How GDPR Will Affect U.S. Credit Unions

The experts at law firm Farleigh Wada Witt share what the European Union’s General Data Protection (GDPR), effective May 25, will mean for American credit unions.

2/13/18

Cybersecurity GraphicWith the effective date of the European Union’s General Date Protection (GDPR) around the corner, a number of credit unions have begun to ask what it will mean to them. Law firm Farleigh Wada Witt shares the following analysis to help Northwest credit unions understand the

How will this affect U.S. credit unions?

The European Union’s “General Data Protection Regulation” (GDPR) takes effect on May 25, 2018. As the implementation date approaches, the question of how (or if) the GDPR applies to U.S. credit unions has received increased attention, but little actual guidance.

The GDPR imposes stringent data protection standards on any organization that possesses and processes personal information of consumers in the European Union (EU). These standards go beyond those imposed by U.S. financial regulators, offering consumers a variety of rights to terminate the organization’s use of data or retention of data. Most U.S. credit unions are not equipped to comply with GDPR requirements. In spite of that fact, many larger vendors are asking credit unions to sign contract amendments or acknowledgments related to GDPR compliance. This adds to the need for clear guidance.

For the reasons outlined below, we believe the GDPR will not apply to most U.S. credit unions that do not have specific member groups in the EU and do not otherwise target marketing and service efforts toward EU nations. 

GDPR Coverage Analysis

The language in the GDPR does not clearly answer whether it is intended to apply to U.S. financial institutions whose only contact with EU residents is account relationships established while they were in the U.S. However, the recitals that precede the GDPR indicate that unless the credit union makes a specific and directed effort to serve members in a particular EU nation, the credit union is not subject to the GDPR.

Although the recitals are not part of the GDPR articles, they were adopted by the EU governing body in the same document as the GDPR articles – somewhat similar to the supplementary information that accompanies a regulation issued by the NCUA or CFPB.

Article 3.2 of the GDPR provides that the regulation applies to:

The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behavior as far as their behavior takes place within the Union.

GDPR, Article 3.2.

Recital 23 provides: “In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”

In other words, the fact that a credit union may have members residing in or visiting the EU who can access the credit union’s services online or via telephone does not automatically subject the credit union to GDPR coverage. If a credit union does not offer its services based in any EU currency or any language of an EU country and does not otherwise direct its activity toward EU residents, it is likely that the credit union is not subject to the GDPR.

GDPR Vendor/Contract Issues

A number of vendors are beginning to take protective actions to ensure their own compliance (or shift the burden for compliance) with the GDPR. Some vendors are asking credit unions to sign contract addenda or acknowledgments verifying the credit union’s compliance with applicable GDPR requirements.

Do not sign these documents without careful legal review for any necessary revisions. A credit union should not represent to a vendor that it complies with the GDPR unless it actually does so, and should not acknowledge that the GDPR applies unless it agrees it is subject to the GDPR. Some vendor documents are not carefully drafted and can commit the credit union to unintended obligations or admissions regarding the GDPR. We recommend a legal review of any such documents provided by a vendor in order to avoid unintended consequences.

This article was authored by Hal Scoggins, Brian Witt, and Kelley Washburn of Farleigh Wada Witt. Questions? Contact the Compliance Hotline: 1.800.546.4465, compliance@nwcua.org.

Question of the Week

My CU has a UTTMA account, and the custodian died. Who should control the money now? The minor is 16 years old.

In Washington, for the Uniform Transfers to Minors Act accounts (UTTMA) on which the custodian has passed away, and the minor is below the age of 18, the following can occur: The custodian could have designated a successor custodian. If not, the guardian of the minor becomes the new custodian. If the minor does not have a guardian, the transferor, the legal representative of the transferor or custodian who has passed, an adult member of the minor’s family, or any other interested person may petition the court be become the new custodian.

Note: A minor who is 16 years old may petition the state high court for emancipation.  If emancipation is granted by the court, the minor takes responsibility for his or her own finances.

In Oregon, a minor who is above 14 years in age can designate a new custodian.

In Idaho, a minor who is above 14 years in age can designate a successor custodian.

Resources

Legal Briefs

Consumer Financial Protection Bureau (CFPB)

CFPB Acting Director Mulvaney announced that he has named Kirsten Sutton Mork as chief of staff for the CFPB.

The CFPB announced that it has issued a Request for Information regarding its enforcement process. The Bureau is seeking information and comments related to the overall efficiency and effectiveness of its process.

Federal Reserve Board (FRB)

The FRB released its January 2018 Senior Loan Officer Opinion Survey on Bank Lending Practices.

The FRB, jointly with the FCA, FDIC, FHFA, and OCC, issued a proposed rule to amend swap margin requirements to conform with rule changes that impose new restrictions on certain qualified financial contracts of systemically important banking organizations.

The FRB released results of a survey that indicate that payments fraud losses are still a problem for financial institutions.

Federal Housing Finance Agency (FHFA)

The FHFA announced its 2018-2020 housing goals for Fannie Mae and Freddie Mac, which includes the publication of a final rule that establishes these goals in accordance with the Housing and Economic Recovery Act of 2008.

Office of the Comptroller of the Currency (OCC)

OCC Comptroller Otting issued a statement regarding his meeting with Acting CFPB Director Mick Mulvaney.

Department of Justice (DOJ)

The DOJ announced that Rabobank N.A., will forfeit over $360 million for BSA and AML program violations. The announcement includes details about the bank’s attempts to hide its deficiencies.

Federal Trade Commission (FTC)

The FTC announced that there is a scam occurring right now regarding individuals impersonating FEMA employees. The impersonators are asking for personal information and using that information to steal identities and filed for FEMA benefits.

Federal Deposit Insurance Corporation (FDIC)

The FDIC announced the release of economic scenarios that will be used by certain institutions for the 2018 stress testing required under the Dodd-Frank Act.

Financial Crimes Enforcement Network (FinCEN)

FinCEN announced that it has updated its SAR filing format, which will go live in June of 2018. The new SAR form includes new and modified types and subtypes of suspicious activity including cyber events and gaming activities.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of February 9, 2018. The last update prior to this was February 7, 2018.

Questions? Contact the Compliance Hotline: 1.800.546.4465; compliance@nwcua.org.