TCA has received questions from several clients recently regarding privacy notices and opt-out requirements, so we felt it was time to provide a refresher. Questions on whether written agreements meet the requirements for joint marketing arrangements should be referred to legal counsel.
What information is covered?
The GLB Privacy Rule protects a consumer’s “nonpublic personal information” or NPI which is defined as any personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.
Under the rule, a consumer is someone who obtains or has obtained a financial product or service from the financial institution that is to be used primarily for personal, family or household purposes, or that person’s legal representative. Consumer privacy rules do not apply to commercial clients who have business purpose accounts.
A sub-category of consumers is “customers.” Customers are defined as those who have a continuing relationship with a financial institution. Individuals who engage only in isolated transactions with you are consumers but not customers. For example, a person who uses your ATMs but does not have an account with you is not a customer but is a consumer of the bank’s products and services. Former customers are consumers.
Examples of NPI include name, address, income, social security number or other information on an application; information from a transaction involving the consumer, including the fact that the individual is or has been your consumer or customer; account number, payment history, account balances, card purchases, etc.; or any information the financial institution obtains about an individual in connection with providing a financial product or service, such as court records, consumer reports, etc. Treat telephone numbers as nonpublic information, as the customer may not wish this information to be public.
Examples of publicly available information (not protected) include federal, state or local government records such as a recorded mortgage; information that is widely available in media such as newspapers or websites that are available to the general public on an unrestricted basis.
Opt-Out Notice Requirements
If you share NPI with nonaffiliated third parties outside of the exceptions below, you must give consumers and customers an “opt-out notice” that clearly and conspicuously describes their right to opt out of the information being shared. An opt-out notice must be delivered with or as part of the privacy notice. The opt-out notice must describe a reasonable means for consumers and customers to opt out.
The opt-out notice must give the consumer and customer a reasonable opportunity to exercise their right to opt out. A reasonable amount of time is at least 30 days. In some cases, such as an isolated money order purchase, the financial institution may require an opt-out decision before completing the transaction.
Fair Credit Reporting Act Notice: While the GLB Privacy Rule does not require you to provide an opt-out notice if you only disclose NPI to affiliates, if you share certain information (such as consumer report or application information) with your affiliates, you may have an obligation to provide an opt-out notice under the Fair Credit Reporting Act. That opt-out notice must be included in your GLB privacy notice.
Exceptions With No Opt-Out Requirements
There are exceptions to the notice and opt-out requirements. If you share information only under these sets of exceptions, consumers may not opt out of these disclosures.
Section 13 Exceptions: Service Providers and Joint Marketing
This exception applies to nonaffiliated third parties that perform services for you or functions on your behalf and do not fall within the Section 14 or 15 exceptions, and to certain marketing activities. Examples of Section 13 exceptions include hiring nonaffiliated third parties to provide services in connection with marketing your products, to market financial products jointly for you and another financial institution, or to perform a general analysis of your customer transactions. Note that the Section 13 exception waives only the opt-out; you must still provide the initial privacy notice before sharing.
Section 13 exceptions also apply to marketing financial products or services offered through a “joint marketing agreement” with one or more other financial institutions. The “joint agreement” requirement means that you have entered into a written contract with one or more financial institutions about your joint offering, endorsement, or sponsorship of a financial product or service. The written contract with the nonaffiliated third parties must guarantee the confidentiality of the information by prohibiting the third party from using or disclosing the information for any purpose other than the one for which it was received.
The term “financial institution” under the privacy rules includes businesses significantly engaged in the following activities:
- Lending, exchanging, transferring, investing for others or safeguarding money or securities such as lenders, check cashers, wire transfer services, and sellers of money orders.
- Providing financial, investment or economic advisory services. Examples are credit counselors, financial planners, tax preparers, accountants, and investment advisors.
- Brokering loans.
- Servicing loans.
- Debt collecting.
- Providing real estate settlement services.
- Career counseling for individuals seeking employment in the financial services industry.
Section 14 Exceptions apply to information sharing necessary to process or administer a financial transaction requested or authorized by a consumer. Examples are service providers who process transactions for the financial institution or disclosures to creditors listed by a consumer on a credit application to perform a credit check.
Section 15 Exceptions apply to certain types of information sharing, including disclosures for purposes of preventing fraud, responding to judicial process or subpoena, or complying with federal, state or local laws. Examples are technical service providers who maintain the security of your records, attorneys, auditors, a purchaser of a portfolio of consumer loans you own and a consumer reporting agency, consistent with the Fair Credit Reporting Act.
As a reminder, if your financial institution shares NPI only within the Section 13, 14 and 15 exceptions (which do not require opt-outs) and your privacy policies and practices have not changed since your last notice, you are not required to provide annual privacy notices. If your privacy policy changes or if you share information requiring an opt-out, you are still required to provide annual privacy notices.
Additional Opt-Out Choices
The model form permits institutions to provide for voluntary or state law-required opt-outs. For example, institutions may voluntarily allow customers to opt out of their own marketing or joint marketing if they choose to do so, by stating “Yes” in the third column of the model form next to either of these categories of information sharing.
Institutions must also comply with various state privacy law requirements. Your institution’s legal counsel or state banking association are good resources for determining what is required by the states in which you do business. The model form provides space in the “Other Important Information” box for state and/or international privacy law information and/or an acknowledgment of receipt form. Any opt-out options noted in this section must be the same opt-out options that are provided in the above sections of the privacy notice.
TCA is your source for up‐to‐date compliance information. Contact us at [email protected] or at (800) 934-7347.