contains a general prohibition against sharing nonpublic personal information. But what is nonpublic personal information? Section 1016.3(p) of Regulation P defines nonpublic personal information as personally identifiable financial information, including any information that is derived using any personally identifiable financial information that is not publicly available. This includes information provided on a loan application, a credit card, account balance information, payment history, credit or debit card purchase information, and even the fact that an individual is a member of the credit union. This does not include information that a credit union reasonably believes is publicly available, such as a member’s phone number that could be found in the white pages.

 
