[Federal Register: October 20, 2000 (Volume 65, Number 204)]
[Proposed Rules]
[Page 63119-63141]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr20oc00-24]
[[Page 63119]]
-----------------------------------------------------------------------
Part II
Department of the Treasury
-----------------------------------------------------------------------
Office of the Comptroller of the Currency
-----------------------------------------------------------------------
Office of Thrift Supervision
-----------------------------------------------------------------------
Federal Reserve System
-----------------------------------------------------------------------
Federal Deposit Insurance Corporation
-----------------------------------------------------------------------
12 CFR Parts 41, 222, 334 and 571
Fair Credit Reporting Regulations; Proposed Rule
[[Page 63120]]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 41
[Docket No. 00-20]
RIN 1557-AB78
FEDERAL RESERVE SYSTEM
12 CFR Part 222
[Regulation V; Docket No. R-1082]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 334
RIN 3064-AC35
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 571
[Docket No. 2000-81]
RIN 1550-AB33
Fair Credit Reporting Regulations
AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);
Board of Governors of the Federal Reserve System (Board); Federal
Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision,
Treasury (OTS).
ACTION: Joint notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The OCC, Board, FDIC, and OTS (Agencies) are publishing for
comment proposed regulations implementing the provisions of the Fair
Credit Reporting Act (FCRA) that permit institutions to communicate
consumer information to their affiliates (affiliate information
sharing) without incurring the obligations of consumer reporting
agencies. These provisions authorize institutions to communicate among
their affiliates: Information as to transactions or experiences between
the consumer and the person making the communication (transaction or
experience information); and ``other'' information (that is,
information covered by the FCRA but not transaction or experience
information), provided that the institution has given notice to the
consumer that the other information may be communicated, the
institution has provided the consumer an opportunity to ``opt out''
(i.e., to direct that the information not be communicated), and the
consumer has not opted out. The proposed regulations explain how to
comply with the affiliate information sharing provisions, addressing
such matters as the content and delivery of the notice to consumers
that ``other'' information may be communicated (opt out notice). The
proposed regulations also implement certain related provisions. The
Agencies have attempted to conform these proposed regulations to the
final regulations implementing the privacy provisions of the Gramm-
Leach-Bliley Act whenever feasible.
DATES: Comments must be received by December 4, 2000.
ADDRESSES: Comments should be directed to:
OCC: Communications Division, Office of the Comptroller of the
Currency, 250 E Street, SW., Washington, D.C. 20219, Attention: Docket
No. 00-20; FAX number (202) 874-5274 or Internet address:
regs.comments@occ.treas.gov. Comments may be inspected and photocopied
at the OCC's Public Reference Room, 250 E Street, SW., Washington D.C.
between 9:00 a.m. and 5:00 p.m. on business days. You can make an
appointment to inspect the comments by calling (202) 874-5043.
Board: Comments, which should refer to Docket No. R-1082, may be
mailed to Ms. Jennifer J. Johnson, Secretary, Board of Governors of the
Federal Reserve System, 20th and C Streets, NW., Washington, D.C. 20551
or mailed electronically to regs.comments@federalreserve.gov. Comments
addressed to Ms. Johnson also may be delivered to the Board's mail room
between 8:45 a.m. and 5:15 p.m. and to the security control room
outside of those hours. Both the mail room and the security control
room are accessible from the courtyard entrance on 20th Street between
Constitution Avenue and C Street, NW. Comments may be inspected in Room
MP-500 between 9:00 a.m. and 5:00 p.m., pursuant to Sec. 261.12, except
as provided in Sec. 261.14, of the Board's Rules Regarding the
Availability of Information, 12 CFR 261.12 and 261.14.
FDIC: Send written comments to Robert E. Feldman, Executive
Secretary, Attention: Comments/OES, Federal Deposit Insurance
Corporation, 550 17th Street, NW., Washington, DC 20429. Comments may
be hand delivered to the guard station at the rear of the 17th Street
building (located on F Street) on business days between 7 a.m. and 5
p.m. (FAX number (202) 898-3838). Comments may be inspected and
photocopied in the FDIC Public Information Center, Room 100, 801 17th
Street, NW., Washington, DC 20429, between 9:00 a.m. and 4:30 p.m. on
business days.
Comments may be submitted to the FDIC electronically over the
Internet at www.fdic.gov. Further information concerning this option
may be found below at ``FDIC's Electronic Public Comment Site.''
Comments also may be mailed electronically to comments@fdic.gov.
OTS: Mail: Send comments to Manager, Dissemination Branch,
Information Management and Services Division, Office of Thrift
Supervision, 1700 G Street, NW., Washington, DC 20552, Attention Docket
No. 2000-81.
Delivery: Hand deliver comments to the Guard's Desk, East Lobby
Entrance, 1700 G Street, NW., from 9:00 a.m. to 4:00 p.m. on business
days, Attention Docket No. 2000-81.
Facsimiles: Send facsimile transmissions to FAX Number (202) 906-
7755, Attention Docket No. 2000-81; or (202) 906-6956 (if comments are
over 25 pages).
E-Mail: Send e-mails to ``public.info@ots.treas.gov'', Attention
Docket No. 2000-81, and include your name and telephone number.
Public Inspection: Interested persons may inspect comments at the
Public Reference Room, 1700 G St. N.W., from 10:00 a.m. until 4:00 p.m.
on Tuesdays and Thursdays or obtain comments and/or an index of
comments by facsimile by telephoning the Public Reference Room at (202)
906-5900 from 9:00 a.m. until 5:00 on business days. Comments and the
related index will also be posted on the OTS Internet Site at
``www.ots.treas.gov''.
FOR FURTHER INFORMATION CONTACT:
OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Michael
Bylsma, Director, Community and Consumer Law, (202) 874-5750; Stephen
Van Meter, Senior Attorney, Community and Consumer Law, (202) 874-5750;
Carol Workman, Compliance Specialist, Community and Consumer Policy,
(202) 874-4858; Deborah Katz, Senior Attorney, Legislative and
Regulatory Activities Division, (202) 874-5090; or Jeffery Abrahamson,
Attorney, Enforcement and Compliance, (202) 874-4800, Office of the
Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219.
Board: James H. Mann, Senior Attorney, (202) 452-2412; or David A.
Stein, Attorney, (202) 452-3667, Division of Consumer and Community
Affairs. For the hearing impaired only, contact Janice Simms,
Telecommunications Device for the Deaf (TDD) (202) 872-4984, Board of
Governors of the Federal Reserve
[[Page 63121]]
System, 20th and C Streets, NW., Washington, DC 20551.
FDIC: James K. Baebel, Assistant Director, Compliance Policy,
Division of Compliance and Consumer Affairs, (202) 942-3086; Deanna
Caldwell, Community Affairs Officer, Division of Compliance and
Consumer Affairs, (202) 736-0141; Nancy Schucker Recchia, Counsel,
Regulations and Legislation Section, (202) 898-8885; A. Ann Johnson,
Counsel, Regulations and Legislation Section, (202) 898-3573; and David
Lafleur, Senior Compliance Examiner, (415) 395-5261, Federal Deposit
Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.
OTS: Christine Harrington, Counsel (Banking and Finance), (202)
906-7957; Paul Robin, Assistant Chief Counsel, (202) 906-6648; or
Elizabeth Baltierra, Program Analyst, Compliance Policy (202) 906-6540,
Office of Thrift Supervision, 1700 G Street, NW., Washington DC 20552.
SUPPLEMENTARY INFORMATION:
I. Background
The FCRA
The FCRA, enacted in 1970, sets standards for the collection,
communication, and use of information bearing on a consumer's credit
worthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living. 15 U.S.C.
1681-1681u. In 1996, the Consumer Credit Reporting Reform Act amended
the FCRA extensively (1996 Amendments). Pub. L. 104-208, 110 Stat.
3009.
For many years, to avoid the obligations of consumer reporting
agencies imposed by the FCRA, many institutions avoided making any
communications to affiliated companies of consumer information that
could constitute consumer reports.\1\ The 1996 Amendments, however,
excluded specified types of information sharing with affiliates from
the definition of ``consumer report,'' assuring institutions that
making these communications would not expose them to the obligations of
consumer reporting agencies. In particular, the 1996 Amendments
excluded from the definition of ``consumer report'' the sharing of
``other'' information among affiliates, so long as the consumer, having
been given notice and an opportunity to opt out, did not opt out.
``Other information'' refers to information that is covered by the FCRA
and that is not a report containing information solely as to
transactions or experiences between the consumer and the person making
the report.
---------------------------------------------------------------------------
\1\ The FCRA creates substantial obligations for ``consumer
reporting agencies.'' FCRA, section 603(f); see, e.g., sections 607,
611. These obligations include furnishing consumer reports only for
permissible purposes, maintaining high standards for ensuring the
accuracy of information in consumer reports, resolving customer
disputes, and other matters.
---------------------------------------------------------------------------
The 1996 Amendments prohibited the Agencies from issuing
implementing regulations. 15 U.S.C. 1681s(a)(4) (repealed). The Gramm-
Leach-Bliley Act (GLBA) repealed this prohibition and directed the
Agencies to prescribe jointly such regulations as necessary to carry
out the purposes of the FCRA. Pub. L. Sec. 506, 106-102, 15 U.S.C.
1681s(e).
Coordination With Privacy Regulations
The GLBA sets standards for financial institutions' disclosure of
nonpublic personal information to nonaffiliated third parties (privacy
provisions; Pub. L. 106-102, 15 U.S.C. 6802; see also 15 U.S.C. 6803).
The Agencies published final regulations implementing these privacy
provisions on June 1, 2000 (privacy regulations; 65 FR 35162, June 1,
2000).
The privacy regulations do not ``modify, limit, or supersede the
operation of the Fair Credit Reporting Act.'' 15 U.S.C. 6806. Thus,
both the privacy regulations and the FCRA may apply to an institution's
disclosure of consumer information. Moreover, if a financial
institution provides an opt out notice under the FCRA, that notice must
be included in certain notices mandated by the privacy regulations,
including annual notices to customers. 15 U.S.C. 6803. Therefore, the
Agencies anticipate that financial institutions will design their
information-sharing policies and practices taking into account both the
privacy regulations and the regulations implementing the FCRA.
To ease compliance and promote consistency, the Agencies are
conforming the two regulations where appropriate. For example, the
Agencies are proposing requirements regarding the content and delivery
of the FCRA opt out notice that are generally consistent with the
corresponding provisions of the privacy regulations.
This Proposal and Future Agency Issuances
The FCRA raises many significant issues in addition to affiliate
information sharing. The Agencies are analyzing these issues and expect
to address them in an Advance Notice of Proposed Rulemaking.
Additionally, the Agencies will review a series of questions and
answers regarding the FCRA (Qs & As) that the Agencies (including the
Federal Home Loan Bank Board, predecessor of the OTS) issued in 1971.
These were designed to help financial institutions develop a working
knowledge of the statute. The Agencies will modify or withdraw any Qs &
As that are inconsistent with the FCRA or obsolete.
II. Section-by-Section Analysis
Section __.1 Purpose and Scope
Proposed paragraph ____.1(a) briefly describes the purpose of the
regulations. Proposed paragraph ____.1(b) briefly describes the scope
of the regulations, including the information and institutions subject
to them. (These institutions are identified in more detail in proposed
section ____.3(m) of the Board, FDIC, and OTS regulations.)
Paragraph ____.1(b) also provides that nothing in this part
modifies, limits, or supersedes the standards governing the privacy of
individually identifiable health information promulgated by the
Secretary of Health and Human Services pursuant to sections 262 and 264
of the Health Insurance Portability and Accountability Act (HIPAA) of
1996 (42 U.S.C. 1320d-1320d-8). Certain institutions that possess
medical information about consumers may be covered by these
regulations, the GLBA privacy regulations, and rules promulgated by the
Department of Health and Human Services (HHS) under the authority of
sections 262 and 264 of HIPAA once those regulations are finalized.
Based on the proposed HIPAA rules, it appears likely that there will be
areas of overlap between the HIPAA and the FCRA affiliate information-
sharing rules. For instance under the HIPAA proposal, consumers must
provide affirmative authorization before a ``covered institution'' or
its ``business partner'' may disclose medical information in certain
instances, whereas under these proposed FCRA affiliate information
sharing rules, institutions need only provide consumers with the
opportunity to opt out of disclosures. In cases where the HIPAA
requires consumers to opt in before certain information may be shared,
but this rule allows consumers to opt out of the same sharing, opt in
would be necessary before the information may be shared. The Agencies
will consult with HHS to avoid the imposition of duplicative or
inconsistent requirements.
Section __.2 Examples
Proposed section __.2 clarifies that the examples used in the
regulations and in the sample notice are not exclusive means of
compliance; rather, they are
[[Page 63122]]
intended to provide guidance on how to comply in specific situations.
The Agencies solicit comment on whether to include additional or
different examples, and, more fundamentally, on whether including
examples in the regulations is appropriate and useful. Instead of
addressing specific fact situations through such examples, the Agencies
could periodically issue interagency staff commentaries or questions
and answers.
The Agencies note that an example that mentions a particular
activity does not, by itself, authorize an institution to engage in
that activity. Any such authority must have an independent source.
Section __.3 Definitions
Discussed below are a few key definitions, including: ``affiliate''
(as well as the related terms ``company'' and ``control''); ``clear and
conspicuous''; ``opt out''; ``opt out information''; and ``consumer
report.'' The proposal tracks the statutory language referring to
``transaction or experience information,'' but does not define that
term.
Affiliate
Several FCRA provisions apply to information sharing with persons
``related by common ownership or affiliated by corporate control,''
``related by common ownership or affiliated by common corporate
control,'' or ``affiliated by common ownership or common corporate
control.'' E.g., FCRA, sections 603(d)(2), 615(b)(2), and 624(b)(2).
Proposed paragraph (b) defines ``affiliate'' to refer to all these
relationships between and among companies, and clarifies that ``related
or affiliated by common ownership or affiliated by corporate control or
common corporate control'' means controlling, controlled by, or under
common control with another company.
Consistent with the definitions in the privacy regulations, the
proposal uses a definition of ``control'' that applies exclusively to
the control of a ``company,'' and defines ``company'' to include any
corporation, limited liability company, business trust, general or
limited partnership, association, or similar organization. See proposed
paragraphs (e) (``company'') and (i) (``control''). The definition of
``company'' omits some entities that are ``persons'' under the FCRA--
individuals, estates, cooperatives, governments, and governmental
subdivisions or agencies. The Agencies, however, are not aware of any
circumstances where ``control'' could be exercised over individuals,
government agencies, and other persons that do not fit within the
definition of ``company.'' Comment is solicited on whether the proposed
definition of ``control'' should be expanded to apply to these
additional types of persons.
Clear and Conspicuous
Proposed paragraph (c) defines ``clear and conspicuous'' to mean
that a notice must be reasonably understandable and designed to call
attention to the nature and significance of the information it
contains. The proposed regulations do not mandate the use of any
particular technique for making a notice clear and conspicuous;
instead, they give institutions flexibility in determining how to
comply. An institution may make its notice reasonably understandable
by, for example, using short explanatory sentences or bullet lists and
avoiding legal or highly technical business terminology whenever
possible. An institution may design its notice to call attention to the
nature and significance of the information in the notice by, for
example, using a plain-language heading and a typeface and size that
are easy to read.
