CUNA Regulatory Comment Call
July 1, 2004
NCUA Proposed Rule Limiting the Use of Information by Affiliated
Entities for Marketing Solicitations
(Major Rule-Applies to Federal Credit Unions)
- The Fair and Accurate Credit Transactions (FACT) Act was enacted this past December and permanently extends the federal preemptions for credit reporting under the Fair Credit Reporting Act (FCRA). It also enhances the ability of consumers to combat identity theft, increases accuracy of credit reports, and allows consumers to exercise greater control regarding the marketing solicitations they receive.
- The FACT Act provides consumers with the opportunity to "opt-out" before a company uses certain information provided by an affiliate to market its products or services to the consumer.
- The National Credit Union Administration (NCUA) has issued a proposed rule to implement these provisions, which will apply to federal credit unions. The Federal Trade Commission (FTC) has previously issued a similar rule that will apply to state-chartered and privately insured credit unions.
- The proposal is a joint rule issued by NCUA and the other federal financial institution regulators. For this reason, the rule generally refers to "affiliates" and "consumers" instead of "credit union service organizations (CUSOs)," "credit unions," and "members."
- Comments on the proposed rule are due on August 16, 2004. Please submit your comments to CUNA by August 2, 2004. Comments submitted directly to NCUA should refer to "Comments on Proposed Rule Part 717, Fair Credit Reporting-Affiliate Marketing."
Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at email@example.com and to Assistant General Counsel Jeff Bloch at firstname.lastname@example.org; or mail them to Mary and Jeff c/o CUNAs Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposed rule. You may also access it on the Internet at the following address: http://www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/P-717-20.pdf
Enacted in 1970, the FCRA sets standards for the collection, communication, and use of information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. Until 1996, many institutions avoided disclosing such information to affiliated companies because it could be considered a "consumer report," which would subject these institutions to the significant obligations that the FCRA imposes on consumer reporting agencies.
The FCRA was amended in 1996 to exclude specific types of information sharing with affiliates from the definition of "consumer report." Institutions making these disclosures are not subject to the obligations imposed on consumer reporting agencies. These disclosures include information as to transactions or experiences between the consumer and the person making the disclosure. These disclosures also include "other" information covered by the FCRA, provided that the institution provides the consumer with notice and an opportunity to "opt-out," or direct that the information not be communicated.
President Bush this past December signed into law the FACT Act that permanently extends the federal preemptions for credit reporting under the FCRA. The new law also creates a number of important new consumer protections designed to help prevent identity theft and assist consumers who become victims of this rapidly growing crime. It also contains new restrictions on information sharing and creates a new federal commission that will coordinate financial education efforts at the national, state, and local levels.
The FACT Act will be implemented through a number of new rules that will be issued this year. Access below for a special issue of RegWatch that describes the significant provisions of the FACT Act: http://www.cuna.org/reg_advocacy/member/regwatch/regwatch.html
DESCRIPTION OF THE PROPOSED RULE
One new provision of the FACT Act provides that if an entity shares certain information with an affiliated entity, that affiliate may not use the information to make or send marketing solicitations to the consumer about its products or services, unless the consumer is given notice and a reasonable opportunity to opt-out of such uses and does not choose to do so. This new provision is in addition to the affiliate sharing provisions that were added in 1996, and these new provisions apply both to transaction or experience information and the "other" information as outlined in the 1996 amendments.
The proposed rule implements these new FACT Act provisions regarding information sharing among affiliates. These new affiliate sharing restrictions apply to information that would be a "consumer report" if the exclusions contained in the 1996 amendments did not apply (that is, transaction or experience information and "other" information subject to the affiliate sharing opt-out, as described above). This generally means communication of information bearing on the consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is expected to be collected or used to at least some extent as a factor in establishing credit or insurance eligibility and is used primarily for personal, family, or household purposes. The proposed rule refers to this as "eligibility information." For credit unions, this rule will generally apply to information delivered from a CUSO to a credit union and from a credit union to the CUSO.
The following are the significant definitions used in the proposed rule:
- Affiliate any person related by common ownership or common corporate control with another person. An affiliate of a credit union includes a CUSO that is controlled by a federal credit union, and a federal credit union will presumably have control over a CUSO if the CUSO is 67% owned by credit unions.
