rules and regulations part 716 and appendix a privacy of


NCUA Rules and Regulations

Part 716

Privacy of Consumer Financial Information and Appendix

Change 5 / September 2000

§ 716.1 Purpose and scope.

(a) Purpose. This part governs the treatment of nonpublic personal information about consumers by the credit unions listed in paragraph (b) of this section. This part:

(1) Requires a credit union to provide notice to members about its privacy policies and practices;

(2) Describes the conditions under which a credit union may disclose nonpublic personal information about consumers to nonaffiliated third parties; and

(3) Provides a method for consumers to prevent a credit union from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure, subject to the exceptions in §§ 716.13, 716.14, and 716.15.

(b) Scope. (1) This part applies only to nonpublic personal information about individuals who obtain financial products or services for personal, family or household purposes. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial or agricultural purposes. This part applies to federally-insured credit unions. This part refers to a federally-insured credit union as “you” or “the credit union.”

(2) Nothing in this part modifies, limits, or supersedes the standards governing individually identifiable financial information promulgated by the Secretary of Health and Human Services under the authority of §§ 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–1320d–8).

§ 716.2 Rule of construction.

The examples in this part and the sample clauses in appendix A of this part are not exclusive. Compliance with an example or use of a sample clause, to the extent applicable, constitutes compliance with this part.

§ 716.3 Definitions.

As used in this part, unless the context requires otherwise:

(a)(1) Affiliate means any company that controls, is controlled by, or is under common control with another company.

(2) Examples. (i) An affiliate of a federal credit union is a credit union service organization (CUSO), as provided in 12 CFR part 712, that is controlled by the federal credit union.

(ii) An affiliate of a federally-insured, state-chartered credit union is a company that is controlled by the credit union.

(b)(1) Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.

(2) Examples. (i) Reasonably understandable. You make your notice reasonably understandable if you:

(A) Present the information contained in the notice in clear, concise sentences, paragraphs and sections;

(B) Use short, explanatory sentences or bullet lists whenever possible;

(C) Use definite, concrete, everyday words and active voice whenever possible;

(D) Avoid multiple negatives;

(E) Avoid legal and highly technical business terminology wherever possible; and

(F) Avoid explanations that are imprecise and readily subject to different interpretations.

(ii) Designed to call attention. You design your notice to call attention to the nature and significance of the information in it if you:

(A) Use a plain-language heading to call attention to the notice;

(B) Use a typeface and type size that are easy to read;

(C) Provide wide margins and ample line spacing;

(D) Use boldface or italics for key words; and

(E) In a form that combines your notice with other information, use distinctive type size, style, and graphic devices, such as shading or sidebars.

(iii) Notices on web sites. If you provide notices on a web page, you design your notice to call attention to the nature and significance of the information in it if you use text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the web site (such as text graphics, hyperlinks or sound) do not distract attention from the notice, and you either:

(A) Place the notice on a screen frequently accessed by consumers, such as a home page or a page on which transactions are conducted; or

(B) Place a link on a screen frequently accessed by consumers, such as a home page or a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.

(c) Collect means to obtain information that you organize or can retrieve by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, irrespective of the source of the underlying information.

(d) Company means any corporation, limited liability company, business trust, general or limited partnership, association or similar organization.

(e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you, that is to be used primarily for personal, family or household purposes, or that individual’s legal representative.

(2) Examples. (i) An individual who provides nonpublic personal information to you in connection with obtaining or seeking to obtain credit union membership is your consumer regardless of whether you establish a member relationship.

(ii) An individual who provides nonpublic personal information to you in connection with using your ATM is your consumer.

(iii) If you hold ownership or servicing rights to an individual’s loan, the individual is your consumer, even if you hold those rights in conjunction with one or more financial institutions. (The individual is also a consumer with respect to the other financial institutions involved). This applies, even if you, or another financial institution with those rights, hire an agent to collect on the loan or to provide processing or other services.

(iv) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.

(v) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.

(f) Consumer reporting agency has the same meaning as in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).

(g) Control of a company means:

(1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;

(2) Control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or

(3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the NCUA determines. With respect to state-chartered credit unions, NCUA will consult with the appropriate state regulator prior to making its determination.

(4) Example. NCUA will presume a credit union has a controlling influence over the management or policies of a CUSO, if the CUSO is 67% owned by credit unions.

(h) Credit union means a federal or state-chartered credit union that the National Credit Union Share Insurance Fund insures.

(i) Customer means a consumer who has a customer relationship with a financial institution other than a credit union.

(j) Customer relationship means a continuing relationship between a consumer and a financial institution other than a credit union.

(k) Federal functional regulator means—

(1) The National Credit Union Administration Board;

(2) The Board of Governors of the Federal Reserve System;

(3) The Office of the Comptroller of the Currency;

(4) The Board of Directors of the Federal Deposit Insurance Corporation;

(5) The Director of the Office of Thrift Supervision; and

(6) The Securities and Exchange Commission.

(l)(1) Financial institution means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activity as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

(2) Examples of financial institutions may include, but are not limited to: credit unions; banks; insurance companies; securities brokers, dealers, and underwriters; loan brokers and servicers; tax planners and preparation services; personal property appraisers; real estate appraisers; career counselors for employees in financial occupations; digital signature services; courier services; real estate settlement services; manufacturers of computer software and hardware; and travel agencies operated in connection with financial services.

