AL 2004-11
OCC ADVISORY LETTER

Subject: Electronic Consumer Disclosures and Notices
Date: October 1, 2004

TO: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Service Providers, Software Vendors, Department and Division Heads, and All Examining Personnel.

PURPOSE

Increasingly, national banks are replacing their paper-based consumer notices or disclosures with electronic disclosures. However, the failure to provide such electronic disclosures in a proper manner can expose the bank to significant compliance, transaction, and reputation risk. This advisory provides some background, and highlights issues that should be considered by national banks that provide electronic consumer disclosures.

BACKGROUND

The Electronic Signatures in Global and National Commerce Act[1] (E-SIGN Act), enacted in June 2000, permits disclosures to be made or delivered electronically, notwithstanding any other law that might require a written disclosure, provided that the consumer consents to such disclosures in accordance with the requirements of the act.

The E-SIGN Act requires that before consumers can consent to electronic notices or disclosures they must receive certain clear and conspicuous disclosures. These pre-consent disclosures include information on any right or option to have the record provided in a non-electronic form, the effect of the withdrawal of consent for electronic disclosures, the scope of the consent, how consumers can obtain a paper copy of a record after consent is given (and any associated fees), and the hardware and software requirements for access and retention of the electronic disclosures. 15 USC 7001(c). Further, the act requires that consumers must express their consent electronically, or confirm their consent electronically, in a manner that reasonably demonstrates that the consumer will be able to access required notices or disclosures electronically.

Finally, the act requires that if, after consent is provided, a change is made in the hardware or software requirements needed to access or retain the electronic disclosures and the change creates a material risk that the consumer will not be able to access or retain an electronic disclosure that was the subject of the prior consent, the consumer must be provided with an appropriate notice of the change and must re-consent electronically in a manner that reasonably demonstrates the consumer's ability to access the electronic notice or disclosure.

The above-described special consumer consent requirements under the act apply only if a "statute, regulation, or other rule . . . requires that information relating to a transaction . . . be provided or made available to a consumer in writing . . . ." 15 USC 7001(c)(1).

In 2001, the Federal Reserve Board (the Board) published interim rules on electronic disclosures for its major federal consumer protection regulations.[2] The interim rules required banks that electronically deliver disclosures mandated under those regulations and "related to a transaction" to obtain consumers' affirmative consent in accord with the E-SIGN Act. The interim rules also established uniform standards for the electronic delivery of disclosures required by the various consumer protection laws administered by the Board, including guidance on the timing and delivery of electronic disclosures. Among the "timing and delivery" requirements for electronic disclosures, the Board required that disclosures provided by e-mail be sent to an electronic address designated by the consumer. The Board also required that institutions make a good-faith attempt to redeliver electronic disclosures that are returned undelivered. Disclosures made by posting on an Internet Web site were required to be accompanied by a notice to consumers alerting them to the availability of the disclosures and were to be made available for at least 90 days to allow consumers adequate time to access and retain information. Finally, the Board required that electronic disclosures be made in a manner that will assure compliance with the timing requirements in the underlying regulations; the Board noted that the act does not affect the timing or content of disclosures, including any requirement that the substantive disclosures be clear, conspicuous, and readily understandable.

Later in 2001, the Board announced that it would not mandate compliance with the delivery requirements of the interim regulations because it was considering adjustments to the rules to provide additional flexibility.[3] However, the Board indicated that institutions could continue to provide electronic disclosures as long as the procedures comply with the requirements of section 101(c) of the E-SIGN Act (described above). Thus, until the Board issues permanent rules, national banks may provide electronic disclosures under federal consumer protection rules using either their own policies and practices or the Board's interim rules, so long as the disclosures are made in accord with the E-SIGN Act.

ELECTRONIC DISCLOSURES BY NATIONAL BANKS

National banks contemplating making disclosures to their retail customers by electronic means should determine whether the special consumer consent provisions of the E-SIGN Act apply to those disclosures. As noted above, the consent provisions apply only when a law, rule, or regulation mandates that disclosures be provided "in writing."[4] In addition, where a federal disclosure mandate provides an option for disclosures to be made either "in writing" or in electronic form, the E-SIGN special consent provisions do not apply. However, national banks should be alert to the possibility that some laws or regulations may contain implied writing requirements.[5] In the future, the federal banking regulators may provide additional clarification on which federally mandated disclosures do not "relat[e] to a transaction" and, thus, are not covered by the E-SIGN special consent provisions even though a written disclosure is mandated.[6]

When obtaining effective consumer consent to electronic disclosures under the E-SIGN Act, the OCC encourages national banks to pay particular attention to the following issues:

* Clearly and properly identifying the scope of transactions to which the consent will apply;[7]
* Providing all the required pre-consent disclosures for effective consent under E-SIGN (15 USC 7001(c)(1)) before the federally mandated substantive disclosure or notice is provided electronically;
* Designing an appropriate method to obtain consumer consent or confirmation of consent in an electronic manner that reasonably demonstrates the ability of the consumer to receive the electronic notices and disclosures that are the subject of the consent;[8] and
* Advising consumers of changes in hardware or software that create a material risk that the consumer will no longer be able to access or retain electronic disclosures.

