Revised June 26, 2024
General Policy Statement: Cencap Federal Credit Union recognizes its responsibility to protect the privacy of member nonpublic personal information. The purpose of this policy is to set forth the guidelines under which such information may be shared with third parties. It is the intent of the Credit Union and any of its affiliates to abide by all applicable laws and regulations governing the privacy of nonpublic personal information including the Consumer Financial Protection Bureau (CFPB)’s Privacy of Consumer Financial Information rule (Regulation P), issued to implement the provisions of the Gramm-Leach-Bliley Act and the Right to Financial Privacy Act.
The Credit Union is committed to safeguarding the security of confidential business information of the Credit Union and personal, non-public member information. Such information includes any information regarding members’ accounts, operations of the Credit Union, development of new services, internal marketing information, all computer transactions, and all similar information related to the business of the Credit Union. Any such information or transactions must remain confidential unless disclosure is authorized by the member or required by law.
Proprietary information about the Credit Union shall not be disclosed to any third party unless authorized by the Board or Credit Union management. All employees and officials shall protect the privacy of member information and shall strictly adhere to the Credit Union’s Privacy Policy and practices and all applicable law.
DEFINITIONS. For the purpose of this privacy policy, the following definitions shall apply.
Affiliate. To be considered an affiliate, the Credit Union must have the ownership, control or power to vote 25% of the shares; control election of a majority of the directors, trustees and partners; the power to exercise a controlling influence over the company’s management or policies, or have any ownership interest in a company that is 67% owned by credit unions.
Consumer. A consumer is an individual, or such individual’s legal representative or personal representative, who has obtained a financial product or service from the Credit Union for personal, family or household purposes or for whom the Credit Union is acting as fiduciary. A consumer is not necessarily a member of the Credit Union.
Member. A member is a consumer with whom the Credit Union has, or has had in the past, a continuing relationship where the Credit Union has provided one or more financial products or services for personal, family or household purposes. Examples:
Members as defined in the Credit Union’s bylaws;
A nonmember joint accountholder held with a member;
A former member;
A nonmember who has a loan that the Credit Union services;
A nonmember who has an account with the low-income designated Credit Union; and
A nonmember who has an account in a federally-insured state-chartered Credit Union pursuant to state law.
Nonpublic Personal Information. Personally identifiable financial information and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information, other than publicly available information. Nonpublic personal information does not include publicly available information.
Personally Identifiable Financial Information. Any information provided to the Credit Union by a consumer to obtain a financial product or service, or as a result of a transaction with the consumer. Examples:
Information a consumer provides to the Credit Union on an application to obtain membership, a loan, credit card or other financial product or service;
Account balance information, payment history, overdraft history, and credit or debit card purchase information;
The fact that an individual is or has been one of the Credit Union’s members or has obtained a financial product or service from the Credit Union;
Any information about a consumer if it is disclosed in a manner that indicates that the individual is or has been a member of the Credit Union;
Any information that a consumer provides to the Credit Union or that the Credit Union or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;
Any information the Credit Union collects through an Internet “cookie” (an information collecting device from a web server); and
Information from a consumer report.
COLLECTION OF INFORMATION. In the course of delivering products and services, the Credit Union obtains nonpublic personal information, either directly from the member or from outside sources. This nonpublic personal information is used to comply with federal and state laws and regulations, to provide effective member service and to inform members of products and services which may be of interest to the member.
MAINTENANCE OF ACCURATE INFORMATION. The Credit Union will exercise reasonable caution in the gathering and maintenance of information to ensure its accuracy. When inaccurate information is discovered, it will be corrected as promptly as possible.
