NAFCU letter to CFPB on Regulation P’s annual privacy notices

July 14, 2014

Consumer Financial Protection Bureau
Monica Jackson
Office of the Executive Secretary
1500 Pennsylvania Ave. NW
Washington, DC 20220

RE: Docket No. CFPB-2014-0010/RIN 3170-AA39; Annual Privacy Notices (Regulation P)

Dear Ms. Jackson:

On behalf of the National Association of Federal Credit Unions (NAFCU), the only trade association that exclusively represents federal credit unions, I am writing to you regarding the Consumer Financial Protection Bureau’s (CFPB) proposed changes to Regulation P in regards to annual privacy notices. See 79 FR 27214, (May 13, 2014). The proposed rule revises Regulation P, implementing section 503 of the Gramm-Leach-Bliley Act (GLBA) to provide an alternative delivery method for annual privacy notices under certain conditions.

NAFCU would like to, first and foremost, express our appreciation for the CFPB’s ongoing efforts to work with industry stakeholders to find opportunities to reduce regulatory burden on providers, while simultaneously enhancing protections for consumers. NAFCU has long advocated for the elimination of duplicative and costly annual privacy notices. The proposed rule constitutes an important step to achieving the goal of improved annual privacy notice requirements. As discussed below, NAFCU generally supports the proposed amendments to Regulation P, but believes that certain adjustments are necessary to provide the requisite clarity and relief that the CFPB is attempting to achieve through the proposal.

  1. Introduction

GLBA requires financial institutions and a wide variety of other businesses to issue privacy disclosure notices to consumers. The notices must be “clear and conspicuous” and disclose in detail the institution’s privacy policies if it shares customers’ non-public personal information with affiliates or third parties. The law also requires telling existing and potential customers of their right to opt out of sharing non-public personal information with third parties. Such disclosures must take place when a customer relationship is first established and annually in paper form as long as the relationship continues even if no changes have occurred. This proposal would change these annual privacy notice requirements for financial institutions that do not engage in information sharing activities for which their customers have a right to opt out. Specifically, it would allow such financial institutions to post their annual privacy notices online rather than delivering them individually.

Under the proposal, a credit union would be allowed to post its privacy notice online rather than mailing the notice, if it meets the following conditions: (i) it does not share the customer’s nonpublic personal information with nonaffiliated third parties in a manner that triggers GLBA opt-out rights; (ii) it does not include on its annual privacy notice information about certain consumer opt-out rights under section 603 of the Fair Credit Reporting Act (FCRA); (iii) its annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the FCRA; (iv) the information included in the privacy notice has not changed since the customer received the previous notice; and (v) it uses the model form provided in GLBA implementing Regulation P.

Credit unions that choose to rely on this new method of delivering privacy notices would also be required to: (i) convey at least annually on another notice or disclosure that their privacy notice is available on its website and will be mailed upon request to a toll-free number. This notice or disclosure would have to include a specific web address that takes the customer directly to the privacy notice; (ii) post their current privacy notice continuously on a page of its website that contains only the privacy notice, without requiring a login or any conditions to access the page; and (iii) promptly mail their current privacy notice to customers who request it by telephone.

  2. Qualifying for Alternative Delivery Method

NAFCU strongly supports the CFPB’s proposal to allow the posting of privacy notices online under certain conditions because we believe it will significantly reduce regulatory burden without impacting consumers’ ability to access their privacy policies. NAFCU continues to hear from our members that annual privacy notices provide little benefit, especially when there has been no change in policy or if customers have no right to opt out of information sharing because the credit union does not share nonpublic personal information in a way that triggers such rights. Instead, the mailed privacy notices are often a source of confusion to consumers. Furthermore, they represent an unproductive expense for credit unions that could be better directed toward serving consumers. Accordingly, NAFCU and our members believe that the proposed alternative delivery method will allow consumers to be informed regarding their financial institution’s privacy policy without being inundated with redundant information. For those consumers who wish to read their annual privacy notices, NAFCU believes the notices’ availability on the website and by mail, upon request, will appropriately meet consumers’ needs in an efficient and cost-effective manner for credit unions.

NAFCU appreciates the Bureau’s efforts to ease the annual privacy notice requirements. However, it urges the CFPB to allow credit unions to tailor Regulation P’s Model Privacy Notice to fit their individual policies and circumstances. Although many credit unions, like other financial institutions, use Regulation P’s model form, they often slightly modify it to fit their memberships’ specific circumstances. Under the proposal, however, using the Model Privacy Notice would become a requirement for credit unions seeking to post their privacy notices online. Because the proposal is unclear as to whether and to what extent a credit union could modify the Model Privacy Notice and still qualify for the alternative delivery method, NAFCU and its members would like additional assurances that this condition, if adopted, would allow credit unions to vary the model form in manners that comply with Regulation P.

  3. Implementing Alternative Delivery Method

While NAFCU strongly supports the proposed alternative delivery method, we question whether some of the proposal’s stipulated conditions for posting privacy notices online are appropriate.

NAFCU believes it is inappropriate to require credit unions to maintain a toll-free number for customers to call and request that a hard copy of the annual notice be mailed to them. A number of NAFCU’s members do not currently have a toll-free number and requiring one for the purpose of this proposal would impose a significant burden. Because credit unions invest significant time and energy towards member service, NAFCU and our members do not object to a requirement of providing paper copies of the annual privacy notice upon request. We do, however, object to a requirement that would mandate credit unions to bear additional, unnecessary costs. Credit unions should be given the flexibility to develop reasonable means appropriate for their specific memberships by which a consumer can request a copy of the annual privacy notice. Accordingly, NAFCU urges that the Bureau not require credit unions to maintain a toll-free number in order to post their privacy notices online. In the alternative, NAFCU proposes that the CFPB provide an exception from this proposed requirement for credit unions that do not otherwise have a toll-free telephone number.

Further, NAFCU believes that the CFPB should not require credit unions to continuously post their privacy notices on their websites. While NAFCU understands the Bureau’s intention of ensuring that consumers have consistent access to their annual privacy notices, we believe that this requirement could unintentionally expose credit unions to frivolous lawsuits. Under the proposal, credit unions that choose to post their annual privacy notices online would be required to post their current privacy notices continuously on their websites. This “continuously” verbiage would effectively require that credit unions’ websites remain functional at all times. In light of the unique nature of cyberspace, however, this requirement is practically impossible. While credit unions, like all financial institutions and businesses, strive to operate and maintain their websites’ constant functionality, there are sometimes internet disruptions that are beyond the control of websites’ servers, servicers, or sponsors. By including the “continuously” verbiage, the CFPB opens up the door for malicious individuals to sue credit unions for minor website disruptions that are beyond their control. These frivolous lawsuits will only drive up operational costs, and, in turn, lead to higher costs for consumers. NAFCU and our members strongly recommend that the Bureau remove “continuously” from the proposal.

NAFCU appreciated the opportunity to share its thoughts on the proposed changes to Regulation P’s annual privacy notice requirements and would like to discuss this matter further. Should you have any questions or concerns, please feel free to contact me at or (703)-842-2266.


Alicia Nealon

Regulatory Affairs Counsel

