|
May 25, 2001 XXX X XXXXXXXX Re: Limits on Disclosing Account Numbers Dear __________: This letter responds to your letters to the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision (the Agencies) XXXXXXX. You ask the Agencies to allow financial institutions to disclose unencrypted account numbers to XXXXXXXX XXXXXX XXXXX upon a customer’s express, written consent. [paragraph omitted] Section 502(d) of the Gramm-Leach-Bliley Act provides that a “financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.” (Emphasis added.) The primary reason a marketer seeks access to a customer’s account number is to allow the marketer to initiate a charge to the customer’s account as part of the transaction. We believe that interpreting the Act to consider marketing to have ended at the time the customer accepts the product would substantially undermine the prohibition, effectively limiting its application to the sharing of account numbers for tracking purposes while not denying third party marketers access to customer accounts. Section 502(d) does not contain any exceptions to this prohibition. Moreover, the general exceptions for notice and opt out under § 502(e) of the Act, including the exception for disclosing information with the consent or at the direction of the consumer, do not apply to the account number disclosure prohibition under § 502(d). Accordingly, under the Act and the Agencies’ privacy regulations,[1] a financial institution may not provide its customers’ account numbers to a third party, such as XXXX, under the circumstances you describe. Section 504(b) of the Act provides that the Agencies may prescribe exceptions to § 502 that the Agencies deem consistent with the purposes of the Act if the Agencies adopt the exception by rule. Section __. 12 of the Agencies’ rules implements the § 502(d) prohibition and provides only two exceptions: financial institutions may disclose their account numbers a) to their agents to market the financial institution’s own products or services or b) to their partners in a private label credit card or affinity program. The XXXX disclosure does not fit within either of the limited exceptions that the Agencies have adopted by rule. The privacy rule makes clear that the statutory prohibition focuses on restricting access to customer accounts. Accordingly, the financial institution itself must retain control of its customers’ account numbers. For instance, one of the limited exceptions to the prohibition against disclosing transaction account numbers permits a financial institution to disclose a customer’s transaction account number to its third party agent or service provider solely to market the institution’s own products or services, provided the third party may not directly initiate a charge to the customer’s account. In the supplementary information to the regulations, the Agencies explain that while an institution may frequently use agents to assist in marketing, a consumer’s protections are potentially eroded by allowing agents involved in the marketing to have access to a consumer’s account. 65 Fed. Reg. 35162, 35181 (June 1, 2000); see also 65 Fed. Reg. 31722, 31733 (May 18, 2000) (NCUA). Other aspects of this section make clear that a financial institution may not provide XXXX with transaction account numbers to access customer accounts — that is, to initiate charges. For example, § __.12(c)(1) states that an encrypted account number is not protected from disclosure as long as the financial institution does not provide the third party with the code to decrypt. The Agencies explain, in the supplementary materials, that such an encrypted number “operates as an identifier attached to an account for internal tracking purposes only.” 65 Fed. Reg. at 35182; see also 65 Fed. Reg. at 31733 (NCUA). The Agencies reason that encrypting the account numbers would adequately protect consumers because the encryption would prevent the recipient from accessing the consumer’s account. Id. For similar reasons, the prohibition against disclosing transaction account numbers does not apply to any accounts to which third parties cannot initiate charges. The Agencies explain that, because a third party cannot post charges to these types of accounts, the numbers for such accounts would not be covered by the prohibition. Id. If a third party could initiate charges to the account, however, the Agencies maintain that disclosure of the account number would be prohibited. Id. While a financial institution may not provide a customer’s account number to a third party under the circumstances you describe, a financial institution may initiate charges to its customer’s account for a XXXX product where the customer has agreed to purchase the product. Of course, an individual is free to provide XXXX, or any other merchant, with his or her own account number to purchase a product. We trust that this responds to your question.
[1] See 12 C.F.R. Part 40 (OCC); 12 C.F.R. Part 216 (FRB); 12 C.F.R. Part 332 (FDIC); 12 C.F.R. Part 573 (OTS); and 12 C.F.R. Part 716 (NCUA). Each of the Agencies adopted a consumer financial privacy regulation in substantially identical form. Each Agency uses a different part number but identical section numbers in its privacy regulation. In this letter, citations to the regulations use section numbers only, leaving the part numbers blank. |