Consumer Privacy
Frequently Asked Questions for the Privacy Regulation
December 2001
Contents
A. Financial institutions, products, and services that are covered under the Privacy
Rule (q. 1-5)
B. Individuals who are entitled to receive notices (q. 1-5)
C. Delivering your privacy notices (q. 1-9)
D. Providing notices to joint account holders (q. 1-5)
E. Complying with the opt out provisions for joint account holders (q. 1-4)
F. Delivering opt out notices and providing consumers with a reasonable opportunity
to opt out (q. 1-7)
G. Complying with the limitations on redisclosure and reuse of nonpublic personal
information (q. 1-7)
H. Complying with the limitation on disclosing account numbers (q. 1-2)
I. Disclosing nonpublic personal information under the exceptions to the notice
and opt out provisions (q. 1-12)
J. Complying with the exception to the opt out provisions for joint marketing arrangements
(q. 1-5)
Staff of the National Credit Union Administration (NCUA), the Board of Governors
of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office
of the Comptroller of the Currency, and the Office of Thrift Supervision developed
the following Frequently Asked Questions (FAQs) to assist financial institutions
in complying with the privacy provisions of the Gramm-Leach-Bliley Act (GLB Act)
and the agencies’ consumer privacy regulations. NCUA’s consumer privacy regulation,
12 C.F.R. Part 716, differs slightly from the banking agencies’ regulations because
of the nature of credit union structure and operations. Credit unions must consider
the differences in NCUA’s regulation when using this staff guidance.
These FAQs illustrate how select provisions of the regulations apply to specific
situations a financial institution may confront. This staff guidance addresses a
financial institution’s obligations only under sections 502-509 of the GLB Act and
the agencies’ consumer privacy regulations and does not address the applicability
of the Fair Credit Reporting Act or any other federal or state law that may pertain
to the questions and answers. Staff may supplement or revise these FAQs as necessary
or appropriate in light of further questions and experience.
A. Financial institutions, products, and services that are covered under the Privacy Rule
A.1. Q. Who must comply with the Privacy Rule?
A. Any financial institution that provides financial products or services to consumers
must comply with the privacy provisions of Title V of the Gramm-Leach-Bliley Act
(“GLB Act”) (15 U.S.C. §§ 6801-09) and the Privacy Rule. Under the banking agencies’
and NCUA’s rules,[1] you
are a financial institution if you engage in an activity that is financial in nature
or incidental to a financial activity, as described in §4(k) of the Bank Holding
Company Act of 1956 (“BHC Act”) (12 U.S.C. §1843(k)). For purposes of the banking agencies’ and NCUA’s rules, activities
“described in §4(k) of the BHC Act” include the activities specifically listed in
§4(k) and any additional activities the Board, in consultation with the Secretary
of the Treasury, determines to be financial in nature or incidental to a financial
activity in accordance with §4(k).
Section 225.86 of the Board’s Regulation Y lists or otherwise references
the activities that are financial in nature as of the date of these FAQs. See
12 C.F.R. 225.86. Note, however, that additional activities the Board authorizes
in the future, such as activities approved by Board order, may not necessarily be
listed at § 225.86.
Authorized financial activities as of the date of these FAQs include but are not
limited to the following:
Lending, exchanging, transferring, investing for others, or safeguarding money or
securities;
Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability,
or death, or providing and issuing annuities, either as principal, agent, or broker;
and
Providing financial advice, underwriting, dealing in, or making a market in securities.
You have consumers if you provide your financial products or services to individuals
to be used primarily for their personal, family, or household purposes.
Additionally, the Privacy Rule restricts the use and disclosure of nonpublic personal
information obtained from a nonaffiliated financial institution, as discussed below.
A.2. Q. I am a small financial institution with no affiliates. I do not disclose
information about my customers or consumers to anyone, except as permitted by an
exception under §§ ___.14 and ___.15 of the Privacy Rule.[2] Does the Privacy Rule apply to a small operation like
mine?
A. Yes. You have responsibilities under the Privacy Rule regardless of your size,
affiliate relationships, or information collection and disclosure practices. The
Privacy Rule is focused not only on regulating the disclosure of financial information
about customers and consumers, but also on requiring each financial institution
to provide initial and annual notices of its policies to its customers. You may,
however, provide notice in a simplified form, as illustrated by the notice described
in §___.6(c)(5).
A.3. Q. I provide trust services. In this capacity, I serve as the trustee of trusts
whose beneficiaries are individuals. Does the Privacy Rule apply to my trust operations?
A. When you act as a trustee, you have a relationship with the trust. Because the
trust itself is not an individual, it is not a consumer under the Privacy Rule.
Even if the grantor and all the beneficiaries are individuals, neither the grantor
nor any of the beneficiaries are your consumers solely because of their relationship
to the trust. If, for example, the trust requires you, as trustee, to transfer money
to a beneficiary, you provide that financial service to the trust rather than the
individual who is the beneficiary. In other words, grantors and beneficiaries of
a trust are not your consumers unless they directly obtain a financial product and
service from you for their personal, family, or household purposes. Accordingly,
you do not have any obligations under the Privacy Rule with respect to the trust.
Your duties as a fiduciary, however, may require you to maintain the confidentiality
of information about the trust, its grantor, and its beneficiaries.
A.4. Q. I act as a custodian for Individual Retirement Arrangements (“IRAs”). Are
the individuals who own the IRAs my customers?
A. Yes. An individual who establishes an IRA account for which you act as a custodian
has obtained a financial product or service that is to be used primarily for personal,
family, or household purposes; therefore, he or she is a consumer. When an individual
selects you to act as custodian for his or her IRA, the individual enters into a
continuing relationship with you and becomes your customer under the Privacy Rule.
By contrast, an individual who is a participant or a beneficiary of an employee
benefit plan that you sponsor or for which you act as trustee or fiduciary is not
your customer because your relationship in that case is with the plan.
A.5. Q. I am a tax return preparer and I understand that I may be subject to the
Privacy Rule concerning the disclosure of my clients’ nonpublic personal information.
However, I also am subject to section 7216 of the Internal Revenue Code, which restricts
the use and disclosure of my customers’ federal tax return information. Do the privacy
provisions of the GLB Act and the Privacy Rule supersede the restrictions in section
7216? May I now disclose my customers’ federal income tax return information after
I provide them with the proper notices and give my customers a reasonable opportunity
to opt out?
A. No. The Privacy Rule does not supersede the restrictions in section 7216. The
GLB Act and the Agencies’ implementing regulations do not authorize a financial
institution to disclose nonpublic personal information in a way that is prohibited
by some other law. Therefore, you may not avoid the restrictions of section 7216
by providing your customers with an opt out notice and a reasonable opportunity
to opt out.
B. Individuals who are entitled to receive notices
B.1. Q. Why does the Privacy Rule sometimes refer to consumers and other times to
customers? Aren’t customers also consumers?
A. All customers are consumers, but not all consumers are customers.
A consumer is an individual who obtains a financial product or service from you
that is primarily for personal, family, or household purposes. A financial product
or service includes the evaluation or brokerage of information collected in connection
with a request or application, such as a bank’s review of loan application materials
to determine whether an applicant qualifies for a loan. A customer is a type of
consumer, namely, an individual who has an ongoing relationship with you under which
you provide a financial product or service. Note that neither a business nor an
individual who obtains a financial product or service for business purposes is a
consumer or a customer under the Privacy Rule.
