FDIC Law, Regulations, Related Acts




2000 - Rules and Regulations

{{12-31-07 p.2409}}


PART 334—FAIR CREDIT REPORTING


Subpart A—General Provisions

    Sec.
    334.1    Purpose and scope.
    334.2    Examples.
    334.3    Definitions.


Subpart B—[Reserved]


Subpart C—Affiliate Marketing
    334.20    Coverage and definitions.
    334.21    Affiliate marketing opt-out and exceptions.
    334.22    Scope and duration of opt-out.
    334.23    Contents of opt-out notice; consolidated and equivalent notices.
    334.24    Reasonable opportunity to opt out.
    334.25    Reasonable and simple methods of opting out.
    334.26    Delivery of opt-out notices.
    334.27    Renewal of opt-out.
    334.28    Effective date, compliance date, and prospective application.


Subpart D—Medical Information
    334.30    Obtaining or using medical information in connection with a determination of eligibility for credit.
    334.31    Limits on redisclosure of information.
    334.32    Sharing medical information with affiliates.


Subpart E–H—[Reserved]


Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft
    334.80—334.81      [Reserved]
    334.82    Duties of users regarding discrepancies.
    334.83    Disposal of consumer information.


Subpart J—Identity Theft Red Flags
    334.90    Duties regarding the detection, prevention, and mitigation of identity theft.
    334.91    Duties of card issuers regarding changes of address.

Appendix A–B [Reserved]
Appendix C to Part 334—Model Forms for Opt-Out Notices.
Appendix D–I [Reserved]
Appendix J to Part 334—Interagency Guide.
  AUTHORITY:  12 U.S.C. 1818, 1819(Tenth) and 1831p-1; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s-3, 1681t, 1681w, 6801 and 6805; Pub. L. 108-159, 117 Stat. 1952.
  SOURCE:  The provisions of this Part 334 appear at 69 Fed. Reg. 77618, December 28, 2004, effective July 1, 2005, and 70 Fed. Reg. 70685, November 22, 2005 (the effective date of the interim final rule published on June 10, 2005 (70 FR 33958) is delayed until April 1, 2006; the amendments in this final rule are effective April 1, 2006 except as otherwise noted).

Subpart A—General Provisions


§ 334.1  Purpose and scope.

  (a)  Purpose. The purpose of this part is to implement the Fair Credit Reporting Act. This part generally applies to persons that obtain and use information about consumers to determine the consumer's eligibility for products, services, or employment, share such information among affiliates, and furnish information to consumer reporting agencies.
  (b)  Scope. Except as otherwise provided in this part, the regulations in this part apply to insured state nonmember banks, insured state licensed branches of foreign banks, and subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

[Codified to 12 C.F.R. § 334.1]

[Section 334.1 added at 72 Fed. Reg. 62963, November 7, 2007, effective January 1, 2008, mandatory compliance date is October 1, 2008]



§ 334.2  Examples.

  The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. Examples in a paragraph illustrate only the issue described in the paragraph and do not illustrate any other issue that may arise in this part.


§ 334.3  Definitions.

  For purposes of this part, unless explicitly stated otherwise:
  (a)  Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
  (b)  Affiliate means any company that is related by common ownership or common corporate control with another company.
  (c)  [Reserved]
  (d)  Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.
  (e)  Consumer means an individual.
  (f)  [Reserved]
  (g)  [Reserved]
  (h)  [Reserved]
  (i)  Common ownership or common corporate control means a relationship between two companies under which:
    (1)  One company has, with respect to the other company:
      (i)  Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, directly or indirectly, or acting through one or more other persons;
      (ii)  Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of a company; or
      (iii)  The power to exercise, directly or indirectly, a controlling influence over the management or policies of a company, as the FDIC determines; or
    (2)  Any other person has, with respect to both companies, a relationship described in paragraphs (i)(1)(i)--(i)(1)(iii) of this section.
  (j)  [Reserved]
  (k)  Medical information means:
    (1)  Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to--
      (i)  The past, present, or future physical, mental, or behavioral health or condition of an individual;
      (ii)  The provision of health care to an individual; or
      (iii)  The payment for the provision of health care to an individual.
    (2)  The term does not include:
      (i)  The age or gender of a consumer;
      (ii)  Demographic information about the consumer, including a consumer's residence address or e-mail address;
      (iii)  Any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy; or
      (iv)  Information that does not identify a specific consumer.
  (l)  Person means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.

[Codified to 12 C.F.R. § 334.3]

[Section 334.3 amended at 72 Fed. Reg. 63760, November 9, 2007, effective January 1, 2008, the mandatory compliance date is November 1, 2008]



Subpart B—[Reserved]


Subpart C—Affiliate Marketing


§ 334.20  Coverage and definitions.

  (a)  Coverage. Subpart C of this part applies to insured state nonmember banks, insured state licensed branches of foreign banks, and subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).
  (b)  Definitions. For purposes of this subpart:
    (1)  Clear and conspicuous. The term "clear and conspicuous" means reasonably understandable and designed to call attention to the nature and significance of the information presented.
    (2)  Concise.  (i)  In general. The term "concise" means a reasonably brief expression or statement.
      (ii)  Combination with other required disclosures. A notice required by this subpart may be concise even if it is combined with other disclosures required or authorized by federal or state law.
    (3)  Eligibility information. The term "eligibility information" means any information the communication of which would be a consumer report if the exclusions from the definition of "consumer report" in section 603(d)(2)(A) of the Act did not apply. Eligibility information does not include aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses.
    (4)  Pre-existing business relationship. (i)  In general. The term "pre-existing business relationship" means a relationship between a person, or a person's licensed agent, and a consumer based on--
        (A)  A financial contract between the person and the consumer which is in force on the date on which the consumer is sent a solicitation covered by this subpart;
        (B)  The purchase, rental, or lease by the consumer of the person's goods or services, or a financial transaction (including holding an active account or a policy in force or having another continuing relationship) between the consumer and the person, during the 18-month period immediately preceding the date on which the consumer is sent a solicitation covered by this subpart; or
        (C)  An inquiry or application by the consumer regarding a product or service offered by that person during the three-month period immediately preceding the date on which the consumer is sent a solicitation covered by this subpart.
      (ii)  Examples of pre-existing business relationships. (A) If a consumer has a time deposit account, such as a certificate of deposit, at a depository institution that is currently in force, the depository institution has a pre-existing business relationship with the consumer and can use eligibility information it receives from its affiliates to make solicitations to the consumer about its products or services.
        (B)  If a consumer obtained a certificate of deposit from a depository institution, but did not renew the certificate at maturity, the depository institution has a pre-existing business relationship with the consumer and can use eligibility information it receives from its affiliates to make solicitations to the consumer about its products or services for 18 months after the date of maturity of the certificate of deposit.
        (C)  If a consumer obtains a mortgage, the mortgage lender has a pre-existing business relationship with the consumer. If the mortgage lender sells the consumer's entire loan to an investor, the mortgage lender has a pre-existing business relationship with the consumer and can use eligibility information it receives from its affiliates to make solicitations to the consumer about its products or services for 18 months after the date it sells the loan, and the investor has a pre-existing business relationship with the consumer upon purchasing the loan. If, however, the mortgage lender sells a fractional interest in the consumer's loan to an investor but also retains an ownership interest in the loan, the mortgage lender continues to have a pre-existing business relationship with the consumer, but the investor does not have a pre-existing business relationship with the consumer. If the
mortgage lender retains ownership of the loan, but sells ownership of the servicing rights to the consumer's loan, the mortgage lender continues to have a pre-existing business relationship with the consumer. The purchaser of the servicing rights also has a pre-existing business relationship with the consumer as of the date it purchases ownership of the servicing rights, but only if it collects payments from or otherwise deals directly with the consumer on a continuing basis.
        (D)  If a consumer applies to a depository institution for a product or service that it offers, but does not obtain a product or service from or enter into a financial contract or transaction with the institution, the depository institution has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services for three months after the date of the application.
        (E)  If a consumer makes a telephone inquiry to a depository institution about its products or services and provides contact information to the institution, but does not obtain a product or service from or enter into a financial contract or transaction with the institution, the depository institution has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services for three months after the date of the inquiry.
        (F)  If a consumer makes an inquiry to a depository institution by e-mail about its products or services, but does not obtain a product or service from or enter into a financial contract or transaction with the institution, the depository institution has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services for three months after the date of the inquiry.
        (G)  If a consumer has an existing relationship with a depository institution that is part of a group of affiliated companies, makes a telephone call to the centralized call center for the group of affiliated companies to inquire about products or services offered by the insurance affiliate, and provides contact information to the call center, the call constitutes an inquiry to the insurance affiliate that offers those products or services. The insurance affiliate has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from its affiliated depository institution to make solicitations to the consumer about its products or services for three months after the date of the inquiry.
      (iii)  Examples where no pre-existing business relationship is created. (A)  If a consumer makes a telephone call to a centralized call center for a group of affiliated companies to inquire about the consumer's existing account at a depository institution, the call does not constitute an inquiry to any affiliate other than the depository institution that holds the consumer's account and does not establish a pre-existing business relationship between the consumer and any affiliate of the account-holding depository institution.
        (B)  If a consumer who has a deposit account with a depository institution makes a telephone call to an affiliate of the institution to ask about the affiliate's retail locations and hours, but does not make an inquiry about the affiliate's products or services, the call does not constitute an inquiry and does not establish a pre-existing business relationship between the consumer and the affiliate. Also, the affiliate's capture of the consumer's telephone number does not constitute an inquiry and does not establish a pre-existing business relationship between the consumer and the affiliate.
        (C)  If a consumer makes a telephone call to a depository institution in response to an advertisement that offers a free promotional item to consumers who call a toll-free number, but the advertisement does not indicate that the depository institution's products or services will be marketed to consumers who call in response, the call does not create a pre-existing business relationship between the consumer and the depository institution because the consumer has not made an inquiry about a product or service offered by the institution, but has merely responded to an offer for a free promotional item.
    (5)  Solicitation.  (i)  In general. The term "solicitation" means the marketing of a product or service initiated by a person to a particular consumer that is--
        (A)  Based on eligibility information communicated to that person by its affiliate as described in this subpart; and
        (B)  Intended to encourage the consumer to purchase or obtain such product or service.
      (ii)  Exclusion of marketing directed at the general public. A solicitation does not include marketing communications that are directed at the general public. For example, television, general circulation magazine, and billboard advertisements do not constitute solicitations, even if those communications are intended to encourage consumers to purchase products and services from the person initiating the communications.
      (iii)  Examples of solicitations. A solicitation would include, for example, a telemarketing call, direct mail, e-mail, or other form of marketing communication directed to a particular consumer that is based on eligibility information received from an affiliate.
    (6)  You means a person described in paragraph (a) of this section.

[Codified to 12 C.F.R. § 334.20]

[Section 334.20 added at 72 Fed. Reg. 62965, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]



§ 334.21  Affiliate marketing opt-out and exceptions.

  (a)  Initial notice and opt-out requirement.  (1)  In general. You may not use eligibility information about a consumer that you receive from an affiliate to make a solicitation for marketing purposes to the consumer, unless--
      (i)  It is clearly and conspicuously disclosed to the consumer in writing or, if the consumer agrees, electronically, in a concise notice that you may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes to the consumer;
      (ii)  The consumer is provided a reasonable opportunity and a reasonable and simple method to "opt out," or prohibit you from using eligibility information to make solicitations for marketing purposes to the consumer; and
      (iii)  The consumer has not opted out.
    (2)  Example. A consumer has a homeowner's insurance policy with an insurance company. The insurance company furnishes eligibility information about the consumer to its affiliated depository institution. Based on that eligibility information, the depository institution wants to make a solicitation to the consumer about its home equity loan products. The depository institution does not have a pre-existing business relationship with the consumer and none of the other exceptions apply. The depository institution is prohibited from using eligibility information received from its insurance affiliate to make solicitations to the consumer about its home equity loan products unless the consumer is given a notice and opportunity to opt out and the consumer does not opt out.
    (3)  Affiliates who may provide the notice. The notice required by this paragraph must be provided:
      (i)  By an affiliate that has or has previously had a pre-existing business relationship with the consumer; or
      (ii)  As part of a joint notice from two or more members of an affiliated group of companies, provided that at least one of the affiliates on the joint notice has or has previously had a pre-existing business relationship with the consumer.
  (b)  Making solicitations.  (1)  In general. For purposes of this subpart, you make a solicitation for marketing purposes if--
      (i)  You receive eligibility information from an affiliate;
      (ii)  You use that eligibility information to do one or more of the following:
        (A)  Identify the consumer or type of consumer to receive a solicitation;
        (B)  Establish criteria used to select the consumer to receive a solicitation; or
        (C)  Decide which of your products or services to market to the consumer or tailor your solicitation to that consumer; and
      (iii)  As a result of your use of the eligibility information, the consumer is provided a solicitation.
    (2)  Receiving eligibility information from an affiliate, including through a common database. You may receive eligibility information from an affiliate in various ways, including when the affiliate places that information into a common database that you may access.
    (3)  Receipt or use of eligibility information by your service provider. Except as provided in paragraph (b)(5) of this section, you receive or use an affiliate's eligibility information if a service provider acting on your behalf (whether an affiliate or a nonaffiliated third party) receives or uses that information in the manner described in paragraphs (b)(1)(i) or (b)(1)(ii) of this section. All relevant facts and circumstances will determine whether a person is acting as your service provider when it receives or uses an affiliate's eligibility information in connection with marketing your products and services.
    (4)  Use by an affiliate of its own eligibility information. Unless you have used eligibility information that you receive from an affiliate in the manner described in paragraph (b)(1)(ii) of this section, you do not make a solicitation subject to this subpart if your affiliate:
      (i)  Uses its own eligibility information that it obtained in connection with a pre-existing business relationship it has or had with the consumer to market your products or services to the consumer; or
      (ii)  Directs its service provider to use the affiliate's own eligibility information that it obtained in connection with a pre-existing business relationship it has or had with the consumer to market your products or services to the consumer, and you do not communicate directly with the service provider regarding that use.
    (5)  Use of eligibility information by a service provider. (i)  In general. You do not make a solicitation subject to Subpart C of this part if a service provider (including an affiliated or third-party service provider that maintains or accesses a common database that you may access) receives eligibility information from your affiliate that your affiliate obtained in connection with a pre-existing business relationship it has or had with the consumer and uses that eligibility information to market your products or services to the consumer, so long as--
        (A)  Your affiliate controls access to and use of its eligibility information by the service provider (including the right to establish the specific terms and conditions under which the service provider may use such information to market your products or services);
        (B)  Your affiliate establishes specific terms and conditions under which the service provider may access and use the affiliate's eligibility information to market your products and services (or those of affiliates generally) to the consumer, such as the identity of the affiliated companies whose products or services may be marketed to the consumer by the service provider, the types of products or services of affiliated companies that may be marketed, and the number of times the consumer may receive marketing materials, and periodically evaluates the service provider's compliance with those terms and conditions;
        (C)  Your affiliate requires the service provider to implement reasonable policies and procedures designed to ensure that the service provider uses the affiliate's eligibility information in accordance with the terms and conditions established by the affiliate relating to the marketing of your products or services;
        (D)  Your affiliate is identified on or with the marketing materials provided to the consumer; and
        (E)  You do not directly use your affiliate's eligibility information in the manner described in paragraph (b)(1)(ii) of this section.
      (ii)  Writing requirements. (A) The requirements of paragraphs (b)(5)(i)(A) and (C) of this section must be set forth in a written agreement between your affiliate and the service provider; and
        (B)  The specific terms and conditions established by your affiliate as provided in paragraph (b)(5)(i)(B) of this section must be set forth in writing.
    (6)  Examples of making solicitations. (i)  A consumer has a deposit account with a depository institution, which is affiliated with an insurance company. The insurance company receives eligibility information about the consumer from the depository institution. The insurance company uses that eligibility information to identify the consumer to receive a solicitation about insurance products, and, as a result, the insurance company provides a solicitation to the consumer about its insurance products. Pursuant to paragraph (b)(1) of this section, the insurance company has made a solicitation to the consumer.
      (ii)  The same facts as in the example in paragraph (b)(6)(i) of this section, except that after using the eligibility information to identify the consumer to receive a solicitation about insurance products, the insurance company asks the depository institution to send the solicitation to the consumer and the depository institution does so. Pursuant to paragraph (b)(1) of this section, the insurance company has made a solicitation to the consumer because it used eligibility information about the consumer that it received from an affiliate to identify the consumer to receive a solicitation about its products or services, and, as a result, a solicitation was provided to the consumer about the insurance company's products.
      (iii)  The same facts as in the example in paragraph (b)(6)(i) of this section, except that eligibility information about consumers that have deposit accounts with the depository institution is placed into a common database that all members of the affiliated group of companies may independently access and use. Without using the depository institution's eligibility information, the insurance company develops selection criteria and provides those criteria, marketing materials, and related instructions to the depository institution. The depository institution reviews eligibility information about its own consumers using the selection criteria provided by the insurance company to determine which consumers should receive the insurance company's marketing materials and sends marketing materials about the insurance company's products to those consumers. Even though the insurance company has received eligibility information through the common database as provided in paragraph (b)(2) of this section, it did not use that information to identify consumers or establish selection criteria; instead, the depository institution used its own eligibility information. Therefore, pursuant to paragraph (b)(4)(i) of this section, the insurance company has not made a solicitation to the consumer.
      (iv)  The same facts as in the example in paragraph (b)(6)(iii) of this section, except that the depository institution provides the insurance company's criteria to the depository institution's service provider and directs the service provider to use the depository institution's eligibility information to identify depository institution consumers who meet the criteria and to send the insurance company's marketing materials to those consumers. The insurance company does not communicate directly with the service provider regarding the use of the depository institution's information to market its products to the depository institution's consumers. Pursuant to paragraph (b)(4)(ii) of this section, the insurance company has not made a solicitation to the consumer.
      (v)  An affiliated group of companies includes a depository institution, an insurance company, and a service provider. Each affiliate in the group places information about its consumers into a common database. The service provider has access to all information in the common database. The depository institution controls access to and use of its eligibility information by the service provider. This control is set forth in a written agreement between the depository institution and the service provider. The written agreement also requires the service provider to establish reasonable policies and procedures designed to ensure that the service provider uses the depository institution's eligibility information in accordance with specific terms and conditions established by the depository institution relating to the marketing of the products and services of all affiliates, including the insurance company. In a separate written communication, the depository institution specifies the terms and conditions under which the service provider may use the depository institution's eligibility information to market the insurance company's products and services to the depository institution's consumers. The specific terms and conditions are: a list of affiliated companies (including the insurance company) whose products or services may be marketed to the depository institution's consumers by the service provider; the specific products or types of
products that may be marketed to the depository institution's consumers by the service provider; the categories of eligibility information that may be used by the service provider in marketing products or services to the depository institution's consumers; the types or categories of the depository institution's consumers to whom the service provider may market products or services of depository institution affiliates; the number and/or types of marketing communications that the service provider may send to the depository institution's consumers; and the length of time during which the service provider may market the products or services of the depository institution's affiliates to its consumers. The depository institution periodically evaluates the service provider's compliance with these terms and conditions. The insurance company asks the service provider to market insurance products to certain consumers who have deposit accounts with the depository institution. Without using the depository institution's eligibility information, the insurance company develops selection criteria and provides those criteria, marketing materials, and related instructions to the service provider. The service provider uses the depository institution's eligibility information from the common database to identify the depository institution's consumers to whom insurance products will be marketed. When the insurance company's marketing materials are provided to the identified consumers, the name of the depository institution is displayed on the insurance marketing materials, an introductory letter that accompanies the marketing materials, an account statement that accompanies the marketing materials, or the envelope containing the marketing materials. The requirements of paragraph (b)(5) of this section have been satisfied, and the insurance company has not made a solicitation to the consumer.
      (vi)  The same facts as in the example in paragraph (b)(6)(v) of this section, except that the terms and conditions permit the service provider to use the depository institution's eligibility information to market the products and services of other affiliates to the depository institution's consumers whenever the service provider deems it appropriate to do so. The service provider uses the depository institution's eligibility information in accordance with the discretion afforded to it by the terms and conditions. Because the terms and conditions are not specific, the requirements of paragraph (b)(5) of this section have not been satisfied.
  (c)  Exceptions. The provisions of this subpart do not apply to you if you use eligibility information that you receive from an affiliate:
    (1)  To make a solicitation for marketing purposes to a consumer with whom you have a pre-existing business relationship;
    (2)  To facilitate communications to an individual for whose benefit you provide employee benefit or other services pursuant to a contract with an employer related to and arising out of the current employment relationship or status of the individual as a participant or beneficiary of an employee benefit plan;
    (3)  To perform services on behalf of an affiliate, except that this subparagraph shall not be construed as permitting you to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation as a result of the election of the consumer to opt out under this subpart;
    (4)  In response to a communication about your products or services initiated by the consumer;
    (5)  In response to an authorization or request by the consumer to receive solicitations; or
    (6)  If your compliance with this subpart would prevent you from complying with any provision of State insurance laws pertaining to unfair discrimination in any State in which you are lawfully doing business.
  (d)  Examples of exceptions.  (1)  Example of the pre-existing business relationship exception. A consumer has a deposit account with a depository institution. The consumer also has a relationship with the depository institution's securities affiliate for management of the consumer's securities portfolio. The depository institution receives eligibility information about the consumer from its securities affiliate and uses that information to make a solicitation to the consumer about the depository institution's wealth management services.
{{12-31-07 p.2414.03}}The depository institution may make this solicitation even if the consumer has not been given a notice and opportunity to opt out because the depository institution has a pre-existing business relationship with the consumer.
    (2)  Examples of service provider exception.  (i)  A consumer has an insurance policy issued by an insurance company. The insurance company furnishes eligibility information about the consumer to its affiliated depository institution. Based on that eligibility information, the depository institution wants to make a solicitation to the consumer about its deposit products. The depository institution does not have a pre-existing business relationship with the consumer and none of the other exceptions in paragraph (c) of this section apply. The consumer has been given an opt-out notice and has elected to opt out of receiving such solicitations. The depository institution asks a service provider to send the solicitation to the consumer on its behalf. The service provider may not send the solicitation on behalf of the depository institution because, as a result of the consumer's opt-out election, the depository institution is not permitted to make the solicitation.
      (ii)  The same facts as in paragraph (d)(2)(i) of this section, except the consumer has been given an opt-out notice, but has not elected to opt out. The depository institution asks a service provider to send the solicitation to the consumer on its behalf. The service provider may send the solicitation on behalf of the depository institution because, as a result of the consumer's not opting out, the depository institution is permitted to make the solicitation.
    (3)  Examples of consumer-initiated communications.  (i)  A consumer who has a deposit account with a depository institution initiates a communication with the depository institution's credit card affiliate to request information about a credit card. The credit card affiliate may use eligibility information about the consumer it obtains from the depository institution or any other affiliate to make solicitations regarding credit card products in response to the consumer-initiated communication.
      (ii)  A consumer who has a deposit account with a depository institution contacts the institution to request information about how to save and invest for a child's college education without specifying the type of product in which the consumer may be interested. Information about a range of different products or services offered by the depository institution and one or more affiliates of the institution may be responsive to that communication. Such products or services may include the following: Mutual funds offered by the institution's mutual fund affiliate; section 529 plans offered by the institution, its mutual fund affiliate, or another securities affiliate; or trust services offered by a different financial institution in the affiliated group. Any affiliate offering investment products or services that would be responsive to the consumer's request for information about saving and investing for a child's college education may use eligibility information to make solicitations to the consumer in response to this communication.
      (iii)  A credit card issuer makes a marketing call to the consumer without using eligibility information received from an affiliate. The issuer leaves a voice-mail message that invites the consumer to call a toll-free number to apply for the issuer's credit card. If the consumer calls the toll-free number to inquire about the credit card, the call is a consumer-initiated communication about a product or service, and the credit card issuer may now use eligibility information it receives from its affiliates to make solicitations to the consumer.
      (iv)  A consumer calls a depository institution to ask about retail locations and hours, but does not request information about products or services. The institution may not use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services because the consumer-initiated communication does not relate to the depository institution's products or services. Thus, the use of eligibility information received from an affiliate would not be responsive to the communication and the exception does not apply.
      (v)  A consumer calls a depository institution to ask about retail locations and hours. The customer service representative asks the consumer if there is a particular product or service about which the consumer is seeking information. The consumer responds that
{{12-31-07 p.2414.04}}the consumer wants to stop in and find out about certificates of deposit. The customer service representative offers to provide that information by telephone and mail additional information and application materials to the consumer. The consumer agrees and provides or confirms contact information for receipt of the materials to be mailed. The depository institution may use eligibility information it receives from an affiliate to make solicitations to the consumer about certificates of deposit because such solicitations would respond to the consumer-initiated communication about products or services.
    (4)  Examples of consumer authorization or request for solicitations. (i) A consumer who obtains a mortgage from a mortgage lender authorizes or requests information about homeowner's insurance offered by the mortgage lender's insurance affiliate. Such authorization or request, whether given to the mortgage lender or to the insurance affiliate, would permit the insurance affiliate to use eligibility information about the consumer it obtains from the mortgage lender or any other affiliate to make solicitations to the consumer about homeowner's insurance.
      (ii)  A consumer completes an online application to apply for a credit card from a credit card issuer. The issuer's online application contains a blank check box that the consumer may check to authorize or request information from the credit card issuer's affiliates. The consumer checks the box. The consumer has authorized or requested solicitations from the card issuer's affiliates.
      (iii)  A consumer completes an online application to apply for a credit card from a credit card issuer. The issuer's online application contains a pre-selected check box indicating that the consumer authorizes or requests information from the issuer's affiliates. The consumer does not deselect the check box. The consumer has not authorized or requested solicitations from the card issuer's affiliates.
      (iv)  The terms and conditions of a credit card account agreement contain preprinted boilerplate language stating that by applying to open an account the consumer authorizes or requests to receive solicitations from the credit card issuer's affiliates. The consumer has not authorized or requested solicitations from the card issuer's affiliates.
  (e)  Relation to affiliate-sharing notice and opt-out. Nothing in this subpart limits the responsibility of a person to comply with the notice and opt-out provisions of section 603(d)(2)(A)(iii) of the Act where applicable.

[Codified to 12 C.F.R. § 334.21]

[Section 334.21 added at 72 Fed. Reg. 62965, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]



§ 334.22  Scope and duration of opt-out.

  (a)  Scope of opt-out.  (1)  In general. Except as otherwise provided in this section, the consumer's election to opt out prohibits any affiliate covered by the opt-out notice from using eligibility information received from another affiliate as described in the notice to make solicitations to the consumer.
    (2)  Continuing relationship.  (i)  In general. If the consumer establishes a continuing relationship with you or your affiliate, an opt-out notice may apply to eligibility information obtained in connection with--
        (A)  A single continuing relationship or multiple continuing relationships that the consumer establishes with you or your affiliates, including continuing relationships established subsequent to delivery of the opt-out notice, so long as the notice adequately describes the continuing relationships covered by the opt-out; or
        (B)  Any other transaction between the consumer and you or your affiliates as described in the notice.
      (ii)  Examples of continuing relationships. A consumer has a continuing relationship with you or your affiliate if the consumer--
        (A)  Opens a deposit or investment account with you or your affiliate;
        (B)  Obtains a loan for which you or your affiliate owns the servicing rights;
        (C)  Purchases an insurance product from you or your affiliate;
{{12-31-07 p.2414.05}}
        (D)  Holds an investment product through you or your affiliate, such as when you act or your affiliate acts as a custodian for securities or for assets in an individual retirement arrangement;
        (E)  Enters into an agreement or understanding with you or your affiliate whereby you or your affiliate undertakes to arrange or broker a home mortgage loan for the consumer;
        (F)  Enters into a lease of personal property with you or your affiliate; or
        (G)  Obtains financial, investment, or economic advisory services from you or your affiliate for a fee.
    (3)  No continuing relationship.  (i)  In general. If there is no continuing relationship between a consumer and you or your affiliate, and you or your affiliate obtain eligibility information about a consumer in connection with a transaction with the consumer, such as an isolated transaction or a credit application that is denied, an opt-out notice provided to the consumer only applies to eligibility information obtained in connection with that transaction.
      (ii)  Examples of isolated transactions. An isolated transaction occurs if--
        (A)  The consumer uses your or your affiliate's ATM to withdraw cash from an account at another financial institution; or
        (B)  You or your affiliate sells the consumer a cashier's check or money order, airline tickets, travel insurance, or traveler's checks in isolated transactions.
    (4)  Menu of alternatives. A consumer may be given the opportunity to choose from a menu of alternatives when electing to prohibit solicitations, such as by electing to prohibit solicitations from certain types of affiliates covered by the opt-out notice but not other types of affiliates covered by the notice, electing to prohibit solicitations based on certain types of eligibility information but not other types of eligibility information, or electing to prohibit solicitations by certain methods of delivery but not other methods of delivery. However, one of the alternatives must allow the consumer to prohibit all solicitations from all of the affiliates that are covered by the notice.
    (5)  Special rule for a notice following termination of all continuing relationships.  (i)  In general. A consumer must be given a new opt-out notice if, after all continuing relationships with you or your affiliate(s) are terminated, the consumer subsequently establishes another continuing relationship with you or your affiliate(s) and the consumer's eligibility information is to be used to make a solicitation. The new opt-out notice must apply, at a minimum, to eligibility information obtained in connection with the new continuing relationship. Consistent with paragraph (b) of this section, the consumer's decision not to opt out after receiving the new opt-out notice would not override a prior opt-out election by the consumer that applies to eligibility information obtained in connection with a terminated relationship, regardless of whether the new opt-out notice applies to eligibility information obtained in connection with the terminated relationship.
      (ii)  Example. A consumer has a checking account with a depository institution that is part of an affiliated group. The consumer closes the checking account. One year after closing the checking account, the consumer opens a savings account with the same depository institution. The consumer must be given a new notice and opportunity to opt out before the depository institution's affiliates may make solicitations to the consumer using eligibility information obtained by the depository institution in connection with the new savings account relationship, regardless of whether the consumer opted out in connection with the checking account.
  (b)  Duration of opt-out. The election of a consumer to opt out must be effective for a period of at least five years (the "opt-out period") beginning when the consumer's opt out election is received and implemented, unless the consumer subsequently revokes the opt-out in writing or, if the consumer agrees, electronically. An opt-out period of more than five years may be established, including an opt-out period that does not expire unless revoked by the consumer.
  (c)  Time of opt-out. A consumer may opt out at any time.

[Codified to 12 C.F.R. § 334.22]

[Section 334.22 added at 72 Fed. Reg. 62968, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]

{{12-31-07 p.2414.06}}

§ 334.23  Contents of opt-out notice; consolidated and equivalent notices.

  (a)  Contents of opt-out notice.  (1)  In general. A notice must be clear, conspicuous, and concise, and must accurately disclose:
      (i)  The name of the affiliate(s) providing the notice. If the notice is provided jointly by multiple affiliates and each affiliate shares a common name, such as "ABC," then the notice may indicate that it is being provided by multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by "all of the ABC companies," "the ABC banking, credit card, insurance, and securities companies," or by listing the name of each affiliate providing the notice. But if the affiliates providing the joint notice do not all share a common name, then the notice must either separately identify each affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice is provided by "all of the ABC and XYZ companies" or by "the ABC banking and credit card companies and the XYZ insurance companies";
      (ii)  A list of the affiliates or types of affiliates whose use of eligibility information is covered by the notice, which may include companies that become affiliates after the notice is provided to the consumer. If each affiliate covered by the notice shares a common name, such as "ABC," then the notice may indicate that it applies to multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by "all of the ABC companies," "the ABC banking, credit card, insurance, and securities companies," or by listing the name of each affiliate providing the notice. But if the affiliates covered by the notice do not all share a common name, then the notice must either separately identify each covered affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice applies to "all of the ABC and XYZ companies" or to "the ABC banking and credit card companies and the XYZ insurance companies";
      (iii)  A general description of the types of eligibility information that may be used to make solicitations to the consumer;
      (iv)  That the consumer may elect to limit the use of eligibility information to make solicitations to the consumer;
      (v)  That the consumer's election will apply for the specified period of time stated in the notice and, if applicable, that the consumer will be allowed to renew the election once that period expires;
      (vi)  If the notice is provided to consumers who may have previously opted out, such as if a notice is provided to consumers annually, that the consumer who has chosen to limit solicitations does not need to act again until the consumer receives a renewal notice; and
      (vii)  A reasonable and simple method for the consumer to opt out.
    (2)  Joint relationships.  (i)  If two or more consumers jointly obtain a product or service, a single opt-out notice may be provided to the joint consumers. Any of the joint consumers may exercise the right to opt out.
      (ii)  The opt-out notice must explain how an opt-out direction by a joint consumer will be treated. An opt-out direction by a joint consumer may be treated as applying to all of the associated joint consumers, or each joint consumer may be permitted to opt out separately. If each joint consumer is permitted to opt out separately, one of the joint consumers must be permitted to opt out on behalf of all of the joint consumers and the joint consumers must be permitted to exercise their separate rights to opt out in a single response.
      (iii)  It is impermissible to require all joint consumers to opt out before implementing any opt-out direction.
    (3)  Alternative contents. If the consumer is afforded a broader right to opt out of receiving marketing than is required by this subpart, the requirements of this section may be satisfied by providing the consumer with a clear, conspicuous, and concise notice that accurately discloses the consumer's opt-out rights.
{{4-30-08 p.2414.07}}
    (4)  Model notices. Model notices are provided in Appendix C of this part.
  (b)  Coordinated and consolidated notices. A notice required by this subpart may be coordinated and consolidated with any other notice or disclosure required to be issued under any other provision of law by the entity providing the notice, including but not limited to the notice described in section 603(d)(2)(A)(iii) of the Act and the Gramm-Leach-Bliley Act privacy notice.
  (c)  Equivalent notices. A notice or other disclosure that is equivalent to the notice required by this subpart, and that is provided to a consumer together with disclosures required by any other provision of law, satisfies the requirements of this section.

[Codified to 12 C.F.R. § 334.23]

[Section 334.23 added at 72 Fed. Reg. 62969, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]



§ 334.24  Reasonable opportunity to opt out.

  (a)  In general. You must not use eligibility information about a consumer that you receive from an affiliate to make a solicitation to the consumer about your products or services, unless the consumer is provided a reasonable opportunity to opt out, as required by § 334.21(a)(1)(ii) of this part.
  (b)  Examples of a reasonable opportunity to opt out. The consumer is given a reasonable opportunity to opt out if:
    (1)  By mail. The opt-out notice is mailed to the consumer. The consumer is given 30 days from the date the notice is mailed to elect to opt out by any reasonable means.
    (2)  By electronic means.  (i)  The opt-out notice is provided electronically to the consumer, such as by posting the notice at an Internet Web site at which the consumer has obtained a product or service. The consumer acknowledges receipt of the electronic notice. The consumer is given 30 days after the date the consumer acknowledges receipt to elect to opt out by any reasonable means.
      (ii)  The opt-out notice is provided to the consumer by e-mail where the consumer has agreed to receive disclosures by e-mail from the person sending the notice. The consumer is given 30 days after the e-mail is sent to elect to opt out by any reasonable means.
    (3)  At the time of an electronic transaction. The opt-out notice is provided to the consumer at the time of an electronic transaction, such as a transaction conducted on an Internet Web site. The consumer is required to decide, as a necessary part of proceeding with the transaction, whether to opt out before completing the transaction. There is a simple process that the consumer may use to opt out at that time using the same mechanism through which the transaction is conducted.
    (4)  At the time of an in-person transaction. The opt-out notice is provided to the consumer in writing at the time of an in-person transaction. The consumer is required to decide, as a necessary part of proceeding with the transaction, whether to opt out before completing the transaction, and is not permitted to complete the transaction without making a choice. There is a simple process that the consumer may use during the course of the in-person transaction to opt out, such as completing a form that requires consumers to write a "yes" or "no" to indicate their opt-out preference or that requires the consumer to check one of two blank check boxes--one that allows consumers to indicate that they want to opt out and one that allows consumers to indicate that they do not want to opt out.
    (5)  By including in a privacy notice. The opt-out notice is included in a Gramm-Leach-Bliley Act privacy notice. The consumer is allowed to exercise the opt-out within a reasonable period of time and in the same manner as the opt-out under that privacy notice.

[Codified to 12 C.F.R. § 334.24]

[Section 334.24 added at 72 Fed. Reg. 62969, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]

{{4-30-08 p.2414.08}}

§ 334.25  Reasonable and simple methods of opting out.

  (a)  In general. You must not use eligibility information about a consumer that you receive from an affiliate to make a solicitation to the consumer about your products or services, unless the consumer is provided a reasonable and simple method to opt out, as required by § 334.21(a)(1)(ii) of this part.
  (b)  Examples.  (1)  Reasonable and simple opt-out methods. Reasonable and simple methods for exercising the opt-out right include--
      (i)  Designating a check-off box in a prominent position on the opt-out form;
      (ii)  Including a reply form and a self-addressed envelope together with the opt-out notice;
      (iii)  Providing an electronic means to opt out, such as a form that can be electronically mailed or processed at an Internet Web site, if the consumer agrees to the electronic delivery of information;
      (iv)  Providing a toll-free telephone number that consumers may call to opt out; or
      (v)  Allowing consumers to exercise all of their opt-out rights described in a consolidated opt-out notice that includes the privacy opt-out under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., the affiliate sharing opt-out under the Act, and the affiliate marketing opt-out under the Act, by a single method, such as by calling a single toll-free telephone number.
    (2)  Opt-out methods that are not reasonable and simple. Reasonable and simple methods for exercising an opt-out right do not include--
      (i)  Requiring the consumer to write his or her own letter;
      (ii)  Requiring the consumer to call or write to obtain a form for opting out, rather than including the form with the opt-out notice;
      (iii)  Requiring the consumer who receives the opt-out notice in electronic form only, such as through posting at an Internet Web site, to opt out solely by paper mail or by visiting a different Web site without providing a link to that site.
  (c)  Specific opt-out means. Each consumer may be required to opt out through a specific means, as long as that means is reasonable and simple for that consumer.

[Codified to 12 C.F.R. § 334.25]

[Section 334.25 added at 72 Fed. Reg. 62970, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]



§ 334.26  Delivery of opt-out notices.

  (a)  In general. The opt-out notice must be provided so that each consumer can reasonably be expected to receive actual notice. For opt-out notices provided electronically, the notice may be provided in compliance with either the electronic disclosure provisions in this subpart or the provisions in section 101 of the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. 7001 et seq.
  (b)  Examples of reasonable expectation of actual notice. A consumer may reasonably be expected to receive actual notice if the affiliate providing the notice:
    (1)  Hand-delivers a printed copy of the notice to the consumer;
    (2)  Mails a printed copy of the notice to the last known mailing address of the consumer;
    (3)  Provides a notice by e-mail to a consumer who has agreed to receive electronic disclosures by e-mail from the affiliate providing the notice; or
    (4)  Posts the notice on the Internet Web site at which the consumer obtained a product or service electronically and requires the consumer to acknowledge receipt of the notice.
  (c)  Examples of no reasonable expectation of actual notice. A consumer may not reasonably be expected to receive actual notice if the affiliate providing the notice:
    (1)  Only posts the notice on a sign in a branch or office or generally publishes the notice in a newspaper;
{{4-30-08 p.2414.09}}
    (2)  Sends the notice via e-mail to a consumer who has not agreed to receive electronic disclosures by e-mail from the affiliate providing the notice; or
    (3)  Posts the notice on an Internet Web site without requiring the consumer to acknowledge receipt of the notice.

[Codified to 12 C.F.R. § 334.26]

[Section 334.26 added at 72 Fed. Reg. 62970, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]



§ 334.27  Renewal of opt-out.

  (a)  Renewal notice and opt-out requirement.  (1)  In general. After the opt-out period expires, you may not make solicitations based on eligibility information you receive from an affiliate to a consumer who previously opted out, unless:
      (i)  The consumer has been given a renewal notice that complies with the requirements of this section and §§ 334.24 through 334.26 of this part, and a reasonable opportunity and a reasonable and simple method to renew the opt-out, and the consumer does not renew the opt-out; or
      (ii)  An exception in § 334.21(c) of this part applies.
    (2)  Renewal period. Each opt-out renewal must be effective for a period of at least five years as provided in § 334.22(b) of this part.
    (3)  Affiliates who may provide the notice. The notice required by this paragraph must be provided:
      (i)  By the affiliate that provided the previous opt-out notice, or its successor; or
      (ii)  As part of a joint renewal notice from two or more members of an affiliated group of companies, or their successors, that jointly provided the previous opt-out notice.
  (b)  Contents of renewal notice. The renewal notice must be clear, conspicuous, and concise, and must accurately disclose:
    (1)  The name of the affiliate(s) providing the notice. If the notice is provided jointly by multiple affiliates and each affiliate shares a common name, such as "ABC," then the notice may indicate that it is being provided by multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by "all of the ABC companies," "the ABC banking, credit card, insurance, and securities companies," or by listing the name of each affiliate providing the notice. But if the affiliates providing the joint notice do not all share a common name, then the notice must either separately identify each affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice is provided by "all of the ABC and XYZ companies" or by "the ABC banking and credit card companies and the XYZ insurance companies";
    (2)  A list of the affiliates or types of affiliates whose use of eligibility information is covered by the notice, which may include companies that become affiliates after the notice is provided to the consumer. If each affiliate covered by the notice shares a common name, such as "ABC," then the notice may indicate that it applies to multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by "all of the ABC companies," "the ABC banking, credit card, insurance, and securities companies," or by listing the name of each affiliate providing the notice. But if the affiliates covered by the notice do not all share a common name, then the notice must either separately identify each covered affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice applies to "all of the ABC and XYZ companies" or to "the ABC banking and credit card companies and the XYZ insurance companies";
    (3)  A general description of the types of eligibility information that may be used to make solicitations to the consumer;
    (4)  That the consumer previously elected to limit the use of certain information to make solicitations to the consumer;
    (5)  That the consumer's election has expired or is about to expire;
{{4-30-08 p.2414.10}}
    (6)  That the consumer may elect to renew the consumer's previous election;
    (7)  If applicable, that the consumer's election to renew will apply for the specified period of time stated in the notice and that the consumer will be allowed to renew the election once that period expires; and
    (8)  A reasonable and simple method for the consumer to opt out.
  (c)  Timing of the renewal notice.  (1)  In general. A renewal notice may be provided to the consumer either--
      (i)  A reasonable period of time before the expiration of the opt-out period; or
      (ii)  Any time after the expiration of the opt-out period but before solicitations that would have been prohibited by the expired opt-out are made to the consumer.
    (2)  Combination with annual privacy notice. If you provide an annual privacy notice under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., providing a renewal notice with the last annual privacy notice provided to the consumer before expiration of the opt-out period is a reasonable period of time before expiration of the opt-out in all cases.
  (d)  No effect on opt-out period. An opt-out period may not be shortened by sending a renewal notice to the consumer before expiration of the opt-out period, even if the consumer does not renew the opt-out.

[Codified to 12 C.F.R. § 334.27]

[Section 334.27 added at 72 Fed. Reg. 62970, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]



§ 334.28  Effective date, compliance date, and prospective application.

  (a)  Effective date. This subpart is effective January 1, 2008.
  (b)  Mandatory compliance date. Compliance with this subpart is required not later than October 1, 2008.
  (c)  Prospective application. The provisions of this subpart shall not prohibit you from using eligibility information that you receive from an affiliate to make solicitations to a consumer if you receive such information prior to October 1, 2008. For purposes of this section, you are deemed to receive eligibility information when such information is placed into a common database and is accessible by you.

[Codified to 12 C.F.R. § 334.28]

[Section 334.28 added at 72 Fed. Reg. 62971, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]


Subpart D—Medical Information


§ 334.30  Obtaining or using medical information in connection with a determination of eligibility for credit.

  (a)  Scope. This section applies to:
    (1)  Any of the following that participates as a creditor in a transaction--
      (i)  A State bank insured by the FDIC (other than members of the Federal Reserve System);
      (ii)  An insured State branch of a foreign bank; or
    (2)  Any other person that participates as a creditor in a transaction involving a person described in paragraph (a)(1) of this section.
  (b)  General prohibition on obtaining or using medical information. (1) In general. A creditor may not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit, except as provided in this section.
    (2)  Definitions. (i)  Credit has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a.
      (ii)  Creditor has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a.
      (iii)  Eligibility, or continued eligibility, for credit means the consumer's qualification or fitness to receive, or continue to receive, credit, including the terms on which credit is offered. The term does not include:
        (A)  Any determination of the consumer's qualification or fitness for employment, insurance (other than a credit insurance product), or other non-credit products or services;
        (B)   Authorizing, processing, or documenting a payment or transaction on behalf of the consumer in a manner that does not involve a determination of the consumer's eligibility, or continued eligibility, for credit; or
        (C)  Maintaining or servicing the consumer's account in a manner that does not involve a determination of the consumer's eligibility, or continued eligibility, for credit.
  (c)  Rule of construction for obtaining and using unsolicited medical information. (1) In general. A creditor does not obtain medical information in violation of the prohibition if it receives medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit without specifically requesting medical information.
    (2)  Use of unsolicited medical information. A creditor that receives unsolicited medical information in the manner described in paragraph (c)(1) of this section may use that information in connection with any determination of the consumer's eligibility, or continued eligibility, for credit to the extent the creditor can rely on at least one of the exceptions in § 334.30(d) or (e).
    (3)  Examples. A creditor does not obtain medical information in violation of the prohibition if, for example:
      (i)  In response to a general question regarding a consumer's debts or expenses, the creditor receives information that the consumer owes a debt to a hospital.
      (ii)  In a conversation with the creditor's loan officer, the consumer informs the creditor that the consumer has a particular medical condition.
      (iii)  In connection with a consumer's application for an extension of credit, the creditor requests a consumer report from a consumer reporting agency and receives medical information in the consumer report furnished by the agency even though the creditor did not specifically request medical information from the consumer reporting agency.
  (d)  Financial information exception for obtaining and using medical information. (1) In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit so long as:
      (i)  The information is the type of information routinely used in making credit eligibility determinations, such as information relating to debts, expenses, income, benefits, assets, collateral, or the purpose of the loan, including the use of proceeds;
      (ii)  The creditor uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction; and
      (iii)  The creditor does not take the consumer's physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination.
    (2)  Examples. (i) Examples of the types of information routinely used in making credit eligibility determinations. Paragraph (d)(1)(i) of this section permits a creditor, for example, to obtain and use information about:
        (A)  The dollar amount, repayment terms, repayment history, and similar information regarding medical debts to calculate, measure, or verify the repayment ability of the consumer, the use of proceeds, or the terms for granting credit;
        (B)  The value, condition, and lien status of a medical device that may serve as collateral to secure a loan;
        (C)  The dollar amount and continued eligibility for disability income or benefits related to health or a medical condition that is relied on as a source of repayment; or
        (D)  The identity of creditors to whom outstanding medical debts are owed in connection with an application for credit, including but not limited to, a transaction involving the consolidation of medical debts.
      (ii)  Examples of uses of medical information consistent with the exception. (A)  A consumer includes on an application for credit information about two $20,000 debts. One debt is to a hospital; the other debt is to a retailer. The creditor contacts the hospital and the retailer to verify the amount and payment status of the debts. The creditor learns that both debts are more than 90 days past due. Any two debts of this size that are more than 90 days past due would disqualify the consumer under the creditor's established underwriting criteria. The creditor denies the application on the basis that the consumer has a poor repayment history on outstanding debts. The creditor has used medical information in a manner and to an extent no less favorable than it would use comparable non-medical information.
        (B)  A consumer indicates on an application for a $200,000 mortgage loan that she receives $15,000 in long-term disability income each year from her former employer and has no other income. Annual income of $15,000, regardless of source, would not be sufficient to support the requested amount of credit. The creditor denies the application on the basis that the projected debt-to-income ratio of the consumer does not meet the creditor's underwriting criteria. The creditor has used medical information in a manner and to an extent that is no less favorable than it would use comparable non-medical information.
        (C)  A consumer includes on an application for a $10,000 home equity loan that he has a $50,000 debt to a medical facility that specializes in treating a potentially terminal disease. The creditor contacts the medical facility to verify the debt and obtain the repayment history and current status of the loan. The creditor learns that the debt is current. The applicant meets the income and other requirements of the creditor's underwriting guidelines. The creditor grants the application. The creditor has used medical information in accordance with the exception.
      (iii)  Examples of uses of medical information inconsistent with the exception. (A)  A consumer applies for $25,000 of credit and includes on the application information about a $50,000 debt to a hospital. The creditor contacts the hospital to verify the amount and payment status of the debt, and learns that the debt is current and that the consumer has no delinquencies in her repayment history. If the existing debt were instead owed to a retail department store, the creditor would approve the application and extend credit based on the amount and repayment history of the outstanding debt. The creditor, however, denies the application because the consumer is indebted to a hospital. The creditor has used medical information, here the identity of the medical creditor, in a manner and to an extent that is less favorable than it would use comparable non-medical information.
        (B)  A consumer meets with a loan officer of a creditor to apply for a mortgage loan. While filling out the loan application, the consumer informs the loan officer orally that she has a potentially terminal disease. The consumer meets the creditor's established requirements for the requested mortgage loan. The loan officer recommends to the credit committee that the consumer be denied credit because the consumer has that disease. The credit committee follows the loan officer's recommendation and denies the application because the consumer has a potentially terminal disease. The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer's physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis as part of a determination of eligibility or continued eligibility for credit.
        (C)  A consumer who has an apparent medical condition, such as a consumer who uses a wheelchair or an oxygen tank, meets with a loan officer to apply for a home equity loan. The consumer meets the creditor's established requirements for the requested home equity loan and the creditor typically does not require consumers to obtain a debt cancellation contract, debt suspension agreement, or credit insurance product in connection with such loans. However, based on the consumer's apparent medical condition, the loan officer recommends to the credit committee that credit be extended to the consumer only if the consumer obtains a debt cancellation contract, debt suspension agreement, or credit insurance product. The credit committee agrees with the loan officer's recommendation. The loan officer informs the consumer that the consumer must obtain a debt cancellation contract, debt suspension agreement, or credit insurance product to qualify for the loan. The consumer obtains one of these products from a third party and the creditor approves the loan. The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer's physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis in setting conditions on the consumer's eligibility for credit.
  (e)  Specific exceptions for obtaining and using medical information. (1)  In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit--
      (i)  To determine whether the use of a power of attorney or legal representative that is triggered by a medical event or condition is necessary and appropriate or whether the consumer has the legal capacity to contract when a person seeks to exercise a power of attorney or act as legal representative for a consumer based on an asserted medical event or condition;
      (ii)  To comply with applicable requirements of local, State, or Federal laws;
      (iii)  To determine, at the consumer's request, whether the consumer qualifies for a legally permissible special credit program or credit-related assistance program that is--
        (A)  Designed to meet the special needs of consumers with medical conditions; and
        (B)  Established and administered pursuant to a written plan that--
          (1)  Identifies the class of persons that the program is designed to benefit; and
          (2)  Sets forth the procedures and standards for extending credit or providing other credit-related assistance under the program.
      (iv)  To the extent necessary for purposes of fraud prevention or detection;
      (v)  In the case of credit for the purpose of financing medical products or services, to determine and verify the medical purpose of a loan and the use of proceeds;
      (vi)  Consistent with safe and sound practices, if the consumer or the consumer's legal representative specifically requests that the creditor use medical information in determining the consumer's eligibility, or continued eligibility, for credit, to accommodate the consumer's particular circumstances, and such request is documented by the creditor;
      (vii)  Consistent with safe and sound practices, to determine whether the provisions of a forbearance practice or program that is triggered by a medical event or condition apply to a consumer;
      (viii)  To determine the consumer's eligibility for, the triggering of, or the reactivation of a debt cancellation contract or debt suspension agreement if a medical condition or event is a triggering event for the provision of benefits under the contract or agreement; or
      (ix)  To determine the consumer's eligibility for, the triggering of, or the reactivation of a credit insurance product if a medical condition or event is a triggering event for the provision of benefits under the product.
    (2)  Example of determining eligibility for a special credit program or credit assistance program. A not-for-profit organization establishes a credit assistance program pursuant to a written plan that is designed to assist disabled veterans in purchasing homes by subsidizing the down payment for the home purchase mortgage loans of qualifying veterans. The organization works through mortgage lenders and requires mortgage lenders to obtain medical information about the disability of any consumer that seeks to qualify for the program, use that information to verify the consumer's eligibility for the program, and forward that information to the organization. A consumer who is a veteran applies to a creditor for a home purchase mortgage loan. The creditor informs the consumer about the credit assistance program for disabled veterans and the consumer seeks to qualify for the program. Assuming that the program complies with all applicable law, including applicable fair lending laws, the creditor may obtain and use medical information about the medical condition and disability, if any, of the consumer to determine whether the consumer qualifies for the credit assistance program.
    (3)  Examples of verifying the medical purpose of the loan or the use of proceeds. (i) If a consumer applies for $10,000 of credit for the purpose of financing vision correction surgery, the creditor may verify with the surgeon that the procedure will be performed. If the surgeon reports that surgery will not be performed on the consumer, the creditor may use that medical information to deny the consumer's application for credit, because the loan would not be used for the stated purpose.
      (ii)  If a consumer applies for $10,000 of credit for the purpose of financing cosmetic surgery, the creditor may confirm the cost of the procedure with the surgeon. If the surgeon reports that the cost of the procedure is $5,000, the creditor may use that medical information to offer the consumer only $5,000 of credit.
      (iii)  A creditor has an established medical loan program for financing particular elective surgical procedures. The creditor receives a loan application from a consumer requesting $10,000 of credit under the established loan program for an elective surgical procedure. The consumer indicates on the application that the purpose of the loan is to finance an elective surgical procedure not eligible for funding under the guidelines of the established loan program. The creditor may deny the consumer's application because the purpose of the loan is not for a particular procedure funded by the established loan program.
    (4)  Examples of obtaining and using medical information at the request of the consumer. (i) If a consumer applies for a loan and specifically requests that the creditor consider the consumer's medical disability at the relevant time as an explanation for adverse payment history information in his credit report, the creditor may consider such medical information in evaluating the consumer's willingness and ability to repay the requested loan to accommodate the consumer's particular circumstances, consistent with safe and sound practices. The creditor may also decline to consider such medical information to accommodate the consumer, but may evaluate the consumer's application in accordance with its otherwise applicable underwriting criteria. The creditor may not deny the consumer's application or otherwise treat the consumer less favorably because the consumer specifically requested a medical accommodation, if the creditor would have extended the credit or treated the consumer more favorably under the creditor's otherwise applicable underwriting criteria.
      (ii)  If a consumer applies for a loan by telephone and explains that his income has been and will continue to be interrupted on account of a medical condition and that he expects to repay the loan by liquidating assets, the creditor may, but is not required to, evaluate the application using the sale of assets as the primary source of repayment, consistent with safe and sound practices, provided that the creditor documents the consumer's request by recording the oral conversation or making a notation of the request in the consumer's file.
      (iii)  If a consumer applies for a loan and the application form provides a space where the consumer may provide any other information or special circumstances, whether medical or non-medical, that the consumer would like the creditor to consider in evaluating the consumer's application, the creditor may use medical information provided by the consumer in that space on that application to accommodate the consumer's application for credit, consistent with safe and sound practices, or may disregard that information.
      (iv)  If a consumer specifically requests that the creditor use medical information in determining the consumer's eligibility, or continued eligibility, for credit and provides the creditor with medical information for that purpose, and the creditor determines that it needs additional information regarding the consumer's circumstances, the creditor may request, obtain, and use additional medical information about the consumer as necessary to verify the information provided by the consumer or to determine whether to make an accommodation for the consumer. The consumer may decline to provide additional information, withdraw the request for an accommodation, and have the application considered under the creditor's otherwise applicable underwriting criteria.
      (v)  If a consumer completes and signs a credit application that is not for medical purpose credit and the application contains boilerplate language that routinely requests medical information from the consumer or that indicates that by applying for credit the consumer authorizes or consents to the creditor obtaining and using medical information in connection with a determination of the consumer's eligibility, or continued eligibility, for credit, the consumer has not specifically requested that the creditor obtain and use medical information to accommodate the consumer's particular circumstances.
    (5)  Example of a forbearance practice or program. After an appropriate safety and soundness review, a creditor institutes a program that allows consumers who are or will be hospitalized to defer payments as needed for up to three months, without penalty, if the credit account has been open for more than one year and has not previously been in default, and the consumer provides confirming documentation at an appropriate time. A consumer is hospitalized and does not pay her bill for a particular month. This consumer has had a credit account with the creditor for more than one year and has not previously been in default. The creditor attempts to contact the consumer and speaks with the consumer's adult child, who is not the consumer's legal representative. The adult child informs the creditor that the consumer is hospitalized and is unable to pay the bill at that time. The creditor defers payments for up to three months, without penalty, for the hospitalized consumer and sends the consumer a letter confirming this practice and the date on which the next payment will be due.

[Codified to 12 C.F.R. § 334.30]



§ 334.31  Limits on redisclosure of information.

  (a)  Scope. This section applies to State banks insured by the FDIC (other than members of the Federal Reserve System) and insured State branches of foreign banks.
  (b)  Limits on redisclosure. If a person described in paragraph (a) of this section receives medical information about a consumer from a consumer reporting agency or its affiliate, the person must not disclose that information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order.

[Codified to 12 C.F.R. § 334.31]



§ 334.32  Sharing medical information with affiliates.

  (a)  Scope. This section applies to State banks insured by the FDIC (other than members of the Federal Reserve System) and insured State branches of foreign banks.
  (b)  In general. The exclusions from the term "consumer report" in section 603(d)(2) of the Act that allow the sharing of information with affiliates do not apply if a person described in paragraph (a) of this section communicates to an affiliate--
    (1)  Medical information;
    (2)  An individualized list or description based on the payment transactions of the consumer for medical products or services; or
    (3)  An aggregate list of identified consumers based on payment transactions for medical products or services.
  (c)  Exceptions. A person described in paragraph (a) of this section may rely on the exclusions from the term "consumer report" in section 603(d)(2) of the Act to communicate the information in paragraph (b) of this section to an affiliate--
    (1)  In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003);
    (2)  For any purpose permitted without authorization under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
    (3)  For any purpose referred to in section 1179 of HIPAA;
    (4)  For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act;
    (5)  In connection with a determination of the consumer's eligibility, or continued eligibility, for credit consistent with § 334.30; or
    (6)  As otherwise permitted by order of the FDIC.

[Codified to 12 C.F.R. § 334.32]


Subpart E–H—[Reserved]


Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal


§ 334.80–334.81 [Reserved]


§ 334.82  Duties of users regarding address discrepancies.

  (a)  Scope. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency and that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).
  (b)  Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.
  (c)  Reasonable belief.  (1)  Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.
    (2)  Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
        (A)  Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
        (B)  Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
        (C)  Obtains from third-party sources; or
      (ii)  Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
  (d)  Consumer's address.  (1)  Requirement to furnish consumer's address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
      (i)  Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
      (ii)  Establishes a continuing relationship with the consumer; and
      (iii)  Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
    (2)  Examples of confirmation methods. The user may reasonably confirm an address is accurate by:
      (i)  Verifying the address with the consumer about whom it has requested the report;
      (ii)  Reviewing its own records to verify the address of the consumer;
      (iii)  Verifying the address through third-party sources; or
      (iv)  Using other reasonable means.
    (3)  Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

[Codified to 12 C.F.R. § 334.82]

[Section 334.82 added at 72 Fed. Reg. 63760, November 9, 2007, effective January 1, 2008, the mandatory compliance date is November 1, 2008]


§ 334.83  Disposal of consumer information.


  (a)  In general. You must properly dispose of any consumer information that you maintain or otherwise possess in accordance with the Interagency Guidelines Establishing Information Security Standards, as set forth in appendix B to part 364 of this chapter, prescribed pursuant to section 216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681w) and section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)), to the extent the Guidelines are applicable to you.
  (b)  Rule of construction. Nothing in this section shall be construed to:
    (1)  Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or
    (2)  Alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.

[Codified to 12 C.F.R. § 334.83]


Subpart J—Identity Theft Red Flags


§ 334.90  Duties regarding the detection, prevention, and mitigation of identity theft.

  (a)  Scope. This section applies to a financial institution or creditor that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).
  (b)  Definitions. For purposes of this section and Appendix J, the following definitions apply:
    (1)  Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
      (i)  An extension of credit, such as the purchase of property or services involving a deferred payment; and
      (ii)  A deposit account.
    (2)  The term board of directors includes:
      (i)  In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
      (ii)  In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.
    (3)  Covered account means:
      (i)  An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
      (ii)  Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
    (4)  Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).
    (5)  Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
    (6)  Customer means a person that has a covered account with a financial institution or creditor.
    (7)  Financial institution has the same meaning as in 15 U.S.C. 1681a(t).
    (8)  Identity theft has the same meaning as in 16 CFR 603.2(a).
    (9)  Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
    (10)  Service provider means a person that provides a service directly to the financial institution or creditor.
  (c)  Periodic Identification of Covered Accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
    (1)  The methods it provides to open its accounts;
    (2)  The methods it provides to access its accounts; and
    (3)  Its previous experiences with identity theft.
  (d)  Establishment of an Identity Theft Prevention Program--(1)  Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
    (2)  Elements of the Program. The Program must include reasonable policies and procedures to:
      (i)  Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
      (ii)  Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
      (iii)  Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
      (iv)  Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
  (e)  Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
    (1)  Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
    (2)  Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
    (3)  Train staff, as necessary, to effectively implement the Program; and
    (4)  Exercise appropriate and effective oversight of service provider arrangements.
{{12-31-07 p.2414.19}}
  (f)  Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate.

[Codified to 12 C.F.R. § 334.90]

[Section 334.90 added at 72 Fed. Reg. 63761, November 9, 2007, effective January 1, 2008; the mandatory compliance date is November 1, 2008]



§ 334.91  Duties of card issuers regarding changes of address.

  (a)  Scope. This section applies to an issuer of a debit or credit card (card issuer) that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).
  (b)  Definitions. For purposes of this section:
    (1)  Cardholder means a consumer who has been issued a credit or debit card.
    (2)  Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.
  (c)  Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
    (1)(i)  Notifies the cardholder of the request:
        (A)  At the cardholder's former address; or
        (B)  By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
      (ii)  Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
    (2)  Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 334.90 of this part.
  (d)  Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
  (e)  Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.
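  The timing rule in paragraphs (c) through (e) is a control a card issuer can implement mechanically: an address-change notification opens a validation window of at least 30 days, and a request for an additional or replacement card that arrives inside that window is held until the issuer has notified the cardholder (at the former address or through a previously agreed channel) and given a means of reporting an incorrect change, has assessed the change under its § 334.90 Program, or had already validated the change when the notification arrived (paragraph (d)). The following Python is an added illustration of that logic, not FDIC or any issuer's code; the account ids, dates, the `CardIssuer` and `AddressChange` names, the SMS channel and the `<REPORT-CHANNEL-PLACEHOLDER>` are constructed for the example.

```python
"""Address-validation hold for card issuers under 12 CFR 334.91(c)-(e).

Added illustration, not FDIC or issuer code. It records address-change
notifications and decides whether an additional or replacement card may be
issued. Account ids, dates and the report channel are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Paragraph (c): "during at least the first 30 days" after notification.
# 30 days is the regulatory floor; an issuer may choose a longer window.
VALIDATION_WINDOW = timedelta(days=30)


@dataclass
class AddressChange:
    account_id: str
    received_at: datetime
    former_address: str
    agreed_channel: Optional[str] = None  # (c)(1)(i)(B): a channel agreed with the cardholder
    assessed: bool = False                # True once (c)(1), (c)(2) or (d) has been satisfied


@dataclass
class CardIssuer:
    window: timedelta = VALIDATION_WINDOW
    changes: dict = field(default_factory=dict)   # account_id -> list of AddressChange
    outbound: list = field(default_factory=list)  # notices sent (constructed record)

    def record_address_change(self, change: AddressChange, validate_now: bool = False) -> None:
        """Log the notification. With validate_now=True the issuer validates at
        notification time, as paragraph (d) permits, so later card requests pass."""
        self.changes.setdefault(change.account_id, []).append(change)
        if validate_now:
            self.notify_cardholder(change)

    def notify_cardholder(self, change: AddressChange) -> None:
        """Path (c)(1): notify the cardholder at the former address or via the agreed
        channel, and give a means of promptly reporting an incorrect change.
        Paragraph (e): the notice goes out separately from regular correspondence."""
        self.outbound.append({
            "account": change.account_id,
            "to": change.agreed_channel or change.former_address,
            "separate_from_regular_mail": True,
            "text": ("A request for an additional or replacement card followed a change "
                     "of address on your account. If you did not request the change, "
                     "report it at <REPORT-CHANNEL-PLACEHOLDER>."),
        })
        change.assessed = True

    def assess_under_program(self, change: AddressChange, program_says_valid: bool) -> None:
        """Path (c)(2): the change was assessed under the § 334.90 Program's procedures."""
        change.assessed = program_says_valid

    def pending_changes(self, account_id: str, now: datetime) -> list:
        """Unassessed changes still inside the validation window."""
        return [c for c in self.changes.get(account_id, [])
                if not c.assessed and timedelta(0) <= now - c.received_at <= self.window]

    def card_request(self, account_id: str, now: datetime) -> str:
        """'hold' while any unassessed change is inside the window, else 'issue'."""
        return "hold" if self.pending_changes(account_id, now) else "issue"


def scenario() -> dict:
    """Walk the cases the section describes; returns decisions keyed by case."""
    results = {}
    t0 = datetime(2024, 1, 1)

    issuer = CardIssuer()
    issuer.record_address_change(AddressChange("acct-1", t0, "1 Old Street"))
    results["day9_unassessed"] = issuer.card_request("acct-1", t0 + timedelta(days=9))
    for change in issuer.pending_changes("acct-1", t0 + timedelta(days=9)):
        issuer.notify_cardholder(change)            # satisfy (c)(1), then re-evaluate
    results["day9_after_notice"] = issuer.card_request("acct-1", t0 + timedelta(days=9))
    results["notices_sent"] = len(issuer.outbound)

    issuer2 = CardIssuer()
    issuer2.record_address_change(AddressChange("acct-2", t0, "2 Old Street"))
    results["day45_unassessed"] = issuer2.card_request("acct-2", t0 + timedelta(days=45))

    issuer3 = CardIssuer()
    issuer3.record_address_change(
        AddressChange("acct-3", t0, "3 Old Street", agreed_channel="sms:+1-555-0100"),
        validate_now=True)                          # paragraph (d)
    results["day5_validated_at_notification"] = issuer3.card_request("acct-3", t0 + timedelta(days=5))
    results["notice_destination_acct3"] = issuer3.outbound[0]["to"]
    return results


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

  Two design points follow from the text. The 30-day figure is a floor, so `VALIDATION_WINDOW` is the shortest window the section allows and an issuer's own risk assessment may lengthen it; and the notice in path (c)(1) is deliberately addressed to the former address or the agreed channel rather than the new address, since the new address is the very thing whose validity is in question. The same pattern is listed as Red Flag 19 in Supplement A to Appendix J.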

[Codified to 12 C.F.R. § 334.91]

[Section 334.91 added at 72 Fed. Reg. 63761, November 9, 2007, effective January 1, 2008; the mandatory compliance date is November 1, 2008]



Appendix A–B—[Reserved]


Appendix C to Part 334—Model Forms for Opt-Out Notices

  a.  Although use of the model forms is not required, use of the model forms in this Appendix (as applicable) complies with the requirement in section 624 of the Act for clear, conspicuous, and concise notices.
  b.  Certain changes may be made to the language or format of the model forms without losing the protection from liability afforded by use of the model forms. These changes may not be so extensive as to affect the substance, clarity, or meaningful sequence of the language in the model forms. Persons making such extensive revisions will lose the safe harbor that this Appendix provides. Acceptable changes include, for example:
{{12-31-07 p.2414.20}}
  1.  Rearranging the order of the references to "your income," "your account history," and "your credit score."
  2.  Substituting other types of information for "income," "account history," or "credit score" for accuracy, such as "payment history," "credit history," "payroll status," or "claims history."
  3.  Substituting a clearer and more accurate description of the affiliates providing or covered by the notice for phrases such as "the [ABC] group of companies," including without limitation a statement that the entity providing the notice recently purchased the consumer's account.
  4.  Substituting other types of affiliates covered by the notice for "credit card," "insurance," or "securities" affiliates.
  5.  Omitting items that are not accurate or applicable. For example, if a person does not limit the duration of the opt-out period, the notice may omit information about the renewal notice.
  6.  Adding a statement informing consumers how much time they have to opt out before shared eligibility information may be used to make solicitations to them.
  7.  Adding a statement that the consumer may exercise the right to opt out at any time.
  8.  Adding the following statement, if accurate: "If you previously opted out, you do not need to do so again."
  9.  Providing a place on the form for the consumer to fill in identifying information, such as his or her name and address.

  C–1  Model Form for Initial Opt-out Notice (Single-Affiliate Notice)
  C–2  Model Form for Initial Opt-out Notice (Joint Notice)
  C–3  Model Form for Renewal Notice (Single-Affiliate Notice)
  C–4  Model Form for Renewal Notice (Joint Notice)
  C–5  Model Form for Voluntary "No Marketing" Notice

C–1—Model Form for Initial Opt-out Notice (Single-Affiliate Notice)—[Your Choice To Limit Marketing]/[Marketing Opt-out]

  •  [Name of Affiliate] is providing this notice.
  •  [Optional: Federal law gives you the right to limit some but not all marketing from our affiliates. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from our affiliates.]
  •  You may limit our affiliates in the [ABC] group of companies, such as our [credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that we collect and share with them. This information includes your [income], your [account history with us], and your [credit score].
  •  Your choice to limit marketing offers from our affiliates will apply [until you tell us to change your choice]/[for x years from when you tell us your choice]/[for at least 5 years from when you tell us your choice]. [Include if the opt-out period expires.] Once that period expires, you will receive a renewal notice that will allow you to continue to limit marketing offers from our affiliates for [another x years]/[at least another 5 years].
  •  [Include, if applicable, in a subsequent notice, including an annual notice, for consumers who may have previously opted out.] If you have already made a choice to limit marketing offers from our affiliates, you do not need to act again until you receive the renewal notice.
  To limit marketing offers, contact us [include all that apply]:
  •  By telephone: 1--877--###--####
  •  On the Web: www.---.com
  •  By mail: Check the box and complete the form below, and send the form to:

  [Company name] [Company address]
  _______ Do not allow your affiliates to use my personal information to market to me.
{{12-31-07 p.2414.21}}

C–2—Model Form for Initial Opt-out Notice (Joint Notice)—[Your Choice To Limit Marketing]/[Marketing Opt-out]

  •  The [ABC group of companies] is providing this notice.
  •  [Optional: Federal law gives you the right to limit some but not all marketing from the [ABC] companies. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from the [ABC] companies.]
  •  You may limit the [ABC] companies, such as the [ABC credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that they receive from other [ABC] companies. This information includes your [income], your [account history], and your [credit score].
  •  Your choice to limit marketing offers from the [ABC] companies will apply [until you tell us to change your choice]/[for x years from when you tell us your choice]/[for at least 5 years from when you tell us your choice]. [Include if the opt-out period expires.] Once that period expires, you will receive a renewal notice that will allow you to continue to limit marketing offers from the [ABC] companies for [another x years]/[at least another 5 years].
  •  [Include, if applicable, in a subsequent notice, including an annual notice, for consumers who may have previously opted out.] If you have already made a choice to limit marketing offers from the [ABC] companies, you do not need to act again until you receive the renewal notice.
  To limit marketing offers, contact us [include all that apply]:
  •  By telephone: 1--877--###--####
  •  On the Web: www.---.com
  •  By mail: Check the box and complete the form below, and send the form to:

  [Company name] [Company address]
  _______ Do not allow any company [in the ABC group of companies] to use my personal information to market to me.

C–3—Model Form for Renewal Notice (Single-Affiliate Notice)—[Renewing Your Choice To Limit Marketing]/[Renewing Your Marketing Opt-out]

  •  [Name of Affiliate] is providing this notice.
  •  [Optional: Federal law gives you the right to limit some but not all marketing from our affiliates. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from our affiliates.]
  •  You previously chose to limit our affiliates in the [ABC] group of companies, such as our [credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that we share with them. This information includes your [income], your [account history with us], and your [credit score].
  •  Your choice has expired or is about to expire.
  To renew your choice to limit marketing for [x] more years, contact us [include all that apply]:
  •  By telephone: 1--877--###--####
  •  On the Web: www.---.com
  •  By mail: Check the box and complete the form below, and send the form to:

  [Company name] [Company address]
  _______ Renew my choice to limit marketing for [x] more years.

C–4—Model Form for Renewal Notice (Joint Notice)—[Renewing Your Choice To Limit Marketing]/[Renewing Your Marketing Opt-out]

  •  The [ABC group of companies] is providing this notice.
  •  [Optional: Federal law gives you the right to limit some but not all marketing from the [ABC] companies. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from the [ABC] companies.]
{{12-31-07 p.2414.22}}
  •  You previously chose to limit the [ABC] companies, such as the [ABC credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that they receive from other ABC companies. This information includes your [income], your [account history], and your [credit score].
  •  Your choice has expired or is about to expire.
  To renew your choice to limit marketing for [x] more years, contact us [include all that apply]:
  •  By telephone: 1--877--###--####
  •  On the Web: www.---.com
  •  By mail: Check the box and complete the form below, and send the form to:

  [Company name] [Company address]
  _______ Renew my choice to limit marketing for [x] more years.

C–5—Model Form for Voluntary "No Marketing" Notice—Your Choice To Stop Marketing

  •  [Name of Affiliate] is providing this notice.
  •  You may choose to stop all marketing from us and our affiliates.
  To stop all marketing, contact us [include all that apply]:
  •  By telephone: 1--877--###--####
  •  On the Web: www.---.com
  •  By mail: Check the box and complete the form below, and send the form to:

  [Company name] [Company address]
  _______ Do not market to me.

[Codified to 12 C.F.R. Part 334, Appendix C]

[Appendix C added at 72 Fed. Reg. 62971, November 7, 2007, effective January 1, 2008; the mandatory compliance date is October 1, 2008]



Appendix D–I [Reserved]


Appendix J to Part 334—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

  Section 334.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 334.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 334.90 of this part.

I.  The Program

  In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

II.  Identifying Relevant Red Flags

  (a)  Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
    (1)  The types of covered accounts it offers or maintains;
    (2)  The methods it provides to open its covered accounts;
    (3)  The methods it provides to access its covered accounts; and
    (4)  Its previous experiences with identity theft.
  (b)  Sources of Red Flags. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:
    (1)  Incidents of identity theft that the financial institution or creditor has experienced;
    (2)  Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
{{12-31-07 p.2414.23}}
    (3)  Applicable supervisory guidance.
  (c)  Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.
    (1)  Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
    (2)  The presentation of suspicious documents;
    (3)  The presentation of suspicious personal identifying information, such as a suspicious address change;
    (4)  The unusual use of, or other suspicious activity related to, a covered account; and
    (5)  Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

III.  Detecting Red Flags

  The Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
  (a)  Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
  (b)  Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV.  Preventing and Mitigating Identity Theft

  The Program's policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent Web site. Appropriate responses may include the following:
  (a)  Monitoring a covered account for evidence of identity theft;
  (b)  Contacting the customer;
  (c)  Changing any passwords, security codes, or other security devices that permit access to a covered account;
  (d)  Reopening a covered account with a new account number;
  (e)  Not opening a new covered account;
  (f)  Closing an existing covered account;
  (g)  Not attempting to collect on a covered account or not selling a covered account to a debt collector;
  (h)  Notifying law enforcement; or
  (i)  Determining that no response is warranted under the particular circumstances.

V.  Updating the Program

  Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:
  (a)  The experiences of the financial institution or creditor with identity theft;
  (b)  Changes in methods of identity theft;
  (c)  Changes in methods to detect, prevent, and mitigate identity theft;
  (d)  Changes in the types of accounts that the financial institution or creditor offers or maintains; and
  (e)  Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
{{12-31-07 p.2414.24}}

VI.  Methods for Administering the Program

  (a)  Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
    (1)  Assigning specific responsibility for the Program's implementation;
    (2)  Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 334.90 of this part; and
    (3)  Approving material changes to the Program as necessary to address changing identity theft risks.
  (b)  Reports.  (1)  In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 334.90 of this part.
    (2)  Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.
  (c)  Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts, the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the financial institution or creditor, or take appropriate steps to prevent or mitigate identity theft.

VII.  Other Applicable Legal Requirements

  Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:
  (a)  For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;
  (b)  Implementing any requirements under 15 U.S.C. 1681c-1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;
  (c)  Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
  (d)  Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix J

  In addition to incorporating Red Flags from the sources recommended in section II.b of the Guidelines in Appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts.

Alerts, Notifications or Warnings from a Consumer Reporting Agency

  1.  A fraud or active duty alert is included with a consumer report.
  2.  A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
  3.  A consumer reporting agency provides a notice of address discrepancy, as defined in § 334.82(b) of this part.
  4.  A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
{{12-31-07 p.2414.25}}
    a.  A recent and significant increase in the volume of inquiries;
    b.  An unusual number of recently established credit relationships;
    c.  A material change in the use of credit, especially with respect to recently established credit relationships; or
    d.  An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

  5.  Documents provided for identification appear to have been altered or forged.
  6.  The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
  7.  Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
  8.  Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
  9.  An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

  10.  Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
    a.  The address does not match any address in the consumer report; or
    b.  The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
  11.  Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
  12.  Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
    a.  The address on an application is the same as the address provided on a fraudulent application; or
    b.  The phone number on an application is the same as the number provided on a fraudulent application.
  13.  Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
    a.  The address on an application is fictitious, a mail drop, or a prison; or
    b.  The phone number is invalid, or is associated with a pager or answering service.
  14.  The SSN provided is the same as that submitted by other persons opening an account or other customers.
  15.  The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
  16.  The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
  17.  Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
  18.  For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

  19.  Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
{{12-31-07 p.2414.26}}
  20.  A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
    a.  The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
    b.  The customer fails to make the first payment or makes an initial payment but no subsequent payments.
  21.  A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
    a.  Nonpayment when there is no history of late or missed payments;
    b.  A material increase in the use of available credit;
    c.  A material change in purchasing or spending patterns;
    d.  A material change in electronic fund transfer patterns in connection with a deposit account; or
    e.  A material change in telephone call patterns in connection with a cellular phone account.
  22.  A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
  23.  Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
  24.  The financial institution or creditor is notified that the customer is not receiving paper account statements.
  25.  The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.
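  Several of the illustrative Red Flags above are correlations an institution can compute over its own records rather than judgments made one application at a time: item 14 (an SSN submitted by more than one person opening an account), item 15 (an address or telephone number shared by an unusually large number of applicants), item 22 (use of an account after a reasonably lengthy period of inactivity) and item 23 (mail repeatedly returned while transactions continue). The following Python is an added illustration of such screening, not FDIC or any institution's code. The applicant records, account history, the `normalize` helper and the three thresholds are constructed; the Guidelines leave "unusually large", "reasonably lengthy" and "repeatedly" to each institution's risk assessment, so the numbers here are assumptions, not regulatory values.

```python
"""Screening for four of the illustrative Red Flags in Supplement A (items 14,
15, 22 and 23). Added illustration, not FDIC or institution code. Records and
thresholds are constructed; the Guidelines leave "unusually large",
"reasonably lengthy" and "repeatedly" to each institution's risk assessment.
"""
from collections import defaultdict
from datetime import date

# Assumed thresholds; an institution would derive its own from its risk assessment.
SHARED_CONTACT_THRESHOLD = 3   # item 15: contact detail shared by this many applicants
DORMANCY_DAYS = 365            # item 22: gap that counts as "reasonably lengthy" inactivity
RETURNED_MAIL_THRESHOLD = 2    # item 23: returns that count as "repeatedly"


def normalize(text: str) -> str:
    """Crude canonical form so "10 Main St" and "10  MAIN ST" compare equal. Item 15
    says "the same as or similar to"; a real Program would use address standardization."""
    return " ".join(text.lower().split())


def screen_applications(applications: list) -> list:
    """Items 14 and 15: identifiers reused across persons opening accounts.
    Returns (item, sorted applicant ids) tuples."""
    by_ssn = defaultdict(set)
    by_contact = defaultdict(set)
    for app in applications:
        by_ssn[app["ssn"]].add(app["id"])
        by_contact[("address", normalize(app["address"]))].add(app["id"])
        by_contact[("phone", normalize(app["phone"]))].add(app["id"])
    flags = []
    for ids in by_ssn.values():
        if len(ids) > 1:                            # item 14: SSN submitted by other persons
            flags.append((14, sorted(ids)))
    for ids in by_contact.values():
        if len(ids) >= SHARED_CONTACT_THRESHOLD:    # item 15: shared address or phone
            flags.append((15, sorted(ids)))
    return flags


def screen_account(account: dict) -> list:
    """Items 22 and 23 on an existing covered account. Returns (item, date) tuples."""
    flags = []
    txns = sorted(account["transactions"])
    for prev, cur in zip(txns, txns[1:]):           # item 22: use after a dormant period
        if (cur - prev).days >= DORMANCY_DAYS:
            flags.append((22, cur))
            break
    returns = sorted(account["returned_mail"])
    if (len(returns) >= RETURNED_MAIL_THRESHOLD and txns
            and txns[-1] > returns[0]):             # item 23: activity continues despite returns
        flags.append((23, returns[-1]))
    return flags


# Constructed sample records (SSNs are deliberately invalid placeholders).
APPLICATIONS = [
    {"id": "A1", "ssn": "000-00-0001", "address": "10 Main St",  "phone": "555-0100"},
    {"id": "A2", "ssn": "000-00-0001", "address": "5 Oak Ave",   "phone": "555-0101"},
    {"id": "A3", "ssn": "000-00-0002", "address": "10 main st",  "phone": "555-0102"},
    {"id": "A4", "ssn": "000-00-0003", "address": "10  MAIN ST", "phone": "555-0103"},
]
ACCOUNT = {
    "account_id": "acct-9",
    "transactions": [date(2022, 1, 5), date(2023, 3, 1), date(2023, 3, 10)],
    "returned_mail": [date(2023, 2, 1), date(2023, 2, 20)],
}


def account_flags_iso(account: dict) -> list:
    """screen_account with ISO date strings, convenient for a compliance report."""
    return [(item, when.isoformat()) for item, when in screen_account(account)]


if __name__ == "__main__":
    print(screen_applications(APPLICATIONS))
    print(account_flags_iso(ACCOUNT))
```

  On the constructed data, applicants A1 and A2 share an SSN (item 14), three applicants resolve to the same street address once case and spacing are normalized (item 15), the account's second transaction comes 420 days after the first (item 22), and two pieces of returned mail precede a transaction that still went through (item 23). Each hit is only a Red Flag in the sense of § 334.90(b)(9): section IV of the Guidelines expects a response commensurate with the risk, which may be anything from monitoring and contacting the customer to determining that no response is warranted.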

Notice From Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor

  26.  The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

[Codified to 12 C.F.R. Part 334, Appendix J]

[Appendix J added at 72 Fed. Reg. 63762, November 9, 2007, effective January 1, 2008; the mandatory compliance date is November 1, 2008]


[The page following this is 2415.]