Clear and Conspicuous reasonably understandable and designed
to call attention to the nature and significance of the information.
"Reasonably understandable" may include, but is not limited to:
- Clear and concise sentences, paragraphs, and sections.
- Short explanatory sentences.
- Bullet points.
- Definite, concrete, everyday words.
- Active voice.
- Avoiding double negatives and legal and highly technical terminology.
- Avoiding explanations that are imprecise and subject to different interpretations.
"Designed to call attention" may include, but is not limited to:
- Plain language heading.
- Typeface and type size that is easy to read.
- Wide margins and ample line spacing.
- Boldface and italics for key words.
Credit unions are encouraged, but not required, to use the above examples of "clear and conspicuous." When combined with other information, it may be necessary to use distinctive type sizes, styles, fonts, paragraphs, headings, graphics devices, groups, or other devices. This will not be necessary to differentiate the affiliate marketing opt-out notice from other components of a required disclosure, such as the Gramm-Leach-Bliley Act (GLBA) privacy notice that includes several opt-out disclosures, as there is no requirement to segregate this affiliate notice when combined with the privacy notice or other required disclosures. Notice on a web page may use text or cues to encourage scrolling down the page if necessary to view the entire notice and take steps to ensure that other elements, such as pop-up ads, text, graphics, hyperlinks, or sound do not distract attention from the notice. Not all of the examples above have to be incorporated all of the time.
Pre-existing business relationship (one of the exceptions for requiring the opt-out,
as described below) Relationship between an entity and a consumer based on the following:
- a financial contract between the entity and consumer that is in force;
- a financial transaction (including an active account or policy in force or other continuing relationship) or the purchase, rental, or lease of goods or services during the 18-month period before the date the solicitation was sent to the consumer; or
- an inquiry or application by the consumer regarding a product or service offered by the entity that was made during the three-month period before the solicitation was sent to the consumer.
An inquiry includes any affirmative request by a consumer for information, such that the consumer would reasonably expect to receive information from the affiliate about its products or services. An inquiry would not occur if such a request was made if the consumer did not provide contact information to the affiliate.
- Solicitation marketing by an entity to a consumer based on eligibility information that it receives from its affiliate and is intended to encourage the consumer to purchase a product or service. This would include telemarketing, direct mail, or e-mail, but not communications directed to the general public without regard to eligibility information even if intended to encourage the purchase of products and services.
The following exceptions to the requirement to provide the notice and opt-out will not apply when:
- The affiliate receiving the information has a pre-existing business relationship with the consumer.
- Using the information to communicate with an individual for whose benefit the affiliate provides services on behalf of the individuals employer.
- The information is used to perform services for another affiliate, subject to certain conditions, such as not providing services on behalf of an affiliate that is not permitted to send solicitations because the consumer elected to opt-out.
- The information is used in response to a communication initiated by the consumer, which may be oral, written, or electronic. Requests for information not related to products or services would not be sufficient, and a consumer responding to a message left by the affiliate would also not be sufficient. The solicitation must be sent within a certain time period after the communication from the consumer, which will depend on the facts and circumstances.
- The information is used to make a solicitation that has been authorized or requested by the consumer, either in writing, orally, or electronically. A pre-selected check box or boilerplate language in a disclosure will not be sufficient. The duration of the authorization or request will depend on the facts and circumstances.
- If compliance with these provisions would prevent the affiliate from complying with state insurance laws pertaining to unfair discrimination.
NCUA and the other federal financial institution regulators, as well as the FTC, have proposed that the entity communicating the information about a consumer to its affiliate that plans to send the solicitation should be the one responsible for providing the notice to the consumer. This may be provided by the entity, the entitys agent, or through a joint notice with one or more affiliates, which will provide flexibility and facilitate the use of a single notice.
If sent by an agent, the opt-out notice must be in the name of the entity or common corporate name, and the entity, not the agent, assumes responsibility for failure to comply with the notice requirements. If the agent is an affiliate of the entity, the agent may not include solicitations other than those of the entity, unless an exception applies. If it is a joint notice, the joint notice must be sent in one or more common corporate names shared by these affiliates that includes the common corporate name used by that entity.
