FDIC Home - Federal Deposit Insurance Corporation




Compliance Examination Handbook


VIII. Privacy and Consumer Information


Gramm-Leach-Bliley Act
(Privacy of Consumer Financial Information)
Introduction
On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act (the Act or GLBA). Title V, Subtitle A of the Act governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless the institution satisfies various notice and opt-out requirements, and provided that the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.

Accordingly, on June 1, 2000, the four federal bank and thrift regulators published substantively identical regulations implementing provisions of the Act governing the privacy of consumer financial information. The regulations establish rules governing duties of a financial institution to provide particular notices and limitations on its disclosure of nonpublic personal information, as summarized below. A more complete discussion appears later in this chapter.

  • A financial institution must provide a notice of its privacy policies and allow the consumer to opt out before it discloses the consumer's nonpublic personal information to a nonaffiliated third party, if the disclosure is outside the exceptions in sections 13, 14, or 15 of the regulations.
  • Regardless of whether a financial institution shares nonpublic personal information, the institution must provide notices of its privacy policies to its customers.
  • A financial institution generally may not disclose customer account numbers to any nonaffiliated third party for marketing purposes.
  • A financial institution must follow reuse and redisclosure limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.
The privacy regulations became effective on November 13, 2000. Compliance was required as of July 1, 2001.

Definitions and Key Concepts
In discussing the duties and limitations imposed by the regulations, a number of key concepts are used. These concepts include "financial institution"; "nonpublic personal information"; "nonaffiliated third party"; the "opt out" right and the exceptions to that right; and "consumer" and "customer." Each concept is briefly discussed below. A more complete explanation of each appears in the regulations.

"Financial institution" is any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities, as determined by section 4(k) of the Bank Holding Company Act of 1956. Financial institutions can include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents.

"Nonpublic personal information" generally is any information that is not publicly available and that:
  • a consumer provides to a financial institution to obtain a financial product or service from the institution;
  • results from a transaction between the consumer and the institution involving a financial product or service; or
  • a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.
Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public. Examples include information in a telephone book or a publicly recorded document, such as a mortgage or securities filing.

Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (e.g., cookies).

There are special rules regarding lists. Publicly available information would be treated as nonpublic if it were included on a list of consumers derived from nonpublic personal information. For example, a list of the names and addresses of a financial institution's depositors would be nonpublic personal information even though the names and addresses might be published in local telephone directories because the list is derived from the fact that a person has a deposit account with an institution, which is not publicly available information.

However, if the financial institution has a reasonable basis to believe that certain customer relationships are a matter of public record, then any list of these relationships would be considered publicly available information. For instance, a list of mortgage customers where the mortgages are recorded in public records would be considered publicly available information. The institution could provide a list of such customers, and include on that list any other publicly available information it has about the customers on that list without having to provide notice or opt out.

"Nonaffiliated third party" is any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the institution’s affiliate. An "affiliate" of a financial institution is any company that controls, is controlled by, or is under common control with the financial institution.

"Opt Out" Right and Exceptions
The Right — Consumers must be given the right to "opt out" of, or prevent, a financial institution from disclosing nonpublic personal information about them to a nonaffiliated third party, unless an exception to that right applies. The exceptions are detailed in sections 13, 14, and 15 of the regulations and described below.

As part of the opt out right, consumers must be given a reasonable opportunity and a reasonable means to opt out. What constitutes a reasonable opportunity to opt out depends on the circumstances surrounding the consumer’s transaction, but a consumer must be provided a reasonable amount of time to exercise the opt out right. For example, it would be reasonable if the financial institution allows 30 days from the date of mailing a notice, or 30 days after customer acknowledgement of an electronic notice, for an opt out direction to be returned. What constitutes a reasonable means to opt out may include check-off boxes, a reply form, or a toll-free telephone number, again depending on the circumstances surrounding the consumer’s transaction. It is not reasonable to require a consumer to write his or her own letter as the only means to opt out.

The Exceptions — Exceptions to the opt out right are detailed in sections 13, 14, and 15 of the regulations. Financial institutions need not comply with opt-out requirements if they limit disclosure of nonpublic personal information:
  • To a nonaffiliated third party to perform services for the financial institution or to function on its behalf, including marketing the institution's own products or services or those offered jointly by the institution and another financial institution. The exception is permitted only if the financial institution provides notice of these arrangements and by contract prohibits the third party from disclosing or using the information for other than the specified purposes. In a contract for a joint marketing agreement, the contract must provide that the parties to the agreement are jointly offering, sponsoring, or endorsing a financial product or service. However, if the service or function is covered by the exceptions in section 14 or 15 (discussed below), the financial institution does not have to comply with the additional disclosure and confidentiality requirements of section 13. Disclosure under this exception could include the outsourcing of marketing to an advertising company. (Section 13)
  • As necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or under certain other circumstances relating to existing relationships with customers. Disclosures under this exception could be in connection with the audit of credit information, administration of a rewards program, or to provide an account statement. (Section 14)
  • For specified other disclosures that a financial institution normally makes, such as to protect against or prevent actual or potential fraud; to the financial institution's attorneys, accountants, and auditors; or to comply with applicable legal requirements, such as the disclosure of information to regulators. (Section 15)
"Consumer and Customer"
The distinction between consumers and customers is significant because financial institutions have additional disclosure duties with respect to customers. All customers covered under the regulation are consumers, but not all consumers are customers.

A "consumer" is an individual, or that individual’s legal representative, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes.

A "financial service" includes, among other things, a financial institution’s evaluation or brokerage of information that the institution collects in connection with a request or an application from a consumer for a financial product or service. For example, a financial service includes a lender’s evaluation of an application for a consumer loan or for opening a deposit account even if the application is ultimately rejected or withdrawn.

Consumers who are not customers are entitled to an initial privacy and opt out notice only if the financial institution wants to share their nonpublic personal information with nonaffiliated third parties outside of the exceptions.

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
For example, a customer relationship may be established when a consumer engages in one of the following activities with a financial institution:
  • maintains a deposit or investment account;
  • obtains a loan;
  • enters into a lease of personal property; or
  • obtains financial, investment, or economic advisory services for a fee.

Customers are entitled to initial and annual privacy notices regardless of the information disclosure practices of their financial institution.

There is a special rule for loans. When a financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. However, any information on the borrower retained by the institution that sells the servicing rights must be accorded the protections due any consumer.

Note that isolated transactions alone will not cause a consumer to be treated as a customer. For example, if an individual purchases a bank check from a financial institution where the person has no account, the individual will be a consumer but not a customer of that institution because he or she has not established a customer relationship. Likewise, if an individual uses the ATM of a financial institution where the individual has no account, even repeatedly, the individual will be a consumer, but not a customer of that institution.

Financial Institution Duties
The regulations establish specific duties and limitations for a financial institution based on its activities. Financial institutions that intend to disclose nonpublic personal information outside the exceptions will have to provide opt out rights to their customers and to consumers who are not customers. All financial institutions have an obligation to provide an initial and annual notice of their privacy policies to their customers. All financial institutions must abide by the regulatory limits on the disclosure of account numbers to nonaffiliated third parties and on the redisclosure and reuse of nonpublic personal information received from nonaffiliated financial institutions.

A brief summary of financial institution duties and limitations appears below. A more complete explanation of each appears in the regulations.

Notice and Opt Out Duties to Consumers
If a financial institution intends to disclose nonpublic personal information about any of its consumers (whether or not they are customers) to a nonaffiliated third party, and an exception does not apply, then the financial institution must provide to the consumer:
  • an initial notice of its privacy policies;
  • an opt out notice (including, among other things, a reasonable means to opt out); and
  • a reasonable opportunity, before the financial institution discloses the information to the nonaffiliated third party, to opt out.
The financial institution may not disclose any nonpublic personal information to nonaffiliated third parties except under the enumerated exceptions unless these notices have been provided and the consumer has not opted out. Additionally, the institution must provide a revised notice before the financial institution begins to share a new category of nonpublic personal information or shares information with a new category of nonaffiliated third party in a manner that was not described in the previous notice.

Note that a financial institution need not comply with the initial and opt-out notice requirements for consumers who are not customers if the institution limits disclosure of nonpublic personal information to the exceptions.

Notice Duties to Customers
In addition to the duties described above, there are several duties unique to customers. In particular, regardless of whether the institution discloses or intends to disclose nonpublic personal information, a financial institution must provide notice to its customers of its privacy policies and practices at various times.
  • A financial institution must provide an initial notice of its privacy policies and practices to each customer, not later than the time a customer relationship is established. Section 4(e) of the regulations describes the exceptional cases in which delivery of the notice is allowed subsequent to the establishment of the customer relationship.
  • A financial institution must provide an annual notice at least once in any period of 12 consecutive months during the continuation of the customer relationship.
  • Generally, new privacy notices are not required for each new product or service. However, a financial institution must provide a new notice to an existing customer when the customer obtains a new financial product or service from the institution, if the initial or annual notice most recently provided to the customer was not accurate with respect to the new financial product or service.
  • When a financial institution does not disclose nonpublic personal information (other than as permitted under section 14 and section 15 exceptions) and does not reserve the right to do so, the institution has the option of providing a simplified notice.
Requirements for Notices
Clear and Conspicuous. Privacy notices must be clear and conspicuous, meaning they must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The regulations do not prescribe specific methods for making a notice clear and conspicuous, but do provide examples of ways in which to achieve the standard, such as the use of short explanatory sentences or bullet lists, and the use of plain-language headings and easily readable typeface and type size. Privacy notices also must accurately reflect the institution’s privacy practices.

Delivery Rules. Privacy notices must be provided so that each recipient can reasonably be expected to receive actual notice in writing, or if the consumer agrees, electronically. To meet this standard, a financial institution could, for example, (1) hand-deliver a printed copy of the notice to its consumers, (2) mail a printed copy of the notice to a consumer’s last known address, or (3) for the consumer who conducts transactions electronically, post the notice on the institution’s web site and require the consumer to acknowledge receipt of the notice as a necessary step to completing the transaction.

For customers only, a financial institution must provide the initial notice (as well as the annual notice and any revised notice) so that a customer may be able to retain or subsequently access the notice. A written notice satisfies this requirement. For customers who obtain financial products or services electronically, and agree to receive their notices on the institution’s web site, the institution may provide the current version of its privacy notice on its web site.

Notice Content. A privacy notice must contain specific disclosures. However, a financial institution may provide to consumers who are not customers a "short form" initial notice together with an opt out notice stating that the institution’s privacy notice is available upon request and explaining a reasonable means for the consumer to obtain it. The following is a list of disclosures regarding nonpublic personal information that institutions must provide in their privacy notices, as applicable:
  1. categories of information collected;
  2. categories of information disclosed;
  3. categories of affiliates and nonaffiliated third parties to whom the institution may disclose information;
  4. policies with respect to the treatment of former customers’ information;
  5. information disclosed to service providers and joint marketers (Section 13);
  6. an explanation of the opt out right and methods for opting out;
  7. any opt out notices the institution must provide under the Fair Credit Reporting Act with respect to affiliate information sharing;
  8. policies for protecting the security and confidentiality of information; and
  9. a statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law (Sections 14 and 15).
Limitations on Disclosure of Account Numbers
A financial institution must not disclose an account number or similar form of access number or access code for a credit card, deposit, or transaction account to any nonaffiliated third party (other than a consumer reporting agency) for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

The disclosure of encrypted account numbers without an accompanying means of decryption, however, is not subject to this prohibition. The regulation also expressly allows disclosures by a financial institution to its agent to market the institution’s own products or services (although the financial institution must not authorize the agent to directly initiate charges to the customer’s account). Also not barred are disclosures to participants in private-label or affinity card programs, where the participants are identified to the customer when the customer enters the program.
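The following Python is an added illustration, not part of the FDIC handbook, of the distinction the paragraph above draws: a partner-facing extract that carries a keyed one-way token in place of the account number (so the recipient gets no access number and no means of recovering one), plus a pre-release check that scans an outbound marketing extract for the institution's own raw account numbers. The key, the record layout, the campaign name and the 8-to-17-digit account-number shape are assumptions for the example; the sample customer records are constructed.

```python
import hashlib
import hmac
import re

# Assumed account-number shape for the scan: 8 to 17 digits, not bordered by
# other digits (real formats vary by institution and product).
ACCOUNT_NUMBER_RE = re.compile(r"(?<!\d)\d{8,17}(?!\d)")


def _digits(value: str) -> str:
    """Normalize a value to its digits only, so '1234-5678' and '12345678' match."""
    return re.sub(r"\D", "", value)


def tokenize_account_number(account_number: str, key: bytes, purpose: str) -> str:
    """Return a keyed, one-way token standing in for an account number.

    HMAC-SHA256 over (purpose, normalized account number). The partner can
    join records on the token, but with the key held only by the
    institution it has no means of recovering the account number and
    cannot confirm guesses by recomputing tokens. Binding the purpose into
    the input gives each campaign or partner its own token space, so
    tokens cannot be correlated across recipients.
    """
    if len(key) < 32:
        raise ValueError("use a key of at least 32 random bytes")
    message = purpose.encode("utf-8") + b"\x00" + _digits(account_number).encode("ascii")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_marketing_extract(customers, key: bytes, campaign: str):
    """Produce the partner-facing rows: the token replaces the account number."""
    return [
        {
            "token": tokenize_account_number(c["account_number"], key, campaign),
            "name": c["name"],
            "city": c["city"],
        }
        for c in customers
    ]


def find_raw_account_numbers(rows, known_accounts):
    """Pre-release check on an outbound extract.

    Returns (row index, field name) for every field that carries one of the
    institution's own account numbers, whether as the whole value (in any
    punctuation) or embedded in free text such as a memo field.
    """
    known = {_digits(a) for a in known_accounts}
    findings = []
    for index, row in enumerate(rows):
        for field, value in row.items():
            text = str(value)
            embedded = (m.group(0) for m in ACCOUNT_NUMBER_RE.finditer(text))
            if _digits(text) in known or any(run in known for run in embedded):
                findings.append((index, field))
    return findings


# Constructed sample records for illustration; not real customers.
SAMPLE_CUSTOMERS = [
    {"name": "A. Example", "city": "Springfield", "account_number": "1234-5678-9012-3456"},
    {"name": "B. Example", "city": "Shelbyville", "account_number": "9876543210"},
]

if __name__ == "__main__":
    demo_key = bytes(range(32))  # demo only; in practice draw the key from a secrets manager
    extract = build_marketing_extract(SAMPLE_CUSTOMERS, demo_key, "campaign-spring")
    known = [c["account_number"] for c in SAMPLE_CUSTOMERS]
    print(find_raw_account_numbers(extract, known))  # []
```

Two caveats a practitioner should keep in view. The token-to-account mapping the institution retains is itself nonpublic personal information and stays inside the institution; and a reversible scheme in which the recipient holds (or can obtain) the key would be an accompanying means of decryption, which the regulation's allowance does not cover.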

Redisclosure and Reuse Limitations on Nonpublic Personal Information Received
If a financial institution receives nonpublic personal information from a nonaffiliated financial institution, its disclosure and use of the information is limited.
  • For nonpublic personal information received under a Section 14 or 15 exception, the financial institution is limited to:
    • Disclosing the information to the affiliates of the financial institution from which it received the information;
    • Disclosing the information to its own affiliates, who may, in turn, disclose and use the information only to the extent that the financial institution can do so; and
    • Disclosing and using the information pursuant to a section 14 or 15 exception (for example, an institution receiving information for account processing could disclose the information to its auditors).
  • For nonpublic personal information received other than under a section 14 or 15 exception, the recipient's use of the information is unlimited, but its disclosure of the information is limited to:
    • Disclosing the information to the affiliates of the financial institution from which it received the information;
    • Disclosing the information to its own affiliates, who may, in turn, disclose the information only to the extent that the financial institution can do so; and
    • Disclosing the information to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which it received the information. For example, an institution that received a customer list from another financial institution could disclose the list (1) in accordance with the privacy policy of the financial institution that provided the list, (2) subject to any opt out election or revocation by the consumers on the list, and (3) in accordance with appropriate exceptions under sections 14 and 15.
Other Matters
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the operation of the Fair Credit Reporting Act.

State Law
The regulations do not supersede, alter, or affect any state statute, regulation, order, or interpretation, except to the extent that it is inconsistent with the regulations. A state statute, regulation, order, etc. is consistent with the regulations if the protection it affords any consumer is greater than the protection provided under the regulations, as determined by the FTC.

Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or before July 1, 2000, with a nonaffiliated third party to perform services for the financial institution or functions on its behalf, as described in section 13, will satisfy the confidentiality requirements of section 13(a)(1)(ii) until July 1, 2002, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information.

Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose its policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information about consumers (whether or not they are customers). The disclosure need not describe these policies and practices in detail, but instead may describe in general terms who is authorized to have access to the information and whether the institution has security practices and procedures in place to ensure the confidentiality of the information in accordance with the institution’s policies.

The four federal bank and thrift regulators have published guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley Act, that address steps a financial institution should take in order to protect customer information. The guidelines relate only to information about customers, rather than all consumers. Compliance examiners should consider the findings of a 501(b) inspection during the compliance examination of a financial institution for purposes of evaluating the accuracy of the institution’s disclosure regarding data security.

Examination Objectives
  1. To assess the quality of a financial institution’s compliance management policies and procedures for implementing the privacy regulation, specifically ensuring consistency between what the financial institution tells consumers in its notices about its policies and practices and what it actually does.
  2. To determine the reliance that can be placed on a financial institution’s internal controls and procedures for monitoring the institution’s compliance with the privacy regulation.
  3. To determine a financial institution’s compliance with the privacy regulation, specifically in meeting the following requirements:
    • Providing to customers notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each customer can reasonably be expected to receive actual notice;
    • Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving consumers notice and the right to opt out;
    • Appropriately honoring consumer opt out directions;
    • Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
    • Disclosing account numbers only according to the limits in the regulations.
  4. To initiate effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.
Examination Procedures
  1. Through discussions with management and review of available information, identify the institution’s information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:
    1. Notices (initial, annual, revised, opt out, short-form, and simplified);
    2. Institutional privacy policies and procedures, including those to:
      • process requests for nonpublic personal information, including requests for aggregated data;
      • deliver notices to consumers;
      • manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders);
      • prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and
      • prevent the unlawful disclosure of account numbers;
    3. Information sharing agreements between the institution and affiliates and service agreements or contracts between the institution and nonaffiliated third parties either to obtain or provide information or services;
    4. Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under section 13 are met and whether the institution is disclosing account number information in violation of section 12);
    5. Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including the data collected electronically through Internet cookies; or through ATM transactions);
    6. Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party;
    7. Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically;
    8. Records that reflect the bank’s categorization of its information sharing practices under Sections 13, 14, 15, and outside of these exceptions; and
    9. Results of a 501(b) inspection (used to determine the accuracy of the institution’s privacy disclosures regarding data security).
  2. Use the information gathered in step 1 to work through the "Privacy Notice and Opt Out Decision Tree" (below). Identify which module(s) of procedures (Module 1 onward, below) is (are) applicable.
  3. Use the information gathered in step 1 to work through the Reuse and Redisclosure and Account Number Sharing Decision Trees, as necessary (below). Identify which module is applicable.
  4. Determine the adequacy of the financial institution’s internal controls and procedures to ensure compliance with the privacy regulation as applicable. Consider the following:
    1. Sufficiency of internal policies and procedures, and controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;
    2. Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;
    3. Frequency and effectiveness of monitoring procedures;
    4. Adequacy and regularity of the institution’s training program;
    5. Suitability of the compliance audit program for ensuring that:
      • the procedures address all regulatory provisions as applicable;
      • the work is accurate and comprehensive with respect to the institution’s information sharing practices;
      • the frequency is appropriate;
      • conclusions are appropriately reached and presented to responsible parties;
      • steps are taken to correct deficiencies and to follow up on previously identified deficiencies; and
    6. Knowledge level of management and personnel.
  5. Ascertain areas of risk associated with the financial institution’s sharing practices (especially those within Section 13 and those that fall outside of the exceptions) and any weaknesses found within the compliance management program. Keep in mind any outstanding deficiencies identified in the audit for follow-up when completing the modules.
  6. Based on the results of the foregoing initial procedures and discussions with management, determine which procedures, if any, should be completed in the applicable module, focusing on areas of particular risk. The selection of procedures to be employed depends upon the adequacy of the institution’s compliance management system and the level of risk identified. Each module contains a series of general instructions to verify compliance, cross-referenced to cites within the regulation. Additionally, there are cross-references to a more comprehensive checklist, which the examiner may use if needed to evaluate compliance in more detail.
  7. Evaluate any additional information or documentation discovered during the course of the examination according to these procedures. Note that this may reveal new or different sharing practices necessitating reapplication of the Decision Trees and completion of additional or different modules.
  8. Formulate conclusions.
    1. Summarize all findings.
    2. For violation(s) noted, determine the cause by identifying weaknesses in internal controls, compliance review, training, management oversight, or other areas.
    3. Identify action needed to correct violations and weaknesses in the institution’s compliance system, as appropriate.
    4. Discuss findings with management and obtain a commitment for corrective action.

Privacy Notice and Opt Out Decision Tree

Privacy Notice and Opt Out Decision Tree.  Please call the FDIC at 1 (877) 275-3342 for additional information.



Reuse and Redisclosure of Nonpublic Personal Information Received from Nonaffiliated Financial Institutions Decision Tree (Sections 11(a) and 11(b))

Reuse and Redisclosure of Nonpublic Personal Information Received from Nonaffiliated Financial Institutions Decision Tree (Sections 11(a) and 11(b)).  Please call the FDIC at 1 (877) 275-3342 for additional information.



Account Number Sharing Decision Tree (Section 12)

[Figure: Account Number Sharing Decision Tree, Section 12 (image not reproduced in this text version).]



*Permissible sharing under Section 12 may include an account number in encrypted form, provided the recipient is not also given the decryption key or any other means to decode it.

Module 1
Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of the exceptions (with or without also sharing under Section 13).

NOTE: Financial institutions whose practices fall within this category engage in the most expansive degree of information sharing permissible. Consequently, these institutions are held to the most comprehensive compliance standards imposed by the Privacy regulation.

  1. Disclosure of Nonpublic Personal Information
    1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party both inside and outside of the exceptions. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution’s compliance with disclosure limitations.
      1. Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers (customers and those who are not customers) in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).
      2. Compare the data shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions or from consumers (customers and those who are not customers) who chose not to opt out is shared (§10).
    2. If the financial institution also shares information under Section 13, obtain and review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the “grandfather” provisions of Section 18 apply to certain of these contracts (§13(a)).
  2. Presentation, Content, and Delivery of Privacy Notices
    1. Review the financial institution’s initial, annual and revised notices, as well as any short-form notices that the institution may use for consumers who are not customers. Determine whether or not these notices:
      1. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1), 8(a)(1));
      2. Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and
      3. Include, and adequately describe, all required items of information and contain examples as applicable (§6). Note that if the institution shares under Section 13 the notice provisions for that section shall also apply.
    2. Through discussions with management, review of the institution’s policies and procedures, and a sample of electronic or written consumer records where available, determine if the institution has adequate procedures in place to provide notices to consumers, as appropriate. Assess the following:
      1. Timeliness of delivery (§§4(a), 7(c), 8(a));
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9); and
      3. For customers only, the timeliness of delivery (§§4(d), 4(e), 5(a)), the means of delivery of the annual notice (§9(c)), and the accessibility of or ability to retain the notice (§9(e)).
  3. Opt Out Right
    1. Review the financial institution’s opt out notices. An opt out notice may be combined with the institution’s privacy notices. Regardless, determine whether the opt out notices:
      1. Are clear and conspicuous (§§3(b) and 7(a)(1));
      2. Accurately explain the right to opt out (§7(a)(1));
      3. Include and adequately describe the three required items of information (the institution’s policy regarding disclosure of nonpublic personal information, the consumer’s opt out right, and the means to opt out) (§7(a)(1)); and
      4. Describe how the institution treats joint consumers (customers and those who are not customers), as applicable (§7(d)).
    2. Through discussions with management, review of the institution’s policies and procedures, and a sample of electronic or written records where available, determine if the institution has adequate procedures in place to provide the opt out notice and comply with opt out directions of consumers (customers and those who are not customers), as appropriate. Assess the following:
      1. Timeliness of delivery (§10(a)(1));
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9); and
      3. Reasonableness of the opportunity to opt out (the time allowed to and the means by which the consumer may opt out) (§§10(a)(1)(iii), 10(a)(3)).
    3. Adequacy of procedures to implement and track the status of a consumer’s (customers and those who are not customers) opt out direction, including those of former customers (§7(e), (f), (g)).
  4. Checklist Cross References—Module 1

Regulation Section | Subject | Checklist Questions
4(a); 6(a, b, c, e); and 9(a, b, g) | Privacy notices (presentation, content, and delivery) | 2, 8-11, 14, 18, 35, 36, 40
4(a, c, d, e); 5; and 9(c, e) | Customer notice delivery rules | 1, 3-7, 37, 38
13 | Section 13 notice and contracting rules (as applicable) | 12, 47
6(d) | Short form notice rules (optional for consumers only) | 15-17
7; 8; and 10 | Opt out rules | 19-34, 41-43
14, 15 | Exceptions | 48, 49, 50


Module 2
Sharing nonpublic personal information with nonaffiliated third parties under Sections 13, and 14 and/or 15, but not outside of these exceptions.

  1. Disclosure of Nonpublic Personal Information
    1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution’s compliance with disclosure limitations.
      1. Compare the data shared and with whom the data were shared to ensure that the institution accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (§§13, 14, 15).
      2. Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).
    2. Review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts. (§13(a))
  2. Presentation, Content, and Delivery of Privacy Notices
    1. Review the financial institution’s initial and annual privacy notices. Determine whether or not they:
      1. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
      2. Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and
      3. Include, and adequately describe, all required items of information and contain examples as applicable (§§6, 13).
    2. Through discussions with management, review of the institution’s policies and procedures, and a sample of electronic or written consumer records where available, determine if the institution has adequate procedures in place to provide notices to consumers, as appropriate. Assess the following:
      1. Timeliness of delivery (§4(a));
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9); and
      3. For customers only, the timeliness of delivery (§§4(d), 4(e), and 5(a)), the means of delivery of the annual notice (§9(c)), and the accessibility of or ability to retain the notice (§9(e)).
  3. Checklist Cross References—Module 2
Regulation Section | Subject | Checklist Questions
4(a); 6(a, b, c, e); and 9(a, b, g) | Privacy notices (presentation, content, and delivery) | 2, 8-11, 14, 18, 35, 36, 40
4(a, c, d, e); 5; and 9(c, e) | Customer notice delivery rules | 1, 3-7, 37, 38
13 | Section 13 notice and contracting rules (as applicable) | 12, 47
14, 15 | Exceptions | 48, 49, 50


Module 3
Sharing nonpublic personal information with nonaffiliated third parties only under Sections 14 and/or 15.

NOTE: This module applies only to customers.

  1. Disclosure of Nonpublic Personal Information
    1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party.
      1. Compare the data shared and with whom the data were shared to ensure that the institution accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions.
  2. Presentation, Content, and Delivery of Privacy Notices
    1. Obtain and review the financial institution’s initial and annual notices, as well as any simplified notice that the institution may use. Note that the institution may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of the Section 14 and 15 exceptions. Determine whether or not these notices:
      1. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
      2. Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and
      3. Include, and adequately describe, all required items of information (§6).
    2. Through discussions with management, review of the institution’s policies and procedures, and a sample of electronic or written customer records where available, determine if the institution has adequate procedures in place to provide notices to customers, as appropriate. Assess the following:
      1. Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the customer agrees; or as a necessary step of a transaction) (§9) and accessibility of or ability to retain the notice (§9(e)).
  3. Checklist Cross References—Module 3
Regulation Section | Subject | Checklist Questions
6 | Customer notice content and presentation | 13
6(c)(5); | Simplified notice content (optional) | 1, 3-7, 37, 38
4(a, d, e); 5; | Customer notice delivery process rules (as applicable) | 1, 3-7, 35, 40
14, 15 | Exceptions | 48, 49, 50


Module 4
Reuse & Redisclosure of nonpublic personal information received from a nonaffiliated financial institution under Sections 14 and/or 15.

  1. Through discussions with management and review of the institution’s procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure and reuse of the information where the institution is the recipient of nonpublic personal information (§11(a)).
  2. Select a sample of data received from nonaffiliated financial institutions, to evaluate the financial institution’s compliance with reuse and redisclosure limitations.
    1. Verify that the institution’s redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution’s own affiliates, except as otherwise allowed in step 2 below (§11(a)(1)(i) and (ii)).
    2. Verify that the institution only uses and shares the data pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).
  3. Checklist Cross References—Module 4
Regulation Section | Subject | Checklist Questions
11(a) | Reuse and disclosure presentation | 44


Module 5
Redisclosure of nonpublic personal information received from a nonaffiliated financial institution outside of Sections 14 and 15.

  1. Through discussions with management and review of the institution’s procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure of the information where the institution is the recipient of nonpublic personal information (§11(b)).
  2. Select a sample of data received from nonaffiliated financial institutions and shared with others to evaluate the financial institution’s compliance with redisclosure limitations.
    1. Verify that the institution’s redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution’s own affiliates, except as otherwise allowed in step 2 below (§11(b)(1)(i) and (ii)).
    2. If the institution shares information with entities other than those under step 1 above, verify that the institution’s information sharing practices conform to those in the nonaffiliated financial institution’s privacy notice (§11(b)(1)(iii)).
    3. Also, review the procedures used by the institution to ensure that the information sharing reflects the opt out status of the consumers of the nonaffiliated financial institution (§§10, 11(b)(1)(iii)).
  3. Checklist Cross References—Module 5
Regulation Section | Subject | Checklist Questions
11(b) | Reuse and redisclosure | 45


Module 6
Account number sharing.

  1. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the institution’s consumers (§12).
  2. Obtain and review a sample of contracts with agents or service providers to whom the financial institution discloses account numbers for use in connection with marketing the institution’s own products or services. Determine whether the institution shares account numbers with nonaffiliated third parties only to perform marketing for the institution’s own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to customers’ accounts (§12(b)(1)).
  3. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the customer when the customer enters into the program (§12(b)(2)).
  4. Checklist Cross References—Module 6
Regulation Section | Subject | Checklist Questions
12 | Account number sharing | 46



Examination Checklist

Subpart A Yes No
Initial Privacy Notice
1. Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all customers not later than when the customer relationship is established, other than as allowed in paragraph (e) of section four (4) of the regulation? [§4(a)(1)]

NOTE: no notice is required if nonpublic personal information is disclosed to nonaffiliated third parties only under an exception in Sections 14 and 15, and there is no customer relationship. [§4(b)] With respect to credit relationships, an institution establishes a customer relationship when it originates a consumer loan. If the institution subsequently sells the servicing rights to the loan to another financial institution, the customer relationship transfers with the servicing rights. [§4(c)]

   
2. Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers, who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in §§14 or 15? [§4(a)(2)]

   
3. Does the institution provide to existing customers, who obtain a new financial product or service, an initial privacy notice that covers the customer’s new financial product or service, if the most recent notice provided to the customer was not accurate with respect to the new financial product or service? [§4(d)(1)]

   
4. Does the institution provide initial notice after establishing a customer relationship only if:

a. the customer relationship is not established at the customer’s election; [§4(e)(1)(i)] or

   
b. to do otherwise would substantially delay the customer’s transaction (e.g. in the case of a telephone application), and the customer agrees to the subsequent delivery? [§4 (e)(1)(ii)]

   
5. When the subsequent delivery of a privacy notice is permitted, does the institution provide notice after establishing a customer relationship within a reasonable time? [§4(e)]

   
Annual Privacy Notice
6. Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to all customers, throughout the customer relationship? [§5(a)(1) and (2)] NOTE: annual notices are not required for former customers. [§5(b)(1) and (2)]

   
7. Does the institution provide an annual privacy notice to each customer whose loan the institution owns the right to service? [§§5(c), 4(c)(2)]

   
Content of Privacy Notices
8. Do the initial, annual, and revised privacy notices include each of the following, as applicable:

a. the categories of nonpublic personal information that the institution collects; [§6(a)(1)]

  
b. the categories of nonpublic personal information that the institution discloses; [§6(a)(2)]

  
c. the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §14 or §15; [§6(a)(3)]

  
d. the categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the institution discloses that information, other than those parties to whom the institution discloses information under an exception in §14 or §15; [§6(a)(4)]

  
e. if the institution discloses nonpublic personal information to a nonaffiliated third party under §13, and no exception under §14 or §15 applies, a separate statement of the categories of information the institution discloses and the categories of third parties with whom the institution has contracted; [§6(a)(5)]

  
f. an explanation of the opt out right, including the method(s) of opt out that the consumer can use at the time of the notice; [§6(a)(6)]

  
g. any disclosures that the institution makes under §603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]

  
h. the institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; [§6(a)(8)] and

  
i. a general statement (with no specific reference to the exceptions or to the third parties) that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(a)(9), (b)]

NOTE: sample clauses for these items appear in Appendix A of the Regulation.

  
9. Does the institution list the following categories of nonpublic personal information that it collects, as applicable:

a. information from the consumer; [§6(c)(1)(i)]

   
b. information about the consumer’s transactions with the institution or its affiliates; [§6(c)(1)(ii)]
   
c. information about the consumer’s transactions with nonaffiliated third parties; [§6(c)(1)(iii)] and

   
d. information from a consumer reporting agency? [§6(c)(1)(iv)]

   
10. Does the institution list the following categories of nonpublic personal information that it discloses, as applicable, and a few examples of each, or alternatively state that it reserves the right to disclose all the nonpublic personal information that it collects:

a. information from the consumer;

   
b. information about the consumer’s transactions with the institution or its affiliates;

   
c. information about the consumer’s transactions with nonaffiliated third parties; and

   
d. information from a consumer reporting agency? [§6(c)(2)]

NOTE: examples are recommended under §6(c)(2) although not under §6(c)(1).

   
11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category:

a. financial service providers; [§6(c)(3)(i)]

   
b. non-financial companies; [§6(c)(3)(ii)] and

   
c. others? [§6(c)(3)(iii)]

   
12. Does the institution make the following disclosures regarding service providers and joint marketers to whom it discloses nonpublic personal information under §13:

a. as applicable, the same categories and examples of nonpublic personal information disclosed as described in paragraphs (a)(2) and (c)(2) of section six (6) (see questions 8b and 10); and [§6(c)(4)(i)]

   
b. that the third party is a service provider that performs marketing on the institution’s behalf or on behalf of the institution and another financial institution; [§6(c)(4)(ii)(A)] or

   
c. that the third party is a financial institution with which the institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]

   
13. If the institution does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §14 and §15, does the institution provide a simplified privacy notice that contains at a minimum:

a. a statement to this effect;

   
b. the categories of nonpublic personal information it collects;

   
c. the policies and practices the institution uses to protect the confidentiality and security of nonpublic personal information; and

   
d. a general statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(c)(5)]

NOTE: use of this type of simplified notice is optional; an institution may always use a full notice.

   
14. Does the institution describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information:

a. who is authorized to have access to the information; and [§6(c)(6)(i)]

   
b. whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the institution’s policy? [§6(c)(6)(ii)]

NOTE: the institution is not required to describe technical information about the safeguards used in this respect.

   
15. If the institution provides a short-form initial privacy notice with the opt out notice, does the institution do so only to consumers with whom the institution does not have a customer relationship? [§6(d)(1)]

   
16. If the institution provides a short-form initial privacy notice according to §6(d)(1), does the short-form initial notice:

a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]

   
b. state that the institution’s full privacy notice is available upon request; [§6(d)(2)(ii)] and

   
c. explain a reasonable means by which the consumer may obtain the notice? [§6(d)(2)(iii)]

NOTE: the institution is not required to deliver the full privacy notice with the short-form initial notice. [§6(d)(3)]

   
17. Does the institution provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as:

a. a toll-free telephone number that the consumer may call to request the notice; [§6(d)(4)(i)] or

   
b. for the consumer who conducts business in person at the institution’s office, having copies available to provide immediately by hand-delivery? [§6(d)(4)(ii)]

   
18. If the institution, in its privacy policies, reserves the right to disclose nonpublic personal information to nonaffiliated third parties in the future, does the privacy notice include, as applicable, the:

a. categories of nonpublic personal information that the financial institution reserves the right to disclose in the future, but does not currently disclose; [§6(e)(1)] and

   
b. categories of affiliates or nonaffiliated third parties to whom the financial institution reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal information? [§6(e)(2)]

   
Opt Out Notice
19. If the institution discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under §§13-15 do not apply, does the institution provide the consumer with a clear and conspicuous opt out notice that accurately explains the right to opt out? [§7(a)(1)]

20. Does the opt out notice state:

a. that the institution discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party; [§7(a)(1)(i)]

   
b. that the consumer has the right to opt out of that disclosure; [§7(a)(1)(ii)] and

   
c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]

   
21. Does the institution provide the consumer with the following information about the right to opt out:

a. all the categories of nonpublic personal information that the institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]

   
b. all the categories of nonaffiliated third parties to whom the information is disclosed; [§7(a)(2)(i)(A)];

   
c. that the consumer has the right to opt out of the disclosure of that information; [§7(a)(2)(i)(A)] and

   
d. the financial products or services that the consumer obtains to which the opt out direction would apply? [§7(a)(2)(i)(B)]

   
22. Does the institution provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means:

a. check-off boxes prominently displayed on the relevant forms with the opt out notice; [§7(a)(2)(ii)(A)]

   
b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]

   
c. an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the institution’s web site, if the consumer agrees to the electronic delivery of information; [§7(a)(2)(ii)(C)] or

   
d. a toll-free telephone number? [§7(a)(2)(ii)(D)]

NOTE: the institution may require the consumer to use one specific means, as long as that means is reasonable for that consumer. [§7(a)(2)(iv)]

   
23. If the institution delivers the opt out notice after the initial notice, does the institution provide the initial notice once again with the opt out notice? [§7(c)]

   
24. Does the institution provide an opt out notice, explaining how the institution will treat opt out directions by the joint consumers, to at least one party in a joint consumer relationship? [§7(d)(1)]

   
25. Does the institution permit each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]

   
26. Does the opt out notice to joint consumers state that either:

a. the institution will consider an opt out by a joint consumer as applying to all associated joint consumers; [§7(d)(2)(i)] or

   
b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]

   
27. If each joint consumer may opt out separately, does the institution permit:

a. one joint consumer to opt out on behalf of all of the joint consumers; [§7(d)(3)]

   
b. the joint consumers to notify the institution in a single response; [§7(d)(5)] and

   
c. each joint consumer to opt out either for himself or herself, and/or for another joint consumer? [§7(d)(5)]

   
28. Does the institution refrain from requiring all joint consumers to opt out before implementing any opt out direction with respect to the joint account? [§7(d)(4)]

   
29. Does the institution comply with a consumer’s direction to opt out as soon as is reasonably practicable after receiving it? [§7(e)]

   
30. Does the institution allow the consumer to opt out at any time? [§7(f)]

   
31. Does the institution continue to honor the consumer’s opt out direction until revoked by the consumer in writing, or, if the consumer agrees, electronically? [§7(g)(1)]

   
32. When a customer relationship ends, does the institution continue to apply the customer’s opt out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that customer)? [§7(g)(2)]

   
Revised Notices
33. Except as permitted by §§13-15, does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as described in the initial privacy notice provided to the consumer, unless:

a. the institution has provided the consumer with a clear and conspicuous revised notice that accurately describes the institution’s privacy policies and practices; [§8(a)(1)] 

   
b. the institution has provided the consumer with a new opt out notice; [§8(a)(2)]

   
c. the institution has given the consumer a reasonable opportunity to opt out of the disclosure, before disclosing any information; [§8(a)(3)] and

   
d. the consumer has not opted out? [§8(a)(4)]

   
34. Does the institution deliver a revised privacy notice when it:

a. discloses a new category of nonpublic personal information to a nonaffiliated third party; [§8(b)(1)(i)]

   
b. discloses nonpublic personal information to a new category of nonaffiliated third party; [§8(b)(1)(ii)] or

   
c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? [§8(b)(1)(iii)]

NOTE: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [§8(b)(2)]

   
Delivery Methods
35. Does the institution deliver the privacy and opt out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? [§9(a)]

   
36. Does the institution use a reasonable means for delivering the notices, such as:

a. hand-delivery of a printed copy; [§9(b)(1)(i)]

   
b. mailing a printed copy to the last known address of the consumer; [§9(b)(1)(ii)]

   
c. for the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the institution’s electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; [§9(b)(1)(iii)] or

   
d. for isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the consumer to acknowledge receipt as a necessary step to obtaining the financial product or service? [§9(b)(1)(iv)]

NOTE: insufficient or unreasonable means of delivery include: exclusively oral notice, in person or by telephone; branch or office signs or generally published advertisements; and electronic mail to a customer who does not obtain products or services electronically. [§9(b)(2)(i) and (ii), and (d)]

   
37. For annual notices only, if the institution does not employ one of the methods described in question 36, does the institution employ one of the following reasonable means of delivering the notice such as:

a. for the customer who uses the institution’s web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; [§9(c)(1)] or

   
b. for the customer who has requested the institution refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon customer request? [§9(c)(2)]

   
38. For customers only, does the institution ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? [§9(e)(1)]

   
39. Does the institution use an appropriate means to ensure that notices may be retained or obtained later, such as:

a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]

   
b. mailing a printed copy to the last known address of the customer; [§9(e)(2)(ii)] or

   
c. making the current privacy notice available on the institution’s web site (or via a link to the notice at another site) for the customer who agrees to receive the notice at the web site? [§9(e)(2)(iii)]

   
40. Does the institution provide at least one initial, annual, and revised notice, as applicable, to joint consumers? [§9(g)]

   

Examination Checklist — Subpart B
Limits on Disclosure to Nonaffiliated Third Parties
41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§13-15, unless:

a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]

b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]

c. it has given the consumer a reasonable opportunity to opt out before the disclosure; [§10(a)(1)(iii)] and

d. the consumer has not opted out? [§10(a)(1)(iv)]

NOTE: this disclosure limitation applies to consumers as well as to customers [§10(b)(1)], and to all nonpublic personal information regardless of whether collected before or after receiving an opt out direction. [§10(b)(2)]

   
42. Does the institution provide the consumer with a reasonable opportunity to opt out, such as by:

a. mailing the notices required by §10 and allowing the consumer to respond by toll-free telephone number, return mail, or other reasonable means (see question 22) within 30 days from the date mailed; [§10(a)(3)(i)]

b. where the consumer opens an on-line account with the institution and agrees to receive the notices required by §10 electronically, allowing the consumer to opt out by any reasonable means (see question 22) within 30 days from consumer acknowledgement of receipt of the notice in conjunction with opening the account; [§10(a)(3)(ii)] or

c. for isolated transactions, providing the notices required by §10 at the time of the transaction and requesting that the consumer decide, as a necessary part of the transaction, whether to opt out before the completion of the transaction? [§10(a)(3)(iii)]

43. Does the institution allow the consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out? [§10(c)]

NOTE: an institution may allow partial opt outs in addition to, but may not allow them instead of, a comprehensive opt out.

   
Limits on Redisclosure and Reuse of Information
44. If the institution receives information from a nonaffiliated financial institution under an exception in §14 or §15, does the institution refrain from using or disclosing the information except:

a. to disclose the information to the affiliates of the financial institution from which it received the information; [§11(a)(1)(i)]

b. to disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; [§11(a)(1)(ii)] and

c. to disclose and use the information pursuant to an exception in §14 or §15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? [§11(a)(1)(iii)]

NOTE: the disclosure or use described in section c of this question need not be directly related to the activity covered by the applicable exception. For instance, an institution receiving information for fraud-prevention purposes could provide the information to its auditors. But "in the ordinary course of business" does not include marketing. [§11(a)(2)]

   
45. If the institution receives information from a nonaffiliated financial institution other than under an exception in §14 or §15, does the institution refrain from disclosing the information except:

a. to the affiliates of the financial institution from which it received the information; [§11(b)(1)(i)]

b. to its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient institution; [§11(b)(1)(ii)] and

c. to any other person, if the disclosure would be lawful if made directly to that person by the institution from which the recipient institution received the information? [§11(b)(1)(iii)]

   
Limits on Sharing Account Number Information for Marketing Purposes
46. Does the institution refrain from disclosing, directly or through affiliates, account numbers or similar forms of access numbers or access codes for a consumer’s credit card account, deposit account, or transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing to the consumer, except:

a. to the institution’s agents or service providers solely to market the institution’s own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; [§12(b)(1)] or

b. to a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program? [§12(b)(2)]

NOTE: an "account number or similar form of access number or access code" does not include numbers in encrypted form, so long as the institution does not provide the recipient with a means of decryption. [§12(c)(1)] A transaction account does not include an account to which third parties cannot initiate charges. [§12(c)(2)]

   

Examination Checklist — Subpart C
Exception to Opt Out Requirements for Service Providers and Joint Marketing
47. If the institution discloses nonpublic personal information to a nonaffiliated third party without permitting the consumer to opt out, do the opt out requirements of §7 and §10, and the revised notice requirements in §8, not apply because:

a. the institution disclosed the information to a nonaffiliated third party who performs services for or functions on behalf of the institution (including joint marketing of financial products and services offered pursuant to a joint agreement as defined in paragraph (b) of §13); [§13(a)(1)]

b. the institution has provided consumers with the initial notice; [§13(a)(1)(i)] and

c. the institution has entered into a contract with that party prohibiting the party from disclosing or using the information except to carry out the purposes for which the information was disclosed, including use under an exception in §14 or §15 in the ordinary course of business to carry out those purposes? [§13(a)(1)(ii)]

   
Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions
48. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketing in §13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with:

a. servicing or processing a financial product or service requested or authorized by the consumer; [§14(a)(1)]

b. maintaining or servicing the consumer’s account with the institution or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; or [§14(a)(2)]

c. a proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? [§14(a)(3)]

   
49. If the institution uses a Section 14 exception as necessary to effect, administer, or enforce a transaction, is it:

a. required, or is one of the lawful or appropriate methods to enforce the rights of the institution or other persons engaged in carrying out the transaction or providing the product or service; [§14(b)(1)] or

b. required, or is a usual, appropriate, or acceptable method to: [§14(b)(2)]

i. carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer’s account in the ordinary course of business; [§14(b)(2)(i)]

ii. administer or service benefits or claims; [§14(b)(2)(ii)]

iii. confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer’s agent or broker; [§14(b)(2)(iii)]

iv. accrue or recognize incentives or bonuses; [§14(b)(2)(iv)]

v. underwrite insurance or for reinsurance or for certain other purposes related to a consumer’s insurance; [§14(b)(2)(v)] or

vi. in connection with:

(1) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; [§14(b)(2)(vi)(A)]

(2) the transfer of receivables, accounts or interests therein; [§14(b)(2)(vi)(B)] or

(3) the audit of debit, credit, or other payment information? [§14(b)(2)(vi)(C)]

   
Other Exceptions to Notice and Opt Out Requirements
50. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketers in §13, not apply because the institution makes the disclosure:

a. with the consent or at the direction of the consumer; [§15(a)(1)]

b.

i. to protect the confidentiality or security of records; [§15(a)(2)(i)]

ii. to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; [§15(a)(2)(ii)]

iii. for required institutional risk control or for resolving consumer disputes or inquiries; [§15(a)(2)(iii)]

iv. to persons holding a legal or beneficial interest relating to the consumer; [§15(a)(2)(iv)] or

v. to persons acting in a fiduciary or representative capacity on behalf of the consumer; [§15(a)(2)(v)]

c. to insurance rate advisory organizations, guaranty funds or agencies, agencies rating the institution, persons assessing compliance, and the institution’s attorneys, accountants, and auditors; [§15(a)(3)]

d. in compliance with the Right to Financial Privacy Act, or to law enforcement agencies; [§15(a)(4)]

e. to a consumer reporting agency in accordance with the FCRA or from a consumer report reported by a consumer reporting agency; [§15(a)(5)]

f. in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; [§15(a)(6)]

g. to comply with Federal, state, or local laws, rules, or legal requirements; [§15(a)(7)(i)]

h. to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; [§15(a)(7)(ii)] or

i. to respond to judicial process or government regulatory authorities having jurisdiction over the institution for examination, compliance, or other purposes as authorized by law? [§15(a)(7)(iii)]

NOTE: the regulation gives the following as an example of the exception described in section a of this question: "A consumer may specifically consent to [an institution’s] disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to [the institution] for a mortgage so that the insurance company can offer homeowner’s insurance to the consumer."

  

References
Listed below are links to several Privacy resources, including the official examination procedures and the examination job-aid.


FDIC Part 332: Privacy of Consumer Financial Information
http://www.fdic.gov/regulations/laws/rules/2000-5550.html


FIL 01-46: Examination Procedures
http://www.fdic.gov/news/news/inactivefinancial/2001/FIL0146.html


FDIC Legal Advisory Opinions
http://www.fdic.gov/regulations/laws/opinions/index.html


Press Release: Frequently Asked Questions for the Privacy Regulation
http://www.fdic.gov/news/news/press/2001/pr9301a.html


DSC RD Memo 03-2001: Privacy Rule Handbook
http://www.fdic.gov/news/news/financial/2001/fil0103.html



Job Aids

Examination Job Aid
http://fdic01/division/dsc/compliance/privacy/PrivacyComplianceJobAid.htm


FDIC Staff Response to Questions Regarding the Privacy of Consumer Financial Information
http://fdic01/division/dsc/compliance/privacy/FDICStaffQA71101.html




Children’s Online Privacy Protection Act (COPPA) 4
Introduction
COPPA was enacted to prohibit unfair and deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children under the age of 13 in an online environment. Generally, the Act requires operators of Web sites or online services directed to children, or that have actual knowledge that they are collecting or maintaining personal information from children online, to provide certain notices and obtain parental consent to collect, use, or disclose information about children. The FDIC is granted enforcement authority under the Act. Federal Trade Commission regulations (16 CFR 312) that implement COPPA became effective April 21, 2000.

Examiners should consider conducting a compliance review using these procedures only when an institution is operating a Web site or online service directed to children that collects or maintains personal information about children, or operating a general audience Web site or online service and knowingly collecting or maintaining personal information from a child online.

Examination Objectives
  1. To determine that reliance can be placed on a financial institution’s compliance management policies, internal controls, and procedures for ensuring the institution’s compliance with the COPPA regulation.
  2. To require effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.
Examination Procedures
  1. Determine whether the institution operates a Web site or online service directed to children that collects or maintains personal information about them, or operates a general audience Web site or online service and knowingly collects or maintains personal information from a child online.
  2. If the financial institution does not operate a Web site or online service directed to children that collects or maintains personal information about them, and does not knowingly collect or maintain personal information from a child online, it is not subject to COPPA. No further examination is necessary.
  3. If the financial institution does operate a Web site or online service directed to children that collects or maintains personal information about them, or knowingly collects or maintains personal information from a child online, it is subject to COPPA. Continue with step 4 below.
  4. Determine whether the institution participates in an FTC-approved, self-regulatory program. If it does, no further examination is necessary. If it does not participate in such a program, continue with the procedures below.
  5. Assess the quality of the institution’s compliance risk management by determining whether procedures and controls ensure compliance with COPPA. Consider the following, as they pertain to COPPA:
    1. Knowledge level of management and staff;
    2. Board of Directors adoption, and management implementation, of policies and procedures;
    3. Adequacy of the institution’s training program;
    4. Frequency of compliance monitoring;
    5. Effectiveness of the compliance audit program to detect and correct compliance deficiencies; and
    6. Appropriate and timely handling of consumer complaints.
  6. Identify any weaknesses in compliance management policies, procedures, or controls, and the areas and level of risk associated with the institution’s Web site or online service subject to COPPA.
  7. Formulate conclusions.
    1. Summarize all findings, and describe the general assessment of the quality of the institution’s compliance management program for implementing COPPA.
    2. Discuss findings with management and obtain a commitment for corrective action, as necessary.
References

Statute: Children’s Online Privacy Protection Act
http://www.ftc.gov/ogc/coppa1.pdf


Regulation: Children’s Online Privacy Protection Rule
http://www.ftc.gov/os/1999/10/64fr59888.htm




Right to Financial Privacy Act
Introduction
The 1978 Right to Financial Privacy Act (RFPA) establishes specific procedures that federal government authorities must follow in order to obtain information from a financial institution about a customer’s financial records. Generally, these requirements include obtaining subpoenas, notifying the customer of the request, and providing the customer with an opportunity to object. The Act imposes related limitations and duties on financial institutions prior to the release of information requested by federal authorities. For purposes of RFPA, a customer is defined as any person or representative of that person who utilized or is utilizing any service of a financial institution, or for whom a financial institution is acting or has acted as a fiduciary, in relation to an account maintained in the person’s name. "Person" is defined by the RFPA as an individual or a partnership of five or fewer individuals. Therefore, restrictions in the Act do not apply to the financial records of corporations or partnerships with six or more partners. The RFPA has been amended several times, most recently in 2001, to permit greater access without customer notice to customer information requested for criminal law enforcement purposes and for certain intelligence activities.

Examination Objective
The objective of the examination is to ensure that the financial institution has procedures in place to ensure compliance with the RFPA, and to test whether its practices conform to RFPA.

Examination Procedures
  1. Determine whether the financial institution has established procedures and internal controls for fulfilling requests by government authorities for a customer’s financial records to ensure that all requests are handled in compliance with the Act. (Section 1100)
  2. Determine whether the financial institution has received any requests covered by the RFPA for a customer’s financial records since the last compliance examination. (1103, 1105, 1106, 1107, 1108, 1114)

    NOTE: RFPA does not apply to prohibit or limit the FDIC’s disclosure of financial information to state authorities, including banking, law enforcement and other state agencies such as appraisal certification boards.

    NOTE: RFPA does not prohibit the FDIC from providing DOJ with "raw" CRA census-tract data from banks’ annual CRA reports even if DOJ used the CRA data to assist in enforcing anti-trust or other public laws. The FDIC should furnish DOJ with "raw" CRA data only in conjunction or consultation with the other federal banking agencies.

    If the financial institution has received such requests since the last compliance examination:
  3. Determine whether the financial institution provided a customer’s financial records to government authorities only after receiving the proper written certification. (1105, 1106, 1107, 1108)
  4. Determine whether internal procedures require that the financial institution refrain from requiring a customer’s authorization for disclosure of financial records as a condition of doing business. (1103(d)(2) and 1104(b))
  5. Determine whether the financial institution keeps appropriate records of instances when a customer’s records are disclosed to the government authority upon authorization by the customer, including a copy of the request and the identity of the government authority. (1104(c) and 1113(h)(6))
  6. Determine whether the financial institution provides the customer a copy of the records upon request (unless a court order has been obtained blocking such access). (1104(c) and 1113(h)(6))
  7. Determine whether the financial institution maintains appropriate records of all disclosures of a customer’s records made to a government authority in connection with a government loan, guaranty, or insurance program.
  8. Determine whether the financial institution allows a customer to examine these records upon request. (1113(h)(6))
References

Right to Financial Privacy Act of 1978: 12 USC §§3401 – 3422
http://www.fdic.gov/regulations/laws/rules/6500-2550.html#6500firaircao1978


Job Aids
The following is a workpaper template and instructions for its use.

General Instructions for Workpapers
  1. Enter requested information on worksheet(s). If information is not available or disclosure is not applicable, enter "N/A."
  2. Use the Comments and Violations Section:
    • For apparent violations (for example, subsequent disclosures were not provided, etc.).
    • Any issues requiring additional comments or review/ follow-up.
Clearly state violations. Highlight or mark in red for easy reference.

NOTE: Document only those instances where violations or issues worthy of comment are present.

Right to Financial Privacy Worksheet
  1. Enter the financial institution’s:
    • Name
    • Cert. #
    • Branch
    • Examination date
    • Examiner-in-Charge
    • Name of the individual who actually completes the workpaper
  2. Enter the name of the customer.
  3. Enter the types of accounts involved in the Federal government request, for example, loan, deposit, etc.
  4. Identify the Federal government authority involved in the request.
  5. Identify whether financial information was given out by customer authorization and the bank maintains the required information for customer review when allowed.
  6. Indicate whether the financial institution had proper written certification from Federal government authorities prior to releasing financial information.
Examination Worksheet—Right to Financial Privacy
Bank:
Exam Date:
EIC:
Branch:
Prepared by:
Cert#:

Worksheet columns: Customer | Accounts | Government Involved | Cust. Authority | Agency Authority | Comments & Violations



Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 5
Introduction
Under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM or Act),6 the Federal Trade Commission (FTC) is charged with issuing regulations for implementing CAN-SPAM.7 The FTC has issued regulations, effective as of March 28, 2005, that provide criteria to determine the primary purpose of electronic mail (e-mail) messages. The FTC has also issued regulations that contain criteria pertaining to warning labels on sexually oriented materials, which became effective as of May 19, 2004.

The goals of the act are to:
  • Reduce spam and unsolicited pornography by prohibiting senders of unsolicited commercial e-mail messages from disguising the source and content of their messages.
  • Give consumers the choice to cease receiving a sender’s unsolicited commercial e-mail messages.
Compliance authority was expressly granted to the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Federal Reserve Board, and the Office of Thrift Supervision to be enforced under Section 8 of the Federal Deposit Insurance Act. The National Credit Union Association was granted authority through the Federal Credit Union Act 12 USC 1751.

The FTC has researched and determined that a "Do Not Spam" registry (similar to the highly effective "Do Not Call" registry) would not be effective or practicable at this time.

Key Definitions
"Affirmative Consent" (usage: commercial e-mail messages)

  • The recipient expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the recipient’s own initiative; and
  • If the message is from a party other than the party to which the recipient communicated such consent, the recipient was given clear and conspicuous notice at the time the consent was communicated that the recipient’s e-mail address could be transferred to such other party for the purpose of initiating commercial e-mail messages.
"Commercial E-mail Message" Any e-mail message the primary purpose of which is to advertise or promote for a commercial purpose, a commercial product or service (including content on the Internet). An e-mail message would not be considered to be a commercial e-mail message solely because such message includes a reference to a commercial entity that serves to identify the sender or a reference or link to an Internet Web site operated for a commercial purpose.

"Dictionary Attacks" Obtaining e-mail addresses by using an automated means that generates possible e-mail addresses by combining names, letters, or numbers into numerous permutations.

"Harvesting" Obtaining e-mail addresses using an automated means from an Internet Web site or proprietary online service operated by another person, where such service/person, at the time the address was obtained, had provided a notice stating that the operator of such Web site or online service would not give, sell, or otherwise transfer electronic addresses.

"Header Information" The source, destination, and routing information attached to the beginning of an e-mail message, including the originating domain name and originating e-mail address.

"Hijacking" The use of automated means to register for multiple e-mail accounts or online user accounts from which to transmit, or enable another person to transmit, a commercial e-mail message that is unlawful.

"Initiate" To originate, transmit or to procure the origination or transmission of such message but shall not include actions that constitute routine conveyance. For purposes of the Act, more than one person may be considered to have initiated the same message.

"Primary Purpose" The FTC’s regulations provide further clarification regarding determination of whether an e-mail message has "commercial" promotion as its primary purpose. [16 CFR 316.3]
  1. The primary purpose of an e-mail message will be deemed to be commercial if it contains only the commercial advertisement or promotion of a commercial product or service (commercial content);
  2. The primary purpose of an e-mail message will be deemed to be commercial if it contains both commercial content and "transactional or relationship" content (see below for definition) and either:
    • a recipient reasonably interpreting the subject line of the e-mail message would likely conclude that the message contains commercial content; or
    • the e-mail message’s "transactional or relationship" content does not appear in whole or substantial part at the beginning of the body of the message.
  3. The primary purpose of an e-mail message will be deemed to be commercial if it contains both commercial content and content that is not transactional or relationship content, and a recipient reasonably interpreting either:
    • the subject line of the e-mail message would likely conclude that the message contains commercial content; or
    • the body of the message would likely conclude that the primary purpose of the message is commercial.
  4. The primary purpose of an e-mail message will be deemed to be transactional or relationship (non-commercial) if it contains only "transactional or relationship" content.

"Protected Computer" A computer:

  • Exclusively for the use of a financial institution or the United States government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States government and the conduct constituting the offense affects that use by or for the financial institution or the government; or
  • Which is used in interstate or foreign commerce or communication.
"Recipient" An authorized user of the electronic mail address to which the message was sent or delivered.

"Sender" A person who initiates an e-mail message and whose product, service, or Internet Web site is advertised or promoted by the message.

"Sexually Oriented Material" Any material that depicts sexually explicit conduct unless the depiction constitutes a small and insignificant part of the whole.

"Transactional or Relationship E-mail Message" An e-mail message with the primary purpose of facilitating, completing or confirming a commercial transaction that the recipient had previously agreed to enter into; to provide warranty, product recall, or safety or security information; or subscription, membership, account, loan, or other information relating to an ongoing purchase or use.

General Requirements of the CAN-SPAM Statute:
  • Prohibits the use of false or misleading transmission information [§7704(a)(1)] such as:
    - False or misleading header information;
    - A "from" line that does not accurately identify any person who initiated the message; and
    - Inaccurate or misleading identification of a protected computer used to initiate the message because the person initiating the message knowingly uses another protected computer to relay or retransmit the message for purposes of disguising its origin.
  • Prohibits the use of deceptive subject headings. [§7704(a)(2)]
  • Requires a functioning e-mail return address or other Internet-based response mechanism. [§7704(a)(3)]
  • Requires that commercial e-mail messages be discontinued within 10 business days after receipt of opt-out notification from recipient. [§7704(a)(4)]
  • Requires a clear and conspicuous identification that the message is an advertisement or solicitation; clear and conspicuous notice of the opportunity to decline to receive further commercial e-mail messages from the sender; and a valid physical postal address of the sender. [§7704(a)(5)]
  • Prohibits address harvesting (obtaining e-mail addresses using an automated means from an Internet Web site or proprietary online service operated by another person, where such service/person, at the time the address was obtained, had provided a notice stating that the operator of such Web site or online service will not give, sell, or otherwise transfer electronic addresses) and dictionary attacks (obtaining e-mail addresses by using an automated means that generates possible e-mail addresses by combining names, letters, or numbers into numerous permutations). [§7704(b)(1)]
  • Prohibits hijacking, the use of automated means to register for multiple e-mail accounts or online user accounts from which to transmit, or enable another person to transmit, a commercial e-mail message that is unlawful. [§7704(b)(2)]
  • Prohibits any person from knowingly relaying or retransmitting a commercial e-mail message that is unlawful. [§7704(b)(3)]
  • Requires warning labels (in the subject line and within the message body) on commercial e-mail messages containing sexually oriented material. [§7704(d)]
  • Prohibits a person from promoting, or allowing the promotion of, that person’s trade or business, or goods, products, property, or services in an unlawful commercial e-mail message. [§7705(a)]
Examination Objectives:
  1. Assess the quality of a financial institution’s compliance program for implementing CAN-SPAM by reviewing the appropriate policies and procedures and other internal controls.
  2. Determine the reliance that can be placed on a financial institution’s audit or compliance review in monitoring the institution’s compliance with CAN-SPAM.
  3. Determine a financial institution’s compliance with CAN-SPAM.
  4. Initiate effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.
Examination Procedures
Initial Procedures
  1. Through discussions with appropriate management officials, determine whether or not management has considered the applicability of CAN-SPAM and what, if any, steps have been taken to ensure current and future compliance.
  2. Through discussions with appropriate management officials, ascertain whether the financial institution is subject to CAN-SPAM by determining whether the financial institution initiates e-mail messages whose primary purpose is "commercial."

    Stop here if the financial institution does not initiate "commercial" electronic mail. The financial institution is not subject to CAN-SPAM, and no further examination for CAN-SPAM is necessary.
  3. Determine, through a review of available information, whether the financial institution’s internal controls are adequate to ensure compliance with CAN-SPAM. Consider the following:
    • Organization chart to determine who is responsible for the financial institution’s compliance with CAN-SPAM;
    • Process flow charts to determine how the financial institution’s CAN-SPAM compliance is planned for, evaluated, and achieved;
    • Policies and procedures;
    • Marketing plans that reflect electronic communication strategies; and
    • Internal checklists, worksheets, and other relevant documents.
  4. Review applicable audit and compliance review material, including work papers, checklists, and reports, to determine whether:
    • Procedures address CAN-SPAM provisions applicable to the institution;
    • Effective corrective action occurred in response to previously identified deficiencies;
    • Audits and reviews performed were reasonable and accurate;
    • Deficiencies, their causes, and the effective corrective actions are consistently reported to management or the members of the board of directors; and
    • Frequency of the compliance review is satisfactory.
  5. Review a sample of complaints to determine whether or not any potential violations of CAN-SPAM exist.
  6. Based on the review of complaints that pertain to aspects of CAN-SPAM, revise the scope of examination focusing on the areas of particular risk. The verification procedures to be employed depend upon the adequacy of the institution’s compliance program and level of risk identified.
Verification Procedures
  1. Obtain a list of products or services that the financial institution has promoted with e-mail.
  2. Obtain a sample of the e-mail messages to determine whether those messages had "commercial" promotion as their primary purpose.
  3. Through review of e-mail messages whose primary purpose is "commercial," verify that the messages comply with the CAN-SPAM provisions:
    1. Do not use false or misleading transmission information [§7704(a)(1)] such as:
      • False or misleading header information;
      • A "from" line that does not accurately identify any person who initiated the message; and
      • Inaccurate or misleading identification of a protected computer used to initiate the message.
    2. Do not use deceptive subject headings. [§7704(a)(2)]
    3. Provide a functioning e-mail return address or other Internet-based response mechanism. [§7704(a)(3)]
    4. Provide a clear and conspicuous identification that the message is an advertisement or solicitation; clear and conspicuous notice of the opportunity to decline to receive further commercial e-mail messages from the sender; and a valid physical postal address of the sender. [§7704(a)(5)] Note: this provision does not apply to a commercial e-mail message if the recipient has given prior affirmative consent to receipt of the message.
    5. Do not reflect address harvesting, hijacking, or dictionary attacks. [Section 7704(b)(1, 2)]
    6. Provide a warning label (in the subject and within the message body) on commercial e-mail messages containing sexually oriented material. [Section 7704(d)]
  4. Review any customer requests to opt out of receiving any additional e-mail messages from the institution. [Section 7704(a)(4)] Confirm that there are controls in place to discontinue commercial e-mail messages within 10 business days of receipt of opt-out notification.
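The verification items above can be scripted so an examiner can run them over a sample of messages before reading them by hand. The following Python is an added example written for this page; it is not part of the handbook or of any agency examination tool. It parses a message with the standard library's email module, applies the checks of items 3 and 4, and computes the 10-business-day opt-out deadline. The sending domain, the postal address, the keyword lists and the two sample messages are constructed assumptions; the business-day count skips weekends only and ignores federal holidays; and the keyword matching is a first-pass filter that still needs examiner review, not a legal determination.

```python
"""Added example (not from the handbook): checks one commercial e-mail against the
CAN-SPAM verification items above and computes the 10-business-day opt-out deadline."""
from __future__ import annotations

import email
from datetime import date, timedelta
from email.message import Message
from email.utils import parseaddr

# Assumed for this example: the institution's sending domain and the postal address it
# prints in every commercial message. Both are constructed values.
SENDER_DOMAIN = "example-bank.test"
POSTAL_ADDRESS = "100 Main Street, Anytown, ST 00000"

OPT_OUT_HINTS = ("unsubscribe", "opt out", "opt-out", "decline to receive")
AD_HINTS = ("advertisement", "solicitation", "promotional")
FAKE_REPLY_PREFIXES = ("re:", "fwd:", "fw:")
ALERT_PHRASES = ("your account has been", "verify your account")
SEXUAL_LABEL = "SEXUALLY-EXPLICIT:"  # label the FTC prescribes for 7704(d) messages (16 CFR 316.1)


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw: str, prior_consent: bool = False, sexually_oriented: bool = False) -> list[str]:
    """Return one finding per verification item the message fails; an empty list means no finding."""
    msg = email.message_from_string(raw)
    body = _body_text(msg).lower()
    subject = msg.get("Subject", "").strip()
    findings: list[str] = []

    # 7704(a)(1): the "from" line must identify a person who actually initiated the message;
    # for this example that means an address at the institution's own domain.
    _, addr = parseaddr(msg.get("From", ""))
    if not addr.lower().endswith("@" + SENDER_DOMAIN):
        findings.append("7704(a)(1): from line does not identify the initiating institution")

    # 7704(a)(1): Received headers are prepended hop by hop, so the last one is the first hop;
    # a first hop that is not an institution host suggests a relay used to disguise the origin.
    received = msg.get_all("Received", [])
    if received and SENDER_DOMAIN not in received[-1]:
        findings.append("7704(a)(1): originating relay is not an institution host")

    # 7704(a)(2): a subject posing as a reply or an account alert is deceptive for an advertisement.
    low_subject = subject.lower()
    if not subject or low_subject.startswith(FAKE_REPLY_PREFIXES) or any(p in low_subject for p in ALERT_PHRASES):
        findings.append("7704(a)(2): missing or deceptive subject heading")

    # 7704(a)(3) and (a)(5): an opt-out mechanism, as a List-Unsubscribe header or in the text.
    if not msg.get("List-Unsubscribe") and not any(h in body for h in OPT_OUT_HINTS):
        findings.append("7704(a)(3)/(a)(5): no opt-out mechanism or notice")

    # 7704(a)(5): identification as an advertisement is waived only with prior affirmative consent;
    # the postal address is required either way.
    if not prior_consent and not any(h in body for h in AD_HINTS):
        findings.append("7704(a)(5): not identified as an advertisement or solicitation")
    if POSTAL_ADDRESS.lower() not in body:
        findings.append("7704(a)(5): valid physical postal address not present")

    # 7704(d): sexually oriented material must carry the warning label in the subject line.
    if sexually_oriented and not subject.startswith(SEXUAL_LABEL):
        findings.append("7704(d): warning label missing from subject line")
    return findings


def opt_out_deadline(received_on: date) -> date:
    """Last day on which further commercial messages may still be sent: ten business days
    after the opt-out request (weekends excluded; federal holidays are ignored here)."""
    d, remaining = received_on, 10
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d


def late_sends(opt_out_received_on: date, send_dates: list[date]) -> list[date]:
    """Commercial messages sent to the recipient after the deadline, i.e. 7704(a)(4) findings."""
    deadline = opt_out_deadline(opt_out_received_on)
    return sorted(d for d in send_dates if d > deadline)


# Constructed sample messages (not real mail).
SAMPLE_COMPLIANT = """\
Received: from mail.example-bank.test ([192.0.2.10]) by mx.recipient.test
From: Example Bank Marketing <offers@example-bank.test>
To: customer@recipient.test
Subject: New savings account rates for March
List-Unsubscribe: <mailto:unsubscribe@example-bank.test>

This advertisement is from Example Bank. To stop receiving these offers,
reply to unsubscribe@example-bank.test.
Example Bank, 100 Main Street, Anytown, ST 00000
"""

SAMPLE_NONCOMPLIANT = """\
Received: from unknown (203.0.113.7) by mx.recipient.test
From: "Account Services" <alerts@mail-relay.invalid>
To: customer@recipient.test
Subject: Re: your account has been updated

Great rates on a new loan. Click here today.
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_NONCOMPLIANT):
        print(finding)
```

Running the block prints six findings for the second message (disguised relay and sender, a subject posing as a reply, no opt-out, no advertisement identification, no postal address) and none for the first; `late_sends` flags any send after the computed deadline for an opt-out request on a given date.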
Conclusions
  1. Summarize all findings, supervisory concerns, and regulatory violations.
  2. For the violation(s), determine the root cause by identifying weaknesses in internal controls, audit and compliance reviews, training, management oversight, or other factors; also, determine whether the violation(s) are repetitive or systemic.
  3. Identify action needed to correct violations and weaknesses in the institution’s compliance program.
  4. Discuss findings with the institution’s management and obtain a commitment for corrective action.
  5. Record violations according to agency policy to facilitate analysis and reporting.
References
Federal Trade Commission Resources

Consumer Website on SPAM Issues
http://www.ftc.gov/bcp/conline/edcams/spam/index.html


Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ187.108.pdf


Job Aids
CAN-SPAM Examination Worksheet
This worksheet can be used to review audit work papers, to evaluate bank policies, to perform transaction testing, and to train as appropriate. Complete only those aspects of the worksheet that specifically relate to the issue being reviewed, evaluated, or tested, and retain those completed sections in the work papers.

Examination Worksheet—CAN-SPAM (record Yes or No for each item)

1. Does the financial institution initiate e-mail messages where the primary purpose is “commercial?” If No, stop here. If Yes, continue to question #2.

For the questions below, every “No” answer indicates a potential violation of the regulation and/or an internal control deficiency that must be explained fully in the work papers.

Prohibition Against Misleading Information
2. In the sending of commercial e-mail messages, does the financial institution prohibit the following: [15 USC 7704(a)(1)]
• Use of false or misleading header information in commercial e-mail messages.
• Use of a “from” line that does not accurately identify the sender.
• Inaccurate or misleading identification of a protected computer to send commercial e-mail messages in order to disguise the e-mail message’s origin.
3. Does the financial institution prohibit the use of deceptive or misleading headings in the subject line of commercial e-mail messages? [15 USC 7704(a)(2)]
4. Does the financial institution use a functioning e-mail return address or other response mechanism to which consumers can reply or opt out of receiving future commercial e-mail messages? [15 USC 7704(a)(3)]
• Are these mechanisms displayed in a clear and conspicuous manner?

Opt-Out Provisions
5. Does the financial institution prohibit future transmissions of commercial e-mail messages within 10 business days of receiving the opt-out request? [15 USC 7704(a)(4)]

Clear and Conspicuous Identification
6. Does the financial institution’s commercial e-mail message provide the following information clearly and conspicuously: [15 USC 7704(a)(5)]
• Identification that the e-mail message is an advertisement or solicitation. NOTE: This provision does not apply to a commercial e-mail message if the recipient has given prior affirmative consent to receipt of the message.
• A notice of the option to decline further commercial e-mail messages from the sender.
• A valid physical postal address of the sender.

Transmission of Commercial E-mail Messages
7. Does the financial institution prohibit the use of address harvesting or dictionary attacks as a means of obtaining consumer e-mail addresses? [15 USC 7704(b)(1)]
8. Does the financial institution prohibit the automated creation of multiple e-mail accounts or online accounts that falsify e-mail message identification and transmit unlawful commercial e-mail messages? [15 USC 7704(b)(2)]
9. Does the financial institution prevent the transmission of unlawful commercial e-mail messages by persons who access financial institution computers or computer network systems without authorization? [15 USC 7704(b)(3)]

Sexually Oriented Material
10. Does the financial institution refrain from transmitting sexually oriented material in commercial e-mail messages without warning labels in the subject line and message body? [15 USC 7704(d)]


Telephone Consumer Protection Act 8
Introduction
The Federal Communications Commission (FCC) has issued regulations that establish a national "Do-Not-Call" registry and other modifications to the Telephone Consumer Protection Act of 1991 (TCPA) 9. The FCC regulations impose financial penalties on all commercial telemarketers for calling phone numbers on the "Do-Not-Call" registry. For those numbers not on the registry, the regulations set a maximum rate on the number of abandoned calls and require telemarketers to transmit caller ID information. The regulations also modify the FCC’s unsolicited facsimile advertising requirements, which in turn were modified by the Junk Fax Prevention Act of 2005 and became effective on July 9, 2005. The FCC regulations were, generally, effective as of October 1, 2003.

The FCC regulation expanded coverage of the national "Do-Not-Call" registry 10 by including banks, insurance companies, credit unions, and savings associations. The Federal Trade Commission’s (FTC) telemarketing regulations parallel the FCC regulations 11 and apply to all other business entities, including third parties acting as agent or on behalf of a financial institution.

Key Definitions:
"Abandoned Call" A telephone call that is not transferred to a live sales agent within two seconds of the recipient’s completed greeting.

"Automatic Telephone Dialing System and Autodialer" Equipment that has the capacity to store or produce telephone numbers to be called using a random or sequential number generator and the capability to dial such numbers.

"Established Business Relationship" A prior or existing relationship between a person or entity and a residential subscriber based on the subscriber’s purchase or transaction with the entity within the 18 months immediately preceding the date of the telephone call or on the basis of the subscriber’s inquiry or application regarding products or services offered by the entity within the three months immediately preceding the date of the call, and neither party has previously terminated the relationship. An individual may reasonably expect that an affiliate is included in an established business relationship based on products offered or the identity of the affiliate.

"Residential Subscriber" An individual who has contracted with a common carrier to provide telephone exchange service at a personal residence.

"Seller" The person or entity on whose behalf a telephone call or message is initiated for the purpose of encouraging purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.

"Telemarketer" The person or entity that initiates a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.

"Telemarketing" The initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.

"Telephone Solicitation" The initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person. Telephone solicitation does not include a call or message to any person with that person’s permission, to any person with whom the caller has an established business relationship, or on behalf of a tax-exempt nonprofit organization.

"Unsolicited Advertisement" Any material that advertises the commercial availability or quality of any property, goods, or services, which is transmitted to any person without that person’s prior express invitation or permission.

General Requirements of TCPA
The FCC regulations that implement the Telephone Consumer Protection Act of 1991 provide consumers with options to avoid unwanted telephone solicitations. The regulations address the following:
  • The FCC’s adoption of a national "Do-Not-Call" registry that expands coverage to entities regulated by the FTC. 12
  • Under the FCC’s rules, no seller or entity telemarketing on behalf of the seller can initiate a telephone solicitation to a residential telephone subscriber who has registered his or her telephone number on the national "Do-Not-Call" registry. A safe harbor exists for an inadvertent violation of this requirement if the telemarketer can demonstrate that the violation was an error and that its routine practices include:
    1. Written procedures.
    2. Training of personnel.
    3. Maintenance of a list of telephone numbers excluded from contact.
    4. Use of a version of the national "Do-Not Call" registry obtained no more than three months prior to the date any call is made (with records to document compliance).
    5. Process to ensure that it does not sell, rent, lease, purchase, or use the do-not-call database in any manner except in compliance with regulations. [47 CFR 64.1200(c)(2)(i)]
  • Companies must maintain company-specific do-not-call lists reflecting the names of customers with established business relationships who have requested to be excluded from telemarketing. Such requests must be honored for five years. [47 CFR 64.1200(d)(6)]
  • Telemarketing calls can only be made between the hours of 8 a.m. and 9 p.m. (local time at the called party’s location). [47 CFR 64.1200(c)(1)]
  • All telemarketers must comply with limits on "abandoned calls" and employ other consumer-friendly practices when using automated telephone-dialing equipment. A telemarketer must abandon no more than 3 percent of calls answered by a person, measured over a 30-day period, and must deliver a prerecorded identification message when abandoning a call. Two or more telephone lines of a multi-line business are not to be called simultaneously. Telemarketers must not disconnect an unanswered telemarketing call before at least 15 seconds or four rings have elapsed. All businesses that use autodialers to sell services must maintain records documenting compliance with call abandonment rules. [47 CFR 64.1200(a)(4, 5 and 6)]
  • All prerecorded messages, whether delivered by automated dialing equipment or not, must identify the name of the entity responsible for initiating the call, along with the telephone number of that entity that can be used during normal business hours to ask not to be called again. [47 CFR 64.1200(b)]
  • All telemarketers must transmit caller ID information, when available, and must refrain from blocking any such transmission(s) to the consumer. [47 CFR 64.1601(e)] 13
  • Unsolicited fax transmissions must be preceded by the advertiser’s receipt of the express written permission and signature of the intended recipient, unless there is an "existing business relationship." However, the express permission cannot be conveyed through the use of a "negative option." Businesses that advertise by fax are required to maintain records demonstrating that recipients have provided express permission to send fax advertisements or that there is an existing business relationship. [47 CFR 64.1200(a)(3) and 47 USC 227 as amended by the Junk Fax Prevention Act of 2005]
  • Tax-exempt nonprofit organizations are not required to comply with the do-not-call provisions of the TCPA. [47 CFR 64.1200(d)(7)]
Examination Objectives:
  1. Assess the quality of a financial institution’s compliance program for implementing TCPA by reviewing the appropriate policies, procedures, and other internal controls.
  2. Determine the reliance that can be placed on a financial institution’s audit or compliance review in monitoring the institution’s compliance with TCPA.
  3. Determine a financial institution’s compliance with TCPA.
  4. Initiate effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.
Examination Procedures
Initial Procedures
  1. Through discussions with appropriate management officials, determine whether or not management has considered the applicability of TCPA and what, if any, steps have been taken to ensure current and future compliance.
  2. Through discussions with appropriate management officials, ascertain whether the financial institution is subject to TCPA by determining whether it or a third-party telemarketing firm engages in any form of telephone solicitation.

    Stop here if the financial institution itself does not engage directly or indirectly through a third-party telemarketing firm, in any form of telephone solicitation via telephone or facsimile machine. The financial institution is not subject to TCPA, and no further examination for TCPA is necessary.


  3. Determine, through a review of available information, whether the financial institution’s internal controls are adequate to ensure compliance with TCPA. Consider the following:
    • Organization chart to determine who is responsible for the financial institution’s compliance with TCPA;
    • Process flow charts to determine how the financial institution’s TCPA compliance is planned for, evaluated, and achieved;
    • Policies and procedures that address:
      1. Recording a telephone subscriber’s request not to receive calls from a particular financial institution and the maintenance of those recordings for five years.
      2. Placement of the telephone subscriber’s name, if given, and telephone number on the financial institution’s do-not-call list.
      3. Maintenance of the list of telephone numbers that the financial institution may not contact.
      4. Compliance with the national do-not-call rules.
      5. Use of a telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine.
    • Training of the financial institution’s personnel engaged in telemarketing as to the existence and use of the financial institution’s do-not-call list and the national do-not-call rules; [47 CFR 64.1200(d)(2)]
    • Process for recording a telephone subscriber’s request not to receive calls and to place the subscriber’s name, if provided, and telephone number on a do-not-call list; [47 CFR 64.1200(d)(3)]
    • Process used to access the national do-not-call database; [47 CFR 64.1200(c)(2)(i)(D)]
    • Process to ensure that the financial institution (and any third-party engaged in making telemarketing calls on behalf of the financial institution) does not sell, rent, lease, purchase, or use the national do-not-call database for any purpose except for compliance with the TCPA; [47 CFR 64.1200(c)(2)(i)(E)]
    • Process to ensure that telemarketers making telemarketing calls are providing the called party with the name of the individual caller, the name of the financial institution on whose behalf the call is being made, and a telephone number (that is not a 900 number or a long distance number) or address at which the financial institution may be contacted; [47 CFR 64.1200(d)(4)] and
    • Internal checklists, worksheets, and other relevant documents.
  4. Review applicable audit and compliance review material, including work papers, checklists, and reports, to determine whether:
    • The procedures address the TCPA provisions applicable to the institution;
    • Effective corrective action occurred in response to previously identified deficiencies;
    • The audits and compliance reviews performed were reasonable and accurate;
    • Deficiencies, their causes, and the effective corrective actions are consistently reported to management or the members of the board of directors; and
    • The frequency of the compliance review is satisfactory.
  5. Review a sample of complaints to determine whether or not any potential violations of TCPA exist.
  6. Based on the review of complaints that pertain to aspects of TCPA, revise the scope of examination focusing on the areas of particular risk. The verification procedures to be employed depend upon the adequacy of the institution’s compliance program and level of risk identified.
Verification Procedures
  1. Obtain a list of marketing or promotional programs for products and services that the financial institution promoted with telemarketing either directly or through a third-party vendor.
  2. Obtain a sample of data or, through testing or management’s demonstration, for at least one program, determine whether:
    Do-Not-Call List
    • The institution or its third-party vendor verified whether the subscriber’s telephone number was listed on the national "Do-Not Call" registry. [47 CFR 64.1200(c)(2)]
    • If the telephone subscriber is on the national "Do-Not Call" registry and a telemarketing call is made, the existence of an established business relationship between the subscriber and the financial institution can be confirmed [47 CFR 64.1200(f)(3)] or the safe harbor conditions have been met. [47 CFR 64.1200(d)]
    • Through testing or management’s demonstration, verify that the financial institution has a process to determine whether it has an established business relationship with a telephone subscriber. [47 CFR 64.1200(f)(3)]
    • A telephone subscriber’s desire to be placed on a company-specific do-not-call list was honored for five years. [47 CFR 64.1200(d)(6)]
    • The institution or its third-party vendor employs a version of the national "Do-Not Call" registry or portions of the database for areas called that was obtained no more than three months prior to the call date (three-month process). [47 CFR 64.1200(c)(2)(i)(D)]
    • The institution or its third-party vendor maintains records to support the three-month process. [47 CFR 64.1200(c)(2)(i)(D)]
    • The telephone call was made between the hours of 8 a.m. and 9 p.m. local time for the called party’s location. [47 CFR 64.1200(c)(1)]
    Automated Dialing and Abandoned Calls
    • Any calls that were made using artificial or prerecorded voice messages to a residential telephone number met the requirements in 47 CFR 64.1200(a)(6)(i).
    • The name, telephone number, and purpose of the call were provided to the subscriber if the call was abandoned. [47 CFR 64.1200(a)(6)]
    • The institution or its third-party vendor maintains appropriate documentation of abandoned calls, sufficient to determine whether they exceed the 3 percent limit in the 30-day period reviewed. [47 CFR 64.1200(a)(6)]
    • The institution or its third-party vendor transmits caller identification information. [47 CFR 64.1601(e)]
  3. Ensure that the financial institution does not participate in any purchase-sharing arrangement for access to the national "Do-Not Call" registry. [47 CFR 64.1200(c)(2)(i)(E)]
  4. Observe call center operations, if appropriate, to verify abandoned call practices regarding ring duration and the two-second transfer rule. [47 CFR 64.1200(a)(6)]
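Most of the verification items above are record checks that can be run over a call log before the on-site observation. The following Python is an added example written for this page, not part of the handbook or of any agency tool; it applies the registry scrub, the established-business-relationship test (purchase within 18 months or inquiry within 3 months), the five-year company-specific list, the 8 a.m. to 9 p.m. called-party window, the three-month registry-age condition and the 3 percent abandonment limit to a constructed sample. The Call and Program records, the numbers and dates are assumptions; called-party zones are fixed UTC offsets to keep the example self-contained, whereas a production check should resolve the called party's IANA zone (zoneinfo) so daylight-saving changes are handled.

```python
"""Added example (not from the handbook): reviews a constructed telemarketing call log
against the TCPA verification items above."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta, timezone, tzinfo

ABANDON_LIMIT = 0.03                      # 64.1200(a)(6): at most 3 percent of live-answered calls
CALL_WINDOW = (time(8, 0), time(21, 0))   # 64.1200(c)(1): 8 a.m. to 9 p.m. called-party local time


@dataclass
class Call:
    number: str
    placed_at: datetime             # timezone-aware time the call was placed
    called_party_tz: tzinfo         # called party's local zone (fixed offsets here; use zoneinfo in practice)
    answered_live: bool
    abandoned: bool = False         # answered live but no agent within two seconds
    last_purchase: date | None = None   # most recent purchase or transaction with the institution
    last_inquiry: date | None = None    # most recent inquiry or application


@dataclass
class Program:
    registry_numbers: set[str]      # numbers present in the national Do-Not-Call registry version used
    registry_obtained: date         # date that registry version was downloaded
    company_dnc: dict[str, date] = field(default_factory=dict)  # number -> date of the subscriber's request


def months_before(d: date, months: int) -> date:
    """Calendar date `months` months before d, day clamped to the target month's length."""
    year, month0 = divmod(d.year * 12 + d.month - 1 - months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def local_date_time(call: Call) -> datetime:
    return call.placed_at.astimezone(call.called_party_tz)


def within_calling_hours(call: Call) -> bool:
    return CALL_WINDOW[0] <= local_date_time(call).time() < CALL_WINDOW[1]


def has_established_business_relationship(call: Call, on: date) -> bool:
    """Definition above: purchase within the 18 months, or inquiry within the 3 months, preceding the call."""
    if call.last_purchase and months_before(on, 18) <= call.last_purchase <= on:
        return True
    return bool(call.last_inquiry and months_before(on, 3) <= call.last_inquiry <= on)


def registry_is_current(obtained: date, on: date) -> bool:
    """Safe-harbor condition: the registry version was obtained no more than three months before the call."""
    return months_before(on, 3) <= obtained <= on


def abandon_rate(calls: list[Call]) -> float:
    """Fraction of live-answered calls that were abandoned; pass the calls of one 30-day period."""
    live = [c for c in calls if c.answered_live]
    return sum(c.abandoned for c in live) / len(live) if live else 0.0


def review_program(program: Program, calls: list[Call]) -> list[str]:
    """One finding per violated item; an empty list means the sample passed."""
    findings: list[str] = []
    for c in calls:
        on = local_date_time(c).date()
        if not within_calling_hours(c):
            findings.append(f"{c.number}: placed at {local_date_time(c):%H:%M} local, outside 8 a.m.-9 p.m. [64.1200(c)(1)]")
        if not registry_is_current(program.registry_obtained, on):
            findings.append(f"{c.number}: registry version older than three months at call date [64.1200(c)(2)(i)(D)]")
        requested = program.company_dnc.get(c.number)
        if requested and months_before(on, 60) <= requested <= on:
            findings.append(f"{c.number}: company-specific do-not-call request still in force (five years) [64.1200(d)(6)]")
        if c.number in program.registry_numbers and not has_established_business_relationship(c, on):
            findings.append(f"{c.number}: on national registry with no established business relationship [64.1200(c)(2)]")
    rate = abandon_rate(calls)
    if rate > ABANDON_LIMIT:
        findings.append(f"abandoned {rate:.1%} of live-answered calls, above the 3 percent limit [64.1200(a)(6)]")
    return findings


# Constructed sample: one registry version, one company-specific request, four calls (not real data).
EST, CST, PST = (timezone(timedelta(hours=h)) for h in (-5, -6, -8))
SAMPLE_PROGRAM = Program(
    registry_numbers={"555-0102", "555-0103"},
    registry_obtained=date(2024, 1, 20),
    company_dnc={"555-0104": date(2021, 6, 1)},
)
SAMPLE_CALLS = [
    Call("555-0101", datetime(2024, 3, 5, 15, 0, tzinfo=timezone.utc), EST, answered_live=True),
    Call("555-0102", datetime(2024, 3, 5, 1, 30, tzinfo=timezone.utc), PST, answered_live=True,
         abandoned=True, last_purchase=date(2023, 12, 1)),
    Call("555-0103", datetime(2024, 3, 6, 3, 30, tzinfo=timezone.utc), CST, answered_live=False),
    Call("555-0104", datetime(2024, 3, 7, 14, 0, tzinfo=timezone.utc), EST, answered_live=True,
         last_purchase=date(2024, 1, 15)),
]

if __name__ == "__main__":
    for finding in review_program(SAMPLE_PROGRAM, SAMPLE_CALLS):
        print(finding)
```

On the sample the review reports four findings: the third call reaches a Central-time subscriber at 9:30 p.m. and is on the registry with no relationship, the fourth call goes to a number whose do-not-call request is still within five years even though the subscriber bought a product recently, and one abandoned call out of three live answers is far above 3 percent (a real review measures the rate over the whole 30-day period, where a single call moves it much less). The second call is on the registry but is excused by a purchase within the preceding 18 months.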
Conclusions
  1. Summarize all findings, supervisory concerns, and regulatory violations.
  2. For the violation(s), determine the root cause by identifying weaknesses in internal controls, audit and compliance reviews, training, management oversight, or other factors; also, determine whether the violation(s) are repetitive or systemic.
  3. Identify action needed to correct violations and weaknesses in the institution’s compliance program.
  4. Discuss findings with the institution’s management, and obtain a commitment for corrective action.
  5. Record violations according to agency policy to facilitate analysis and reporting.
References
Federal Trade Commission Resources

Do Not Call Website
http://www.ftc.gov/bcp/conline/edcams/donotcall/index.html

Telephone Disclosure and Dispute Resolution Act of 1992
http://www.law.cornell.edu/uscode/html/uscode15/usc_sup_01_15_10_83.html

Telemarketing and Consumer Fraud and Abuse Prevention Act
http://www.law.cornell.edu/uscode/html/uscode15/usc_sup_01_15_10_87.html

Telecommunication Act of 1996
http://www.law.cornell.edu/uscode/html/uscode15/usc_sec_15_00005714----000-.html

Do-Not-Call Implementation Act
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ010.108.pdf

Do-Not-Call Registry Act of 2003
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ082.108.pdf

Federal Communications Commission Resources
Do Not Call Registry
http://www.fcc.gov/cgb/donotcall/

Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991
http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-05-132A1.pdf

FCC Delays Effective Date for Rules Concerning Unsolicited Fax Advertisements
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-259689A1.pdf


Job Aids
Telephone Consumer Protection Act Worksheet
This worksheet can be used to review audit work papers, to evaluate bank policies, to perform transaction testing, and to train as appropriate. Complete only those aspects of the worksheet that specifically relate to the issue being reviewed, evaluated, or tested, and retain those completed sections in the work papers.

Examination Worksheet—Telephone Consumer Protection Act
Yes
No
1. Does the financial institution or any third party vendor engage in telemarketing activities on the financial institutions behalf?
If No, stop here. If Yes, continue to question #2.

   
For the questions below, every “No” answer indicates a potential violation of the regulation and/or an internal control deficiency that must be explained fully in the work papers.

   
Delivery Restrictions (47 CFR 64.1200)
2. The financial institution engaged in telemarketing is registered on the FTC’s Web site as a seller.

   
3. Each financial institution affiliate engaged in telemarketing also is registered on the FTC’s Web site and does not rely on the financial institution’s registration.

   
4. The financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) refrains from initiating any telephone call using an automatic telephone dialing system or an artificial or prerecorded voice to:

• A paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged. [47 CFR 64.1200(a)(1)]

   
• A residential line without the express prior consent of the called party. [47 CFR 64.1200(a)(2)]

   
5. The financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) refrains from using a telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine without an established business relationship or express written permission from the recipient. [47 USC 227 as amended by the Junk Fax Prevention Act of 2005]

   
6. The financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) refrains from using an automatic telephone dialing system in such a way that two or more telephone lines of a multi-line business are engaged simultaneously. [47 CFR 64.1200(a)(4)]

   
7. The financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) refrains from disconnecting an unanswered telemarketing call prior to at least 15 seconds or four rings. [47 CFR 64.1200(a)(5)]

   
8. The financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) refrains from abandoning more than 3 percent of all telemarketing calls that are answered live by a person, measured over a 30-day period. [47 CFR 64.1200(a)(6)]

   
9. For an abandoned call, the information provided is limited to the name and telephone number of the business, entity, or individual on whose behalf the call was placed and that the call was made for “telemarketing purposes.” [47 CFR 64.1200(a)(6)]

   
10. The financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) refrains from using any technology to dial any telephone number for determining whether the line is a facsimile or voice line. [47 CFR 64.1200(a)(7)]

   
11. If the financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) uses an automatic or prerecorded telephone message, determine whether: [47 CFR 64.1200(b)]

• At the beginning of the message, the business, individual, or other entity initiating the call is clearly identified.

   
• The name of the business responsible for initiating the call is stated.

   
• The name of the business responsible for initiating the call is registered with the appropriate regulatory authority.

   
• During the message, the telephone number for the business responsible for initiating the call is provided.

   
• The number provided is available during regular business hours.

   
12. The financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) initiates all calls to residential subscribers between the hours of 8 a.m. and 9 p.m. (local time of the called party’s location). [47 CFR 64.1200(c)(1)]

   
13. Prior to initiating any call, the financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) checks the national “Do-Not Call” registry to verify that the residential telephone subscriber’s number is not listed. [47 CFR 64.1200(c)(2)]

   
14. If the financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) calls a subscriber whose number appears on the “Do-Not Call” registry, does it meet one of the following criteria:

• It can demonstrate that the violation is the result of an error and that its routine business practices meet the minimum standards set forth in the regulation [47 CFR 64.1200(c)(2)(i)]

   
• It has the subscriber’s prior express invitation or permission evidenced by a signed, written agreement that includes a telephone number to which the calls may be placed. [47 CFR 64.1200(c)(2)(ii)]

   
• It has a personal relationship with the recipient of the call. [47 CFR 64.1200(c)(2)(iii)]

   
15. The financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) has a process to provide the called party with the following information:

• The name of the individual caller.

   
• The name of the person or entity on whose behalf the call is being made.

   
• A telephone number or address at which the entity may be contacted. [47 CFR 64.1200(d)(4)]

   
16. The financial institution has a process in place that considers whether an established business relationship should extend to an affiliate. [47 CFR 64.1200(f)(ii)]

17. The financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) maintains a do-not-call record listing callers’ requests not to receive further telemarketing calls. [47 CFR 64.1200(d)(6)]

18. The financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) honors a caller’s request not to receive telemarketing calls for five years from the time the request is made. [47 CFR 64.1200(d)(6)]

19. The financial institution (or third-party engaged in making telemarketing calls on the financial institution’s behalf) transmits caller identification information. [47 CFR 64.1601(e)]





Fair Credit Reporting Act 14
Introduction
The Fair Credit Reporting Act (FCRA) (15 USC §§1681-1681u) became effective on April 25, 1971. The FCRA is a part of a group of acts contained in the Federal Consumer Credit Protection Act (15 USC §1601 et seq.), such as the Truth in Lending Act and the Fair Debt Collection Practices Act. Congress subsequently passed the Consumer Credit Reporting Reform Act of 1996 (Pub. L. No. 104-208, 110 Stat. 3009-426), which substantially revised the FCRA. These revisions generally became effective on September 30, 1997. Minor amendments to the FCRA were made in 1997 and 1998. The Gramm-Leach-Bliley Act (Pub. L. No. 106-102, 113 Stat. 1338 (1999)) made additional changes, including provisions removing a previous statutory prohibition against conducting routine FCRA examinations, and permitting regulations to be adopted to implement the requirements of the FCRA.

The FCRA was substantively amended in 2003 upon the passage of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) (Pub. L. No. 108-159, 117 Stat. 1952). The FACT Act created many new responsibilities for consumer reporting agencies and users of consumer reports. It contained many new consumer disclosure requirements as well as provisions to address identity theft. In addition, it provided free annual consumer report rights for consumers and improved access to consumer report information to help increase the accuracy of data in the consumer reporting system.

The FCRA contains significant responsibilities for business entities that are consumer reporting agencies and lesser responsibilities for those that are not. Generally, financial institutions are not considered to function as consumer reporting agencies; however, depending on the degree to which their information sharing business practices approximate those of a consumer reporting agency, they can be deemed as such.

In addition to the requirements related to financial institutions acting as consumer reporting agencies, FCRA requirements also apply to financial institutions that operate in the following capacities:

  1. Procurers and users of information (for example, as credit grantors, purchasers of dealer paper, or when opening deposit accounts);
  2. Furnishers and transmitters of information (by reporting information to consumer reporting agencies or other third parties, or to affiliates);
  3. Marketers of credit or insurance products; or
  4. Employers.
Structure and Overview of Examination Modules
The examination procedures are structured as a series of modules, grouping similar requirements together. General information about each of the requirements is followed by the examination steps.

Financial institutions are subject to a number of different requirements under the FCRA. Some are contained directly in the statute, others are in regulations issued jointly by the FFIEC agencies, and still others are contained in regulations issued by the Federal Reserve Board and/or the Federal Trade Commission. The Job Aids at the end of this section contain a matrix of the different statutory and regulatory cites applicable to financial institutions that are not consumer reporting agencies. This matrix is sorted by federal regulator.

Key Definitions
There are a number of definitions used throughout the FCRA. Key definitions include the following:

"Consumer" is defined as an individual.

"Consumer report" is any written, oral, or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected, in whole or in part, for the purpose of serving as a factor in establishing the consumer’s eligibility for:

  1. Credit or insurance to be used primarily for personal, family, or household purposes;
  2. Employment purposes; or
  3. Any other purpose authorized under section 604 (15 USC §1681b).
The term "consumer report" does not include:

  1. Any report containing information solely about transactions or experiences between the consumer and the institution making the report;
  2. Any communication of that transaction or experience information among entities related by common ownership or affiliated by corporate control (for example, different banks that are members of the same holding company, or subsidiary companies of a bank);
  3. Communication of other information among persons related by common ownership or affiliated by corporate control if:
    1. It is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons; and
    2. The consumer is given the opportunity, before the time that the information is communicated, to direct that the information not be communicated among such persons;
  4. Any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device;
  5. Any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer, such as a lender who has received a request from a broker, conveys his or her decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made, and such person makes the disclosures to the consumer required under section 615 (15 USC §1681m); or
  6. A communication described in subsection (o) or (x) of section 603 [15 USC §1681a(o)] (which relates to certain investigative reports and certain reports to prospective employers).
"Person" means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.

"Investigative Consumer Report" means a consumer report or portion thereof in which information on a consumer’s character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with neighbors, friends, or associates of the consumer reported on or with others with whom he is acquainted or who may have knowledge concerning any such items of information. However, such information does not include specific factual information on a consumer’s credit record obtained directly from a creditor of the consumer or from a consumer reporting agency when such information was obtained directly from a creditor of the consumer or from the consumer.

"Adverse Action" has the same meaning as used in section 701(d)(6) [15 USC §1691(d)(6)] of the Equal Credit Opportunity Act ("ECOA"). Under the ECOA, it means a denial or revocation of credit, a change in the terms of an existing credit arrangement, or a refusal to grant credit in substantially the same amount or on terms substantially similar to those requested. Under the ECOA, the term does not include a refusal to extend additional credit under an existing credit arrangement where the applicant is delinquent or otherwise in default, or where such additional credit would exceed a previously established credit limit.

The term has the following additional meanings for purposes of the FCRA:

  1. A denial or cancellation of, an increase in any charge for, or a reduction or other adverse or unfavorable change in the terms of coverage or amount of, any insurance, existing or applied for, in connection with the underwriting of insurance;
  2. A denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee;
  3. A denial or cancellation of, an increase in any charge for, or any other adverse or unfavorable change in the terms of, any license or benefit described in section 604(a)(3)(D) [15 USC §1681b(a)(3)(D)]; and
  4. An action taken or determination that is (a) made in connection with an application made by, or transaction initiated by, any consumer, or in connection with a review of an account to determine whether the consumer continues to meet the terms of the account, and (b) adverse to the interests of the consumer.
"Employment Purposes" when used in connection with a consumer report means a report used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.

"Consumer Reporting Agency" means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

Examination Objectives
  1. To determine the financial institution’s compliance with the FCRA.
  2. To assess the quality of the financial institution’s compliance management systems and its policies and procedures for implementing the FCRA.
  3. To determine the reliance that can be placed on the financial institution’s internal controls and procedures for monitoring the institution’s compliance with the FCRA.
  4. To direct corrective action when violations of law are identified or when policies or internal controls are deficient.
Examination Procedures
Initial Procedures
The initial procedures are designed to acquaint examiners with the individual operations and processes of the institution under examination. These initial steps focus on an institution’s systems, controls, policies, and procedures, including audits and previous examination findings.

The applicability of the various sections of the FCRA and implementing regulations depends on an institution’s unique operations. The functional examination requirements for these responsibilities are presented topically in Modules 1 through 6 of these procedures. (Module 6 will be included in a subsequent amendment to these procedures.)

The FCRA contains many different requirements that a financial institution must follow, even if it is not a consumer reporting agency. Subsequent to the passage of the FACT Act, some of the individual compliance responsibilities are set forth directly in the statute, others are within joint, inter-agency regulations, and still others are set forth in regulations issued by some of the regulatory agencies. The modules present examination responsibilities by subject matter, rather than by strict regulatory or statutory construction.

Initially, examiners should:

  1. Through discussions with management and review of available information, determine whether the institution’s internal controls are adequate to ensure compliance in the area under review. Consider the following:
    1. Organization charts
    2. Process flowcharts
    3. Policies and procedures
    4. Loan documentation
    5. Checklists
    6. Computer program documentation (for example, records illustrating the fields and types of data reported to consumer reporting agencies; automated records tracking customer opt outs for FCRA affiliate information sharing; etc.)
  2. Review any compliance audit material including work papers and reports to determine whether:
    1. The scope of the audit addresses all provisions as applicable;
    2. Corrective actions were taken to follow-up on previously identified deficiencies;
    3. The testing includes samples covering all product types and decision centers;
    4. The work performed is accurate;
    5. Significant deficiencies and their causes are included in reports to management and/or to the board of directors; and
    6. The frequency of review is appropriate.
  3. Review the financial institution’s training materials to determine whether:
    1. Appropriate training is provided to individuals responsible for FCRA compliance and operational procedures; and
    2. The training is comprehensive and covers the various aspects of the FCRA that apply to the individual financial institution’s operations.
  4. Through discussions with management, determine which portions of the six examination modules will apply.
  5. Complete appropriate examination modules, document and form conclusions regarding the quality of the financial institution’s compliance management systems and compliance with the FCRA.
Module 1: Obtaining Consumer Reports
Overview
Consumer reporting agencies have a significant amount of personal information about consumers. This information is invaluable in assessing a consumer’s creditworthiness for a variety of products and services, including loan and deposit accounts, insurance, and utility services, among others. Access to this information is governed by the Fair Credit Reporting Act (FCRA) to ensure that it is obtained for permissible purposes and not exploited for illegitimate purposes.

The FCRA requires any prospective "user" of a consumer report, for example a lender, insurer, landlord, or employer, among others, to have a legally permissible purpose to obtain a report.

Section 604 Permissible Purposes of Consumer Reports and Section 606 Investigative Consumer Reports

Legally Permissible Purposes. The FCRA allows a consumer reporting agency to furnish a consumer report for the following circumstances and no other:

  1. In response to a court order or Federal Grand Jury subpoena.
  2. In accordance with the written instructions of the consumer.
  3. To a person, including a financial institution, which it has reason to believe:
    1. Intends to use the report in connection with a credit transaction involving the consumer (includes extending, reviewing, and collecting credit);
    2. Intends to use the information for employment purposes; 15
    3. Intends to use the information in connection with the underwriting of insurance involving the consumer;
    4. Intends to use the information in connection with a determination of the consumer’s eligibility for a license or other benefit granted by a governmental instrumentality that is required by law to consider an applicant’s financial responsibility;
    5. Intends to use the information, as a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation; or
    6. Otherwise has a legitimate business need for the information:
      1. In connection with a business transaction that is initiated by the consumer; or
      2. To review an account to determine whether the consumer continues to meet the terms of the account.
  4. In response to a request by the head of a State or local child support enforcement agency (or authorized appointee) if the person certifies various information to the consumer reporting agency regarding the need to obtain the report. (Generally, this particular purpose does not impact a financial institution that is not a consumer reporting agency.)
Prescreened Consumer Reports. Users of consumer reports, such as financial institutions, may obtain prescreened consumer reports to make firm offers of credit or insurance to consumers, unless the consumers have elected to opt out of being included on prescreened lists. The FCRA contains many requirements, including an opt out notice requirement when prescreened consumer reports are used. In addition to defining prescreened consumer reports, Module 3 covers these requirements.

Investigative Consumer Reports. Section 606 contains specific requirements for use of an investigative consumer report. This type of consumer report contains information about a consumer’s character, general reputation, personal characteristics, or mode of living that is obtained in whole or in part through personal interviews with neighbors, friends, or associates of the consumer. If a financial institution procures an investigative consumer report, or causes one to be prepared, the institution must meet the following requirements:

  1. The institution clearly and accurately discloses to the consumer that an investigative consumer report may be obtained.
  2. The disclosure contains a statement of the consumer’s right to request other information about the report, and a summary of the consumer’s rights under the FCRA.
  3. The disclosure is in writing and is mailed or otherwise delivered to the consumer not later than three business days after the date on which the report was first requested.
  4. The financial institution procuring the report certifies to the consumer reporting agency that it has complied with the disclosure requirements and will comply in the event that the consumer requests additional disclosures about the report.
Institution Procedures. Given the preponderance of electronically available information and the growth of identity theft, financial institutions should manage the risks associated with obtaining and using consumer reports. Financial institutions should employ procedures, controls, or other safeguards to ensure that consumer reports are obtained and used only in situations for which there are permissible purposes. Access to, and storage and destruction of this information is dealt with under an institution’s Information Security Program; however, obtaining consumer reports initially must be done in compliance with the FCRA.

Examination Procedures
Section 604 Permissible Purposes of Consumer Reports and Section 606 Investigative Consumer Reports
  1. Determine whether the financial institution obtains consumer reports.
  2. Determine whether the institution obtains prescreened consumer reports and/or reports for employment purposes. If so, complete the appropriate sections of Module 3.
  3. Determine whether the financial institution procures or causes to be prepared an investigative consumer report. If so, ensure that the appropriate disclosure is given to the consumer within the required time periods. In addition, ensure that the financial institution certified compliance with the disclosure requirements to the consumer reporting agency.
  4. Evaluate the institution’s procedures to ensure that consumer reports are obtained only for permissible purposes. Confirm that the institution certifies to the consumer reporting agency the purposes for which it will obtain reports. (The certification is usually contained in a financial institution’s contract with the consumer reporting agency.)
  5. If procedural weaknesses are noted or other risks requiring further investigation are noted, such as the receipt of several consumer complaints, review a sample of consumer reports obtained from a consumer reporting agency and determine whether the financial institution had permissible purposes to obtain the reports.
    • For example, obtain a copy of a billing statement or other list of consumer reports obtained by the financial institution from the consumer reporting agency for a period of time.
    • Compare this list, or a sample from this list to the institution’s records to ensure that there is a permissible purpose for the report(s) obtained. This could include any permissible purpose, such as the consumer applied for credit, insurance, or employment, etc. The financial institution may also obtain a report in connection with the review of an existing account.
Module 2: Obtaining Information and Sharing Among Affiliates
Overview
The Fair Credit Reporting Act (FCRA) contains many substantive compliance requirements for consumer reporting agencies that are designed to help ensure the accuracy and integrity of the consumer reporting system. As noted in the definitions section, a consumer reporting agency is a person that generally furnishes consumer reports to third parties. By their very nature, banks, credit unions, and thrifts have a significant amount of consumer information that could constitute a consumer report, and thus communication of this information could cause the institution to become a consumer reporting agency. The FCRA contains several exceptions that enable a financial institution to communicate this type of information, within strict guidelines, without becoming a consumer reporting agency.

Rather than containing strict information sharing prohibitions, the FCRA creates a business disincentive such that if a financial institution shares consumer report information outside of the exceptions, then the institution is a consumer reporting agency and will be subject to the significant, substantive requirements of the FCRA applicable to those entities. Typically, a financial institution will structure its information sharing practices within the exceptions to avoid becoming a consumer reporting agency. This examination module generally covers the various information sharing practices within these exceptions.

If upon completion of this module, examiners determine that the financial institution’s information sharing practices fall outside of these exceptions, the financial institution will be considered a consumer reporting agency and Module 6 of the examination procedures should be completed.

Section 603(d) Consumer Report and Information Sharing
Section 603(d) defines a consumer report to include information about a consumer such as that which bears on a consumer’s creditworthiness, character, and capacity among other factors. Communication of this information may cause a person, including a financial institution, to become a consumer reporting agency. The statutory definition contains key exemptions to this definition that enable financial institutions to share this type of information under certain circumstances, without becoming consumer reporting agencies. Specifically, the term "consumer report" does not include:

  1. A report containing information solely as to transactions or experiences between the consumer and the financial institution making the report. A person, including a financial institution, may share information strictly related to its own transactions or experiences with a consumer (such as the consumer’s payment history, or an account with the institution) with any third party, without regard to affiliation, without becoming a consumer reporting agency. This type of information sharing may, however, be restricted under the Privacy of Consumer Financial Information regulations that implement the Gramm-Leach-Bliley Act (GLBA) because it meets the definition of non-public personal information under the Privacy regulations; therefore sharing it with non-affiliated third parties may be subject to an opt out under the privacy regulations. In turn, the FCRA may also restrict activities that the GLBA permits. For example, the GLBA permits a financial institution to share a list of its customers and information such as their credit scores with another financial institution to jointly market or sponsor other financial products or services. This communication may be considered a consumer report under the FCRA and could potentially cause the sharing financial institution to become a consumer reporting agency.
  2. Communication of such transaction or experience information among persons, including financial institutions related by common ownership or affiliated by corporate control.
  3. Communication of other information (e.g., other than transaction or experience information) among persons and financial institutions related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information will be communicated among such entities, and before the information is initially communicated, the consumer is given the opportunity to opt out of the communication. This allows a financial institution to share other information (that is, information other than its own transaction and experience information) that could otherwise be a consumer report, without becoming a consumer reporting agency under the following circumstances:
    1. The sharing of the "other" information is done with affiliates; and
    2. Consumers are provided with the notice and an opportunity to opt out of this sharing before the information is first communicated among affiliates.
For example, "other" information can include information provided by a consumer on an application form concerning accounts with other financial institutions. It can also include information obtained by a financial institution from a consumer reporting agency, such as the consumer’s credit score. If a financial institution shares other information with affiliates without providing a notice and an opportunity to opt out, the financial institution may become a consumer reporting agency subject to all of the other requirements of the FCRA.

The opt out right required by this section must be contained in a financial institution’s Privacy Notice, as required by the GLBA and its implementing regulations.

Other Exceptions
Specific extensions of credit. In addition, the term "consumer report" does not include the communication of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device. For example, this exception allows a lender to communicate an authorization through the credit card network to a retailer, to enable a consumer to complete a purchase using a credit card.

Credit Decision to Third Party (e.g., auto dealer). The term "consumer report" also does not include any report in which a person, including a financial institution, who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer, conveys the decision with respect to the request. The third party must advise the consumer of the name and address of the financial institution to which the request was made, and such financial institution makes the adverse action disclosures required by section 615 of the FCRA. For example, this exception allows a lender to communicate a credit decision to an automobile dealer who is arranging financing for a consumer purchasing an automobile and who requires a loan to finance the transaction.

Joint User Rule. The Federal Trade Commission staff commentary discusses another exception known as the "Joint User Rule." Under this exception, users of consumer reports, including financial institutions, may share information if they are jointly involved in the decision to approve a consumer’s request for a product or service, provided that each has a permissible purpose to obtain a consumer report on the individual. For example, a consumer applies for a mortgage loan that will have a high loan-to-value ratio, and thus the lender will require private mortgage insurance (PMI) in order to approve the application. The PMI will be provided by an outside company. The lender and the PMI company can share consumer report information about the consumer because both entities have permissible purposes to obtain the information and both are jointly involved in the decision to grant the products to the consumer. This exception applies to entities that are affiliated or non-affiliated third parties. It is important to note that the GLBA will still apply to the sharing of non-public, personal information with non-affiliated third parties; therefore, financial institutions should be aware that sharing under the FCRA joint user rule may still be limited or prohibited by the GLBA.

Examination Procedures
Section 603(d) Consumer Report and Information Sharing
  1. Review the financial institution’s policies, procedures, and practices concerning the sharing of consumer information with third parties, including both affiliated and nonaffiliated third parties. Determine the type of information shared and with whom the information is shared. (This portion of the examination process may overlap with a review of the institution’s compliance with the Privacy of Consumer Financial Information Regulations that implement the Gramm-Leach-Bliley Act.)
  2. Determine whether the financial institution’s information sharing practices fall within the exceptions to the definition of a consumer report. If they do not, the financial institution could be considered a consumer reporting agency, in which case Module 6 of the examination procedures should be completed.
  3. If the financial institution shares information other than transaction and experience information with affiliates subject to an opt out, ensure that information regarding how to opt out is contained in the institution’s GLBA Privacy Notice, as required by the Privacy of Consumer Financial Information regulations.
  4. If procedural weaknesses are noted or other risks requiring further investigation are noted, obtain a sample of opt out rights exercised by consumers and determine if the financial institution honored the opt out requests by not sharing "other information" about the consumers with the institution’s affiliates subsequent to receiving a consumer’s opt out direction.
Section 604(g) Protection of Medical Information
Section 604(g) generally prohibits creditors from obtaining and using medical information in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. The statute contains no prohibition on creditors obtaining or using medical information for other purposes that are not in connection with a determination of the consumer’s eligibility, or continued eligibility for credit.

Section 604(g)(5)(A) requires the FFIEC agencies to prescribe regulations that permit transactions that are determined to be necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (including administrative verification purposes), consistent with the Congressional intent to restrict the use of medical information for inappropriate purposes. On November 22, 2005, the FFIEC Agencies published final rules in the Federal Register (70 FR 70664). The rules contain the general prohibition on obtaining or using medical information, and provide exceptions for the limited circumstances when medical information may be used. The rules define "credit" and "creditor" as having the same meanings as in section 702 of the Equal Credit Opportunity Act (15 USC 1691a).

Obtaining and Using Unsolicited Medical Information. A creditor does not violate the prohibition on obtaining medical information if it receives the medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit without specifically requesting medical information. However, the creditor may only use this medical information in connection with a determination of the consumer’s eligibility, or continued eligibility, for credit in accordance with either the financial information exception or one of the specific other exceptions provided in the rules. These exceptions are discussed below.

Financial Information Exception. The rules allow a creditor to obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility or continued eligibility for credit, so long as:

  1. The information is the type of information routinely used in making credit eligibility determinations, such as information relating to debts, expenses, income, benefits, assets, collateral, or the purpose of the loan, including the use of the loan proceeds;
  2. The creditor uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction; AND
  3. The creditor does not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination.
The financial information exception is designed in part to allow creditors to consider a consumer’s medical debts and expenses in the assessment of that consumer’s ability to repay the loan according to the loan terms. In addition, the financial information exception also allows a creditor to consider the dollar amount and continued eligibility for disability income, worker’s compensation income, or other benefits related to health or a medical condition that is relied on as a source of repayment.

The creditor may use the medical information in a manner and to an extent that is no less favorable than it would use comparable, non-medical information. For example, a consumer includes on an application for credit information about two $20,000 debts. One debt is to a hospital; the other is to a retailer. The creditor may use and consider the debt to the hospital in the same manner in which it considers the debt to the retailer, such as including both debts in the calculation of the consumer’s proposed debt-to-income ratio. In addition, the consumer’s payment history on the debt to the hospital may be considered in the same manner as the payment history on the debt to the retailer. For example, if the creditor does not grant loans to applicants who have debts that are 90 days past due, the creditor could consider the past-due status of a debt to the hospital in the same manner as the past-due status of a debt to the retailer.

A creditor may use medical information in a manner that is more favorable to the consumer, according to its regular policies and procedures. For example, if a creditor has a routine policy of declining consumers who have a 90-day past due installment loan to a retailer, but does not decline consumers who have a 90-day past due debt to a hospital, the financial information exception would allow a creditor to continue this policy without violating the rules because in these cases, the creditor’s treatment of the debt to the hospital is more favorable to the consumer.

A creditor may not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any determination regarding the consumer’s eligibility, or continued eligibility for credit. The creditor may only consider the financial implications as discussed above, such as the status of a debt to a hospital, continuance of disability income, etc.

Specific Exceptions for Obtaining and Using Medical Information. In addition to the financial information exception, the rules also provide for the following nine specific exceptions under which a creditor can obtain and use medical information in its determination of the consumer’s eligibility, or continued eligibility for credit:

  1. To determine whether the use of a power of attorney or legal representative that is triggered by a medical condition or event is necessary and appropriate, or whether the consumer has the legal capacity to contract when a person seeks to exercise a power of attorney or act as a legal representative for a consumer based on an asserted medical condition or event. For example, if Person A is attempting to act on behalf of Person B under a Power of Attorney that is invoked based on a medical event, a creditor is allowed to obtain and use medical information to verify that Person B has experienced a medical condition or event such that Person A is allowed to act under the Power of Attorney.
  2. To comply with applicable requirements of local, state, or Federal laws.
  3. To determine, at the consumer’s request, whether the consumer qualifies for a legally permissible special credit program or credit related assistance program that is:
    1. Designed to meet the special needs of consumers with medical conditions; AND
    2. Established and administered pursuant to a written plan that:
      1. Identifies the class of persons that the program is designed to benefit; and
      2. Sets forth the procedures and standards for extending credit or providing other credit-related assistance under the program.
  4. To the extent necessary for purposes of fraud prevention or detection.
  5. In the case of credit for the purpose of financing medical products or services, to determine and verify the medical purpose of the loan and the use of the proceeds.
  6. Consistent with safe and sound banking practices, if the consumer or the consumer’s legal representative requests that the creditor use medical information in determining the consumer’s eligibility, or continued eligibility, for credit, to accommodate the consumer’s particular circumstances, and such request is documented by the creditor. For example, at the consumer’s request, a creditor may grant an exception to its ordinary policy to accommodate a medical condition that the consumer has experienced. This exception allows a creditor to consider medical information in this context, but it does not require a creditor to make such an accommodation nor does it require a creditor to grant a loan that is unsafe or unsound.
  7. Consistent with safe and sound practices, to determine whether the provisions of a forbearance practice or program that is triggered by a medical condition or event apply to a consumer. For example, if a creditor has a policy of delaying foreclosure in cases where a consumer is experiencing a medical hardship, this exception allows the creditor to use medical information to determine if the policy would apply to the consumer. Like the exception listed in item 6 above, this exception does not require a creditor to grant forbearance, it merely provides an exception so that a creditor may consider medical information in these instances.
  8. To determine the consumer’s eligibility for, the triggering of, or the reactivation of a debt cancellation contract or debt suspension agreement if a medical condition or event is a triggering event for the provision of benefits under the contract or agreement.
  9. To determine the consumer’s eligibility for, the triggering of, or the reactivation of a credit insurance product if a medical condition or event is a triggering event for the provision of benefits under the product.
Limits on redisclosure of information. If a creditor subject to the medical information rules receives medical information about a consumer from a consumer reporting agency or its affiliate, the creditor must not disclose that information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order.

Sharing medical information with affiliates. In general, the exclusions from the definition of "consumer report" in section 603(d)(2) of the FCRA allow the sharing of information among affiliates. With regard to medical information, section 603(d)(3) of the FCRA provides that the exclusions in section 603(d)(2) do not apply when a person subject to the medical information rules shares the following information with an affiliate:

  1. Medical information;
  2. An individualized list or description based on the payment transactions of the consumer for medical products or services; or
  3. An aggregate list of identified consumers based on payment transactions for medical products or services.
If a person who is subject to the medical rules shares with an affiliate the type of information discussed above, the exclusions from the definition of "consumer report" do not apply. Effectively, this means that if a person shares medical information, that person becomes a consumer reporting agency, subject to all of the other substantive requirements of the FCRA.

The rules provide exceptions to these limitations on sharing medical information with affiliates. A person, such as a bank, thrift, or credit union, may share medical information with its affiliates without becoming a consumer reporting agency under the following circumstances:

  1. In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003);
  2. For any purpose permitted without authorization under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
  3. For any purpose referred to in section 1179 of HIPAA;
  4. For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act;
  5. In connection with a determination of the consumer’s eligibility, or continued eligibility, for credit consistent with the financial information exceptions or specific exceptions; or
  6. As otherwise permitted by order of an FFIEC agency.
Examination Procedures
  1. Review the financial institution’s policies, procedures, and practices concerning the collection and use of medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility for credit.
  2. If the financial institution’s policies, procedures, and practices allow for obtaining and using medical information pertaining to a consumer in the context of a credit transaction, assess whether there are adequate controls in place to ensure that the information is only used subject to the financial information exception in the rules, or under a specific exception within the rules.
  3. If procedural weaknesses are noted or other risks requiring further investigation are noted, obtain samples of credit transactions to determine if the use of medical information pertaining to a consumer was done strictly under the financial information exception or the specific exceptions under the regulation.
  4. Determine whether the financial institution has adequate policies and procedures in place to limit the redisclosure of medical information about a consumer that was received from a consumer reporting agency or an affiliate.
  5. Determine whether the financial institution shares medical information about a consumer with affiliates. If information is shared, determine whether it occurred under an exception in the rules that enables the financial institution to share the information without becoming a consumer reporting agency.
Section 624 Affiliate Marketing Opt Out
Section 624 of the FCRA requires consumers to be provided with a notice and an opportunity to opt out of an entity’s use of certain information received from an affiliate to make solicitations to the consumer. The federal banking agencies, the National Credit Union Administration, the Federal Trade Commission, and the Securities and Exchange Commission are in the process of developing final regulations to implement this new opt out requirement. Financial institutions will not be subject to these requirements until the final rules are implemented and effective. This section of the examination procedures will be written upon publication of the final regulations.

Module 3: Disclosures to Consumers and Miscellaneous Requirements
Overview
The Fair Credit Reporting Act (FCRA) requires financial institutions to provide consumers with various notices and information under a variety of circumstances. This module contains examination responsibilities for these various areas.

Section 604(b) Use of Consumer Reports for Employment Purposes
Section 604(b) has specific requirements for financial institutions that obtain consumer reports on their employees or prospective employees prior to, and/or during, the term of employment. The FCRA generally requires the written permission of the consumer to procure a consumer report for "employment purposes." Moreover, a clear and conspicuous disclosure that a consumer report may be obtained for employment purposes must be provided in writing to the consumer prior to procuring a report.

Prior to taking any adverse action involving employment that is based in whole or in part on the consumer report, the user generally must provide to the consumer:

  1. A copy of the report; and
  2. A description in writing of the rights of the consumer under this title, as prescribed by the FTC under section 609(c)(3).
At the time a financial institution takes adverse action in an employment situation, the consumer must also be provided with an adverse action notice, required by section 615, described later in this module.

Examination Procedures
  1. Determine whether the financial institution obtains consumer reports on current or prospective employees.
  2. Assess the financial institution’s policies and procedures to ensure that appropriate disclosures are provided to current and prospective employees when consumer reports are obtained for employment purposes, including situations where adverse actions are taken based on consumer report information.
  3. If procedural weaknesses are noted or other risks requiring further investigation are noted, review a sample of the disclosures to determine if they are accurate and in compliance with the technical FCRA requirements.
Sections 604(c) and 615(d) of FCRA - Prescreened Consumer Reports and Opt out Notice [and Parts 642 and 698 of Federal Trade Commission Regulations]
Section 604(c)(1)(B) allows persons, including financial institutions, to obtain and use consumer reports on any consumer in connection with any credit or insurance transaction that is not initiated by the consumer, to make firm offers of credit or insurance. This process, known as prescreening, occurs when a financial institution obtains a list from a consumer reporting agency of consumers who meet certain predetermined creditworthiness criteria and who have not elected to be excluded from such lists. These lists may only contain the following information:

  1. The name and address of a consumer;
  2. An identifier that is not unique to the consumer and that is used by the person solely for the purpose of verifying the identity of the consumer; and
  3. Other information pertaining to a consumer that does not identify the relationship or experience of the consumer with respect to a particular creditor or other entity.
Each name appearing on the list is considered an individual consumer report. In order to obtain and use these lists, financial institutions must make a "firm offer of credit or insurance" as defined in section 603(l) to each person on the list. An institution is not required to grant credit or insurance if the consumer is not creditworthy or insurable, or cannot furnish required collateral, provided that the underwriting criteria are determined in advance, and applied consistently.

    Example 1: Assume a home mortgage lender obtains a list from a consumer reporting agency of everyone in County X with a current home mortgage loan and a credit score of 700. The lender will use this list to market a 2nd lien home equity loan product. The lender’s other non-consumer report criteria for this product, in addition to those used in the prescreened list, include a maximum total debt-to-income ratio (DTI) of 50% or less. Some of the criteria can be screened by the consumer reporting agency, but others, such as the DTI, must be determined individually when consumers respond to the offer. If a consumer responds to the offer but already has a DTI of 60%, the lender does not have to grant the loan.
In addition, the financial institution is allowed to obtain a full consumer report on anyone responding to the offer to verify that the consumer continues to meet the creditworthiness criteria. If the consumer no longer meets those criteria, the financial institution does not have to grant the loan.

    Example 2: On January 1, a credit card lender obtains a list from a consumer reporting agency of consumers in County Y who have credit scores of 720, and no previous bankruptcy records. The lender mails solicitations offering a pre-approved credit card to everyone on the list on January 2. On January 31, a consumer responds to the offer and the lender obtains and reviews a full consumer report which shows that a bankruptcy record was added on January 15. Since this consumer no longer meets the lender’s predetermined criteria, the lender is not required to issue the credit card.
These basic requirements help prevent financial institutions from obtaining prescreened lists without following through with an offer of credit or insurance. The financial institution must maintain the criteria used for the product (including the criteria used to generate the prescreened report and any other criteria such as collateral requirements) on file for a period of three years, beginning on the date that the offer was made to the consumer.

Technical Notice and Opt Out Requirements. Section 615(d) contains consumer protections and technical notice requirements concerning prescreened offers of credit or insurance. The FCRA requires nationwide consumer reporting agencies to jointly operate an "opt out" system, whereby consumers can elect to be excluded from prescreened lists by calling a toll-free number.

When a financial institution obtains and uses these lists, it must provide consumers with a Prescreened Opt Out Notice with the offer of credit or insurance. This notice alerts consumers that they are receiving the offer because they meet certain creditworthiness criteria. The notice must also provide the toll-free telephone number operated by the nationwide consumer reporting agencies for consumers to call to opt out of prescreened lists.

The FCRA contains the basic requirement to provide notices to consumers at the time the prescreened offers are made. The Federal Trade Commission published an implementing regulation containing the technical requirements of the notice at 16 CFR Parts 642 and 698. This regulation is applicable to anyone, including banks, credit unions, and thrifts that obtain and use prescreened consumer reports. These requirements became effective on August 1, 2005; however, the requirement to provide a notice containing the toll-free opt out telephone number has existed under the FCRA for many years.

Requirements Beginning August 1, 2005. 16 CFR 642 and 698 of the FTC regulations require that a "short" notice and a "long" notice of the prescreened opt out information be given with each written solicitation made to consumers using prescreened consumer reports. These regulations also contain specific requirements concerning the content and appearance of these notices. The requirements are listed within the following paragraphs of these procedures. The regulations were published on January 31, 2005, in 70 Federal Register 5022.

The short notice must be a clear and conspicuous, simple, and easy-to-understand statement as follows:

  1. Content. The short notice must state that the consumer has the right to opt out of receiving prescreened solicitations, provide the toll-free number, and direct consumers to the existence and location of the long notice, and shall state the title of the long notice. The short notice may not contain any other information.
  2. Form. The short notice must be in a type size larger than the principal text on the same page, but it may not be smaller than 12 point type. If the notice is provided by electronic means, it must be larger than the type size of the principal text on the same page.
  3. Location. The short form must be on the front side of the first page of the principal promotional document in the solicitation, or if provided electronically, it must be on the same page and in close proximity to the principal marketing message. The statement must be located so that it is distinct from other information, such as inside a border, and must be in a distinct type style, such as bolded, italicized, underlined, and/or in a color that contrasts with the principal text on the page, if the solicitation is provided in more than one color.
The long notice must also be a clear and conspicuous, simple, and easy to understand statement as follows:

  1. Content. The long notice must state the information required by section 615(d) of the FCRA and may not include any other information that interferes with, detracts from, contradicts, or otherwise undermines the purpose of the notice.
  2. Form. The notice must appear in the solicitation, be in a type size that is no smaller than the type size of the principal text on the same page, and, for solicitations provided other than by electronic means, the type size may not be smaller than 8-point type. The notice must begin with a heading in capital letters and underlined, and identifying the long notice as the "PRESCREEN & OPT OUT NOTICE." It must be in a type style that is distinct from the principal type style used on the same page, such as bolded, italicized, underlined, and/or in a color that contrasts from the principal text, if the solicitation is in more than one color. The notice must be set apart from other text on the page, such as by including a blank line above and below the statement, and by indenting both the left and right margins from other text on the page.
The FTC developed model Prescreened Opt Out Notices, which are contained in Appendix A to 16 CFR 698 of the FTC’s regulations. Appendix A contains complete sample solicitations for context. The prescreen notice text is contained in the following:

Sample Short Notice:

You can choose to stop receiving “prescreened” offers of [credit or insurance] from this and other companies by calling toll-free [toll-free number]. See PRESCREEN & OPT-OUT NOTICE on other side [or other location] for more information about prescreened offers.

Sample Long Notice:

PRESCREEN & OPT-OUT NOTICE: This “prescreened” offer of [credit or insurance] is based on information in your credit report indicating that you meet certain criteria. This offer is not guaranteed if you do not meet our criteria [including providing acceptable property as collateral]. If you do not want to receive prescreened offers of [credit or insurance] from this and other companies, call the consumer reporting agencies [or name of consumer reporting agency] toll-free, [toll-free number]; or write: [consumer reporting agency name and mailing address].

Examination Procedures
  1. Determine whether the financial institution obtained and used prescreened consumer reports in connection with offers of credit and/or insurance.
  2. Evaluate the institution’s policies and procedures to ensure that criteria used for prescreened offers, including all post-application criteria, are maintained in the institution’s files and used consistently when consumers respond to the offers.
  3. Determine whether written solicitations contain the required disclosures of the consumers’ right to opt out of prescreened solicitations and comply with all requirements applicable at the time of the offer.
  4. If procedural weaknesses are noted or other risks requiring further investigation are noted, obtain and review a sample of approved and denied responses to the offers to ensure that criteria were appropriately followed.
Section 605(g) Truncation of Credit and Debit Card Account Numbers
Section 605(g) provides that persons, including financial institutions, that accept debit and credit cards for the transaction of business will be prohibited from issuing electronic receipts that contain more than the last five digits of the card number, or the card expiration date, at the point of sale or transaction. This requirement applies only to electronically generated receipts and does not apply to handwritten receipts or those produced with an imprint of the card. For Automatic Teller Machines (ATMs) and Point-of-Sale (POS) terminals or other machines that were put into operation before January 1, 2005, this requirement is effective on December 4, 2006. For ATMs and POS terminals or other machines that were put into operation on or after January 1, 2005, the effective date is the date of installation.

Examination Procedures
  1. Determine whether the financial institution’s policies and procedures ensure that electronically generated receipts from ATM and POS terminals or other machines do not contain more than the last five digits of the card number and do not contain the expiration dates.
  2. For ATMs and POS terminals or other machines that were put into operation before January 1, 2005, determine if the institution has brought the terminals into compliance or has begun a plan to ensure that these terminals comply by the mandatory compliance date of December 4, 2006.
  3. If procedural weaknesses are noted or other risks requiring further investigation are noted, review samples of actual receipts to ensure compliance.
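The section 605(g) truncation rule, shown as an added Python example that is not part of the handbook: a masking routine that leaves only the last five digits of the card number readable, a receipt formatter that never receives the expiration date and so cannot print it, and a checker of the kind an examiner could run over sample receipts under procedure 3 above. The card number, merchant name, dates and receipt text are constructed test data, and the function names are my own, not taken from any statute or vendor system.

```python
"""Added example (not from the FDIC handbook): card-number truncation on
electronic receipts under FCRA section 605(g), plus an examiner-style check.
All card numbers and receipt text below are constructed test data."""
import re

MAX_VISIBLE_DIGITS = 5   # section 605(g): no more than the last five digits


def mask_card_number(pan: str) -> str:
    """Mask a card number so only its last five digits remain readable.

    Separators (spaces, dashes) in the input are dropped; the result is a
    run of asterisks followed by the visible digits.
    """
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:          # plausible card-number lengths
        raise ValueError("card number must contain 12 to 19 digits")
    hidden = len(digits) - MAX_VISIBLE_DIGITS
    return "*" * hidden + digits[-MAX_VISIBLE_DIGITS:]


def format_receipt(merchant: str, amount_cents: int, pan: str, when: str) -> str:
    """Render a compliant electronic receipt (`when` is an ISO date string).

    The expiration date is deliberately not a parameter: a receipt that
    never sees it cannot leak it by accident.
    """
    return "\n".join([
        merchant,
        when,
        f"CARD {mask_card_number(pan)}",
        f"TOTAL ${amount_cents // 100}.{amount_cents % 100:02d}",
    ])


def receipt_violations(receipt: str, pan: str,
                       expiry_month: int, expiry_year: int) -> list:
    """List section 605(g) problems in a receipt, given the card it was issued for.

    Two things are checked, matching the statute: a fragment of the card
    number longer than five digits, and the expiration date in the common
    printed layouts MM/YY, MM-YY and MM/YYYY.
    """
    problems = []
    pan_digits = re.sub(r"\D", "", pan)
    # Digit runs may contain spaces or dashes, as printed card numbers do.
    # Runs of five digits or fewer are ignored, so amounts and the masked
    # tail never trigger; a longer run that sits inside the PAN is over-disclosure.
    for run in re.findall(r"\d(?:[\d -]*\d)?", receipt):
        run_digits = re.sub(r"\D", "", run)
        if len(run_digits) > MAX_VISIBLE_DIGITS and run_digits in pan_digits:
            problems.append(f"card number fragment of {len(run_digits)} digits: {run}")
    mm, yy = f"{expiry_month:02d}", f"{expiry_year % 100:02d}"
    for layout in (f"{mm}/{yy}", f"{mm}-{yy}", f"{mm}/{expiry_year}"):
        if layout in receipt:
            problems.append(f"expiration date printed as {layout}")
            break
    return problems


if __name__ == "__main__":
    SAMPLE_PAN = "4000 1234 5678 9010"     # constructed, not a real account
    good = format_receipt("Example Merchant", 2000, SAMPLE_PAN, "2006-12-04")
    bad = "Example Merchant\n2006-12-04\nCARD 4000 1234 5678 9010 EXP 12/08\nTOTAL $20.00"
    print(good)
    print("compliant receipt:", receipt_violations(good, SAMPLE_PAN, 12, 2008))
    print("noncompliant receipt:", receipt_violations(bad, SAMPLE_PAN, 12, 2008))
```

The checker compares the receipt against the card it was actually issued for rather than hunting for anything that looks like a card number, which keeps amounts, dates and reference numbers from producing false positives; a terminal that prints the last eight digits ("CARD 5678 9010") is still flagged because that eight-digit run sits inside the card number.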
Section 609(g) Disclosure of Credit Scores by Certain Mortgage Lenders
Section 609(g) requires financial institutions that make or arrange mortgage loans using credit scores to provide the score with accompanying information to the applicants.

Credit score. For purposes of this section, the term "credit score" is defined as a numerical value or a categorization derived from a statistical tool or modeling system used by a person who makes or arranges a loan to predict the likelihood of certain credit behaviors, including default (and the numerical value or the categorization derived from such analysis may also be referred to as a "risk predictor" or "risk score"). The credit score does not include:

  1. any mortgage score or rating by an automated underwriting system that considers one or more factors in addition to credit information, such as the loan-to-value ratio, the amount of down payment, or the financial assets of a consumer; or
  2. any other elements of the underwriting process or underwriting decision.
Covered transactions. The disclosure requirement applies to both closed-end and open-end loans that are for consumer purposes and are secured by 1-to-4 family residential real properties, including purchase and refinance transactions. This requirement will not apply in circumstances that do not involve a consumer purpose, such as when a borrower obtains a loan secured by his or her residence to finance his or her small business.

Specific required notice. Financial institutions in covered transactions that use credit scores must provide a disclosure containing the following specific language, which is contained in section 609(g)(1)(D):

Notice to The Home Loan Applicant
In connection with your application for a home loan, the lender must disclose to you the score that a consumer reporting agency distributed to users and the lender used in connection with your home loan, and the key factors affecting your credit scores.

The credit score is a computer generated summary calculated at the time of the request and based on information that a consumer reporting agency or lender has on file. The scores are based on data about your credit history and payment patterns. Credit scores are important because they are used to assist the lender in determining whether you will obtain a loan. They may also be used to determine what interest rate you may be offered on the mortgage. Credit scores can change over time, depending on your conduct, how your credit history and payment patterns change, and how credit scoring technologies change.

Because the score is based on information in your credit history, it is very important that you review the credit-related information that is being furnished to make sure it is accurate. Credit records may vary from one company to another.

If you have questions about your credit score or the credit information that is furnished to you, contact the consumer reporting agency at the address and telephone number provided with this notice, or contact the lender, if the lender developed or generated the credit score. The consumer reporting agency plays no part in the decision to take any action on the loan application and is unable to provide you with specific reasons for the decision on a loan application.

If you have questions concerning the terms of the loan, contact the lender.

The notice must include the name, address, and telephone number of each consumer reporting agency that provided a credit score that was used.

Credit score and key factors disclosed. In addition to the notice, financial institutions must also disclose the credit score, the range of possible scores, the date that the score was created, and the "key factors" used in the score calculation. "Key factors" are defined as all relevant elements or reasons adversely affecting the credit score for the particular individual, listed in the order of their importance based on their effect on the credit score. The total number of factors to be disclosed shall not exceed four factors. However, if one of the key factors is the number of inquiries into a consumer’s credit information, then the total number of factors shall not exceed five. These key factors come from information supplied by the consumer reporting agencies with any consumer report that was furnished containing a credit score. (Section 605(d)(2)).

This disclosure requirement applies in any application for a covered transaction, regardless of the final action taken by the lender on the application. The FCRA requires a financial institution to disclose all of the credit scores that were used in these transactions. For example, if two joint applicants apply for a mortgage loan to purchase a single-family-residence and the lender uses both credit scores, then both need to be disclosed. The statute specifically does not require more than one disclosure per loan; therefore, if multiple scores are used, all of them can be included in one disclosure containing the Notice to the Home Loan Applicant.

If a financial institution uses a credit score that was not obtained directly from a consumer reporting agency, but may contain some information from a consumer reporting agency, this disclosure requirement may be satisfied by providing a score and associated key factor information that were supplied by a consumer reporting agency. For example, certain automated underwriting systems generate a score used in a credit decision. These systems are often populated by data obtained from a consumer reporting agency. If a financial institution uses this automated system, the disclosure requirement may be satisfied by providing the applicants with a score and key factors supplied by a consumer reporting agency based on the data, including credit score(s) that was imported into the automated underwriting system. This will provide applicants with information about their credit history and its role in the credit decision, in the spirit of this section of the statute.

Timing. With regard to the timing of the disclosure, the statute requires that it be provided as soon as is reasonably practicable after using a credit score.

Examination Procedures
  1. Determine whether the financial institution uses credit scores in connection with applications for closed-end or open-end loans secured by 1 to 4 family residential real property.
  2. Evaluate the institution’s policies and procedures to determine whether accurate disclosures are provided to applicants as soon as is reasonably practicable after using credit scores.
  3. If procedural weaknesses are noted or other risks requiring further investigation are noted, review a sample of disclosures given to home loan applicants to ensure technical compliance with the requirements.
Section 615(a) and (b) Adverse Action Disclosures
The FCRA requires certain disclosures when adverse actions are taken with respect to consumers, based on information received from third parties. Specific disclosures are required depending upon whether the source of the information is: a consumer reporting agency, a third party other than a consumer reporting agency, or an affiliate. The disclosure requirements are discussed separately below.

Information Obtained From a Consumer Reporting Agency. Section 615(a) provides that when adverse action is taken with respect to any consumer that is based in whole or in part on any information contained in a consumer report, the financial institution must:

  1. Provide oral, written, or electronic notice of the adverse action to the consumer;
  2. Provide to the consumer orally, in writing, or electronically,
    1. the name, address, and telephone number of the consumer reporting agency from which it received the information (including a toll-free telephone number established by the agency, if the consumer reporting agency maintains files on a nationwide basis); and
    2. a statement that the consumer reporting agency did not make the decision to take the adverse action and is unable to provide the consumer the specific reasons why the adverse action was taken; and
  3. Provide the consumer an oral, written or electronic notice of the consumer’s right to obtain a free copy of the consumer report from the consumer reporting agency, within 60 days of receiving notice of the adverse action, and the consumer’s right to dispute the accuracy or completeness of any information in the consumer report with the consumer reporting agency.
Information Obtained from a Source Other Than a Consumer Reporting Agency.
Section 615(b)(1) provides that if credit for personal, family, or household purposes involving a consumer is denied or the charge for such credit is increased, partially or wholly on the basis of information obtained from a person other than a consumer reporting agency and bearing upon the consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, the financial institution:

  1. At the time an adverse action is communicated to a consumer, must clearly and accurately disclose the consumer’s right to file a written request for the reasons for the adverse action; and
  2. If it receives such a request within 60 days after the consumer learns of the adverse action, must disclose, within a reasonable period of time, the nature of the adverse information. The information should be sufficiently detailed to enable the consumer to evaluate its accuracy. The source of the information need not be, but may be, disclosed. In some instances, it may be impossible to identify the nature of certain information without also revealing the source.
Information Obtained from an Affiliate. Section 615(b)(2) provides that if a person, including a financial institution, takes an adverse action involving credit (taken in connection with a transaction initiated by a consumer), insurance or employment, based in whole or in part on information provided by an affiliate, it must notify the consumer that the information:

  1. Is furnished to the person taking the action by a person related by common ownership or affiliated by common corporate control, to the person taking the action;
  2. Bears upon the consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living;
  3. Is not information solely involving transactions or experiences between the consumer and the person furnishing the information; and
  4. Is not information in a consumer report.
The notification must inform the consumer of the action and that the consumer may obtain a disclosure of the nature of the information relied upon by making a written request within 60 days of transmittal of the adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information received from the affiliate not later than 30 days after receiving the request.

Examination Procedures
  1. Determine whether the financial institution’s policies and procedures adequately ensure that appropriate disclosures are provided when adverse action is taken against consumers based on information received from consumer reporting agencies, other third parties, and/or affiliates.
  2. Review the financial institution’s policies and procedures for responding to requests for information in response to these adverse action notices.
  3. If procedural weaknesses are noted or other risks requiring further investigation are noted, review a sample of adverse action notices to determine if they are accurate and in technical compliance.
Section 615(g) Debt Collector Communications Concerning Identity Theft
Section 615(g) has specific requirements for financial institutions that act as debt collectors, that is, the financial institution collects debts on behalf of a third party that is a creditor or other user of a consumer report. The requirements do not apply when a financial institution is collecting its own loans. When a financial institution is notified that any information relating to a debt that it is attempting to collect may be fraudulent or may be the result of identity theft, the financial institution must notify the third party of this fact. In addition, if the consumer, to whom the debt purportedly relates, requests information about the transaction, the financial institution must provide all of the information the consumer would otherwise be entitled to if the consumer wished to dispute the debt under other provisions of law applicable to the financial institution.

Examination Procedures
  1. Determine whether the financial institution collects debts for third parties.
  2. Determine whether the financial institution has policies and procedures to ensure that the third parties are notified if the financial institution obtains any information that may indicate the debt in question is the result of fraud or identity theft.
  3. Determine if the institution has effective policies and procedures to provide information to consumers to whom the fraudulent debts relate.
  4. If procedural weaknesses are noted or other risks requiring further investigation are noted, review a sample of instances where consumers have alleged identity theft and requested information related to transactions to ensure that all of the appropriate information was provided to the consumer.
Section 615(h) Risk-Based Pricing Notice
Section 615(h) of the FCRA requires users of consumer reports who grant credit on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers who get credit from or through that person to provide a notice to those consumers who did not receive the most favorable terms. Implementing regulations for this section are under development jointly by the Federal Reserve Board and the Federal Trade Commission. Financial institutions do not have to provide this notice until final regulations are implemented and effective. This section of the examination procedures will be written upon publication of final rules.

Module 4: Financial Institutions as Furnishers of Information
Overview
The Fair Credit Reporting Act (FCRA) contains many responsibilities for financial institutions that furnish information to consumer reporting agencies. These requirements generally involve ensuring the accuracy of the data that is placed in the consumer reporting system. This examination module includes reviews of the various areas associated with furnishers of information. This module will not apply to financial institutions that do not furnish any information to consumer reporting agencies.

Section 623 Furnishers of Information - General
This subsection of the examination procedures will be amended upon completion of inter-agency guidance for institutions regarding the accuracy and integrity of information furnished to consumer reporting agencies. This guidance is required by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). An interagency working group will develop and publish guidance for comment, and will finalize this guidance at a later date. The agencies will also write, at a later date, rules regarding when furnishers must handle direct disputes from consumers.

In the interim period, institutions that furnish information to consumer reporting agencies must comply with the existing requirements in the FCRA. These requirements generally require accurate reporting and prompt investigation and resolution of accuracy disputes. The examination procedures within this sub-section are based largely on the procedures last approved by the FFIEC Task Force on Consumer Compliance in March 2000, but have been revised to include new requirements under the 2003 amendments to the FCRA that do not require implementing regulations. Upon completion of the inter-agency guidance for the accuracy and integrity of information furnished to consumer reporting agencies, this subsection will be significantly revised.

Duties of furnishers to provide accurate information. Section 623(a) states that a person, including a financial institution, may, but need not, specify an address for receipt of notices from consumers concerning inaccurate information. If the financial institution specifies such an address, then it may not furnish information relating to a consumer to any consumer reporting agency, if (a) the financial institution has been notified by the consumer, at the specified address, that the information is inaccurate, and (b) the information is in fact inaccurate. If the financial institution does not specify an address, then it may not furnish any information relating to a consumer to any consumer reporting agency if the financial institution knows or has reasonable cause to believe that the information is inaccurate.

When a financial institution that (regularly and in the ordinary course of business) furnishes information to one or more consumer reporting agencies about its transactions or experiences with any consumer determines that any such information is not complete or accurate, the financial institution must promptly notify the consumer reporting agency of that determination. Corrections to that information or any additional information necessary to make the information complete and accurate must be provided to the consumer reporting agency. Further, any information that remains incomplete or inaccurate must not thereafter be furnished to the consumer reporting agency.

If the completeness or accuracy of any information furnished by a financial institution to a consumer reporting agency is disputed by a consumer, that financial institution may not furnish the information to any consumer reporting agency without notice that the information is disputed by the consumer.

Voluntary closures of accounts. Section 623(a)(4) requires that any person, including a financial institution, that (regularly and in the ordinary course of business) furnishes information to a consumer reporting agency regarding a consumer who has a credit account with that financial institution, must notify the consumer reporting agency of the voluntary closure of the account by the consumer in information regularly furnished for the period in which the account is closed.

Notice involving delinquent accounts. Section 623(a)(5) requires that a person, including a financial institution, that furnishes information to a consumer reporting agency about a delinquent account being placed for collection, charged off, or subjected to any similar action, must, not later than 90 days after furnishing the information to the consumer reporting agency, notify the consumer reporting agency of the month and year of the commencement of the delinquency that immediately preceded the action.

Duties upon notice of dispute. Section 623(b) requires that whenever a financial institution receives a notice of dispute from a consumer reporting agency, pursuant to section 611 (Procedure in Case of Disputed Accuracy), regarding the accuracy or completeness of any information the financial institution provided to that consumer reporting agency, the financial institution must:

  1. Conduct an investigation regarding the disputed information;
  2. Review all relevant information provided by the consumer reporting agency along with the notice;
  3. Report the results of the investigation to the consumer reporting agency;
  4. If the disputed information is found to be incomplete or inaccurate, report those results to all nationwide consumer reporting agencies to which the financial institution previously provided the information; and
  5. If the disputed information is incomplete, inaccurate, or not verifiable by the financial institution, the financial institution must promptly, for purposes of reporting to the consumer reporting agency:
    1. Modify the item of information,
    2. Delete the item of information, or
    3. Permanently block the reporting of that item of information.
The investigations, reviews and reports required to be made must be completed within 30 days. The time period may be extended for 15 days if a consumer reporting agency receives additional relevant information from the consumer.

Examination Procedures
  1. Determine whether the institution provides information to consumer reporting agencies.
  2. Review the institution’s policies and procedures to ensure compliance with the FCRA requirements for furnishing information to consumer reporting agencies.
  3. If procedural weaknesses are noted or other risks requiring further investigation are noted, such as a high number of consumer complaints regarding the accuracy of their consumer report information from the financial institution, select a sample of reported items and the corresponding loan or collection file to determine that the financial institution:
    1. Did not report information that it knew, or had reasonable cause to believe, was inaccurate. Section 623(a)(1)(A) [15 U.S.C. §1681s-2(a)(1)(A)];
    2. Did not report information to a consumer reporting agency if it was notified by the consumer that the information was inaccurate and the information was, in fact, inaccurate. Section 623(a)(1)(B) [15 U.S.C. §1681s-2(a)(1)(B)];
    3. Did provide the consumer reporting agency with corrections or additional information to make the information complete and accurate, and thereafter did not send the consumer reporting agency the inaccurate or incomplete information in situations where incomplete or inaccurate information had been provided. Section 623(a)(2) [15 U.S.C. §1681s-2(a)(2)];
    4. Furnished a notice of dispute to a consumer reporting agency in situations where a consumer disputed the completeness or accuracy of any information the institution furnished, and the institution continued furnishing the information to a consumer reporting agency. Section 623(a)(3) [15 U.S.C. §1681s-2(a)(3)];
    5. Notified the consumer reporting agency of a voluntary account closing by the consumer, and did so as part of the information regularly furnished for the period in which the account was closed. Section 623(a)(4) [15 U.S.C. §1681s-2(a)(4)]; and
    6. Notified the consumer reporting agency of the month and year of commencement of the delinquency that immediately preceded the action. The notification to the consumer reporting agency must be made within 90 days of furnishing information about a delinquent account that was being placed for collection, charged off, or subjected to any similar action. Section 623(a)(5) [15 U.S.C. §1681s-2(a)(5)].
  4. If weaknesses within the financial institution’s procedures for investigating errors are revealed, review a sample of notices of disputes received from a consumer reporting agency and determine whether the institution:
    1. Conducted an investigation with respect to the disputed information. Section 623(b)(1)(A) [15 U.S.C. §1681s-2(b)(1)(A)];
    2. Reviewed all relevant information provided by the consumer reporting agency. Section 623(b)(1)(B) [15 U.S.C. §1681s-2(b)(1)(B)];
    3. Reported the results of the investigation to the consumer reporting agency. Section 623(b)(1)(C) [15 U.S.C. §1681s-2(b)(1)(C)];
    4. Reported the results of the investigation to all other nationwide consumer reporting agencies to which the information was furnished, if the investigation found that the reported information was inaccurate or incomplete. Section 623(b)(1)(D) [15 U.S.C. §1681s-2(b)(1)(D)]; and
    5. Modified, deleted, or blocked the reporting of information that could not be verified.
Section 623(a)(6) Prevention of Re-Pollution of Consumer Reports
Section 623(a)(6) has specific requirements for furnishers of information, including financial institutions, to a consumer reporting agency that receive notice from a consumer reporting agency that furnished information may be fraudulent as a result of identity theft. Section 605B requires consumer reporting agencies to notify furnishers of information, including financial institutions, that the information may be the result of identity theft, an identity theft report has been filed, and that a block has been requested. Upon receiving such notice, section 623(a)(6) requires financial institutions to establish and follow reasonable procedures to ensure that this information is not re-reported to the consumer reporting agency, thus "re-polluting" the victim’s consumer report.

Examination Procedures
  1. If the financial institution provides information to a consumer reporting agency, review the institution’s policies and procedures to ensure that items of information blocked due to an alleged identity theft are not re-reported to the consumer reporting agency.
  2. If weaknesses are noted within the financial institution’s policies and procedures, review a sample of notices from a consumer reporting agency of allegedly fraudulent information due to identity theft furnished by the financial institution to ensure that the institution does not re-report the item to a consumer reporting agency.
  3. If procedural weaknesses are noted or other risks requiring further investigation are noted, verify that the financial institution has not sold or transferred a debt that was caused by an alleged identity theft.
NOTE: Section 615(f) of the FCRA also prohibits a financial institution from selling or transferring debt caused by an alleged identity theft.

Section 623(a)(7) Negative Information Notice. Section 623(a)(7) requires financial institutions to provide consumers with a notice either before negative information is provided to a nationwide consumer reporting agency, or within 30 days after reporting the negative information.

Negative information. For these purposes, negative information means any information concerning a customer’s delinquencies, late payments, insolvency, or any form of default.

Nationwide consumer reporting agency. Section 603(p) defines a nationwide consumer reporting agency as one that compiles and maintains files on consumers on a nationwide basis and regularly engages in the practice of assembling or evaluating, and maintaining, the following two types of information about consumers residing nationwide for the purpose of furnishing consumer reports to third parties bearing on a consumer’s creditworthiness, credit standing, or credit capacity:

  1. Public Record Information.
  2. Credit account information from persons who furnish that information regularly and in the ordinary course of business.
Institutions may provide this disclosure on or with any notice of default, any billing statement, or any other materials provided to the customer, as long as the notice is clear and conspicuous. Institutions may also choose to provide this notice to all customers out of an abundance of caution. However, this notice may not be included in the initial disclosures provided under section 127(a) of the Truth in Lending Act.

Model text. As required by the FCRA, the Federal Reserve Board developed the following model text that institutions can use to comply with these requirements. The first model contains text to be used when institutions choose to provide a notice before furnishing negative information. The second model form contains text to be used when institutions provide notice within 30 days after reporting negative information:

  1. Notice prior to communicating negative information (Model B-1):

    "We may report information about your account to credit bureaus. Late payments, missed payments, or other defaults on your account may be reflected in your credit report."
  2. Notice within 30 days after communicating negative information (Model B-2):

    "We have told a credit bureau about a late payment, missed payment or other default on your account. This information may be reflected in your credit report."
Use of the model form(s) is not required; however, proper use of the model forms provides financial institutions with a safe harbor from liability. Financial institutions may make certain changes to the language or format of the model notices without losing the safe harbor from liability provided by the model notices. The changes to the model notices may not be so extensive as to affect the substance, clarity, or meaningful sequence of the language in the model notices. Financial institutions making such extensive revisions will lose the safe harbor from liability that the model notices provide. Acceptable changes include, for example,

  1. Rearranging the order of the references to "late payment(s)," or "missed payment(s);"
  2. Pluralizing the terms "credit bureau," "credit report," and "account;"
  3. Specifying the particular type of account on which information may be furnished, such as "credit card account;" or
  4. Rearranging in Model Notice B-1 the phrases "information about your account" and "to credit bureaus" such that it would read "We may report to credit bureaus information about your account."
Examination Procedures
  1. If the financial institution provides negative information to a nationwide consumer reporting agency, verify that the institution’s policies and procedures ensure that the appropriate notices are provided to customers.
  2. If procedural weaknesses are noted or other risks requiring further investigation are noted, review a sample of notices provided to consumers to determine compliance with the technical content and timing requirements.
Module 5: Consumer Alerts and Identity Theft Protections
Overview
The Fair Credit Reporting Act (FCRA) contains several provisions, for both consumer reporting agencies and users of consumer reports (including financial institutions), that are designed to help combat identity theft. This module applies to financial institutions that are not consumer reporting agencies but are users of consumer reports.

Two primary requirements exist: first, a user of a consumer report that contains a fraud or active duty alert must take steps to verify the identity of an individual to whom the consumer report relates, and second, a financial institution must disclose certain information when consumers allege that they are the victims of identity theft.

Section 605A(h) Fraud and Active Duty Alerts
Initial fraud and active duty alerts. Consumers who suspect that they may be the victims of fraud including identity theft may request nationwide consumer reporting agencies to place initial fraud alerts in their consumer reports. These alerts must remain in a consumer’s report for no less than 90 days. In addition, members of the armed services who are called to active duty may also request that active duty alerts be placed in their consumer reports. Active duty alerts must remain in these service members’ files for no less than 12 months.

Section 605A(h)(1)(B) requires users of consumer reports, including financial institutions, to verify a consumer’s identity if a consumer report includes a fraud or active duty alert. Unless the financial institution uses reasonable policies and procedures to form a reasonable belief that they know the identity of the person making the request, the financial institution may not:

  1. Establish a new credit plan or extension of credit (other than under an open-end credit plan) in the name of the consumer;
  2. Issue an additional card on an existing account; or
  3. Increase a credit limit.
Extended Alerts. Consumers who allege that they are the victim of an identity theft may also place an extended alert, which lasts seven years, on their consumer report. Extended alerts require consumers to submit identity theft reports and appropriate proof of identity to the nationwide consumer reporting agencies.

Section 605A(h)(2)(B) requires a financial institution that obtains a consumer report that contains an extended alert to contact the consumer in person or by the method listed by the consumer in the alert prior to performing any of the three actions listed above.

Examination Procedures
  1. Determine whether the financial institution has effective policies and procedures in place to verify the identity of consumers in situations where consumer reports include fraud and/or active duty military alerts.
  2. Determine if the financial institution has effective policies and procedures in place to contact consumers in situations where consumer reports include extended alerts.
  3. If procedural weaknesses are noted or other risks requiring further investigation are noted, review a sample of transactions in which consumer reports including these types of alerts were obtained. Verify that the financial institution complied with the identity verification and/or consumer contact requirements.
Section 609(e) Information Available to Victims
Section 609(e) requires financial institutions to provide records of fraudulent transactions to victims of identity theft within 30 days after the receipt of a request for the records. These records include the application and business transaction records under the control of the financial institution whether maintained by the financial institution or another person on behalf of the institution (such as a service provider). This information should be provided to:

  1. The victim;
  2. Any federal, state, or local government law enforcement agency or officer specified by the victim in the request; or
  3. Any law enforcement agency investigating the identity theft that was authorized by the victim to take receipt of these records.
The request for the records must be made by the victim in writing and be sent to the financial institution to the address specified by the financial institution for this purpose. The financial institution may ask the victim to provide information, if known, regarding the date of the transaction or application, and any other identifying information such as an account or transaction number.

Before disclosing any information to the victim, the financial institution must take prudent steps to positively identify the person requesting the information, unless the financial institution, at its discretion, otherwise has a high degree of confidence that it knows the identity of the victim making the request. Proof of identity can include:

  1. A government-issued identification card;
  2. Personally identifying information of the same type that was provided to the financial institution by the unauthorized person; or
  3. Personally identifiable information that the financial institution typically requests from new applicants or for new transactions.
At the election of the financial institution, the victim must also provide the financial institution with proof of an identity theft complaint, which may consist of a copy of a police report evidencing the claim of identity theft and a properly completed affidavit. The affidavit can be either the standardized affidavit form prepared by the Federal Trade Commission (published in April 2005 in 70 Federal Register 21792), or an "affidavit of fact" that is acceptable to the financial institution for this purpose.

When these conditions are met, the financial institution must provide the information at no charge to the victim. However, the financial institution is not required to provide any information if, acting in good faith, the financial institution determines that:

  1. Section 609(e) does not require disclosure of the information;
  2. The financial institution does not have a high degree of confidence in knowing the true identity of the requestor, based on the identification and/or proof provided;
  3. The request for information is based on a misrepresentation of fact by the requestor; or
  4. The information requested is Internet navigational data or similar information about a person’s visit to a web site or online service.
Examination Procedures
  1. Review financial institution policies, procedures, and/or practices to ensure that identities and claims of fraudulent transactions are verified and that information is properly disclosed to victims of identity theft and/or appropriately authorized law enforcement agents.
  2. If procedural weaknesses are noted or other risks requiring further investigation are noted, review a sample of these types of requests to ensure that the financial institution properly verified the requestor’s identity prior to disclosing the information.
References
Other resources for FCRA may be found at:

FIL 61-2001: Guidance on the Permissible Use of Consumer Reports in Certain Business Related Extensions of Credit
http://www.fdic.gov/news/news/financial/2001/fil0161.html

FIL 18-2006: Interagency Fair Credit Reporting Act Revised Examination Procedures
http://www.fdic.gov/news/news/inactivefinancial/2006/fil06018.html

Electronic version of FFIEC FCRA Examination Procedures
http://fdic01/division/dsc/compliance.html

Statute: Fair Credit Reporting Act
http://www.fdic.gov/regulations/laws/rules/6500-1100.html#6500601

Job Aids
Statutory and Regulatory Matrix
The following table contains the statutory or regulatory cites for each provision of the FCRA covered by these examination procedures that applies to financial institutions that are not consumer reporting agencies.16 Some of the requirements are self-executing under the statute; others are contained in interagency regulations; and still others are contained in regulations published by only one or two of the regulatory agencies. Requirements whose implementing regulations are not yet finalized are listed as to-be-determined (TBD) in the table below. The regulatory agencies are listed in the first row, and the compliance responsibilities are presented in the first column in the order in which they appear in the examination modules. Financial institutions are subject to the cites in the column for their primary federal regulator.

| Compliance Responsibility | Federal Reserve Board | FDIC | OCC | OTS | NCUA |
|---|---|---|---|---|---|
| Module 1 | | | | | |
| Obtaining Consumer Reports | §604 and §606 of the FCRA | §604 and §606 of the FCRA | §604 and §606 of the FCRA | §604 and §606 of the FCRA | §604 and §606 of the FCRA |
| Module 2 | | | | | |
| Information Sharing & Affiliate Sharing Opt Out | §603(d) of the FCRA | §603(d) of the FCRA | §603(d) of the FCRA | §603(d) of the FCRA | §603(d) of the FCRA |
| Protection of Medical Information | §222 of FRB Regulation V | §334 of FDIC Regulations | §41 of OCC Regulations | §571 of OTS Regulations | §717 of NCUA Regulations |
| Affiliate Marketing Opt Out | TBD | TBD | TBD | TBD | TBD |
| Module 3 | | | | | |
| Employment Disclosures | §604(b)(2) of the FCRA | §604(b)(2) of the FCRA | §604(b)(2) of the FCRA | §604(b)(2) of the FCRA | §604(b)(2) of the FCRA |
| Prescreened Consumer Reports | §604(c) & §615(d) of the FCRA and FTC Regulations Parts 642 and 698 | §604(c) & §615(d) of the FCRA and FTC Regulations Parts 642 and 698 | §604(c) & §615(d) of the FCRA and FTC Regulations Parts 642 and 698 | §604(c) & §615(d) of the FCRA and FTC Regulations Parts 642 and 698 | §604(c) & §615(d) of the FCRA and FTC Regulations Parts 642 and 698 |
| Truncation of Credit and Debit Card Account Numbers | §605(g) of the FCRA | §605(g) of the FCRA | §605(g) of the FCRA | §605(g) of the FCRA | §605(g) of the FCRA |
| Credit Score Disclosures | §609(g) of the FCRA | §609(g) of the FCRA | §609(g) of the FCRA | §609(g) of the FCRA | §609(g) of the FCRA |
| Adverse Action Disclosures | §615 of the FCRA | §615 of the FCRA | §615 of the FCRA | §615 of the FCRA | §615 of the FCRA |
| Debt Collector Communications | §615(g) of the FCRA | §615(g) of the FCRA | §615(g) of the FCRA | §615(g) of the FCRA | §615(g) of the FCRA |
| Risk-Based Pricing Notice | TBD | TBD | TBD | TBD | TBD |
| Module 4 | | | | | |
| Furnishers of Information – General | §623 of the FCRA | §623 of the FCRA | §623 of the FCRA | §623 of the FCRA | §623 of the FCRA |
| Prevention of Re-Pollution of Reports | §623(a)(6) of the FCRA | §623(a)(6) of the FCRA | §623(a)(6) of the FCRA | §623(a)(6) of the FCRA | §623(a)(6) of the FCRA |
| Negative Information Notice | §623(a)(7) of the FCRA and Appendix B of §222 of FRB Regulation V | §623(a)(7) of the FCRA and Appendix B of §222 of FRB Regulation V | §623(a)(7) of the FCRA and Appendix B of §222 of FRB Regulation V | §623(a)(7) of the FCRA and Appendix B of §222 of FRB Regulation V | §623(a)(7) of the FCRA and Appendix B of §222 of FRB Regulation V |
| Module 5 | | | | | |
| Fraud & Active Duty Alerts | §605A(h)(2)(B) of the FCRA | §605A(h)(2)(B) of the FCRA | §605A(h)(2)(B) of the FCRA | §605A(h)(2)(B) of the FCRA | §605A(h)(2)(B) of the FCRA |
| Information Available to Victims | §609(e) of the FCRA | §609(e) of the FCRA | §609(e) of the FCRA | §609(e) of the FCRA | §609(e) of the FCRA |



Footnotes:

1 This section fully incorporates the examination procedures issued under DCA RD Memo 01-002: Interagency Examination Procedures for Reviewing Compliance with Part 332-Privacy of Consumer Financial Information.

2 These regulators are the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision.

3 Certain functionally-regulated subsidiaries, such as brokers, dealers, and investment advisers will be subject to privacy regulations issued by the Securities and Exchange Commission. Insurance entities may be subject to privacy regulations issued by their respective state insurance authorities.

4 This section fully incorporates the examination procedures issued under DCA RD Memo 01-010: Examination Procedures for Children's Online Privacy Protection Act.

5 This section fully incorporates the examination procedures issued under DSC RD Memo 05-047: Procedures for Examination Compliance with Controlling the Assault of Non-Solicited Pornography and Marketing Act and Telephone Consumer Protection Act.

6 15 USC 7701 - 7713

7 Final rules establishing the criteria for determining when the primary purpose of an e-mail message is commercial were published in the Federal Register on January 19, 2005 (70 FR 3110). Final rules governing the labeling of commercial e-mail containing sexually oriented material were published in the Federal Register on April 19, 2004 (69 FR 21024).

8 This section fully incorporates the examination procedures issued under DSC RD Memo 05-047: Procedures for Examination Compliance with Controlling the Assault of Non-Solicited Pornography and Marketing Act and Telephone Consumer Protection Act.

9 47 USC 227; The Federal Communications Commission final regulations were published in the Federal Register on July 25, 2003 (68 FR 44144).

10 The Federal Trade Commission (FTC) maintains the registry adopted by the FCC.

11 The Federal Trade Commission final regulations were published in the Federal Register on January 29, 2003 (68 FR 4580).

12 By doing so, the FCC asserts its considerably broader jurisdiction over telemarketing than the FTC. Specifically, telemarketing by in-house employees of banks, savings associations, and credit unions, as well as in other areas of commerce, is covered by the FCC's authority.

13 The rule sets forth the technical information that must be made available (subject to differing technologies). The FCC stated that Caller ID information should also increase accountability and provide an important resource for the FCC and FTC in pursuing enforcement actions against TCPA violators. (68 FR 44166, July 25, 2003)

14 This section fully incorporates the examination procedures issued under DSC RD Memo 06-005: Revised Interagency Examination Procedures for the Fair Credit Reporting Act and DSC RD Memo 06-011: Fair Credit Reporting Act-Medical Information Regulation Examination Procedures.

15 Use of consumer reports for employment purposes requires specific advance authorization, disclosure, and adverse action notices. These issues are covered in Module 3 of the examination procedures.

16 Other FCRA provisions applicable to non-consumer reporting agency banks, thrifts, and credit unions are covered in other examinations, such as risk management, information technology, etc. and are thus not part of these procedures. These provisions include Sections 605 (Reconciling Addresses); 615 (Red Flag Guidelines); and 628 (Disposal Rules).



Last Updated 03/15/2007 consumeralerts@fdic.gov