DISCLOSING INFORMATION TO THIRD PARTIES. The Credit Union will not disclose personal nonpublic information to non-affiliated third parties without first providing the consumer a clear and conspicuous notice that accurately reflects the Credit Union’s privacy policies and practices, and providing the consumer a reasonable opportunity to opt out of such disclosure, and the consumer has not opted out. The Credit Union may share personal nonpublic information with its affiliate, if applicable. The Credit Union also may share its experience information about the member with credit bureaus. The Credit Union’s reporting to credit bureaus is governed by the Fair Credit Reporting Act, which affords the member the right to make sure that its credit bureau reports are accurate. The requirement for the Credit Union to provide notice and a reasonable opportunity to opt out does not apply if the Credit Union’s disclosure of nonpublic personal information is necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with any of the following:
Servicing or processing a financial product or service that a consumer requests or authorizes.
Maintaining or servicing the consumer’s account with the Credit Union, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity.
A proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transactions related to a transaction of the consumer.
With the written consent or direction of the consumer, provided the consumer has not revoked the consent or direction.
To protect the confidentiality or security of the Credit Union’s records pertaining to the consumer, the service or product, or the transaction; to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; for required institutional risk control, or for resolving customer disputes or inquiries; to persons holding a legal or beneficial interest relating to the consumer; or, to persons acting in a fiduciary or representative capacity on behalf of the consumer.
To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act, to law enforcement agencies, self-regulatory organizations, or for an investigation on a matter related to public safety.
To provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the Credit Union, persons assessing the Credit Union’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors.
To a credit reporting agency in accordance with the Fair Credit Reporting Act.
In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit.
To comply with Federal, State, or local laws, rules, and other applicable legal requirements, to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State or local authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.
Such financial records are disclosed (i) in response to an administrative subpoena; (ii) in response to a search warrant; (iii) in response to a judicial subpoena; or (iv) in response to a formal written request by a proper governmental authority.
RESPONSIBILITY OF SERVICE PROVIDERS. The Credit Union will only approve service providers with established policies of privacy similar to those of the Credit Union. The Credit Union will require contractual agreements from non-affiliated third parties that will include confidentiality of member information disclosed by the Credit Union and prohibit the service provider from disclosure and reuse of nonpublic personal information for any reason other than the intended purpose.
DISCLOSURE OF PRIVACY POLICY. The Credit Union will disclose its privacy policy as required by law, in a form that the members can keep. This disclosure will be in the form of an initial disclosure and will also be provided to members annually if changes are made to the disclosure or if the Credit Union provides an opt-out option. The Credit Union will provide the required notices in conformance with the model privacy notice contained in the regulation.
Initial Privacy Notice. The Credit Union will deliver a notice describing the Credit Union’s privacy policy to each new member/consumer who establishes a relationship with the Credit Union. This initial privacy notice will be provided at or before an establishment of a member relationship (i.e., before the member/consumer signs the account card or other applicable document). A new privacy notice need not be given for each subsequent account opening, if the privacy notice provided for the one-time mailing to existing members or the policy at new account opening has not changed from the previously provided privacy notice.
Joint Relationships. When two or more consumers jointly obtain a financial product or service, other than a loan, from the Credit Union, the Credit Union may provide one initial notice to the consumers jointly.
Annual Notice. Unless otherwise exempt, the Credit Union will provide a notice of the Credit Union’s privacy policy to all members/consumers at least annually (once during any 12 consecutive months) if changes are made to the policy or if the Credit Union provides an opt-out option. The Credit Union need not provide an annual notice to members or consumers who no longer have a relationship with the Credit Union.