The rule distinguishes consumers from customers because your responsibilities to
provide notices to consumers and to customers differ in several respects.
You must give all your customers initial privacy notices.
You must give initial notices (or short form notices) to consumers who are not your
customers only if you intend to disclose nonpublic personal information about
those consumers to nonaffiliated third parties (unless an exception in §§___.14
or ___.15 applies such that no initial notice is required prior to the disclosure).
You must give annual privacy notices to your customers as long as they remain your
customers.
You are never required to send annual notices to consumers who are not your
customers.
It is important to remember that all consumers are entitled to the same protection
from disclosures of nonpublic personal information under this regulation regardless
of whether they are customers. You therefore must not disclose the nonpublic personal
information of any consumer or any customer to any nonaffiliated third party outside
of the exceptions in §§___.13 – ___.15 unless you provide a privacy notice and a
reasonable opportunity to opt out, and the consumer or customer does not opt out.
B.2. Q. I occasionally make business loans to sole proprietors. Do I have to provide
them with a privacy notice?
A. Although a sole proprietor is an individual, if the sole proprietor obtains a
loan from you for business purposes he or she is not a “consumer” for purposes of
the Privacy Rule. Therefore, you do not have to provide any privacy notices to the
sole proprietor.
B.3. Q. Is a guarantor or an endorser of a consumer loan considered my consumer
or customer?
A. A guarantor or endorser of a consumer loan is your customer because the individual
assumes secondary liability on the loan he or she guarantees or endorses and thereby
receives an extension of credit from you. You may, however, treat the primary borrower
and the guarantor or endorser as joint account holders. As a result, you may deliver
a single privacy notice to the joint account holders in accordance with §___.9(g).
If you disclose information to nonaffiliated third parties outside of the exceptions
in §§___.13 – ___.15, you must also provide the primary borrower and the guarantor/endorser
with an opportunity to opt out. You may deliver a single opt out notice to the joint
account holders under §___.7(d).
B.4. Q. Non-U.S.-resident consumers conduct business at my U.S. offices. Do the
privacy regulations apply in cases where consumers live in another country?
A. Yes. The privacy regulations apply to all United States offices of entities for
which the federal financial institution regulators have primary supervisory authority,
regardless of where the consumer lives.
B.5. Q. Is a person who only browses my web site my consumer?
A. No. The person does not obtain a financial product or service from you merely
by browsing your web site.
C. Delivering your privacy notices
C.1. Q. I issue credit cards to consumers. Very often, I take credit card applications
by telephone and approve them within minutes. My customers wish to begin using their
new accounts right away. When must I deliver initial notices in these cases?
A. You cannot deliver your privacy notice solely by explaining it over the telephone.
However, you may provide an initial notice within a reasonable time after establishing
a customer relationship if (i) providing it when you establish that relationship
would substantially delay the customer’s transaction, and (ii) the customer agrees
to a later delivery. In the case of approving a credit card application by telephone,
waiting until you have time to mail the notice would substantially delay the customer’s
use of a new credit account. As long as your new customer agrees to receive the
notice later, you may deliver it within a reasonable time after establishing the
customer relationship.
Notwithstanding that exception, delayed delivery of an initial notice does not alter
the restrictions on disclosing nonpublic personal information. That is, if you delay
delivering your initial notice to a customer, you may not disclose that customer’s
nonpublic personal information to any nonaffiliated third party (except as permitted
by the exceptions under §§ ___.14 and ___.15) before you provide the notices and
a reasonable opportunity to opt out, in accordance with §§ ___.7 and ___.10.
C.2. Q. I am a financial institution with several subsidiaries. Must each affiliated
financial institution issue a separate privacy notice? If affiliated financial institutions
are permitted to combine their notices, how may we identify them in the notice?
A. You and your subsidiaries may share common privacy policies and practices and
you may combine your respective privacy notices into a joint notice. However, any
joint notice must be accurate as to each institution, must be clear and conspicuous,
and must identify which institutions it covers.
You do not have to list each financial institution by its particular legal name.
Instead, if each institution shares the “ABC” name, then the joint notice could
state that it applies to “all institutions with the ABC name” or “in the ABC family
of companies.” Conversely, if an affiliated institution does not have ABC in its
name, then your notice must separately identify that institution.
C.3. Q. My privacy notice must identify “categories” of nonpublic personal information
I collect and categories of affiliates and nonaffiliated third parties with which
I share that information. How detailed do the categories need to be?
A. The Privacy Rule does not require your privacy notices to describe in detail
the information you collect or disclose. Moreover, you are not required to identify
by name parties to whom you may make disclosures. Rather, you may describe the types,
or categories, of information you collect and disclose, and the types of third parties
to whom you disclose the information. These categories must be representative of
your policies and practices. Because the examples in the rule that describe categories
of information and parties to whom you disclose information are not exclusive, you
may describe the items in §___.6(a)(1)-(9) that apply to you by using other reasonably
understandable language that informs a consumer about your privacy policies and
practices. You also may use different language and may provide additional
detail as appropriate to explain your policies and practices to your consumers.
In addition, the Privacy Rule requires you to address only those items that
apply to you. Your initial notice must accurately describe your policies and procedures
as of the time you provide the notice to a consumer or customer. A notice also may
be accurate even if it reflects anticipated as well as current policies and practices.
C.4. Q. Won’t my annual notice look just like my initial notice?
A. The initial and annual notices may be identical because the required contents
for your initial notice are the same as those for your annual notice. You must,
of course, incorporate any revisions you make to your privacy policy into your annual
notice.
Your annual notice, like your initial notice, must describe any right of consumers
to opt out of disclosures you may make and must describe how consumers may opt out.
If the only opt out method you allow is for consumers to send you a specific opt
out form, then you must include that form with your initial and annual notices.
C.5. Q. After I provide an initial privacy notice to my customer, the Privacy Rule
requires me to deliver privacy notices to that customer not less than annually during
the continuation of the customer relationship. What does “annually” mean?
A. “Annually” means at least once in any period of
12 consecutive months during which a customer relationship exists. If you use the
calendar year as your notice period, you have the flexibility to give the first
annual notice to a customer at any point in the calendar year following the year
in which the customer relationship is established. Thereafter, you are expected
to provide annual notices on a consistent basis. Any period of more than 12 consecutive
months between annual notices should have an appropriate business justification.
C.6. Q. Can I combine my privacy notice with other consumer disclosures, such as
those under the Truth in Lending Act (Regulation Z) or the Truth in Savings Act
(Regulation DD)?
A. The Privacy Rule does not prohibit you from combining your privacy notices with
other information. However, you still must comply with all applicable requirements,
such as those governing form, content, and delivery of notices. For example, if
you combine your privacy notice with a disclosure under Regulation Z or Regulation
DD, each component of the combined notice/disclosure must comply with the “clear
and conspicuous” requirements in the regulation governing that component.