It is also not necessary for each affiliate that communicates the same eligibility information to provide an opt-out notice, as long as the notice provided by the affiliate that initially communicated the information is broad enough to cover the use of that information by each affiliate that receives and uses it to make solicitations.
The opt-out notice must be given to the consumer in writing or electronically, if the consumer agrees. The notice must be clear, conspicuous, and concise and accurately disclose the following:
- That the consumer may elect to limit an entitys affiliate from using eligibility information that it obtains from that entity to send solicitations to the consumer.
- The election will apply for a period of time, at least five years, and that the consumer will be permitted to extend the election, unless the opt-out election is permanent until revoked by the consumer.
- A reasonable and simple method for the consumer to opt-out.
The term "concise" means reasonably brief, although the opt-out rights for these new affiliate sharing provisions may be combined with other notices required by law, such as the GLBA privacy notices. If combined with the privacy notices, the consumer should be allowed to exercise the opt-out in the same manner and be given the same amount of time as provided for any opt-out that is included in the privacy notice.
The notice may provide choices as to which types of information, affiliates, or methods of delivery may be subject to the opt-out, as long as one of the choices is to opt-out with respect to all types of eligibility information, affiliates, and methods of delivery. Entities may, of course, choose to provide broader opt-outs than permitted under the proposed rule. The proposed rule also provides model notices that may be used, but they are not required.
After the notice is delivered, the consumer must be given a realistic period of time to decide whether to opt-out before solicitations are sent. This period of time will depend on the circumstances. Thirty days will be considered sufficient, although shorter time periods may be adequate under certain circumstances. The time period does not have to be disclosed in the notice.
These reasonable opportunities to opt-out, such as by mail or electronically, are similar to those that apply to the GLBA privacy notices. For electronic opt-outs, one example would be to provide the notice through a non-bypassable link to a page that provides the opt-out option, which would require the consumer to check a box to either opt-out or decline to opt-out before continuing with the transaction. This example would not include requiring the consumer to send a separate e-mail or visit a separate website in order to opt-out. An "opt-in" may also be used, which means solicitations would not be sent unless the consumer affirmatively agrees. This choice has to be documented, and a pre-selected check box would be an example that would not be considered an affirmative consent.
The proposed rule outlines reasonable and simple methods for opting out, which are similar to those in the GLBA privacy notices. These include a self-addressed envelope included with the reply form and opt-out notice or a toll-free telephone number, which must be adequately designed and staffed to enable consumers to opt-out in a single phone call. Unreasonable methods would include requiring the consumer to write a letter or call an entity to obtain the opt-out form, rather than including it in the notice. Also, consumers electing to receive the opt-out notice electronically, such as by e-mail or through the Internet, should be permitted to exercise the opt-out electronically and should not be required to do so in writing or by telephone.
The proposed rule requires that the entity must deliver the opt-out notice so that the consumer can reasonably be expected to receive the actual notice. For electronic delivery, if agreed to by the consumer, this could include sending an e-mail or provide a notice on the Internet website. In general, this requirement does not require "actual" notice. For example, sending the notice to the last known address will be sufficient, even if it does not reach the consumer.
For two or more consumers obtaining a product or service, such as joint account-holders, a single opt-out notice may be sent, but the notice must indicate whether an opt-out by one will be considered an opt-out by both or whether each consumer may opt-out separately. However, requiring both to opt-out before honoring the request will not be permitted.
The election by a consumer to opt-out of these affiliate sharing arrangements will be effective for at least five years, beginning as soon as reasonably practicable after the opt-out is received, unless the consumer revokes it, either in writing or electronically. The opt-out period may be longer than five years and there is no requirement that there be an expiration date, in which case the opt-out applies until revoked by the consumer.
If there is an expiration date, the consumer must be given a reasonable chance to extend the opt-out for at least another five year period after the initial opt-out expires by receiving a new notice, and solicitations cannot be sent to the consumer until after he or she has this opportunity and does not elect to opt-out. The consumer must have this opportunity after the expiration of each successive opt-out period. If the consumer opts-out again prior to the expiration date, a new period of at least five years begins upon receipt of that opt-out notice.
The extensions may be provided either a reasonable time period before the expiration of the opt-out period, which may include sending it with the last GLBA annual privacy notice prior to the expiration of the opt-out, or any time after expiration but before solicitations are sent to the consumer. However, if the GLBA privacy notice has a statement that the consumer does not need to opt-out again with regard to privacy, then the notice must be clear that it is necessary to so again with regard to these affiliate sharing provisions.