Content. As required by law, the initial and annual privacy notices will contain the following information:
The categories of nonpublic personal information that the Credit Union collects;
The categories of nonpublic personal information that the Credit Union discloses;
The categories of affiliates and nonaffiliated third parties to whom the Credit Union discloses nonpublic personal information (other than such disclosures allowed by law);
The categories of nonpublic personal information about the Credit Union’s former members that is disclosed and the categories of affiliated and nonaffiliated third parties to whom such information is disclosed (other than such disclosures allowed by law);
If the Credit Union discloses nonpublic personal information to a nonaffiliated third party (and no exception applies to that disclosure), a separate statement of the categories of information the Credit Union discloses, and the categories of third parties with whom the Credit Union has contracted;
If applicable, an explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
Any disclosures made by the Credit Union under the Fair Credit Reporting Act (i.e., notices regarding the ability to opt out of disclosures of information among affiliates); and
The Credit Union’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
Privacy Notice May Be Combined With or In Other Documents. The Credit Union’s privacy notice may be combined with other information, so long as it is presented in a way that is “clear and conspicuous”; intact so that each consumer can retain its content, and will retain the same page orientation, content, format and order as provided in the model notice contained in the regulation.
MEMBERS’ RIGHT TO “OPT OUT”. Privacy regulations allow members to “opt out” of having their information disclosed to non-affiliated third parties in certain situations. Before the Credit Union discloses any member information to a non-affiliated third party that is not otherwise covered by a disclosure exception in the regulation, the Credit Union will properly inform members of their right to “opt out” and will record and honor “opt out” requests. The opt out notice shall include the address and toll-free phone number of the appropriate notification system used for processing of notices of opt out and will be presented in a format acceptable to the National Credit Union Administration/Federal Trade Commission.
Content. As required by law, the opt out notice will state the following information:
That the Credit Union discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party (including the categories of information and the categories of nonaffiliated third parties to whom it is disclosed);
That the consumer has a right to opt out of that disclosure; and
A reasonable means by which the consumer may exercise that opt out right. Examples:
Designating check-off boxes in a prominent position on the relevant forms with the opt out notice;
Including a reply form together with the opt out notice;
Providing an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the Credit Union’s website, if the consumer agrees to the electronic delivery of information; or
Providing a toll-free telephone number that consumers may call to opt out.
How the Credit Union will treat an opt out direction by a joint consumer.
Delivery After Initial Notice is Provided. If the Credit Union provides the opt out notice after the initial notice is provided, the Credit Union will include a copy of the initial notice in writing or, if the consumer agrees, electronically.
Exceptions to Providing an Opt Out Notice. Under the following scenarios, an opt out notice need not be provided to members when nonpublic personal information is disclosed to nonaffiliated third parties:
Sharing nonpublic personal information with a non-affiliated third party in order to carry out a service on the Credit Union’s behalf, and with whom the Credit Union has a written agreement (i.e., joint marketing agreement) that prohibits further disclosure by the third party;
Disclosure that is necessary to effect, administer or enforce a transaction that a consumer requests or authorizes;
Disclosure with the consent of the consumer (provided it has not been revoked);
Disclosure in order to protect the confidentiality or security of the Credit Union’s records pertaining to the consumer, service, product or transaction;
To protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability;
For required institutional risk control or for resolving consumer disputes or inquiries;
Disclosure to persons acting in a fiduciary or representative capacity on behalf of a consumer;
Disclosure in order to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating the Credit Union, persons that are assessing the Credit Union’s compliance with industry standards, and the Credit Union’s attorneys, accountants and auditors;
Disclosure to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act, to law enforcement agencies, a state insurance authority, self-regulatory organizations, or for an investigation on a matter related to public safety;
Disclosure to a consumer reporting agency in accordance with the Fair Credit Reporting Act;
Disclosure in connection with an actual sale, merger, transfer or exchange of all or a portion of business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or
To comply with federal, state or local laws, rules and other applicable legal requirements.
Joint Relationships. When two or more consumers jointly obtain a financial product or service, other than a loan, from the Credit Union, the Credit Union may provide only a single opt out notice.
Duration of Opt Out. A consumer’s direction to opt out is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.
When a member relationship terminates, the member’s opt out direction continues to apply to the nonpublic personal information that the Credit Union collected during or related to the relationship. If the individual later establishes a new relationship with the Credit Union, the opt out direction that applied to the former relationship does not apply to the new relationship.