Paragraph (c) is consistent with the ``clear and conspicuous''
standard in the privacy regulations. As such, it offers a more detailed
exposition of the standard (particularly with respect to what makes a
notice ``conspicuous'') than some other regulations, such as the
Board's Regulation Z. However, laws other than FCRA--for example, the
Truth in Lending Act--that require clear and conspicuous disclosures,
are beyond the scope of this rulemaking. Accordingly, the standard
proposed here does not affect disclosures required by those laws.
The Agencies request comment on whether institutions have any
particular concerns about compliance with FCRA's clear and conspicuous
standard when FCRA opt out notices are included with the GLBA privacy
provision notices.
Consumer Report
Proposed paragraph (g) parallels the definition in section 603(d)
of the FCRA. Paragraph (g)(2)(ii) excludes from the definition of
``consumer report'' communication among affiliates of a report
containing information solely as to transactions or experiences between
the consumer and the person making the report.\2\
---------------------------------------------------------------------------
\2\ Prior to the 1996 amendments to FCRA, affiliated entities
could not pool their transaction or experience information in a
common database without being considered a consumer reporting
agency. Instead, each affiliate could disclose its own transaction
or experience information to another affiliate directly only in the
same manner as an entity can disclose information to a nonaffiliated
third party. While transaction or experience information has been
excluded from the definition of ``consumer report'' since the FCRA's
initial passage, the 1996 amendments facilitated the disclosure of
such information among affiliates.
---------------------------------------------------------------------------
Paragraph (g)(2)(iii) excludes any communication of ``opt out
information'' if the conditions set out in sections __.4-__.9 are
satisfied. The FCRA, as explained above, uses the term ``other
information'' to refer to information that it covers but that is not
transaction or experience information. This proposal refers to ``other
information'' using the more descriptive term ``opt out information.''
See proposed paragraph (k).
Opt Out
Proposed paragraph (j) defines this term to mean a direction by a
consumer that an institution not communicate opt out information about
the consumer to one or more of the institution's affiliates.
Opt Out Information
As described above, the 1996 Amendments to FCRA excluded from the
definition of ``consumer report'' the sharing of ``other information''
among affiliates, so long as the consumer, having been given notice and
an opportunity to opt out, did not opt out. ``Other information''
refers to information that is covered by the FCRA and that is not a
report containing information solely as to transactions or experiences
between the consumer and the person making the report. The proposed
regulation uses the term ``opt out information'' to describe this
category of information.
Proposed paragraph (k) defines opt out information as information
that (i) bears on a consumer's credit worthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living, (ii) is used or expected to be used
or collected for one of the permissible purposes listed in FCRA (e.g.,
credit transaction, insurance underwriting, employment purposes), and
(iii) is not solely transaction or experience information. Section
____.5(d) gives examples of categories of information that qualify as
opt out information.
Section __.4 Communication of Opt Out Information to Affiliates
Proposed section __.4 describes the conditions that an institution
must meet to ensure that its communication of opt out information to
its affiliates do not constitute consumer reports including
[[Page 63123]]
the requirement that the institution provide an opt out notice.
Section 603(d)(2)(A)(iii) of the FCRA excludes from the definition
of ``consumer report'' the sharing of opt out information among
affiliates if:
it is clearly and conspicuously disclosed to the consumer that the
information may be communicated among such persons and the consumer
is given the opportunity, before the time that the information is
initially communicated, to direct that such information not be
communicated among such persons * * *.
Proposed section ____.4 accordingly provides that opt out
information may be communicated among affiliates without the
communication being a consumer report if: (i) The institution has
provided an opt out notice; (ii) the institution has given the consumer
a reasonable opportunity and means, before the time that it
communicates the information, to opt out; and (iii) the consumer has
not opted out.
Mergers & Acquisitions
In a merger or acquisition situation, the need to provide new opt
out notices to the customers of the entity that ceases to exist will
depend on whether the notices previously given to those customers
accurately reflect the policies and practices of the surviving entity.
If they do, the surviving entity will not be required under the rule to
provide new notices.
Section __.5 Contents of Opt Out Notice
Proposed paragraph (a) provides that an opt out notice must be
clear and conspicuous, and must accurately explain: (i) The categories
of opt out information about the consumer that the institution
communicates; (ii) the categories of affiliates to which the
institution communicates the information; (iii) the consumer's ability
to opt out; and (iv) the means to do so. The Agencies invite comment on
whether financial institutions should also have to disclose in their
FCRA notices how long a consumer has to respond to the opt out notice
before the institution may begin disclosing information about that
consumer to its affiliates, as well as the fact that a consumer can opt
out at any time. These disclosures are not required in the privacy
regulations. The Agencies seek comment on whether the benefits of the
additional disclosures would outweigh the burdens, and, if so, whether
the regulation should require the disclosures to state that a financial
institution will wait 30 days in every instance before sharing consumer
information with affiliates (see proposed section __.6, below, for
additional discussion on reasonable opportunity to opt out).
Proposed paragraph (b) clarifies that an institution's notice may
describe not only the communications of opt out information that the
institution currently plans to make to its affiliates, but also the
communications that it reserves the right to make in the future.
Proposed paragraph (c) explains that an institution may, but need not,
provide the consumer with the option of an opt out that covers only
part of the information or certain affiliates. This would enable an
institution to give consumers a menu of opt out choices if it desires
to do so.
Paragraph (d) explains how an institution can satisfy the
requirement that it categorize the opt out information that it
communicates. Paragraph (d)(2) gives examples of categories of opt out
information, such as information from a consumer's application,
information from a consumer report, information obtained by verifying
representations made by a consumer, and information provided by another
person regarding that person's relationship with a consumer. The first
two categories reflect the legislative history of the 1996 Amendments,
which states in part that the opt out provision ``will clarify that
affiliates within a Holding Company structure can share any application
information * * * and consumer reports, consistent with the FCRA.'' S.
Rep. No. 185, 104th Cong., 1st Sess. 18-19 (1995). The other two
categories represent information that the Agencies believe does not
constitute transaction or experience information when communicated by
the institution that has received it. Paragraph (d)(3) gives a non-
exclusive list of examples of specific items of opt out information
within each category, including a consumer's income, credit score or
credit history, open lines of credit, employment history, marital
status and medical history.
Medical data are especially sensitive for many consumers; if such
data are among the opt out information that an institution communicates
to its affiliates, the institution satisfies the requirement to
categorize that information only if it includes examples of medical
data that it intends to share. The Agencies note that the items listed
in paragraph (d)(3) as examples of information that would be included
within the categories of opt out information are illustrative only.
Those items would not be considered opt out information in cases where
the information is obtained from a source other than those listed in
paragraph (d)(2). Comment is requested as to the appropriateness of
these examples of categories and items of opt out information, and
whether additional or different examples should be used.
The descriptions of the categories of information set out in
proposed paragraph (d)(2) differ somewhat from those in section
__.6(c)(2) of the privacy regulations. The agencies solicit comment on
the extent to which the categories in (d)(2) can be treated as
consistent with similar categories in the privacy regulations (such as
disclosures of information from consumer reporting agencies) in order
to reduce compliance burden and consumer confusion.
Proposed paragraph (e) explains how an institution can satisfy the
requirement that it categorize the affiliates to which it communicates
opt out information.
Paragraph (f) cross-references the sample notice in appendix A,
which presents a further illustration of the content of an opt out
notice.
Section __ .6 Reasonable Opportunity to Opt Out
Proposed paragraph (a) of section ____ .6 states that financial
institutions will provide a reasonable opportunity to opt out by
providing a reasonable period of time for the consumer to opt out from
the time that notice is delivered. Proposed paragraph (b) sets out
examples of what is a reasonable period of time when notices are
provided in person, by mail, or by electronic means. Comment is
requested on whether there are other situations that would suggest a
different reasonable period of time that the Agencies should note by
example. Proposed paragraph (c) explains that a consumer may opt out at
any time.
Section __ .7 Reasonable Means of Opting Out
Proposed paragraph (a) sets forth the general rule that an
institution provides a reasonable means of opting out if it provides a
reasonably convenient method to the consumer to opt out. Examples of
reasonable means of opting out and unreasonable means are set out in
proposed paragraphs (b) and (c), respectively. Proposed paragraph (d)
permits an institution to require each consumer to opt out through a
specific means, as long as that means is reasonable for that consumer.
Section __ .8 Delivery of Opt Out Notices
Proposed paragraph (a) provides that an institution must deliver an
opt out notice so that each consumer can reasonably be expected to
receive actual
[[Page 63124]]
notice. As indicated by the examples provided in proposed paragraph
(b), this is a lesser standard than actual notice. For instance, if an
institution mails a printed copy of its notice to the last known
mailing address of an existing customer, the institution has met its
obligation even if the customer has changed addresses and never
receives the notice.
An institution may give notice in writing or, if the consumer
agrees, electronically. For example, the institution may e-mail its
notice to a customer that conducts electronic transactions and has
agreed to receive electronic notice. The Agencies invite comment on
whether and how the proposed rules governing communications between a
financial institution and a consumer via an electronic medium should be
modified in light of the Electronic Signatures in Global and National
Commerce Act (the E-Sign Act).\3\
---------------------------------------------------------------------------
\3\ Congress recently enacted the E-Sign Act, Pub. L. 106-229,
which addresses the use of electronic records and signatures for
interstate and foreign commerce. This legislation contains general
rules governing the use of electronic records for providing required
information to consumers (such as disclosures and acknowledgments
required by the GLBA). The legal requirement that consumer
disclosures be in writing may be satisfied by an electronic record
if the consumer affirmatively consents and certain other
requirements of the E-Sign Act are met.
---------------------------------------------------------------------------
Proposed paragraph (c) explains that oral notice alone does not
comply with the notice requirement; however, oral notice may be
provided in conjunction with appropriate written or electronic notice.
Proposed paragraph (d) explains that an institution must provide
the notice so that the consumer can retain it or obtain it at a later
time, and gives examples of retention or accessibility.
Proposed paragraph (e) permits an institution to provide a joint
opt out notice with one or more of its affiliates that are identified
in the notice, as long as the notice is accurate with respect to each
entity jointly issuing the notice.
Proposed paragraph (f)(1) sets out rules that apply,
notwithstanding any other provision of the regulations, when two or
more consumers jointly obtain a product or service from an institution
(referred to in the proposed regulation as joint consumers), such as a
joint checking account. For example, an institution may provide a
single opt out notice to joint accountholders. The notice must indicate
whether the institution will consider an opt out by a joint
accountholder as an opt out by all of the associated accountholders, or
whether each accountholder may opt out separately. The institution may
not require all accountholders to opt out before honoring an opt out
direction by one of the joint accountholders. Paragraph (f)(2) gives
examples of these rules.
Section __ .9 Revised Opt Out Notice
Proposed section ____ .9 addresses the situation in which an
institution has provided a consumer with one or more opt out notices
but later decides to communicate opt out information to its affiliates
other than described in those notices. It explains that an institution
must send a revised opt out notice that complies with section ____ .4,
including providing a reasonable means and opportunity to opt out, and
communicating the information only if the consumer has not opted out.
Section __ .10 Time by Which Opt Out Must be Honored
Proposed section ____ .10 explains that if an institution provides
a consumer with an opt out notice, and the consumer opts out, the
institution must comply as soon as reasonably practicable after
receiving the consumer's direction. Comment is solicited on whether the
Agencies should establish a fixed number of days--for example, 30
days--that would be deemed a ``reasonably practicable'' period of time
for complying with a consumer's opt out direction.
Section __.11 Duration of Opt Out
Proposed section ____.11 provides that an opt out continues to
apply to the information and affiliates described in the applicable opt
out notice until revoked by the consumer in writing, or if the consumer
agrees, electronically, as long as the consumer continues to have a
relationship with the institution. If the consumer's relationship with
the institution terminates, the opt out will continue to apply to this
information. However, a new notice and opportunity to opt out must be
provided if the consumer establishes a new relationship with the
institution.
Section __ .12 Prohibition Against Discrimination
Proposed paragraph (a) reminds institutions that they may not
``discriminate against'' a consumer who is an ``applicant'' for credit
because the applicant opts out. The source of this prohibition is the
Equal Credit Opportunity Act (ECOA; 15 U.S.C. 1691 et seq.), which bars
discrimination on a prohibited basis in any aspect of a credit
transaction; one prohibited basis is exercising a right under the
Consumer Credit Protection Act, which includes the FCRA. Proposed
paragraph (b) provides examples of prohibited discrimination against an
applicant. Paragraph (c) notes that the terms ``applicant'' and
``discriminate against'' have the meaning ascribed to these terms in 12
CFR part 202.
Appendix A
Appendix A, which is part of these regulations, contains a sample
notice, part or all of which may be used to facilitate compliance with
the notice requirements. Although use of the sample notice is not
required, institutions using it properly to provide notices will be
deemed to be in compliance.
The Agencies solicit comment on all aspects of the proposed
regulations, including but not limited to those highlighted above.
III. FDIC's Electronic Public Comment Site
The FDIC has included a page on its web site to facilitate the
submission of electronic comments in response to this general
solicitation (the EPC site). The EPC site provides an alternative to
the written letter and may be a more convenient way for you to submit
your comments. Commenting through the EPC site will assist the FDIC to
more accurately and efficiently analyze comments submitted
electronically. If you submit your comments through the EPC site your
comments will receive the same consideration that they would receive if
submitted in hard copy to the FDIC's street address. Information
provided through the EPC site will be used by the FDIC only to assist
in its analysis of the proposed regulation. The FDIC will not use an
individual's name or any other personal identifier of an individual to
retrieve records or information submitted through the EPC site. Like
comments submitted in hard copy to the FDIC's street address, EPC site
comments will be made available in their entirety (including the
commenter's name and address if the commenter chooses to provide them)
for public inspection.
The EPC site will be available on the FDIC's home page at http://
www.fdic.gov. You will be able to provide comments directly on any of
the sections of the proposed regulation as well as the specific
questions that have been asked in the preceding Supplementary
Information section. You will also be able to view the regulation and
Supplementary Information sections that related to your comments
directly on the site. Because the GLBA authorizes promulgation of this
regulation, the FDIC encourages you to provide written comments in the
[[Page 63125]]
spaces provided. Written comments enable the FDIC to thoughtfully
consider possible changes to the proposed regulation.
The FDIC is also interested in your feedback on the EPC site. We
have provided a space for you to comment on the site itself. Answers to
this question will help the FDIC to evaluate the EPC site for use in
future rulemaking.
At the conclusion of the EPC site you will have an opportunity to
provide us with your name, indicate whether you are an individual,
insured depository institution, financial holding company, community-
based organization, trade association, government agency, or other, and
provide the name of the organization you represent, if applicable.
Whether you choose to respond to these questions is entirely up to you.