C.7. Q. I do not disclose any nonpublic personal information about my customers
to any affiliates or nonaffiliated third parties, except under the conditions described
in §§___.14 and ___.15 (exceptions to notice and opt out requirements). What aspects
of my privacy policies and practices must my notice address?
A. In this case, you may use a simplified notice. A simplified notice is sufficient
if it:
Describes the categories of nonpublic personal information you collect;
States the fact that you do not share nonpublic personal information about your
customers or former customers to affiliates or nonaffiliated third parties, except
as authorized by law; and
Describes your policies and practices for protecting the confidentiality and security
of consumers’ nonpublic personal information (under §501(b) of the GLB Act).
C.8. Q. I own and operate several ATMs. Many consumers who use them are not my customers.
I disclose to nonaffiliated third parties nonpublic personal information about those
consumers other than as permitted by the exceptions in §§ ___.14 or ___.15, so I
must provide them with the required notices when they use my ATMs. But ATM screens
are very small. Am I required to purchase machines with screens large enough to
hold my privacy policy? Must I make consumers click through dozens of tiny screens
of information?
A. Neither new machines nor multiple screens are necessary. You must provide an
opt out notice, as required under §___.7. This notice must state that you disclose
nonpublic personal information about the consumer to nonaffiliated third parties,
state that the consumer has a right to opt out of that disclosure, and provide a
reasonable opportunity for the consumer to opt out (such as by requiring the consumer
to decide whether to opt out as a necessary part of the transaction). §___.10(a)(3)(iii).
In addition to the opt out notice, you must provide an initial privacy notice. For
consumers who are not your customers, you may provide a short-form initial notice
with an opt out notice. §___.6(d). This short-form notice must state that your privacy
policy is available upon request and it must describe a reasonable means for the
consumer to get your privacy notice. As with any privacy notice, the opt out notice
and the short-form initial notice must be clear, conspicuous, and accurate. These
notices must be delivered in a manner so that the consumer can agree to receive
the notices electronically, such as by acknowledging receipt of the notices as a
necessary step to completing the transaction at the ATM. §___.9(a).
C.9. Q. I am a small bank. I want to offer credit cards to my customers, but I am
too small to handle a credit card operation. Instead, I contract with others to
help me. When my customer indicates an interest in getting a credit card, I supply
an application form. That form makes clear that the lender is a large bank (“Large
Bank”). I am not affiliated with the Large Bank. The customer sends the completed
form directly to the Large Bank, so that I do not “collect” the application information
within the meaning of §___.3(c). The Large Bank issues the credit card for approved
applicants, with its name on the back. My name and logo are prominent on the front
of the credit card. Who must provide the initial privacy notice?
A. When a financial institution makes a consumer loan, as the Large Bank does in
this case, it has a customer relationship with that consumer. The Large Bank, therefore,
must provide an initial privacy notice and must provide annual notices as long as
the credit card relationship continues. You are not required to send any new notices
to your customers because you do not appear to be providing any financial product
or service to them in connection with this credit card product.
D. Providing notices to joint account holders
D.1. Q. I have two depositors who hold one account jointly. The depositors share
the same address. When notice is required, may I mail just one privacy notice?
A. Yes, you may mail one notice to two or more joint account holders at the same
address. §___.9(g).
D.2. Q. What if those same account holders have different addresses?
A. You still may mail one notice to all account holders jointly at one account holder’s
address. §___.9(g).
D.3. Q. One account holder, A, maintains with me a single account and a joint account
with another consumer, X. What are my obligations to send privacy notices to A and
X? Can I satisfy the initial privacy notice requirement by sending just one notice?
A. In some cases, one notice may be sufficient. For example, if A and X open the
joint account first and A subsequently opens an individual account, you need not
provide an additional initial notice to A if the most recent notice you provided
to A as part of the joint account is accurate as to the individual account. §___.4(d).
If A already has an individual account with you but X becomes your customer at the
time the joint account is opened, you must provide an initial notice to X with respect
to the joint account. §___.4(a). However, you may deliver the initial notice either
to A or to X by providing one notice to those consumers jointly. §___.9(g). For
example, you may deliver one notice addressed to both A and X. You subsequently
may satisfy the annual and revised notice requirements by sending one notice regarding
the joint account either to A or X.
D.4. Q. One depositor, A, has two different joint accounts, one with X and the other
with Y. When annual or revised notices are required as to both accounts, how many
notices must I provide?
A. Annual and revised notices pertaining to each of the joint accounts may be provided
either to A or to both of the other account holders respectively. Thus, one notice
to A is sufficient, as long as the notice is accurate as to both accounts. §___.9(g).
The Privacy Rule does not require you to mail two identical notices to A, one for
each account.
However, you must neither disclose to X that A has a joint account with Y nor disclose
to Y that A has a joint account with X, unless these facts are publicly available.
The fact that a consumer is a financial institution’s customer is nonpublic personal
information, unless you have a reasonable basis to believe that the customer relationship
is a matter of public record.
D.5. Q. Assume the same facts as Question D.4. What if the two joint account holders
with A, X and Y, have different addresses?
A. You still may provide one notice to A. However, in any communications with X
and Y, you must not disclose to X the fact that A has a joint account with Y, nor
may you disclose to Y that A has a joint account with X, unless you have a reasonable
basis to believe this information is publicly available.
E. Complying with the opt out provisions for joint account holders
E.1. Q. I have two depositors who hold one account jointly. Must I deliver a separate
opt out notice to each account holder and allow each of them to opt out individually?
Suppose I mail only one opt out notice for that
account, and one of the joint holders checks “I opt out” and returns it to me. To
whom does the opt out decision apply?
A. You may deliver either a single opt out notice to one of the account holders
or a separate notice to each account holder. In either case, the notice must permit
one joint account holder to opt out on behalf of all holders of the account. So
long as your notice fulfills this requirement, you also may permit joint account
holders to opt out individually.
The answer to your second question depends upon how you have designed your opt out
notice. Your notice must permit one joint account holder to opt out on behalf of
all holders of that account. However, you have several ways to do this. For example,
your notice may contain one box that, when checked, will result in an opt out by
the person checking the box and all other individuals on the account. Alternatively,
the opt out notice may provide boxes that enable each individual on the account
to opt out separately, as well as a box that permits one account holder to opt out
on behalf of everyone on the account.
With either option your opt out notice must clearly and conspicuously describe how
each applicable opt out selection will be treated. For example, the opt out selection
for all account holders should disclose that the customer making that selection
is opting out for all account holders with respect to information concerning that
joint account. Similarly, the “individual” opt out selection should explain that
the selection applies only to the customer making the selection.
If you already are disclosing nonpublic personal information because
you did not receive an opt out direction after sending your initial notice, each
joint account holder still may choose to opt out at a later date. You must abide
by any subsequent opt out decision as soon as reasonably practicable after you receive
it, and you must not delay complying with one individual account holder’s opt out
direction until the remaining account holder(s) opt out.
Once a consumer opts out, whether during the initial opt out period
or subsequently, you must not share the consumer’s nonpublic personal information
to which the opt out applies unless and until the consumer subsequently revokes
his or her opt out direction. §___.7(g)(1).
E.2. Q. I allow joint account holders X and Y to make independent opt out elections.
For opt outs, I use reply forms with check-off boxes. Must I mail two opt out response
forms for one joint account?
