CUNA Regulatory Comment Call

February 7, 2000

Joint Privacy Rules from the Fed, OCC, FDIC & OTS



I. Definitions

The draft regulations provide a number of definitions. The following are of particular interest:

Affiliate - This means any company that controls, is controlled by, or is under common control with another company. “Control” means either control of 25% of any class of stock of another company; control over the election of a majority of directors, trustees, or general partners of another company; or power to exercise a controlling influence over the management or policies of that other company.

Nonaffiliated third party – This means any person or entity except an affiliate or joint employee of the institution and the nonaffiliate.

Nonpublic personal information – This generally includes all personally identifiable financial information or any listing, description, or grouping of consumers that is derived by using personally identifiable financial information. Although “publicly available information” is excluded, the joint rules provide two alternatives regarding this exclusion. Under one alternative, information is not public unless it is actually obtained from a public source while under the other alternative, the information is public if it could be obtained from a public source, even if it is obtained from another source. However, under either alternative, the fact that an individual is a bank customer, or credit union member, will be considered “nonpublic.”

Personally identifiable financial information - This generally means information obtained by a financial institution in connection with providing a financial service or product to a consumer.

Publicly available information - This includes information available from government records, information required to be disclosed by law, and information contained in “widely available media,” which includes print, television, radio, and Internet sites that are available without a password or special fee.

II. Initial Notice of Privacy Policies

An initial notice of the privacy policy must be provided prior to the time that a “continuing relationship” with the consumer is established. (A continuing relationship is not established by engaging in isolated transactions, such as using an ATM or purchasing travelers checks or cashier’s checks from an institution where the consumer has no account.) If the continuing relationship is not established, the initial notice must be provided to the consumer prior to the time that the financial institution discloses nonpublic personal information to a nonaffiliated third party. An initial notice under these circumstances will not be required if such information is not disclosed or if such disclosure is allowed under certain exceptions, as described in Section VII below.

Oral descriptions of the information in the notice will not be permitted. In the case of a continuing relationship, the initial notice may be given after the establishment of such a relationship if: 1) the financial institution assumes the loan or deposit from another institution; or 2) the institution and the consumer orally agree to enter into the continuing relationship and the consumer agrees to receive the notice at a later time. If an institution sells a loan but keeps the servicing rights, the selling institution will still have a continuing relationship with the borrower.

The initial notice must generally be sent to the consumer. Posting the notice in a branch lobby will not be acceptable. The notice may be sent by e-mail if the consumer agrees and may be posted on a website if the consumer is required to acknowledge receipt prior to obtaining a financial service or product.

III. Annual Notice of Privacy Policies

An annual notice of privacy policies must be provided to consumers with a continuing relationship with the financial institution until the time that the relationship is terminated. The annual notice must be sent in the same manner as the initial notice.

IV. Content of the Initial and Annual Notice

The initial and annual notice must provide the following information:

As described in Section VII below, certain nonpublic personal information may be disclosed to nonaffiliated third parties without providing consumers with notice and the right to opt out. For these disclosures, the initial and annual notices need only state that such disclosures are made as permitted by law. The notices may also be based on future categories of information that may be disclosed and future categories of affiliates and nonaffiliated third parties to whom the information may be disclosed. If the financial institution does not intend to disclose nonpublic personal information to affiliates or nonaffiliated third parties, the institution may simply state this in the notice.

V. Limitations on Disclosure of Nonpublic Personal Information to Nonaffiliated Third Parties

Unless an exception applies, as described in Section VII below, nonpublic personal information cannot be disclosed to a nonaffiliated third party unless:

The financial institution may provide the opt out notice by mail but the individual must be given a “reasonable” time to opt out. A 30-day period would satisfy this requirement. Although the institution may then disclose the information, the consumer may always exercise an opt out at a later time and the institution must then stop disclosing the information as soon as it is reasonably practicable. For isolated transactions, such as purchase of a cashier’s check, reasonable time is sufficient if the opt out notice is provided at the time of the transaction and the individual is requested, as a necessary part of the transaction, to decide whether to opt out before completing the transaction.