Such extensions would not be necessary if the initial opt-out does not have an expiration date, unless it is revoked by the consumer. Entities have flexibility with regard to the content of these expiration notices, as long as it is clear and conspicuous. The proposed rule also provides a model form that may be used, but it is not required.
If the consumer does not extend the opt-out, all eligible information received from an affiliate may be used, including information received during the opt-out period, but which was not used at that time to send solicitations. However, if that consumer opts-out after a period of time after the initial opt-out lapses, no eligible information may be used, including information received during the time that the opt-out was not in effect.
The consumer may opt-out at any time, even if it is not in response to the initial opt-out notice, and the opt-out period must still be effective for at least five years. The opt-out will still be in effect after the consumer terminates the relationship with the entity, unless it is revoked by the consumer. The opt-out notice will not be required if none of the affiliates receiving the eligible information uses it to send solicitations to the consumer. However, if the consumer opts-out, neither the entity nor the affiliate may send marketing solicitations to that consumer.
These rules will be effective six months after they are issued in final form. The final rules are scheduled to be issued by September 4, 2004, which means they will be effective by March 4, 2005. The proposed rule will not apply to information covered under this rule that was received prior to this effective date.
QUESTIONS TO CONSIDER REGARDING THE PROPOSED RULE ON LIMITING USE OF INFORMATION BY
AFFILIATED ENTITIES FOR MARKETING PURPOSES
(NCUA has specifically requested comment on most of the
issues raised in these questions.)
- Should the entity receiving the information be permitted to provide the opt-out
notice, instead of its affiliate that communicates the information to the entity?
Should the receiving affiliate be able to provide the notice without sending a solicitation
with it and would that be effective?
- Is the term "eligible information" as used in the rule adequately defined?
- Are there other circumstances that should be deemed "pre-existing business relationships"
for purposes of this exception for providing the opt-out notice? Should other types of
information not be considered a "solicitation?" To what extent should Internet marketing,
such as pop-up ads, be considered solicitations, as opposed to communications directed at the
general public? Is further guidance needed to address Internet marketing?
- Is the definition of "affiliate" clear, especially regarding the relationship between
credit unions and CUSOs?
- Should the rule apply to affiliated entities seeking to avoid providing notices by
engaging in "constructive sharing," an example being Entity A soliciting on behalf of
Entity B, collecting eligible information as a result and then submitting that back to
Entity B? Are there other means of circumventing these rules that the final rule should
- Are there circumstances in which oral opt-out notices should be allowed? Is there a
practical way this can be accomplished in a "clear and conspicuous manner?
- Should the mandatory compliance date for the final rule be different than the effective
date? If so, what should that date be? Should the date be delayed to incorporate this notice
with the next annual GLBA privacy notice?
- An example in the rule for opting out electronically would be a non-bypassable link on
a website in which there would be a process of choosing whether to opt-out, such as a check-off
box that is used to indicate the decision of the consumer. Is this a good example or are
additional clarifications needed?
- Should information about a joint account be used for making solicitations to a joint
consumer who has not opted out when the other joint consumer has opted out?
- Would you plan to put a limit on the opt-out, which must be at least five years, or would
it be permanent, unless revoked? What are the benefits and burdens of these approaches?
- Will you consolidate the new affiliate marketing opt-out notice with the GLBA privacy
notices or the existing affiliate sharing opt-out notices currently required under the FCRA?
If so, has NCUA provided sufficient guidance on consolidating these notices? Will consolidation
be helpful to consumers?
- The rule includes model forms for the opt-out notice, the extension notice, and a notice
that entities may use if they offer consumers a broader right to opt-out of marketing than is
required by law. Do you believe these are useful and will they help consumers understand their
- Please submit your name, address, and phone number.
Eric Richard General Counsel (202) 508-6742 email@example.com |
Mary Mitchell Dunn SVP & Associate General Counsel (202) 508-6736 firstname.lastname@example.org
Jeffrey Bloch Assistant General Counsel (202) 508-6732 email@example.com
Catherine Orr Senior Regulatory Counsel (202) 508-6743 firstname.lastname@example.org