(3) Financial institution does not include:

(i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);

(ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or

(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.

(m)(1) Financial product or service means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

(2) Financial service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service.

(n) Member means a consumer who has a member relationship with you. For purposes of this part only, it will include certain nonmembers.

(o)(1) Member relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family or household purposes. As noted in the examples, this will include certain consumers that are not your members.

(2) Examples. (i) A consumer has a continuing relationship with you if the consumer:

(A) Is your member as defined in your bylaws;

(B) Is a nonmember who has a share, share draft, or credit card account with you jointly with a member;

(C) Is a nonmember who has a loan that you service;

(D) Is a nonmember who has an account with you and you are a credit union that has been designated as a low-income credit union; or

(E) Is a nonmember who has an account in a federally-insured, state-chartered credit union pursuant to state law.

(ii) A consumer does not, however, have a member relationship with you if the consumer is a nonmember and:

(A) The consumer only obtains a financial product or service in isolated transactions, such as using your ATM to withdraw cash from an account maintained at another financial institution or purchasing travelers checks; or

(B) You sell the consumer’s loan and do not retain the rights to service that loan.

(p)(1) Nonaffiliated third party means any person except:

(i) Your affiliate; or

(ii) A person employed jointly by you and any company that is not your affiliate (but nonaffiliated third party includes the other company that jointly employs the person).

(q)(1) Nonpublic personal information means:

(i) Personally identifiable financial information; and

(ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information.

(2) Nonpublic personal information does not include:

(i) Publicly available information, except as included on a list described in paragraph (q)(1)(ii) of this section; or

(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information, other than publicly available information.

(3) Examples of lists. (i) Nonpublic personal information includes any list of individuals’ names and street addresses that is derived in whole or in part using personally identifiable financial information, other than publicly available information, such as account numbers.


(ii) Nonpublic personal information does not include any list of individuals’ names and addresses that contains only publicly available information, is not derived using personally identifiable financial information, other than publicly available information, either in whole or in part, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a credit union, other than publicly available information.

(r)(1) Personally identifiable financial information means any information:

(i) A consumer provides to you to obtain a financial product or service from you;

(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or

(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

(2) Personally identifiable financial information does not include publicly available information.

(3) Examples. (i) Information included. Personally identifiable financial information includes:

(A) Information a consumer provides to you on an application to obtain membership, a loan, credit card or other financial product or service;

(B) Account balance information, payment history, overdraft history, and credit or debit card purchase information;

(C) The fact that an individual is or has been one of your members or has obtained a financial product or service from you;

(D) Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;

(E) Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on a loan or servicing a loan;

(F) Any information you collect through an Internet “cookie” (an information collecting device from a web server); and

(G) Information from a consumer report.

(ii) Information not included. Personally identifiable financial information does not include:

(A) A list of names and addresses of customers of an entity that is not a financial institution; and

(B) Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.

(s)(1) Publicly available information means any information that you have a reasonable basis to believe is lawfully made available to the general public from:

(i) Federal, state or local government records;

(ii) Widely distributed media; or

(iii) Disclosures to the general public that are required to be made by federal, state or local law.

(2) Reasonable basis. You have a reasonable basis to believe that information is lawfully made available to the general public if you have taken steps to determine:

(i) That the information is of the type that is available to the general public; and

(ii) Whether an individual can direct that the information not be made available to the general public and, if so, that your member or consumer has not done so.

(3) Examples. (i) Government records. Publicly available information in government records includes information in government real estate records and security interest filings.

(ii) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or a web site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or site operator requires a fee or a password, so long as access is available to the general public.

(iii) Reasonable basis. (1) You have a reasonable basis to believe that mortgage information is lawfully made available to the general public if you have determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.

(2) You have a reasonable basis to believe that an individual’s telephone number is lawfully made available to the general public if you have located the telephone number in the telephone book or have been informed by the consumer that the telephone number is not unlisted.

(t) You means a federally-insured credit union.


Subpart A—Privacy and Opt Out Notices

§ 716.4 Initial privacy notice to consumers required.

(a) Initial notice requirement. You must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices to a:

(1) Member, not later than when you establish a member relationship, except as provided in paragraph (e) of this section; and

(2) Consumer, before you disclose any nonpublic personal information about the consumer to any nonaffiliated third party, if you make such a disclosure other than as authorized by §§ 716.14 and 716.15.

(b) When initial notice to a consumer is not required. You are not required to provide an initial notice to a consumer under paragraph (a) of this section if:

(1) You do not disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized by §§ 716.14 and 716.15; and

(2) You do not have a member relationship with the consumer.

(c) When you establish a member relationship. (1) General rule. You establish a member relationship when you and the consumer enter into a continuing relationship.

(2) Special rule for loans. You establish a member relationship with a consumer when you originate, or acquire the servicing rights to a loan to the consumer for personal, household or family purposes and that is the only basis for the member relationship. If you subsequently transfer the servicing rights to that loan to another financial institution, the member relationship transfers with the servicing rights.

(3)(i) Examples of establishing member relationship. You establish a member relationship when the consumer:

(A) Becomes your member under your bylaws;

(B) Is a nonmember and opens a credit card account with you jointly with a member under your procedures;

(C) Is a nonmember and executes the contract to open a share or share draft account with you or obtains credit from you jointly with a member, including an individual acting as a guarantor;

(D) Is a nonmember and opens an account with you and you are a credit union designated as a low-income credit union;

(E) Is a nonmember and opens an account with you pursuant to state law and you are a state-chartered credit union.