DELIVERY OF PRIVACY AND OPT OUT NOTICES. The Credit Union may reasonably expect that a consumer will receive actual notice of the privacy notice and opt-out right (if applicable) if the Credit Union uses one of the following methods of delivery:
Hand-delivery to the consumer, or mailing a printed copy of the notice to the consumer’s last known address;
For a consumer who conducts transactions electronically, posting the notice on the electronic site and requiring the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service; or
For an isolated transaction with a consumer (such as an ATM transaction), posting the notice on the ATM screen and requiring the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service.
REVISED PRIVACY NOTICES. The Credit Union will provide a revised privacy notice (and a new opt out notice, if and when applicable) in the following circumstances:
The Credit Union discloses a new category of nonpublic personal information to any nonaffiliated third party;
The Credit Union discloses nonpublic personal information to a new category of non-affiliated third party; or
The Credit Union discloses nonpublic personal information about a former member to a non-affiliated third party, and that former member has not had the opportunity to exercise an opt out right regarding that disclosure.
CONFIDENTIALITY AND SECURITY SAFEGUARDS. The Credit Union maintains strict policies and security controls to assure that nonpublic personal information in the Credit Union’s computer systems and files is protected.
Credit Union employees and certain contractors are permitted access to nonpublic personal information that they may need to perform their jobs and to provide service to the members.
Credit Union employees and contractors will have access to such nonpublic personal information only as necessary to conduct a transaction or respond to a member’s inquiries.
All Credit Union employees and contractors will be required to respect member privacy through confidentiality and information security provisions included in the Credit Union’s employee policy manual and service agreements with the contractors.
No one except Credit Union employees and authorized contractors will have regular access to the Credit Union computer system and records storage. The Credit Union has established internal security controls, including physical, electronic and procedural safeguards to protect the member nonpublic personal information provided to the Credit Union and the information the Credit Union collects about the member. The Credit Union will continue to review its internal security controls to safeguard member nonpublic personal information as the Credit Union employs new technology in the future.
PRIVACY OF ELECTRONIC TRANSACTIONS.
Encryption. Electronic interfaces with members (such as Internet transactions) will be encrypted using Secure Sockets Layer (SSL) 128-bit encryption.
Account Access. Member account information and transactions will be protected by a password that must be used in conjunction with a username or account number. Members must apply for this capability and be registered with the Credit Union for authentication purposes.
“Cookies”. The Credit Union may use “cookies” as part of its website interface. A “cookie” is a small file that is placed on the user’s computer. While it contains no member information, it identifies the member’s computer and allows the Credit Union to measure usage of the website and customize the website experience.
The Credit Union will disclose whether it collects cookies on its website.
Links. The Credit Union will frequently link to other sites as a convenience to our members. The Credit Union will seek to link with other sites that adhere to similar privacy standards. For all third-party links, the Credit Union will disclose the following information:
The member is leaving the Credit Union’s website;
The member is linking to an alternate website not operated by the Credit Union;
The Credit Union is not responsible for the content of the alternate website;
The Credit Union does not represent either the third party or the member if the two enter into a transaction; and
Privacy and security policies may differ from those practiced by the Credit Union.
Online Privacy of Children’s Information. The Credit Union will not collect, use or disclose online information received from children under age 13 without prior parental notification and consent, which will include an opportunity for the parent to prevent use of information and participation in the activity. Online information will only be used to respond directly to the child’s request and will not be used for other purposes without prior parental consent.
The Credit Union will not distribute to third parties, other than its affiliate, personally identifiable information without prior parental consent.
The Credit Union will not post or otherwise distribute personally identifiable information without prior parental consent.
The Credit Union will not entice a child, by the prospect of a special game, prize or other activity, to divulge more information than is needed to participate in the activity.
Personally identifiable information that is collected online from their children may be reviewed by a parent or guardian upon written request. The parent or guardian has the right to have information deleted and instruct the Credit Union to cease collecting further information from their child.
