Privacy of Consumer Financial Information (Regulation P) (2024)

Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLBA)^[1] governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements, and (ii) the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.

Title X of the Dodd-Frank Act Wall Street Reform and Consumer Protection Act (Dodd-Frank Act)^[2] granted rulemaking authority for most provisions of Subtitle A of Title V of GLBA to the Consumer Financial Protection Bureau (CFPB) with respect to financial institutions and other entities subject to the CFPB’s jurisdiction, except securities and futures-related companies and certain motor vehicle dealers. The Dodd-Frank Act also granted authority to the CFPB to examine and enforce compliance with these statutory provisions and their implementing regulations with respect to entities under CFPB jurisdiction.^[3] In December 2011 the CFPB re-codified in Regulation P, 12 CFR Part 1016 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , the implementing regulations that were previously issued by the Board, the FDIC, the Federal Trade Commission (FTC), the NCUA, the OCC, and the former OTS.^[4]

On December 1, 2009, the eight federal agencies jointly released a voluntary model privacy form designed to make it easier for consumers to understand how financial institutions collect and share nonpublic personal information.^[5] The final rule adopting the model privacy form was effective on December 31, 2009.

On October 28, 2014, the CFPB published a final rule amending the requirements regarding financial institutions’ provision of their annual disclosures of privacy policies and practices to customers by creating an alternative delivery method that financial institutions can use under certain circ*mstances.^[6] The amendment was effective immediately upon publication. The alternative delivery method allows a financial institution to provide an annual privacy notice by posting the annual notice on its web site, if the financial institution meets certain conditions.

As of December 4, 2015, section 75001 of the Fixing America’s Surface Transportation Act^[7] (FAST Act) amended section 503 of GLBA to establish an exception to the annual privacy notice requirements whereby a financial institution that meets certain criteria is not required to provide an annual privacy notice to customers. The amendment was effective upon enactment.

There are fewer requirements to qualify for the exception to providing an annual privacy notice pursuant to the FAST Act GLBA amendments than there are to qualify to use the CFPB’s alternative delivery method; any institution that meets the requirements for using the alternative delivery method is effectively excepted from delivering an annual privacy notice.

Under the authority of GLBA and the Fair Credit Reporting Act, NCUA issued the Guidelines for Safeguarding Member Information (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 12 CFR Part 748, Appendix A (Security Guidelines). The Security Guidelines require a credit union to establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity, and proper disposal of information. The Security Guidelines impose requirements separate from the privacy requirements of GLBA and Regulation P and address safeguarding the confidentiality and security of information and ensuring proper disposal of information. The Security Guidelines are directed toward preventing and responding to foreseeable threats to, or unauthorized access or use of, that information. The Security Guidelines provide that credit unions must contractually require their affiliated and nonaffiliated third-party service providers that have access to the credit union’s data containing personal information to protect that information. NCUA has also released the IT Security Compliance Guide (opens new window), which is intended to help credit unions comply with the Security Guidelines.

You can find the full text of Regulation P here (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) . You can find the sections of the GLBA relevant to consumer financial privacy here (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) .

• Definitions (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)
• Associated Risks
• Exam Objectives
• Exam Procedures
• Checklist

Associated Risks

Compliance Risk can occur when the credit union fails to implement the necessary controls to comply with Regulation P.

Reputation Risk can occur when members of the credit union learn of its failure to comply with Regulation P.

Examination Objectives

• To assess the quality of the credit union’s compliance management policies, procedures, and internal controls for implementing the regulation, specifically ensuring consistency between what the credit union tells consumers in its notices about its policies and practices and what it actually does.
• To determine the reliance that can be placed on the credit union’s policies, procedures, and internal controls for monitoring the credit union’s compliance with the regulation.
• To determine the credit union’s compliance with the regulation, specifically in meeting the following requirements:
  • Providing members notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each member can reasonably be expected to receive actual notice;
  • Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving members notice and the right to opt out;
  • Appropriately honoring member opt out directions;
  • Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
  • Disclosing account numbers only according to the limits in the regulation.
• To initiate effective corrective actions when violations of law are identified, or when policies, procedures, or internal controls are deficient.

