CUNA Regulatory Comment Call


July 1, 2004

NCUA Proposed Rule Limiting the Use of Information by Affiliated Entities for Marketing Solicitations
(Major Rule-Applies to Federal Credit Unions)

EXECUTIVE SUMMARY

Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.coop and to Assistant General Counsel Jeff Bloch at jbloch@cuna.coop; or mail them to Mary and Jeff c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposed rule. You may also access it on the Internet at the following address: http://www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/P-717-20.pdf

BACKGROUND

Enacted in 1970, the FCRA sets standards for the collection, communication, and use of information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. Until 1996, many institutions avoided disclosing such information to affiliated companies because it could be considered a "consumer report," which would subject these institutions to the significant obligations that the FCRA imposes on consumer reporting agencies.

The FCRA was amended in 1996 to exclude specific types of information sharing with affiliates from the definition of "consumer report." Institutions making these disclosures are not subject to the obligations imposed on consumer reporting agencies. These disclosures include information as to transactions or experiences between the consumer and the person making the disclosure. These disclosures also include "other" information covered by the FCRA, provided that the institution provides the consumer with notice and an opportunity to "opt-out," or direct that the information not be communicated.

President Bush this past December signed into law the FACT Act that permanently extends the federal preemptions for credit reporting under the FCRA. The new law also creates a number of important new consumer protections designed to help prevent identity theft and assist consumers who become victims of this rapidly growing crime. It also contains new restrictions on information sharing and creates a new federal commission that will coordinate financial education efforts at the national, state, and local levels.

The FACT Act will be implemented through a number of new rules that will be issued this year. Access below for a special issue of RegWatch that describes the significant provisions of the FACT Act: http://www.cuna.org/reg_advocacy/member/regwatch/regwatch.html

DESCRIPTION OF THE PROPOSED RULE

One new provision of the FACT Act provides that if an entity shares certain information with an affiliated entity, that affiliate may not use the information to make or send marketing solicitations to the consumer about its products or services, unless the consumer is given notice and a reasonable opportunity to opt-out of such uses and does not choose to do so. This new provision is in addition to the affiliate sharing provisions that were added in 1996, and these new provisions apply both to transaction or experience information and the "other" information as outlined in the 1996 amendments.

The proposed rule implements these new FACT Act provisions regarding information sharing among affiliates. These new affiliate sharing restrictions apply to information that would be a "consumer report" if the exclusions contained in the 1996 amendments did not apply (that is, transaction or experience information and "other" information subject to the affiliate sharing opt-out, as described above). This generally means communication of information bearing on the consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is expected to be collected or used to at least some extent as a factor in establishing credit or insurance eligibility and is used primarily for personal, family, or household purposes. The proposed rule refers to this as "eligibility information." For credit unions, this rule will generally apply to information delivered from a CUSO to a credit union and from a credit union to the CUSO.

The following are the significant definitions used in the proposed rule:

The following exceptions to the requirement to provide the notice and opt-out will not apply when:

NCUA and the other federal financial institution regulators, as well as the FTC, have proposed that the entity communicating the information about a consumer to its affiliate that plans to send the solicitation should be the one responsible for providing the notice to the consumer. This may be provided by the entity, the entity’s agent, or through a joint notice with one or more affiliates, which will provide flexibility and facilitate the use of a single notice.

If sent by an agent, the opt-out notice must be in the name of the entity or common corporate name, and the entity, not the agent, assumes responsibility for failure to comply with the notice requirements. If the agent is an affiliate of the entity, the agent may not include solicitations other than those of the entity, unless an exception applies. If it is a joint notice, the joint notice must be sent in one or more common corporate names shared by these affiliates that includes the common corporate name used by that entity.

It is also not necessary for each affiliate that communicates the same eligibility information to provide an opt-out notice, as long as the notice provided by the affiliate that initially communicated the information is broad enough to cover the use of that information by each affiliate that receives and uses it to make solicitations.

The opt-out notice must be given to the consumer in writing or electronically, if the consumer agrees. The notice must be clear, conspicuous, and concise and accurately disclose the following:

The term "concise" means reasonably brief, although the opt-out rights for these new affiliate sharing provisions may be combined with other notices required by law, such as the GLBA privacy notices. If combined with the privacy notices, the consumer should be allowed to exercise the opt-out in the same manner and be given the same amount of time as provided for any opt-out that is included in the privacy notice.

The notice may provide choices as to which types of information, affiliates, or methods of delivery may be subject to the opt-out, as long as one of the choices is to opt-out with respect to all types of eligibility information, affiliates, and methods of delivery. Entities may, of course, choose to provide broader opt-outs than permitted under the proposed rule. The proposed rule also provides model notices that may be used, but they are not required.