(ii) Examples of loan rule. You establish a member relationship with a consumer who obtains a loan for personal, family, or household purposes when you:

(A) Originate the loan to the consumer and retain the servicing rights; or

(B) Purchase the servicing rights to the consumer’s loan.

(d) Existing members. When an existing member obtains a new financial product or service that is to be used primarily for personal, family, or household purposes, you satisfy the initial notice requirements of paragraph (a) of this section as follows:

(1) You may provide a revised policy notice, under § 716.8, that covers the member’s new financial product or service; or

(2) If the initial, revised, or annual notice that you most recently provided to that member was accurate with respect to the new financial product or service, you do not need to provide a new privacy notice under paragraph (a) of this section.

(e) Exceptions to allow subsequent delivery of notice. (1) You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a member relationship if:

(i) Establishing the member relationship is not at the member’s election;

(ii) Providing notice not later than when you establish a member relationship would substantially delay the member’s transaction and the member agrees to receive the notice at a later time.

(2) Examples of exceptions. (i) Not at member’s election. Establishing a member relationship is not at the member’s election if you acquire a member’s deposit liability from another financial institution and the member does not have a choice about your acquisition.

(ii) Substantial delay of member’s transaction. Providing notice not later than when you establish a member relationship would substantially delay the member’s transaction when:

(A) You and the individual agree over the telephone to enter into a member relationship involving prompt delivery of the financial product or service; or


(B) You establish a member relationship with an individual under a program authorized by Title IV of the Higher Education Act of 1965 (20 U.S.C. 1070 et seq.) or similar student loan programs where loan proceeds are disbursed promptly without prior communication between you and the member.

(iii) No substantial delay of member’s transaction. Providing notice not later than when you establish a member relationship would not substantially delay the member’s transaction when the relationship is initiated in person at your office or through other means by which the member may view the notice, such as on a web site.

(f)(1) Joint relationships. If two or more consumers jointly obtain a financial product or service, other than a loan, from you, you may satisfy the requirements of paragraph (a) of this section by providing one initial notice to those consumers jointly.

(2) Special rule for loans. (i) You are required to provide an initial notice to a borrower or guarantor on a loan if you share his or her nonpublic personal information with nonaffiliated third parties other than for purposes under §§ 716.13, 716.14 and 716.15. (ii) You may satisfy the annual notice requirements of § 716.6 by providing one notice to those borrowers and guarantors jointly.

(g) Delivery. When you are required to deliver an initial privacy notice by this section, you must deliver it according to the methods in § 716.9. If you use a short-form initial notice for nonmember consumers according to § 716.6(c), you may deliver your privacy notice according to § 716.6(c)(3).

§ 716.5 Annual privacy notice to members required.

(a)(1) General rule. You must provide a clear and conspicuous notice to members that accurately reflects your privacy policies and practices not less than annually during the continuation of the member relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the member on a consistent basis.

(2) Example. You provide a notice annually if you define the 12-consecutive-month period as a calendar year and provide the annual notice to the member once in each calendar year following the calendar year in which you provide the initial notice. For example, if a member opens an account on any day of year one, you must provide an annual notice to that member by December 31 of year two.

(b)(1) Termination of member relationship. You are not required to provide an annual notice to a former member.

(2) Examples. Your member becomes your former member when:

(i) An individual is no longer your member as defined in your bylaws;

(ii) In the case of a nonmember’s share or share draft account, the account is inactive under the credit union’s policies;

(iii) In the case of a nonmember’s closed-end loan, the loan is paid in full, you charge off the loan, or you sell the loan without retaining servicing rights;

(iv) In the case of a credit card relationship or other open-end credit relationship with a nonmember, you no longer provide any statements or notices to the nonmember concerning that relationship or you sell the credit card receivables without retaining servicing rights; or

(v) You have not communicated with the nonmember about the relationship for a period of twelve consecutive months, other than to provide annual privacy notices or promotional material.

(c) Delivery. When you are required to deliver an annual privacy notice by this section, you must deliver it according to the methods in § 716.9.

§ 716.6 Information to be included in initial and annual privacy notices.

(a) General rule. The initial and annual privacy notices under §§ 716.4 and 716.5 must include each of the following items of information that applies to you or to the consumers to whom you send your privacy notice, in addition to any other information you wish to provide:

(1) The categories of nonpublic personal information that you collect;

(2) The categories of nonpublic personal information that you disclose;

(3) The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those parties to whom you disclose information under §§ 716.14 and 716.15;

(4) The categories of nonpublic personal information about your former members that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose it, other than those parties to whom you disclose information under §§ 716.14 and 716.15;

(5) If you disclose nonpublic personal information to a nonaffiliated third party under § 716.13 (and no other exception applies to that disclosure), a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted;

(6) An explanation of the consumer’s right under § 716.10(a) to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;

(7) Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosure of information among affiliates);

(8) Your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and

(9) Any disclosures you make under paragraph (b) of this section.

(b) Description of nonaffiliated third parties sub-ject to exceptions. If you disclose nonpublic per-sonal information to third parties as authorizedunder §§ 716.14 and 716.15, you are not requiredto list those exceptions in the initial or annualprivacy notices required by §§ 716.4 and 716.5.When describing the categories with respect tothose parties, you are required to state only thatyou make disclosures to other nonaffiliated thirdparties as permitted by law.