Examination Procedures^[8]

1. Through discussions with management and review of available information, identify the credit union’s information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:
   1. Notices (initial, annual, revised, opt-out, short-form, and simplified);
   2. Credit union privacy policies, procedures, and internal controls, including those to:
      • Process requests for nonpublic personal information, including requests for aggregated information;
      • Deliver notices to consumers;
      • Manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders);
      • Prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and
      • Prevent the unlawful disclosure of account numbers;
   3. Information sharing agreements between the credit union and affiliates and service agreements or contracts between the credit union and nonaffiliated third parties either to obtain or provide information or services;
   4. Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under §1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) are met and whether the credit union is disclosing account number information in violation of §1016.12 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) );
   5. Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including information collected electronically through Internet cookies; or through ATM transactions);
   6. Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party;
   7. Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically;
   8. Records that reflect the credit union’s categorization of its information sharing practices under § 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , § 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , § 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , and outside of these exceptions; and
   9. Results of a 501(b) (15 U.S.C. 6801(b) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ) inspection (used to determine the accuracy of the credit union’s privacy disclosures regarding information security).
2. Use the information gathered from step 1 to work through the “Privacy Notice and Opt-Out Decision Tree” below. Identify which module(s) of procedures is (are) applicable.
3. Use the information gathered from step 1 to work through the Redisclosure and Reuse and Account Number Sharing Decision Trees below, as necessary. Identify which module is applicable.
4. Determine the adequacy of the credit union’s policies, procedures, and internal controls to ensure compliance with the regulation as applicable. Consider the following:
   1. Sufficiency of internal policies, procedures, and internal controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;
   2. Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;
   3. Frequency and effectiveness of monitoring procedures;
   4. Adequacy and regularity of the credit union’s training program;
   5. Suitability of the compliance audit program for ensuring that:
      • The procedures address all regulatory provisions as applicable;
      • The work is accurate and comprehensive with respect to the credit union’s information sharing practices;
      • The frequency is appropriate;
      • conclusions are appropriately reached and presented to responsible parties;
      • Steps are taken to correct deficiencies and to follow-up on previously identified deficiencies; and
   6. Knowledge level of management and personnel.
5. Ascertain areas of risk associated with the credit union’s sharing practices (especially those within §1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and those that fall outside of the exceptions) and any weaknesses found within the compliance management program. Keep in mind any outstanding deficiencies identified in the audit for follow-up when completing the modules.
6. Based on the results of the foregoing initial procedures and discussions with management, determine which procedures should be completed in the applicable module, focusing on areas of particular risk. The selection of procedures to be employed depends upon the adequacy of the credit union’s compliance management system and level of risk identified. Each module contains a series of general instruction to verify compliance, cross-referenced to citations within the regulation. Additionally, there are cross-references to a more comprehensive checklist, which the examiner may use if needed to evaluate compliance in more detail.
7. Evaluate any additional information or documentation discovered during the course of the examination according to these procedures. Note that this may reveal new or different sharing practices necessitating reapplication of the Decision Trees and completion of additional or different modules.
8. Formulate conclusions.
   1. Summarize all findings.
   2. For violation(s) noted, determine the cause by identifying weaknesses in internal controls, compliance review, training, management oversight, or other areas.
   3. Identify action needed to correct violations and to address weaknesses in the credit union’s compliance system, as appropriate.
   4. Discuss findings with management and obtain a commitment for corrective action.

Alternative Text

Does the credit union share nonpublic personal information with nonaffiliated third parties under §1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and/or §1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and outside of the exceptions (with or without also sharing under §1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) )?

If yes, then Module 1,

• Privacy notice (presentation, content, and delivery) (with or without § 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) notice & contracting)
• Short form notice (optional for consumers)
• Customer notice delivery rules
• Opt out rules

Otherwise if no,does the credit union share nonpublic personal information with nonaffiliated third parties under §1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , and §1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and/or §1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) but not outside the exceptions?

If yes, thenModule 2,

• Privacy notice
• Customer notice delivery rules
• § 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) notice & contracting

Otherwise if no,does the credit union share nonpublic personal information with nonaffiliated third parties only under §1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and /or §1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ?

If yes, thenModule 3,

• Privacy notice
• Simplified notice (if applicable)
• Customer notice delivery rules

Alternative Text

Does the credit union receive nonpublic personal information from nonaffiliated financial institutions? If no, thenno review necessary.

If yes, how is that information received?