Any responses received may help the FDIC to better understand the
public comments it receives.
IV. Regulatory Analysis
Paperwork Reduction Act
The Agencies invite comment on: (1) Whether the collections of
information contained in this notice of proposed rulemaking are
necessary for the proper performance of each Agency's functions,
including whether the information has practical utility; (2) the
accuracy of each Agency's estimate of the burden of the proposed
information collections; (3) ways to enhance the quality, utility, and
clarity of the information to be collected; (4) ways to minimize the
burden of the information collections on respondents, including the use
of automated collection techniques or other forms of information
technology; and (5) estimates of capital or start-up costs and costs of
operation, maintenance, and purchases of services to provide
information. No person is required to respond to these collections of
information unless the collections display a currently valid Office of
Management and Budget (OMB) control number. The Agencies are currently
requesting their respective control numbers for these information
collections from OMB.
This proposed regulation contains disclosure requirements for
certain financial institutions and their affiliates. A financial
institution that (a) has affiliates, (b) does not wish to be considered
a consumer reporting agency, and (c) wishes to share consumer
information (other than transaction and experience information) with
its affiliates, must prepare and provide a notice to all its consumers
advising them of their opportunity to opt out of information sharing
with companies in the institution's corporate family. 12 CFR ____ .4.
If a financial institution wishes to share information in a way that is
inconsistent with notices previously given to consumers, the
institution must provide consumers with revised notices. 12 CFR ____
.11. The proposed regulation also contains consumer reporting
provisions. In order for consumers to opt out, they must respond to the
institution's opt out notices. 12 CFR ____ .7. At any time during their
continued relationship with the institution, consumers have the right
to change or update their opt out status with the institution. 12 CFR
____ .10.
FCRA was amended to include disclosure and opt out provisions in
1996, but the Agencies were prohibited from issuing implementing
regulations until 1999. Thus, the collections of information contained
in this proposed rule are not new requirements. During the past three
years, financial institutions have developed systems, policies, and
procedures to bring themselves into compliance with the 1996 FCRA
amendments. In estimating the burden associated with the collections of
information in this proposed regulation, the Agencies took into account
the fact that FCRA-related disclosure and opt out requirements have
already become a usual and customary practice for covered institutions.
However, because the proposed rule is more explicit and detailed than
the statute, some institutions may need to revise their disclosure
policies or their notices, and consumers may need to respond to the
revised notices. The burden associated with these changes to current
practice is represented in the estimates below. In estimating burden,
the Agencies also assumed that if a financial institution provides an
opt out notice under the FCRA, that notice must be included in certain
notices mandated by the GLBA privacy provisions, and will not be sent
out separately. The collection of information requirements contained in
this notice of proposed rulemaking will be submitted to the Office of
Management and Budget for review in accordance with the Paperwork
Reduction Act of 1995 (44 U.S.C. 3507).
The estimated number of bank respondents includes the total
institutions supervised by each of the Agencies that have certain
affiliate relationships. The requirements of the regulation only apply
to institutions that share opt out information with affiliates that do
not wish to be consumer reporting agencies; therefore, the Agencies
cannot currently predict with certainty how many of these institutions
will be subject to the rule. The analysis assumes that all institutions
with certain affiliates will in fact, choose to share opt out
information and thus be subject to the rule.
The estimated number of consumers who will receive opt out notices
is the sum of deposit and loan consumers, and is derived from data in
Board consumer studies. Each Agency's share of the total number of
consumers is based on the share of total deposits, and consumer and
mortgage loans, held by institutions supervised by the Agencies.
Because OTS collects different information about consumer loans than
the other Agencies, OTS estimated the number of thrift borrowers by
dividing total consumer loans outstanding by the average balance, for
different types of consumer loans. The analysis assumes that
institutions will provide separate opt out notices based on product
lines such as loans and deposit accounts, rather than single, combined
notices covering all of the various relationships a consumer may have
with the institution. The Agencies seek comment as to whether
institutions would likely send separate or combined notices.
OCC: Comments on the collections of information should be sent to
the Office of Management and Budget, Paperwork Reduction Project
(1557--to be assigned), Washington, DC 20503, with copies to Jessie
Dunaway, Legislative and Regulatory Activities Division (1557--to be
assigned), Office of the Comptroller of the Currency, 250 E Street, SW,
Washington, DC 20219. The likely respondents are national banks that do
not wish to be considered consumer reporting agencies, but want to
share information (other than transaction or experience information)
with their affiliates.
Estimated number of bank respondents: 737.
Estimated average annual burden hours per bank respondent: 8 hours.
Estimated number of consumer respondents: 94,238,000.
Estimated average annual burden hours per consumer respondent: 5
minutes.
Estimated total annual reporting burden: 7,855,921 hours.
The number of consumer respondents provided by the OCC represents a
conservative estimate based upon the total number of consumers who will
receive an opt out notice. The OCC is using these conservative
estimates because it lacks more precise data on the number of consumers
who will exercise their opt out rights. The OCC expects that the actual
number of consumer respondents will be lower than the estimate provided
above, and invites comment on the number of
[[Page 63126]]
consumers who will respond to the FCRA opt out notices.
Board: In accordance with the Paperwork Reduction Act of 1995 (44
U.S.C. 3506; 5 CFR 1320, appendix A.1), the Board reviewed the notice
of proposed rulemaking under the authority delegated to the Board by
the OMB. Comments on the collections of information should be sent to
Mary M. West, Federal Reserve Board Clearance Officer, Mail Stop 97,
Board of Governors of the Federal Reserve System, Washington, DC 20551,
with a copy to the Office of Management and Budget, Paperwork Reduction
Project (7100--to be assigned), Washington, DC 20503. The likely
respondents are member banks of the Federal Reserve System (other than
national banks), branches and agencies of foreign banks (other than
Federal branches, Federal agencies, and insured State branches of
foreign banks), commercial lending companies owned or controlled by
foreign banks, and organizations operating under section 25 or 25A of
the Federal Reserve Act, that do want to share information (other than
transaction or experience information) with their affiliates.
Estimated number of bank respondents: 996.
Estimated average annual burden hours per bank respondent: 8 hours.
Estimated number of consumer respondents: 39,251,000.
Estimated average annual burden hours per consumer respondent: five
minutes.
Estimated total annual reporting burden: 3,278,885 hours.
FDIC: Comments on the collections of information should be sent to
Steven F. Hanft, Office of the Executive Secretary, Federal Deposit
Insurance Corporation, 550 17th Street, NW., Washington, DC 20429, with
a copy to the Office of Management and Budget, Paperwork Reduction
Project (3064--to be assigned), Washington, DC 20503. The likely
respondents are insured nonmember banks with affiliates, that do not
wish to be considered consumer reporting agencies, and do want to share
information (other than transaction or experience information) with
their affiliates.
Estimated number of bank respondents: 1,640.
Estimated average annual burden hours per bank respondent: 8 hours.
Estimated number of consumer respondents: 24,445,000.
Estimated average annual burden hours per consumer respondent: five
minutes.
Estimated total annual reporting burden: 2,049,389 hours.
OTS: Comments on the collection of information should be sent to
the Dissemination Branch (1550--to be assigned), Office of Thrift
Supervision, 1700 G Street, NW, Washington, DC 20552, with a copy to
the Office of Management and Budget, Paperwork Reduction Project
(1550--to be assigned), Washington, DC 20503. The likely respondents
are savings associations with affiliates that do not wish to be
considered consumer reporting agencies, and do want to share
information (other than transaction or experience information) with
their affiliates, and consumers.
Estimated number of thrift respondents: 762.
Estimated average annual burden hours per thrift respondent: 8
hours.
Estimated number of consumer respondents: 49,925,225.
Estimated average annual burden hours per consumer respondent:
.0833 hours (5 minutes).
Estimated total annual reporting burden: 4,164,867 hours.
Regulatory Flexibility Act
OCC: Pursuant to section 605(b) of the Regulatory Flexibility Act
(5 U.S.C. 601 et seq.), the OCC certifies that this proposal will not
have a significant economic impact on a substantial number of small
entities. Financial institutions have had to notify their consumers of
the right to opt out of affiliate sharing of certain information since
1997. This rulemaking provides guidance to national banks concerning
how they may comply with the statutory requirements, but requires no
new type of disclosure or opt out system. While existing forms may need
to be modified, these modifications are unlikely to result in a
significant economic impact on a substantial number of small entities.
In addition, some of the requirements in the proposed rule have
been designed to correspond to the requirements of the privacy
regulations. For example, under both regulations, financial
institutions, in certain circumstances, must deliver notices to
consumers and to provide consumers an opportunity to opt out of certain
information disclosures. This proposed rule would allow financial
institutions to combine into one notice the notice they must deliver
under FCRA and the notice that they must deliver under the privacy
regulations. Also, institutions may combine their consumers' opt out
responses into one opt out response. By combining the notices they
deliver and the opt out responses they process, financial institutions
will not need to produce additional notices or to process additional
opt out responses under this rule. Because the proposed rule is
designed to minimize FCRA's burden on financial institutions, and
because the FCRA requirements have been effective since 1997, the OCC
believes that this proposed rule will not have a significant economic
impact on a substantial number of small entities. For these reasons, a
regulatory flexibility analysis is not required.
Board: Pursuant to section 605(b) of the Regulatory Flexibility Act
(5 U.S.C. 601 et seq.), the Board certifies that the proposed rule will
not have a significant economic impact on a substantial number of small
entities. As further discussed below, the proposed rule implements law
that has been in effect for some time, corresponds as much as feasible
to the requirements of the Board's Regulation P, would allow
institutions to combine privacy and FCRA notices to consumers, and
would allow institutions to combine consumers' responses to those
notices. Accordingly, a regulatory flexibility analysis is not
required.
Since 1997, the FCRA has provided that the term ``consumer report''
does not include any communication of other information (meaning
information that is not transaction or experience information) among
persons related by common ownership or affiliated by corporate control,
if it is clearly and conspicuously disclosed to the consumer that the
information may be communicated among such persons and the consumer is
given the opportunity, before the time that the information is
initially communicated, to direct that such information not be
communicated among such persons. The proposed regulations would
implement this provision and would provide guidance to certain Board-
regulated institutions on how to comply, but would not substantively
change existing law. No new type of disclosure or opt-out system would
be required. While existing forms may need to be modified, these
modifications are unlikely to result in a significant economic impact
on a substantial number of small entities.
Additionally, the proposed rule is designed to correspond as much
as feasible to the requirements of Regulation P, which governs the
privacy of consumer financial information. Both regulations implement
statutory provisions for the delivery of information-sharing opt out
notices to consumers. The proposed rule would facilitate compliance by
financial institutions with the requirement to provide privacy notices
and the use of opt out notices under the FCRA by allowing the two
notices to be combined
[[Page 63127]]
in a single notice. Similarly, institutions would be allowed to combine
their consumers' opt out responses in a single opt out response. By
choosing to combine the notices they deliver and the opt out responses
they process, financial institutions will not need to produce
additional notices or to process additional opt out responses under
this rule. For these reasons, a regulatory flexibility analysis is not
required.
FDIC: Pursuant to section 605(b) of the Regulatory Flexibility Act
(5 U.S.C. 601 et seq.), the FDIC certifies that the proposed rule will
not have a significant economic impact on a substantial number of small
entities. This conclusion is based on the following facts. The FCRA has
required financial institutions to notify their consumers of the right
to opt out of affiliate sharing of certain information since 1997.
However, prior to the GLBA, the Agencies had no authority to issue
rules to provide financial institutions with guidance to comply with
the FCRA requirements. This proposed rulemaking does not substantively
change the existing statutory requirements, but rather provides
guidance to financial institutions that should minimize any burden
associated with complying with the subject FCRA information sharing
provisions. This proposal requires no new type of disclosure or opt out
system. While existing forms may need to be modified, these
modifications are unlikely to result in a significant economic impact
on a substantial number of small entities. The Agencies have attempted
to minimize any such economic impact by including a sample notice, part
or all of which may be used to facilitate compliance with the notice
requirements.
Further, this proposed rule is designed to be consistent with the
requirements of the regulation governing the privacy of consumer
financial information. Both rules implement statutory requirements for
financial institutions, in certain circumstances, to deliver notices to
consumers and to provide consumers an opportunity to opt out of certain
information disclosures. The Agencies have made the FCRA notice
guidance parallel to the privacy rule requirements, thus facilitating
the delivery of a single notice to consumers. Similarly, institutions
may combine their consumers' opt out responses into one opt out
response. By combining the notices they deliver and the opt out
responses they process, financial institutions will not need to produce
additional notices or to process additional opt out responses under
this rule.
For the above reasons, the FDIC believes that this proposed rule
will not have a significant economic impact on a substantial number of
small entities, and a regulatory flexibility analysis is not required.
OTS: Pursuant to section 605(b) of the Regulatory Flexibility Act
(5 U.S.C. 601 et seq.), the Director of OTS certifies that this
proposed rulemaking would not have a significant economic impact on a
substantial number of small entities. The FCRA has required thrifts to
notify their consumers of the right to opt out of affiliate sharing of
certain information since 1997. However, prior to GLBA, OTS did not
have authority to issue rules to provide thrifts with guidance to
comply with the FCRA. This proposed rulemaking does not substantively
change or add to the existing statutory requirements. It merely
provides thrifts with guidance to help minimize any burden associated
with complying with the FCRA information sharing provisions. This
proposal requires no new type of disclosure or opt out system. While
existing forms may need to be modified, these modifications are
unlikely to result in a significant economic impact on a substantial
number of small entities. The Agencies have attempted to minimize any
such economic impact by including a sample notice, part or all of which
thrifts may use to facilitate the notice requirements.
Further, this proposed rule is designed to be consistent with the
requirements of the regulation governing the privacy of consumer
financial information, 12 CFR part 573. Both rules implement statutory
requirements for financial institutions, in certain circumstances, to
deliver notices to consumers and to provide consumers an opportunity to
opt out of certain information disclosures. The Agencies have made the
FCRA notice guidance parallel to the privacy rule requirements, thus
facilitating the delivery of a single notice to consumers. Similarly,
institutions may combine a consumer's opt out responses into one opt
out response. By combining the notices they deliver and the opt out
responses they process, financial institutions will not need to produce
additional notices or to process additional opt out responses under
this rule. For these reasons, a regulatory flexibility analysis is not
required.
OCC and OTS Executive Order 12866 Determination
The OCC and OTS each has determined that its portion of the
proposed rulemaking is not a significant regulatory action under
Executive Order 12866.
OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C.
1532 (Unfunded Mandates Act) requires that an agency prepare a
budgetary impact statement before promulgating a rule that includes a
Federal mandate that may result in expenditure by State, local, and
tribal governments, in the aggregate, or by the private sector, of $100
million or more in any one year. If a budgetary impact statement is
required, section 205 of the Unfunded Mandates Act also requires an
agency to identify and consider a reasonable number of regulatory
alternatives before promulgating a rule. The OCC and OTS each has
determined that this proposed rule will not result in expenditures by
State, local, and tribal governments, or by the private sector, of $100
million or more. Accordingly, neither the OCC nor the OTS has prepared
a budgetary impact statement or specifically addressed the regulatory
alternatives considered.