After the notice is delivered, the consumer must be given a realistic period of time to decide whether to opt-out before solicitations are sent. This period of time will depend on the circumstances. Thirty days will be considered sufficient, although shorter time periods may be adequate under certain circumstances. The time period does not have to be disclosed in the notice.

These reasonable opportunities to opt-out, such as by mail or electronically, are similar to those that apply to the GLBA privacy notices. For electronic opt-outs, one example would be to provide the notice through a non-bypassable link to a page that provides the opt-out option, which would require the consumer to check a box to either opt-out or decline to opt-out before continuing with the transaction. This example would not include requiring the consumer to send a separate e-mail or visit a separate website in order to opt-out. An "opt-in" may also be used, which means solicitations would not be sent unless the consumer affirmatively agrees. This choice has to be documented, and a pre-selected check box would be an example that would not be considered an affirmative consent.

The proposed rule outlines reasonable and simple methods for opting out, which are similar to those in the GLBA privacy notices. These include a self-addressed envelope included with the reply form and opt-out notice or a toll-free telephone number, which must be adequately designed and staffed to enable consumers to opt-out in a single phone call. Unreasonable methods would include requiring the consumer to write a letter or call an entity to obtain the opt-out form, rather than including it in the notice. Also, consumers electing to receive the opt-out notice electronically, such as by e-mail or through the Internet, should be permitted to exercise the opt-out electronically and should not be required to do so in writing or by telephone.

The proposed rule requires that the entity must deliver the opt-out notice so that the consumer can reasonably be expected to receive the actual notice. For electronic delivery, if agreed to by the consumer, this could include sending an e-mail or provide a notice on the Internet website. In general, this requirement does not require "actual" notice. For example, sending the notice to the last known address will be sufficient, even if it does not reach the consumer.

For two or more consumers obtaining a product or service, such as joint account-holders, a single opt-out notice may be sent, but the notice must indicate whether an opt-out by one will be considered an opt-out by both or whether each consumer may opt-out separately. However, requiring both to opt-out before honoring the request will not be permitted.

The election by a consumer to opt-out of these affiliate sharing arrangements will be effective for at least five years, beginning as soon as reasonably practicable after the opt-out is received, unless the consumer revokes it, either in writing or electronically. The opt-out period may be longer than five years and there is no requirement that there be an expiration date, in which case the opt-out applies until revoked by the consumer.

If there is an expiration date, the consumer must be given a reasonable chance to extend the opt-out for at least another five year period after the initial opt-out expires by receiving a new notice, and solicitations cannot be sent to the consumer until after he or she has this opportunity and does not elect to opt-out. The consumer must have this opportunity after the expiration of each successive opt-out period. If the consumer opts-out again prior to the expiration date, a new period of at least five years begins upon receipt of that opt-out notice.

The extensions may be provided either a reasonable time period before the expiration of the opt-out period, which may include sending it with the last GLBA annual privacy notice prior to the expiration of the opt-out, or any time after expiration but before solicitations are sent to the consumer. However, if the GLBA privacy notice has a statement that the consumer does not need to opt-out again with regard to privacy, then the notice must be clear that it is necessary to so again with regard to these affiliate sharing provisions.

Such extensions would not be necessary if the initial opt-out does not have an expiration date, unless it is revoked by the consumer. Entities have flexibility with regard to the content of these expiration notices, as long as it is clear and conspicuous. The proposed rule also provides a model form that may be used, but it is not required.

If the consumer does not extend the opt-out, all eligible information received from an affiliate may be used, including information received during the opt-out period, but which was not used at that time to send solicitations. However, if that consumer opts-out after a period of time after the initial opt-out lapses, no eligible information may be used, including information received during the time that the opt-out was not in effect.

The consumer may opt-out at any time, even if it is not in response to the initial opt-out notice, and the opt-out period must still be effective for at least five years. The opt-out will still be in effect after the consumer terminates the relationship with the entity, unless it is revoked by the consumer. The opt-out notice will not be required if none of the affiliates receiving the eligible information uses it to send solicitations to the consumer. However, if the consumer opts-out, neither the entity nor the affiliate may send marketing solicitations to that consumer.

These rules will be effective six months after they are issued in final form. The final rules are scheduled to be issued by September 4, 2004, which means they will be effective by March 4, 2005. The proposed rule will not apply to information covered under this rule that was received prior to this effective date.

QUESTIONS TO CONSIDER REGARDING THE PROPOSED RULE ON LIMITING USE OF INFORMATION BY AFFILIATED ENTITIES FOR MARKETING PURPOSES
(NCUA has specifically requested comment on most of the issues raised in these questions.)

Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com