Even where a national bank will be providing electronic disclosures that it believes are not subject to the special consumer consent provisions under the E-SIGN Act,[9] national banks may wish to consider providing consumers with effective prior notice that the bank will be electronically delivering to them important notices, statements, or disclosures. Banks might want to inform consumers what technology they will need to receive and retain those disclosures. Likewise, banks are encouraged to advise consumers of any special fees or charges imposed if the consumer requests a paper copy of an electronic document and whether (and how) consumers can withdraw their consent to electronic disclosures and, if so, what consequences follow.

General Issues on Electronic Disclosures

In designing and implementing electronic consumer disclosures, regardless of whether E-SIGN applies to particular disclosures, the OCC encourages national banks to consider the following issues:

* Whether procedures are needed to deal with electronic disclosures that are returned undelivered;
* Whether electronic disclosures are provided in a form that can be retained by consumers;
* The duration for which electronic notices or disclosures remain available to consumers through the bank's systems;
* Establishing a process to respond appropriately to consumer requests for paper copies of electronic notices and disclosures; and
* Dealing with changes in hardware or software that may create a risk that consumers will no longer be able to access or retain electronic disclosures.

In addition, national banks should ensure their electronic disclosures comply with the timing, format, content, and recordkeeping requirements of the underlying substantive rule (e.g., Regulation Z (Truth in Lending) and Regulation B (Equal Credit Opportunity Act)).

The technology used by the bank to provide electronic disclosures to consumers deserves careful consideration. National banks should consider whether their disclosure technologies will:

* Reasonably be expected to reliably deliver disclosures to consumers,
* Maintain the security of sensitive customer information,
* Limit or prevent fraudulent and other illegal activities, and
* Provide disclosures in a form that consumers can retain.

For example, in considering whether to provide disclosures by e-mail technology, banks should be aware of the inherently insecure nature of most conventional e-mail and consider whether such practice is consistent with the bank's obligation to maintain the security of sensitive customer information.[10] Banks should consider that many consumers are using software that filters incoming e-mail (spam filters) that could affect the consumer's ability to reliably receive e-mail disclosures.

Likewise, the use of "pop-up" mobile code technology to deliver notices and disclosures may be problematic.[11] Frequently, consumers are using a browser configuration or installing software that could block disclosures delivered via mobile code. Additionally, disclosures delivered by pop-up technology may be difficult for consumers to retain.

National banks should also consider a method to educate their customers about "phishing" attacks and related types of on-line fraud to help customers avoid becoming victims of such illegal activities. These educational efforts should include providing information to help customers identify the potential risks associated with identity theft, as well as descriptions of the most frequently used fraudulent schemes.[12]

RESPONSIBLE OFFICE

Questions regarding this advisory letter can be directed to the OCC Compliance Division at (202) 874-4428.

________________
Ann F. Jaedicke
Deputy Comptroller for Compliance

_______________________________

1 Pub. L. No. 106-229, 114 Stat. 464 (June 30, 2000) (codified at 15 USC 7001 et seq.).

2 OCC Bulletin 2001-23, "Uniform Standards for the Electronic Delivery of Disclosures; Regulations M, Z, B, E, and DD" (April 27, 2001). These federal consumer protection regulations are Regulations M (Consumer Leasing), Z (Truth in Lending), B (Equal Credit Opportunity), E (Electronic Fund Transfers), and DD (Truth in Savings).

3 See OCC Bulletin 2001-45, "Uniform Standards for the Electronic Delivery of Disclosure; Regulations M, Z, B, E, and DD" (October 1, 2001).

4 See, for example, the federal regulations listed in footnote 2 above. Some terms and phrases in OCC regulations and laws that require a "writing" include: "advise in writing," "provide copies on paper," "written advice," and "written notice."

5 Some OCC regulations and statutes administered by the OCC specify a particular mode of delivery for a notice or disclosure, e.g., "by mail" (12 CFR 7.2001, 12 USC 21a and 1831r-1(b)) or "by newspaper publication" (12 USC 214a, 15a, and 1828(c)(3)). The status of these "mode of delivery" requirements under the E-SIGN Act is uncertain. Until there is greater certainty, national banks may wish to continue to use the specified non-electronic modes to assure compliance with these requirements.

6 For example, the Board in its interim rules indicated that certain application, solicitation, and advertising disclosures might not be subject to the special consent requirements because they may not "relate to a transaction." See, e.g., 66 Federal Register 17329, 17335 (2001). The Board may provide further guidance on this issue in its permanent rules.

7 For example, consumers should be told whether their consent applies only to a particular transaction or to a broader group of transactions.

8 The E-SIGN Act is not clear on precisely when the "reasonable demonstration" must occur in time relative to the consumer's expression of consent. Pending greater certainty on this issue, a national bank may wish to consider whether the consent method it adopts encourages demonstrations that are reasonably contemporaneous to the expression of consent and that are not unduly delayed. This advisory letter is not intended to interpret the E-SIGN Act.

9 Some terms and phrases that appear in OCC regulations and laws are format-neutral and do not expressly or implicitly require a "writing," such as "provide notice" and "make available."

10 See Interagency Guidelines for Establishing Standards for Safeguarding Customer Information, 12 CFR 30, appendix B.

11 A "pop-up" is a screen generated by mobile code, for example Java or ActiveX, when the customer clicks on a particular hyperlink. Mobile code is used to send small programs to the user's browser.

12 See OCC Bulletin 2004-42 (FFIEC Customer Brochure: Protecting Customers' Personal Financial Information).