An opt out exercised by a consumer will apply to all information collected, regardless of when the information is collected. The financial institution may also allow consumers to exercise a partial opt out of certain nonpublic personal information or certain nonaffiliated third parties.

VI. Form and Method of Providing the Opt Out Notice

The opt out notice must: 1) state that the financial institution may or will disclose information to a nonaffiliated third party; 2) state that the individual has a right to opt out of that disclosure; and 3) provide a reasonable means to exercise the opt out option.

The opt out notice cannot be provided orally. Reasonable means of providing such notice may include check-off boxes, self-addressed stamped replies, or e-mail notifications if the consumer agrees. Requiring consumers to send their own letters will not be considered reasonable. If the financial institution orally agrees to enter into a continuing relationship, the opt out may be provided within a reasonable time afterwards if the consumer agrees. The opt out notice may be provided with the initial notice. If it is provided at a later time, a copy of the initial notice must be included.

The following must be provided if the financial institution wants to disclose information other than as described in the initial notice:

The institution may then disclose the information if the consumer does not opt out within the reasonable time. A revised notice will be required if disclosing a new category of nonpublic personal information to a nonaffiliated third party or disclosing such information to a new category of nonaffiliated third party.

Again, the right to opt out may be exercised at any time and the financial institution must comply with the opt out as soon as reasonably practicable. The opt out will be effective until revoked by the consumer either in writing or electronically.

VII. Exceptions to the Opt Out Requirements

A. Service Providers and Joint Marketing

The opt out requirements will not apply when the financial institution provides nonpublic personal information about a consumer to a nonaffiliated third party that performs services for the institution or functions on the institution’s behalf. However, the institution must:

The services performed by a nonaffiliated third party under this exception may include the marketing of the institution’s own products or services or the marketing of financial products or services offered under joint agreements with other financial institutions. “Joint agreement” means a contract where the parties jointly offer, endorse, or sponsor a financial product or service.

B. Transaction Processing

The opt out requirements will also not apply if disclosure of nonpublic personal information is necessary or appropriate in order to administer or enforce a transaction that:

For this exception, and the exceptions listed below, the initial and annual notices must still be provided to those with a continuing relationship with the financial institution. When referencing these exceptions, the notices need only state that such disclosures are made as permitted by law. Such notices will not have to be provided to those without a continuing relationship with the institution.

C. Other Exceptions

The following are additional exceptions:

VIII. Reuse of Information

In general, if a financial institution receives nonpublic personal information from a nonaffiliated financial institution, it may not then be disclosed to an entity not affiliated with these two parties, unless the disclosure would have been permitted if made directly by the receiving institution. If the institution discloses nonpublic personal information to a nonaffiliated third party, that third party may not further disclose that information to an entity not affiliated with these two parties, unless the disclosure would have been permitted if made directly by the institution.

Under either situation described above, information received under an exception described in Section VII above may only be used for the purpose of that exception.

IX. No Disclosure of Account Number Information for Marketing Purposes

Other than to a consumer reporting agency, financial institutions will not be permitted to disclose account numbers or access codes for credit cards, deposit accounts, or transaction accounts to any nonaffiliated third parties for marketing purposes.

X. Relation to State Law

State laws, regulations, orders, and opinions will still be valid to the extent that they are not inconsistent with these new privacy rules. Inconsistency does not include State protections that are greater than those provided by these new privacy rules, as determined by the Federal Trade Commission, after consultation with the appropriate regulatory agency.

XI. Effective Date

The effective date of this rule is contemplated to be November 13, 2000, although federal agencies have flexibility to extend this date. Within thirty days after the effective date, financial institutions must provide initial notices to those that had a continuing relationship with the institution as of the effective date.