A. No, only one is necessary. However, you must allow each account holder a reasonable
amount of time to opt out before disclosing any nonpublic personal information about
him or her. For example, suppose you normally allow each consumer thirty days to
opt out, and you immediately receive an opt out instruction from X but not from
Y. You still must allow Y the standard thirty days to opt out before you may disclose
any nonpublic personal information relating to the joint account. You may disclose
nonpublic personal information about Y if Y does not opt out within the reasonable
opt out period, but only to the extent such a disclosure would not reveal nonpublic
personal information about X.
E.3. Q. I allow joint account holders to make independent opt out elections. May
I require each account holder to opt out in a separate response?
A. No. You must allow both account holders a reasonable opportunity to opt out in
one response, such as one opt out form or in one call to your toll-free opt out
line.
E.4. Q. I allow joint account holders, X and Y, to make independent opt out elections.
Suppose that X opted out, but Y did not respond. What nonpublic personal information
about X and Y may I disclose?
A. Because X has opted out, you must not disclose any nonpublic personal information
about X, except as permitted by an exception at §§___.13, ___.14, or ___.15. In
addition, you must not disclose nonpublic personal information about Y except as
permitted by an exception if the disclosure of that information also would disclose
nonpublic personal information about X.
For example, suppose that X and Y are married, share the same surname, reside at
the same address, and jointly hold a savings account with you. You may disclose
nonpublic personal information relating to that account about Y, such as the average
monthly balance in the account, as long as that disclosure does not include any
nonpublic personal information about X. Furthermore, you must not disclose the fact
that Y holds the joint account together with X.
F. Delivering opt out notices and providing consumers with a reasonable opportunity to opt out of disclosures
F.1. Q. Must I provide opt out notices if I do not disclose nonpublic personal information
to nonaffiliated third parties, except as permitted under one of the exceptions
under §§___.13, ___.14, or ___.15?
A. No. If you disclose nonpublic personal information only under one or more of
those exceptions, you need not provide any opt out notices. Nonetheless, be aware
that if you disclose nonpublic personal information under §___.13, then you must
provide an initial notice that includes a separate statement that describes that
disclosure. Also, you must provide an annual notice to your customers regardless
of your disclosure policies and practices. §___.5.
F.2. Q. What are some reasonable means of allowing consumers an opportunity to opt
out?
A. You may provide various opt out methods that are reasonable, depending on the
circumstances surrounding the financial product or service. For example, for new
customers who open credit card accounts, you may deliver a form with a check-off
box that they can check and return to you. If you use this method, you must deliver
the check-off form with your opt out notice. You also may provide a toll-free telephone
number that consumers can call to opt out. §§___.7(a)(2)(ii), ___.10(a)(3)(i).
The Privacy Rule provides that you may require a consumer to opt out through a specific
means if that means is reasonable for that particular consumer. §___.7(a)(2)(iv).
For example, you may require a consumer who has agreed to the electronic delivery
of notices to opt out by using a process available on your web site if that consumer
uses your web site to access financial products or services. You also may require
a consumer who conducts an isolated transaction at your branch, ATM, or office in
person to decide whether to opt out as a necessary part of completing the transaction
and to use the means you specify to effect his or her opt out direction. §___.10(a)(3)(iii).
Note that you may allow any consumer to opt out by e-mail or by using a process
available on your web site, but you may not require the consumer to use an
electronic method if the consumer has not agreed to electronic delivery of notices.
Under these circumstances, you must provide other reasonable methods for the consumer
to opt out.
No particular method described in an example in the Privacy Rule is strictly required
and there may be other reasonable methods for allowing a consumer to opt out of
disclosures. Some methods to opt out, however, are unreasonable. For instance, you
must not require consumers to write their own letters to opt out as the only
opt out method. §___.7(a)(2)(iii)(A).
F.3. Q. If I allow my customers to mail a form to indicate their opt out election,
am I required to provide my customers with a postage-paid envelope so they can mail
the form back?
A. No. You are not required to provide an individual with a postage-paid envelope
to meet the requirement that you provide a reasonable means for consumers to opt
out.
F.4. Q. In our initial and annual notices, our bank would like to provide a tear-off
opt out form and our privacy policies on the front and back of a single sheet of
paper. Is this permissible?
A. Yes, provided the opt out form may be detached without removing
text from your privacy policy. However, if by detaching the opt out form the customer
removes text from the privacy policy, the practice may violate § ___.9(e). This
section requires a financial institution to provide its privacy notices in a form
in which a customer can retain them or obtain them later. If the customer would
remove text from your privacy policy by detaching the opt out notice, then you should
either redesign the privacy notice or have procedures in place to provide a customer
with the complete text of your privacy notice upon request.
F.5. Q. I provide consumer credit cards. I would like to disclose to nonaffiliated
third parties different types of nonpublic personal information about my customers,
such as their addresses and their account information. The nonaffiliated third parties
are not financial institutions with which I have a joint agreement. I realize that
I must allow my customers to opt out of all these disclosures, but may I give them
the choice to opt out of disclosures of certain categories of information as well
as all categories of information to nonaffiliated third parties?
A. Yes. You must allow your customers to opt out of all these disclosures to nonaffiliated
third parties. Additionally, you may allow your customers to choose to opt out of
some types of disclosures, rather than simply all of those disclosures. For example,
you may allow your customers to opt out of disclosures of account information and
provide a separate opportunity for customers to opt out of disclosures of their
addresses. §___.10(c).
F.6. Q. I make consumer loans. I would like to disclose my customer list to nonaffiliated
clothing retailers and to nonaffiliated automobile dealers. These nonaffiliated
third parties are not financial institutions with which I have a joint agreement.
I realize that I must allow my customers to opt out of all these disclosures. But
may I also give them the choice to opt out of disclosures to certain kinds of nonaffiliated
third parties without having to opt out of disclosures to all kinds of third parties?
A. Yes. You must allow your customers to opt out of all these disclosures. Additionally,
you may allow your customers to choose to opt out of disclosures to some kinds of
nonaffiliated third parties instead of simply all of those parties. For example,
you may allow your customers to opt out of disclosures to clothing retailers and
allow a separate opportunity for the same customers to opt out of disclosures to
automobile dealers.
F.7. Q. We deliver opt out notices by mail and allow our new customers 30 days to
opt out before we begin sharing their information with nonaffiliated third parties.
Section ___.7(e) provides that a financial institution must comply with a consumer’s
opt out direction as soon as reasonably practicable after the financial institution
receives it. It may take our bank up to five weeks to process an opt out direction.
If we mail a new customer a privacy and opt out notice on September 1 and we receive
the customer’s opt out direction on September 15, may we share that
individual’s nonpublic personal information between September 15 and October 22
-- the date by which we can process the opt out?
A. No. Because your question concerns a new customer rather than an existing one,
the standard in §___.10(a)(1) rather than that in §___.7(e) applies. Section ___.10(a)(1)
of the Privacy Rule provides that a financial institution may not share a consumer’s
nonpublic personal information unless the institution has given the consumer an
initial privacy notice, an opt out notice, and a reasonable opportunity to opt out,
and the consumer has not opted out. If your customer opts out at any point within
the 30-day period in your example, then you would not be able to disclose that individual’s
information to nonaffiliated third parties unless the customer subsequently revoked
the opt out direction. §___.7(g)(1).