(c) Short-form initial notice with opt out noticefor nonmember consumers. (1) You may satisfythe initial notice requirements in §§ 716.4(a)(2),716.7(b), and 716.7(c) for a consumer who is nota member by providing a short-form initial noticeat the same time as you deliver an opt out noticeas required in § 716.7.

(2) A short-form initial notice must:

(i) Be clear and conspicuous;

(ii) State that your privacy notice is available upon request; and

(iii) Explain a reasonable means by which the consumer may obtain that notice.

(3) You must deliver your short-form initial notice according to § 716.9. You are not required to deliver your privacy notice with your short-form initial notice. You instead may simply provide the consumer a reasonable means to obtain your privacy notice. If a consumer who receives your short-form notice requests your privacy notice, you must deliver your privacy notice according to § 716.9.

(4) Examples of obtaining privacy notice. You provide a reasonable means by which a consumer may obtain a copy of your privacy notice if you:

(i) Provide a toll-free telephone number that the consumer may call to request the notice; or

(ii) For a consumer who conducts business in person at your office, maintain copies of the notice on hand that you provide to a consumer immediately upon request.

(d) Future disclosures. Your notice may include:

(1) Categories of nonpublic personal information that you reserve the right to disclose in the future, but do not currently disclose; and

(2) Categories of affiliates or nonaffiliated third parties to whom you reserve the right in the future to disclose, but to whom you do not currently disclose, nonpublic personal information.

(e) Examples. (1) Categories of nonpublic personal information that you collect. You satisfy the requirement to categorize the nonpublic personal information that you collect if you list the following categories, as applicable:

(i) Information from the consumer;

(ii) Information about the consumer’s transactions with you or your affiliates;

(iii) Information about the consumer’s transactions with nonaffiliated third parties; and

(iv) Information from a consumer reporting agency.

(2) Categories of nonpublic personal information you disclose. (i) You satisfy the requirement to categorize the nonpublic personal information that you disclose if you list the categories described in paragraph (e)(1) of this section, as applicable, and a few examples to illustrate the types of information in each category.

(ii) If you reserve the right to disclose all of the nonpublic personal information about consumers that you collect, you may simply state that fact without describing the categories or examples of the nonpublic personal information you disclose.

(3) Categories of affiliates and nonaffiliated third parties to whom you disclose. You satisfy the requirement to categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information if you list the following categories, as applicable, and a few examples to illustrate the types of third parties in each category.

(i) Financial service providers;

(ii) Non-financial companies; and

(iii) Others.

(4) Disclosures under exception for service providers and joint marketers. If you disclose nonpublic personal information under the exception in § 716.13 to a nonaffiliated third party to market products or services that you offer alone or jointly with another financial institution, you satisfy the disclosure requirement of paragraph (a)(5) of this section if you:

(i) List the categories of nonpublic personal information you disclose, using the same categories and examples you used to meet the requirements of paragraphs (a)(2) of this section, as applicable; and

(ii) State whether the third party is:

(A) A service provider that performs marketing services on your behalf or on behalf of you and another financial institution; or

(B) A financial institution with whom you have a joint marketing agreement.

(5) Simplified notices. If you do not disclose, and do not intend to disclose, nonpublic personal information about members or former members to affiliates or nonaffiliated third parties except as authorized under §§ 716.14 and 716.15, you may simply state that fact, in addition to the information you must provide under paragraphs (a)(1), (a)(8), (a)(9) and (c) of this section.

(6) Confidentiality and security. You describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if you do both of the following:

(i) Describe in general terms who is authorized to have access to the information.

(ii) State whether you have security practices and procedures in place to ensure the confidentiality of the information in accordance with your policy. You are not required to describe technical information about the safeguards you use.

(7) Joint notice with affiliates. You may provide a joint notice from you and one or more of your affiliates or other financial institutions, as specified in the notice, as long as the notice is accurate with respect to you and the other institution.

§ 716.7 Form of opt out notice to consumers and opt out methods.

(a)(1) Form of opt out notice. If you are required to provide an opt out notice under § 716.10(a)(1), you must provide a clear and conspicuous notice to each of your consumers that accurately explains the right to opt out under that section. The notice must state:

(i) That you disclose or reserve the right to disclose nonpublic personal information about your consumer to a nonaffiliated third party;

(ii) That the consumer has the right to opt out of that disclosure; and

(iii) A reasonable means by which the consumer may exercise the opt out right.

(2) Examples. (i) Adequate opt out notice. You provide adequate notice that the consumer can opt out of the disclosure of nonpublic personal information to a nonaffiliated third party if you:

(A) Identify all of the categories of nonpublic personal information that you disclose or reserve the right to disclose and all of the categories of nonaffiliated third parties to whom you disclose the information, as described in § 716.6(a)(2) and (3) and state that the consumer can opt out of the disclosure of that information; and

(B) Identify the financial products or services that the consumer obtains from you, either singly or jointly, to which the opt out direction would apply.

(ii) Reasonable opt out means. You provide a reasonable means to exercise an opt out right if you:

(A) Designate check-off boxes in a prominent position on the relevant forms with the opt out notice;

(B) Include a reply form together with the opt out notice;

(C) Provide an electronic means to opt out, such as a form that can be sent via electronic mail or a process at your web site, if the consumer agrees to the electronic delivery of information; or

(D) Provide a toll-free telephone number that consumers may call to opt out.