V. Solicitation of Comments on Use of Plain Language
Section 722 of the GLBA requires the Federal banking agencies to
use plain language in all proposed and final rules published after
January 1, 2000. We invite your comments on how to make this proposed
rule easier to understand. For example:
Have we organized the material to suit your needs? If not,
how could this material be better organized?
Are the requirements in the rule clearly stated? If not,
how could the rule be more clearly stated?
Do the regulations contain technical language or jargon
that is not clear? If so, which language requires clarification?
Would a different format (grouping and order of sections,
use of headings, paragraphing) make the regulation easier to
understand? If so, what changes to the format would make the regulation
easier to understand?
Would more, but shorter, sections be better? If so, which
sections should be changed?
What else could we do to make the regulation easier to
understand?
The Agencies solicit comment on whether the inclusion of examples
in the regulation is appropriate. Elevating the fact patterns to safe
harbors in the rule may generate certain problems over time. For
example, changes in technology or practices may ultimately
[[Page 63128]]
impact the fact patterns contained in the examples and require changes
to the regulation. Are there alternative methods to offer illustrative
guidance of the concepts portrayed by the examples?
List of Subjects
12 CFR Part 41
Banks, banking, Credit, National banks, Reporting and recordkeeping
requirements.
12 CFR Part 222
Banks, banking, Credit, Federal Reserve System, Reporting and
recordkeeping requirements, State member banks.
12 CFR Part 334
Banks, banking, Credit, Reporting and recordkeeping requirements.
12 CFR Part 571
Credit, Privacy, Reporting and recordkeeping requirements, Savings
associations.
Office of the Comptroller of the Currency
12 CFR Chapter I
Authority and Issuance
For the reasons set forth in the joint preamble, the OCC proposes
to amend chapter I of title 12 of the Code of Federal Regulations by
adding a new part 41 to read as follows:
PART 41--FAIR CREDIT REPORTING
Sec.
41.1 Purpose and scope.
41.2 Examples.
41.3 Definitions.
41.4 Communication of opt out information to affiliates.
41.5 Contents of opt out notice.
41.6 Reasonable opportunity to opt out.
41.7 Reasonable means of opting out.
41.8 Delivery of opt out notices.
41.9 Revised opt out notice.
41.10 Time by which opt out must be honored.
41.11 Duration of opt out.
41.12 Prohibition against discrimination.
Appendix A to Part 41--Sample Notice
Authority: 12 U.S.C. 93a; 15 U.S.C. 1681s.
Sec. 41.1 Purpose and scope.
(a) Purpose. This part governs the collection, communication, and
use, by the institutions listed in paragraph (b)(2) of this section, of
certain information bearing on a consumer's credit worthiness, credit
standing, credit capacity, character, general reputation, personal
characteristics, or mode of living.
(b) Scope. (1) Information covered. This part applies to
information that is used or expected to be used or collected in whole
or in part for the purpose of serving as a factor in establishing a
consumer's eligibility for credit, insurance, employment, or any other
purpose authorized under section 604 of the Fair Credit Reporting Act
(15 U.S.C. 1681b).
(2) Institutions covered. This part applies to national banks, and
Federal branches and Federal agencies of foreign banks (collectively
referred to as ``bank'').
(3) Relation to other laws. Nothing in this part modifies, limits,
or supersedes the standards governing the privacy of individually
identifiable health information promulgated by the Secretary of Health
and Human Services under the authority of sections 262 and 264 of the
Health Insurance Portability and Accountability Act of 1996 (42 U.S.C.
1320d-1320d-8).
Sec. 41.2 Examples.
The examples used in this part and the sample notice in appendix A
to this part are not exclusive. Compliance with an example or use of
the sample notice, to the extent applicable, constitutes compliance
with this part.
Sec. 41.3 Definitions.
As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.).
(b) Affiliate. (1) In general. The term means any company that is
related or affiliated by common ownership, or affiliated by corporate
control or common corporate control, with another company.
(2) Related or affiliated by common ownership or affiliated by
corporate control or common corporate control. This means controlling,
controlled by, or under common control with, another company.
(c) Clear and conspicuous. (1) In general. The term means that a
notice is reasonably understandable and is designed to call attention
to the nature and significance of the information it contains.
(2) Examples. (i) Reasonably understandable. A bank makes its
notice reasonably understandable if it:
(A) Presents the information in the notice in clear and concise
sentences, paragraphs, and sections;
(B) Uses short explanatory sentences or bullet lists whenever
possible;
(C) Uses definite, concrete, everyday words and active voice
whenever possible;
(D) Avoids multiple negatives;
(E) Avoids legal and highly technical business terminology whenever
possible; and
(F) Avoids explanations that are imprecise and are readily subject
to different interpretations.
(ii) Designed to call attention. A bank designs its notice to call
attention to the nature and significance of the information it contains
if it:
(A) Uses a plain-language heading to call attention to the notice;
(B) Uses a typeface and type size that are easy to read;
(C) Provides wide margins and ample line spacing;
(D) Uses boldface or italics for key words; and
(E) In a form that combines the bank's notice with other
information, uses distinctive type sizes, styles, and graphic devices,
such as shading or sidebars.
(iii) Notice on a web page. If a bank provides a notice on a web
page, the bank designs its notice to call attention to the nature and
significance of the information it contains if the bank:
(A) Places either the notice, or a link that connects directly to
the notice and that is labeled appropriately to convey the importance,
nature, and relevance of the notice, on a page that consumers access
often, such as a page on which transactions are conducted;
(B) Uses text or visual cues to encourage scrolling down the page
if necessary to view the entire notice; and
(C) Ensures that other elements on the web page (such as text,
graphics, links, or sound) do not detract attention from the notice.
(d) Communication includes written, oral, and electronic
communication; provided that the term includes electronic communication
to a consumer only if the consumer agrees to receive the communication
electronically.
(e) Company means any corporation, limited liability company,
business trust, general or limited partnership, association, or similar
organization.
(f) Consumer means an individual.
(g) Consumer report. (1) In general. The term means any written,
oral, or other communication of any information by a consumer reporting
agency bearing on a consumer's credit worthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected to be used
or collected in whole or in part for the purpose of serving as a factor
in establishing the consumer's eligibility for:
(i) Credit or insurance to be used primarily for personal, family,
or household purposes;
(ii) Employment purposes; or
[[Page 63129]]
(iii) Any other purpose authorized under section 604 of the Act (15
U.S.C. 1681b).
(2) Exclusions. The term does not include:
(i) Any report containing information solely as to transactions or
experiences between the consumer and the person making the report;
(ii) Any communication of that information among affiliates;
(iii) Any communication among affiliates of opt out information if
the conditions in Secs. 41.4 through 41.9 are satisfied;
(iv) Any authorization or approval of a specific extension of
credit directly or indirectly by the issuer of a credit card or similar
device;
(v) Any report in which a person who has been requested by a third
party to make a specific extension of credit directly or indirectly to
a consumer conveys his or her decision with respect to such request, if
the third party advises the consumer of the name and address of the
person to whom the request was made, and the person makes the
disclosures to the consumer required under section 615 of the Act (15
U.S.C. 1681m); or
(vi) A communication described in section 603(o) of the Act (15
U.S.C. 1681a(o)).
(h) Consumer reporting agency means any person which, for monetary
fees, dues or on a cooperative nonprofit basis, regularly engages in
whole or in part in the practice of assembling or evaluating consumer
credit information or other information on consumers for the purpose of
furnishing consumer reports to third parties, and which uses any means
or facility of interstate commerce for the purpose of preparing or
furnishing consumer reports.
(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the
outstanding shares of any class of voting security of the company,
directly or indirectly, or acting through one or more other persons;
(2) Control in any manner over the election of a majority of the
directors, trustees, or general partners (or individuals exercising
similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling
influence over the management or policies of the company, as the Office
of the Comptroller of the Currency determines.
(j) Opt out means a direction by a consumer that a bank not
communicate opt out information about the consumer to one or more of
its affiliates.
(k) Opt out information means information that:
(1) Bears on a consumer's credit worthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living;
(2) Is used or expected to be used or collected in whole or in part
to serve as a factor in establishing the consumer's eligibility for
credit or another purpose listed in section 604 of the Act (15 U.S.C.
1681b); and
(3) Is not a report containing information solely as to
transactions or experiences between the consumer and the person
reporting or communicating the information.
(l) Person means any individual, partnership, corporation, trust,
estate, cooperative, association, government or governmental
subdivision or agency, or other entity.
Sec. 41.4 Communication of opt out information to affiliates.
A bank's communication to its affiliates of opt out information
about a consumer is not a consumer report if:
(a) The bank has provided the consumer with an opt out notice;
(b) The bank has given the consumer a reasonable opportunity and
means, before the bank communicates the information to its affiliates,
to opt out; and
(c) The consumer has not opted out.
Sec. 41.5 Contents of opt out notice.
(a) In general. An opt out notice must be clear and conspicuous,
and must accurately explain:
(1) The categories of opt out information about the consumer that a
bank communicates to its affiliates;
(2) The categories of affiliates to which the bank communicates the
information;
(3) The consumer's ability to opt out; and
(4) A reasonable means for the consumer to opt out.
(b) Future communications. A bank's notice may describe:
(1) Categories of opt out information about the consumer that the
bank reserves the right to communicate to its affiliates in the future
but does not currently communicate; and
(2) Categories of affiliates to which the bank reserves the right
in the future to communicate, but to which the bank does not currently
communicate, opt out information about the consumer.
(c) Partial opt out. A bank may allow a consumer to select certain
opt out information or certain affiliates, with respect to which the
consumer wishes to opt out.
(d) Examples of categories of information that a bank communicates.
(1) A bank satisfies the requirement to categorize the opt out
information that it communicates if the bank lists the categories in
paragraph (d)(2) of this section, as applicable, and a few examples to
illustrate the types of information in each category. These examples
may include those in paragraph (d)(3) of this section, if applicable.
(2) Categories of opt out information may include information:
(i) From a consumer's application;
(ii) From a consumer credit report;
(iii) Obtained by verifying representations made by a consumer; or
(iv) Provided by another person regarding its employment, credit,
or other relationship with a consumer.
(3) Examples of information within a category listed in paragraph
(d)(2) of this section include a consumer's:
(i) Income;
(ii) Credit score or credit history with others;
(iii) Open lines of credit with others;
(iv) Employment history with others;
(v) Marital status; and
(vi) Medical history.
(4) A bank does not satisfy the requirement if it communicates or
reserves the right to communicate individually identifiable health
information (as described in section 1171(6)(B) of the Social Security
Act (42 U.S.C. 1320d(6)(B)) but omits illustrative examples of this
information.
(e) Examples of categories of affiliates. (1) A bank satisfies the
requirement to categorize the affiliates to which it communicates opt
out information if it lists the categories in paragraph (e)(2) of this
section, as applicable, and a few examples to illustrate the types of
affiliates in each category.
(2) Categories of affiliates may include:
(i) Financial service providers; and
(ii) Non-financial companies.
(f) Sample notice. A sample notice is included in appendix A to
this part.
Sec. 41.6 Reasonable opportunity to opt out.
(a) In general. A bank provides a reasonable opportunity to opt out
if it provides a reasonable period of time following the delivery of
the opt out notice for the consumer to opt out.
(b) Examples of reasonable period of time: (1) In person. A bank
hand-delivers an opt out notice to the consumer and provides at least
30 days from the date it delivered the notice.
(2) By mail. A bank mails an opt out notice to a consumer and
provides at least 30 days from the date it mailed the notice.
(3) By electronic means. A bank notifies the consumer
electronically,
[[Page 63130]]
and it provides at least 30 days after the date that the consumer
acknowledges receipt of the electronic notice.
(c) Continuing opportunity to opt out. A consumer may opt out at
any time.
Sec. 41.7 Reasonable means of opting out.
(a) General rule. A bank provides a consumer with a reasonable
means of opting out if it provides a reasonably convenient method to
opt out.
(b) Reasonably convenient methods. Examples of reasonably
convenient methods include:
(1) Designating check-off boxes in a prominent position on the
relevant forms included with the opt out notice;
(2) Including a reply form together with the opt out notice;
(3) Providing an electronic means to opt out, such as a form that
can be electronically mailed or a process at the bank's web site, if
the consumer agrees to the electronic delivery of information; or
(4) Providing a toll-free telephone number that consumers may call
to opt out.
(c) Methods not reasonably convenient. Examples of methods that are
not reasonably convenient include:
(1) Requiring a consumer to write his or her own letter to a bank;
or
(2) Referring in a revised notice to a check-off box that a bank
included with a previous notice but that the bank does not include with
the revised notice.
(d) Requiring specific means of opting out. A bank may require each
consumer to opt out through a specific means, as long as that means is
reasonable for that consumer.
Sec. 41.8 Delivery of opt out notices.
(a) In general. A bank must deliver an opt out notice so that each
consumer can reasonably be expected to receive actual notice in writing
or, if the consumer agrees, electronically.
(b) Examples of expectation of actual notice. (1) A bank may
reasonably expect that a consumer will receive actual notice if it:
(i) Hand-delivers a printed copy of the notice to the consumer;
(ii) Mails a printed copy of the notice to the last known mailing
address of the consumer; or
(iii) For the consumer who conducts transactions electronically,
posts the notice on its electronic site and requires the consumer to
acknowledge receipt of the notice as a necessary step to obtaining a
particular product or service;
(2) A bank may not reasonably expect that a consumer will receive
actual notice if it:
(i) Only posts a sign in its branch or office or generally
publishes advertisements presenting its notice; or (ii) Sends the
notice via electronic mail to a consumer who does not obtain a product
or service from the bank electronically.
(c) Oral description insufficient. A bank may not provide an opt
out notice solely by orally explaining the notice, either in person or
over the telephone.
(d) Retention or accessibility. (1) In general. A bank must provide
an opt out notice so that it can be retained or obtained at a later
time by the consumer in writing or, if the consumer agrees,
electronically.
(2) Examples of retention or accessibility. A bank provides the
notice so that it can be retained or obtained at a later time if the
bank:
(i) Hand-delivers a printed copy of the notice to the consumer;
(ii) Mails a printed copy of the notice to the last known address
of the consumer upon request of the consumer; or
(iii) Makes the bank's current notice available on a web site (or a
link to another web site) for the consumer who obtains a product or
service electronically and who agrees to receive the notice at the web
site.
(e) Joint notice with affiliates. A bank may provide a joint notice
with one or more affiliates as long as the notice identifies each
person providing it and is accurate with respect to each.
(f) Joint relationships. (1) In general. Notwithstanding any other
provision in this part, if two or more consumers jointly obtain a
product or service from a bank (joint consumers), the following rules
apply:
(i) The bank may provide a single notice to all of the joint
consumers.
(ii) Any of the joint consumers has the opportunity to opt out.
(iii) The bank may treat an opt out direction by a joint consumer
either as:
(A) Applying to all of the joint consumers; or
(B) Applying to that particular joint consumer.