Section ___.7(e) applies only where the financial institution is already lawfully
disclosing nonpublic personal information of existing customers or consumers to
nonaffiliated third parties. Because the Privacy Rule permits consumers to opt out
at any time, § ___.7(e) provides an institution with a reasonable period of time
to process an existing consumer’s opt out election before the institution must cease
disclosing the consumer’s information. The institution must process the opt out
election as soon as reasonably practicable. For example, following the 30-day period
that you provide initially for your customers to opt out, you may disclose the nonpublic
personal information of those individuals who have not exercised their right to
opt out. However, you must honor any subsequent opt out election by any of those
customers “as soon as reasonably practicable.”
G. Complying with the limitations on redisclosure and reuse of nonpublic personal
information
I. Nonpublic personal information disclosed under an exception
I am a consumer lender, but a nonaffiliated third party (“Servicer”) services my
loans. I disclose nonpublic personal information to the Servicer under an exception
for that purpose. I have the following questions.
G.1. Q. I disclose nonpublic personal information about my customers to the Servicer
so the Servicer can process transactions that the customers have requested. May
the Servicer disclose the information it collects from me about my customers to
a retail merchant that is not affiliated with me?
A. Generally, no. When the Servicer receives nonpublic personal information about
your customers under an exception to the notice and opt out provisions, such as
in connection with servicing your loans, the Servicer’s use and disclosure of that
information is limited. The Servicer must not disclose any nonpublic personal information
to a retail merchant not affiliated with you unless the Servicer may do so under
an applicable exception in §§___.14 or ___.15. For example, the Servicer may not
provide information about your customers to the retail merchant for marketing purposes.
G.2. Q. May the Servicer disclose the nonpublic personal information to my affiliate?
A. Yes. The Privacy Rule explicitly provides that the Servicer may disclose the
information to your affiliate. §___.11(c)(1).
G.3. Q. May the Servicer disclose the information to the Servicer’s affiliate?
A. Yes, but the Servicer’s affiliate may disclose and use the information only as
the Servicer could disclose and use it. §___.11(c)(2). The Servicer’s affiliate
therefore may use the information to service your loans. The affiliate also may
disclose the information under an applicable exception in §§___.14 or ___.15 in
the ordinary course of business to carry out the activity covered by the exception
under which the Servicer received the information.
II. Nonpublic personal information disclosed outside of an exception
I am a consumer lender and am affiliated with a property insurer. In my privacy
notices I inform consumers that I disclose nonpublic personal information to my
affiliated insurance company. My privacy notice also states that, if a consumer
does not opt out, I may disclose nonpublic personal information about the consumer
to nonfinancial companies, such as retailers.
Among the nonaffiliated third parties to whom I disclose information are an automobile
dealer and a residential plumbing company. The plumbing company is affiliated with
a company that sells air conditioning products and services.
I have the following questions about disclosing information about consumers who
do not opt out.
G.4. Q. I disclose information about my customers who do not opt out to a residential
plumbing company. Can the plumbing company use the information for marketing purposes?
A. Yes. This is permissible because you disclosed nonpublic personal information
to the plumbing company in accordance with the notice and opt out provisions of
the GLB Act. § 502(a)-(b) of the Act, codified at 15 U.S.C. §6802(a)-(b). In other
words, you disclosed information about a consumer consistent with your privacy notice
and the consumer’s choice not to opt out.
As illustrated in the following questions and answers, when the plumbing company
receives from you nonpublic personal information about a consumer who has not elected
to opt out, the company is free to use the information for marketing or other purposes.
However, the plumbing company may disclose the nonpublic personal information it
receives from you only if such a disclosure is consistent with the restrictions
on disclosure of the information described in your privacy policy. §___.11(d). The
plumbing company therefore is required to honor any subsequent opt out elections
made by consumers pursuant to your privacy policy and accordingly must have a mechanism
through which it can monitor and implement subsequent opt out elections you receive.
G.5. Q. One of my affiliates sells insurance. May the plumbing company, who received
my customers’ information outside an exception, disclose that information to my
affiliated insurer?
A. Yes. The Privacy Rule explicitly provides that the plumbing company may disclose
the information to your affiliate. §___.11(d)(1).
G.6. Q. I disclosed information to the plumbing company outside an exception. The
plumbing company is affiliated with an air conditioning company. The air conditioning
company is not affiliated with me. May the plumbing company disclose my consumers’
nonpublic personal information to that air conditioning company?
A. Yes. The Privacy Rule permits a party that receives nonpublic personal information
outside of an exception to disclose that information to its affiliates. In this
case, therefore, the plumbing company may disclose the information to its affiliated
air conditioning company. However, the affiliated air conditioning company may,
in turn, disclose the information only to the extent that the plumbing company may,
consistent with your privacy notice. §___.11(d)(2).
G.7. Q. I disclosed information to the plumbing company outside an exception. May
the plumbing company disclose my consumers’ nonpublic personal information to a
nonaffiliated automobile parts retailer?
A. Yes. The Privacy Rule permits a party that receives nonpublic personal information
outside of an exception to disclose that information to another nonaffiliated third
party, provided that it would be lawful for the original financial institution to
make that disclosure directly to that party. Under your privacy notice, it would
be lawful for you to disclose nonpublic personal information about those consumers
who chose not to opt out to the automobile parts retailer. §___.11(d)(3). However,
the plumbing company could not disclose nonpublic personal information obtained
from you to other nonaffiliated retailers if your privacy policy would not permit
such disclosures.
H. Complying with the limitation on disclosing account numbers
H.1. Q. I am a depository institution. I transform my customers’ account numbers
into encrypted forms that can be used solely to identify those customers. I enter
into an arrangement with a third party telemarketing firm whereby I disclose my
customers’ names, telephone numbers, and encrypted identifying numbers. The third
party telemarketing firm uses that information to market products (other than products
I offer) to those customers. For those customers who agree to purchase the products,
the third party telemarketing firm submits their encrypted identifying numbers to
me, and I decrypt them into account numbers. At the end of this process, am I permitted
to disclose the customers’ actual account numbers to the third party telemarketing
firm so that the telemarketing firm can initiate the charges to the customers’ accounts?
A. No. Section ___.12 generally prohibits you from disclosing credit card, deposit,
or other transaction account numbers “for use in telemarketing, direct mail marketing,
or other marketing through electronic mail to the consumer.” Accordingly, you must
not provide your customers’ account numbers to the third party telemarketing firm
“for use in telemarketing.”
The primary reason a marketer seeks access to a customer’s account number is to
allow the marketer to initiate a charge to the customer’s account as part of the
transaction. Section ___.12 prohibits you from disclosing customer transaction account
numbers to the third party telemarketing firm to initiate a charge to a customer’s
account even after a customer accepts the product. Moreover, the general exceptions
for notice and opt out under §§___.14 and ___.15, including the exception for disclosing
information with the consent or at the direction of the consumer, do not apply to
disclosures of account numbers for use in marketing that are prohibited by §___.12.
