Back to the Basics: Regulation P
We get a lot of questions from credit unions about the privacy of member financial information. For example, what type of member information can be shared? With whom can we share members' information? When can we share members' information? So, today's blog is going to provide an overview of the general requirements in Regulation P, which implements the Gramm-Leach-Bliley Act of 1999 (GLBA).
Let's start with privacy policies. Regulation P requires a credit union to create a privacy policy and disclose it to its members. Additionally, the regulation requires a credit union to provide its members with a notice that describes the information it gathers from them and shares with third parties. Furthermore, it must give members the opportunity to opt out of having their information shared. Otherwise, a credit union must satisfy an exception within sections 1016.13 through 1016.15 of Regulation P, which we will get to later in this blog. Before we discuss the exceptions, let's begin with what information can be shared.
What information can be shared?
Regulation P contains a general prohibition against sharing nonpublic personal information (NPI). Section 1016.3(p) of Regulation P defines nonpublic personal information as personally identifiable financial information, including any information that is derived using any personally identifiable information that is not publicly available. This includes information provided on a loan or credit card application, account balance information, payment history, credit or debit card purchase information, and even the fact that an individual is a member of the credit union.
NPI does not include information that a credit union reasonably believes is publicly available, such as a member's phone number, but only if the credit union has taken steps to determine that the phone number is listed in the white pages. Similarly, a credit union may generally consider mortgage documents and assessed values to be publicly available if state and local laws require that information be filed in the public record.
Who can information be shared with?
Regulation P, section 1016.10, prohibits a credit union from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party. A nonaffiliated third party is any person or company that is not controlled by or under common control with the credit union. For example, an automobile dealership would be a nonaffiliated third party to the credit union that provided a member with an auto loan.
When can nonpublic personal information be shared with nonaffiliated third parties?
There are two ways that a credit union can share nonpublic personal information with nonaffiliated third parties. First, under section 1016.10, if a member was provided with the initial privacy policy, had a reasonable opportunity to opt out, and did not opt out, a credit union may share that member's nonpublic personal information with nonaffiliated third parties. Model privacy notices can be found in the Appendix to Regulation P. The limits on what the third party can do with the information are contained in section 1016.11(b).
Second, if the credit union satisfies one of the three exceptions in sections 1016.13 through 1016.15 of Regulation P, then sharing is permitted.
Section 1016.13 allows for sharing of a member's information with service providers and for joint marketing. This exception requires that the credit union disclose this sharing in its initial privacy policy and have a contractual agreement with the third party that prohibits it from using the information for any purpose other than the purpose for which it received the information.
Section 1016.14 allows for sharing of member information for processing and servicing transactions. This exception allows a credit union to disclose member information freely to carry out routine business transactions such as mailing account statements, collecting a share draft, or processing payments.
Lastly, section 1016.15 contains other general exceptions, such as consumer consent, a person acting in a fiduciary capacity, or a credit union complying with a properly authorized subpoena or with Federal, state, or local laws. In these scenarios, a credit union is permitted to disclose member information to nonaffiliated third parties. As noted above, section 1016.11 contains important limitations on the information that can be shared.
Questions? Suggestions for future blog posts? Contact the Compliance Team at compliance@americascreditunions.org.
On August 26th, the Small Business Administration issued a letter requiring SBA lenders to investigate for potentially unlawful debanking activities. On September 16th, America's Credit Unions sent a letter to the SBA requesting clarity on complying with the debanking letter. On September 30th, the SBA issued a second letter with a form that credit unions with less than $30 billion in assets can use to comply with the August 26th letter. America's Credit Unions has heard from some credit unions that they were unaware that the SBA had issued the second letter and form. You can find that form here. Please note that the form is required to be submitted to debanking@sba.gov by January 5, 2026.