Ifunder §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and/or 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , thenModule 4 receipt of information under §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and/or 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) .

IfOutside of §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and/or 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ,Module 5 receipt of information outside of §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and/or 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) .

Alternative Text

Does the credit union share account numbers or similar access numbers or codes with nonaffiliated third parties (other than a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing?

If no, then no review necessary.This may include sharing of encrypted account numbers but not the decryption key.

If yes, thenModule 6 Account number sharing.

Module 1 - Sharing nonpublic personal information with nonaffiliated third parties under §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and/or 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and outside of the exceptions

(With or without also sharing under § 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) )

Note: Credit unions whose practices fall within this category engage in the most expansive degree of information sharing permissible. Consequently, these credit unions are held to the most comprehensive compliance standards imposed by the regulation.

Note: As of December 4, 2015, a credit union is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA §§ 502(b)(2) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) (corresponding to Regulation P § 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ) or 502(e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) (corresponding to Regulation P §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ) or regulations prescribed under GLBA § 504(b) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ; and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA § 503 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) . A credit union that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

1. Disclosure of Nonpublic Personal Information
   1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party both inside and outside of the exceptions. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the credit union’s compliance with disclosure limitations.
      1. Compare the categories of information shared and with whom the information was shared to those stated in the privacy notice and verify that what the credit union tells consumers (both members and those who are not members) in its notices about its policies and practices in this regard, and what the credit union actually does, are consistent (§§ 1016.6 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.10 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
      2. Compare the information shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions or from consumers (customers and those who are not customers) who chose not to opt out is shared (§ 1016.10 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
   2. If the credit union also shares information under § 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , obtain and review contracts with nonaffiliated third parties that perform services for the credit union not covered by the exceptions in §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) or 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) . Determine whether the contracts prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed (§ 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
2. Presentation, Content, and Delivery of Privacy Notices
   1. Review the credit union’s initial, annual and revised notices, as well as any short-form notices that the credit union may use for consumers who are not members. Determine whether or not these notices:
      1. Are clear and conspicuous (§§ 1016.3 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.4 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.5(a)(1) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.8(a)(1) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) );
      2. Accurately reflect the credit union’s policies and practices (§§ 1016.4(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.5(a)(1) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.8(a)(1) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ). Note: this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
      3. Include, and adequately describe, all required items of information and contain examples as applicable (§ 1016.6 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ). Note that if the credit union shares under nonpublic personal information under § 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) the notice provisions for that section shall also apply.
      4. If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) of the regulation.
   2. Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written consumer records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide notices to consumers, as appropriate. Assess the following:
      1. Timeliness of delivery (§§ 1016.4(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.7(c) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.8(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ); and
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§ 1016.9 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
      3. For members only, review the timeliness of delivery (§§ 1016.4(d) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.4(e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.5(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ), means of delivery of annual notice (§ 1016.9(c) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ), and accessibility of or ability to retain the notice (§ 1016.9(e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
3. Opt-Out Right
   1. Review the credit union’s opt-out notices. An opt-out notice may be combined with the credit union’s privacy notices. Regardless, determine whether the opt-out notices:
      1. Are clear and conspicuous (§§ 1016.3(b) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and 1016.7(a)(1) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) );
      2. Accurately explain the right to opt-out (§ 1016.7(a)(1) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) );
      3. Include and adequately describe the three required items of information (the credit union’s policy regarding disclosure of nonpublic personal information, the consumer’s opt-out right, and the means to opt-out) (§ 1016.7(a)(1) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ); and
      4. Describe how the credit union treats joint relationships, as applicable (§ 1016.7(e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
   2. Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide the opt-out notice and comply with opt- out directions of consumers (members and those who are not members), as appropriate. Assess the following:
      1. Timeliness of delivery (§ 1016.10(a)(1) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) );
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§ 1016.9 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) );
      3. Reasonableness of the opportunity to opt-out (the time allowed to and the means by which the consumer may opt-out) (§§ 1016.10(a)(1)(iii) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.10(a)(3) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ); and
      4. Adequacy of procedures to implement and track the status of a consumer's (members and those who are not members) opt-out direction, including those of former members (§§ 1016.7(e)-(g) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
4. Checklist Cross References – Module 1