Section ___.12 provides only three exceptions. A financial institution may disclose
its customers’ account numbers to: (i) a consumer reporting agency; (ii) its agent
to market the institution’s own products or services, provided that the agent is
not authorized to directly initiate charges to the account; or (iii) another participant
in a private label credit card or an affinity or similar program involving the institution.
Because none of these exceptions applies in your case, you must not provide your
customers’ account numbers to a third party telemarketing firm so that it can initiate
the charges to the customers’ accounts.
H.2. Q. I would like to enter into an arrangement with a nonaffiliated insurance
agency that markets its products to my customers through direct mail solicitations.
The proposed arrangement contemplates that I would disclose a customer’s account
number to the insurance agency’s affiliate. The affiliate then would use the account
number to debit the purchase price from my customer’s account in response to these
solicitations. The affiliate’s only role in the arrangement would be initiating
the charges. Does the Privacy Rule allow me to disclose a customer’s account number
to the insurance agency’s affiliate under these circumstances?
A. No. The Privacy Rule prohibits you from disclosing your customers’ account numbers
to any nonaffiliated third party for use in marketing. §___.12(a). Although
the affiliate in your hypothetical does not distribute marketing materials but only
initiates charges, its conduct of that activity is an integral part of your marketing
arrangement with the insurance company. The disclosure of a customer’s account number
to the insurance company’s affiliate under these circumstances therefore would be
a disclosure for use in marketing that violates the Privacy Rule.
I. Disclosing nonpublic personal information under the exceptions to the notice and
opt out provisions
I.1. Q. I offer consumer checking accounts. I notify my customers that, among other
things, I make disclosures as permitted by law. Merchants sometimes call me and
ask whether a particular consumer’s checking account has sufficient funds to cover
a check to the merchant. How does the Privacy Rule apply to my response to the merchant’s
question?
A. The Privacy Rule allows you to disclose nonpublic personal information about
your consumers without providing them a reasonable opportunity to opt out under
certain circumstances. These exceptions to the opt out requirement are described
at §§ ___.13 – ___.15 of the Privacy Rule. For example, you do not need to allow
your customer to opt out of a disclosure made in connection with processing or clearing
checks (§___.14(b)(2)(vi)(A)) or for the purposes of preventing actual or potential
fraud, unauthorized transactions, claims, or other liability (§___.15(a)(2)(ii)).
Therefore, if you have notified your customer that you make disclosures as permitted
by law, you may disclose whether your customer’s checking account has sufficient
funds to cover a check, regardless of whether or not the customer has exercised
his or her opt out rights.
Be aware of the possibility that the caller may be attempting to obtain information
about your customer through false or fraudulent statements to you. Toward this end,
you must ensure that you respond to the caller in accordance with the controls you
have implemented as part of your information security program, as provided for by
the applicable provisions of the banking agencies’ Interagency Guidelines Establishing
Standards for Safeguarding Customer Information and the NCUA’s Guidelines for Safeguarding
Member Information (the “security guidelines”). See 66 Fed. Reg. 8616 (February
1, 2001) and 66 Fed. Reg. 8152 (January 30, 2001).
I.2. Q. While we may confirm funds availability to a merchant where our customer
seeks to pay for merchandise with a check under the exceptions in §§ ___.14 and
___.15, may we confirm funds availability to an individual who is not a merchant
for the same purpose? For instance, if our customer wants to use a check to purchase
a used car from an individual seller, may we respond to the seller’s request about
the availability of funds in the customer’s account under these exceptions?
A. Whether or not someone is a “merchant” is not material to determining if you
may disclose customer information pursuant to the exceptions in §§ ___.14 and ___.15.
You should determine whether the third party to whom you intend to disclose information
actually is involved in carrying out a financial transaction that is requested or
authorized by your customer. Check verification is permitted under the exceptions
to the notice and opt out provisions, such as in connection with processing or clearing
a check under § ___.14(b)(2)(vi)(A), and under § ___.15(a)(2)(ii) to protect against
or prevent actual or potential fraud or unauthorized transactions.
As discussed in the answer above, if you make such a disclosure you should take
appropriate measures to ensure that the individual inquiring has a legitimate need
for the information and is not engaging in an attempt to obtain customer information
fraudulently. Concerns about properly safeguarding customer information are heightened
in a situation in which you disclose nonpublic personal information to an individual
rather than to a known merchant.
I.3. Q. I offer consumer checking accounts. I notify my customers that, among other
things, I make disclosures as permitted by law. My checking account customers deposit
checks made payable to my customer but drawn on a financial institution unaffiliated
with me. My practice is to write my customer’s account number on the back of the
deposited check to facilitate its processing. The check itself then goes to the
maker’s financial institution, with my customer’s account number on the check. Is
this a disclosure of nonpublic personal information that would be subject to opt
out requirements or the prohibition against sharing account numbers?
A. No. The opt out provisions do not apply to disclosures in connection with servicing
or processing a financial product or service that a consumer requests or authorizes.
Nor do they apply to disclosures that are required, or are a usual, appropriate,
or acceptable method in connection with settling, processing, clearing, transferring,
reconciling or collecting amounts charged, debited or otherwise paid. §§ ___.14(a),
___.14(b)(2)(vi)(A). Also, because the account number is added to the check solely
for use in processing the check and is not used in connection with marketing by
a third party, this disclosure is not prohibited by the ban on disclosing account
numbers for marketing purposes. § ___.12.
I.4. Q. I made a loan to a consumer who defaulted. In trying to collect the bad
loan, I wish to learn information to locate the defaulting borrower. I believe that
a financial institution unaffiliated with me may have some helpful information about
the borrower. If I were to ask that institution for information, I would disclose
nonpublic personal information, such as the fact that I have a loan to a particular
consumer. I previously notified my borrower that, among other things, I make disclosures
as permitted by law. Must I allow my borrower to opt out of my question to the financial
institution?
A. No. You may disclose nonpublic personal information to the financial institution
without complying with the opt out provisions as necessary to enforce a consumer
loan where the disclosure is required or is one of the lawful or appropriate methods
to enforce your rights. §___.14(b)(1).
I.5. Q. A financial institution that is not affiliated with me made a loan to a
consumer who defaulted. In trying to collect the bad loan, the lender wishes to
learn information to locate the defaulting borrower. The lender believes that I
may have some helpful information about the borrower and asks me to disclose nonpublic
personal information. I notify my consumers that, among other things, I make disclosures
as permitted by law. May I disclose nonpublic personal information to help the lender
try to collect a bad loan without providing opt out notices?
A. Where you have notified your consumer that you make disclosures as permitted
by law, you may make disclosures to “persons holding a legal or beneficial interest
relating to the consumer,” or under the appropriate circumstances, “to protect against
or prevent actual or potential fraud, unauthorized transactions, claims, or other
liability,” without providing opt out notices and a reasonable opportunity for a
consumer to opt out. §___.15(a)(2)(iv); §___.15(a)(2)(ii). Thus, disclosures to
the lender may be permissible without complying with the opt out provisions.
As stated above, you must be aware of the possibility that the party requesting
the information may be attempting to obtain that information about your customer
through false or fraudulent statements to you.