(iv) The bank must explain in its opt out notice which of the two
policies set forth in paragraph (f)(1)(iii) of this section it will
follow.
(v) If the bank follows the policy set forth in paragraph
(f)(1)(iii)(B) of this section, by treating the opt out of a joint
consumer as applying to that particular joint consumer, the bank must
also permit:
(A) A joint consumer to opt out on behalf of other joint consumers;
and
(B) One or more joint consumers to notify the bank of their opt out
directions in a single response.
(vi) A bank may not require all joint consumers to opt out before
it implements any opt out direction.
(vii) If a bank receives an opt out by a particular joint consumer
that does not apply to the others, the bank may disclose information
about the others as long as no information is disclosed about the
consumer who opted out.
(2) Example. If consumers A and B, who have different addresses,
have a joint checking account with a bank and arrange for the bank to
send statements to A's address, the bank may do any of the following,
but it must explain in its opt out notice which opt out policy the bank
will follow. The bank may send a single opt out notice to A's address
and:
(i) Treat an opt out direction by A as applying to the entire
account. If the bank does so and A opts out, the bank may not require B
to opt out as well before implementing A's opt out direction.
(ii) Treat A's opt out direction as applying to A only. If the bank
does so, it must also permit:
(A) A and B to opt out for each other; and
(B) A and B to notify the bank of their opt out directions in a
single response (such as on a single form) if they choose to give
separate opt out directions.
(iii) If A opts out only for A, and B does not opt out, the bank
may disclose opt out information only about B, and not about A and B
jointly.
Sec. 41.9 Revised opt out notice.
If a bank has provided a consumer with one or more opt out notices
and plans to communicate opt out information to its affiliates about
the consumer other than as described in those notices, the bank must
provide the consumer with a revised opt out notice that complies with
Secs. 41.4 through 41.8.
Sec. 41.10 Time by which opt out must be honored.
If a bank provides a consumer with an opt out notice and the
consumer opts out, the bank must comply with the opt out as soon as
reasonably practicable after the bank receives it.
Sec. 41.11 Duration of opt out.
An opt out remains effective until revoked by the consumer in
writing or electronically, as long as the consumer continues to have a
relationship with the bank. If the consumer's relationship with the
bank terminates, the opt out will continue to apply to this
information. However, a new notice and opportunity to opt out must be
provided if the consumer establishes a new relationship with the bank.
Sec. 41.12 Prohibition against discrimination.
(a) In general. If a consumer is an applicant for credit, a bank
must not discriminate against the consumer if the
[[Page 63131]]
consumer opts out of the bank's communication of opt out information to
it affiliates.
(b) Examples of discrimination against an applicant. A bank
discriminates against an applicant if it:
(1) Denies the applicant credit because the applicant opts out;
(2) Varies the terms of credit adversely to the applicant such as
by providing less favorable pricing terms to an applicant who opts out;
or
(3) Applies more stringent credit underwriting standards to the
applicant because the applicant opts out.
(c) Regulation B. The terms ``applicant'' and ``discriminate
against'' in Sec. 41.12 have the same meanings ascribed to them in 12
CFR part 202.
Appendix A to Part 41--Sample Notice
This appendix contains a sample notice to facilitate compliance
with the notice requirements of this part. An institution may use
applicable disclosures in this sample to provide notices required by
this part.
Notice of Your Opportunity To Opt Out of Information Sharing With
Companies in Our Corporate Family
Information We Can Share With Our Corporate Family About You--
Unless You Tell Us Not to
What Information: Unless you tell us not to, [Financial
Institution] may share with companies in our corporate family
information about you including:
Information we obtain from your application, such as
[provide illustrative examples, such as ``your income'' or ``your
marital status''];
Information we obtain from a consumer report, such as
[provide illustrative examples, such as ``your credit score or
credit history''];
Information we obtain to verify representations made by
you, such as [provide illustrative examples, such as ``your open
lines of credit'']; and
Information we obtain from a person regarding its
employment, credit, or other relationship with you, such as [provide
illustrative examples, such as ``your employment history''].
Shared With Whom: Companies in our corporate family who may
receive this information are:
Financial service providers, such as [provide
illustrative examples, such as ``mortgage bankers, broker-dealers,
and insurance agents'']; and
Non-financial companies, such as [provide illustrative
examples, such as ``retailers, direct marketers, airlines, and
publishers''].
How To Tell Us Not To Share This Information With Our Corporate
Family
If you prefer that we not share this information with companies
in our corporate family, you may direct us not to share this
information by doing the following [insert one or more of the
reasonable means of opting out listed below \1\]: [call us toll free
at {insert toll free number}]; or [visit our web site at {insert web
site address} and {provide further instructions how to use the web
site option}]; or [e-mail us at {insert the e-mail address}]; or
[fill out and tear off the bottom of this sheet and mail to the
following address: {insert address}]; or [check the appropriate box
on the attached form {attach form} and mail to the following
address: {insert address}].
---------------------------------------------------------------------------
\1\ If the financial institution is using its web site or an e-
mail address as the only method by which a consumer may opt out, the
consumer must agree to the electronic delivery of information.
Note: Your direction in this paragraph covers certain
information about you that we might otherwise share with our
corporate family. We may share other information about you with our
---------------------------------------------------------------------------
corporate family as permitted by law.
Dated: September 22, 2000.
John D. Hawke, Jr.,
Comptroller of the Currency.
Federal Reserve System
12 CFR Chapter II
Authority and Issuance
For the reasons set forth in the joint preamble, chapter II of
title 12 of the Code of Federal Regulations is proposed to be amended
by adding a new part 222 to read as follows:
PART 222 FAIR CREDIT REPORTING (REGULATION V)
Sec.
222.1 Purpose and scope.
222.2 Examples.
222.3 Definitions.
222.4 Communication of opt out information to affiliates.
222.5 Contents of opt out notice.
222.6 Reasonable opportunity to opt out.
222.7 Reasonable means of opting out.
222.8 Delivery of opt out notices.
222.9 Revised opt out notice.
222.10 Time by which opt out must be honored.
222.11 Duration of opt out.
222.12 Prohibition against discrimination.
Appendix A to Part 222--Sample Notice
Authority: 15 U.S.C. 1681s.
Sec. 222.1 Purpose and scope.
(a) Purpose. This part governs the collection, communication, and
use, by the institutions listed in paragraph (b)(2) of this section, of
certain information bearing on a consumer's credit worthiness, credit
standing, credit capacity, character, general reputation, personal
characteristics, or mode of living.
(b) Scope. (1) Information covered. This part applies to
information that is used or expected to be used or collected in whole
or in part for the purpose of serving as a factor in establishing a
consumer's eligibility for credit, insurance, employment, or any other
purpose authorized under section 604 of the Fair Credit Reporting Act
(15 U.S.C. 1681b).
(2) Institutions covered. This part applies to member banks of the
Federal Reserve System (other than national banks), branches and
agencies of foreign banks (other than Federal branches, Federal
agencies, and insured State branches of foreign banks), commercial
lending companies owned or controlled by foreign banks, and
organizations operating under section 25 or 25A of the Federal Reserve
Act (12 U.S.C. 601-604a, 611-631).
(3) Relation to other laws. Nothing in this part modifies, limits,
or supersedes the standards governing the privacy of individually
identifiable health information promulgated by the Secretary of Health
and Human Services under the authority of sections 262 and 264 of the
Health Insurance Portability and Accountability Act of 1996 (42 U.S.C.
1320d-1320d-8).
Sec. 222.2 Examples.
The examples used in this part and the sample notice in appendix A
to this part are not exclusive. Compliance with an example or use of
the sample notice, to the extent applicable, constitutes compliance
with this part.
Sec. 222.3 Definitions.
As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.).
(b) Affiliate. (1) In general. The term means any company that is
related or affiliated by common ownership, or affiliated by corporate
control or common corporate control, with another company.
(2) Related or affiliated by common ownership or affiliated by
corporate control or common corporate control. This means controlling,
controlled by, or under common control with, another company.
(c) Clear and conspicuous. (1) In general. The term means that a
notice is reasonably understandable and is designed to call attention
to the nature and significance of the information it contains.
(2) Examples. (i) Reasonably understandable. You make your notice
reasonably understandable if you:
(A) Present the information in the notice in clear and concise
sentences, paragraphs, and sections;
(B) Use short explanatory sentences or bullet lists whenever
possible;
[[Page 63132]]
(C) Use definite, concrete, everyday words and active voice
whenever possible;
(D) Avoid multiple negatives;
(E) Avoid legal and highly technical business terminology whenever
possible; and
(F) Avoid explanations that are imprecise and are readily subject
to different interpretations.
(ii) Designed to call attention. You design your notice to call
attention to the nature and significance of the information it contains
if you:
(A) Use a plain-language heading to call attention to the notice;
(B) Use a typeface and type size that are easy to read;
(C) Provide wide margins and ample line spacing;
(D) Use boldface or italics for key words; and
(E) In a form that combines your notice with other information, use
distinctive type sizes, styles, and graphic devices, such as shading or
sidebars.
(iii) Notice on a web page. If you provide a notice on a web page,
you design your notice to call attention to the nature and significance
of the information it contains if you:
(A) Place either the notice, or a link that connects directly to
the notice and that is labeled appropriately to convey the importance,
nature, and relevance of the notice, on a page that consumers access
often, such as a page on which transactions are conducted;
(B) Use text or visual cues to encourage scrolling down the page if
necessary to view the entire notice; and
(C) Ensure that other elements on the web page (such as text,
graphics, links, or sound) do not detract attention from the notice.
(d) Communication includes written, oral, and electronic
communication; provided that the term includes electronic communication
to a consumer only if the consumer agrees to receive the communication
electronically.
(e) Company means any corporation, limited liability company,
business trust, general or limited partnership, association, or similar
organization.
(f) Consumer means an individual.
(g) Consumer report. (1) In general. The term means any written,
oral, or other communication of any information by a consumer reporting
agency bearing on a consumer's credit worthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected to be used
or collected in whole or in part for the purpose of serving as a factor
in establishing the consumer's eligibility for:
(i) Credit or insurance to be used primarily for personal, family,
or household purposes;
(ii) Employment purposes; or
(iii) Any other purpose authorized under section 604 of the Act (15
U.S.C. 1681b).
(2) Exclusions. The term does not include:
(i) Any report containing information solely as to transactions or
experiences between the consumer and the person making the report;
(ii) Any communication of that information among affiliates;
(iii) Any communication among affiliates of opt out information if
the conditions in Secs. 222.4 through 222.9 are satisfied;
(iv) Any authorization or approval of a specific extension of
credit directly or indirectly by the issuer of a credit card or similar
device;
(v) Any report in which a person who has been requested by a third
party to make a specific extension of credit directly or indirectly to
a consumer conveys his or her decision with respect to such request, if
the third party advises the consumer of the name and address of the
person to whom the request was made, and the person makes the
disclosures to the consumer required under section 615 of the Act (15
U.S.C. 1681m); or
(vi) A communication described in section 603(o) of the Act (15
U.S.C. 1681a(o)).
(h) Consumer reporting agency means any person which, for monetary
fees, dues or on a cooperative nonprofit basis, regularly engages in
whole or in part in the practice of assembling or evaluating consumer
credit information or other information on consumers for the purpose of
furnishing consumer reports to third parties, and which uses any means
or facility of interstate commerce for the purpose of preparing or
furnishing consumer reports.
(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the
outstanding shares of any class of voting security of the company,
directly or indirectly, or acting through one or more other persons;
(2) Control in any manner over the election of a majority of the
directors, trustees, or general partners (or individuals exercising
similar functions) of the company;
(3) The power to exercise, directly or indirectly, a controlling
influence over the management or policies of the company, as the Board
determines.
(j) Opt out means a direction by a consumer that you not
communicate opt out information about the consumer to one or more of
your affiliates.
(k) Opt out information means information that:
(1) Bears on a consumer's credit worthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living;
(2) Is used or expected to be used or collected in whole or in part
to serve as a factor in establishing the consumer's eligibility for
credit or another purpose listed in section 604 of the Act (15 U.S.C.
1681b); and
(3) Is not a report containing information solely as to
transactions or experiences between the consumer and the person
reporting or communicating the information.
(1) Person means any individual, partnership, corporation, trust,
estate, cooperative, association, government or governmental
subdivision or agency, or other entity.
(m) You means a member bank of the Federal Reserve System (other
than a national bank), a branch or agency of a foreign bank (other than
a Federal branch, Federal agency, or insured State branch of a foreign
bank), a commercial lending company owned or controlled by a foreign
bank, or an organization operating under section 25 or 25A of the
Federal Reserve Act (12 U.S.C. 601-604a, 611-631).
Sec. 222.4 Communication of opt out information to affiliates.
Your communication to your affiliates of opt out information about
a consumer is not a consumer report if:
(a) You have provided the consumer with an opt out notice;
(b) You have given the consumer a reasonable opportunity and means,
before you communicate the information to your affiliates, to opt out;
and
(c) The consumer has not opted out.
Sec. 222.5 Contents of opt out notice.
(a) In general. An opt out notice must be clear and conspicuous,
and must accurately explain:
(1) The categories of opt out information about the consumer that
you communicate to your affiliates;
(2) The categories of affiliates to which you communicate the
information;
(3) The consumer's ability to opt out; and
(4) A reasonable means for the consumer to opt out.
(b) Future communications. Your notice may describe:
(1) Categories of opt out information about the consumer that you
reserve the
[[Page 63133]]
right to communicate to your affiliates in the future but do not
currently communicate; and
(2) Categories of affiliates to which you reserve the right in the
future to communicate, but to which you do not currently communicate,
opt out information about the consumer.
(c) Partial opt out. You may allow a consumer to select certain opt
out information or certain affiliates, with respect to which the
consumer wishes to opt out.
(d) Examples of categories of information that you communicate. (1)
You satisfy the requirement to categorize the opt out information that
you communicate if you list the categories in paragraph (d)(2) of this
section, as applicable, and a few examples to illustrate the types of
information in each category. These examples may include those in
paragraph (d)(3) of this section, if applicable.
(2) Categories of opt out information may include information:
(i) From a consumer's application;
(ii) From a consumer credit report;
(iii) Obtained by verifying representations made by a consumer; or
(iv) Provided by another person regarding its employment, credit,
or other relationship with a consumer.
(3) Examples of information within a category listed in paragraph
(d)(2) of this section include a consumer's:
(i) Income;
(ii) Credit score or credit history with others;
(iii) Open lines of credit with others;
(iv) Employment history with others;
(v) Marital status; and
(vi) Medical history.
(4) You do not satisfy the requirement if you communicate or
reserve the right to communicate individually identifiable health
information (as described in section 1171(6)(B) of the Social Security
Act (42 U.S.C. 1320d(6)(B)) but omit illustrative examples of this
information.
(e) Examples of categories of affiliates. (1) You satisfy the
requirement to categorize the affiliates to which you communicate opt
out information if you list the categories in paragraph (e)(2) of this
section, as applicable, and a few examples to illustrate the types of
affiliates in each category.
