Compliance Blog

Jul 21, 2017
Categories: Privacy

Fraud, Schemes and Scams: Let's talk Regulation P and Privacy

Regulation P requires credit unions to create a privacy policy that describes the information they gather and share from and with third parties. Credit unions must disclose this policy to new members and to all members on an annual basis. Generally, credit unions that wish to share sensitive information with non-affiliated third parties must give affected members the right to opt out of or block such sharing. This general right to "opt out," however, is subject to three large exceptions.

The first exception, found in section 1016.14, allows credit unions to disclose nonpublic personal information to nonaffiliated third parties for "processing or servicing transactions" without triggering the notice and opt out requirements.

Section 1016.15 provides other general exceptions to Regulation P's general rule. For example, a credit union may disclose nonpublic personal information where a consumer has consented to the specific disclosure and has not revoked that consent. A credit union may also disclose nonpublic personal information under this exception to comply with a properly authorized subpoena or with federal, state or local laws.

The last exception, found in section 1016.13, permits a credit union to disclose nonpublic personal information to nonaffiliated third parties that perform services or functions for the credit union without providing an opt out. The credit union must satisfy conditions to qualify for this exception. The credit union must first describe the disclosure in its privacy notice. The credit union must also have an agreement with the recipient that prohibits it from using the information for any purpose other than the one for which it received the information and that requires it to properly maintain the confidentiality of the information.

Today's blog will focus on two of the section 1016.15 exceptions: disclosing a member's nonpublic personal information in response to a subpoena and disclosing it to prevent fraud.

Subpoena

Regulation P permits the credit union to disclose nonpublic personally identifiable information in order to comply with a properly authorized "civil, criminal or regulatory investigation, or subpoena or summons by Federal, state, or local authorities." 12 C.F.R. § 1016.15(a)(7)(ii).

Periodically, the NAFCU Compliance Team receives questions about what a credit union should do if it receives a subpoena that requires a member's nonpublic personal information. First, the credit union may want to contact local counsel. The credit union may also want to identify and calendar when it must respond to the subpoena. Since the recipient of a subpoena has a duty to identify and preserve responsive documents, the credit union may want to develop and implement a policy to ensure all responsive documents are identified, collected and preserved.

Furthermore, the credit union may want to determine potential response options. This will be a fact-specific analysis to discuss with local counsel; however, the credit union may have several response options, which may include:

  • Comply with the subpoena and provide the requested testimony, documents or both;
  • Serve written objections to a document subpoena;
  • Move to quash (or modify) the subpoena;
  • Move for a protective order;
  • Contact the party who served the subpoena in an attempt to informally resolve the issue;
  • Contact an adverse party (that is, a party to the litigation whose interests are adverse to those of the party that issued the subpoena) in an attempt to have the adverse party exercise its rights against the party who issued the subpoena.

Ultimately, the decision whether to comply with or resist the subpoena will be a risk-based business decision for the credit union. Several considerations impact that decision, including: the time, effort and cost of compliance; whether sound legal and practical arguments to support non-compliance are available under the circumstances; and the likelihood that arguments in support of non-compliance will be successful.

This article may be a helpful resource for credit unions seeking more guidance on how to deal with a subpoena.

Fraud

Regulation P also permits the credit union to disclose nonpublic personally identifiable information "to protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability."

Absent a legal directive, the credit union will have to make a risk-based business decision as to what degree of information is necessary to protect against or prevent fraud. From a conservative perspective, the credit union may consider disclosing only the information that is necessary, in order to strike the appropriate balance between the credit union's desire to share information and its duty to safeguard member information from unauthorized access pursuant to part 748 of NCUA's Rules and Regulations.

Remember, the NCUA also has several resources that may assist the credit union with making this risk-based business decision:

Moreover, the credit union may want to review its member agreements for any contractual authority or obligations. Ultimately, the credit union's local counsel will be in the best position to offer further guidance.

Upcoming Webinars:

FREE: Understanding the New HMDA Submission Tool
Thursday, August 3 | 2:00 p.m. – 3:30 p.m. ET

Speakers from the CFPB will unveil and demonstrate the HMDA submission tool—be among the first to see it so you're best prepared.

Accounting Changes: Everything but CECL
Wednesday, August 2 | 2:00 p.m. – 3:30 p.m. ET

Understand the details of accounting changes such as the new lease accounting standard, plus explore the role of the private company council and its impacts on your credit union.