I.6. Q. I make consumer loans. I notify my customers that, among other things, I
make disclosures as permitted by law. A state law requires me to disclose to the
state the names, addresses, social security numbers, and account balances of individuals
the state believes have failed to make required child support payments. Does the
Privacy Rule require me to allow my customers to opt out of disclosures to the state
under this state law?
A. No. The Privacy Rule exempts from the opt out provisions any disclosures you
make “[t]o comply with Federal, State, or local laws, rules and other applicable
legal requirements.” §___.15(a)(7)(i).
I.7. Q. Must I provide a privacy notice to consumers who are not my customers when
I have to report information about denied mortgage applicants under the Home Mortgage
Disclosure Act (“HMDA”)?
A. No. If the information that HMDA requires you to disclose is not personally identifiable,
the Privacy Rule would not apply to your disclosure of that information. Alternatively,
if you disclose nonpublic personal information to comply with the law, you may disclose
the information under § ___.15(a)(7)(i) without providing a privacy notice to consumers
who are not your customers.
I.8. Q. We often receive phone calls from auto dealers or other financial institutions
requesting loan pay-off amounts on our customers. May we respond to these requests
without providing those customers with a reasonable opportunity to opt out of that
kind of disclosure?
A. Yes, if the disclosure is in connection with servicing or processing a financial
product or service from the third party that the customer has requested or authorized.
In your case, for example, you may disclose loan pay-off information to a third
party lender where your customer seeks to refinance the bank loan with the other
lender. Alternatively, you may disclose nonpublic personal information that is required,
or is a usual, appropriate or acceptable method to carry out the transaction that
the customer has requested or authorized. §___.14(a). This would be the case, for
example, if the car dealer accepts your customer’s car as partial consideration
for the purchase of another vehicle and wants to know the outstanding amount on
the customer’s car loan with you.
As discussed in response to several of the questions above, you should be aware
of the possibility that the caller may be attempting to obtain information about
your customer through false or fraudulent statements to you. Toward this end, you
must ensure that you respond to the caller in accordance with the controls you have
implemented as part of your information security program.
I.9. Q. During the ordinary course of business, I may request proof of insurance
from a nonaffiliated insurance agency on an automobile that serves as my collateral
on a customer’s loan. May I disclose customer information to the insurance agency
in order to obtain this information without triggering specific notice and opt out
requirements?
A. Yes, you may disclose nonpublic personal information, such as the existence of
your relationship with a particular customer, to a nonaffiliated insurance agency
in order to obtain proof of insurance under the exceptions to the specific notice
and opt out requirements in § ___.14. For example, you could disclose nonpublic
personal information under the exception in § ___.14(b)(1) as a lawful or appropriate
method to enforce your rights in providing the loan.
I.10. Q. I make wire transfers for consumers who are not otherwise my customers.
Do I have to provide an initial privacy notice to these consumers when I only make
a wire transfer for them?
A. No. Processing a wire transfer for a consumer on a one-time basis would not create
a customer relationship, even if the consumer repeatedly requests that one-time
service. Accordingly, you do not owe the consumer an initial notice on that basis.
Furthermore, this disclosure would fall under the exception for processing a transaction
that a consumer has requested or authorized. §___.14(a)(1). Consequently, you would
not be required to provide any privacy notices unless you also disclosed nonpublic
personal information about the consumer to nonaffiliated third parties outside of
an exception under §___.14 or §___.15. See §___.4(a)(2).
I.11. Q. I use a nonaffiliated third party to service consumer loans, and in this
arrangement I disclose to the servicer nonpublic personal information about my borrowers.
This arrangement seems to qualify for an exception from both the notice and opt
out requirements, under § ___.14(a)(1). At the same time, this arrangement seems
to qualify for an exception from opt out requirements—but not from notice requirements—under
§___.13(a)(1). The latter exception requires me to provide notice to consumers of
the disclosures, and requires language in our contract that restricts the servicer’s
further disclosure and use of the nonpublic personal information. When a servicing
arrangement qualifies for two differing exceptions, which applies?
A. When a disclosure qualifies for both the § ___.13 exception and a § ___.14 or
§___.15 exception, you do not need to comply with the notice and confidentiality
provisions under § ___.13. Instead, you may make that disclosure solely in accordance
with an exception under § ___.14 or §___.15.
I.12. Q. A community bank has an agreement with a mortgage company to prequalify
mortgage loan applicants prior to referring them to the mortgage company for underwriting.
As part of this agreement, the community bank, among other things, (1) educates
applicants about home buying and about different types of loan products available;
(2) collects financial information and related documents; (3) assists the applicant
in understanding and resolving credit problems; and (4) maintains regular contact
with the applicant during the loan process to apprise the applicant of the status
of the application.
The community bank forwards the completed loan application to the mortgage company
for underwriting, origination and servicing. After the loan is approved, the community
bank has no further contact with the applicant with respect to the applicant’s loan.
Does the bank have to provide an initial privacy notice to the applicant? If so,
does the bank have to disclose this information sharing arrangement in its privacy
notice, or is it covered by an exception in §___.14 or §___.15?
A. If the bank does not already have a customer relationship with the loan applicant,
the services that the bank performs pursuant to this program appear to give rise
to a customer relationship between the applicant and the bank as described in §___.3(i)(2)(i)(F),
at least until the applicant has completed the loan process. As a result, the bank
would have to provide an initial privacy notice. Whether the bank must disclose
the information sharing arrangement with the mortgage company in its privacy notice
depends on whether the disclosure is permitted under one of the exceptions in §§___.13,
___.14, or ___.15.
If the bank and the mortgage company have an agreement to jointly offer, endorse,
or sponsor the mortgage company’s loan product as described in §___.13 and otherwise
comply with the confidentiality requirements of this section, the bank would have
to describe this arrangement in its privacy notice in accordance with §___.6(a)(5).
Where the bank discloses to the applicant that the mortgage loan will be made by
the mortgage company and not the bank, the bank’s disclosure of the applicant’s
nonpublic personal information to the mortgage company would fall within the exception
in §___.14(a)(1), to service or process a financial product the consumer has requested.
The bank would not have to specifically describe this information sharing arrangement
in its privacy notice as long as the notice states that the bank makes disclosures
to nonaffiliated third parties “as permitted by law.” §___.6(b).
Finally, the bank could obtain the applicant’s specific consent to disclose the
applicant’s nonpublic personal information to the mortgage company so the applicant
may obtain the loan. In that event, the disclosure would fall within the exception
in §___.15(a)(1). The bank’s privacy notice may refer to this disclosure as “permitted
by law.” §___.6(b).
Where the disclosure of information may be made pursuant to an exception under both
§___.13 and either §___.14 or §___.15, the bank may rely on the latter exceptions,
and therefore would not have to specifically describe in its privacy notice its
disclosure arrangements under §___.6(a)(5).
The mortgage company also will establish a customer relationship with any applicant
for whom it originates a loan, and will have to provide a notice of its privacy
policies not later than when it establishes the customer relationship.
J. Complying with the exception to the opt out provisions for joint marketing arrangements
J.1. Q. I disclose my consumer borrowers’ names and addresses to a nonaffiliated
insurance company. The insurance company sends the borrowers a letter, on my letterhead,
offering insurance. I do not sell insurance. Does this arrangement qualify for the
§___.13 joint marketing agreement exception? Must the products described in the
marketing materials be our products?