(2) Categories of affiliates may include:
(i) Financial service providers; and
(ii) Non-financial companies.
(f) Sample notice. A sample notice is included in appendix A to
this part.
Sec. 222.6 Reasonable opportunity to opt out.
(a) In general. You provide a reasonable opportunity to opt out if
you provide a reasonable period of time following the delivery of the
opt out notice for the consumer to opt out.
(b) Examples of reasonable period of time: (1) In person. You hand-
deliver an opt out notice to the consumer and provide at least 30 days
from the date you delivered the notice.
(2) By mail. You mail an opt out notice to a consumer and provide
at least 30 days from the date you mailed the notice.
(3) By electronic means. You notify the consumer electronically,
and you provide at least 30 days after the date that the consumer
acknowledges receipt of the electronic notice.
(c) Continuing opportunity to opt out. A consumer may opt out at
any time.
Sec. 222.7 Reasonable means of opting out.
(a) General rule. You provide a consumer with a reasonable means of
opting out if you provide a reasonably convenient method to opt out.
(b) Reasonably convenient methods. Examples of reasonably
convenient methods include:
(1) Designating check-off boxes in a prominent position on the
relevant forms included with the opt out notice;
(2) Including a reply form together with the opt out notice;
(3) Providing an electronic means to opt out, such as a form that
can be electronically mailed or a process at your web site, if the
consumer agrees to the electronic delivery of information; or
(4) Providing a toll-free telephone number that consumers may call
to opt out.
(c) Methods not reasonably convenient. Examples of methods that are
not reasonably convenient include:
(1) Requiring a consumer to write his or her own letter to you; or
(2) Referring in a revised notice to a check-off box that you
included with a previous notice but that you do not include with the
revised notice.
(d) Requiring specific means of opting out. You may require each
consumer to opt out through a specific means, as long as that means is
reasonable for that consumer.
Sec. 222.8 Delivery of opt out notices.
(a) In general. You must deliver an opt out notice so that each
consumer can reasonably be expected to receive actual notice in writing
or, if the consumer agrees, electronically.
(b) Examples of expectation of actual notice. (1) You may
reasonably expect that a consumer will receive actual notice if you:
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known mailing
address of the consumer; or
(iii) For the consumer who conducts transactions electronically,
post the notice on your electronic site and require the consumer to
acknowledge receipt of the notice as a necessary step to obtaining a
particular product or service;
(2) You may not reasonably expect that a consumer will receive
actual notice if you:
(i) Only post a sign in your branch or office or generally publish
advertisements presenting your notice; or
(ii) Send the notice via electronic mail to a consumer who does not
obtain a product or service from you electronically.
(c) Oral description insufficient. You may not provide an opt out
notice solely by orally explaining the notice, either in person or over
the telephone.
(d) Retention or accessibility. (1) In general. You must provide an
opt out notice so that it can be retained or obtained at a later time
by the consumer in writing or, if the consumer agrees, electronically.
(2) Examples of retention or accessibility. You provide the notice
so that it can be retained or obtained at a later time if you:
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known address of
the consumer upon request of the consumer; or
(iii) Make your current notice available on a web site (or a link
to another web site) for the consumer who obtains a product or service
electronically and who agrees to receive the notice at the web site.
(e) Joint notice with affiliates. You may provide a joint notice
with one or more affiliates as long as the notice identifies each
person providing it and is accurate with respect to each.
(f) Joint relationships. (1) In general. Notwithstanding any other
provision in this part, if two or more consumers jointly obtain a
product or service from you (joint consumers), the following rules
apply:
(i) You may provide a single notice to all of the joint consumers.
(ii) Any of the joint consumers has the opportunity to opt out.
(iii) You may treat an opt out direction by a joint consumer either
as:
(A) Applying to all of the joint consumers; or
(B) Applying to that particular joint consumer.
(iv) You must explain in your opt out notice which of the two
policies set
[[Page 63134]]
forth in paragraph (f)(1)(iii) of this section you will follow.
(v) If you follow the policy set forth in paragraph (f)(1)(iii)(B)
of this section, by treating the opt out of a joint consumer as
applying to that particular joint consumer, you must also permit:
(A) A joint consumer to opt out on behalf of other joint consumers;
and
(B) One or more joint consumers to notify you of their opt out
directions in a single response.
(vi) You may not require all joint consumers to opt out before you
implement any opt out direction.
(vii) If you receive an opt out by a particular joint consumer that
does not apply to the others, you may disclose information about the
others as long as no information is disclosed about the consumer who
opted out.
(2) Example. If consumers A and B, who have different addresses,
have a joint checking account with you and arrange for you to send
statements to A's address, you may do any of the following, but you
must explain in your opt out notice which opt out policy you will
follow. You may send a single opt out notice to A's address and:
(i) Treat an opt out direction by A as applying to the entire
account. If you do so and A opts out, you may not require B to opt out
as well before implementing A's opt out direction.
(ii) Treat A's opt out direction as applying to A only. If you do
so, you must also permit:
(A) A and B to opt out for each other; and
(B) A and B to notify you of their opt out directions in a single
response (such as on a single form) if they choose to give separate opt
out directions.
(iii) If A opts out only for A, and B does not opt out, you may
disclose opt out information only about B, and not about A and B
jointly.
Sec. 222.9 Revised opt out notice.
If you have provided a consumer with one or more opt out notices
and plan to communicate opt out information to your affiliates about
the consumer other than as described in those notices, you must provide
the consumer with a revised opt out notice that complies with
Secs. 222.4 through 222.8.
Sec. 222.10 Time by which opt out must be honored.
If you provide a consumer with an opt out notice and the consumer
opts out, you must comply with the opt out as soon as reasonably
practicable after you receive it.
Sec. 222.11 Duration of opt out.
An opt out remains effective until revoked by the consumer in
writing or electronically, as long as the consumer continues to have a
relationship with you. If the consumer's relationship with you
terminates, the opt out will continue to apply to this information.
However, a new notice and opportunity to opt out must be provided if
the consumer establishes a new relationship with you.
Sec. 222.12 Prohibition against discrimination.
(a) In general. If a consumer is an applicant for credit, you must
not discriminate against the consumer if the consumer opts out of your
communication of opt out information to your affiliates.
(b) Examples of discrimination against an applicant. You
discriminate against an applicant if you:
(1) Deny the applicant credit because the applicant opts out;
(2) Vary the terms of credit adversely to the applicant such as by
providing less favorable pricing terms to an applicant who opts out; or
(3) Apply more stringent credit underwriting standards to the
applicant because the applicant opts out.
(c) Regulation B. The terms ``applicant'' and ``discriminate
against'' in Sec. 222.12 have the same meanings ascribed to them in 12
CFR part 202.
Appendix A to Part 222--Sample Notice
This appendix contains a sample notice to facilitate compliance
with the notice requirements of this part. An institution may use
applicable disclosures in this sample to provide notices required by
this part.
Notice of Your Opportunity to Opt Out of Information Sharing With
Companies in Our Corporate Family
Information We Can Share With Our Corporate Family About You--
Unless You Tell Us Not To
What Information: Unless you tell us not to, [Financial
Institution] may share with companies in our Corporate family
information about you including:
Information we obtain from your application, such as
[provide illustrative examples, such as ``your income'' or ``your
marital status''];
Information we obtain from a consumer report, such as
[provide illustrative examples, such as ``your credit score or
credit history''];
Information we obtain to verify representations made by
you, such as [provide illustrative examples, such as ``your open
lines of credit'']; and
Information we obtain from a person regarding its
employment, credit, or other relationship with you, such as [provide
illustrative examples, such as ``your employment history''].
Shared With Whom: Companies in our corporate family who may
receive this information are:
Financial service providers, such as [provide
illustrative examples, such as ``mortgage bankers, broker-dealers,
and insurance agents'']; and
Non-financial companies, such as [provide illustrative
examples, such as ``retailers, direct marketers, airlines, and
publishers''].
How To Tell Us Not To Share This Information With Our Corporate
Family
If you prefer that we not share this information with companies
in our corporate family, you may direct us not to share this
information by doing the following [insert one or more of the
reasonable means of opting out listed below \1\]: [call us toll free
at {insert toll free number}]; or [visit our web site at {insert web
site address} and {provide further instructions how to use the web
site option}]; or [e-mail us at {insert the e-mail address}]; or
[fill out and tear off the bottom of this sheet and mail to the
following address: {insert address}]; or [check the appropriate box
on the attached form {attach form} and mail to the following
address: {insert address}].
\1\ If the financial institution is using its web site or an e-
mail address as the only method by which a consumer may opt out, the
consumer must agree to the electronic delivery of information.
Note: Your direction in this paragraph covers certain
information about you that we might otherwise share with our
corporate family. We may share other information about you with our
---------------------------------------------------------------------------
corporate family as permitted by law.
By order of the Board of Governors of the Federal Reserve
System, October 11, 2000.
Jennifer J. Johnson,
Secretary of the Board.
Federal Deposit Insurance Corporation
12 CFR Chapter III
Authority and Issuance
For the reasons set out in the joint preamble, chapter III of title
12 of the Code of Federal Regulations is proposed to be amended by
adding a new part 334 to read as follows:
PART 334--FAIR CREDIT REPORTING
Sec.
334.1 Purpose and scope.
334.2 Examples.
334.3 Definitions.
334.4 Communication of opt out information to affiliates.
334.5 Contents of opt out notice.
334.6 Reasonable opportunity to opt out.
334.7 Reasonable means of opting out.
334.8 Delivery of opt out notices.
334.9 Revised opt out notice.
334.10 Time by which opt out must be honored.
334.11 Duration of opt out.
334.12 Prohibition against discrimination.
Appendix A to Part 222--Sample Notice
Authority: 15 U.S.C. 1681s; 12 U.S.C. 1819(a)(Tenth).
[[Page 63135]]
Sec. 334.1 Purpose and scope.
(a) Purpose. This part governs the collection, communication, and
use, by the institutions listed in paragraph (b)(2) of this section, of
certain information bearing on a consumer's credit worthiness, credit
standing, credit capacity, character, general reputation, personal
characteristics, or mode of living.
(b) Scope. (1) Information covered. This part applies to
information that is used or expected to be used or collected in whole
or in part for the purpose of serving as a factor in establishing a
consumer's eligibility for credit, insurance, employment, or any other
purpose authorized under section 604 of the Fair Credit Reporting Act
(15 U.S.C. 1681b).
(2) Institutions covered. This part applies to banks insured by the
FDIC (other than members of the Federal Reserve System) and insured
state branches of foreign banks.
(3) Relation to other laws. Nothing in this part modifies, limits,
or supersedes the standards governing the privacy of individually
identifiable health information promulgated by the Secretary of Health
and Human Services under the authority of sections 262 and 264 of the
Health Insurance Portability and Accountability Act of 1996 (42 U.S.C.
1320d-1320d-8).
Sec. 334.2 Examples.
The examples used in this part and the sample notice in appendix A
to this part are not exclusive. Compliance with an example or use of
the sample notice, to the extent applicable, constitutes compliance
with this part.
Sec. 334.3 Definitions.
As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.).
(b) Affiliate. (1) In general. The term means any company that is
related or affiliated by common ownership, or affiliated by corporate
control or common corporate control, with another company.
(2) Related or affiliated by common ownership or affiliated by
corporate control or common corporate control. This means controlling,
controlled by, or under common control with, another company.
(c) Clear and conspicuous. (1) In general. The term means that a
notice is reasonably understandable and is designed to call attention
to the nature and significance of the information it contains.
(2) Examples. (i) Reasonably understandable. You make your notice
reasonably understandable if you:
(A) Present the information in the notice in clear and concise
sentences, paragraphs, and sections;
(B) Use short explanatory sentences or bullet lists whenever
possible;
(C) Use definite, concrete, everyday words and active voice
whenever possible;
(D) Avoid multiple negatives;
(E) Avoid legal and highly technical business terminology whenever
possible; and
(F) Avoid explanations that are imprecise and are readily subject
to different interpretations.
(ii) Designed to call attention. You design your notice to call
attention to the nature and significance of the information it contains
if you:
(A) Use a plain-language heading to call attention to the notice;
(B) Use a typeface and type size that are easy to read;
(C) Provide wide margins and ample line spacing;
(D) Use boldface or italics for key words; and
(E) In a form that combines your notice with other information, use
distinctive type sizes, styles, and graphic devices, such as shading or
sidebars.
(iii) Notice on a web page. If you provide a notice on a web page,
you design your notice to call attention to the nature and significance
of the information it contains if:
(A) You place either the notice, or a link that connects directly
to the notice and that is labeled appropriately to convey the
importance, nature, and relevance of the notice, on a page that
consumers access often, such as a page on which transactions are
conducted;
(B) You use text or visual cues to encourage scrolling down the
page if necessary to view the entire notice; and
(C) You ensure that other elements on the web page (such as text,
graphics, links, or sound) do not detract attention from the notice.
(d) Communication includes written, oral, and electronic
communication; provided that the term includes electronic communication
to a consumer only if the consumer agrees to receive the communication
electronically.
(e) Company means any corporation, limited liability company,
business trust, general or limited partnership, association, or similar
organization.
(f) Consumer means an individual.
(g) Consumer report. (1) In general. The term means any written,
oral, or other communication of any information by a consumer reporting
agency bearing on a consumer's credit worthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected to be used
or collected in whole or in part for the purpose of serving as a factor
in establishing the consumer's eligibility for:
(i) Credit or insurance to be used primarily for personal, family,
or household purposes;
(ii) Employment purposes; or
(iii) Any other purpose authorized under section 604 of the Act (15
U.S.C. 1681b).
(2) Exclusions. The term does not include:
(i) Any report containing information solely as to transactions or
experiences between the consumer and the person making the report;
(ii) Any communication of that information among affiliates;
(iii) Any communication among affiliates of opt out information if
the conditions in Secs. 334.4 through 334.9 are satisfied;
(iv) Any authorization or approval of a specific extension of
credit directly or indirectly by the issuer of a credit card or similar
device;
(v) Any report in which a person who has been requested by a third
party to make a specific extension of credit directly or indirectly to
a consumer conveys his or her decision with respect to such request, if
the third party advises the consumer of the name and address of the
person to whom the request was made, and the person makes the
disclosures to the consumer required under section 615 of the Act (15
U.S.C. 1681m); or
(vi) A communication described in section 603(o) of the Act (15
U.S.C. 1681a(o)).
(h) Consumer reporting agency means any person which, for monetary
fees, dues or on a cooperative nonprofit basis, regularly engages in
whole or in part in the practice of assembling or evaluating consumer
credit information or other information on consumers for the purpose of
furnishing consumer reports to third parties, and which uses any means
or facility of interstate commerce for the purpose of preparing or
furnishing consumer reports.
(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the
outstanding shares of any class of voting security of the company,
directly or indirectly, or acting through one or more other persons;
(2) Control in any manner over the election of a majority of the
directors,
[[Page 63136]]
trustees, or general partners (or individuals exercising similar
functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling
influence over the management or policies of the company, as the FDIC
determines.
(j) Opt out means a direction by a consumer that you not
communicate opt out information about the consumer to one or more of
your affiliates.