   Checklist Cross References – Module 1

   Regulation Section	Subject	Checklist Questions
   1016.4(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.6(a, b, c, e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , and 1016.9(a, b, g) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Privacy notices (presentation, content, and delivery)	2, 8-11, 14, 18, 35, 36, 41
   1016.4(a, c, d, e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.5 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , and 1016.9(c, e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Customer notice delivery rules	1, 3-7, 37-39
   1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	§ 1016.13 notice and contracting rules (as applicable)	12, 48
   1016.6(d) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Short form notice rules (optional for consumers only)	15-17
   1016.7 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.8 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , and 1016.10 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Opt-out rules	19-34, 42-44
   1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Exceptions	49-51

Module 2 - Sharing nonpublic personal information with nonaffiliated third parties under §§ 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , and 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and/or 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) but not outside of these exceptions

Note: As of December 4, 2015, a credit union is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA §§ 502(b)(2) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) (corresponding to Regulation P § 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ) or 502(e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) (corresponding to Regulation P §§1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ) or regulations prescribed under GLBA § 504(b) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ; and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA § 503 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) . A credit union that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

1. Disclosure of Nonpublic Personal Information
   1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the credit union’s compliance with disclosure limitations.
      1. Compare the information shared and with whom the information was shared to ensure that the credit union accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (§§ 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
      2. Compare the categories of information shared and with whom the information was shared to those stated in the privacy notice and verify that what the credit union tells consumers in its notices about its policies and practices in this regard and what the credit union actually does are consistent (§§ 1016.6 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.10 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
      3. If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) of the regulation.
   2. Review contracts with nonaffiliated third parties that perform services for the credit union not covered by the exceptions in §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) or 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) . Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed (§1016.13(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
2. Presentation, Content, and Delivery of Privacy Notices
   1. Review the credit union’s initial and annual privacy notices. Determine whether or not they:
      1. Are clear and conspicuous (§§ 1016.3(b) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.4(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.5(a)(1) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) );
      2. Accurately reflect the institution’s policies and practices (§§ 1016.4(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.5(a)(1) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ). Note, this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
      3. Include, and adequately describe, all required items of information and contain examples as applicable (§§ 1016.6 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
   2. Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written consumer records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide notices to consumers, as appropriate. Assess the following:
      1. Timeliness of delivery (§ 1016.4(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ); and
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; as a necessary step of a transaction; or pursuant to the alternative delivery method) (§ 1016.9 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
      3. For members only, review the timeliness of delivery (§§ 1016.4(d) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.4(e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , and 1016.5(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ), means of delivery of annual notice (§ 1016.9(c) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ), and accessibility of or ability to retain the notice (§ 1016.9(e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
3. Checklist Cross References – Module 2

   Checklist Cross References – Module 2

   Regulation Section	Subject	Checklist Questions
   1016.4(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.6(a, b, c, e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , and 1016.9(a, b, i) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Privacy notices (presentation, content, and delivery)	2, 8-11, 14, 18, 35, 36, 41
   1016.4(a, c, d, e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.5 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , and 1016.9(c, e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Customer notice delivery rules	1, 3-7, 37-39
   1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Exceptions to Opt-Out	12, 48
   1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Exceptions	49-51

Module 3 - Sharing nonpublic personal information with nonaffiliated third parties only under §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and/or 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)

NOTE: This module applies only to members.

Note: As of December 4, 2015, a credit union is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA §§ 502(b)(2) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) (corresponding to Regulation P § 1016.13 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ) or 502(e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) (corresponding to Regulation P §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ) or regulations prescribed under GLBA § 504(b) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ; and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA § 503 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) . A credit union that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

1. Disclosure of Nonpublic Personal Information
   1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party.
      1. Compare the information shared and with whom the information was shared to ensure that the credit union accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions.
2. Presentation, Content, and Delivery of Privacy Notices
   1. Obtain and review the credit union’s initial and annual notices, as well as any simplified notice that the credit union may use. Note that the credit union may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) exceptions. Determine whether or not these notices:
      1. Are clear and conspicuous (§§ 1016.3(b) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.4(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.5(a)(1) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) );
      2. Accurately reflect the credit union’s policies and practices (§§ 1016.4(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.5(a)(1) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ). Note, this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
      3. Include, and adequately describe, all required items of information (§ 1016.6 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
      4. If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) of the regulation.
   2. Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written member records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide notices to members, as appropriate. Assess the following:
      1. Timeliness of delivery (§§ 1016.4(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.4(d) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.4(e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.5(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ); and
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the member agrees; as a necessary step of a transaction; or pursuant to the alternative delivery method) (§ 1016.9 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ) and accessibility of or ability to retain the notice (§ 1016.9(e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
3. Checklist Cross References – Module 3

