Joint Advisory Opinion - Limits on Disclosing Account Numbers
Federal Reserve Board
National Credit Union Administration
Office of the Comptroller of the Currency
Office of Thrift Supervision

May 25, 2001

Dear :

This letter responds to your letters to the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision (the Agencies) dated . You ask the Agencies to allow financial institutions to disclose unencrypted account numbers to X upon a customer’s express, written consent.

X markets insurance products by direct mail to customers of financial institutions pursuant to joint marketing agreements between X and the financial institutions. Under these agreements, financial institutions disclose lists of their customers’ names, addresses, and encrypted account numbers to

Section 502(d) does not contain any exceptions to this prohibition. Moreover, the general exceptions for notice and opt out under § 502(e) of the Act, including the exception for disclosing information with the consent or at the direction of the consumer, do not apply to the account-number disclosure prohibition under § 502(d). Accordingly, under the Act, and the Agencies’ privacy regulations, 1 a financial institution may not provide its customers’ account numbers to a third party such as X under the circumstances you describe.

Section 504(b) of the Act provides that the Agencies may prescribe exceptions to § 502 that the Agencies deem consistent with the purposes of the Act if the Agencies adopt the exception by rule. Section __.12 of the Agencies’ rules implements the 502(d) prohibition and provides only two exceptions: financial institutions may disclose their account numbers a) to their agents to market the financial institution’s own products or services or b) to their partners in a private label credit card or affinity program. The X disclosure does not fit within either of the limited exceptions that the Agencies have adopted by rule.

The privacy rule makes clear that the statutory prohibition focuses on restricting access to customer accounts. Accordingly, the financial institution itself must retain control of its customers’ account numbers. For instance, one of the limited exceptions to the prohibition against disclosing transaction account numbers permits a financial institution to disclose a customer’s transaction account number to its third party agent or service provider solely to market the institution’s own products or services, provided the third party may not directly initiate a charge to the customer’s account.

In the supplementary information to the regulations, the Agencies explain that while an institution may frequently use agents to assist in marketing, a consumer’s protections are potentially eroded by allowing agents involved in the marketing to have access to a consumer’s account. 65 Fed. Reg. 35162, 35181 (June 1, 2000); see also 65 Fed. Reg. 31722, 31733 (May 18, 2000) (NCUA).

Other aspects of this section make clear that a financial institution may not provide X with transaction account numbers to access customer accounts — that is, to initiate charges. For example, § __.12(c)(1) states that an encrypted account number is not protected from disclosure as long as the financial institution does not provide the third party with the code to decrypt. The Agencies have explained, in the supplementary materials, that such an encrypted number "operates as an identifier attached to an account for internal tracking purposes only." 65 Fed. Reg. at 35182; see also 65 Fed. Reg. at 31733 (NCUA). The Agencies reasoned that encrypting the account numbers would adequately protect consumers because the encryption would prevent the recipient from accessing the consumer’s account. Id.

For similar reasons, the prohibition against disclosing transaction account numbers does not apply to any accounts to which third parties cannot initiate charges. The Agencies have explained that, because a third party cannot post charges to these types of accounts, the numbers for such accounts would not be covered by the prohibition. Id. If a third party could initiate charges to the account, however, the Agencies maintain that disclosure of the account number would be prohibited. Id.

While a financial institution may not provide a customer’s account number to a third party under the circumstances you describe, a financial institution may initiate charges to its customer’s account for a X product where the customer has agreed to purchase the product. Of course, an individual is free to provide X, or any other merchant, with his or her own account number to purchase a product.

We trust that this responds to your question.

Sincerely,