(k) Opt out information means information that:
(1) Bears on a consumer's credit worthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living;
(2) Is used or expected to be used or collected in whole or in part
to serve as a factor in establishing the consumer's eligibility for
credit or another purpose listed in section 604 of the Act (15 U.S.C.
1681b); and
(3) Is not a report containing information solely as to
transactions or experiences between the consumer and the person
reporting or communicating the information.
(l) Person means any individual, partnership, corporation, trust,
estate, cooperative, association, government or governmental
subdivision or agency, or other entity.
(m) You means banks insured by the FDIC (other than members of the
Federal Reserve System) and insured state branches of foreign banks.
Sec. 334.4 Communication of opt out information to affiliates.
Your communication to your affiliates of opt out information about
a consumer is not a consumer report if:
(a) You have provided the consumer with an opt out notice;
(b) You have given the consumer a reasonable opportunity and means,
before you communicate the information to your affiliates, to opt out;
and
(c) The consumer has not opted out.
Sec. 334.5 Contents of opt out notice.
(a) In general. An opt out notice must be clear and conspicuous,
and must accurately explain:
(1) The categories of opt out information about the consumer that
you communicate to your affiliates;
(2) The categories of affiliates to which you communicate the
information;
(3) The consumer's ability to opt out; and
(4) A reasonable means for the consumer to opt out.
(b) Future communications. Your notice may describe:
(1) Categories of opt out information about the consumer that you
reserve the right to communicate to your affiliates in the future but
do not currently communicate; and
(2) Categories of affiliates to which you reserve the right in the
future to communicate, but to which you do not currently communicate,
opt out information about the consumer.
(c) Partial opt out. You may allow a consumer to select certain opt
out information or certain affiliates, with respect to which the
consumer wishes to opt out.
(d) Examples of categories of information that you communicate. (1)
You satisfy the requirement to categorize the opt out information that
you communicate if you list the categories in paragraph (d)(2) of this
section, as applicable, and a few examples to illustrate the types of
information in each category. These examples may include those in
paragraph (d)(3) of this section, if applicable.
(2) Categories of opt out information may include information:
(i) From a consumer's application;
(ii) From a consumer credit report;
(iii) Obtained by verifying representations made by a consumer; and
(iv) Provided by another person regarding its employment, credit,
or other relationship with a consumer.
(3) Examples of information within a category listed in paragraph
(d)(2) of this section include a consumer's:
(i) Income;
(ii) Credit score or credit history with others;
(iii) Open lines of credit with others;
(iv) Employment history with others;
(v) Marital status; and
(vi) Medical history.
(4) You do not satisfy the requirement if you communicate or
reserve the right to communicate individually identifiable health
information (as described in section 1171(6)(B) of the Social Security
Act (42 U.S.C. 1320d(6)(B)) but omit illustrative examples of this
information.
(e) Examples of categories of affiliates. (1) You satisfy the
requirement to categorize the affiliates to which you communicate opt
out information if you list the categories in paragraph (e)(2) of this
section, as applicable, and a few examples to illustrate the types of
affiliates in each category.
(2) Categories of affiliates may include:
(i) Financial service providers; and
(ii) Non-financial companies.
(f) Sample notice. A sample notice is included in appendix A to
this part.
Sec. 334.6 Reasonable opportunity to opt out.
(a) In general. You provide a reasonable opportunity to opt out if
you provide a reasonable period of time following the delivery of the
opt out notice for the consumer to opt out.
(b) Examples of reasonable period of time: (1) In person. You hand-
deliver an opt out notice to the consumer and provide at least 30 days
from the date you delivered the notice.
(2) By mail. You mail an opt out notice to a consumer and provide
at least 30 days from the date you mailed the notice.
(3) By electronic means. You notify the consumer electronically,
and you provide at least 30 days after the date that the consumer
acknowledges receipt of the electronic notice.
(c) Continuing opportunity to opt out. A consumer may opt out at
any time.
Sec. 334.7 Reasonable means of opting out.
(a) General rule. You provide a consumer with a reasonable means of
opting out if you provide a reasonably convenient method to opt out.
(b) Reasonably convenient methods. Examples of reasonably
convenient methods include:
(1) Designating check-off boxes in a prominent position on the
relevant forms included with the opt out notice;
(2) Including a reply form together with the opt out notice;
(3) Providing an electronic means to opt out, such as a form that
can be electronically mailed or a process at your web site, if the
consumer agrees to the electronic delivery of information; or
(4) Providing a toll-free telephone number that consumers may call
to opt out.
(c) Methods not reasonably convenient. Examples of methods that are
not reasonably convenient include:
(1) Requiring a consumer to write his or her own letter to you; or
(2) Referring in a revised notice to a check-off box that you
included with a previous notice but that you do not include with the
revised notice.
(d) Requiring specific means of opting out. You may require each
consumer to opt out through a specific means, as long as that means is
reasonable for that consumer.
Sec. 334.8 Delivery of opt out notices.
(a) In general. You must deliver an opt out notice so that each
consumer can reasonably be expected to receive actual notice in writing
or, if the consumer agrees, electronically.
(b) Examples of expectation of actual notice. (1) You may
reasonably expect that a consumer will receive actual notice if you:
[[Page 63137]]
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known mailing
address of the consumer; or
(iii) For the consumer who conducts transactions electronically,
post the notice on your electronic site and require the consumer to
acknowledge receipt of the notice as a necessary step to obtaining a
particular product or service;
(2) You may not reasonably expect that a consumer will receive
actual notice if you:
(i) Only post a sign in your branch or office or generally publish
advertisements presenting your notice; or
(ii) Send the notice via electronic mail to a consumer who does not
obtain a product or service from you electronically.
(c) Oral description insufficient. You may not provide an opt out
notice solely by orally explaining the notice, either in person or over
the telephone.
(d) Retention or accessibility. (1) In general. You must provide an
opt out notice so that it can be retained or obtained at a later time
by the consumer in writing or, if the consumer agrees, electronically.
(2) Examples of retention or accessibility. You provide the notice
so that it can be retained or obtained at a later time if you:
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known address of
the consumer upon request of the consumer; or
(iii) Make your current notice available on a web site (or a link
to another web site) for the consumer who obtains a product or service
electronically and who agrees to receive the notice at the web site.
(e) Joint notice with affiliates. You may provide a joint notice
with one or more affiliates as long as the notice identifies each
person providing it and is accurate with respect to each.
(f) Joint relationships. (1) In general. Notwithstanding any other
provision in this part, if two or more consumers jointly obtain a
product or service from you (joint consumers), the following rules
apply:
(i) You may provide a single notice to all of the joint consumers.
(ii) Any of the joint consumers has the opportunity to opt out.
(iii) You may treat an opt out direction by a joint consumer either
as:
(A) Applying to all of the joint consumers; or
(B) Applying to that particular joint consumer.
(iv) You must explain in your opt out notice which of the two
policies set forth in paragraph (f)(1)(iii) of this section you will
follow.
(v) If you follow the policy set forth in paragraph (f)(1)(iii)(B)
of this section, by treating the opt out of a joint consumer as
applying to that particular joint consumer, you must also permit:
(A) A joint consumer to opt out on behalf of other joint consumers;
and
(B) One or more joint consumers to notify you of their opt out
directions in a single response.
(vi) You may not require all joint consumers to opt out before you
implement any opt out direction.
(vii) If you receive an opt out by a particular joint consumer that
does not apply to the others, you may disclose information about the
others as long as no information is disclosed about the consumer who
opted out.
(2) Example. If consumers A and B, who have different addresses,
have a joint checking account with you and arrange for you to send
statements to A's address, you may do any of the following, but you
must explain in your opt out notice which opt out policy you will
follow. You may send a single opt out notice to A's address and:
(i) Treat an opt out direction by A as applying to the entire
account. If you do so and A opts out, you may not require B to opt out
as well before implementing A's opt out direction.
(ii) Treat A's opt out direction as applying to A only. If you do
so, you must also permit:
(A) A and B to opt out for each other; and
(B) A and B to notify you of their opt out directions in a single
response (such as on a single form) if they choose to give separate opt
out directions.
(iii) If A opts out only for A, and B does not opt out, you may
disclose opt out information only about B, and not about A and B
jointly.
Sec. 334.9 Revised opt out notice.
If you have provided a consumer with one or more opt out notices
and plan to communicate opt out information to your affiliates about
the consumer, other than as described in those notices, you must
provide the consumer with a revised opt out notice that complies with
Secs. 334.4 through 334.8.
Sec. 334.10 Time by which opt out must be honored.
If you provide a consumer with an opt out notice and the consumer
opts out, you must comply with the opt out as soon as reasonably
practicable after you receive it.
Sec. 334.11 Duration of opt out.
An opt out remains effective until revoked by the consumer in
writing or electronically, as long as the consumer continues to have a
relationship with the institution. If the consumer's relationship with
the institution terminates, the opt out will continue to apply to this
information. However, a new notice and opportunity to opt out must be
provided if the consumer establishes a new relationship with the
institution.
Sec. 334.12 Prohibition against discrimination.
(a) In general. If a consumer is an applicant for credit, you must
not discriminate against the consumer if the consumer opts out of the
your communication of opt out information to your affiliates.
(b) Examples of discrimination against an applicant. You
discriminate against an applicant if you:
(1) Deny the applicant credit because the applicant opts out;
(2) Vary the terms of credit adversely to the applicant such as by
providing less favorable pricing terms to an applicant who opts out; or
(3) Apply more stringent credit underwriting standards to the
applicant because the applicant opts out.
(c) Regulation B. The terms ``applicant'' and ``discriminate
against'' in Sec. 334.12 have the same meanings ascribed to them in 12
CFR part 202.
Appendix A to Part 334--Sample Notice
This appendix contains a sample notice to facilitate compliance
with the notice requirements of this part. An institution may use
applicable disclosures in this sample to provide notices required by
this part.
Notice of Your Opportunity To Opt Out of Information Sharing With
Companies in Our Corporate Family
Information We Can Share With Our Corporate Family About You--
Unless You Tell Us Not to
What Information: Unless you tell us not to, [Financial
Institution] may share with companies in our corporate family
information about you including:
Information we obtain from your application, such as
[provide illustrative examples, such as ``your income'' or ``your
marital status''];
Information we obtain from a consumer report, such as
[provide illustrative examples, such as ``your credit score or
credit history''];
Information we obtain to verify representations made by
you, such as [provide illustrative examples, such as ``your open
lines of credit'']; and
Information we obtain from a person regarding its
employment, credit, or other relationship with you, such as [provide
[[Page 63138]]
illustrative examples, such as ``your employment history''].
Shared With Whom: Companies in our corporate family who may
receive this information are:
Financial service providers, such as [provide
illustrative examples, such as ``mortgage bankers, broker-dealers,
and insurance agents'']; and
Non-financial companies, such as [provide illustrative
examples, such as ``retailers, direct marketers, airlines, and
publishers''].
How To Tell Us Not To Share This Information With Our Corporate
Family
If you prefer that we not share this information with companies
in our corporate family, you may direct us not to share this
information by doing the following [insert one or more of the
reasonable means of opting out listed below\1\]: [call us toll free
at {insert toll free number}]; or [visit our web site at {insert web
site address} and {provide further instructions how to use the web
site option}]; or [e-mail us at {insert the e-mail address}]; or
[fill out and tear off the bottom of this sheet and mail to the
following address: {insert address}]; or [check the appropriate box
on the attached form {attach form} and mail to the following
address: {insert address}].
---------------------------------------------------------------------------
\1\ If the financial institution is using its web site or an e-
mail address as the only method by which a consumer may opt out, the
consumer must agree to the electronic delivery of information.
Note: Your direction in this paragraph covers certain
information about you that we might otherwise share with our
corporate family. We may share other information about you with our
---------------------------------------------------------------------------
corporate family as permitted by law.
By order of the Board of Directors, Federal Deposit Insurance
Corporation.
Dated at Washington, D.C., this 25th day of September, 2000.
Robert E. Feldman,
Executive Secretary.
Office of Thrift Supervision
12 CFR Chapter V
Authority and Issuance
For the reasons set out in the joint preamble, OTS proposes to
amend chapter V of title 12 of the Code of Federal Regulations by
adding a new part 571 to read as follows:
PART 571--FAIR CREDIT REPORTING
Sec.
571.1 Purpose and scope.
571.2 Examples.
571.3 Definitions.
571.4 Communication of opt out information to affiliates.
571.5 Content of opt out notice.
571.6 Reasonable opportunity to opt out.
571.7 Reasonable means of opting out.
571.8 Delivery of opt out notice.
571.9 Revised opt out notice.
571.10 Time by which opt out must be honored.
571.11 Duration of opt out.
571.12 Prohibition against discrimination.
Appendix A to Part 571--Sample Notice
Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828; 15 U.S.C.
1681s.
Sec. 571.1 Purpose and scope.
(a) Purpose. This part governs the collection, communication, and
use, by the institutions listed in paragraph (b)(2) of this section, of
certain information bearing on a consumer's credit worthiness, credit
standing, credit capacity, character, general reputation, personal
characteristics, or mode of living.
(b) Scope. (1) Information covered. This part applies to
information that is used or expected to be used or collected in whole
or in part for the purpose of serving as a factor in establishing a
consumer's eligibility for credit, insurance, employment, or any other
purpose authorized under section 604 of the Fair Credit Reporting Act
(15 U.S.C. 1681b).
(2) Institutions covered. This part applies to savings associations
whose deposits are insured by the Federal Deposit Insurance
Corporation.
(3) Relation to other laws. Nothing in this part modifies, limits,
or supersedes the standards governing the privacy of individually
identifiable health information promulgated by the Secretary of Health
and Human Services under the authority of sections 262 and 264 of the
Health Insurance Portability and Accountability Act of 1996 (42 U.S.C.
1320d-1320d-8).
Sec. 571.2 Examples.
The examples used in this part and the model form in appendix A to
this part are not exclusive. Compliance with an example or use of the
sample notice, to the extent applicable, constitutes compliance with
this part.
Sec. 571.3 Definitions.
As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.).
(b) Affiliate. (1) In general. The term means any company that is
related or affiliated by common ownership, or affiliated by corporate
control or common corporate control, with another company.
(2) Related or affiliated by common ownership or affiliated by
corporate control or common corporate control. This means controlling,
controlled by, or under common control with, another company.
(c) Clear and conspicuous. (1) In general. The term means that a
notice is reasonably understandable and is designed to call attention
to the nature and significance of the information it contains.
(2) Examples. (i) Reasonably understandable. You make your notice
reasonably understandable if you:
(A) Present the information in the notice in clear and concise
sentences, paragraphs, and sections;
(B) Use short explanatory sentences or bullet lists whenever
possible;
(C) Use definite, concrete, everyday words and active voice
whenever possible;
(D) Avoid multiple negatives;
(E) Avoid legal and highly technical business terminology whenever
possible; and
(F) Avoid explanations that are imprecise and are readily subject
to different interpretations.
