Compliance Article
11/28/2007
On October 25, 2007, the banking regulators jointly issued final regulations implementing Section 214 of the Fair and Accurate Credit Transactions (FACT) Act. These regulations provide model language and guidance for the notices financial institutions are required to send if they share customer information with their affiliates for marketing solicitation purposes. They can be found at:
- 12 CFR §41.20-28 of the OCC regulations,
- 12 CFR §222.20-28 of the Federal Reserve regulations,
- 12 CFR §334.20-28 of the FDIC regulations,
- 12 CFR §571.20-28 of the OTS regulations, and
- 12 CFR §717.20-28 of the NCUA regulations.
The regulations are effective January 1, 2008 with a mandatory compliance date of October 1, 2008.
The new requirements provide that, with some exceptions, if a person shares certain information about a consumer with an affiliate, the affiliate may not use that information to make or send solicitations to the consumer about its products or services, unless the consumer is given notice and a reasonable opportunity to limit such use of the information and the consumer does not do so.
The new regulations are different from existing privacy opt-outs because they govern the use of information by the affiliate, not the sharing of information with or among affiliates. So, this new right to limit marketing is distinct from the existing FCRA opt-out right for affiliate sharing, although these rights overlap to some extent. The FCRA previously allowed some information (called transaction or experience information) to be shared without giving the consumer notice and an opportunity to opt out, and provided that “other” information could not be shared among affiliates without giving the consumer notice and an opportunity to opt out. The new right to limit affiliate marketing generally applies to both transaction or experience information and “other” information.
The final rules apply to information obtained from the consumer’s transactions or account relationships with an affiliate, any application the consumer submitted to an affiliate, and third-party sources, such as credit reports, if the information is to be used to send marketing solicitations. Nothing in the final rules supersedes or amends a consumer’s existing rights to opt out, so it’s possible that there could be a Gramm-Leach-Bliley opt-out for sharing with nonaffiliates, an FCRA opt-out for sharing non-transaction and experience information, and the new right to limit marketing for the same account.
There are exceptions to the notice requirement for customers that have a previously existing relationship with the affiliate.
The new notice must contain:
- The name of the institution(s) providing the notice (which may be a common name like the ABC group of Companies);
- A list of affiliates or groups of affiliates who would use the information;
- A general description of the information;
- A statement that the consumer may elect to limit the use of the information;
- A time period of at least 5 years for the duration of the marketing limitation (or, at the option of the institution, no limit); and
- A reasonable and simple method to opt out.
One thing you will have to decide is whether to deliver this new notice with your current privacy notice or to give it as a separate form. Either of these methods is acceptable. There are some differences between the two notice requirements that might factor into that decision. The new notice does not have to be given on an annual basis as the current privacy notice does, so including it would mean that it would be given more often than necessary.
In addition, the new notice can have a time limit on the choice made by the customer, while the old privacy notice does not. If you decide to have a five-year limitation and you consolidate this new notice with your existing privacy notice, you must include a statement that the consumer does not need to act again until they receive a renewal notice. After the expiration of the time period you cannot market to that consumer until you send a “renewal” notice which gives the consumer another chance to limit marketing.
Another decision you need to make is how you will treat responses from consumers in joint relationships. Joint consumers may get one notice, but either of them must be allowed to limit marketing for the whole relationship. In addition, your notice must describe how you will handle elections to limit marketing by joint parties.
You must also decide whether you will send your notice from your institution alone, or whether you will have one affiliate marketing notice from a related group of companies of which you are a member.
Finally, you will have to decide how a consumer that wishes to limit marketing should respond. You can, for example, specify a toll-free number to call or have a check box on the notice form and the form (or the portion of it with the checkbox) can then be mailed back to your institution. You can’t require the consumer to write a letter or call to get a form.
There are model forms provided for the notices, but as you can tell from this article, compliance will not be a simple process. The new regulations apply to information that is shared after the mandatory effective date of October 1, 2008, but institutions that choose to incorporate the new notice into their existing privacy notices may have to give the notice sooner if they have an annual privacy notice mailing date earlier in the year because the annual privacy notice cannot be delayed simply because you are choosing to include the new affiliate marketing notice.