(iii) Unreasonable opt out means. You do not provide a reasonable means of opting out if:

(A) The only means of opting out is for the consumer to write his or her own letter to exercise that opt out right; or

(B) The only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that was provided with the initial notice but not included with the subsequent notice.

(iv) Specific opt out means. You may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.

(b) Same form as initial notice permitted. You may provide the opt out notice together with or on the same written or electronic form as the initial notice you provide in accordance with § 716.4.

(c) Initial notice required when opt out notice delivered subsequent to initial notice. If you provide the opt out notice later than required for the initial notice in accordance with § 716.4, you must also include a copy of the initial notice in writing or, if the consumer agrees, electronically.

(d) Joint relationships. (1) If two or more consumers jointly obtain a financial product or service, other than a loan, from you, you may provide only a single opt out notice. Your opt out notice must explain how you will treat an opt out direction by a joint consumer as explained in the examples in paragraph (d)(5) of this section.

(2) Any of the joint consumers may exercise the right to opt out. You may either:

(i) Treat an opt out direction by a joint consumer to apply to all of the associated joint consumers; or

(ii) Permit each joint consumer to opt out separately.

(3) If you permit each joint consumer to opt out separately, you must permit one of the joint consumers to opt out on behalf of all of the joint consumers.

(4) You may not require all joint consumers to opt out before you implement any opt out direction.

(5) Example. If John and Mary have a joint share account with you and arrange for you to send statements to John’s address, you may do any of the following, but you must explain in your opt out notice which opt out policy you will follow:

(i) Send a single opt out notice to John’s address, but you must accept an opt out direction from either John or Mary.

(ii) Treat an opt out direction by either John or Mary as applying to the entire account. If you do so, and John opts out, you may not require Mary to opt out as well before implementing John’s opt out direction.

(iii) Permit John and Mary to make different opt out directions. If you do so, and if John and Mary both opt out, you must permit one or both of them to notify you in a single response (such as on a form or through a telephone call).

(6) Special rule for loans. (i) You are required to provide an initial opt out notice to a borrower or guarantor on a loan if you share his or her nonpublic personal information with nonaffiliated third parties other than for purposes under §§ 716.13, 716.14 and 716.15.

(ii) You may satisfy your annual opt out notice requirement by providing one notice to those borrowers and guarantors jointly.

(e) Time to comply with opt out. You must comply with the consumer’s opt out direction as soon as reasonably practicable after you receive it.

(f) Continuing right to opt out. A consumer may exercise the right to opt out at any time.

(g) Duration of consumer’s opt out direction. (1) A consumer’s direction to opt out under this section is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.

(2) When a member relationship terminates, the member’s opt out direction continues to apply to the nonpublic personal information that you collected during or related to the relationship. If the individual subsequently establishes a new member relationship with you, the opt out direction that applied to the former relationship does not apply to the new relationship.

(h) Delivery. When you are required to deliver an opt out notice by this section, you must deliver it according to the methods in § 716.9.

§ 716.8 Revised privacy notices.

(a) General rule. Except as otherwise authorized in this part, you must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that you provided to that consumer under § 716.4, unless:

(1) You have provided to the consumer a revised notice that accurately describes your policies and practices;

(2) You have provided to the consumer a new opt out notice;

(3) You have given the consumer a reasonable opportunity, before you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and

(4) The consumer does not opt out.

(b) Examples. (1) Except as otherwise permitted by §§ 716.13, 716.14 and 716.15, you must provide a revised notice if you—

(i) Disclose a new category of nonpublic personal information to any nonaffiliated third party;

(ii) Disclose nonpublic personal information to a new category of nonaffiliated third party; or

(iii) Disclose nonpublic personal information about a former member to a nonaffiliated third party, and that former member has not had the opportunity to exercise an opt out right regarding that disclosure.

(2) A revised notice is not required if you disclose nonpublic personal information to a new nonaffiliated third party that you adequately described in your prior notice.

(c) Delivery. When you are required to deliver a revised privacy notice by this section, you must deliver it according to the methods in § 716.9.

§ 716.9 Delivering privacy and opt out notices.

(a) How to provide notices. You must provide any privacy notices and opt out notices, including short-form initial notices, that this part requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.

(b)(1) Examples of reasonable expectation of actual notice. You may reasonably expect that a consumer will receive actual notice if you:

(i) Hand-deliver a printed copy of the notice to the consumer;

(ii) Mail a printed copy of the notice to the last known address of the consumer;

(iii) For the consumer who conducts transactions electronically, post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service;

(iv) For an isolated transaction with the consumer, such as an ATM transaction, post the notice on the ATM screen and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.

(2) Examples of unreasonable expectations of actual notice. You may not, however, reasonably expect that a consumer will receive actual notice if you:

(i) Only post a sign in your branch or office or generally publish advertisements of your privacy policies and practices;

(ii) Send the notice via electronic mail to a consumer who does not obtain a financial product or service from you electronically.

(c) Annual notices only. You may reasonably expect that a member will receive actual notice of your annual privacy notice if:

(1) The member uses your web site to access financial products and services electronically and agrees to receive notices at your web site and you post your current privacy notice continuously in a clear and conspicuous manner on your web site; or

(2) The member has requested that you refrain from sending any information regarding the member relationship, and your current privacy notice remains available to the member upon request.