PRIVACY COMPLIANCE. The Credit Union and all of its affiliates will comply with all applicable laws and regulations governing the privacy, confidentiality, security, and integrity of nonpublic personal information including the Consumer Financial Protection Bureau (CFPB)’s Privacy of Consumer Financial Information rule (Regulation P) and all other applicable state and federal privacy laws and regulations as amended.
ADMINISTRATION AND AMENDMENTS.
Protecting member privacy is an ongoing process and the Credit Union will continue to evaluate and review the measures taken to safeguard member information.
The Credit Union will provide training to employees on how to recognize and control risk to nonpublic personal information, how to handle nonpublic personal information, and how to report unauthorized or fraudulent attempts to gain access to nonpublic personal information.
The Credit Union will create controls and procedures whereby any new product, service, or delivery method shall be reviewed and modified to ensure that it conforms to existing Credit Union privacy policies with regard to nonpublic personal information.
If nonpublic personal information is shared with vendors for a business purpose, all contracts and agreements between the vendors and the Credit Union will include a guarantee that the vendor will safeguard such information.
Because no policy can address every possible contingency and circumstance, Credit Union management shall use its good faith business judgment in administering this privacy policy and expects that all officers, volunteers and employees will use good faith in their actions to protect the privacy of Credit Union members.
The Credit Union reserves the right to amend this privacy policy in any respect with disclosure to members as required by law.
ACCESS TO FINANCIAL RECORDS BY FEDERAL GOVERNMENT AUTHORITIES. To obtain a member’s financial records, the Right to Financial Privacy Act requires the federal governmental authority to first obtain:
An authorization, signed and dated by the member, that:
Authorizes such disclosure for a period not to exceed 3 months;
States that the member may revoke such authorization at any time before the financial records are disclosed;
Identifies the financial records authorized to be disclosed;
Specifies the purposes for which, and the government authority to which, such records may be disclosed; and
States the member’s rights under the Act.
An administrative subpoena or summons.
It is important to keep dates regarding the subpoena. The Credit Union needs written notice that all required elements have been compiled by the federal agency prior to mailing required information back to the agency.
The Credit Union may release member information only if:
The Credit Union has reason to believe that the records sought are related to a legitimate law enforcement inquiry;
The member has been served with a copy of the subpoena on or before the Credit Union is served, and the Credit Union receives a copy of a notice sent to the member specifically describing the nature of the inquiry; and
The Credit Union waits 10 days from the date the member was served (or 14 days if the member was served by mail) to see if notice is received that the member has filed a motion to stop the subpoena.
A search warrant.
A judicial subpoena.
If the member does not challenge the subpoena in court, upon expiration of 10 days from the date of service by the court (or 14 days if the notice was mailed to the member), the records may be made available to the federal government agency.
It is important to keep dates regarding the subpoena. The Credit Union needs written notice that all required elements have been compiled by the federal agency prior to mailing required information back to the agency.
A formal written request by a government agency (to only be used if no other authority is available).
If the member does not challenge the formal written request in court, upon expiration of 10 days from the date of service by the court (or 14 days if the notice was mailed to the member), the records may be made available to the federal government agency.
CERTIFICATION. Upon receipt of a request for financial records by a federal government agency, the Credit Union must assemble the requested records and be prepared to deliver them. The records may not be released until the Credit Union receives a written certification from the federal government agency that it has complied with the Act.
DELAYED NOTICE. The Credit Union may be required to delay the disclosure to the member that records have been obtained or that a request for records has been made for 90 days or indefinitely if a judge finds that:
The investigation being conducted is within the lawful jurisdiction of the government authority seeking the financial records;
There is reason to believe that the records being sought are relevant to a legitimate law enforcement inquiry; and
There is reason to believe that such notice will result in:
Endangering life or physical safety of any person;
Flight from prosecution;
Destruction of or tampering with evidence;
Intimidation of potential witnesses; or
Otherwise seriously jeopardizing an investigation or official proceeding or unduly delaying a trial or ongoing official proceeding.
