



Joint Advisory Opinion - Limits on Disclosing Account Numbers


Federal Deposit Insurance Corporation

Federal Reserve Board

National Credit Union Administration

Office of the Comptroller of the Currency

Office of Thrift Supervision

May 25, 2001

Re: Limits on Disclosing Account Numbers

Dear :

This letter responds to your letters to the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision (the Agencies) dated . You ask the Agencies to allow financial institutions to disclose unencrypted account numbers to X upon a customer’s express, written consent.

X markets insurance products by direct mail to customers of financial institutions pursuant to joint marketing agreements between X and the financial institutions. Under these agreements, financial institutions disclose lists of their customers’ names, addresses, and encrypted account numbers to X. Using this information, X mails materials to market its insurance products to financial institution customers. When a customer decides to enroll in an insurance plan, the customer signs an authorization for the customer’s financial institution to provide the customer’s unencrypted account number to X. Upon receiving that unencrypted number, X charges the customer’s account.

Section 502(d) of the Gramm-Leach-Bliley Act provides that a "financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer." (Emphasis added). The primary reason a marketer seeks access to a customer’s account number is to allow the marketer to initiate a charge to the customer’s account as part of the transaction. We believe that interpreting the Act to consider marketing to have ended at the time the customer accepts the product would substantially undermine the prohibition, effectively limiting its application to the sharing of account numbers for tracking purposes, while not denying third-party marketers access to customer accounts.

Section 502(d) does not contain any exceptions to this prohibition. Moreover, the general exceptions for notice and opt out under § 502(e) of the Act, including the exception for disclosing information with the consent or at the direction of the consumer, do not apply to the account-number disclosure prohibition under § 502(d). Accordingly, under the Act, and the Agencies’ privacy regulations, 1 a financial institution may not provide its customers’ account numbers to a third party such as X under the circumstances you describe.

Section 504(b) of the Act provides that the Agencies may prescribe exceptions to § 502 that the Agencies deem consistent with the purposes of the Act if the Agencies adopt the exception by rule. Section § __.12 of the Agencies’ rules implements the 502(d) prohibition and provides only two exceptions: financial institutions may disclose their account numbers a) to their agents to market the financial institution’s own products or services or b) to their partners in a private label credit card or affinity program. The X disclosure does not fit within either of the limited exceptions that the Agencies have adopted by rule.

The privacy rule makes clear that the statutory prohibition focuses on restricting access to customer accounts. Accordingly, the financial institution itself must retain control of its customers’ account numbers. For instance, one of the limited exceptions to the prohibition against disclosing transaction account numbers permits a financial institution to disclose a customer’s transaction account number to its third party agent or service provider solely to market the institution’s own products or services, provided the third party may not directly initiate a charge to the customer’s account. In the supplementary information to the regulations, the Agencies explain that while an institution may frequently use agents to assist in marketing, a consumer’s protections are potentially eroded by allowing agents involved in the marketing to have access to a consumer’s account. 65 Fed. Reg. 35162, 35181 (June 1, 2000); see also 65 Fed. Reg. 31722, 31733 (May 18, 2000) (NCUA).

Other aspects of this section make clear that a financial institution may not provide X with transaction account numbers to access customer accounts — that is, to initiate charges. For example, § __.12(c)(1) states that an encrypted account number is not protected from disclosure as long as the financial institution does not provide the third party with the code to decrypt. The Agencies have explained, in the supplementary materials, that such an encrypted number "operates as an identifier attached to an account for internal tracking purposes only." 65 Fed. Reg. at 35182; see also 65 Fed. Reg. at 31733 (NCUA). The Agencies reasoned that encrypting the account numbers would adequately protect consumers because the encryption would prevent the recipient from accessing the consumer’s account. Id. For similar reasons, the prohibition against disclosing transaction account numbers does not apply to any accounts to which third parties cannot initiate charges. The Agencies have explained that, because a third party cannot post charges to these types of accounts, the numbers for such accounts would not be covered by the prohibition. Id. If a third party could initiate charges to the account, however, the Agencies maintain that disclosure of the account number would be prohibited. Id.

While a financial institution may not provide a customer’s account number to a third party under the circumstances you describe, a financial institution may initiate charges to its customer’s account for a X product where the customer has agreed to purchase the product. Of course, an individual is free to provide X, or any other merchant, with his or her own account number to purchase a product.

1 See 12 C.F.R. Part 40 (OCC); 12 C.F.R. Part 216 (FRB); 12 C.F.R. Part 332 (FDIC); 12 C.F.R. Part 573 (OTS); and 12 C.F.R. Part 716 (NCUA). Each of the Agencies adopted a consumer financial privacy regulation in substantially identical form. Each Agency uses a different part number but identical section numbers in its privacy regulation. In this letter, citations to the regulations use section numbers only, leaving the part numbers blank.

We trust that this responds to your question. 

Sincerely, 

J. Virgil Mattingly
General Counsel
Board of Governors of the Federal Reserve

William F. Kroener, III
General Counsel
Federal Deposit Insurance Corporation

Robert M. Fenner
General Counsel
National Credit Union Administration

Julie L. Williams
First Senior Deputy Comptroller and Chief Counsel
Office of the Comptroller of the Currency

Carolyn J. Buck
Chief Counsel
Office of Thrift Supervision

Last Updated 06/11/2001 regs@fdic.gov