(d) Oral description of notice insufficient. You may not provide any notice required by this part solely by orally explaining the notice, either in person or over the telephone.

(e) Retention or accessibility of notices for members. (1) For members only, you must provide the initial notice required by § 716.4(a)(1), the annual notice required by § 716.5(a) and the revised notice required by § 716.8 so that the member can retain them or obtain them later in writing or, if the member agrees, electronically.

(2) Examples of retention or accessibility. You provide the privacy notice to the member so that the member can retain it or obtain it later if you:

(i) Hand-deliver a printed copy of the notice to the member;

(ii) Mail a printed copy of the notice to the last known address of the member upon request of the member; or

(iii) Make your current privacy notice available on a web site (or a link to another web site) for the member who obtains a financial product or service electronically and agrees to receive the notice at the web site.

Subpart B—Limits on Disclosures

§ 716.10 Limits on disclosure of nonpublic personal information to nonaffiliated third parties.

(a)(1) Conditions for disclosure. Except as otherwise authorized in this part, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless:

(i) You have provided to the consumer an initial notice as required under § 716.4;

(ii) You have provided to the consumer an opt out notice as required in § 716.7;

(iii) You have given the consumer a reasonable opportunity, before you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and

(iv) The consumer does not opt out.

(2) Opt out definition. Opt out means a direction by the consumer that you not disclose nonpublic personal information about that consumer to a nonaffiliated third party, other than as permitted by §§ 716.13, 716.14 and 716.15.

(3) Examples of reasonable opportunity to opt out. You provide a consumer with a reasonable opportunity to opt out if:

(i) By mail. You mail the notices required in paragraph (a)(1) of this section to the consumer and allow the consumer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 30 days from the date you mailed the notices.

(ii) By electronic means. A member opens an on-line account with you and agrees to receive the notices required in paragraph (a)(1) of this section electronically, and you make the notices available to the member on your web site and allow the member to opt out by any reasonable means within 30 days after the date that the member acknowledges receipt of the notices.

(iii) Isolated transaction with consumer. For an isolated transaction, such as the purchase of a traveler’s check by a consumer, you provide the consumer with a reasonable opportunity to opt out if you provide the notices required in paragraph (a)(1) of this section at the time of the transaction and request that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.

(b) Application of opt out to all consumers and all nonpublic personal information. (1) You must comply with this section, regardless of whether you and the consumer have established a member relationship.

(2) Unless you comply with this section, you may not, directly or through an affiliate, disclose any nonpublic personal information about a consumer that you have collected, regardless of whether you collected it before or after receiving the direction to opt out from the consumer.

(c) Partial opt out. You may allow a consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.

§ 716.11 Limits on redisclosure and reuse of information.

(a)(1) Information you receive under an exception. If you receive nonpublic personal information from a nonaffiliated financial institution under an exception in § 716.14 or 716.15 of this part, your disclosure and use of that information is limited as follows:

(i) You may disclose the information to the affiliates of the financial institution from which you received the information; and

(ii) You may disclose the information to your affiliates, but your affiliates may, in turn, disclose and use the information only to the extent that you may disclose and use the information; and

(iii) You may disclose and use the information pursuant to an exception in § 716.14 or 716.15 in the ordinary course of business to carry out the activity covered by the exception under which you received the information.

(2) Example. If you receive a member list from a credit union in order to provide correspondent services under the exception in § 716.14(a), you may disclose that information under any exception in § 716.14 or 716.15 in order to provide those services. For example, you could disclose the information in response to a properly authorized subpoena or to your attorneys, accountants, and auditors. You could not disclose that information to a third party for marketing purposes or use that information for your own marketing purposes.

(b)(1) Information you receive outside of an exception. If you receive nonpublic personal information from a nonaffiliated financial institution other than under an exception in § 716.14 or 716.15 of this part, you may disclose the information only:

(i) To the affiliates of the financial institution from which you received the information;

(ii) To your affiliates, but your affiliates may, in turn, disclose the information only to the extent that you can disclose the information;

(iii) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which you received the information; and

(iv) Pursuant to an exception in § 716.14 or 716.15.

(2) Example. If you obtain a customer list from a nonaffiliated financial institution outside of the exceptions in §§ 716.14 and 716.15,

(i) You may use the list for your own purposes;

(ii) You may disclose that list to another non-affiliated third party only if the financial institution from which you purchased the list could have disclosed the list to that third party, that is you may disclose the list in accordance with the privacy policy of the financial institution from which you received the list, as limited by the opt out direction of each consumer whose nonpublic personal information you intend to disclose; and

(iii) You may disclose that list as permitted by § 716.14 or 716.15, such as to your attorneys or accountants.

(c) Information you disclose under an exception. If you disclose nonpublic personal information to a nonaffiliated third party under an exception in § 716.14 or 716.15 of this part, the disclosure and use of that information by the third party is limited as follows:

(1) The third party may disclose the information to your affiliates;

(2) The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and

(3) The third party may disclose and use the information pursuant to an exception in § 716.14 or 716.15 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.

(d) Information you disclose outside of an exception. If you disclose nonpublic personal information to a nonaffiliated third party other than under an exception in § 716.14 or 716.15 of this part, the third party may disclose the information only:

(1) To your affiliates;

(2) To its affiliates, but its affiliates, in turn, may disclose the information only to the extent the third party can disclose the information;

(3) To any other person, if the disclosure would be lawful if made directly to that person by you; and

(4) Pursuant to an exception in § 716.14 or 716.15.

§ 716.12 Limits on sharing of account number information for marketing purposes.

(a) General prohibition on disclosure of account numbers. You must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a consumer’s credit card account, share account or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.

(b) Exceptions. Paragraph (a) of this section does not apply if you disclose an account number or similar form of access number or access code:

(1) To your agent or service provider solely in order to perform marketing for your own products or services, as long as the agent or service provider cannot directly initiate charges to the account; or

(2) To a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the member when the member enters into the program.

(c) Examples. (1) Account number. An account number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as you do not provide the recipient with a means to decode the number or code.

(2) Transaction account. A transaction account is an account other than a share or credit card account. A transaction account does not include an account to which a third party cannot initiate a charge.

Subpart C—Exceptions

§ 716.13 Exception to opt out requirements for service providers and joint marketing.

(a) General rule. (1) The opt out requirements in §§ 716.7 and 716.10 do not apply when you provide nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf, if you:

(i) Provide the initial notice in accordance with § 716.4; and

(ii) Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in § 716.14 or 716.15 in the ordinary course of business to carry out those purposes.

(2) Example. If you disclose nonpublic personal information under this section to a financial institution with which you perform joint marketing, your contractual agreement with that institution meets the requirements of paragraph (a)(1)(ii) of this section if it prohibits the institution from disclosing or using the nonpublic personal information except as necessary to carry out the joint marketing or under an exception in § 716.14 or 716.15 in the ordinary course of business to carry out that joint marketing.

(b) Service may include joint marketing. The services that a nonaffiliated third party performs for you under paragraph (a) of this section may include marketing of your own products or services or marketing of financial products or services offered pursuant to joint agreements between you and one or more financial institutions.

(c) Definition of joint agreement. For purposes of this section, joint agreement means a written contract pursuant to which you and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.

§ 716.14 Exceptions to notice and opt out requirements for processing and servicing transactions.

(a) Exceptions for processing transactions at consumer’s request. The requirements for initial notice in § 716.4(a)(2), the opt out in §§ 716.7 and 716.10 and service providers and joint marketing in § 716.13 do not apply if you disclose nonpublic personal information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with:

(1) Servicing or processing a financial product or service that a consumer requests or authorizes;

(2) Maintaining or servicing the consumer’s account with you, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or

(3) A proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer.

(b) Necessary to effect, administer, or enforce a transaction means that the disclosure is:

(1) Required, or is one of the lawful or appropriate methods, to enforce your rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or

(2) Required, or is a usual, appropriate or acceptable method:

(i) To carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer’s account in the ordinary course of providing the financial service or financial product;

(ii) To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;

(iii) To provide a confirmation, statement or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer’s agent or broker;

(iv) To accrue or recognize incentives or bonuses associated with the transaction that are provided by you or any other party;

(v) In connection with:

(A) The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means;

(B) The transfer of receivables, accounts or interests therein; or

(C) The audit of debit, credit or other payment information.

§ 716.15 Other exceptions to notice and opt out requirements.

(a) Exceptions to opt out requirements. The requirements for initial notice to consumers in § 716.4(a)(2), the opt out in §§ 716.7 and 716.10 and service providers and joint marketing in § 716.13 do not apply when you disclose nonpublic personal information:

(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;

(2)(i) To protect the confidentiality or security of your records pertaining to the consumer, service, product or transaction;

(ii) To protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability;

(iii) For required institutional risk control or for resolving consumer disputes or inquiries;

(iv) To persons holding a legal or beneficial interest relating to the consumer; or

(v) To persons acting in a fiduciary or representative capacity on behalf of the consumer;

(3) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating you, persons that are assessing your compliance with industry standards, and your attorneys, accountants, and auditors;

(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, with respect to any person domiciled in that insurance authority’s state that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;

(5)(i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), or

(ii) From a consumer report reported by a consumer reporting agency;

(6) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or

(7)(i) To comply with federal, state or local laws, rules and other applicable legal requirements;

(ii) To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities; or

(iii) To respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance or other purposes as authorized by law.

(b) Examples of consent and revocation of consent. (1) A consumer may specifically consent to your disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to you for a mortgage so that the insurance company can offer homeowner’s insurance to the consumer.

(2) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under § 716.7(f).

Subpart D—Relation to Other Laws; Effective Date

§ 716.16 Protection of Fair Credit Reporting Act.

Nothing in this part shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this part regarding whether information is transaction or experience information under section 603 of that Act.

§ 716.17 Relation to state laws.

(a) In general. This part shall not be construed as superseding, altering, or affecting any statute, regulation, order or interpretation in effect in any state, except to the extent that such state statute, regulation, order or interpretation is inconsistent with the provisions of this part, and then only to the extent of the inconsistency.

(b) Greater protection under state law. For purposes of this section, a state statute, regulation, order or interpretation is not inconsistent with the provisions of this part if the protection such statute, regulation, order or interpretation affords any consumer is greater than the protection provided under this part, as determined by the Federal Trade Commission, after consultation with the National Credit Union Administration, on the Federal Trade Commission’s own motion or upon the petition of any interested party.

§ 716.18 Effective date; transition rule.