   Checklist Cross References – Module 3

   Regulation Section	Subject	Checklist Questions
   1016.4 (a, d, e) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.5 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , and 1016.9 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Member notice delivery process	1, 3-7, 35-41
   1016.6 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Member notice content and presentation	8-11, 14, 18
   1016.6 (c)(5) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Simplified notice content (optional)	13
   1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Exceptions	49-51

Module 4 - Redisclosure and Reuse of nonpublic personal information received from a nonaffiliated financial institution under §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and/or 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)

1. Through discussions with management and review of the credit union’s policies, procedures, and internal controls, determine whether the credit union has adequate policies, procedures, and internal controls to prevent the unlawful redisclosure and reuse of the information where the credit union is the recipient of nonpublic personal information (§ 1016.11(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
2. Select a sample of information received from nonaffiliated financial institutions, to evaluate the credit union’s compliance with redisclosure and reuse limitations.
   1. Verify that the credit union’s redisclosure of the information was only to affiliates of the credit union from which the information was obtained or to the credit union’s own affiliates, except as otherwise allowed in the step 2 below (§ 1016.11(a)(1)(i) and (ii) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
   2. Verify that the credit union only uses and shares the information pursuant to an exception in §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) (§ 1016.11(a)(1)(iii) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
3. Checklist Cross References – Module 4

   Checklist Cross References – Module 4

   Regulation Section	Subject	Checklist Question
   1016.11(a) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Redisclosure and reuse	45
   1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Exceptions	49-51

Module 5 - Redisclosure of nonpublic personal information received from a nonaffiliated financial institution outside of §§ 1016.14 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) and 1016.15 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)

1. Through discussions with management and review of the credit union’s policies, procedures, and internal controls, determine whether the credit union has adequate policies, procedures, and internal controls to prevent the unlawful redisclosure of the information where the credit union is the recipient of nonpublic personal information (§ 1016.11(b) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
2. Select a sample of information received from nonaffiliated financial institutions and shared with others to evaluate the credit union’s compliance with redisclosure limitations.
   1. Verify that the credit union’s redisclosure of the information was only to affiliates of the credit union from which the information was obtained or to the credit union’s own affiliates, except as otherwise allowed in the step 2 below (§ 1016.11(b)(1)(i) and (ii) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
   2. If the credit union shares information with entities other than those under step 1 above, verify that the credit union’s information sharing practices conform to those in the nonaffiliated financial institution’s privacy notice (§ 1016.11(b)(1)(iii) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
   3. Also, review the procedures used by the credit union to ensure that the information sharing reflects the opt-out status of the consumers of the nonaffiliated financial institution (§§ 1016.10 (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , 1016.11(b)(1)(iii) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) ).
3. Checklist Cross References – Module 5

   Checklist Cross References – Module 5

   Regulation Section	Subject	Checklist Question
   1016.11(b) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)	Redisclosure	46

Module 6 - Account number sharing

^[2] Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, Title X, 124 Stat. 1983 (2010).

^[3] Dodd-Frank Act §§1002(12)(J), 1024(b)-(c), and 1025(b)-(c); 12 U.S.C. §§5481(12)(J), 5514(b)-(c), and 5515(b)-(c). Section 1002(12)(J) of the Dodd-Frank Act, however, excluded financial institutions’ information security safeguards under GLBA section 501(b) from the CFPB’s rulemaking, examination, and enforcement authority.

^[4] 76 FR 79025 (Dec. 21, 2011). Pursuant to GLBA, the FTC retains rulemaking authority over any financial institution that is a person described in 12 U.S.C. §5519 (with certain statutory exceptions, the FTC generally retains rulemaking authority for motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).

^[5] 74 FR 62890.

^[6] 79 FR 64057.

^[7] Fixing America’s Surface Transportation Act of 2015, Pub. L. No. 114-94 (2015), 129 Stat. 1312 (2015).

^[8] These reflect FFIEC-approved examination procedures.