EXCEPTIONS. The Act’s notification and certification requirements do not apply to the following types of disclosures to federal government agencies:
When the disclosure is pursuant to the filing of a Suspicious Activity Report when the Credit Union believes that information may be relevant to a possible violation of a statute or regulation.
When the disclosure is in accordance with procedures authorized by the Internal Revenue Code.
When the request for disclosure is not identified with a particular member, which also includes records or information that is not identifiable as being derived from the financial records of a particular member.
When the request for disclosure is pursuant to the exercise of supervisory, regulatory or monetary functions with respect to financial institutions (for example, examinations).
When the disclosure is sought under the Federal Rules of Civil or Criminal Procedure, or comparable rules of other courts in connection with litigation to which the government authority and the members are parties.
When the request is pursuant to a lawful proceeding or investigation directed at a financial institution or legal entity.
When the disclosure is incident to perfection of a security interest, proving a claim in bankruptcy, collecting a debt or processing an application with regard to a government loan, loan guarantee or loan insurance agreement.
When it is necessary for the government to use or transfer financial records to process, service or foreclose a loan, or to collect on a debt to the government resulting from a member’s default.
When the Credit Union discloses what is necessary in order to properly administer programs related to the withholding of taxes on nonresident aliens, Federal Old-Age, Survivors, and Disability Insurance Benefits and Railroad Retirement Act Benefits.
When the request is pursuant to the authority of the Federal Reserve System, Federal Reserve Bank, Federal Housing Finance Agency, or the Federal Home Loan Banks to extend credit to the Credit Union or others.
When the request is necessary to administer certain veteran benefits laws.
When the request is pursuant to an administrative subpoena issued by an administrative law judge in an adjudicatory proceeding.
When the request is pursuant to legitimate law enforcement inquiries and the information sought is the name, address, account number and type of account of any member.
When the request is pursuant to a grand jury subpoena. (These MUST be kept confidential.)
When records are sought by the General Accounting Office pursuant to an authorized proceeding, investigation, examination or audit directed at a government authority.
When the Credit Union or supervisory agency provides any record of any officer, director or employee to the Attorney General, a state law enforcement agency, or the Secretary of the Treasury if there is no reason to believe there were crimes against the Credit Union by the insider.
When the disclosure is required pursuant to federal law or regulation.
SPECIAL PROCEDURES.
Access to Financial Records for Certain Intelligence and Protective Purposes. Aside from the exceptions above, the Credit Union may provide records to:
A government authority authorized to conduct foreign counter- or foreign positive-intelligence activities;
The Secret Service for the purpose of conducting its protective functions;
A government authority to conduct investigations of, or intelligence or counterintelligence analyses related to, international terrorism for the purpose of conducting such investigations or analyses; or
The Federal Bureau of Investigation (FBI) when the Director of the FBI (or the Director’s designee) certifies in writing to the Credit Union that such records are sought for foreign counter-intelligence purposes to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a U.S. person is not conducted solely upon the basis of activities protected by the first amendment to the U.S. Constitution.
In these cases, the government authority must submit a certificate to the Credit Union signed by a supervisory official of a rank designated by the head of the government authority.
The Credit Union may not disclose to anyone that a government authority described above has sought or obtained access to a member’s financial records.
Emergency Access to Financial Records. The Credit Union may release information to a government authority if the government authority determines that delay in obtaining access to such records would create imminent danger of:
Physical injury to any person;
Serious property damage; or
Flight to avoid prosecution.
In these cases, the government authority must submit a certificate to the Credit Union signed by a supervisory official of a rank designated by the head of the government authority.
COST REIMBURSEMENT. The government will reimburse the Credit Union for the reasonable cost directly incurred in searching for, reproducing, or transporting books, papers, records or other data required or requested to be produced