(ii) Designed to call attention. You design your notice to call
attention to the nature and significance of the information it contains
if you:
(A) Use a plain-language heading to call attention to the notice;
(B) Use a typeface and type size that are easy to read;
(C) Provide wide margins and ample line spacing;
(D) Use boldface or italics for key words; and
(E) In a form that combines your notice with other information, use
distinctive type sizes, styles, and graphic devices, such as shading or
sidebars.
(iii) Notice on a web page. If you provide a notice on a web page,
you design your notice to call attention to the nature and significance
of the information it contains if:
(A) You place either the notice, or a link that connects directly
to the notice and that is labeled appropriately to convey the
importance, nature, and relevance of the notice, on a page that
consumers access often, such as a page on which transactions are
conducted;
(B) You use text or visual cues to encourage scrolling down the
page if necessary to view the entire notice; and
(C) You ensure that other elements on the web page (such as text,
graphics, links, or sound) do not detract attention from the notice.
(d) Communication includes written, oral, and electronic
communication; provided that the term includes electronic communication
to a consumer only if the consumer agrees to receive the communication
electronically.
(e) Company means any corporation, limited liability company,
business
[[Page 63139]]
trust, general or limited partnership, association, or similar
organization.
(f) Consumer means an individual.
(g) Consumer report. (1) In general. The term means any written,
oral, or other communication of any information by a consumer reporting
agency bearing on a consumer's credit worthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected to be used
or collected in whole or in part for the purpose of serving as a factor
in establishing the consumer's eligibility for:
(i) Credit or insurance to be used primarily for personal, family,
or household purposes;
(ii) Employment purposes; or
(iii) Any other purpose authorized under section 604 of the Act (15
U.S.C. 1681b).
(2) Exclusions. The term does not include:
(i) Any report containing information solely as to transactions or
experiences between the consumer and the person making the report;
(ii) Any communication of that information among affiliates;
(iii) Any communication among affiliates of opt out information if
the conditions in Secs. 571.4 through 571.9 are satisfied;
(iv) Any authorization or approval of a specific extension of
credit directly or indirectly by the issuer of a credit card or similar
device;
(v) Any report in which a person who has been requested by a third
party to make a specific extension of credit directly or indirectly to
a consumer conveys his or her decision with respect to such request, if
the third party advises the consumer of the name and address of the
person to whom the request was made, and the person makes the
disclosures to the consumer required under section 615 of the Act (15
U.S.C. 1681m); or
(vi) A communication described in section 603(o) of the Act (15
U.S.C. 1681a(o)).
(h) Consumer reporting agency means any person which, for monetary
fees, dues or on a cooperative nonprofit basis, regularly engages in
whole or in part in the practice of assembling or evaluating consumer
credit information or other information on consumers for the purpose of
furnishing consumer reports to third parties, and which uses any means
or facility of interstate commerce for the purpose of preparing or
furnishing consumer reports.
(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the
outstanding shares of any class of voting security of the company,
directly or indirectly, or acting through one or more other persons;
(2) Control in any manner over the election of a majority of the
directors, trustees, or general partners (or individuals exercising
similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling
influence over the management or policies of the company, as OTS
determines.
(j) Opt out means a direction by a consumer that you not
communicate opt out information about the consumer to one or more of
your affiliates.
(k) Opt out information means information that:
(1) Bears on a consumer's credit worthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living;
(2) Is used or expected to be used or collected in whole or in part
to serve as a factor in establishing the consumer's eligibility for
credit or another purpose listed in section 604 of the Act (15 U.S.C.
1681b); and
(3) Is not a report containing information solely as to
transactions or experiences between the consumer and the person
reporting or communicating the information.
(l) Person means any individual, partnership, corporation, trust,
estate, cooperative, association, government or governmental
subdivision or agency, or other entity.
(m) You means savings associations whose deposits are insured by
the Federal Deposit Insurance Corporation.
Sec. 571.4 Communication of opt out information to affiliates.
Your communication to your affiliates of opt out information about
a consumer is not a consumer report if:
(a) You have provided the consumer with an opt out notice;
(b) You have given the consumer a reasonable opportunity and means,
before you communicate the information to your affiliates, to opt out;
and
(c) The consumer has not opted out.
Sec. 571.5 Content of opt out notice.
(a) In general. An opt out notice must be clear and conspicuous,
and must accurately explain:
(1) The categories of opt out information about the consumer that
you communicate to your affiliates;
(2) The categories of affiliates to which you communicate the
information;
(3) The consumer's ability to opt out; and
(4) A reasonable means for the consumer to opt out.
(b) Future communications. Your notice may describe:
(1) Categories of opt out information about the consumer that you
reserve the right to communicate to your affiliates in the future but
do not currently communicate; and
(2) Categories of affiliates to which you reserve the right in the
future to communicate, but to which you do not currently communicate,
opt out information about the consumer.
(c) Partial opt out. You may allow a consumer to select certain opt
out information or certain affiliates, with respect to which the
consumer wishes to opt out.
(d) Examples of categories of information that you communicate. (1)
You satisfy the requirement to categorize the opt out information that
you communicate if you list the categories in paragraph (d)(2) of this
section, as applicable, and a few examples to illustrate the types of
information in each category. These examples may include those in
paragraph (d)(3) of this section, if applicable.
(2) Categories of opt out information may include information:
(i) From a consumer's application;
(ii) From a consumer credit report;
(iii) Obtained by verifying representations made by a consumer; or
(iv) Provided by another person regarding its employment, credit,
or other relationship with a consumer.
(3) Examples of information within a category listed in paragraph
(d)(2) of this section include a consumer's:
(i) Income;
(ii) Credit score or credit history with others;
(iii) Open lines of credit with others;
(iv) Employment history with others;
(v) Marital status; and
(vi) Medical history.
(4) You do not satisfy the requirement if you communicate or
reserve the right to communicate individually identifiable health
information (as described in section 1171(6)(B) of the Social Security
Act (42 U.S.C. 1320d(6)(B)) but omit illustrative examples of this
information.
(e) Examples of categories of affiliates. (1) You satisfy the
requirement to categorize the affiliates to which you communicate opt
out information if you list the categories in paragraph (e)(2) of this
section, as applicable, and a few examples to illustrate the types of
affiliates in each category.
(2) Categories of affiliates may include:
(i) Financial service providers; and
[[Page 63140]]
(ii) Non-financial companies.
(f) Sample notice. A sample notice is included in appendix A to
this part.
Sec. 571.6 Reasonable opportunity to opt out.
(a) In general. You provide a reasonable opportunity to opt out if
you provide a reasonable period of time following the delivery of the
opt out notice for the consumer to opt out.
(b) Examples of reasonable period of time: (1) In person. You hand-
deliver an opt out notice to the consumer and provide at least 30 days
from the date you delivered the notice.
(2) By mail. You mail an opt out notice to a consumer and provide
at least 30 days from the date you mailed the notice.
(3) By electronic means. You notify the consumer electronically,
and you provide at least 30 days after the date that the consumer
acknowledges receipt of the electronic notice.
(c) Continuing opportunity to opt out. A consumer may opt out at
any time.
Sec. 571.7 Reasonable means of opting out.
(a) General rule. You provide a consumer with a reasonable means of
opting out if you provide a reasonably convenient method to opt out.
(b) Reasonably convenient methods. Examples of reasonably
convenient methods include:
(1) Designating check-off boxes in a prominent position on the
relevant forms included with the opt out notice;
(2) Including a reply form together with the opt out notice;
(3) Providing an electronic means to opt out, such as a form that
can be electronically mailed or a process at your web site, if the
consumer agrees to the electronic delivery of information; or
(4) Providing a toll-free telephone number that consumers may call
to opt out.
(c) Methods that are not reasonably convenient. Examples of methods
that are not reasonably convenient include:
(1) Requiring a consumer to write his or her own letter to you; or
(2) Referring in a revised notice to a check-off box that you
included with a previous notice but that you do not include with the
revised notice.
(d) Requiring specific means of opting out. You may require each
consumer to opt out through a specific means, as long as that means is
reasonable for that consumer.
Sec. 571.8 Delivery of opt out notice.
(a) In general. You must deliver an opt out notice so that each
consumer can reasonably be expected to receive actual notice in writing
or, if the consumer agrees, electronically.
(b) Examples of expectation of actual notice. (1) You may
reasonably expect that a consumer will receive actual notice if you:
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known mailing
address of the consumer; or
(iii) For the consumer who conducts transactions electronically,
post the notice on your electronic site and require the consumer to
acknowledge receipt of the notice as a necessary step to obtaining a
particular product or service;
(iv) You may not reasonably expect that a consumer will receive
actual notice if you:
(A) Only post a sign in your branch or office or generally publish
advertisements presenting your notice; or
(B) Send the notice via electronic mail to a consumer who does not
obtain a product or service from you electronically.
(c) Oral description insufficient. You may not provide an opt out
notice solely by orally explaining the notice, either in person or over
the telephone.
(d) Retention or accessibility. (1) In general. You must provide an
opt out notice so that it can be retained or obtained at a later time
by the consumer in writing or, if the consumer agrees, electronically.
(2) Examples of retention or accessibility. You provide the notice
so that it can be retained or obtained at a later time if you:
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known address of
the consumer upon request of the consumer; or
(iii) Make your current notice available on a web site (or a link
to another web site) for the consumer who obtains a product or service
electronically and who agrees to receive the notice at the web site.
(e) Joint notice with affiliates. You may provide a joint notice
with one or more affiliates as long as the notice identifies each
person providing it and is accurate with respect to each.
(f) Joint relationships. (1) In general. Notwithstanding any other
provision in this part, if two or more consumers jointly obtain a
product or service from you (joint consumers), the following rules
apply:
(i) You may provide a single notice to all of the joint consumers.
(ii) Any of the joint consumers has the opportunity to opt out.
(iii) You may treat an opt out direction by a joint consumer either
as:
(A) Applying to all of the joint consumers; or
(B) Applying to that particular joint consumer.
(iv) You must explain in your opt out notice which of the two
policies set forth in paragraph (f)(1)(iii) of this section you will
follow.
(v) If you follow the policy set forth in paragraph (f)(1)(iii)(B)
of this section, by treating the opt out of a joint consumer as
applying to that particular joint consumer, you must also permit:
(A) A joint consumer to opt out on behalf of other joint consumers;
and
(B) One or more joint consumers to notify you of their opt out
directions in a single response.
(vi) You may not require all joint consumers to opt out before you
implement any opt out direction.
(vii) If you receive an opt out by a particular joint consumer that
does not apply to the others, you may disclose information about the
others as long as no information is disclosed about the consumer who
opted out.
(2) Example. If consumers A and B, who have different addresses,
have a joint checking account with you and arrange for you to send
statements to A's address, you may do any of the following, but you
must explain in your opt out notice which opt out policy you will
follow. You may send a single opt out notice to A's address and:
(i) Treat an opt out direction by A as applying to the entire
account. If you do so and A opts out, you may not require B to opt out
as well before implementing A's opt out direction.
(ii) Treat A's opt out direction as applying to A only. If you do
so, you must also permit:
(A) A and B to opt out for each other; and
(B) A and B to notify you of their opt out directions in a single
response (such as on a single form) if they choose to give separate opt
out directions.
(iii) If A opts out only for A, and B does not opt out, you may
disclose opt out information only about B, and not about A and B
jointly.
Sec. 571.9 Revised opt out notice.
If you have provided a consumer with one or more opt out notices
and plan to communicate opt out information to your affiliates about
the consumer, other than as described in those notices, you must
provide the consumer with a revised opt out notice that complies with
Secs. 571.4 through 571.8.
Sec. 571.10 Time by which opt out must be honored.
If you provide a consumer with an opt out notice and the consumer
opts out,
[[Page 63141]]
you must comply with the opt out as soon as reasonably practicable
after you receive it.
Sec. 571.11 Duration of opt out.
An opt out remains effective until revoked by the consumer in
writing or electronically, as long as the consumer continues to have a
relationship with the institution. If the consumer's relationship with
the institution terminates, the opt out will continue to apply to this
information. However, a new notice and opportunity to opt out must be
provided if the consumer establishes a new relationship with the
institution.
Sec. 571.12 Prohibition against discrimination.
(a) In general. You must not discriminate against a consumer who is
an applicant for credit because the consumer opts out of your
communication of opt out information to your affiliates.
(b) Examples of discrimination against an applicant. You
discriminate against an applicant if you:
(1) Deny the applicant credit because the applicant opts out;
(2) Vary the terms of credit adversely to the applicant such as by
providing less favorable pricing terms to an applicant who opts out; or
(3) Apply more stringent credit underwriting standards to the
applicant because the applicant opts out.
(c) Regulation B. The terms ``applicant'' and ``discriminate
against'' in this section have the same meanings ascribed to them in 12
CFR part 202.
Appendix A to Part 571--Sample Notice
This appendix contains a sample notice to facilitate compliance
with the notice requirements of this part. An institution may use
applicable disclosures in this sample to provide notices required by
this part.
Notice of Your Opportunity to Opt Out of Information Sharing With
Companies in Our Corporate Family
Information We Can Share With Our Corporate Family About You--
Unless You Tell Us Not to
What Information: Unless you tell us not to, [Financial
Institution] may share with companies in our corporate family
information about you including:
Information we obtain from your application, such as
[provide illustrative examples, such as ``your income'' or ``your
marital status''];
Information we obtain from a consumer report, such as
[provide illustrative examples, such as ``your credit score or
credit history''];
Information we obtain to verify representations made by
you, such as [provide illustrative examples, such as ``your open
lines of credit'']; and
Information we obtain from a person regarding its
employment, credit, or other relationship with you, such as [provide
illustrative examples, such as ``your employment history''].
Shared With Whom: Companies in our corporate family who may
receive this information are:
Financial service providers, such as [provide
illustrative examples, such as ``mortgage bankers, broker-dealers,
and insurance agents'']; and
Non-financial companies, such as [provide illustrative
examples, such as ``retailers, direct marketers, airlines, and
publishers''].
How To Tell Us Not To Share This Information With Our Corporate
Family
If you prefer that we not share this information with companies
in our corporate family, you may direct us not to share this
information by doing the following [insert one or more of the
reasonable means of opting out listed below\1\]: [call us toll free
at {insert toll free number}]; or [visit our web site at {insert web
site address} and {provide further instructions how to use the web
site option}]; or [e-mail us at {insert the e-mail address}]; or
[fill out and tear off the bottom of this sheet and mail to the
following address: {insert address}]; or [check the appropriate box
on the attached form {attach form} and mail to the following
address: {insert address}].
Note: Your direction in this paragraph covers certain
information about you that we might otherwise share with our
corporate family. We may share other information about you with our
corporate family as permitted by law.
\1\ If the financial institution is using its web site or an e-
mail address as the only method by which a consumer may opt out, the
consumer must agree to the electronic delivery of information.
Dated: September 29, 2000.
By the Office of Thrift Supervision.
Ellen Seidman,
Director.
[FR Doc. 00-26601 Filed 10-19-00; 8:45 am]
BILLING CODE 4810-33-P; 6210-01P; 6714-01-P; 6720-01-P