(a) Effective date. This part is effective November 13, 2000. In order to provide sufficient time for you to establish policies and systems to comply with the requirements of this part, the National Credit Union Administration Board has extended the time for compliance with this part until July 1, 2001.

(b)(1) Notice requirement for consumers who were your members on the compliance date. By July 1, 2001, you must provide an initial notice, as required by § 716.4, to consumers who are your members on July 1, 2001.

(2) Example. You provide an initial notice to consumers who are your members on July 1, 2001, if, by that date, you have established a system for providing an initial notice to all new members and have mailed the initial notice to all your existing members.

(c) Two-year grandfathering of service agreements. Until July 1, 2002, a contract that you have entered into with a nonaffiliated third party to perform services for you or functions on your behalf satisfies the provisions of § 716.13(a)(2) of this part, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information, as long as the agreement was entered into on or before July 1, 2000.

Appendix A to Part 716—Sample Clauses

Credit unions, including a group of affiliates that use a common privacy notice, may use the following sample clauses, if the clause is accurate for each institution that uses the notice.

A–1—Categories of information you collect (all credit unions)

You may use this clause, as applicable, to meet the requirement of § 716.6(a)(1) to describe the categories of nonpublic personal information you collect.

Sample Clause A–1:

We collect nonpublic personal information about you from the following sources:

• Information we receive from you on applications or other forms;

• Information about your transactions with us, our affiliates, or others; and

• Information we receive from a consumer reporting agency.

A–2—Categories of information you disclose (credit unions that disclose outside of the exceptions)

You may use one of these clauses, as applicable, to meet the requirement of § 716.6(a)(2) to describe the categories of nonpublic personal information you disclose. These clauses may be used if you disclose nonpublic personal information other than as permitted by the exceptions in §§ 716.13, 716.14, and 716.15.

Sample Clause A–2, Alternative 1:

We may disclose the following kinds of nonpublic personal information about you:

• Information we receive from you on applications or other forms, such as [provide illustrative examples, such as “your name, address, social security number, assets, and income”];

• Information about your transactions with us, our affiliates, or others, such as [provide illustrative examples, such as “your account balance, payment history, parties to transactions, and credit card usage”]; and

• Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as “your creditworthiness and credit history”].

Sample Clause A–2, Alternative 2:

We may disclose all of the information that we collect, as described [describe location in the notice, such as “above” or “below”].

A–3—Categories of information you disclose and parties to whom you disclose (credit unions that do not disclose outside of the exceptions)

You may use this clause, as applicable, to meet the requirements of § 716.6(a)(2), (3) and (4) to describe the categories of nonpublic personal information about members and former members that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose. This clause may be used if you do not disclose nonpublic personal information to any party, other than as permitted by the exceptions in §§ 716.14, and 716.15.

Sample Clause A–3:

We do not disclose any nonpublic personal information about our members and former members to anyone, except as permitted by law.

A–4—Categories of parties to whom you disclose (credit unions that disclose outside of the exceptions)

You may use this clause, as applicable, to meet the requirement of § 716.6(a)(3) to describe the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information. This clause may be used if you disclose nonpublic personal information other than as permitted by the exceptions in §§ 716.13, 716.14, and 716.15, as well as when permitted by the exceptions in §§ 716.14, and 716.15.

Sample Clause A–4:

We may disclose nonpublic personal information about you to the following types of third parties:

• Financial service providers, such as [provide illustrative examples, such as “mortgage bankers, securities broker-dealers, and insurance agents”];

• Non-financial companies, such as [provide illustrative examples, such as “retailers, direct marketers, airlines, and publishers”]; and

• Others, such as [provide illustrative examples, such as “non-profit organizations”].

We may also disclose nonpublic personal information about you to nonaffiliated third parties as permitted by law.

A–5—Service provider/joint marketing exception

You may use one of these clauses, as applicable, to meet the requirements of § 716.6(a)(5) related to the exception for service providers and joint marketers in § 716.13. If you disclose nonpublic personal information under this exception, you must describe the categories of nonpublic personal information you disclose and the categories of third parties with whom you have contracted.

Sample Clause A–5, Alternative 1:

We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements:

• Information we receive from you on applications or other forms, such as [provide illustrative examples, such as “your name, address, social security number, assets, and income”];

• Information about your transactions with us, our affiliates, or others, such as [provide illustrative examples, such as “your account balance, payment history, parties to transactions, and credit card usage”]; and

• Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as “your creditworthiness and credit history”].

Sample Clause A–5, Alternative 2:

We may disclose all of the information we collect, as described [describe location in the notice, such as “above” or “below”] to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements.

A–6—Explanation of opt out right (credit unions that disclose outside of the exceptions)

You may use this clause, as applicable, to meet the requirement of § 716.6(a)(6) to provide an explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right. This clause may be used if you disclose nonpublic personal information other than as permitted by the exceptions in §§ 716.13, 716.14, and 716.15.

Sample Clause A–6:

If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties, you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to nonaffiliated third parties, you may [describe a reasonable means of opting out, such as “call the following toll-free number: (insert number)”].

A–7—Confidentiality and security (all credit unions)

You may use this clause, as applicable, to meet the requirement of § 716.6(a)(8) to describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.

Sample Clause A–7:

We restrict access to nonpublic personal information about you to [provide an appropriate description, such as “those employees who need to know that information to provide products or services to you”]. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal information.