NCUA Letter 16-CU-03 Annual Privacy Notice Requirement

The NCUA issued Letter 16-CU-03 clarifying their position on the annual privacy notice requirement as a result of the changes to the Gramm-Leach-Bliley Act (GLBA).  We previously blogged about the requirements at https://complianceservicesgroup.com/annual-privacy-notice-requirement/.

The Letter states:

Based on the amendment, your credit union need not provide an annual privacy notice if:

  • Your policies and practices have not changed since your credit union provided its most recent privacy notice to consumers; and
  • You share nonpublic personal information with nonaffiliated third parties only in accordance with requirements for certain existing GLBA exceptions, including those related to:
    • Performing services for, or functions on behalf of, the credit union, pursuant to a joint marketing agreement;
    • Administering, servicing, or processing a transaction a consumer requests or authorizes; maintaining or servicing certain consumer accounts; or performing securitizations, secondary market sales, or similar transactions; or
    • Other specified operational and legal purposes, including disclosure with the consumer’s consent or at the consumer’s direction and disclosure to protect the confidentiality and security of records related to the consumer, service, product, or transaction.

NCUA examiners have been notified that if your credit union meets the applicable requirements, you need not send annual privacy notices unless and until your credit union no longer meets those requirements. NCUA examiners will only expect annual privacy notices to be provided if your credit union does not meet the new requirements described in this letter.

An initial privacy notice, and an amended privacy notice when your sharing practices change, are still required

Leave a Reply

Your email address will not be published. Required fields are marked *