A. The exception to the opt out requirement in § ___.13 applies to disclosures you
make to nonaffiliated third parties pursuant to a joint written agreement between
you and one or more financial institutions under which you and the other financial
institution(s) jointly offer, endorse, or sponsor a financial product or service.
You may disclose your consumer borrowers’ names and addresses to the insurance company
under §___.13 because (i) the insurance company is a financial institution, (ii)
insurance is a financial product or service, and (iii) you and the insurance company
market the insurance together. The financial product you offer, sponsor or endorse
under a joint agreement with another financial institution need not be your product.
You and the insurance company must have a written agreement that restricts the insurance
company from disclosing or using the borrowers’ nonpublic personal information for
any purpose other than selling insurance to the borrowers. Furthermore, you must
describe this type of arrangement in your privacy notice in accordance with §___.6(a)(5).
J.2. Q. I disclose my consumer borrowers’ names and addresses to a nonaffiliated
retail merchant that sells household goods, hardware, and clothing. The retail merchant
wants to send notices, on my letterhead, offering household products. Would this
arrangement qualify for the §___.13 joint marketing agreement exception?
A. No. To qualify for the §___.13 exception, a joint marketing arrangement must
be an agreement between financial institutions for offering, endorsing, or sponsoring
financial products or services.
J.3. Q. Each month I mail account statements to my customers. May I include marketing
materials for a third party vendor’s products in my mailings to my customers? I
do not have a joint marketing agreement under §___.13 with the vendor.
A. Yes. However, you must be careful not to facilitate your customer’s unwitting
disclosure of his or her nonpublic personal information to the vendor by virtue
of a response to the marketing materials. For example, the vendor may have printed
a reference code on its marketing materials that indicates that the offer for that
product was sent to your customers who share certain financial characteristics.
From this code, the vendor would be able to determine that the individual who responds
to the marketing materials that you delivered is your customer or holds certain
kinds of assets. In that case, you would have disclosed nonpublic personal information
about the customer to the vendor.
To comply with the Privacy Rule under these circumstances, you must either describe
these types of marketing arrangements in your initial, annual, or revised privacy
notice and provide your customer with a reasonable opportunity to opt out or obtain
your customer’s specific consent to such arrangements. Alternatively, you may structure
the marketing materials so your customer knows that by responding he or she would
be disclosing certain categories of nonpublic personal information about himself
or herself.
J.4. Q. I am a bank. I have a financial advisory center on my premises that is operated
by people employed both by me and by an insurance company. The shared employees
do not sell bank products. They sell insurance products and services offered by
the insurance company pursuant to a third-party arrangement. We provide the employees
with information about our customers so that they may solicit our customers on behalf
of the insurance company. Do we have to provide our customers with an opportunity
to opt out of these disclosures?
A. You must provide a reasonable opportunity for your customers to opt out of any
disclosure of their nonpublic personal information to a nonaffiliated third party
unless one of the exceptions applies. Although a dual employee himself or herself
is not a “nonaffiliated third party,” providing customer information to a dual employee
for purposes of marketing the insurance company’s products and services to your
customers is deemed to be providing the information directly to the insurance company.
Because the insurance company is a nonaffiliated third party, you must provide your
customers a reasonable opportunity to opt out of disclosure of their nonpublic personal
information prior to disclosing such information to the dual employees unless the
disclosure is covered by an exception.
The exception at §___.13 specifically permits you to disclose nonpublic personal
information about your customer to the nonaffiliated insurance company without providing
the customer an opportunity to opt out if three requirements are met:
(i) The insurance company must market financial products or services offered under a
joint agreement between you and the insurance company. The joint agreement must
be a written agreement under which you and the insurance company “jointly offer,
endorse, or sponsor” a financial product or service. Simply agreeing to share customer
information with the insurance company would not satisfy this contractual requirement.
Rather, your agreement with the insurance company must provide for the joint offering,
endorsement, or sponsorship of the financial product or service. For example, a
third-party agreement that provides the insurance company will use your name in
its marketing materials or offer insurance products and services on your premises
would demonstrate that you are jointly offering, endorsing, or sponsoring the products
or services with the insurance company;
(ii) You must have provided your customers with an initial privacy notice, including
a separate statement describing your joint marketing that satisfies §___.6(a)(5);
and
(iii) You must have a written contract that restricts the insurance company from disclosing
or using your customer’s nonpublic personal information for any purpose other than
to offer insurance products and services to those customers.
In addition to the foregoing requirements, the prohibition against disclosing a
consumer’s account number for use in telemarketing, direct mail marketing, or other
marketing through electronic mail, as set forth in §___.12, applies to your arrangement
with the insurance company.
J.5. Q. Must I have a confidentiality and security clause in all my contracts with
service providers who have access to customer information?
A. Both the privacy regulations and the banking agencies’ and NCUA’s security guidelines
provide for financial institutions to enter into contracts with service providers
that address customer information in particular circumstances. The provisions differ,
however, and those differences are as follows:
Under §___.13 of the Privacy Rule, you may share nonpublic personal information
with a servicer, without providing a consumer with the right to opt out of this
disclosure, if you have a contract with the servicer that limits the servicer’s ability
to further use or disclose this information. The Privacy Rule does not require
you to have such a contract clause in place before disclosing information to every
servicer; it requires one only for servicing arrangements that fall within §___.13. If the servicing
arrangement is within the scope of the exceptions in §§___.14 and ___.15, you may
disclose information to the servicer without a contract that limits the servicer’s
ability to use or disclose nonpublic personal information. In those instances, the
servicer will be subject to the limits on reuse and redisclosure under §___.11.
Under III.D.2 of the security guidelines, you should provide by contract with each
of your service providers that has access to customer information that it undertakes
security measures that will protect your customer information. The supplementary
materials to the guidelines explain that a service provider must implement controls
that satisfy the objectives of the guidelines, yet need not have a security program
that is identical to the program that financial institutions themselves must implement
under the guidelines.
There is a different transition rule for each of these contract clauses. Section
___.18 of the Privacy Rule states that a contract entered into on or before July
1, 2000, must be brought into compliance with the provisions of §___.13 by July
1, 2002. Contracts entered into after July 1, 2000, should have been brought into
compliance by July 1, 2001. The security guidelines provide that a contract entered
into on or before March 5, 2001, between a bank and service provider should be brought
into compliance with the security guidelines by July 1, 2003. Contracts entered
into after March 5, 2001, should have been brought into compliance by July 1, 2001.
1. The scope of the privacy regulation promulgated by the Federal Trade Commission
(“FTC”) is more limited than that of the other agencies. Under the FTC’s privacy
regulation, financial institution means “any institution the business of which is
engaging in financial activities as described in §4(k) of the Bank Holding Company
Act of 1956.” See 16 C.F.R. 313.3(k)(1). Moreover, an institution is not
a financial institution unless it is significantly engaged in financial activities.
Id. In addition, the FTC’s regulation does not automatically apply to institutions
significantly engaged in activities that the Board determines, after November 12,
1999, to be financial in nature. See 16 C.F.R. 313.18(a)(2).