Compliance
Examination Handbook
VIII. Privacy and Consumer Information
Gramm-Leach-Bliley Act
(Privacy of Consumer Financial Information)
Introduction
On November 12, 1999, President Clinton signed into law the
Gramm-Leach-Bliley Act (the Act or GLBA). Title V, Subtitle
A of the Act governs the treatment of nonpublic personal
information about consumers by financial institutions. Section
502 of the Subtitle, subject to certain exceptions, prohibits
a financial institution from disclosing nonpublic personal
information about a consumer to nonaffiliated third parties,
unless the institution satisfies various notice and opt-out
requirements, and provided that the consumer has not elected
to opt out of the disclosure. Section 503 requires the institution
to provide notice of its privacy policies and practices to its
customers. Section 504 authorizes the issuance of regulations
to implement these provisions.
Accordingly, on June 1, 2000, the four federal bank and
thrift regulators published substantively identical regulations
implementing provisions of the Act governing the privacy
of consumer financial information. The regulations establish
rules governing duties of a financial institution to provide
particular notices and limitations on its disclosure of nonpublic
personal information, as summarized below. A more complete
discussion appears later in this chapter.
- A financial institution must provide a notice of its
privacy policies, and allow the consumer to opt out of
the disclosure of the consumer's nonpublic personal
information, to a nonaffiliated third party if the disclosure
is outside of the exceptions in sections 13, 14 or 15 of the
regulations.
- Regardless of whether a financial institution shares
nonpublic personal information, the institution must
provide notices of its privacy policies to its customers.
- A financial institution generally may not disclose customer
account numbers to any nonaffiliated third party for
marketing purposes.
- A financial institution must follow reuse and redisclosure
limitations on any nonpublic personal information it
receives from a nonaffiliated financial institution.
The privacy regulations became effective on November 13,
2000. Compliance was required as of July 1, 2001.
Definitions and Key Concepts
In discussing the duties and limitations imposed by the
regulations, a number of key concepts are used. These
concepts include "financial institution"; "nonpublic personal
information"; "nonaffiliated third party"; the "opt out"
right and the exceptions to that right; and "consumer" and
"customer." Each concept is briefly discussed below. A more
complete explanation of each appears in the regulations.
"Financial institution" is any institution the business of
which is engaging in activities that are financial in nature or
incidental to such financial activities, as determined by section
4(k) of the Bank Holding Company Act of 1956. Financial
institutions can include banks, securities brokers and dealers,
insurance underwriters and agents, finance companies,
mortgage bankers, and travel agents.
"Nonpublic personal information" generally is any
information that is not publicly available and that:
- a consumer provides to a financial institution to obtain a
financial product or service from the institution;
- results from a transaction between the consumer and the
institution involving a financial product or service; or
- a financial institution otherwise obtains about a consumer
in connection with providing a financial product or service.
Information is publicly available if an institution has a
reasonable basis to believe that the information is lawfully
made available to the general public from government records,
widely distributed media, or legally required disclosures to the
general public. Examples include information in a telephone
book or a publicly recorded document, such as a mortgage or
securities filing.
Nonpublic personal information may include individual items
of information as well as lists of information. For example,
nonpublic personal information may include names, addresses,
phone numbers, social security numbers, income, credit score,
and information obtained through Internet collection devices
(i.e., cookies).
There are special rules regarding lists. Publicly available
information would be treated as nonpublic if it were included
on a list of consumers derived from nonpublic personal
information. For example, a list of the names and addresses of
a financial institution's depositors would be nonpublic personal
information even though the names and addresses might be
published in local telephone directories because the list is
derived from the fact that a person has a deposit account with
an institution, which is not publicly available information.
However, if the financial institution has a reasonable basis
to believe that certain customer relationships are a matter of
public record, then any list of these relationships would be
considered publicly available information. For instance, a list
of mortgage customers where the mortgages are recorded
in public records would be considered publicly available
information. The institution could provide a list of such
customers, and include on that list any other publicly available
information it has about the customers on that list without
having to provide notice or opt out.
"Nonaffiliated third party" is any person except a financial
institution’s affiliate or a person employed jointly by a financial
institution and a company that is not the institution’s affiliate.
An "affiliate" of a financial institution is any company that
controls, is controlled by, or is under common control with the
financial institution.
"Opt Out" Right and Exceptions
The Right — Consumers must be given the right to "opt out"
of, or prevent, a financial institution from disclosing nonpublic
personal information about them to a nonaffiliated third party,
unless an exception to that right applies. The exceptions are
detailed in sections 13, 14, and 15 of the regulations and
described below.
As part of the opt out right, consumers must be given a
reasonable opportunity and a reasonable means to opt
out. What constitutes a reasonable opportunity to opt out
depends on the circumstances surrounding the consumer’s
transaction, but a consumer must be provided a reasonable
amount of time to exercise the opt out right. For example, it
would be reasonable if the financial institution allows 30 days
from the date of mailing a notice or 30 days after customer
acknowledgement of an electronic notice for an opt out
direction to be returned. What constitutes a reasonable means
to opt out may include check-off boxes, a reply form, or a toll-free
telephone number, again depending on the circumstances
surrounding the consumer’s transaction. It is not reasonable to
require a consumer to write his or her own letter as the only
means to opt out.
The Exceptions — Exceptions to the opt out right are detailed
in sections 13, 14, and 15 of the regulations. Financial
institutions need not comply with opt-out requirements if they
limit disclosure of nonpublic personal information:
- To a nonaffiliated third party to perform services for the
financial institution or to function on its behalf, including
marketing the institution's own products or services or
those offered jointly by the institution and another financial
institution. The exception is permitted only if the financial
institution provides notice of these arrangements and by
contract prohibits the third party from disclosing or using
the information for other than the specified purposes. In
a contract for a joint marketing agreement, the contract
must provide that the parties to the agreement are jointly
offering, sponsoring, or endorsing a financial product or
service. However, if the service or function is covered
by the exceptions in section 14 or 15 (discussed below),
the financial institution does not have to comply with the
additional disclosure and confidentiality requirements of
section 13. Disclosure under this exception could include
the outsourcing of marketing to an advertising company.
(Section 13)
- As necessary to effect, administer, or enforce a transaction
that a consumer requests or authorizes, or under certain
other circumstances relating to existing relationships
with customers. Disclosures under this exception could
be in connection with the audit of credit information,
administration of a rewards program, or to provide an
account statement. (Section 14)
- For specified other disclosures that a financial institution
normally makes, such as to protect against or prevent actual
or potential fraud; to the financial institution's attorneys,
accountants, and auditors; or to comply with applicable
legal requirements, such as the disclosure of information to
regulators. (Section 15)
"Consumer" and "Customer." The distinction between
consumers and customers is significant because financial
institutions have additional disclosure duties with respect to
customers. All customers covered under the regulation are
consumers, but not all consumers are customers.
A "consumer" is an individual, or that individual’s legal
representative, who obtains or has obtained a financial product
or service from a financial institution that is to be used
primarily for personal, family, or household purposes.
A "financial service" includes, among other things, a
financial institution’s evaluation or brokerage of information
that the institution collects in connection with a request or an
application from a consumer for a financial product or service.
For example, a financial service includes a lender’s evaluation
of an application for a consumer loan or for opening a deposit
account even if the application is ultimately rejected or
withdrawn.
Consumers who are not customers are entitled to an initial
privacy and opt out notice only if the financial institution
wants to share their nonpublic personal information with
nonaffiliated third parties outside of the exceptions.
A "customer" is a consumer who has a "customer
relationship" with a financial institution. A "customer
relationship" is a continuing relationship between a consumer
and a financial institution under which the institution provides
one or more financial products or services to the consumer
that are to be used primarily for personal, family, or household
purposes.
- For example, a customer relationship may be established
when a consumer engages in one of the following activities
with a financial institution:
- maintains a deposit or investment account;
- obtains a loan;
- enters into a lease of personal property; or
- obtains financial, investment, or economic advisory
services for a fee.
Customers are entitled to initial and annual privacy notices
regardless of the information disclosure practices of their
financial institution.
There is a special rule for loans. When a financial
institution sells the servicing rights to a loan to another
financial institution, the customer relationship transfers
with the servicing rights. However, any information on the
borrower retained by the institution that sells the servicing
rights must be accorded the protections due any consumer.
- Note that isolated transactions alone will not cause a
consumer to be treated as a customer. For example, if
an individual purchases a bank check from a financial
institution where the person has no account, the individual
will be a consumer but not a customer of that institution
because he or she has not established a customer
relationship. Likewise, if an individual uses the ATM of a
financial institution where the individual has no account,
even repeatedly, the individual will be a consumer, but not
a customer of that institution.
Financial Institution Duties
The regulations establish specific duties and limitations
for a financial institution based on its activities. Financial
institutions that intend to disclose nonpublic personal
information outside the exceptions will have to provide opt
out rights to their customers and to consumers who are not
customers. All financial institutions have an obligation to
provide an initial and annual notice of their privacy policies
to their customers. All financial institutions must abide by
the regulatory limits on the disclosure of account numbers to
nonaffiliated third parties and on the redisclosure and reuse of
nonpublic personal information received from nonaffiliated
financial institutions.
A brief summary of financial institution duties and limitations
appears below. A more complete explanation of each appears
in the regulations.
Notice and Opt Out Duties to Consumers
If a financial institution intends to disclose nonpublic personal
information about any of its consumers (whether or not they
are customers) to a nonaffiliated third party, and an exception
does not apply, then the financial institution must provide to
the consumer:
- an initial notice of its privacy policies;
- an opt out notice (including, among other things, a
reasonable means to opt out); and
- a reasonable opportunity, before the financial institution
discloses the information to the nonaffiliated third party, to
opt out.
The financial institution may not disclose any nonpublic
personal information to nonaffiliated third parties except under
the enumerated exceptions unless these notices have been
provided and the consumer has not opted out. Additionally, the
institution must provide a revised notice before the financial
institution begins to share a new category of nonpublic
personal information or shares information with a new
category of nonaffiliated third party in a manner that was not
described in the previous notice.
Note that a financial institution need not comply with the
initial and opt-out notice requirements for consumers who are
not customers if the institution limits disclosure of nonpublic
personal information to the exceptions.
Notice Duties to Customers
In addition to the duties described above, there are several
duties unique to customers. In particular, regardless of whether
the institution discloses or intends to disclose nonpublic
personal information, a financial institution must provide
notice to its customers of its privacy policies and practices at
various times.
- A financial institution must provide an initial notice of its
privacy policies and practices to each customer, not later
than the time a customer relationship is established. Section
4(e) of the regulations describes the exceptional cases in
which delivery of the notice is allowed subsequent to the
establishment of the customer relationship.
- A financial institution must provide an annual notice at
least once in any period of 12 consecutive months during
the continuation of the customer relationship.
- Generally, new privacy notices are not required for each
new product or service. However, a financial institution
must provide a new notice to an existing customer when the
customer obtains a new financial product or service from
the institution, if the initial or annual notice most recently
provided to the customer was not accurate with respect to
the new financial product or service.
- When a financial institution does not disclose nonpublic
personal information (other than as permitted under section
14 and section 15 exceptions) and does not reserve the
right to do so, the institution has the option of providing a
simplified notice.
Requirements for Notices
Clear and Conspicuous. Privacy notices must be clear and
conspicuous, meaning they must be reasonably understandable
and designed to call attention to the nature and significance
of the information contained in the notice. The regulations
do not prescribe specific methods for making a notice clear
and conspicuous, but do provide examples of ways in which
to achieve the standard, such as the use of short explanatory
sentences or bullet lists, and the use of plain-language
headings and easily readable typeface and type size. Privacy
notices also must accurately reflect the institution’s privacy
practices.
Delivery Rules. Privacy notices must be provided so that each
recipient can reasonably be expected to receive actual notice
in writing, or if the consumer agrees, electronically. To meet
this standard, a financial institution could, for example, (1)
hand-deliver a printed copy of the notice to its consumers, (2)
mail a printed copy of the notice to a consumer’s last known
address, or (3) for the consumer who conducts transactions
electronically, post the notice on the institution’s web site and
require the consumer to acknowledge receipt of the notice as a
necessary step to completing the transaction.
For customers only, a financial institution must provide
the initial notice (as well as the annual notice and any
revised notice) so that a customer may be able to retain or
subsequently access the notice. A written notice satisfies this
requirement. For customers who obtain financial products or
services electronically, and agree to receive their notices on the
institution’s web site, the institution may provide the current
version of its privacy notice on its web site.
Notice Content. A privacy notice must contain specific
disclosures. However, a financial institution may provide to
consumers who are not customers a "short form" initial notice
together with an opt out notice stating that the institution’s
privacy notice is available upon request and explaining
a reasonable means for the consumer to obtain it. The
following is a list of disclosures regarding nonpublic personal
information that institutions must provide in their privacy
notices, as applicable:
- categories of information collected;
- categories of information disclosed;
- categories of affiliates and nonaffiliated third parties to
whom the institution may disclose information;
- policies with respect to the treatment of former customers’
information;
- information disclosed to service providers and joint
marketers (Section 13);
- an explanation of the opt out right and methods for opting
out;
- any opt out notices the institution must provide under
the Fair Credit Reporting Act with respect to affiliate
information sharing;
- policies for protecting the security and confidentiality of
information; and
- a statement that the institution makes disclosures to other
nonaffiliated third parties as permitted by law (Sections 14
and 15).
Limitations on Disclosure of Account Numbers
A financial institution must not disclose an account number
or similar form of access number or access code for a credit
card, deposit, or transaction account to any nonaffiliated
third party (other than a consumer reporting agency) for use
in telemarketing, direct mail marketing, or other marketing
through electronic mail to the consumer.
The disclosure of encrypted account numbers without an
accompanying means of decryption, however, is not subject
to this prohibition. The regulation also expressly allows
disclosures by a financial institution to its agent to market
the institution’s own products or services (although the
financial institution must not authorize the agent to directly
initiate charges to the customer’s account). Also not barred
are disclosures to participants in private-label or affinity card
programs, where the participants are identified to the customer
when the customer enters the program.
Redisclosure and Reuse Limitations on Nonpublic Personal
Information Received
If a financial institution receives nonpublic personal
information from a nonaffiliated financial institution, its
disclosure and use of the information is limited.
- For nonpublic personal information received under a
Section 14 or 15 exception, the financial institution is
limited to:
- Disclosing the information to the affiliates of the
financial institution from which it received the
information;
- Disclosing the information to its own affiliates, who
may, in turn, disclose and use the information only to
the extent that the financial institution can do so; and
- Disclosing and using the information pursuant to a
section 14 or 15 exception (for example, an institution
receiving information for account processing could
disclose the information to its auditors).
- For nonpublic personal information received other than
under a section 14 or 15 exception, the recipient's use
of the information is unlimited, but its disclosure of the
information is limited to:
- Disclosing the information to the affiliates of the
financial institution from which it received the
information;
- Disclosing the information to its own affiliates, who
may, in turn, disclose the information only to the extent
that the financial institution can do so; and
- Disclosing the information to any other person, if
the disclosure would be lawful if made directly to
that person by the financial institution from which it
received the information. For example, an institution
that received a customer list from another financial
institution could disclose the list (1) in accordance
with the privacy policy of the financial institution that
provided the list, (2) subject to any opt out election
or revocation by the consumers on the list, and (3) in
accordance with appropriate exceptions under sections
14 and 15.
Other Matters
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the
operation of the Fair Credit Reporting Act.
State Law
The regulations do not supersede, alter, or affect any state
statute, regulation, order, or interpretation, except to the extent
that it is inconsistent with the regulations. A state statute,
regulation, order, etc. is consistent with the regulations if
the protection it affords any consumer is greater than the
protection provided under the regulations, as determined by
the FTC.
Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or
before July 1, 2000, with a nonaffiliated third party to perform
services for the financial institution or functions on its behalf,
as described in section 13, will satisfy the confidentiality
requirements of section 13(a)(1)(ii) until July 1, 2002, even if
the contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information.
Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose
its policies and practices for protecting the confidentiality,
security, and integrity of nonpublic personal information about
consumers (whether or not they are customers). The disclosure
need not describe these policies and practices in detail, but
instead may describe in general terms who is authorized to
have access to the information and whether the institution
has security practices and procedures in place to ensure the
confidentiality of the information in accordance with the
institution’s policies.
The four federal bank and thrift regulators have published
guidelines, pursuant to section 501(b) of the Gramm-
Leach-Bliley Act, that address steps a financial institution
should take in order to protect customer information. The
guidelines relate only to information about customers, rather
than all consumers. Compliance examiners should consider
the findings of a 501(b) inspection during the compliance
examination of a financial institution for purposes of
evaluating the accuracy of the institution’s disclosure regarding
data security.
Examination Objectives
- To assess the quality of a financial institution’s compliance
management policies and procedures for implementing
the privacy regulation, specifically ensuring consistency
between what the financial institution tells consumers in its
notices about its policies and practices and what it actually
does.
- To determine the reliance that can be placed on a financial
institution’s internal controls and procedures for monitoring
the institution’s compliance with the privacy regulation.
- To determine a financial institution’s compliance with the
privacy regulation, specifically in meeting the following
requirements:
- Providing to customers notices of its privacy policies
and practices that are timely, accurate, clear and
conspicuous, and delivered so that each customer can
reasonably be expected to receive actual notice;
- Disclosing nonpublic personal information to
nonaffiliated third parties, other than under an
exception, after first meeting the applicable
requirements for giving consumers notice and the right
to opt out;
- Appropriately honoring consumer opt out directions;
- Lawfully using or disclosing nonpublic personal
information received from a nonaffiliated financial
institution; and
- Disclosing account numbers only according to the
limits in the regulations.
- To initiate effective corrective actions when violations of
law are identified, or when policies or internal controls are
deficient.
Examination Procedures
A. Through discussions with management and review of
available information, identify the institution’s information
sharing practices (and changes to those practices) with
affiliates and nonaffiliated third parties; how it treats
nonpublic personal information; and how it administers
opt-outs. Consider the following as appropriate:
- Notices (initial, annual, revised, opt out, short-form,
and simplified);
- Institutional privacy policies and procedures, including
those to:
- process requests for nonpublic personal information,
including requests for aggregated data;
- deliver notices to consumers;
- manage consumer opt out directions (e.g.,
designating files, allowing a reasonable time to opt
out, providing new opt out and privacy notices when
necessary, receiving opt out directions, handling
joint account holders);
- prevent the unlawful disclosure and use of the
information received from nonaffiliated financial
institutions; and
- prevent the unlawful disclosure of account numbers;
- Information sharing agreements between the institution
and affiliates and service agreements or contracts
between the institution and nonaffiliated third parties
either to obtain or provide information or services;
- Complaint logs, telemarketing scripts, and any other
information obtained from nonaffiliated third parties
(Note: review telemarketing scripts to determine
whether the contractual terms set forth under section
13 are met and whether the institution is disclosing
account number information in violation of section 12);
- Categories of nonpublic personal information collected
from or about consumers in obtaining a financial
product or service (e.g., in the application process for
deposit, loan, or investment products; for an over-the-counter
purchase of a bank check; from E-banking
products or services, including the data collected
electronically through Internet cookies; or through
ATM transactions);
- Categories of nonpublic personal information shared
with, or received from, each nonaffiliated third party;
and
- Consumer complaints regarding the treatment of
nonpublic personal information, including those
received electronically.
- Records that reflect the bank’s categorization of its
information sharing practices under Sections 13, 14, 15,
and outside of these exceptions.
- Results of a 501(b) inspection (used to determine
the accuracy of the institution’s privacy disclosures
regarding data security).
B. Use the information gathered from step A to work through
the "Privacy Notice and Opt Out Decision Tree" (page
VIII-1.7). Identify which module(s) (beginning on page
VIII-1.9) of procedures is (are) applicable.
C. Use the information gathered from step A to work through
the Reuse and Redisclosure and Account Number Sharing
Decision Trees, as necessary (page VIII-1.8). Identify
which module (beginning on page VIII-1.13) is applicable.
D. Determine the adequacy of the financial institution's
internal controls and procedures to ensure compliance
with the privacy regulation as applicable. Consider the
following:
- Sufficiency of internal policies and procedures, and
controls, including review of new products and services
and controls over servicing arrangements and marketing
arrangements;
- Effectiveness of management information systems,
including the use of technology for monitoring,
exception reports, and standardization of forms and
procedures;
- Frequency and effectiveness of monitoring procedures;
- Adequacy and regularity of the institution’s training
program;
- Suitability of the compliance audit program for
ensuring that:
- the procedures address all regulatory provisions as
applicable;
- the work is accurate and comprehensive with respect
to the institution’s information sharing practices;
- the frequency is appropriate;
- conclusions are appropriately reached and presented
to responsible parties;
- steps are taken to correct deficiencies and to follow up
on previously identified deficiencies; and
- Knowledge level of management and personnel.
E. Ascertain areas of risk associated with the financial
institution’s sharing practices (especially those within
Section 13 and those that fall outside of the exceptions) and
any weaknesses found within the compliance management
program. Keep in mind any outstanding deficiencies
identified in the audit for follow-up when completing the
modules.
F. Based on the results of the foregoing initial procedures
and discussions with management, determine which
procedures if any should be completed in the applicable
module, focusing on areas of particular risk. The selection
of procedures to be employed depends upon the adequacy
of the institution’s compliance management system and
level of risk identified. Each module contains a series of
general instructions to verify compliance, cross-referenced
to citations within the regulation. Additionally, there are
cross-references to a more comprehensive checklist, which
the examiner may use if needed to evaluate compliance in
more detail.
G. Evaluate any additional information or documentation
discovered during the course of the examination according
to these procedures. Note that this may reveal new or
different sharing practices necessitating reapplication of the
Decision Trees and completion of additional or different
modules.
H. Formulate conclusions.
- Summarize all findings.
- For violation(s) noted, determine the cause by
identifying weaknesses in internal controls, compliance
review, training, management oversight, or other areas.
- Identify action needed to correct violations and
weaknesses in the institution’s compliance system, as
appropriate.
- Discuss findings with management and obtain a
commitment for corrective action.
Privacy Notice and Opt Out Decision Tree
Reuse and Redisclosure of Nonpublic Personal Information Received from Nonaffiliated Financial Institutions
Decision Tree (Sections 11(a) and 11(b))
Account Number Sharing Decision Tree (Section 12)
*This may include sharing of encrypted account numbers but not the decryption key.
Module 1
Sharing nonpublic personal information with nonaffiliated
third parties under Sections 14 and/or 15 and outside of the
exceptions (with or without also sharing under Section 13).
NOTE: Financial institutions whose practices fall within this
category engage in the most expansive degree of information
sharing permissible. Consequently, these institutions are held
to the most comprehensive compliance standards imposed by
the Privacy regulation.
- Disclosure of Nonpublic Personal Information
- Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data
shared between the institution and the third party
both inside and outside of the exceptions. The sample
should include a cross-section of relationships but
should emphasize those that are higher risk in nature
as determined by the initial procedures. Perform
the following comparisons to evaluate the financial
institution’s compliance with disclosure limitations.
- Compare the categories of data shared and with
whom the data were shared to those stated in the
privacy notice and verify that what the institution
tells consumers (customers and those who are not
customers) in its notices about its policies and
practices in this regard and what the institution
actually does are consistent (§§10, 6).
- Compare the data shared to a sample of opt out
directions and verify that only nonpublic personal
information covered under the exceptions or from
consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
- If the financial institution also shares information
under Section 13, obtain and review contracts with
nonaffiliated third parties that perform services for
the financial institution not covered by the exceptions
in section 14 or 15. Determine whether the contracts
prohibit the third party from disclosing or using the
information other than to carry out the purposes for
which the information was disclosed. Note that the
“grandfather” provisions of Section 18 apply to certain
of these contracts (§13(a)).
- Presentation, Content, and Delivery of Privacy Notices
- Review the financial institution’s initial, annual and
revised notices, as well as any short-form notices that
the institution may use for consumers who are not
customers. Determine whether or not these notices:
- Are clear and conspicuous (§§3(b), 4(a), 5(a)(1),
8(a)(1));
- Accurately reflect the policies and practices used
by the institution (§§4(a), 5(a)(1), 8(a)(1)). Note,
this includes practices disclosed in the notices that
exceed regulatory requirements; and
- Include, and adequately describe, all required items
of information and contain examples as applicable
(§6). Note that if the institution shares under Section
13 the notice provisions for that section shall also
apply.
- Through discussions with management, review of the
institution’s policies and procedures, and a sample of
electronic or written consumer records where available,
determine if the institution has adequate procedures in
place to provide notices to consumers, as appropriate.
Assess the following:
- Timeliness of delivery (§§4(a), 7(c), 8(a)); and
- Reasonableness of the method of delivery (e.g., by
hand; by mail; electronically, if the consumer agrees;
or as a necessary step of a transaction) (§9).
- For customers only, review the timeliness of delivery
(§§4(d), 4(e), 5(a)), means of delivery of annual
notice (§9(c)), and accessibility of or ability to retain
the notice (§9(e)).
- Opt Out Right
- Review the financial institution’s opt out notices. An
opt out notice may be combined with the institution’s
privacy notices. Regardless, determine whether the opt
out notices:
- Are clear and conspicuous (§§3(b) and 7(a)(1));
- Accurately explain the right to opt out (§7(a)(1));
- Include and adequately describe the three required
items of information (the institution’s policy
regarding disclosure of nonpublic personal
information, the consumer’s opt out right, and the
means to opt out) (§7(a)(1)); and
- Describe how the institution treats joint consumers
(customers and those who are not customers), as
applicable (§7(d)).
- Through discussions with management, review of the
institution’s policies and procedures, and a sample of
electronic or written records where available, determine
if the institution has adequate procedures in place to
provide the opt out notice and comply with opt out
directions of consumers (customers and those who are
not customers), as appropriate. Assess the following:
- Timeliness of delivery (§10(a)(1));
- Reasonableness of the method of delivery (e.g., by
hand; by mail; electronically, if the consumer agrees;
or as a necessary step of a transaction) (§9); and
- Reasonableness of the opportunity to opt out
(the time allowed to and the means by which the
consumer may opt out) (§§10(a)(1)(iii), 10(a)(3)).
- Adequacy of procedures to implement and track the
status of a consumer’s (customers and those who are not
customers) opt out direction, including those of former
customers (§7(e), (f), (g)).
- Checklist Cross References—Module 1
Regulation Section | Subject | Checklist Questions
4(a); 6(a, b, c, e); and 9(a, b, g) | Privacy notices (presentation, content, and delivery) | 2, 8-11, 14, 18, 35, 36, 40
4(a, c, d, e); 5; and 9(c, e) | Customer notice delivery rules | 1, 3-7, 37, 38
13 | Section 13 notice and contracting rules (as applicable) | 12, 47
6(d) | Short form notice rules (optional for consumers only) | 15-17
7; 8; and 10 | Opt out rules | 19-34, 41-43
14, 15 | Exceptions | 48, 49, 50
Module 2
Sharing nonpublic personal information with nonaffiliated
third parties under Sections 13, and 14 and/or 15, but not
outside of these exceptions.
- Disclosure of Nonpublic Personal Information
- Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data
shared between the institution and the third party. The
sample should include a cross-section of relationships
but should emphasize those that are higher risk in
nature as determined by the initial procedures. Perform
the following comparisons to evaluate the financial
institution’s compliance with disclosure limitations.
- Compare the data shared and with whom the data
were shared to ensure that the institution accurately
categorized its information sharing practices and is
not sharing nonpublic personal information outside
the exceptions (§§13, 14, 15).
- Compare the categories of data shared and with
whom the data were shared to those stated in the
privacy notice and verify that what the institution
tells consumers in its notices about its policies and
practices in this regard and what the institution
actually does are consistent (§§10, 6).
- Review contracts with nonaffiliated third parties
that perform services for the financial institution
not covered by the exceptions in section 14 or 15.
Determine whether the contracts adequately prohibit
the third party from disclosing or using the information
other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather"
provisions of Section 18 apply to certain of these
contracts. (§13(a))
- Presentation, Content, and Delivery of Privacy Notices
- Review the financial institution’s initial and annual
privacy notices. Determine whether or not they:
- Are clear and conspicuous
(§§3(b), 4(a), 5(a)(1));
- Accurately reflect the policies and practices used by
the institution (§§4(a), 5(a)(1)). Note, this includes
practices disclosed in the notices that exceed
regulatory requirements; and
- Include, and adequately describe, all required items
of information and contain examples as applicable
(§§6, 13).
- Through discussions with management, review of the
institution’s policies and procedures, and a sample of
electronic or written consumer records where available,
determine if the institution has adequate procedures in
place to provide notices to consumers, as appropriate.
Assess the following:
- Timeliness of delivery (§4(a)); and
- Reasonableness of the method of delivery (e.g., by
hand; by mail; electronically, if the consumer agrees;
or as a necessary step of a transaction) (§9).
- For customers only, review the timeliness of delivery
(§§4(d), 4(e), and 5(a)), means of delivery of annual
notice (§9(c)), and accessibility of or ability to retain
the notice (§9(e)).
- Checklist Cross References—Module 2
Regulation Section | Subject | Checklist Questions
4(a); 6(a, b, c, e); and 9(a, b, g) | Privacy notices (presentation, content, and delivery) | 2, 8-11, 14, 18, 35, 36, 40
4(a, c, d, e); 5; and 9(c, e) | Customer notice delivery rules | 1, 3-7, 37, 38
13 | Section 13 notice and contracting rules (as applicable) | 12, 47
14, 15 | Exceptions | 48, 49, 50
Module 3
Sharing nonpublic personal information with nonaffiliated
third parties only under Sections 14 and/or 15.
NOTE: This module applies only to customers.
- Disclosure of Nonpublic Personal Information
- Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data
shared between the institution and the third party.
- Compare the data shared and with whom the data
were shared to ensure that the institution accurately
states its information sharing practices and is not
sharing nonpublic personal information outside the
exceptions.
- Presentation, Content, and Delivery of Privacy Notices
- Obtain and review the financial institution’s initial and
annual notices, as well as any simplified notice that the
institution may use. Note that the institution may only
use the simplified notice when it does not also share
nonpublic personal information with affiliates outside
of Section 14 and 15 exceptions. Determine whether or
not these notices:
- Are clear and conspicuous
(§§3(b), 4(a), 5(a)(1));
- Accurately reflect the policies and practices used by
the institution (§§4(a), 5(a)(1)). Note, this includes
practices disclosed in the notices that exceed
regulatory requirements; and
- Include, and adequately describe, all required items
of information (§6).
- Through discussions with management, review of the
institution’s policies and procedures, and a sample of
electronic or written customer records where available,
determine if the institution has adequate procedures in
place to provide notices to customers, as appropriate.
Assess the following:
- Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
- Reasonableness of the method of delivery (e.g., by
hand; by mail; electronically, if the customer agrees;
or as a necessary step of a transaction) (§9) and
accessibility of or ability to retain the notice (§9(e)).
- Checklist Cross References—Module 3
Regulation Section | Subject | Checklist Questions
 | Customer notice content and presentation | 13
6(c)(5) | Simplified notice content (optional) | 1, 3-7, 37, 38
4(a, d, e); 5 | Customer notice delivery process rules (as applicable) | 1, 3-7, 35, 40
14, 15 | Exceptions | 48, 49, 50
Module 4
Reuse & Redisclosure of nonpublic personal information
received from a nonaffiliated financial institution under
Sections 14 and/or 15.
- Through discussions with management and review of the
institution’s procedures, determine whether the institution
has adequate practices to prevent the unlawful redisclosure
and reuse of the information where the institution is the
recipient of nonpublic personal information (§11(a)).
- Select a sample of data received from nonaffiliated
financial institutions, to evaluate the financial institution’s
compliance with reuse and redisclosure limitations.
- Verify that the institution’s redisclosure of the
information was only to affiliates of the financial
institution from which the information was obtained or
to the institution’s own affiliates, except as otherwise
allowed in the step b below (§11(a)(1)(i) and (ii)).
- Verify that the institution only uses and shares the
data pursuant to an exception in Sections 14 and 15
(§11(a)(1)(iii)).
- Checklist Cross References—Module 4
Regulation Section | Subject | Checklist Questions
11(a) | Reuse and disclosure presentation | 44
Module 5
Redisclosure of nonpublic personal information received from
a nonaffiliated financial institution outside of Sections 14 and
15.
- Through discussions with management and review of the
institution’s procedures, determine whether the institution
has adequate practices to prevent the unlawful redisclosure
of the information where the institution is the recipient of
nonpublic personal information (§11(b)).
- Select a sample of data received from nonaffiliated
financial institutions and shared with others to evaluate
the financial institution’s compliance with redisclosure
limitations.
- Verify that the institution’s redisclosure of the
information was only to affiliates of the financial
institution from which the information was obtained or
to the institution’s own affiliates, except as otherwise
allowed in the step b below (§11(b)(1)(i) and (ii)).
- If the institution shares information with entities
other than those under step a above, verify that the
institution’s information sharing practices conform to
those in the nonaffiliated financial institution’s privacy
notice (§11(b)(1)(iii)).
- Also, review the procedures used by the institution to
ensure that the information sharing reflects the opt out
status of the consumers of the nonaffiliated financial
institution (§§10, 11(b)(1)(iii)).
- Checklist Cross References—Module 5
Regulation Section | Subject | Checklist Questions
11(b) | Reuse and redisclosure | 45
Module 6
Account number sharing.
- If available, review a sample of telemarketer scripts used
when making sales calls to determine whether the scripts
indicate that the telemarketers have the account numbers of
the institution’s consumers (§12).
- Obtain and review a sample of contracts with agents or
service providers to whom the financial institution discloses
account numbers for use in connection with marketing the
institution’s own products or services. Determine whether
the institution shares account numbers with nonaffiliated
third parties only to perform marketing for the institution’s
own products and services. Ensure that the contracts do not
authorize these nonaffiliated third parties to directly initiate
charges to customer’s accounts (§12(b)(1)).
- Obtain a sample of materials and information provided
to the consumer upon entering a private label or affinity
credit card program. Determine if the participants in each
program are identified to the customer when the customer
enters into the program (§12(b)(2)).
- Checklist Cross References—Module 6
Regulation Section | Subject | Checklist Questions
12 | Account number sharing | 46
Examination Checklist: Subpart A
Question | Yes | No
Initial Privacy Notice
1. Does the institution provide a clear and conspicuous notice that accurately reflects its privacy
policies and practices to all customers not later than when the customer relationship is established,
other than as allowed in paragraph (e) of section four (4) of the regulation? [§4(a)(1)]
NOTE: no notice is required if nonpublic personal information is disclosed to nonaffiliated third
parties only under an exception in Sections 14 and 15, and there is no customer relationship.
[§4(b)] With respect to credit relationships, an institution establishes a customer relationship when
it originates a consumer loan. If the institution subsequently sells the servicing rights to the loan to
another financial institution, the customer relationship transfers with the servicing rights. [§4(c)]
| | |
2. Does the institution provide a clear and conspicuous notice that accurately reflects its privacy
policies and practices to all consumers, who are not customers, before any nonpublic personal
information about the consumer is disclosed to a nonaffiliated third party, other than under an
exception in §§14 or 15? [§4(a)(2)]
| | |
3. Does the institution provide to existing customers, who obtain a new financial product or service,
an initial privacy notice that covers the customer’s new financial product or service, if the most
recent notice provided to the customer was not accurate with respect to the new financial product or
service? [§4(d)(1)]
| | |
4. Does the institution provide initial notice after establishing a customer relationship only if:
a. the customer relationship is not established at the customer’s election; [§4(e)(1)(i)] or
| | |
b. to do otherwise would substantially delay the customer’s transaction (e.g. in the case of a
telephone application), and the customer agrees to the subsequent delivery? [§4 (e)(1)(ii)]
| | |
5. When the subsequent delivery of a privacy notice is permitted, does the institution provide notice
after establishing a customer relationship within a reasonable time? [§4(e)]
| | |
Annual Privacy Notice
6. Does the institution provide a clear and conspicuous notice that accurately reflects its privacy
policies and practices at least annually (that is, at least once in any period of 12 consecutive months)
to all customers, throughout the customer relationship? [§5(a)(1)and (2)]
NOTE: annual notices are not required for former customers. [§5(b)(1)and (2)]
| | |
7. Does the institution provide an annual privacy notice to each customer whose loan the institution
owns the right to service? [§§5(c), 4(c)(2)]
| | |
Content of Privacy Notices
8. Do the initial, annual, and revised privacy notices include each of the following, as applicable:
a. the categories of nonpublic personal information that the institution collects; [§6(a)(1)]
| | |
b. the categories of nonpublic personal information that the institution discloses; [§6(a)(2)]
| | |
c. the categories of affiliates and nonaffiliated third parties to whom the institution discloses
nonpublic personal information, other than parties to whom information is disclosed under an
exception in §14 or §15; [§6(a)(3)]
| | |
d. the categories of nonpublic personal information disclosed about former customers, and the
categories of affiliates and nonaffiliated third parties to whom the institution discloses that
information, other than those parties to whom the institution discloses information under an
exception in §14 or §15; [§6(a)(4)]
| | |
e. if the institution discloses nonpublic personal information to a nonaffiliated third party under
§13, and no exception under §14 or §15 applies, a separate statement of the categories of
information the institution discloses and the categories of third parties with whom the institution
has contracted; [§6(a)(5)]
| | |
f. an explanation of the opt out right, including the method(s) of opt out that the consumer can use
at the time of the notice; [§6(a)(6)]
| | |
g. any disclosures that the institution makes under §603(d)(2)(A)(iii) of the Fair Credit Reporting
Act (FCRA); [§6(a)(7)]
| | |
h. the institution’s policies and practices with respect to protecting the confidentiality and security of
nonpublic personal information; [§6(a)(8)] and
| | |
i. a general statement--with no specific reference to the exceptions or to the third parties--that the
institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(a)(9),
(b)]
NOTE: sample clauses for these items appear in Appendix A of the Regulation
| | |
9. Does the institution list the following categories of nonpublic personal information that it collects, as
applicable:
a. information from the consumer; [§6(c)(1)(i)]
| | |
b. information about the consumer’s transactions with the institution or its affiliates; [§6(c)(1)(ii)]
| | |
c. information about the consumer’s transactions with nonaffiliated third parties; [§6(c)(1)(iii)] and
| | |
d. information from a consumer reporting agency? [§6(c)(1)(iv)]
| | |
10. Does the institution list the following categories of nonpublic personal information that it discloses,
as applicable, and a few examples of each, or alternatively state that it reserves the right to disclose
all the nonpublic personal information that it collects:
a. information from the consumer;
| | |
b. information about the consumer’s transactions with the institution or its affiliates;
| | |
c. information about the consumer’s transactions with nonaffiliated third parties; and
| | |
d. information from a consumer reporting agency? [§6(c)(2)]
NOTE: examples are recommended under §6(c)(2) although not under §6(c)(1).
| | |
11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom
it discloses information, as applicable, and a few examples to illustrate the types of the third parties
in each category:
a. financial service providers; [§6(c)(3)(i)]
| | |
b. non-financial companies; [§6(c)(3)(ii)] and
| | |
c. others? [§6(c)(3)(iii)]
| | |
12. Does the institution make the following disclosures regarding service providers and joint marketers
to whom it discloses nonpublic personal information under §13:
a. as applicable, the same categories and examples of nonpublic personal information disclosed
as described in paragraphs (a)(2) and (c)(2) of section six (6) (see questions 8b and 10); and
[§6(c)(4)(i)]
| | |
b. that the third party is a service provider that performs marketing on the institution’s behalf or on
behalf of the institution and another financial institution; [§6(c)(4)(ii)(A)] or
| | |
c. that the third party is a financial institution with which the institution has a joint marketing
agreement? [§6(c)(4)(ii)(B)]
| | |
13. If the institution does not disclose nonpublic personal information, and does not reserve the right to
do so, other than under exceptions in §14 and §15, does the institution provide a simplified privacy
notice that contains at a minimum:
a. a statement to this effect;
| | |
b. the categories of nonpublic personal information it collects;
| | |
c. the policies and practices the institution uses to protect the confidentiality and security of
nonpublic personal information; and
| | |
d. a general statement that the institution makes disclosures to other nonaffiliated third parties as
permitted by law? [§6(c)(5)]
NOTE: use of this type of simplified notice is optional; an institution may always use a full notice.
| | |
14. Does the institution describe the following about its policies and practices with respect to protecting
the confidentiality and security of nonpublic personal information:
a. who is authorized to have access to the information; and [§6(c)(6)(i)]
| | |
b. whether security practices and policies are in place to ensure the confidentiality of the
information in accordance with the institution’s policy? [§6(c)(6)(ii)]
NOTE: the institution is not required to describe technical information about the safeguards used
in this respect.
| | |
15. If the institution provides a short-form initial privacy notice with the opt out notice, does the
institution do so only to consumers with whom the institution does not have a customer relationship?
[§6(d)(1)]
| | |
16. If the institution provides a short-form initial privacy notice according to §6(d)(1), does the short-form
initial notice:
a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]
| | |
b. state that the institution’s full privacy notice is available upon request; [§6(d)(2)(ii)] and
| | |
c. explain a reasonable means by which the consumer may obtain the notice? [§6(d)(2)(iii)]
NOTE: the institution is not required to deliver the full privacy notice with the short-form initial
notice. [§6(d)(3)]
| | |
17. Does the institution provide consumers who receive the short-form initial notice with a reasonable
means of obtaining the longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to request the notice; [§6(d)(4)(i)] or
| | |
b. for the consumer who conducts business in person at the institution’s office, having copies
available to provide immediately by hand-delivery? [§6(d)(4)(ii)]
| | |
18. If the institution, in its privacy policies, reserves the right to disclose nonpublic personal information
to nonaffiliated third parties in the future, does the privacy notice include, as applicable, the:
a. categories of nonpublic personal information that the financial institution reserves the right to
disclose in the future, but does not currently disclose; [§6(e)(1)] and
| | |
b. categories of affiliates or nonaffiliated third parties to whom the financial institution reserves
the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal
information? [§6(e)(2)]
| | |
Opt Out Notice
19. If the institution discloses nonpublic personal information about a consumer to a nonaffiliated third
party, and the exceptions under §§13-15 do not apply, does the institution provide the consumer with
a clear and conspicuous opt out notice that accurately explains the right to opt out? [§7(a)(1)]
| | |
20. Does the opt out notice state:
a. that the institution discloses or reserves the right to disclose nonpublic personal information
about the consumer to a nonaffiliated third party; [§7(a)(1)(i)]
| | |
b. that the consumer has the right to opt out of that disclosure; [§7(a)(1)(ii)] and
| | |
c. a reasonable means by which the consumer may opt out? [§7(a)(1)(iii)]
| | |
21. Does the institution provide the consumer with the following information about the right to opt out:
a. all the categories of nonpublic personal information that the institution discloses or reserves the
right to disclose; [§7(a)(2)(i)(A)]
| | |
b. all the categories of nonaffiliated third parties to whom the information is disclosed;
[§7(a)(2)(i)(A)]
| | |
c. that the consumer has the right to opt out of the disclosure of that information; [§7(a)(2)(i)(A)]
and
| | |
d. the financial products or services that the consumer obtains to which the opt out direction would
apply? [§7(a)(2)(i)(B)]
| | |
22. Does the institution provide the consumer with at least one of the following reasonable means of
opting out, or with another reasonable means:
a. check-off boxes prominently displayed on the relevant forms with the opt out notice;
[§7(a)(2)(ii)(A)]
| | |
b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]
| | |
c. an electronic means to opt out, such as a form that can be sent via electronic mail or a process
at the institution’s web site, if the consumer agrees to the electronic delivery of information;
[§7(a)(2)(ii)(C)] or
| | |
d. a toll-free telephone number? [§7(a)(2)(ii)(D)]
NOTE: the institution may require the consumer to use one specific means, as long as that means
is reasonable for that consumer. [§7(a)(2)(iv)]
| | |
23. If the institution delivers the opt out notice after the initial notice, does the institution provide the
initial notice once again with the opt out notice? [§7(c)]
| | |
24. Does the institution provide an opt out notice, explaining how the institution will treat opt out
directions by the joint consumers, to at least one party in a joint consumer relationship? [§7(d)(1)]
| | |
25. Does the institution permit each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]
| | |
26. Does the opt out notice to joint consumers state that either:
a. the institution will consider an opt out by a joint consumer as applying to all associated joint
consumers; [§7(d)(2)(i)] or
| | |
b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]
| | |
27. If each joint consumer may opt out separately, does the institution permit:
a. one joint consumer to opt out on behalf of all of the joint consumers; [§7(d)(3)]
| | |
b. the joint consumers to notify the institution in a single response; [§7(d)(5)] and
| | |
c. each joint consumer to opt out either for himself or herself, and/or for another joint consumer?
[§7(d)(5)]
| | |
28. Does the institution refrain from requiring all joint consumers to opt out before implementing any
opt out direction with respect to the joint account? [§7(d)(4)]
| | |
29. Does the institution comply with a consumer’s direction to opt out as soon as is reasonably
practicable after receiving it? [§7(e)]
| | |
30. Does the institution allow the consumer to opt out at any time? [§7(f)]
| | |
31. Does the institution continue to honor the consumer’s opt out direction until revoked by the
consumer in writing, or, if the consumer agrees, electronically? [§7(g)(1)]
| | |
32. When a customer relationship ends, does the institution continue to apply the customer’s opt out
direction to the nonpublic personal information collected during, or related to, that specific customer
relationship (but not to new relationships, if any, subsequently established by that customer)?
[§7(g)(2)]
| | |
Revised Notices
33. Except as permitted by §§13-15, does the institution refrain from disclosing any nonpublic personal
information about a consumer to a nonaffiliated third party, other than as described in the initial
privacy notice provided to the consumer, unless:
a. the institution has provided the consumer with a clear and conspicuous revised notice that
accurately describes the institution’s privacy policies and practices; [§8(a)(1)]
| | |
b. the institution has provided the consumer with a new opt out notice; [§8(a)(2)]
| | |
c. the institution has given the consumer a reasonable opportunity to opt out of the disclosure,
before disclosing any information; [§8(a)(3)] and
| | |
d. the consumer has not opted out? [§8(a)(4)]
| | |
34. Does the institution deliver a revised privacy notice when it:
a. discloses a new category of nonpublic personal information to a nonaffiliated third party;
[§8(b)(1)(i)]
| | |
b. discloses nonpublic personal information to a new category of nonaffiliated third party;
[§8(b)(1)(ii)] or
| | |
c. discloses nonpublic personal information about a former customer to a nonaffiliated third party,
if that former customer has not had the opportunity to exercise an opt out right regarding that
disclosure? [§8(b)(1)(iii)]
NOTE: a revised notice is not required if the institution adequately described the nonaffiliated
third party or information to be disclosed in the prior privacy notice. [§8(b)(2)]
| | |
Delivery Methods
35. Does the institution deliver the privacy and opt out notices, including the short-form notice, so that
the consumer can reasonably be expected to receive actual notice in writing or, if the consumer
agrees, electronically? [§9(a)]
| | |
36. Does the institution use a reasonable means for delivering the notices, such as:
a. hand-delivery of a printed copy; [§9(b)(1)(i)]
| | |
b. mailing a printed copy to the last known address of the consumer; [§9(b)(1)(ii)]
| | |
c. for the consumer who conducts transactions electronically, clearly and conspicuously posting the
notice on the institution’s electronic site and requiring the consumer to acknowledge receipt as a
necessary step to obtaining a financial product or service; [§9(b)(1)(iii)] or
| | |
d. for isolated transactions, such as ATM transactions, posting the notice on the screen and requiring
the consumer to acknowledge receipt as a necessary step to obtaining the financial product or
service? [§9(b)(1)(iv)]
NOTE: insufficient or unreasonable means of delivery include: exclusively oral notice, in person
or by telephone; branch or office signs or generally published advertisements; and electronic
mail to a customer who does not obtain products or services electronically. [§9(b)(2)(i) and (ii),
and (d)]
| | |
37. For annual notices only, if the institution does not employ one of the methods described in question 36,
does the institution employ one of the following reasonable means of delivering the notice such as:
a. for the customer who uses the institution’s web site to access products and services electronically
and who agrees to receive notices at the web site, continuously posting the current privacy notice
on the web site in a clear and conspicuous manner; [§9(c)(1)] or
| | |
b. for the customer who has requested the institution refrain from sending any information about
the customer relationship, making copies of the current privacy notice available upon customer
request? [§9(c)(2)]
| | |
38. For customers only, does the institution ensure that the initial, annual, and revised notices may
be retained or obtained later by the customer in writing, or if the customer agrees, electronically?
[§9(e)(1)]
| | |
39. Does the institution use an appropriate means to ensure that notices may be retained or obtained
later, such as:
a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]
| | |
b. mailing a printed copy to the last known address of the customer; [§9(e)(2)(ii)] or
| | |
c. making the current privacy notice available on the institution’s web site (or via a link to the notice
at another site) for the customer who agrees to receive the notice at the web site? [§9(e)(2)(iii)]
| | |
40. Does the institution provide at least one initial, annual, and revised notice, as applicable, to joint
consumers? [§9(g)]
| | |
Examination Checklist: Subpart B
Question | Yes | No
Limits on Disclosure to Nonaffiliated Third Parties
41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to
a nonaffiliated third party, other than as permitted under §§13-15, unless:
|
a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]
|
|
|
b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]
|
|
|
c. it has given the consumer a reasonable opportunity to opt out
before the disclosure; [§10(a)(1)(iii)] and
|
|
|
d. the consumer has not opted out? [§10(a)(1)(iv)]
NOTE: this disclosure limitation applies to consumers as well as to
customers [§10(b)(1)], and to all nonpublic personal information regardless
of whether collected before or after receiving an opt out direction. [§10(b)(2)]
|
|
|
42. Does the institution provide the consumer with a reasonable opportunity to opt out, such as by:
a. mailing the notices required by §10 and allowing the consumer to respond by toll-free telephone
number, return mail, or other reasonable means (see question 22) within 30 days from the date
mailed; [§10(a)(3)(i)]
b. where the consumer opens an on-line account with the institution and agrees to receive the
notices required by §10 electronically, allowing the consumer to opt out by any reasonable means
(see question 22) within 30 days from consumer acknowledgement of receipt of the notice in
conjunction with opening the account; [§10(a)(3)(ii)] or
c. for isolated transactions, providing the notices required by §10 at the time of the transaction and
requesting that the consumer decide, as a necessary part of the transaction, whether to opt out
before the completion of the transaction? [§10(a)(3)(iii)]
43. Does the institution allow the consumer to select certain nonpublic personal information or certain
nonaffiliated third parties with respect to which the consumer wishes to opt out? [§10(c)]
NOTE: an institution may allow partial opt outs in addition to, but may not allow them instead of, a
comprehensive opt out.
Limits on Redisclosure and Reuse of Information
44. If the institution receives information from a nonaffiliated financial institution under an exception in
§14 or §15, does the institution refrain from using or disclosing the information except:
a. to disclose the information to the affiliates of the financial institution
from which it received the information; [§11(a)(1)(i)]
b. to disclose the information to its own affiliates, which are in turn limited by the same disclosure
and use restrictions as the recipient institution; [§11(a)(1)(ii)] and
c. to disclose and use the information pursuant to an exception in §14 or §15 in the ordinary course
of business to carry out the activity covered by the exception under which the information was
received? [§11(a)(1)(iii)]
NOTE: the disclosure or use described in section c of this question need
not be directly related to the activity covered by the applicable exception.
For instance, an institution receiving information for fraud-prevention
purposes could provide the information to its auditors. But "in the ordinary
course of business" does not include marketing. [§11(a)(2)]
45. If the institution receives information from a nonaffiliated financial institution other than under an
exception in §14 or §15, does the institution refrain from disclosing the information except:
a. to the affiliates of the financial institution from which it received the information; [§11(b)(1)(i)]
b. to its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient
institution; [§11(b)(1)(ii)] and
c. to any other person, if the disclosure would be lawful if made directly to that person by the
institution from which the recipient institution received the information? [§11(b)(1)(iii)]
Limits on Sharing Account Number Information for Marketing Purposes
46. Does the institution refrain from disclosing, directly or through affiliates, account numbers or similar
forms of access numbers or access codes for a consumer’s credit card account, deposit account, or
transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for
telemarketing, direct mail or electronic mail marketing to the consumer, except:
a. to the institution’s agents or service providers solely to market the institution’s own products or
services, as long as the agent or service provider is not authorized to directly initiate charges to
the account; [§12(b)(1)] or
b. to a participant in a private label credit card program or an affinity or similar program where
the participants in the program are identified to the customer when the customer enters into the
program? [§12(b)(2)]
NOTE: an "account number or similar form of access number
or access code" does not include numbers in encrypted form, so
long as the institution does not provide the recipient with a means
of decryption. [§12(c)(1)] A transaction account does not include
an account to which third parties cannot initiate charges.
[§12(c)(2)]
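The §12(c)(1) note above takes an account number in encrypted form outside the definition only when the recipient is given no means of decryption. The Python below is an added example of the engineering side of that point; it is not from the handbook, the FDIC job aids, or any regulation. The institution replaces each account number with a keyed HMAC-SHA256 token before handing records to a marketing vendor, keeps the key to itself, binds the token to the recipient so two vendors cannot correlate accounts, and checks the export for raw numbers before it leaves. The key-management arrangement (one secret per recipient held only by the institution), the vendor identifiers, and the sample records are constructed for the illustration. Whether a particular scheme satisfies §12(c)(1) is a legal determination for the institution; the code shows what a non-reversible export looks like in practice.

```python
"""Keyed pseudonymization of account numbers before a marketing export.

Added example, not from the FDIC handbook. The key management (one secret
per recipient, held only by the institution) and the sample data below are
assumptions made for the illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AccountRecord:
    account_number: str
    email: str


def new_recipient_key() -> bytes:
    """Fresh 256-bit key for one recipient; in production it lives in a KMS/HSM."""
    return secrets.token_bytes(32)


def normalize(account_number: str) -> str:
    """Keep digits only so '4111-1111-...' and '4111 1111 ...' map to one token."""
    digits = "".join(ch for ch in account_number if ch.isdigit())
    if not digits:
        raise ValueError("account number contains no digits")
    return digits


def pseudonymize(account_number: str, key: bytes, recipient_id: str) -> str:
    """Deterministic token: HMAC-SHA256(key, recipient_id || 0x00 || digits).

    The recipient never sees `key`, so the token carries no means of
    recovering the number. Binding recipient_id into the MAC input means two
    vendors cannot correlate tokens for the same account.
    """
    if len(key) < 32:
        raise ValueError("key must be at least 256 bits")
    msg = recipient_id.encode("utf-8") + b"\x00" + normalize(account_number).encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def export_for_marketing(records, key: bytes, recipient_id: str) -> list:
    """Rows handed to the vendor: token plus contact field, never the raw number."""
    return [
        {
            "account_token": pseudonymize(r.account_number, key, recipient_id),
            "email": r.email,
        }
        for r in records
    ]


def leaks_account_number(rows, records) -> bool:
    """Export-time check: no field in any row contains a raw account number."""
    raw_numbers = {normalize(r.account_number) for r in records}
    for row in rows:
        for value in row.values():
            if any(number in value for number in raw_numbers):
                return True
    return False


def resolve_token(token: str, records, key: bytes, recipient_id: str):
    """Institution-side lookup when a vendor reports a token back (only the key holder can)."""
    for r in records:
        if hmac.compare_digest(pseudonymize(r.account_number, key, recipient_id), token):
            return r
    return None


# Constructed sample data: a fixed demo key and test-pattern card numbers, not real accounts.
DEMO_KEY = bytes(range(32))
SAMPLE_RECORDS = [
    AccountRecord("4111-1111-1111-1111", "first@example.test"),
    AccountRecord("4111 1111 1111 1111", "same-account-other-contact@example.test"),
    AccountRecord("5500 0000 0000 0004", "second@example.test"),
]

if __name__ == "__main__":
    rows = export_for_marketing(SAMPLE_RECORDS, DEMO_KEY, "vendor-a")
    for row in rows:
        print(row)
    print("raw account number in export:", leaks_account_number(rows, SAMPLE_RECORDS))
```

The vendor can still deduplicate and match on the token, and the institution can map a returned token back to the account because it holds the key. An unkeyed hash would not do: with 16-digit account numbers the recipient could recover them by enumeration, which is exactly the "means of decryption" the note excludes. Rotate the per-recipient key when a marketing relationship ends so old tokens stop being linkable.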
Examination Checklist — Subpart C (Yes / No)
Exception to Opt Out Requirements for Service Providers and Joint Marketing
47. If the institution discloses nonpublic personal information to a nonaffiliated third party without
permitting the consumer to opt out, do the opt out requirements of §7 and §10, and the revised
notice requirements in §8, not apply because:
a. the institution disclosed the information to a nonaffiliated third party who performs services
for or functions on behalf of the institution (including joint marketing of financial products and
services offered pursuant to a joint agreement as defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial notice; [§13(a)(1)(i)] and
c. the institution has entered into a contract with that party prohibiting the party from disclosing or
using the information except to carry out the purposes for which the information was disclosed,
including use under an exception in §14 or §15 in the ordinary course of business to carry out
those purposes? [§13(a)(1)(ii)]
Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions
48. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the
requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service
providers and joint marketing in §13, not apply because the information is disclosed as necessary to
effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection
with:
a. servicing or processing a financial product or service requested or authorized by the consumer;
[§14(a)(1)]
b. maintaining or servicing the consumer’s account with the institution or with another entity as
part of a private label credit card program or other credit extension on behalf of the entity;
[§14(a)(2)] or
c. a proposed or actual securitization, secondary market sale (including sale of servicing rights) or
other similar transaction related to a transaction of the consumer? [§14(a)(3)]
49. If the institution uses a Section 14 exception as necessary to effect, administer, or enforce a
transaction, is it:
a. required, or is one of the lawful or appropriate methods to enforce the rights of the institution
or other persons engaged in carrying out the transaction or providing the product or service;
[§14(b)(1)] or
b. required, or is a usual, appropriate, or acceptable method to: [§14(b)(2)]
i. carry out the transaction or the product or service business of which the transaction is a part,
including recording, servicing, or maintaining the consumer’s account in the ordinary course
of business; [§14(b)(2)(i)]
ii. administer or service benefits or claims; [§14(b)(2)(ii)]
iii. confirm or provide a statement or other record of the transaction or information on the status
or value of the financial service or financial product to the consumer or the consumer’s agent
or broker; [§14(b)(2)(iii)]
iv. accrue or recognize incentives or bonuses; [§14(b)(2)(iv)]
v. underwrite insurance or for reinsurance or for certain other purposes related to a consumer’s
insurance; [§14(b)(2)(v)] or
vi. in connection with:
(1) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or
collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other
payment card, check, or account number, or by other payment means; [§14(b)(2)(vi)(A)]
(2) the transfer of receivables, accounts or interests therein; [§14(b)(2)(vi)(B)] or
(3) the audit of debit, credit, or other payment information? [§14(b)(2)(vi)(C)]
Other Exceptions to Notice and Opt Out Requirements
50. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the
requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service
providers and joint marketers in §13, not apply because the institution makes the disclosure:
a. with the consent or at the direction of the consumer; [§15(a)(1)]
b. for any of the following purposes:
i. to protect the confidentiality or security of records; [§15(a)(2)(i)]
ii. to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or
other liability; [§15(a)(2)(ii)]
iii. for required institutional risk control or for resolving consumer disputes or inquiries;
[§15(a)(2)(iii)]
iv. to persons holding a legal or beneficial interest relating to the consumer; [§15(a)(2)(iv)] or
v. to persons acting in a fiduciary or representative capacity on behalf of the consumer;
[§15(a)(2)(v)]
c. to insurance rate advisory organizations, guaranty
funds or agencies, agencies rating the institution, persons assessing
compliance, and the institution’s attorneys, accountants, and
auditors; [§15(a)(3)]
d. in compliance with the Right to Financial Privacy
Act, or to law enforcement agencies;
[§15(a)(4)]
e. to a consumer reporting agency in accordance with the FCRA or from a consumer report reported
by a consumer reporting agency; [§15(a)(5)]
f. in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of
a business or operating unit, if the disclosure of nonpublic personal information concerns solely
consumers of such business or unit; [§15(a)(6)]
g. to comply with Federal, state, or local laws, rules, or legal requirements; [§15(a)(7)(i)]
h. to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or
summons by Federal, state, or local authorities; [§15(a)(7)(ii)] or
i. to respond to judicial process or government regulatory authorities having jurisdiction over the
institution for examination, compliance, or other purposes as authorized by law? [§15(a)(7)(iii)]
NOTE: the regulation gives the following as an example of the exception described in section
a of this question: "A consumer may specifically consent to [an institution’s] disclosure to a
nonaffiliated insurance company of the fact that the consumer has applied to [the institution] for
a mortgage so that the insurance company can offer homeowner’s insurance to the consumer."
References
Listed below are links to several Privacy resources, including
the official examination procedures and the examination
job-aid.
Job Aids
Examination Job Aid
http://fdic01/division/dsc/compliance/privacy/PrivacyComplianceJobAid.htm
FDIC Staff Response to Questions Regarding the Privacy of
Consumer Financial Information
http://fdic01/division/dsc/compliance/privacy/FDICStaffQA71101.html
Children’s Online Privacy Protection Act (COPPA)
Introduction
COPPA was enacted to prohibit unfair and deceptive acts or
practices in connection with the collection, use, or disclosure
of personal information from children under the age of 13 in
an online environment. Generally, the Act requires operators
of Web sites or online services directed to children, or that
have actual knowledge that they are collecting or maintaining
personal information from children online, to provide certain
notices and obtain parental consent to collect, use, or disclose
information about children. The FDIC is granted enforcement
authority under the Act. Federal Trade Commission regulations
(16 CFR 312) that implement COPPA became effective April
21, 2000.
Examiners should consider conducting a compliance review
using these procedures only when an institution is operating a
Web site or online service directed to children that collects or
maintains personal information about children, or operating
a general audience Web site or online service and knowingly
collecting or maintaining personal information from a child
online.
Examination Objectives
- To determine that reliance can be placed on a financial
institution’s compliance management policies, internal
controls, and procedures for ensuring the institution’s
compliance with the COPPA regulation.
- To require effective corrective actions when violations of
law are identified, or when policies or internal controls are
deficient.
Examination Procedures
1. Determine whether the institution operates a Web site or
online service directed to children that collects or maintains
personal information about them, or operates a general
audience Web site or online service and knowingly collects
or maintains personal information from a child online.
2. If the financial institution does not operate a Web site or
online service directed to children that collects or maintains
personal information about them, and does not knowingly
collect or maintain personal information from a child
online, it is not subject to COPPA. No further examination
is necessary.
3. If the financial institution does operate a Web site or online
service directed to children that collects or maintains
personal information about them, or knowingly collects or
maintains personal information from a child online, it is
subject to COPPA. Continue with step 4 below.
4. Determine whether the institution participates in an FTC-approved
self-regulatory program. If it does, no further
examination is necessary. If it does not participate in such a
program, continue with the procedures below.
5. Assess the quality of the institution’s compliance risk
management by determining whether procedures and
controls ensure compliance with COPPA. Consider the
following, as they pertain to COPPA:
- Knowledge level of management and staff;
- Board of Directors adoption, and management
implementation, of policies and procedures;
- Adequacy of the institution’s training program;
- Frequency of compliance monitoring;
- Effectiveness of the compliance audit program to detect
and correct compliance deficiencies; and
- Appropriate and timely handling of consumer
complaints.
6. Identify any weaknesses in compliance management
policies, procedures, or controls, and the areas and level
of risk associated with the institution’s Web site or online
service subject to COPPA.
7. Formulate conclusions.
8. Summarize all findings, and describe the general
assessment of the quality of the institution’s compliance
management program for implementing COPPA.
9. Discuss findings with management and obtain a
commitment for corrective action, as necessary.
References
Statute: Children’s Online Privacy Protection Act
http://www.ftc.gov/ogc/coppa1.pdf
Regulation: Children’s Online Privacy Protection Rule
http://www.ftc.gov/os/1999/10/64fr59888.htm
Right to Financial Privacy Act
Introduction
The 1978 Right to Financial Privacy Act (RFPA) establishes
specific procedures that federal government authorities
must follow in order to obtain information from a financial
institution about a customer’s financial records. Generally,
these requirements include obtaining subpoenas, notifying
the customer of the request, and providing the customer with
an opportunity to object. The Act imposes related limitations
and duties on financial institutions prior to the release of
information requested by federal authorities. For purposes of
RFPA, a customer is defined as any person or representative
of that person who utilized or is utilizing any service of a
financial institution, or for whom a financial institution is
acting or has acted as a fiduciary, in relation to an account
maintained in the person’s name. "Person" is defined by
the RFPA as an individual or a partnership of five or fewer
individuals. Therefore, restrictions in the Act do not apply
to the financial records of corporations or partnerships with
six or more partners. The RFPA has been amended several
times, most recently in 2001, to permit greater access without
customer notice to customer information requested for
criminal law enforcement purposes and for certain intelligence
activities.
Examination Objective
The objective of the examination is to ensure that the financial
institution has procedures in place to ensure compliance with
the RFPA, and to test whether its practices conform to RFPA.
Examination Procedures
- Determine whether the financial institution has established
procedures and internal controls for fulfilling requests by
government authorities for a customer’s financial records to
ensure that all requests are handled in compliance with the
Act. (Section 1100)
- Determine whether the financial institution has received
any requests covered by the RFPA for a customer’s
financial records since the last compliance examination.
(1103, 1105, 1106, 1107, 1108, 1114)
NOTE: RFPA does not apply to prohibit or limit the
FDIC’s disclosure of financial information to state
authorities, including banking, law enforcement and other
state agencies such as appraisal certification boards.
NOTE: RFPA does not prohibit the FDIC from providing
DOJ with "raw" CRA census-tract data from banks’ annual
CRA reports even if DOJ used the CRA data to assist in
enforcing anti-trust or other public laws. The FDIC should
furnish DOJ with "raw" CRA data only in conjunction or
consultation with the other federal banking agencies.
If the financial institution has received such requests since the
last compliance examination:
- Determine whether the financial institution provided a
customer’s financial records to government authorities
only after receiving the proper written certification. (1105,
1106, 1107, 1108)
- Determine whether internal procedures require that the
financial institution refrain from requiring a customer’s
authorization for disclosure of financial records as a
condition of doing business. (1103(d)(2) and 1104(b))
- Determine whether the financial institution keeps
appropriate records of instances when a customer’s
records are disclosed to the government authority upon
authorization by the customer, including a copy of the
request and the identity of the government authority.
(1104(c) and 1113(h)(6))
- Determine whether the financial institution provides the
customer a copy of the records upon request (unless a court
order has been obtained blocking such access). (1104(c)
and 1113(h)(6))
- Determine whether the financial institution maintains
appropriate records of all disclosures of a customer’s
records made to a government authority in connection with
a government loan, guaranty, or insurance program.
- Determine whether the financial institution allows
a customer to examine these records upon request.
(1113(h)(6))
References
Job Aids
The following is a workpaper template and instructions for its
use.
General Instructions for Workpapers
- Enter requested information on worksheet(s). If
information is not available or disclosure is not applicable,
enter "N/A."
- Use the Comments and Violations Section:
- For apparent violations (for example, subsequent
disclosures were not provided, etc.).
- Any issues requiring additional comments or review/
follow-up.
Clearly state violations. Highlight or mark in red for easy
reference.
NOTE: Document only those instances where violations or
issues worthy of comment are present.
Right to Financial Privacy Worksheet
- Enter the financial institution’s:
- Name
- Cert. #
- Branch
- Examination date
- Examiner-in-Charge
- Name of the individual who actually completes the
workpaper
- Enter the name of the customer.
- Enter the types of accounts involved in the Federal
government request, for example, loan, deposit, etc.
- Identify the Federal government authority involved in the
request.
- Identify whether financial information was given out by
customer authorization and the bank maintains the required
information for customer review when allowed.
- Indicate whether the financial institution had proper written
certification from Federal government authorities prior to
releasing financial information.
Examination Worksheet—Right to Financial Privacy
Bank: | Exam Date: | EIC:
Branch: | Prepared by: | Cert#:
Accounts | Customer | Government Involved | Cust. Authority | Agency Authority | Comments & Violations
Controlling the Assault of Non-Solicited
Pornography and Marketing Act of 2003
Introduction
Under the Controlling the Assault of Non-Solicited Pornography
and Marketing Act of 2003 (CAN-SPAM or Act), the
Federal Trade Commission (FTC) is charged with issuing
regulations for implementing CAN-SPAM. The FTC has
issued regulations, effective as of March 28, 2005, that provide
criteria to determine the primary purpose of electronic mail
(e-mail) messages. The FTC has also issued regulations
that contain criteria pertaining to warning labels on sexually
oriented materials, which became effective as of May 19,
2004.
The goals of the act are to:
- Reduce spam and unsolicited pornography by prohibiting
senders of unsolicited commercial e-mail messages from
disguising the source and content of their messages.
- Give consumers the choice to cease receiving a sender’s
unsolicited commercial e-mail messages.
Compliance authority was expressly granted to the Federal
Deposit Insurance Corporation, the Office of the Comptroller
of the Currency, the Federal Reserve Board, and the Office
of Thrift Supervision to be enforced under Section 8 of the
Federal Deposit Insurance Act. The National Credit Union
Administration was granted authority through the Federal Credit
Union Act, 12 USC 1751.
The FTC has researched and determined that a "Do Not
Spam" registry (similar to the highly effective "Do Not Call"
registry) would not be effective or practicable at this time.
Key Definitions
"Affirmative Consent" (usage: commercial e-mail messages)
- The recipient expressly consented to receive the message,
either in response to a clear and conspicuous request for
such consent or at the recipient’s own initiative; and
- If the message is from a party other than the party to which
the recipient communicated such consent, the recipient was
given clear and conspicuous notice at the time the consent
was communicated that the recipient’s e-mail address
could be transferred to such other party for the purpose of
initiating commercial e-mail messages.
"Commercial E-mail Message" Any e-mail message the
primary purpose of which is to advertise or promote for
a commercial purpose, a commercial product or service
(including content on the Internet). An e-mail message would
not be considered to be a commercial e-mail message solely
because such message includes a reference to a commercial
entity that serves to identify the sender or a reference or link to
an Internet Web site operated for a commercial purpose.
"Dictionary Attacks" Obtaining e-mail addresses by using
an automated means that generates possible e-mail addresses
by combining names, letters, or numbers into numerous
permutations.
"Harvesting" Obtaining e-mail addresses using an automated
means from an Internet Web site or proprietary online service
operated by another person, where such service/person, at the
time the address was obtained, had provided a notice stating
that the operator of such Web site or online service would not
give, sell, or otherwise transfer electronic addresses.
"Header Information" The source, destination, and routing
information attached to the beginning of an e-mail message,
including the originating domain name and originating e-mail
address.
"Hijacking" The use of automated means to register for
multiple e-mail accounts or online user accounts from which
to transmit, or enable another person to transmit, a commercial
e-mail message that is unlawful.
"Initiate" To originate, transmit or to procure the origination
or transmission of such message but shall not include actions
that constitute routine conveyance. For purposes of the Act,
more than one person may be considered to have initiated the
same message.
"Primary Purpose" The FTC’s regulations provide further
clarification regarding determination of whether an e-mail
message has "commercial" promotion as its primary purpose.
[16 CFR 316.3]
- The primary purpose of an e-mail message will be deemed
to be commercial if it contains only the commercial
advertisement or promotion of a commercial product or
service (commercial content);
- The primary purpose of an e-mail message will be deemed
to be commercial if it contains both commercial content
and "transactional or relationship" content (see below for
definition) if either:
- a recipient reasonably interpreting the subject line
of the e-mail message would likely conclude that the
message contains commercial content; or
- the e-mail message’s "transactional or relationship"
content does not appear in whole or substantial part at
the beginning of the body of the message.
- The primary purpose of an e-mail message will be deemed
to be commercial if it contains both commercial content
as well as content that is not transactional or relationship
content if a recipient reasonably interpreting either:
- the subject line of the e-mail message would likely
conclude that the message contains commercial
content; or
- the body of the message would likely conclude that the
primary purpose of the message is commercial.
- The primary purpose of an e-mail message will be deemed
to be transactional or relationship (non-commercial) if it
contains only "transactional or relationship" content.
"Protected Computer" A computer:
- Exclusively for the use of a financial institution or the
United States government, or, in the case of a computer
not exclusively for such use, used by or for a financial
institution or the United States government and the conduct
constituting the offense affects that use by or for the
financial institution or the government; or
- Which is used in interstate or foreign commerce or
communication.
"Recipient" An authorized user of the electronic mail address
to which the message was sent or delivered.
"Sender" A person who initiates an e-mail message and
whose product, service, or Internet Web site is advertised or
promoted by the message.
"Sexually Oriented Material" Any material that depicts
sexually explicit conduct unless the depiction constitutes a
small and insignificant part of the whole.
"Transactional or Relationship E-mail Message" An e-mail
message with the primary purpose of facilitating, completing
or confirming a commercial transaction that the recipient had
previously agreed to enter into; to provide warranty, product
recall, or safety or security information; or subscription,
membership, account, loan, or other information relating to an
ongoing purchase or use.
General Requirements of the CAN-SPAM Statute:
- Prohibits the use of false or misleading transmission
information [§7704(a)(1)] such as:
- False or misleading header information;
- A "from" line that does not accurately identify any
person who initiated the message; and
- Inaccurate or misleading identification of a protected
computer used to initiate the message because the
person initiating the message knowingly uses another
protected computer to relay or retransmit the message
for purposes of disguising its origin.
- Prohibits the use of deceptive subject headings.
[§7704(a)(2)]
- Requires a functioning e-mail return address or other
Internet-based response mechanism. [§7704(a)(3)]
- Requires that commercial e-mail messages be discontinued
within 10 business days after receipt of opt-out notification
from recipient. [§7704(a)(4)]
- Requires a clear and conspicuous identification that the
message is an advertisement or solicitation; clear and
conspicuous notice of the opportunity to decline to receive
further commercial e-mail messages from the sender; and a
valid physical postal address of the sender. [§7704(a)(5)]
- Prohibits address harvesting (obtaining e-mail addresses
using an automated means from an Internet Web site or
proprietary online service operated by another person,
where such service/person, at the time the address was
obtained, had provided a notice stating that the operator
of such Web site or online service will not give, sell, or
otherwise transfer electronic addresses) and dictionary
attacks (obtaining e-mail addresses by using an automated
means that generates possible e-mail addresses by
combining names, letters, or numbers into numerous
permutations). [§7704(b)(1)]
- Prohibits hijacking, the use of automated means to register
for multiple e-mail accounts or online user accounts from
which to transmit, or enable another person to transmit, a
commercial e-mail message that is unlawful. [§7704(b)(2)]
- Prohibits any person from knowingly relaying or
retransmitting a commercial e-mail message that is
unlawful. [§7704(b)(3)]
- Requires warning labels (in the subject line and within the
message body) on commercial e-mail messages containing
sexually oriented material. [§7704(d)]
- Prohibits a person from promoting, or allowing the
promotion of, that person’s trade or business, or goods,
products, property, or services in an unlawful commercial
e-mail message. [§7705(a)]
Examination Objectives:
- Assess the quality of a financial institution’s compliance
program for implementing CAN-SPAM by reviewing the
appropriate policies and procedures and other internal
controls.
- Determine the reliance that can be placed on a financial
institution’s audit or compliance review in monitoring the
institution’s compliance with CAN-SPAM.
- Determine a financial institution’s compliance with CAN-SPAM.
- Initiate effective corrective actions when violations of law
are identified, or when policies or internal controls are
deficient.
Examination Procedures
Initial Procedures
- Through discussions with appropriate management
officials, determine whether or not management has
considered the applicability of CAN-SPAM and what, if
any, steps have been taken to ensure current and future
compliance.
- Through discussions with appropriate management
officials, ascertain whether the financial institution is
subject to CAN-SPAM by determining whether the
financial institution initiates e-mail messages whose
primary purpose is "commercial."
Stop here if the financial institution does not initiate
"commercial" electronic mail. The financial institution is
not subject to CAN-SPAM, and no further examination for
CAN-SPAM is necessary.
- Determine, through a review of available information,
whether the financial institution’s internal controls
are adequate to ensure compliance with CAN-SPAM.
Consider the following:
- Organization chart to determine who is responsible for
the financial institution’s compliance with CAN-SPAM;
- Process flow charts to determine how the financial
institution’s CAN-SPAM compliance is planned for,
evaluated, and achieved;
- Policies and procedures;
- Marketing plans that reflect electronic communication
strategies; and
- Internal checklists, worksheets, and other relevant
documents.
- Review applicable audit and compliance review material,
including work papers, checklists, and reports, to determine
whether:
- Procedures address CAN-SPAM provisions applicable
to the institution;
- Effective corrective action occurred in response to
previously identified deficiencies;
- Audits and reviews performed were reasonable and
accurate;
- Deficiencies, their causes, and the effective corrective
actions are consistently reported to management or the
members of the board of directors; and
- Frequency of the compliance review is satisfactory.
- Review a sample of complaints to determine whether or not
any potential violations of CAN-SPAM exist.
- Based on the review of complaints that pertain to aspects of
CAN-SPAM, revise the scope of examination focusing on
the areas of particular risk. The verification procedures to
be employed depend upon the adequacy of the institution’s
compliance program and level of risk identified.
Verification Procedures
- Obtain a list of products or services that the financial
institution has promoted with e-mail.
- Obtain a sample of the e-mail messages to determine
whether those messages had "commercial" promotion as
their primary purpose.
- Through review of e-mail messages whose primary
purpose is "commercial," verify that the messages comply
with the CAN-SPAM provisions:
- Do not use false or misleading transmission
information [§7704(a)(1)] such as:
- False or misleading header information;
- A "from" line that does not accurately identify any
person who initiated the message; and
- Inaccurate or misleading identification of a protected
computer used to initiate the message.
- Do not use deceptive subject headings. [§7704(a)(2)]
- Provide a functioning e-mail return address or other
Internet-based response mechanism. [§7704(a)(3)]
- Provide a clear and conspicuous identification that
the message is an advertisement or solicitation; clear
and conspicuous notice of the opportunity to decline
to receive further commercial e-mail messages from
the sender; and a valid physical postal address of the
sender. [§7704(a)(5)] Note: this provision does not
apply to a commercial e-mail message if the recipient
has given prior affirmative consent to receipt of the
message.
- Do not reflect address harvesting, hijacking, or
dictionary attacks. [Section 7704(b)(1, 2)]
- Provide a warning label (in the subject and within
the message body) on commercial e-mail messages
containing sexually oriented material. [Section 7704(d)]
- Review any customer requests to opt out of receiving any
additional e-mail messages from the institution. [Section
7704(a)(4)] Confirm that there are controls in place to
discontinue commercial e-mail messages within 10 days of
receipt of opt-out notification.
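The verification steps above can be run mechanically against a send log. The following is an added example, not the handbook's or any institution's code: it checks constructed message records for the required §7704(a)(3) and (a)(5) elements (waived where the recipient gave prior affirmative consent) and flags commercial messages sent more than 10 days after an opt-out was received. The record layout, the field names and the sample data are assumptions.

```python
"""Check a constructed commercial e-mail send log against the CAN-SPAM points
above: required message elements and opt-outs honored within 10 days.
Added example only; not code from the handbook or any institution."""
from dataclasses import dataclass
from datetime import date, timedelta

OPT_OUT_DEADLINE_DAYS = 10  # sends must stop within 10 days of the opt-out notice


@dataclass
class Message:
    recipient: str
    sent_on: date
    commercial: bool            # primary purpose is commercial promotion
    prior_consent: bool         # recipient gave prior affirmative consent
    return_address_works: bool  # functioning reply address or response mechanism
    identified_as_ad: bool      # clearly identified as an advertisement/solicitation
    opt_out_notice: bool        # clear notice of how to decline further messages
    postal_address: bool        # valid physical postal address of the sender


def element_findings(msg: Message) -> list:
    """§7704(a)(3) and (a)(5) elements; (a)(5) does not apply with prior consent."""
    if not msg.commercial:
        return []  # transactional or relationship messages are outside these checks
    found = []
    if not msg.return_address_works:
        found.append("no-functioning-return-address")
    if not msg.prior_consent:
        if not msg.identified_as_ad:
            found.append("not-identified-as-advertisement")
        if not msg.opt_out_notice:
            found.append("no-opt-out-notice")
        if not msg.postal_address:
            found.append("no-postal-address")
    return found


def late_sends(messages, opt_outs: dict) -> list:
    """Commercial messages sent more than 10 days after the recipient's opt-out.
    opt_outs maps recipient -> date the opt-out request was received."""
    late = []
    for m in messages:
        received = opt_outs.get(m.recipient)
        if m.commercial and received and \
                m.sent_on > received + timedelta(days=OPT_OUT_DEADLINE_DAYS):
            late.append((m.recipient, m.sent_on))
    return late


# Constructed sample data: addresses and dates are invented for illustration.
OPT_OUTS = {"a@example.com": date(2023, 4, 1), "b@example.com": date(2023, 4, 10)}
LOG = [
    # day 7 after opt-out: still inside the 10-day window
    Message("a@example.com", date(2023, 4, 8), True, False, True, True, True, True),
    # day 11 after opt-out: late
    Message("a@example.com", date(2023, 4, 12), True, False, True, True, True, True),
    # non-commercial message to an opted-out recipient: not covered
    Message("b@example.com", date(2023, 4, 20), False, False, True, False, False, False),
    # commercial, no consent, missing return address and ad identification
    Message("c@example.com", date(2023, 4, 5), True, False, False, False, True, True),
    # commercial with prior consent: the (a)(5) elements are not required
    Message("d@example.com", date(2023, 4, 5), True, True, True, False, False, False),
]


def audit(messages=LOG, opt_outs=OPT_OUTS) -> dict:
    """Return late sends and, per message index, any missing elements."""
    elements = {i: element_findings(m) for i, m in enumerate(messages)}
    return {"late_sends": late_sends(messages, opt_outs),
            "element_findings": {i: f for i, f in elements.items() if f}}
```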
Conclusions
- Summarize all findings, supervisory concerns, and
regulatory violations.
- For the violation(s), determine the root cause by identifying
weaknesses in internal controls, audit and compliance
reviews, training, management oversight, or other factors;
also, determine whether the violation(s) are repetitive or
systemic.
- Identify action needed to correct violations and weaknesses
in the institution’s compliance program.
- Discuss findings with the institution’s management and
obtain a commitment for corrective action.
- Record violations according to agency policy to facilitate
analysis and reporting.
References
Federal Trade Commission Resources
Job Aids
CAN-SPAM Examination Worksheet
This worksheet can be used to review audit work papers, to
evaluate bank policies, to perform transaction testing, and
to train as appropriate. Complete only those aspects of the
worksheet that specifically relate to the issue being reviewed,
evaluated, or tested, and retain those completed sections in the
work papers.
| Examination Worksheet—CAN-SPAM | Yes | No |
|---|---|---|
| 1. Does the financial institution initiate e-mail messages where the primary purpose is “commercial?” If No, stop here. If Yes, continue to question #2. | | |
| For the questions below, every “No” answer indicates a potential violation of the regulation and/or an internal control deficiency that must be explained fully in the work papers. | | |
| Prohibition Against Misleading Information | | |
| 2. In the sending of commercial e-mail messages, does the financial institution prohibit the following: [15 USC 7704(a)(1)] | | |
| • Use of false or misleading header information in commercial e-mail messages. | | |
| • Use of a “from” line that does not accurately identify the sender. | | |
| • Inaccurate or misleading identification of a protected computer to send commercial e-mail messages in order to disguise the e-mail message’s origin. | | |
| 3. Does the financial institution prohibit the use of deceptive or misleading headings in the subject line of commercial e-mail messages? [15 USC 7704(a)(2)] | | |
| 4. Does the financial institution use a functioning e-mail return address or other response mechanism to which consumers can reply or opt out of receiving future commercial e-mail messages? [15 USC 7704(a)(3)] | | |
| • Are these mechanisms displayed in a clear and conspicuous manner? | | |
| Opt-Out Provisions | | |
| 5. Does the financial institution prohibit future transmissions of commercial e-mail messages within 10 business days of receiving the opt-out request? [15 USC 7704(a)(4)] | | |
| Clear and Conspicuous Identification | | |
| 6. Does the financial institution’s commercial e-mail message provide the following information clearly and conspicuously: [15 USC 7704(a)(5)] | | |
| • Identification that the e-mail message is an advertisement or solicitation. NOTE: This provision does not apply to a commercial e-mail message if the recipient has given prior affirmative consent to receipt of the message. | | |
| • A notice of the option to decline further commercial e-mail messages from the sender. | | |
| • A valid physical postal address of the sender. | | |
| Transmission of Commercial E-mail Messages | | |
| 7. Does the financial institution prohibit the use of address harvesting or dictionary attacks as a means of obtaining consumer e-mail addresses? [15 USC 7704(b)(1)] | | |
| 8. Does the financial institution prohibit the automated creation of multiple e-mail accounts or online accounts that falsify e-mail message identification and transmit unlawful commercial e-mail messages? [15 USC 7704(b)(2)] | | |
| 9. Does the financial institution prevent the transmission of unlawful commercial e-mail messages by persons who access financial institution computers or computer network systems without authorization? [15 USC 7704(b)(3)] | | |
| Sexually Oriented Material | | |
| 10. Does the financial institution refrain from transmitting sexually oriented material in commercial e-mail messages without warning labels in the subject line and message body? [15 USC 7704(d)] | | |
Telephone Consumer Protection Act
Introduction
The Federal Communications Commission (FCC) has
issued regulations that establish a national "Do-Not-Call"
registry and other modifications to the Telephone Consumer
Protection Act of 1991 (TCPA). The FCC regulations
impose financial penalties on all commercial telemarketers
for calling phone numbers on the "Do-Not-Call" registry.
For those numbers not on the registry, the regulations set
a maximum rate on the number of abandoned calls and
require telemarketers to transmit caller ID information. The
regulations also modify the FCC’s unsolicited facsimile
advertising requirements, which in turn were modified by the
Junk Fax Prevention Act of 2005 and became effective on July
9, 2005. The FCC regulations were, generally, effective as of
October 1, 2003.
The FCC regulation expanded coverage of the national
"Do-Not-Call" registry by including banks, insurance
companies, credit unions, and savings associations. The
Federal Trade Commission’s (FTC) telemarketing regulations
parallel the FCC regulations and apply to all other business
entities, including third parties acting as agent or on behalf of
a financial institution.
Key Definitions:
"Abandoned Call" A telephone call that is not transferred
to a live sales agent within two seconds of the recipient’s
completed greeting.
"Automatic Telephone Dialing System and Autodialer"
Equipment that has the capacity to store or produce telephone
numbers to be called using a random or sequential number
generator and the capability to dial such numbers.
"Established Business Relationship" A prior or existing
relationship between a person or entity and a residential
subscriber based on the subscriber’s purchase or transaction
with the entity within the 18 months immediately preceding
the date of the telephone call or on the basis of the subscriber’s
inquiry or application regarding products or services offered
by the entity within the three months immediately preceding
the date of the call, and neither party has previously terminated
the relationship. An individual may reasonably expect that
an affiliate is included in an established business relationship
based on products offered or the identity of the affiliate.
"Residential Subscriber" An individual who has contracted
with a common carrier to provide telephone exchange service
at a personal residence.
"Seller" The person or entity on whose behalf a telephone
call or message is initiated for the purpose of encouraging
purchase or rental of, or investment in, property, goods, or
services, which is transmitted to any person.
"Telemarketer" The person or entity that initiates a telephone
call or message for the purpose of encouraging the purchase or
rental of, or investment in, property, goods, or services, which
is transmitted to any person.
"Telemarketing" The initiation of a telephone call or
message for the purpose of encouraging the purchase or rental
of, or investment in, property, goods, or services, which is
transmitted to any person.
"Telephone Solicitation" The initiation of a telephone call
or message for the purpose of encouraging the purchase or
rental of, or investment in, property, goods, or services, which
is transmitted to any person. Telephone solicitation does not
include a call or message to any person with that person’s
permission, to any person with whom the caller has an
established business relationship, or on behalf of a tax-exempt
nonprofit organization.
"Unsolicited Advertisement" Any material that advertises
the commercial availability or quality of any property, goods,
or services, which is transmitted to any person without that
person’s prior express invitation or permission.
General Requirements of TCPA
The FCC regulations that implement the Telephone Consumer
Protection Act of 1991 provide consumers with options to
avoid unwanted telephone solicitations. The regulations
address the following:
- The FCC’s adoption of a national "Do-Not-Call" registry
that expands coverage to entities regulated by the FTC.
- Under the FCC’s rules, no seller or entity telemarketing on
behalf of the seller can initiate a telephone solicitation to
a residential telephone subscriber who has registered his
or her telephone number on the national "Do-Not-Call"
registry. A safe harbor exists for an inadvertent violation
of this requirement if the telemarketer can demonstrate
that the violation was an error and that its routine practices
include:
- Written procedures.
- Training of personnel.
- Maintenance of a list of telephone numbers excluded
from contact.
- Use of a version of the national "Do-Not-Call"
registry obtained no more than three months prior to
the date any call is made (with records to document
compliance).
- Process to ensure that it does not sell, rent, lease,
purchase, or use the do-not-call database in any manner
except in compliance with regulations. [47 CFR
64.1200(c)(2)(i)]
- Companies must maintain company-specific do-not-call
lists reflecting the names of customers with established
business relationships who have requested to be excluded
from telemarketing. Such requests must be honored for five
years. [47 CFR 64.1200(d)(6)]
- Telemarketing calls can only be made between the hours of
8 a.m. and 9 p.m. (local time at the called party’s location).
[47 CFR 64.1200(c)(1)]
- All telemarketers must comply with limits on "abandoned
calls" and employ other consumer-friendly practices
when using automated telephone-dialing equipment. A
telemarketer must abandon no more than 3 percent of
calls answered by a person and must deliver a prerecorded
identification message when abandoning a call. Two or
more telephone lines of a multi-line business are not to be
called simultaneously. Telemarketers must disconnect an
unanswered telemarketing call prior to at least 15 seconds
or four rings. All businesses that use autodialers to sell
services must maintain records documenting compliance
with call abandonment rules. [47 CFR 64.1200(a)(4, 5 and
6)]
- All prerecorded messages, whether delivered by automated
dialing equipment or not, must identify the name of the
entity responsible for initiating the call, along with the
telephone number of that entity that can be used during
normal business hours to ask not to be called again. [47
CFR 64.1200(b)]
- All telemarketers must transmit caller ID information,
when available, and must refrain from blocking any such
transmission(s) to the consumer. [47 CFR 64.1601(e)]
- Unsolicited fax transmissions must be preceded by the
advertiser’s receipt of the express written permission
and signature of the intended recipient, unless there
is an "existing business relationship." However, the
express permission cannot be conveyed through the
use of a "negative option." Businesses that advertise by
fax are required to maintain records demonstrating that
recipients have provided express permission to send
fax advertisements or that there is an existing business
relationship. [47 CFR 64.1200(a)(3) and 47 USC 227 as
amended by the Junk Fax Prevention Act of 2005]
- Tax-exempt nonprofit organizations are not required to
comply with the do-not-call provisions of the TCPA. [47
CFR 64.1200(d)(7)]
Examination Objectives:
- Assess the quality of a financial institution’s compliance
program for implementing TCPA by reviewing the
appropriate policies, procedures, and other internal
controls.
- Determine the reliance that can be placed on a financial
institution’s audit or compliance review in monitoring the
institution’s compliance with TCPA.
- Determine a financial institution’s compliance with TCPA.
- Initiate effective corrective actions when violations of law
are identified, or when policies or internal controls are
deficient.
Examination Procedures
Initial Procedures
- Through discussions with appropriate management
officials, determine whether or not management has
considered the applicability of TCPA and what, if any, steps
have been taken to ensure current and future compliance.
- Through discussions with appropriate management
officials, ascertain whether the financial institution is
subject to TCPA by determining whether it or a third-party
telemarketing firm engages in any form of telephone
solicitation.
Stop here if the financial institution itself does not engage
directly or indirectly through a third-party telemarketing
firm, in any form of telephone solicitation via telephone or
facsimile machine. The financial institution is not subject to
TCPA, and no further examination for TCPA is necessary.
- Determine, through a review of available information,
whether the financial institution’s internal controls are
adequate to ensure compliance with TCPA. Consider the
following:
- Organization chart to determine who is responsible for
the financial institution’s compliance with TCPA;
- Process flow charts to determine how the financial
institution’s TCPA compliance is planned for, evaluated,
and achieved;
- Policies and procedures that address:
- Recording a telephone subscriber’s request not to
receive calls from a particular financial institution
and the maintenance of those recordings for five
years.
- Placement of the telephone subscriber’s name,
if given, and telephone number on the financial
institution’s do-not-call list.
- Maintenance of the list of telephone numbers that
the financial institution may not contact.
- Compliance with the national do-not-call rules.
- Use of a telephone facsimile machine, computer, or
other device to send an unsolicited advertisement to
a telephone facsimile machine.
- Training of the financial institution’s personnel engaged
in telemarketing as to the existence and use of the
financial institution’s do-not-call list and the national
do-not-call rules; [47 CFR 64.1200(d)(2)]
- Process for recording a telephone subscriber’s request
not to receive calls and to place the subscriber’s name,
if provided, and telephone number on a do-not-call list;
[47 CFR 64.1200(d)(3)]
- Process used to access the national do-not-call
database; [47 CFR 64.1200(c)(2)(i)(D)]
- Process to ensure that the financial institution (and any
third-party engaged in making telemarketing calls on
behalf of the financial institution) does not sell, rent,
lease, purchase, or use the national do-not-call database
for any purpose except for compliance with the TCPA;
[47 CFR 64.1200(c)(2)(i)(E)]
- Process to ensure that telemarketers making
telemarketing calls are providing the called party
with the name of the individual caller, the name of
the financial institution on whose behalf the call is
being made, and a telephone number (that is not a 900
number or a long distance number) or address at which
the financial institution may be contacted; [47 CFR
64.1200(d)(4)] and
- Internal checklists, worksheets, and other relevant
documents.
- Review applicable audit and compliance review material,
including work papers, checklists, and reports, to determine
whether:
- The procedures address the TCPA provisions applicable
to the institution;
- Effective corrective action occurred in response to
previously identified deficiencies;
- The audits and compliance reviews performed were
reasonable and accurate;
- Deficiencies, their causes, and the effective corrective
actions are consistently reported to management or the
members of the board of directors; and
- The frequency of the compliance review is satisfactory.
- Review a sample of complaints to determine whether or not
any potential violations of TCPA exist.
- Based on the review of complaints that pertain to aspects
of TCPA, revise the scope of examination focusing on the
areas of particular risk. The verification procedures to be
employed depend upon the adequacy of the institution’s
compliance program and level of risk identified.
Verification Procedures
- Obtain a list of marketing or promotional programs
for products and services that the financial institution
promoted with telemarketing either directly or through a
third-party vendor.
- Obtain a sample of data, or through testing or
management’s demonstration, for at least one program,
determine whether:
Do-Not-Call List
- The institution or its third-party vendor verified
whether the subscriber’s telephone number was listed
on the national "Do-Not-Call" registry. [47 CFR
64.1200(c)(2)]
- If the telephone subscriber is on the national "Do-Not-
Call" registry and a telemarketing call is made, the
existence of an established business relationship
between the subscriber and the financial institution can
be confirmed [47 CFR 64.1200(f)(3)] or the safe harbor
conditions have been met. [47 CFR 64.1200(d)]
- Through testing or management’s demonstration, verify
that the financial institution has a process to determine
whether it has an established business relationship with
a telephone subscriber. [47 CFR 64.1200(f)(3)]
- A telephone subscriber’s desire to be placed on a
company-specific do-not-call list was honored for five
years. [47 CFR 64.1200(d)(6)]
- The institution or its third-party vendor employs
a version of the national "Do-Not-Call" registry
or portions of the database for areas called that
was obtained no more than three months prior
to the call date (three-month process). [47 CFR
64.1200(c)(2)(i)(D)]
- The institution or its third-party vendor maintains
records to support the three-month process. [47 CFR
64.1200(c)(2)(i)(D)]
- The telephone call was made between the hours of
8 a.m. and 9 p.m. local time for the called party’s
location. [47 CFR 64.1200(c)(1)]
Automated Dialing and Abandoned Calls
- Any calls that were made using artificial or prerecorded
voice messages to a residential telephone number met
the requirements in 47 CFR 64.1200(a)(6)(i).
- The name, telephone number, and purpose of the
call were provided to the subscriber if the call was
abandoned. [47 CFR 64.1200(a)(6)]
- The institution or its third-party vendor maintains
appropriate documentation of abandoned calls,
sufficient to determine whether they exceed the 3
percent limit in the 30-day period reviewed. [47 CFR
64.1200(a)(6)]
- The institution or its third-party vendor transmits caller
identification information. [47 CFR 64.1601(e)]
- Ensure that the financial institution does not participate
in any purchase-sharing arrangement for access
to the national "Do-Not-Call" registry. [47 CFR
64.1200(c)(2)(i)(E)]
- Observe call center operations, if appropriate, to verify
abandoned call practices regarding ring duration and
two-second transfer rule. [47 CFR 64.1200(a)(6)]
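The general requirements and the verification steps above reduce to a handful of numeric tests that an examiner can apply to call records. The following is an added example, not the handbook's or any institution's code: over constructed call records it checks the 8 a.m. to 9 p.m. local calling window, the three-month age limit on the registry version, national registry hits without an established business relationship (purchase within 18 months or inquiry within three months), company-specific requests inside their five-year term, and the 3 percent abandonment limit over a 30-day period. The record layout, the fixed time-zone offsets and the sample data are assumptions; the safe-harbor showing and signed written agreements are not modelled.

```python
"""Audit constructed telemarketing call records against the TCPA thresholds
summarized in this section. Added illustration only, not agency or
institution code; safe-harbor proof and signed agreements are not modelled."""
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone

CALLING_WINDOW = (time(8, 0), time(21, 0))  # 8 a.m. to 9 p.m., called party's local time
ABANDON_LIMIT = 0.03      # no more than 3 percent of live-answered calls abandoned
DNC_MAX_AGE_MONTHS = 3    # registry version obtained no more than three months before a call
COMPANY_DNC_YEARS = 5     # company-specific do-not-call requests honored for five years
EBR_PURCHASE_MONTHS = 18  # purchase or transaction within 18 months
EBR_INQUIRY_MONTHS = 3    # inquiry or application within three months


@dataclass
class CallRecord:
    number: str
    placed_at: datetime        # timezone-aware dialer timestamp
    called_party_tz: timezone  # called party's local zone (fixed offsets used here)
    answered_live: bool        # answered by a person
    abandoned: bool            # answered live but no agent within two seconds


@dataclass
class ComplianceInputs:
    national_dnc: set            # numbers on the institution's copy of the registry
    national_dnc_obtained: date  # date that registry version was obtained
    company_dnc: dict            # number -> date the do-not-call request was received
    last_purchase: dict          # number -> date of most recent purchase or transaction
    last_inquiry: dict           # number -> date of most recent inquiry or application


def months_before(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day for short months."""
    m = d.month - n
    y = d.year + (m - 1) // 12
    m = (m - 1) % 12 + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))


def local_call_time(call: CallRecord) -> datetime:
    return call.placed_at.astimezone(call.called_party_tz)


def has_established_business_relationship(number, on: date, inp: ComplianceInputs) -> bool:
    """Purchase within 18 months or inquiry within 3 months of the call date."""
    p, q = inp.last_purchase.get(number), inp.last_inquiry.get(number)
    return bool((p and p >= months_before(on, EBR_PURCHASE_MONTHS))
                or (q and q >= months_before(on, EBR_INQUIRY_MONTHS)))


def audit_call(call: CallRecord, inp: ComplianceInputs) -> list:
    """Findings for one call; an empty list means nothing was flagged."""
    local = local_call_time(call)
    on = local.date()
    findings = []
    if inp.national_dnc_obtained < months_before(on, DNC_MAX_AGE_MONTHS):
        findings.append("stale-national-dnc-version")
    if call.number in inp.national_dnc and \
            not has_established_business_relationship(call.number, on, inp):
        findings.append("national-dnc-hit")
    requested = inp.company_dnc.get(call.number)
    if requested and requested >= months_before(on, 12 * COMPANY_DNC_YEARS):
        findings.append("company-dnc-request-active")  # applies even when an EBR exists
    if not (CALLING_WINDOW[0] <= local.time() < CALLING_WINDOW[1]):
        findings.append("outside-calling-hours")
    return findings


def abandonment_rate(calls, window_end: date, days: int = 30) -> float:
    """Share of live-answered calls abandoned in the `days` ending at window_end."""
    start = window_end - timedelta(days=days)
    live = [c for c in calls
            if c.answered_live and start < local_call_time(c).date() <= window_end]
    return sum(c.abandoned for c in live) / len(live) if live else 0.0


def audit_campaign(calls, inp: ComplianceInputs, window_end: date) -> dict:
    rate = abandonment_rate(calls, window_end)
    return {"findings": {i: audit_call(c, inp) for i, c in enumerate(calls)},
            "abandonment_rate": rate,
            "abandonment_exceeds_limit": rate > ABANDON_LIMIT}


# Constructed sample data: numbers, dates and registry contents are invented.
UTC = timezone.utc
EDT = timezone(timedelta(hours=-4), "EDT")  # fixed offsets stand in for IANA zones
PDT = timezone(timedelta(hours=-7), "PDT")
INPUTS = ComplianceInputs(
    national_dnc={"+12025550101", "+13105550102"},
    national_dnc_obtained=date(2023, 1, 10),
    company_dnc={"+14155550103": date(2019, 6, 1)},
    last_purchase={"+12025550101": date(2022, 5, 20)},
    last_inquiry={},
)
CALLS = [
    # on the registry, but a purchase within 18 months gives an EBR; 10:00 EDT
    CallRecord("+12025550101", datetime(2023, 3, 15, 14, 0, tzinfo=UTC), EDT, True, False),
    # on the registry with no EBR; 18:30 PDT on March 14; answered and abandoned
    CallRecord("+13105550102", datetime(2023, 3, 15, 1, 30, tzinfo=UTC), PDT, True, True),
    # company do-not-call request still within five years; 21:30 PDT, outside hours
    CallRecord("+14155550103", datetime(2023, 3, 15, 4, 30, tzinfo=UTC), PDT, False, False),
    # clean number, 12:00 EDT
    CallRecord("+12125550104", datetime(2023, 3, 15, 16, 0, tzinfo=UTC), EDT, True, False),
    # same clean number six weeks later: the registry copy is now older than three months
    CallRecord("+12125550104", datetime(2023, 5, 1, 16, 0, tzinfo=UTC), EDT, True, False),
]
```

Calling `audit_campaign(CALLS, INPUTS, date(2023, 3, 15))` returns the per-call findings and an abandonment rate of one in three live-answered calls, well above the 3 percent limit.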
Conclusions
- Summarize all findings, supervisory concerns, and
regulatory violations.
- For the violation(s), determine the root cause by identifying
weaknesses in internal controls, audit and compliance
reviews, training, management oversight, or other factors;
also, determine whether the violation(s) are repetitive or
systemic.
- Identify action needed to correct violations and weaknesses
in the institution’s compliance program.
- Discuss findings with the institution’s management, and
obtain a commitment for corrective action.
- Record violations according to agency policy to facilitate
analysis and reporting.
References
Federal Trade Commission Resources
Job Aids
Telephone Consumer Protection Act Worksheet
This worksheet can be used to review audit work papers, to
evaluate bank policies, to perform transaction testing, and
to train as appropriate. Complete only those aspects of the
worksheet that specifically relate to the issue being reviewed,
evaluated, or tested, and retain those completed sections in the
work papers.
| Examination Worksheet—Telephone Consumer Protection Act | Yes | No |
|---|---|---|
| 1. Does the financial institution or any third-party vendor engage in telemarketing activities on the financial institution’s behalf? If No, stop here. If Yes, continue to question #2. | | |
| For the questions below, every “No” answer indicates a potential violation of the regulation and/or an internal control deficiency that must be explained fully in the work papers. | | |
| Delivery Restrictions (47 CFR 64.1200) | | |
| 2. The financial institution engaged in telemarketing is registered on the FTC’s Web site as a seller. | | |
| 3. Each financial institution affiliate engaged in telemarketing also is registered on the FTC’s Web site and does not rely on the financial institution’s registration. | | |
| 4. The financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) refrains from initiating any telephone call using an automatic telephone dialing system or an artificial or prerecorded voice to: | | |
| • A paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged. [47 CFR 64.1200(a)(1)] | | |
| • A residential line without the express prior consent of the called party. [47 CFR 64.1200(a)(2)] | | |
| 5. The financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) refrains from using a telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine without an established business relationship or express written permission from the recipient. [47 USC 227 as amended by the Junk Fax Prevention Act of 2005] | | |
| 6. The financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) refrains from using an automatic telephone dialing system in such a way that two or more telephone lines of a multi-line business are engaged simultaneously. [47 CFR 64.1200(a)(4)] | | |
| 7. The financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) refrains from disconnecting an unanswered telemarketing call prior to at least 15 seconds or four rings. [47 CFR 64.1200(a)(5)] | | |
| 8. The financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) refrains from abandoning more than 3 percent of all telemarketing calls that are answered live by a person, measured over a 30-day period. [47 CFR 64.1200(a)(6)] | | |
| 9. For an abandoned call, the information provided is limited to the name and telephone number of the business, entity, or individual on whose behalf the call was placed and that the call was made for “telemarketing purposes.” [47 CFR 64.1200(a)(6)] | | |
| 10. The financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) refrains from using any technology to dial any telephone number for determining whether the line is a facsimile or voice line. [47 CFR 64.1200(a)(7)] | | |
| 11. If the financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) uses an automatic or prerecorded telephone message, determine whether: [47 CFR 64.1200(b)] | | |
| • At the beginning of the message, the business, individual, or other entity initiating the call is clearly identified. | | |
| • The name of the business responsible for initiating the call is stated. | | |
| • The name of the business responsible for initiating the call is registered with the appropriate regulatory authority. | | |
| • During the message, the telephone number for the business responsible for initiating the call is provided. | | |
| • The number provided is available during regular business hours. | | |
| 12. The financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) initiates all calls to residential subscribers between the hours of 8 a.m. and 9 p.m. (local time of the called party’s location). [47 CFR 64.1200(c)(1)] | | |
| 13. Prior to initiating any call, the financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) checks the national “Do-Not-Call” registry to verify that the residential telephone subscriber’s number is not listed. [47 CFR 64.1200(c)(2)] | | |
| 14. If the financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) calls a subscriber whose number appears on the “Do-Not-Call” registry, does it meet one of the following criteria: | | |
| • It can demonstrate that the violation is the result of an error and that its routine business practices meet the minimum standards set forth in the regulation. [47 CFR 64.1200(c)(2)(i)] | | |
| • It has the subscriber’s prior express invitation or permission evidenced by a signed, written agreement that includes a telephone number to which the calls may be placed. [47 CFR 64.1200(c)(2)(ii)] | | |
| • It has a personal relationship with the recipient of the call. [47 CFR 64.1200(c)(2)(iii)] | | |
| 15. The financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) has a process to provide the called party with the following information: | | |
| • The name of the individual caller. | | |
| • The name of the person or entity on whose behalf the call is being made. | | |
| • A telephone number or address at which the entity may be contacted. [47 CFR 64.1200(d)(4)] | | |
| 16. The financial institution has a process in place that considers whether an established business relationship should extend to an affiliate. [47 CFR 64.1200(f)(ii)] | | |
| 17. The financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) maintains a do-not-call record listing callers’ requests not to receive further telemarketing calls. [47 CFR 64.1200(d)(6)] | | |
| 18. The financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) honors a caller’s request not to receive telemarketing calls for five years from the time the request is made. [47 CFR 64.1200(d)(6)] | | |
| 19. The financial institution (or third party engaged in making telemarketing calls on the financial institution’s behalf) transmits caller identification information. [47 CFR 64.1601(e)] | | |
Fair Credit Reporting Act
Introduction
The Fair Credit Reporting Act (FCRA) (15 USC §§1681-
1681u) became effective on April 25, 1971. The FCRA is a
part of a group of acts contained in the Federal Consumer
Credit Protection Act (15 USC §1601 et seq.), such as the
Truth in Lending Act and the Fair Debt Collection Practices
Act. Congress subsequently passed the Consumer Credit
Reporting Reform Act of 1996 (Pub. L. No. 104-208, 110
Stat. 3009-426), which substantially revised the FCRA. These
revisions generally became effective on September 30, 1997.
Minor amendments to the FCRA were made in 1997 and 1998.
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102, 113 Stat.
1338 (1999)) made additional changes, including provisions
removing a previous statutory prohibition against conducting
routine FCRA examinations, and permitting regulations to be
adopted to implement the requirements of the FCRA.
The FCRA was substantively amended in 2003 upon the
passage of the Fair and Accurate Credit Transactions Act
of 2003 (FACT Act) (Pub. L. No. 108-159, 117 Stat. 1952).
The FACT Act created many new responsibilities for
consumer reporting agencies and users of consumer reports.
It contained many new consumer disclosure requirements
as well as provisions to address identity theft. In addition, it
provided free annual consumer report rights for consumers
and improved access to consumer report information to
help increase the accuracy of data in the consumer reporting
system.
The FCRA contains significant responsibilities for business
entities that are consumer reporting agencies and lesser
responsibilities for those that are not. Generally, financial
institutions are not considered to function as consumer
reporting agencies; however, depending on the degree to which
their information sharing business practices approximate those
of a consumer reporting agency, they can be deemed as such.
In addition to the requirements related to financial institutions
acting as consumer reporting agencies, FCRA requirements
also apply to financial institutions that operate in the following
capacities:
- Procurers and users of information (for example, as credit
grantors, purchasers of dealer paper, or when opening
deposit accounts);
- Furnishers and transmitters of information (by reporting
information to consumer reporting agencies or other third
parties, or to affiliates);
- Marketers of credit or insurance products; or
- Employers.
Structure and Overview of Examination Modules
The examination procedures are structured as a series of
modules, grouping similar requirements together. General
information about each of the requirements is followed by the
examination steps.
Financial institutions are subject to a number of different
requirements under the FCRA. Some are contained directly
in the statute, others are in regulations issued jointly by the
FFIEC agencies, and others still are contained in regulations
issued by the Federal Reserve Board and/or the Federal
Trade Commission. The Job Aids at the end of this section
contain a matrix of the different statutory and regulatory
cites applicable to financial institutions that are not consumer
reporting agencies. This matrix is sorted by federal regulator.
Key Definitions
There are a number of definitions used throughout the FCRA.
Key definitions include the following:
"Consumer" is defined as an individual.
"Consumer report" is any written, oral, or other
communication of any information by a consumer reporting
agency that bears on a consumer’s creditworthiness, credit
standing, credit capacity, character, general reputation,
personal characteristics, or mode of living which is used or
expected to be used or collected, in whole or in part, for the
purpose of serving as a factor in establishing the consumer’s
eligibility for:
- Credit or insurance to be used primarily for personal,
family, or household purposes;
- Employment purposes; or
- Any other purpose authorized under section 604 (15 USC
§1681b).
The term "consumer report" does not include:
- Any report containing information solely about
transactions or experiences between the consumer and the
institution making the report;
- Any communication of that transaction or experience
information among entities related by common ownership
or affiliated by corporate control (for example, different
banks that are members of the same holding company, or
subsidiary companies of a bank);
- Communication of other information among persons
related by common ownership or affiliated by corporate
control if:
- It is clearly and conspicuously disclosed to the
consumer that the information may be communicated
among such persons; and
- The consumer is given the opportunity, before the time
that the information is communicated, to direct that the
information not be communicated among such persons;
- Any authorization or approval of a specific extension of
credit directly or indirectly by the issuer of a credit card or
similar device;
- Any report in which a person who has been requested by a
third party to make a specific extension of credit directly or
indirectly to a consumer, such as a lender who has received
a request from a broker, conveys his or her decision
with respect to such request, if the third party advises
the consumer of the name and address of the person to
whom the request was made, and such person makes the
disclosures to the consumer required under section 615 (15
USC §1681m); or
- A communication described in subsection (o) or (x) of
section 603 [15 USC §1681a(o)] (which relates to certain
investigative reports and certain reports to prospective
employers).
"Person" means any individual, partnership, corporation,
trust, estate, cooperative, association, government or
governmental subdivision or agency, or other entity.
"Investigative Consumer Report" means a consumer report
or portion thereof in which information on a consumer’s
character, general reputation, personal characteristics, or
mode of living is obtained through personal interviews with
neighbors, friends, or associates of the consumer reported
on or with others with whom he is acquainted or who may
have knowledge concerning any such items of information.
However, such information does not include specific factual
information on a consumer’s credit record obtained directly
from a creditor of the consumer or from a consumer reporting
agency when such information was obtained directly from a
creditor of the consumer or from the consumer.
"Adverse Action" has the same meaning as used in
section 701(d)(6) [15 USC §1691(d)(6)] of the Equal Credit
Opportunity Act ("ECOA"). Under the ECOA, it means a
denial or revocation of credit, a change in the terms of an
existing credit arrangement, or a refusal to grant credit in
substantially the same amount or on terms substantially similar
to those requested. Under the ECOA, the term does not include
a refusal to extend additional credit under an existing credit
arrangement where the applicant is delinquent or otherwise
in default, or where such additional credit would exceed a
previously established credit limit.
The term has the following additional meanings for purposes
of the FCRA:
- A denial or cancellation of, an increase in any charge for,
or a reduction or other adverse or unfavorable change in
the terms of coverage or amount of, any insurance, existing
or applied for, in connection with the underwriting of
insurance;
- A denial of employment or any other decision for
employment purposes that adversely affects any current or
prospective employee;
- A denial or cancellation of, an increase in any charge for,
or any other adverse or unfavorable change in the terms of,
any license or benefit described in section 604(a)(3)(D) [15
USC §1681b(a)(3)(D)]; and
- An action taken or determination that is (a) made in
connection with an application made by, or transaction
initiated by, any consumer, or in connection with a review
of an account to determine whether the consumer continues
to meet the terms of the account, and (b) adverse to the
interests of the consumer.
"Employment Purposes" when used in connection with
a consumer report means a report used for the purpose
of evaluating a consumer for employment, promotion,
reassignment or retention as an employee.
"Consumer Reporting Agency" means any person which,
for monetary fees, dues, or on a cooperative nonprofit basis,
regularly engages in whole or in part in the practice of
assembling or evaluating consumer credit information or
other information on consumers for the purpose of furnishing
consumer reports to third parties, and which uses any means or
facility of interstate commerce for the purpose of preparing or
furnishing consumer reports.
Examination Objectives
- To determine the financial institution’s compliance with the
FCRA.
- To assess the quality of the financial institution’s
compliance management systems and its policies and
procedures for implementing the FCRA.
- To determine the reliance that can be placed on the
financial institution’s internal controls and procedures for
monitoring the institution’s compliance with the FCRA.
- To direct corrective action when violations of law are
identified or when policies or internal controls are deficient.
Examination Procedures
Initial Procedures
The initial procedures are designed to acquaint examiners
with the individual operations and processes of the institution
under examination. These initial steps focus on an institution’s
systems, controls, policies, and procedures, including audits
and previous examination findings.
The applicability of the various sections of the FCRA and
implementing regulations depends on an institution’s unique
operations. The functional examination requirements for
these responsibilities are presented topically in Modules 1
through 6 of these procedures. (Module 6 will be included in a
subsequent amendment to these procedures.)
The FCRA contains many different requirements that a
financial institution must follow, even if it is not a consumer
reporting agency. Subsequent to the passage of the FACT
Act, some of the individual compliance responsibilities are
set forth directly in the statute, while others are within joint,
inter-agency regulations, while still others are set forth in
regulations set by some of the regulatory agencies. The
modules present examination responsibilities by subject
matter, versus strict regulatory or statutory construction.
Initially, examiners should:
- Through discussions with management and review of
available information, determine whether the institution’s
internal controls are adequate to ensure compliance in the
area under review. Consider the following:
- Organization charts
- Process flowcharts
- Policies and procedures
- Loan documentation
- Checklists
- Computer program documentation (for example,
records illustrating the fields and types of data
reported to consumer reporting agencies; automated
records tracking customer opt outs for FCRA affiliate
information sharing; etc.)
- Review any compliance audit material including work
papers and reports to determine whether:
- The scope of the audit addresses all provisions as
applicable;
- Corrective actions were taken to follow up on
previously identified deficiencies;
- The testing includes samples covering all product types
and decision centers;
- The work performed is accurate;
- Significant deficiencies and their causes are included in
reports to management and/or to the board of directors;
and
- The frequency of review is appropriate.
- Review the financial institution’s training materials to
determine whether:
- Appropriate training is provided to individuals
responsible for FCRA compliance and operational
procedures; and
- The training is comprehensive and covers the various
aspects of the FCRA that apply to the individual
financial institution’s operations.
- Through discussions with management, determine which
portions of the six examination modules will apply.
- Complete appropriate examination modules, document
and form conclusions regarding the quality of the financial
institution’s compliance management systems and
compliance with the FCRA.
Module 1: Obtaining Consumer Reports
Overview
Consumer reporting agencies have a significant amount of
personal information about consumers. This information is
invaluable in assessing a consumer’s creditworthiness for a
variety of products and services, including loan and deposit
accounts, insurance, and utility services, among others. Access
to this information is governed by the Fair Credit Reporting
Act (FCRA) to ensure that it is obtained for permissible
purposes and not exploited for illegitimate purposes.
The FCRA requires any prospective "user" of a consumer
report, for example a lender, insurer, landlord, or employer,
among others, to have a legally permissible purpose to obtain
a report.
Section 604 Permissible Purposes of Consumer Reports
and Section 606 Investigative Consumer Reports
Legally Permissible Purposes. The FCRA allows a consumer
reporting agency to furnish a consumer report for the
following circumstances and no other:
- In response to a court order or Federal Grand Jury
subpoena.
- In accordance with the written instructions of the
consumer.
- To a person, including a financial institution, which it has
reason to believe:
- Intends to use the report in connection with a credit
transaction involving the consumer (includes extending,
reviewing, and collecting credit);
- Intends to use the information for employment
purposes;
- Intends to use the information in connection with the
underwriting of insurance involving the consumer;
- Intends to use the information in connection with
a determination of the consumer’s eligibility for a
license or other benefit granted by a governmental
instrumentality that is required by law to consider an
applicant’s financial responsibility;
- Intends to use the information, as a potential investor
or servicer, or current insurer, in connection with
a valuation of, or an assessment of the credit or
prepayment risks associated with, an existing credit
obligation; or
- Otherwise has a legitimate business need for the
information:
- In connection with a business transaction that is
initiated by the consumer; or
- To review an account to determine whether the
consumer continues to meet the terms of the
account.
- In response to a request by the head of a State or local child
support enforcement agency (or authorized appointee) if
the person certifies various information to the consumer
reporting agency regarding the need to obtain the report.
(Generally, this particular purpose does not impact a
financial institution that is not a consumer reporting
agency.)
Prescreened Consumer Reports. Users of consumer reports,
such as financial institutions, may obtain prescreened
consumer reports to make firm offers of credit or insurance
to consumers, unless the consumers have elected to opt out
of being included on prescreened lists. The FCRA contains
many requirements, including an opt out notice requirement
when prescreened consumer reports are used. In addition to
defining prescreened consumer reports, Module 3 covers these
requirements.
Investigative Consumer Reports. Section 606 contains
specific requirements for use of an investigative consumer
report. This type of consumer report contains information
about a consumer’s character, general reputation, personal
characteristics, or mode of living that is obtained in whole or
in part through personal interviews with neighbors, friends, or
associates of the consumer. If a financial institution procures
an investigative consumer report, or causes one to be prepared,
the institution must meet the following requirements:
- The institution clearly and accurately discloses to the
consumer that an investigative consumer report may be
obtained.
- The disclosure contains a statement of the consumer’s
right to request other information about the report, and a
summary of the consumer’s rights under the FCRA.
- The disclosure is in writing and is mailed or otherwise
delivered to the consumer not later than three business days
after the date on which the report was first requested.
- The financial institution procuring the report certifies to
the consumer reporting agency that it has complied with
the disclosure requirements and will comply in the event
that the consumer requests additional disclosures about the
report.
Institution Procedures. Given the preponderance of
electronically available information and the growth of
identity theft, financial institutions should manage the risks
associated with obtaining and using consumer reports.
Financial institutions should employ procedures, controls, or
other safeguards to ensure that consumer reports are obtained
and used only in situations for which there are permissible
purposes. Access to, and storage and destruction of, this
information are dealt with under an institution’s Information
Security Program; however, consumer reports must initially be
obtained in compliance with the FCRA.
Examination Procedures
Section 604 Permissible Purposes of Consumer Reports
and Section 606 Investigative Consumer Reports
- Determine whether the financial institution obtains
consumer reports.
- Determine whether the institution obtains prescreened
consumer reports and/or reports for employment purposes.
If so, complete the appropriate sections of Module 3.
- Determine whether the financial institution procures or
causes to be prepared an investigative consumer report. If
so, ensure that the appropriate disclosure is given to the
consumer within the required time periods. In addition,
ensure that the financial institution certified compliance
with the disclosure requirements to the consumer reporting
agency.
- Evaluate the institution’s procedures to ensure that
consumer reports are obtained only for permissible
purposes. Confirm that the institution certifies to the
consumer reporting agency the purposes for which it will
obtain reports. (The certification is usually contained in a
financial institution’s contract with the consumer reporting
agency.)
- If procedural weaknesses or other risks requiring further
investigation are noted, such as the receipt of several
consumer complaints, review a sample of consumer reports
obtained from a consumer reporting agency and determine
whether the financial institution had permissible purposes to
obtain the reports.
- For example, obtain a copy of a billing statement or
other list of consumer reports obtained by the financial
institution from the consumer reporting agency for a
period of time.
- Compare this list, or a sample from this list to the
institution’s records to ensure that there is a permissible
purpose for the report(s) obtained. This could include
any permissible purpose, such as the consumer applied
for credit, insurance, or employment, etc. The financial
institution may also obtain a report in connection with
the review of an existing account.
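The sampling step above (comparing the consumer reporting agency's billing list against the institution's own records) is, in practice, a reconciliation: every report pull must map to a documented permissible purpose, and a pull with no matching application or open account is an exception for the examiner to follow up. The following is an added example of that reconciliation written as a small Python program; it is not part of the handbook and not an agency tool. All record layouts, the 30-day application window, and the sample pulls, applications and accounts are constructed assumptions for illustration only; an institution would substitute its own billing file and core-system extracts.

```python
"""Reconcile a consumer reporting agency (CRA) billing list of report
pulls against the institution's own records of permissible purposes
(FCRA section 604).  Added example with constructed data; the record
layouts and the 30-day application window are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Application types the institution documents as permissible purposes.
# Anything else (e.g. a marketing list) does not justify a pull.
APPLICATION_PURPOSES = {"credit", "insurance", "employment"}


@dataclass(frozen=True)
class ReportPull:          # one line of the CRA billing statement
    consumer_id: str
    pulled_on: date


@dataclass(frozen=True)
class Application:         # institution's own application record
    consumer_id: str
    purpose: str           # "credit", "insurance", "employment", ...
    received_on: date


@dataclass(frozen=True)
class Account:             # existing account, for the account-review purpose
    consumer_id: str
    opened_on: date
    closed_on: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    pull: ReportPull
    purpose: Optional[str]  # None means no documented permissible purpose

    @property
    def is_exception(self) -> bool:
        return self.purpose is None


def match_purpose(pull: ReportPull, applications: List[Application],
                  accounts: List[Account], window_days: int = 30) -> Optional[str]:
    """Return a description of the permissible purpose supporting the
    pull, or None.  An application counts only if it was received on or
    before the pull and within window_days of it; an account counts only
    if it was open on the pull date (a closed account does not support
    an account review)."""
    earliest = pull.pulled_on - timedelta(days=window_days)
    for app in applications:
        if (app.consumer_id == pull.consumer_id
                and app.purpose in APPLICATION_PURPOSES
                and earliest <= app.received_on <= pull.pulled_on):
            return f"{app.purpose} application received {app.received_on}"
    for acct in accounts:
        if (acct.consumer_id == pull.consumer_id
                and acct.opened_on <= pull.pulled_on
                and (acct.closed_on is None or acct.closed_on >= pull.pulled_on)):
            return f"review of account opened {acct.opened_on}"
    return None


def reconcile(pulls: List[ReportPull], applications: List[Application],
              accounts: List[Account], window_days: int = 30) -> List[Finding]:
    """Map every billed pull to its supporting purpose (or None)."""
    return [Finding(p, match_purpose(p, applications, accounts, window_days))
            for p in pulls]


def exception_consumer_ids(findings: List[Finding]) -> List[str]:
    """Consumer IDs whose pulls lack a documented permissible purpose."""
    return sorted(f.pull.consumer_id for f in findings if f.is_exception)


# Constructed sample data (not real consumers or a real billing file).
SAMPLE_PULLS = [
    ReportPull("C001", date(2024, 3, 5)),   # credit application the day before
    ReportPull("C002", date(2024, 3, 6)),   # no application, but an open account
    ReportPull("C003", date(2024, 3, 7)),   # account closed before the pull
    ReportPull("C004", date(2024, 3, 8)),   # application too old to support it
    ReportPull("C005", date(2024, 3, 9)),   # employment application same day
]
SAMPLE_APPLICATIONS = [
    Application("C001", "credit", date(2024, 3, 4)),
    Application("C003", "marketing", date(2024, 3, 7)),   # not a permissible purpose
    Application("C004", "credit", date(2024, 1, 1)),
    Application("C005", "employment", date(2024, 3, 9)),
]
SAMPLE_ACCOUNTS = [
    Account("C002", date(2021, 6, 1)),
    Account("C003", date(2020, 2, 1), closed_on=date(2023, 12, 15)),
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_PULLS, SAMPLE_APPLICATIONS, SAMPLE_ACCOUNTS):
        status = "EXCEPTION" if f.is_exception else f.purpose
        print(f"{f.pull.consumer_id} pulled {f.pull.pulled_on}: {status}")
```

Run stand-alone, the script lists C003 and C004 as exceptions: the first because a marketing list is not a permissible purpose and the consumer's account was already closed, the second because the only credit application predates the pull by more than the assumed window. Those are exactly the pulls an examiner would trace back to source documents before concluding whether the institution had a permissible purpose.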
Module 2: Obtaining Information and Sharing
Among Affiliates
Overview
The Fair Credit Reporting Act (FCRA) contains many
substantive compliance requirements for consumer reporting
agencies that are designed to help ensure the accuracy and
integrity of the consumer reporting system. As noted in the
definitions section, a consumer reporting agency is a person
that generally furnishes consumer reports to third parties.
By their very nature, banks, credit unions, and thrifts have
a significant amount of consumer information that could
constitute a consumer report, and thus communication of this
information could cause the institution to become a consumer
reporting agency. The FCRA contains several exceptions
that enable a financial institution to communicate this type
of information, within strict guidelines, without becoming a
consumer reporting agency.
Rather than containing strict information sharing prohibitions,
the FCRA creates a business disincentive such that if a
financial institution shares consumer report information
outside of the exceptions, then the institution is a consumer
reporting agency and will be subject to the significant,
substantive requirements of the FCRA applicable to those
entities. Typically, a financial institution will structure its
information sharing practices within the exceptions to avoid
becoming a consumer reporting agency. This examination
module generally covers the various information sharing
practices within these exceptions.
If upon completion of this module, examiners determine that
the financial institution’s information sharing practices fall
outside of these exceptions, the financial institution will be
considered a consumer reporting agency and Module 6 of the
examination procedures should be completed.
Section 603(d) Consumer Report and Information Sharing
Section 603(d) defines a consumer report to include
information about a consumer such as that which bears on a
consumer’s creditworthiness, character, and capacity among
other factors. Communication of this information may cause a
person, including a financial institution, to become a consumer
reporting agency. The statutory definition contains key
exemptions to this definition that enable financial institutions
to share this type of information under certain circumstances,
without becoming consumer reporting agencies. Specifically,
the term "consumer report" does not include:
- A report containing information solely as to transactions
or experiences between the consumer and the financial
institution making the report. A person, including a
financial institution, may share information strictly related
to its own transactions or experiences with a consumer
(such as the consumer’s payment history, or an account
with the institution) with any third party, without regard
to affiliation, without becoming a consumer reporting
agency. This type of information sharing may, however,
be restricted under the Privacy of Consumer Financial
Information regulations that implement the Gramm-
Leach-Bliley Act (GLBA) because it meets the definition
of non-public personal information under the Privacy
regulations; therefore sharing it with non-affiliated third
parties may be subject to an opt out under the privacy
regulations. In turn, the FCRA may also restrict activities
that the GLBA permits. For example, the GLBA permits
a financial institution to share a list of its customers
and information such as their credit scores with another
financial institution to jointly market or sponsor other
financial products or services. This communication may be
considered a consumer report under the FCRA and could
potentially cause the sharing financial institution to become
a consumer reporting agency.
- Communication of such transaction or experience
information among persons, including financial institutions
related by common ownership or affiliated by corporate
control.
- Communication of other information (that is, information
other than transaction or experience information) among persons
and financial institutions related by common ownership
or affiliated by corporate control, if it is clearly and
conspicuously disclosed to the consumer that the
information will be communicated among such entities,
and before the information is initially communicated,
the consumer is given the opportunity to opt out of the
communication. This allows a financial institution to
share other information (that is, information other than
its own transaction and experience information) that
could otherwise be a consumer report, without becoming
a consumer reporting agency under the following
circumstances:
- The sharing of the "other" information is done with
affiliates; and
- Consumers are provided with the notice and an
opportunity to opt out of this sharing before the
information is first communicated among affiliates.
For example, "other" information can include information
provided by a consumer on an application form concerning
accounts with other financial institutions. It can also include
information obtained by a financial institution from a
consumer reporting agency, such as the consumer’s credit
score. If a financial institution shares other information with
affiliates without providing a notice and an opportunity to opt
out, the financial institution may become a consumer reporting
agency subject to all of the other requirements of the FCRA.
The opt out right required by this section must be contained
in a financial institution’s Privacy Notice, as required by the
GLBA and its implementing regulations.
Other Exceptions
Specific extensions of credit. In addition, the term "consumer
report" does not include the communication of a specific
extension of credit directly or indirectly by the issuer of a
credit card or similar device. For example, this exception
allows a lender to communicate an authorization through
the credit card network to a retailer, to enable a consumer to
complete a purchase using a credit card.
Credit Decision to Third Party (e.g., auto dealer). The
term "consumer report" also does not include any report in
which a person, including a financial institution, who has
been requested by a third party to make a specific extension
of credit directly or indirectly to a consumer, conveys the
decision with respect to the request. The third party must
advise the consumer of the name and address of the financial
institution to which the request was made, and such financial
institution makes the adverse action disclosures required by
section 615 of the FCRA. For example, this exception allows
a lender to communicate a credit decision to an automobile
dealer who is arranging financing for a consumer purchasing
an automobile and who requires a loan to finance the
transaction.
Joint User Rule. The Federal Trade Commission staff
commentary discusses another exception known as the "Joint
User Rule." Under this exception, users of consumer reports,
including financial institutions, may share information if they
are jointly involved in the decision to approve a consumer’s
request for a product or service, provided that each has a
permissible purpose to obtain a consumer report on the
individual. For example, a consumer applies for a mortgage
loan that will have a high loan-to-value ratio, and thus the
lender will require private mortgage insurance (PMI) in
order to approve the application. The PMI will be provided
by an outside company. The lender and the PMI company
can share consumer report information about the consumer
because both entities have permissible purposes to obtain the
information and both are jointly involved in the decision to
grant the products to the consumer. This exception applies to
entities that are affiliated or non-affiliated third parties. It is
important to note that the GLBA will still apply to the sharing
of non-public, personal information with non-affiliated third
parties; therefore, financial institutions should be aware that
sharing under the FCRA joint user rule may still be limited or
prohibited by the GLBA.
Examination Procedures
Section 603(d) Consumer Report and Information Sharing
- Review the financial institution’s policies, procedures, and
practices concerning the sharing of consumer information
with third parties, including both affiliated and nonaffiliated
third parties. Determine the type of information
shared and with whom the information is shared. (This
portion of the examination process may overlap with a
review of the institution’s compliance with the Privacy
of Consumer Financial Information Regulations that
implement the Gramm-Leach-Bliley Act.)
- Determine whether the financial institution’s information
sharing practices fall within the exceptions to the definition
of a consumer report. If they do not, the financial
institution could be considered a consumer reporting
agency, in which case Module 6 of the examination
procedures should be completed.
- If the financial institution shares information other than
transaction and experience information with affiliates
subject to an opt out, ensure that information regarding
how to opt out is contained in the institution’s GLBA
Privacy Notice, as required by the Privacy of Consumer
Financial Information regulations.
- If procedural weaknesses are noted or other risks requiring
further investigation are noted, obtain a sample of opt
out rights exercised by consumers and determine if the
financial institution honored the opt out requests by not
sharing "other information" about the consumers with the
institution’s affiliates subsequent to receiving a consumer’s
opt out direction.
Section 604(g) Protection of Medical Information
Section 604(g) generally prohibits creditors from obtaining
and using medical information in connection with any
determination of the consumer’s eligibility, or continued
eligibility, for credit. The statute contains no prohibition on
creditors obtaining or using medical information for other
purposes that are not in connection with a determination of the
consumer’s eligibility, or continued eligibility for credit.
Section 604(g)(5)(A) requires the FFIEC agencies to prescribe
regulations that permit transactions that are determined to be
necessary and appropriate to protect legitimate operational,
transactional, risk, consumer, and other needs (including
administrative verification purposes), consistent with the
Congressional intent to restrict the use of medical information
for inappropriate purposes. On November 22, 2005, the FFIEC
Agencies published final rules in the Federal Register (70 FR
70664). The rules contain the general prohibition on obtaining
or using medical information, and provide exceptions for the
limited circumstances when medical information may be used.
The rules define "credit" and "creditor" as having the same
meanings as in section 702 of the Equal Credit Opportunity
Act (15 USC 1691a).
Obtaining and Using Unsolicited Medical Information. A
creditor does not violate the prohibition on obtaining medical
information if it receives the medical information pertaining
to a consumer in connection with any determination of the
consumer’s eligibility, or continued eligibility, for credit
without specifically requesting medical information. However,
the creditor may only use this medical information in
connection with a determination of the consumer’s eligibility,
or continued eligibility, for credit in accordance with either
the financial information exception or one of the specific
other exceptions provided in the rules. These exceptions are
discussed below.
Financial Information Exception. The rules allow a creditor to
obtain and use medical information pertaining to a consumer
in connection with any determination of the consumer’s
eligibility or continued eligibility for credit, so long as:
- The information is the type of information routinely
used in making credit eligibility determinations, such as
information relating to debts, expenses, income, benefits,
assets, collateral, or the purpose of the loan, including the
use of the loan proceeds;
- The creditor uses the medical information in a manner
and to an extent that is no less favorable than it would use
comparable information that is not medical information in
a credit transaction; AND
- The creditor does not take the consumer’s physical,
mental, or behavioral health, condition or history, type of
treatment, or prognosis into account as part of any such
determination.
The financial information exception is designed in part to
allow creditors to consider a consumer’s medical debts and
expenses in the assessment of that consumer’s ability to repay
the loan according to the loan terms. In addition, the financial
information exception also allows a creditor to consider the
dollar amount and continued eligibility for disability income,
worker’s compensation income, or other benefits related to
health or a medical condition that is relied on as a source of
repayment.
The creditor may use the medical information in a manner
and to an extent that is no less favorable than it would use
comparable, non-medical information. For example, a
consumer includes on an application for credit information
about two $20,000 debts. One debt is to a hospital; the other is
to a retailer. The creditor may use and consider the debt to the
hospital in the same manner in which it considers the debt
to the retailer, such as including the debts in the calculation
of the consumer’s proposed debt-to-income ratio. In addition,
the consumer’s payment history of the debt to the hospital may
be considered in the same manner as the debt to the retailer.
For example, if the creditor does not grant loans to applicants
who have debts that are 90-days past due, the creditor could
consider the past-due status of a debt to the hospital, in the
same manner as the past-due status of a debt to the retailer.
A creditor may use medical information in a manner that
is more favorable to the consumer, according to its regular
policies and procedures. For example, if a creditor has a
routine policy of declining consumers who have a 90-day
past due installment loan to a retailer, but does not decline
consumers who have a 90-day past due debt to a hospital,
the financial information exception would allow a creditor
to continue this policy without violating the rules because in
these cases, the creditor’s treatment of the debt to the hospital
is more favorable to the consumer.
A creditor may not take the consumer’s physical, mental, or
behavioral health, condition or history, type of treatment, or
prognosis into account as part of any determination regarding
the consumer’s eligibility, or continued eligibility for credit.
The creditor may only consider the financial implications as
discussed above, such as the status of a debt to a hospital,
continuance of disability income, etc.
Specific Exceptions for Obtaining and Using Medical
Information. In addition to the financial information exception,
the rules also provide for the following nine specific
exceptions under which a creditor can obtain and use medical
information in its determination of the consumer’s eligibility,
or continued eligibility for credit:
1. To determine whether the use of a power of attorney or
legal representative that is triggered by a medical condition
or event is necessary and appropriate, or whether the
consumer has the legal capacity to contract when a person
seeks to exercise a power of attorney or act as a legal
representative for a consumer based on an asserted medical
condition or event. For example, if Person A is attempting
to act on behalf of Person B under a Power of Attorney that
is invoked based on a medical event, a creditor is allowed
to obtain and use medical information to verify that Person
B has experienced a medical condition or event such that
Person A is allowed to act under the Power of Attorney.
2. To comply with applicable requirements of local, state, or
Federal laws.
3. To determine, at the consumer's request, whether the
consumer qualifies for a legally permissible special credit
program or credit related assistance program that is:
   - Designed to meet the special needs of consumers with
   medical conditions; AND
   - Established and administered pursuant to a written plan
   that:
     - Identifies the class of persons that the program is
     designed to benefit; and
     - Sets forth the procedures and standards for
     extending credit or providing other credit-related
     assistance under the program.
4. To the extent necessary for purposes of fraud prevention or
detection.
5. In the case of credit for the purpose of financing medical
products or services, to determine and verify the medical
purpose of the loan and the use of the proceeds.
6. Consistent with safe and sound banking practices, if the
consumer or the consumer's legal representative requests
that the creditor use medical information in determining the
consumer's eligibility, or continued eligibility, for credit, to
accommodate the consumer's particular circumstances, and
such request is documented by the creditor. For example, at
the consumer's request, a creditor may grant an exception
to its ordinary policy to accommodate a medical condition
that the consumer has experienced. This exception
allows a creditor to consider medical information in this
context, but it does not require a creditor to make such an
accommodation nor does it require a creditor to grant a
loan that is unsafe or unsound.
7. Consistent with safe and sound practices, to determine
whether the provisions of a forbearance practice or
program that is triggered by a medical condition or event
apply to a consumer. For example, if a creditor has a
policy of delaying foreclosure in cases where a consumer
is experiencing a medical hardship, this exception allows
the creditor to use medical information to determine
if the policy would apply to the consumer. Like the
exception listed in item 6 above, this exception does not
require a creditor to grant forbearance; it merely provides
an exception so that a creditor may consider medical
information in these instances.
8. To determine the consumer's eligibility for, the triggering
of, or the reactivation of a debt cancellation contract or
debt suspension agreement if a medical condition or event
is a triggering event for the provision of benefits under the
contract or agreement.
9. To determine the consumer's eligibility for, the triggering
of, or the reactivation of a credit insurance product if a
medical condition or event is a triggering event for the
provision of benefits under the product.
Limits on redisclosure of information. If a creditor subject to
the medical information rules receives medical information
about a consumer from a consumer reporting agency or its
affiliate, the creditor must not disclose that information to any
other person, except as necessary to carry out the purpose for
which the information was initially disclosed, or as otherwise
permitted by statute, regulation, or order.
Sharing medical information with affiliates. In general, the
exclusions from the definition of "consumer report" in section
603(d)(2) of the FCRA allow the sharing of information
among affiliates. With regard to medical information, section
603(d)(3) of the FCRA provides that the exclusions in section
603(d)(2) do not apply when a person subject to the medical
information rules shares the following information with an
affiliate:
- Medical information;
- An individualized list or description based on the payment
transactions of the consumer for medical products or
services; or
- An aggregate list of identified consumers based on payment
transactions for medical products or services.
If a person who is subject to the medical rules shares with
an affiliate the type of information discussed above, the
exclusions from the definition of "consumer report" do not
apply. Effectively, this means that if a person shares medical
information, that person becomes a consumer reporting
agency, subject to all of the other substantive requirements of
the FCRA.
The rules provide exceptions to these limitations on sharing
medical information with affiliates. A person, such as a bank,
thrift, or credit union, may share medical information with
its affiliates without becoming a consumer reporting agency
under the following circumstances:
- In connection with the business of insurance or annuities
(including the activities described in section 18B of
the model Privacy of Consumer Financial and Health
Information Regulation issued by the National Association
of Insurance Commissioners, as in effect on January 1,
2003);
- For any purpose permitted without authorization under
the regulations promulgated by the Department of Health
and Human Services pursuant to the Health Insurance
Portability and Accountability Act of 1996 (HIPAA);
- For any purpose referred to in section 1179 of HIPAA;
- For any purpose described in section 502(e) of the Gramm-
Leach-Bliley Act;
- In connection with a determination of the consumer’s
eligibility, or continued eligibility, for credit consistent with
the financial information exceptions or specific exceptions;
or
- As otherwise permitted by order of an FFIEC agency.
Examination Procedures
- Review the financial institution’s policies, procedures, and
practices concerning the collection and use of medical
information pertaining to a consumer in connection
with any determination of the consumer’s eligibility, or
continued eligibility for credit.
- If the financial institution’s policies, procedures,
and practices allow for obtaining and using medical
information pertaining to a consumer in the context of
a credit transaction, assess whether there are adequate
controls in place to ensure that the information is only used
subject to the financial information exception in the rules,
or under a specific exception within the rules.
- If procedural weaknesses are noted or other risks requiring
further investigation are noted, obtain samples of credit
transactions to determine if the use of medical information
pertaining to a consumer was done strictly under the
financial information exception or the specific exceptions
under the regulation.
- Determine whether the financial institution has adequate
policies and procedures in place to limit the redisclosure of
medical information about a consumer that was received
from a consumer reporting agency or an affiliate.
- Determine whether the financial institution shares medical
information about a consumer with affiliates. If information
is shared, determine whether it occurred under an exception
in the rules that enables the financial institution to share
the information without becoming a consumer reporting
agency.
Section 624 Affiliate Marketing Opt Out
Section 624 of the FCRA requires consumers to be provided
with a notice and an opportunity to opt out of an entity’s use
of certain information received from an affiliate to make
solicitations to the consumer. The federal banking agencies,
the National Credit Union Administration, the Federal Trade
Commission, and the Securities and Exchange Commission
are in the process of developing final regulations to implement
this new opt out requirement. Financial institutions will
not be subject to these requirements until the final rules are
implemented and effective. This section of the examination
procedures will be written upon publication of the final
regulations.
Module 3: Disclosures to Consumers and
Miscellaneous Requirements
Overview
The Fair Credit Reporting Act (FCRA) requires financial
institutions to provide consumers with various notices and
information under a variety of circumstances. This module
contains examination responsibilities for these various areas.
Section 604(b) Use of Consumer Reports for Employment
Purposes
Section 604(b) has specific requirements for financial
institutions that obtain consumer reports on their employees
or prospective employees prior to, and/or during, the term
of employment. The FCRA generally requires the written
permission of the consumer to procure a consumer report for
"employment purposes." Moreover, a clear and conspicuous
disclosure that a consumer report may be obtained for
employment purposes must be provided in writing to the
consumer prior to procuring a report.
Prior to taking any adverse action involving employment that
is based in whole or in part on the consumer report, the user
generally must provide to the consumer:
- A copy of the report; and
- A description in writing of the rights of the consumer
under this title, as prescribed by the FTC under section
609(c)(3).
At the time a financial institution takes adverse action in an
employment situation, the consumer must also be provided
with an adverse action notice, required by section 615,
described later in this module.
Examination Procedures
- Determine whether the financial institution obtains
consumer reports on current or prospective employees.
- Assess the financial institution’s policies and procedures to
ensure that appropriate disclosures are provided to current
and prospective employees when consumer reports are
obtained for employment purposes, including situations
where adverse actions are taken based on consumer report
information.
- If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of the
disclosures to determine if they are accurate and in
compliance with the technical FCRA requirements.
Sections 604(c) and 615(d) of FCRA - Prescreened
Consumer Reports and Opt out Notice [and Parts 642 and
698 of Federal Trade Commission Regulations]
Section 604(c)(1)(B) allows persons, including financial
institutions, to obtain and use consumer reports on any
consumer in connection with any credit or insurance
transaction that is not initiated by the consumer, to make
firm offers of credit or insurance. This process, known as
prescreening, occurs when a financial institution obtains a list
from a consumer reporting agency of consumers who meet
certain predetermined creditworthiness criteria and who have
not elected to be excluded from such lists. These lists may only
contain the following information:
- The name and address of a consumer;
- An identifier that is not unique to the consumer and that is
used by the person solely for the purpose of verifying the
identity of the consumer; and
- Other information pertaining to a consumer that does not
identify the relationship or experience of the consumer
with respect to a particular creditor or other entity.
Each name appearing on the list is considered an individual
consumer report. In order to obtain and use these lists,
financial institutions must make a "firm offer of credit or
insurance" as defined in section 603(l) to each person on the
list. An institution is not required to grant credit or insurance
if the consumer is not creditworthy or insurable, or cannot
furnish required collateral, provided that the underwriting
criteria are determined in advance, and applied consistently.
Example 1: Assume a home mortgage lender obtains a list
from a consumer reporting agency of everyone in County
X, with a current home mortgage loan and a credit score
of 700. The lender will use this list to market a 2nd lien
home equity loan product. The lender’s other non-consumer
report criteria, in addition to those used in the prescreened
list for this product, include a maximum total debt-to-income
ratio (DTI) of 50% or less. Some of the criteria can
be screened by the consumer reporting agency, but others,
such as the DTI, must be determined individually when
consumers respond to the offer. If a consumer responds to
the offer, but already has a DTI of 60%, the lender does not
have to grant the loan.
In addition, the financial institution is allowed to obtain a full
consumer report on anyone responding to the offer to verify
that the consumer continues to meet the creditworthiness
criteria. If the consumer no longer meets those criteria, the
financial institution does not have to grant the loan.
Example 2: On January 1, a credit card lender obtains a
list from a consumer reporting agency of consumers in
County Y who have credit scores of 720, and no previous
bankruptcy records. The lender mails solicitations offering
a pre-approved credit card to everyone on the list on
January 2. On January 31, a consumer responds to the
offer and the lender obtains and reviews a full consumer
report which shows that a bankruptcy record was added
on January 15. Since this consumer no longer meets the
lender’s predetermined criteria, the lender is not required to
issue the credit card.
These basic requirements help prevent financial institutions
from obtaining prescreened lists without following through
with an offer of credit or insurance. The financial institution
must maintain the criteria used for the product (including the
criteria used to generate the prescreened report and any other
criteria such as collateral requirements) on file for a period of
three years, beginning on the date that the offer was made to
the consumer.
Technical Notice and Opt Out Requirements. Section
615(d) contains consumer protections and technical notice
requirements concerning prescreened offers of credit or
insurance. The FCRA requires nationwide consumer reporting
agencies to jointly operate an "opt out" system, whereby
consumers can elect to be excluded from prescreened lists by
calling a toll-free number.
When a financial institution obtains and uses these lists,
it must provide consumers with a Prescreened Opt Out
Notice with the offer of credit or insurance. This notice alerts
consumers that they are receiving the offer because they meet
certain creditworthiness criteria. The notice must also provide
the toll-free telephone number operated by the nationwide
consumer reporting agencies for consumers to call to opt out
of prescreened lists.
The FCRA contains the basic requirement to provide notices
to consumers at the time the prescreened offers are made.
The Federal Trade Commission published an implementing
regulation containing the technical requirements of the notice
at 16 CFR Parts 642 and 698. This regulation is applicable to
anyone, including banks, credit unions, and thrifts that obtain
and use prescreened consumer reports. These requirements
became effective on August 1, 2005; however, the requirement
to provide a notice containing the toll-free opt out telephone
number has existed under the FCRA for many years.
Requirements Beginning August 1, 2005. 16 CFR 642 and
698 of the FTC regulations require a "short" notice and a
"long" notice of the prescreened opt out information be
given with each written solicitation made to consumers using
prescreened consumer reports. These regulations also contain
specific requirements concerning the content and appearance
of these notices. The requirements are listed within the
following paragraphs of these procedures. The regulations
were published on January 31, 2005, in 70 Federal Register
5022.
The short notice must be a clear and conspicuous, simple, and
easy-to-understand statement as follows:
- Content. The short notice must state that the consumer has
the right to opt out of receiving prescreened solicitations,
provide the toll-free number, and direct consumers to the
existence and location of the long notice, and shall state the
title of the long notice. The short notice may not contain
any other information.
- Form. The short notice must be in a type size larger than
the principal text on the same page, but it may not be
smaller than 12 point type. If the notice is provided by
electronic means, it must be larger than the type size of the
principal text on the same page.
- Location. The short form must be on the front side of
the first page of the principal promotional document in
the solicitation, or if provided electronically, it must be
on the same page and in close proximity to the principal
marketing message. The statement must be located so
that it is distinct from other information, such as inside a
border, and must be in a distinct type style, such as bolded,
italicized, underlined, and/or in a color that contrasts with
the principal text on the page, if the solicitation is provided
in more than one color.
The long notice must also be a clear and conspicuous, simple,
and easy to understand statement as follows:
- Content. The long notice must state the information
required by section 615(d) of the FCRA and may not
include any other information that interferes with, detracts
from, contradicts, or otherwise undermines the purpose of
the notice.
- Form. The notice must appear in the solicitation, be in
a type size that is no smaller than the type size of the
principal text on the same page, and, for solicitations
provided other than by electronic means, the type size
may not be smaller than 8-point type. The notice must
begin with a heading in capital letters and underlined, and
identifying the long notice as the "PRESCREEN & OPT
OUT NOTICE." It must be in a type style that is distinct
from the principal type style used on the same page, such
as bolded, italicized, underlined, and/or in a color that
contrasts from the principal text, if the solicitation is in
more than one color. The notice must be set apart from
other text on the page, such as by including a blank line
above and below the statement, and by indenting both the
left and right margins from other text on the page.
The FTC developed model Prescreened Opt Out Notices,
which are contained in Appendix A to 16 CFR 698 of the
FTC’s regulations. Appendix A contains complete sample
solicitations for context. The prescreen notice text is contained
in the following:
Sample Short Notice:
You can choose to stop receiving “prescreened” offers of
[credit or insurance] from this and other companies by
calling toll-free [toll-free number]. See PRESCREEN &
OPT-OUT NOTICE on other side [or other location] for
more information about prescreened offers.
Sample Long Notice:
PRESCREEN & OPT-OUT NOTICE: This “prescreened”
offer of [credit or insurance] is based on information in
your credit report indicating that you meet certain criteria.
This offer is not guaranteed if you do not meet our criteria
[including providing acceptable property as collateral]. If
you do not want to receive prescreened offers of [credit
or insurance] from this and other companies, call the
consumer reporting agencies [or name of consumer
reporting agency] toll-free, [toll-free number]; or write:
[consumer reporting agency name and mailing address].
Examination Procedures
- Determine whether the financial institution obtained and
used prescreened consumer reports in connection with
offers of credit and/or insurance.
- Evaluate the institution’s policies and procedures to ensure
that criteria used for prescreened offers, including all
post-application criteria, are maintained in the institution’s
files and used consistently when consumers respond to the
offers.
- Determine whether written solicitations contain the
required disclosures of the consumers’ right to opt out of
prescreened solicitations and comply with all requirements
applicable at the time of the offer.
- If procedural weaknesses are noted or other risks requiring
further investigation are noted, obtain and review a sample
of approved and denied responses to the offers to ensure
that criteria were appropriately followed.
Section 605(g) Truncation of Credit and Debit Card
Account Numbers
Section 605(g) provides that persons, including financial
institutions, that accept debit and credit cards for the
transaction of business are prohibited from issuing
electronic receipts that contain more than the last five digits
of the card number, or the card expiration dates, at the point
of sale or transaction. This requirement applies only to
electronically generated receipts and does not apply to handwritten
receipts or those developed with an imprint of the card.
For Automatic Teller Machines (ATMs) and Point-of-Sale
(POS) terminals or other machines that were put into operation
before January 1, 2005, this requirement is effective on
December 4, 2006. For ATMs and POS terminals or other
machines that were put into operation on or after January 1,
2005, the effective date is the date of installation.
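The receipt rule above can be checked mechanically. The following is an added example, not code from the handbook or from any regulator: it masks a card number down to its last five digits, renders an electronic receipt that deliberately omits the expiration date, and includes a heuristic scanner an examiner or an internal auditor could run over sample receipt text to flag a full card number or a printed expiration date. The card number, merchant name, amount and authorization code are constructed sample values; the regular expressions are assumptions about common receipt layouts, not a definition from the statute.

```python
import re

# Constructed sample PAN in the shape of a Visa test number (not a real account).
SAMPLE_PAN = "4111 1111 1111 1111"


def truncate_pan(pan: str) -> str:
    """Return the card number with every digit except the last five masked.

    Section 605(g) allows no more than the last five digits on an electronic
    receipt. Masking keeps the original length so the receipt layout is
    unchanged. Non-digit separators in the input are dropped.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must have 13 to 19 digits")
    return "*" * (len(digits) - 5) + digits[-5:]


def render_receipt(merchant: str, amount_cents: int, pan: str,
                   expiry_mmyy: str, auth_code: str) -> str:
    """Build the text of an electronically generated POS receipt.

    The terminal has the expiration date from the card, so the function
    accepts it, but it is never written to the receipt. The PAN is masked.
    """
    _ = expiry_mmyy  # intentionally unused: must not appear on the receipt
    lines = [
        merchant,
        f"AMOUNT  ${amount_cents // 100}.{amount_cents % 100:02d}",
        f"CARD    {truncate_pan(pan)}",
        f"AUTH    {auth_code}",
    ]
    return "\n".join(lines)


# Heuristic (assumption): a run of 13 to 19 digits, optionally separated by
# single spaces or dashes, is treated as a full card number.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Heuristic (assumption): an expiration date is either any 4-digit MMYY after
# an "EXP"-style label, or a bare MM/YY with a slash.
_EXPIRY_RE = re.compile(
    r"\bEXP\w*\.?\s*:?\s*\d{2}[/-]?\d{2}\b|\b(?:0[1-9]|1[0-2])/\d{2}\b",
    re.IGNORECASE,
)


def receipt_is_compliant(text: str) -> bool:
    """True when the receipt text shows neither a full card number nor an
    expiration date. Intended for reviewing sample receipts, as in the
    examination procedures; it is a screen, not a guarantee."""
    return _PAN_RE.search(text) is None and _EXPIRY_RE.search(text) is None


if __name__ == "__main__":
    receipt = render_receipt("EXAMPLE MERCHANT", 4250, SAMPLE_PAN, "12/27", "A1B2C3")
    print(receipt)
    print("compliant:", receipt_is_compliant(receipt))
    print("compliant:", receipt_is_compliant("CARD 4111 1111 1111 1111 EXP 12/27"))
```

The scanner is deliberately conservative: a masked number such as `***********11111` contains only five digits and passes, while a 16-digit run or a labelled expiration date fails. Amounts and alphanumeric authorization codes do not trip either pattern.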
Examination Procedures
- Determine whether the financial institution’s policies and
procedures ensure that electronically generated receipts
from ATM and POS terminals or other machines do not
contain more than the last five digits of the card number
and do not contain the expiration dates.
- For ATMs and POS terminals or other machines that were
put into operation before January 1, 2005, determine if the
institution has brought the terminals into compliance or has
begun a plan to ensure that these terminals comply by the
mandatory compliance date of December 4, 2006.
- If procedural weaknesses are noted or other risks requiring
further investigation are noted, review samples of actual
receipts to ensure compliance.
Section 609(g) Disclosure of Credit Scores by Certain
Mortgage Lenders
Section 609(g) requires financial institutions that make or
arrange mortgage loans using credit scores to provide the
score with accompanying information to the applicants.
Credit score. For purposes of this section, the term "credit
score" is defined as a numerical value or a categorization
derived from a statistical tool or modeling system used
by a person who makes or arranges a loan to predict the
likelihood of certain credit behaviors, including default (and
the numerical value or the categorization derived from such
analysis may also be referred to as a "risk predictor" or "risk
score"). The credit score does not include:
- any mortgage score or rating by an automated underwriting
system that considers one or more factors in addition to
credit information, such as the loan-to-value ratio, the
amount of down payment, or the financial assets of a
consumer; or
- any other elements of the underwriting process or
underwriting decision.
Covered transactions. The disclosure requirement applies to
both closed-end and open-end loans that are for consumer
purposes and are secured by 1-to-4 family residential real
properties, including purchase and refinance transactions.
This requirement will not apply in circumstances that do not
involve a consumer purpose, such as when a borrower obtains
a loan secured by his or her residence to finance his or her
small business.
Specific required notice. Financial institutions in covered
transactions that use credit scores must provide a disclosure
containing the following specific language, which is contained
in section 609(g)(1)(D):
Notice to The Home Loan Applicant
In connection with your application for a home loan, the
lender must disclose to you the score that a consumer
reporting agency distributed to users and the lender used
in connection with your home loan, and the key factors
affecting your credit scores.
The credit score is a computer generated summary
calculated at the time of the request and based on
information that a consumer reporting agency or lender
has on file. The scores are based on data about your credit
history and payment patterns. Credit scores are important
because they are used to assist the lender in determining
whether you will obtain a loan. They may also be used to
determine what interest rate you may be offered on the
mortgage. Credit scores can change over time, depending
on your conduct, how your credit history and payment
patterns change, and how credit scoring technologies
change.
Because the score is based on information in your credit
history, it is very important that you review the credit-related
information that is being furnished to make sure it
is accurate. Credit records may vary from one company to
another.
If you have questions about your credit score or the
credit information that is furnished to you, contact the
consumer reporting agency at the address and telephone
number provided with this notice, or contact the lender,
if the lender developed or generated the credit score. The
consumer reporting agency plays no part in the decision
to take any action on the loan application and is unable
to provide you with specific reasons for the decision on a
loan application.
If you have questions concerning the terms of the loan,
contact the lender.
The notice must include the name, address, and telephone
number of each consumer reporting agency that provided a
credit score that was used.
Credit score and key factors disclosed. In addition to the
notice, financial institutions must also disclose the credit
score, the range of possible scores, the date that the score was
created, and the "key factors" used in the score calculation.
"Key factors" are defined as all relevant elements or reasons
adversely affecting the credit score for the particular
individual, listed in the order of their importance based on
their effect on the credit score. The total number of factors to
be disclosed shall not exceed four factors. However, if one of
the key factors is the number of inquiries into a consumer’s
credit information, then the total number of factors shall not
exceed five. These key factors come from information supplied
by the consumer reporting agencies with any consumer
report that was furnished containing a credit score. (Section
605(d)(2)).
This disclosure requirement applies in any application for a
covered transaction, regardless of the final action taken by
the lender on the application. The FCRA requires a financial
institution to disclose all of the credit scores that were used in
these transactions. For example, if two joint applicants apply
for a mortgage loan to purchase a single-family residence
and the lender uses both credit scores, then both need to be
disclosed. The statute specifically does not require more than
one disclosure per loan; therefore, if multiple scores are used,
all of them can be included in one disclosure containing the
Notice to the Home Loan Applicant.
If a financial institution uses a credit score that was not
obtained directly from a consumer reporting agency, but
may contain some information from a consumer reporting
agency, this disclosure requirement may be satisfied by
providing a score and associated key factor information that
were supplied by a consumer reporting agency. For example,
certain automated underwriting systems generate a score
used in a credit decision. These systems are often populated
by data obtained from a consumer reporting agency. If a
financial institution uses this automated system, the disclosure
requirement may be satisfied by providing the applicants with
a score and key factors supplied by a consumer reporting
agency based on the data, including credit score(s), that were
imported into the automated underwriting system. This will
provide applicants with information about their credit history
and its role in the credit decision, in the spirit of this section of
the statute.
Timing. With regard to the timing of the disclosure, the statute
requires that it be provided as soon as is reasonably practicable
after using a credit score.
Examination Procedures
- Determine whether the financial institution uses credit
scores in connection with applications for closed-end or
open-end loans secured by 1 to 4 family residential real
property.
- Evaluate the institution’s policies and procedures to
determine whether accurate disclosures are provided to
applicants as soon as is reasonably practicable after using
credit scores.
- If procedural weaknesses are noted or other risks
requiring further investigation are noted, review a sample
of disclosures given to home loan applicants to ensure
technical compliance with the requirements.
Section 615(a) and (b) Adverse Action Disclosures
The FCRA requires certain disclosures when adverse actions
are taken with respect to consumers, based on information
received from third parties. Specific disclosures are required
depending upon whether the source of the information is:
a consumer reporting agency, a third party other than a
consumer reporting agency, or an affiliate. The disclosure
requirements are discussed separately below.
Information Obtained From a Consumer Reporting Agency.
Section 615(a) provides that when adverse action is taken with
respect to any consumer that is based in whole or in part on
any information contained in a consumer report, the financial
institution must:
- Provide oral, written, or electronic notice of the adverse
action to the consumer;
- Provide to the consumer orally, in writing, or electronically,
- the name, address, and telephone number of the
consumer reporting agency from which it received the
information (including a toll-free telephone number
established by the agency, if the consumer reporting
agency maintains files on a nationwide basis); and
- a statement that the consumer reporting agency did
not make the decision to take the adverse action and
is unable to provide the consumer the specific reasons
why the adverse action was taken; and
- Provide the consumer an oral, written or electronic
notice of the consumer’s right to obtain a free copy of the
consumer report from the consumer reporting agency,
within 60 days of receiving notice of the adverse action,
and the consumer’s right to dispute the accuracy or
completeness of any information in the consumer report
with the consumer reporting agency.
Information Obtained from a Source Other Than a
Consumer Reporting Agency. Section 615(b)(1) provides that
if credit for personal, family, or household purposes involving
a consumer is denied or the charge for such credit is increased,
partially or wholly on the basis of information obtained from
a person other than a consumer reporting agency and bearing
upon the consumer’s creditworthiness, credit standing, credit
capacity, character, general reputation, personal characteristics,
or mode of living, the financial institution:
- At the time an adverse action is communicated to a
consumer, must clearly and accurately disclose the
consumer’s right to file a written request for the reasons for
the adverse action; and
- If it receives such a request within 60 days after the
consumer learns of the adverse action, must disclose,
within a reasonable period of time, the nature of the
adverse information. The information should be sufficiently
detailed to enable the consumer to evaluate its accuracy.
The source of the information need not be, but may be,
disclosed. In some instances, it may be impossible to
identify the nature of certain information without also
revealing the source.
Information Obtained from an Affiliate. Section 615(b)(2)
provides that if a person, including a financial institution, takes
an adverse action involving credit (taken in connection with a
transaction initiated by a consumer), insurance or employment,
based in whole or in part on information provided by an
affiliate, it must notify the consumer that the information:
- Is furnished to the person taking the action by a person
related by common ownership or affiliated by common
corporate control, to the person taking the action;
- Bears upon the consumer’s creditworthiness, credit
standing, credit capacity, character, general reputation,
personal characteristics, or mode of living;
- Is not information solely involving transactions or
experiences between the consumer and the person
furnishing the information; and
- Is not information in a consumer report.
The notification must inform the consumer of the action and
that the consumer may obtain a disclosure of the nature of the
information relied upon by making a written request within
60 days of transmittal of the adverse action notice. If the
consumer makes such a request, the user must disclose the
nature of the information received from the affiliate not later
than 30 days after receiving the request.
Examination Procedures
- Determine whether the financial institution’s policies and
procedures adequately ensure that appropriate disclosures
are provided when adverse action is taken against
consumers based on information received from consumer
reporting agencies, other third parties, and/or affiliates.
- Review the financial institution’s policies and procedures
for responding to requests for information in response to
these adverse action notices.
- If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of adverse
action notices to determine if they are accurate and in
technical compliance.
Section 615(g) Debt Collector Communications
Concerning Identity Theft
Section 615(g) has specific requirements for financial
institutions that act as debt collectors, that is, the financial
institution collects debts on behalf of a third party that is a
creditor or other user of a consumer report. The requirements
do not apply when a financial institution is collecting its
own loans. When a financial institution is notified that any
information relating to a debt that it is attempting to collect
may be fraudulent or may be the result of identity theft, the
financial institution must notify the third party of this fact.
In addition, if the consumer, to whom the debt purportedly
relates, requests information about the transaction, the
financial institution must provide all of the information the
consumer would otherwise be entitled to if the consumer
wished to dispute the debt under other provisions of law
applicable to the financial institution.
Examination Procedures
- Determine whether the financial institution collects debts
for third parties.
- Determine that the financial institution has policies and
procedures to ensure that the third parties are notified
if the financial institution obtains any information that
may indicate the debt in question is the result of fraud or
identity theft.
- Determine if the institution has effective policies and
procedures to provide information to consumers to whom
the fraudulent debts relate.
- If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of
instances where consumers have alleged identity theft and
requested information related to transactions to ensure
that all of the appropriate information was provided to the
consumer.
Section 615(h) Risk-Based Pricing Notice
Section 615(h) of the FCRA requires users of consumer
reports who grant credit on material terms that are materially
less favorable than the most favorable terms available to a
substantial proportion of consumers who get credit from or
through that person to provide a notice to those consumers
who did not receive the most favorable terms. Implementing
regulations for this section are under development jointly by
the Federal Reserve Board and the Federal Trade Commission.
Financial institutions do not have to provide this notice until
final regulations are implemented and effective. This section of
the examination procedures will be written upon publication of
final rules.
Module 4: Financial Institutions as Furnishers of
Information
Overview
The Fair Credit Reporting Act (FCRA) contains many
responsibilities for financial institutions that furnish
information to consumer reporting agencies. These
requirements generally involve ensuring the accuracy of the
data that is placed in the consumer reporting system. This
examination module includes reviews of the various areas
associated with furnishers of information. This module will
not apply to financial institutions that do not furnish any
information to consumer reporting agencies.
Section 623 Furnishers of Information - General
This subsection of the examination procedures will be
amended upon completion of inter-agency guidance for
institutions regarding the accuracy and integrity of information
furnished to consumer reporting agencies. This guidance is
required by the Fair and Accurate Credit Transactions Act
of 2003 (FACT Act). An interagency working group will
develop and publish guidance for comment, and will finalize
this guidance at a later date. The agencies will also write, at a
later date, rules regarding when furnishers must handle direct
disputes from consumers.
In the interim period, institutions that furnish information to
consumer reporting agencies must comply with the existing
requirements in the FCRA. These requirements generally
require accurate reporting and prompt investigation and
resolution of accuracy disputes. The examination procedures
within this sub-section are based largely on the procedures last
approved by the FFIEC Task Force on Consumer Compliance
in March 2000, but have been revised to include new
requirements under the 2003 amendments to the FCRA that
do not require implementing regulations. Upon completion
of the inter-agency guidance for the accuracy and integrity of
information furnished to consumer reporting agencies, this
subsection will be significantly revised.
Duties of furnishers to provide accurate information. Section
623(a) states that a person, including a financial institution,
may, but need not, specify an address for receipt of notices
from consumers concerning inaccurate information. If the
financial institution specifies such an address, then it may not
furnish information relating to a consumer to any consumer
reporting agency, if (a) the financial institution has been
notified by the consumer, at the specified address, that the
information is inaccurate, and (b) the information is in fact
inaccurate. If the financial institution does not specify an
address, then it may not furnish any information relating to a
consumer to any consumer reporting agency if the financial
institution knows or has reasonable cause to believe that the
information is inaccurate.
When a financial institution that (regularly and in the
ordinary course of business) furnishes information to one
or more consumer reporting agencies about its transactions
or experiences with any consumer determines that any
such information is not complete or accurate, the financial
institution must promptly notify the consumer reporting
agency of that determination. Corrections to that information
or any additional information necessary to make the
information complete and accurate must be provided to the
consumer reporting agency. Further, any information that
remains incomplete or inaccurate must not thereafter be
furnished to the consumer reporting agency.
If the completeness or accuracy of any information furnished
by a financial institution to a consumer reporting agency is
disputed by a consumer, that financial institution may not
furnish the information to any consumer reporting agency
without notice that the information is disputed by the
consumer.
Voluntary closures of accounts. Section 623(a)(4) requires
that any person, including a financial institution, that (regularly
and in the ordinary course of business) furnishes information
to a consumer reporting agency regarding a consumer who
has a credit account with that financial institution, must notify
the consumer reporting agency of the voluntary closure of the
account by the consumer in information regularly furnished
for the period in which the account is closed.
Notice involving delinquent accounts. Section 623(a)(5)
requires that a person, including a financial institution, that
furnishes information to a consumer reporting agency about
a delinquent account being placed for collection, charged
off, or subjected to any similar action, must, not later than
90 days after furnishing the information to the consumer
reporting agency, notify the consumer reporting agency of the
month and year of the commencement of the delinquency that
immediately preceded the action.
Duties upon notice of dispute. Section 623(b) requires that
whenever a financial institution receives a notice of dispute
from a consumer reporting agency regarding the accuracy or
completeness of any information provided by the financial
institution to a consumer reporting agency pursuant to section
611 (Procedure in Case of Disputed Accuracy), that financial
institution must, pursuant to section 623(b):
- Conduct an investigation regarding the disputed
information;
- Review all relevant information provided by the consumer
reporting agency along with the notice;
- Report the results of the investigation to the consumer
reporting agency;
- If the disputed information is found to be incomplete or
inaccurate, report those results to all nationwide consumer
reporting agencies to which the financial institution
previously provided the information; and
- If the disputed information is incomplete, inaccurate, or
not verifiable by the financial institution, the financial
institution must promptly, for purposes of reporting to the
consumer reporting agency:
- Modify the item of information,
- Delete the item of information, or
- Permanently block the reporting of that item of
information.
The investigations, reviews and reports required to be made
must be completed within 30 days. The time period may be
extended for 15 days if a consumer reporting agency receives
additional relevant information from the consumer.
Examination Procedures
- Determine whether the institution provides information to
consumer reporting agencies.
- Review the institution’s policies and procedures to ensure
compliance with the FCRA requirements for furnishing
information to consumer reporting agencies.
- If procedural weaknesses are noted or other risks requiring
further investigation are noted, such as a high number
of consumer complaints regarding the accuracy of their
consumer report information from the financial institution,
select a sample of reported items and the corresponding
loan or collection file to determine that the financial
institution:
- Did not report information that it knew, or had
reasonable cause to believe, was inaccurate. Section
623(a)(1)(A) [15 U.S.C. §1681s-2(a)(1)(A)];
- Did not report information to a consumer reporting
agency if it was notified by the consumer that the
information was inaccurate and the information was, in
fact, inaccurate. Section 623(a)(1)(B) [15 U.S.C. §1681s-
2(a)(1)(B)];
- Did provide the consumer reporting agency with
corrections or additional information to make the
information complete and accurate, and thereafter did
not send the consumer reporting agency the inaccurate
or incomplete information in situations where the
incomplete or inaccurate information was provided.
Section 623(a)(2) [15 U.S.C. §1681s-2(a)(2)];
- Furnished a notice to a consumer reporting agency
of a dispute in situations where a consumer disputed
the completeness or accuracy of any information the
institution furnished, and the institution continued
furnishing the information to a consumer reporting
agency. Section 623(a)(3) [15 U.S.C. §1681s-2(a)(3)];
- Notified the consumer reporting agency of a voluntary
account-closing by the consumer, and did so as part of
the information regularly furnished for the period in
which the account was closed. Section 623(a)(4) [15
U.S.C. §1681s-2(a)(4)]; and
- Notified the consumer reporting agency of the month
and year of commencement of a delinquency that
immediately preceded the action. The notification to
the consumer reporting agency must be made within
90 days of furnishing information about a delinquent
account that was being placed for collection, charged off,
or subjected to any similar action. Section 623(a)(5)
[15 U.S.C. §1681s-2(a)(5)].
- If weaknesses within the financial institution’s procedures
for investigating errors are revealed, review a sample of
notices of disputes received from a consumer reporting
agency and determine whether the institution:
- Conducted an investigation with respect to the disputed
information. Section 623(b)(1)(A) [15 U.S.C. §1681s-
2(b)(1)(A)];
- Reviewed all relevant information provided by the
consumer reporting agency. Section 623(b)(1)(B) [15
U.S.C. §1681s-2(b)(1)(B)];
- Reported the results of the investigation to the
consumer reporting agency. Section 623(b)(1)(C) [15
U.S.C. §1681s-2(b)(1)(C)];
- Reported the results of the investigation to all other
nationwide consumer reporting agencies to which
the information was furnished, if the investigation
found that the reported information was inaccurate or
incomplete. Section 623(b)(1)(D) [15 U.S.C. §1681s-
2(b)(1)(D)]; and
- Modified, deleted, or blocked the reporting of
information that could not be verified.
Section 623(a)(6) Prevention of Re-Pollution of Consumer
Reports
Section 623(a)(6) has specific requirements for furnishers of
information, including financial institutions, to a consumer
reporting agency that receive notice from a consumer
reporting agency that furnished information may be fraudulent
as a result of identity theft. Section 605B requires consumer
reporting agencies to notify furnishers of information,
including financial institutions, that the information may be
the result of identity theft, an identity theft report has been
filed, and that a block has been requested. Upon receiving
such notice, section 623(a)(6) requires financial institutions
to establish and follow reasonable procedures to ensure that
this information is not re-reported to the consumer reporting
agency, thus "re-polluting" the victim’s consumer report.
Examination Procedures
- If the financial institution provides information to a
consumer reporting agency, review the institution’s policies
and procedures to ensure that items of information blocked
due to an alleged identity theft are not re-reported to the
consumer reporting agency.
- If weaknesses are noted within the financial institution’s
policies and procedures, review a sample of notices from
a consumer reporting agency of allegedly fraudulent
information due to identity theft furnished by the financial
institution to ensure that the institution does not re-report
the item to a consumer reporting agency.
- If procedural weaknesses are noted or other risks requiring
further investigation are noted, verify that the financial
institution has not sold or transferred a debt that was
caused by an alleged identity theft.
NOTE: Section 615(f) of the FCRA also prohibits a financial
institution from selling or transferring debt caused by an
alleged identity theft.
Section 623(a)(7) Negative Information Notice
Section 623(a)(7) requires financial institutions to provide consumers
with a notice either before negative information is provided
to a nationwide consumer reporting agency, or within 30 days
after reporting the negative information.
Negative information. For these purposes, negative
information means any information concerning a customer’s
delinquencies, late payments, insolvency, or any form of
default.
Nationwide consumer reporting agency. Section 603(p)
defines a consumer reporting agency as one that compiles
and maintains files on consumers on a nationwide basis and
regularly engages in the practice of assembling or evaluating
and maintaining the following two pieces of information about
consumers residing nationwide for the purpose of furnishing
consumer reports to third parties bearing on a consumer’s
credit worthiness, credit standing, or credit capacity:
- Public Record Information.
- Credit account information from persons who furnish
that information regularly and in the ordinary course of
business.
Institutions may provide this disclosure on or with any notice
of default, any billing statement, or any other materials
provided to the customer, as long as the notice is clear and
conspicuous. Institutions may also choose to provide this
notice to all customers out of an abundance of caution. However,
this notice may not be included in the initial disclosures
provided under section 127(a) of the Truth in Lending Act.
Model text. As required by the FCRA, the Federal Reserve
Board developed the following model text that institutions
can use to comply with these requirements. The first model
contains text to be used when institutions choose to provide
a notice before furnishing negative information. The second
model form contains text to be used when institutions provide
notice within 30 days after reporting negative information:
- Notice prior to communicating negative information
(Model B-1):
"We may report information about your account to credit
bureaus. Late payments, missed payments, or other defaults
on your account may be reflected in your credit report."
- Notice within 30 days after communicating negative
information (Model B-2):
"We have told a credit bureau about a late payment, missed
payment or other default on your account. This information
may be reflected in your credit report."
Use of the model form(s) is not required; however, proper
use of the model forms provides financial institutions with
a safe harbor from liability. Financial institutions may make
certain changes to the language or format of the model notices
without losing the safe harbor from liability provided by the
model notices. The changes to the model notices may not be
so extensive as to affect the substance, clarity, or meaningful
sequence of the language in the model notices. Financial
institutions making such extensive revisions will lose the
safe harbor from liability that the model notices provide.
Acceptable changes include, for example,
- Rearranging the order of the references to "late
payment(s)," or "missed payment(s);"
- Pluralizing the terms "credit bureau," "credit report," and
"account;"
- Specifying the particular type of account on which
information may be furnished, such as "credit card
account;" or
- Rearranging in Model Notice B-1 the phrases "information
about your account" and "to credit bureaus" such that it
would read "We may report to credit bureaus information
about your account."
Examination Procedures
- If the financial institution provides negative information
to a nationwide consumer reporting agency, verify that
the institution’s policies and procedures ensure that the
appropriate notices are provided to customers.
- If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of notices
provided to consumers to determine compliance with the
technical content and timing requirements.
Module 5: Consumer Alerts and Identity Theft
Protections
Overview
The Fair Credit Reporting Act (FCRA) contains several
provisions for both consumer reporting agencies and users
of consumer reports including financial institutions that are
designed to help combat identity theft. This module applies to
financial institutions that are not consumer reporting agencies,
but are users of consumer reports.
Two primary requirements exist: first, a user of a consumer
report that contains a fraud or active duty alert must take steps
to verify the identity of an individual to whom the consumer
report relates, and second, a financial institution must disclose
certain information when consumers allege that they are the
victims of identity theft.
Section 605A(h) Fraud and Active Duty Alerts
Initial fraud and active duty alerts. Consumers who suspect
that they may be the victims of fraud including identity theft
may request nationwide consumer reporting agencies to place
initial fraud alerts in their consumer reports. These alerts
must remain in a consumer’s report for no less than 90 days.
In addition, members of the armed services who are called to
active duty may also request that active duty alerts be placed in
their consumer reports. Active duty alerts must remain in these
service members’ files for no less than 12 months.
Section 605A(h)(1)(B) requires users of consumer reports,
including financial institutions, to verify a consumer’s identity
if a consumer report includes a fraud or active duty alert.
Unless the financial institution uses reasonable policies
and procedures to form a reasonable belief that they know
the identity of the person making the request, the financial
institution may not:
- Establish a new credit plan or extension of credit (other
than under an open-end credit plan) in the name of the
consumer;
- Issue an additional card on an existing account; or
- Increase a credit limit.
Extended Alerts. Consumers who allege that they are the
victim of an identity theft may also place an extended alert,
which lasts seven years, on their consumer report. Extended
alerts require consumers to submit identity theft reports and
appropriate proof of identity to the nationwide consumer
reporting agencies.
Section 605A(h)(2)(B) requires a financial institution that
obtains a consumer report that contains an extended alert to
contact the consumer in person or by the method listed by
the consumer in the alert prior to performing any of the three
actions listed above.
Examination Procedures
- Determine whether the financial institution has effective
policies and procedures in place to verify the identity of
consumers in situations where consumer reports include
fraud and/or active duty military alerts.
- Determine if the financial institution has effective policies
and procedures in place to contact consumers in situations
where consumer reports include extended alerts.
- If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of
transactions in which consumer reports including these
types of alerts were obtained. Verify that the financial
institution complied with the identity verification and/or
consumer contact requirements.
Section 609(e) Information Available to Victims
Section 609(e) requires financial institutions to provide
records of fraudulent transactions to victims of identity theft
within 30 days after the receipt of a request for the records.
These records include the application and business transaction
records under the control of the financial institution whether
maintained by the financial institution or another person on
behalf of the institution (such as a service provider). This
information should be provided to:
- The victim;
- Any federal, state, or local government law enforcement
agency or officer specified by the victim in the request; or
- Any law enforcement agency investigating the identity theft
that was authorized by the victim to take receipt of these
records.
The request for the records must be made by the victim in
writing and be sent to the financial institution to the address
specified by the financial institution for this purpose. The
financial institution may ask the victim to provide information,
if known, regarding the date of the transaction or application,
and any other identifying information such as an account or
transaction number.
Unless the financial institution, at its discretion, otherwise has
a high degree of confidence that it knows the identity of the
victim making the request for information before disclosing
any information to the victim, the financial institution must
take prudent steps to positively identify the person requesting
information. Proof of identity can include:
- A government-issued identification card;
- Personally identifying information of the same type
that was provided to the financial institution by the
unauthorized person; or
- Personally identifiable information that the financial
institution typically requests from new applicants or for
new transactions.
At the election of the financial institution, the victim must
also provide the financial institution with proof of an identity
theft complaint, which may consist of a copy of a police report
evidencing the claim of identity theft and a properly completed
affidavit. The affidavit can be either the standardized affidavit
form prepared by the Federal Trade Commission (published
in April 2005 in 70 Federal Register 21792), or an "affidavit
of fact" that is acceptable to the financial institution for this
purpose.
When these conditions are met, the financial institution must
provide the information at no charge to the victim. However,
the financial institution is not required to provide any
information if, acting in good faith, the financial institution
determines that:
- Section 609(e) does not require disclosure of the
information;
- The financial institution does not have a high degree of
confidence in knowing the true identity of the requestor,
based on the identification and/or proof provided;
- The request for information is based on a misrepresentation
of fact by the requestor; or
- The information requested is Internet navigational data or
similar information about a person’s visit to a web site or
online service.
Examination Procedures
- Review financial institution policies, procedures, and/or
practices to ensure that identities and claims of fraudulent
transactions are verified and that information is properly
disclosed to victims of identity theft and/or appropriately
authorized law enforcement agents.
- If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of these
types of requests to ensure that the financial institution
properly verified the requestor’s identity prior to disclosing
the information.
References
Other resources for FCRA may be found at:
FIL 61-2001: Guidance on the Permissible Use of Consumer
Reports in Certain Business Related Extensions of Credit
http://www.fdic.gov/news/news/financial/2001/fil0161.html
FIL 18-2006: Interagency Fair Credit Reporting Act
Revised Examination Procedures
http://www.fdic.gov/news/news/inactivefinancial/2006/fil06018.html
Electronic version of FFIEC FCRA Examination Procedures
http://fdic01/division/dsc/compliance.html
Statute: Fair Credit Reporting Act
http://www.fdic.gov/regulations/laws/rules/6500-1100.html#6500601
Job Aids
Statutory and Regulatory Matrix
The following table contains the statutory or regulatory cites
for each provision of the FCRA covered by these examination
procedures that are applicable to financial institutions that are
not consumer reporting agencies.[16] Some of the requirements
are self-executing by the statute, while others are contained
in interagency regulations, while others still are contained in
regulations published by only one or two of the regulatory
agencies. Some requirements are subject to regulations that are
not yet finalized and thus are listed as to-be-determined (TBD)
in the table below. The regulatory agencies are listed in the
first horizontal line and the various compliance responsibilities
are presented in the order that they appear in the various
examination modules in the first column. Financial institutions
are subject to the list of cites in the column containing their
primary federal regulator.
Compliance Responsibility | Federal Reserve Board | FDIC | OCC | OTS | NCUA
Module 1 | | | | |
Obtaining Consumer Reports | §604 and §606 of the FCRA | §604 and §606 of the FCRA | §604 and §606 of the FCRA | §604 and §606 of the FCRA | §604 and §606 of the FCRA
Module 2 | | | | |
Information Sharing & Affiliate Sharing Opt Out | §603(d) of the FCRA | §603(d) of the FCRA | §603(d) of the FCRA | §603(d) of the FCRA | §603(d) of the FCRA
Protection of Medical Information | §222 of FRB Regulation | §334 of FDIC Regulations | §41 of OCC Regulations | §571 of OTS Regulations | §717 of NCUA Regulations
Affiliate Marketing Opt Out | TBD | TBD | TBD | TBD | TBD
Module 3 | | | | |
Employment Disclosures | §604(b)(2) of the FCRA | §604(b)(2) of the FCRA | §604(b)(2) of the FCRA | §604(b)(2) of the FCRA | §604(b)(2) of the FCRA
Prescreened Consumer Reports | §604(c) & §615(d) of the FCRA and FTC Regulations Parts 642 and 698 | §604(c) & §615(d) of the FCRA and FTC Regulations Parts 642 and 698 | §604(c) & §615(d) of the FCRA and FTC Regulations Parts 642 and 698 | §604(c) & §615(d) of the FCRA and FTC Regulations Parts 642 and 698 | §604(c) & §615(d) of the FCRA and FTC Regulations Parts 642 and 698
Truncation of Credit and Debit Card Account Numbers | §605(g) of the FCRA | §605(g) of the FCRA | §605(g) of the FCRA | §605(g) of the FCRA | §605(g) of the FCRA
Credit Score Disclosures | §609(g) of the FCRA | §609(g) of the FCRA | §609(g) of the FCRA | §609(g) of the FCRA | §609(g) of the FCRA
Adverse Action Disclosures | §615 of the FCRA | §615 of the FCRA | §615 of the FCRA | §615 of the FCRA | §615 of the FCRA
Debt Collector Communications | §615(g) of the FCRA | §615(g) of the FCRA | §615(g) of the FCRA | §615(g) of the FCRA | §615(g) of the FCRA
Risk-Based Pricing Notice | TBD | TBD | TBD | TBD | TBD
Module 4 | | | | |
Furnishers of Information – General | §623 of the FCRA | §623 of the FCRA | §623 of the FCRA | §623 of the FCRA | §623 of the FCRA
Prevention of Re-Pollution of Reports | §623(a)(6) of the FCRA | §623(a)(6) of the FCRA | §623(a)(6) of the FCRA | §623(a)(6) of the FCRA | §623(a)(6) of the FCRA
Negative Information Notice | §623(a)(7) of the FCRA and Appendix B of §222 of FRB Regulation V | §623(a)(7) of the FCRA and Appendix B of §222 of FRB Regulation V | §623(a)(7) of the FCRA and Appendix B of §222 of FRB Regulation V | §623(a)(7) of the FCRA and Appendix B of §222 of FRB Regulation V | §623(a)(7) of the FCRA and Appendix B of §222 of FRB Regulation V
Module 5 | | | | |
Fraud & Active Duty Alerts | §605A(h)(2)(B) of the FCRA | §605A(h)(2)(B) of the FCRA | §605A(h)(2)(B) of the FCRA | §605A(h)(2)(B) of the FCRA | §605A(h)(2)(B) of the FCRA
Information Available to Victims | §609(e) of the FCRA | §609(e) of the FCRA | §609(e) of the FCRA | §609(e) of the FCRA | §609(e) of the FCRA
Footnotes: