The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 41
[Docket No. 00-20]
RIN 1557-AB78
FEDERAL RESERVE SYSTEM
12 CFR Part 222
[Regulation V; Docket No. R-1082]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 334
RIN 3064-AC35
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 571
[Docket No. 2000-81]
RIN 1550-AB33
Fair Credit Reporting Regulations
AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors
of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); and
Office of Thrift Supervision, Treasury (OTS).
ACTION: Joint notice of proposed rulemaking.
SUMMARY: The OCC, Board, FDIC, and OTS (Agencies) are publishing for comment
proposed regulations implementing the provisions of the Fair Credit Reporting Act (FCRA) that
permit institutions to communicate consumer information to their affiliates (affiliate information
sharing) without incurring the obligations of consumer reporting agencies. These provisions
authorize institutions to communicate among their affiliates: information as to transactions or
experiences between the consumer and the person making the communication (transaction or
experience information); and “other” information (that is, information covered by the FCRA but
not transaction or experience information), provided that the institution has given notice to the
consumer that the other information may be communicated, the institution has provided the
consumer an opportunity to “opt out” (i.e., to direct that the information not be communicated),
and the consumer has not opted out. The proposed regulations explain how to comply with the
affiliate information sharing provisions, addressing such matters as the content and delivery of the
notice to consumers that “other” information may be communicated (opt out notice). The
proposed regulations also implement certain related provisions. The Agencies have attempted to
conform these proposed regulations to the final regulations implementing the privacy provisions
of the Gramm-Leach-Bliley Act, whenever feasible.
DATES: Comments must be received by December 4, 2000.
ADDRESSES: Comments should be directed to:
OCC: Communications Division, Office of the Comptroller of the Currency, 250 E Street, SW.,
Washington, D.C. 20219, Attention: Docket No. 00-20; FAX number (202) 874-5274 or Internet
address: regs.comments@occ.treas.gov. Comments may be inspected and photocopied at the
OCC’s Public Reference Room, 250 E Street, SW., Washington D.C. between 9:00 a.m. and 5:00
p.m. on business days. You can make an appointment to inspect the comments by calling (202)
874-5043.
Board: Comments, which should refer to Docket No. R-1082, may be mailed to Ms. Jennifer J.
Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th and C Streets, NW.,
Washington, D.C. 20551 or mailed electronically to regs.comments@federalreserve.gov.
Comments addressed to Ms. Johnson also may be delivered to the Board’s mail room between
8:45 a.m. and 5:15 p.m. and to the security control room outside of those hours. Both the mail
room and the security control room are accessible from the courtyard entrance on 20th Street
between Constitution Avenue and C Street, NW. Comments may be inspected in Room MP-500
between 9:00 a.m. and 5:00 p.m., pursuant to § 261.12, except as provided in § 261.14, of the
Board’s Rules Regarding the Availability of Information, 12 CFR 261.12 and 261.14.
FDIC: Send written comments to Robert E. Feldman, Executive Secretary, Attention:
Comments/OES, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC
20429. Comments may be hand delivered to the guard station at the rear of the 17th Street
building (located on F Street) on business days between 7 a.m. and 5 p.m. (FAX number (202)
898-3838). Comments may be inspected and photocopied in the FDIC Public Information
Center, Room 100, 801 17th Street, NW., Washington, DC 20429, between 9:00 a.m. and 4:30
p.m. on business days.
Comments may be submitted to the FDIC electronically over the Internet at
www.fdic.gov. Further information concerning this option may be found below at “FDIC’s
Electronic Public Comment Site.” Comments also may be mailed electronically to
comments@fdic.gov.
OTS: Mail: Send comments to Manager, Dissemination Branch, Information Management and
Services Division, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552,
Attention Docket No. 2000-81.
Delivery: Hand deliver comments to the Guard’s Desk, East Lobby Entrance, 1700 G
Street, NW., from 9:00 a.m. to 4:00 p.m. on business days, Attention Docket No. 2000-81.
Facsimiles: Send facsimile transmissions to FAX Number (202) 906-7755, Attention
Docket No. 2000-81; or (202) 906-6956 (if comments are over 25 pages).
2
E-Mail: Send e-mails to “public.info@ots.treas.gov”, Attention Docket No. 2000-81, and
include your name and telephone number.
Public Inspection: Interested persons may inspect comments at the Public Reference
Room, 1700 G St. N.W., from 10:00 a.m. until 4:00 p.m. on Tuesdays and Thursdays or obtain
comments and/or an index of comments by facsimile by telephoning the Public Reference Room at
(202) 906-5900 from 9:00 a.m. until 5:00 on business days. Comments and the related index will
also be posted on the OTS Internet Site at “www.ots.treas.gov”.
FOR FURTHER INFORMATION CONTACT:
OCC:
Amy Friend, Assistant Chief Counsel, (202) 874-5200; Michael Bylsma, Director, Community
and Consumer Law, (202) 874-5750; Stephen Van Meter, Senior Attorney, Community and
Consumer Law, (202) 874-5750; Carol Workman, Compliance Specialist, Community and
Consumer Policy, (202) 874-4858; Deborah Katz, Senior Attorney, Legislative and Regulatory
Activities Division, (202) 874-5090; or Jeffery Abrahamson, Attorney, Enforcement and
Compliance, (202) 874-4800, Office of the Comptroller of the Currency, 250 E Street, SW.,
Washington, DC 20219.
Board:
James H. Mann, Senior Attorney, (202) 452-2412; or David A. Stein, Attorney, (202) 452-3667,
Division of Consumer and Community Affairs. For the hearing impaired only, contact Janice
Simms, Telecommunications Device for the Deaf (TDD) (202) 872-4984, Board of Governors of
the Federal Reserve System, 20th and C Streets, NW., Washington, DC 20551.
FDIC:
James K. Baebel, Assistant Director, Compliance Policy, Division of Compliance and Consumer
Affairs, (202) 942-3086; Deanna Caldwell, Community Affairs Officer, Division of Compliance
and Consumer Affairs, (202) 736-0141; Nancy Schucker Recchia, Counsel, Regulations and
Legislation Section, (202) 898-8885; A. Ann Johnson, Counsel, Regulations and Legislation
Section, (202) 898-3573; and David Lafleur, Senior Compliance Examiner, (415) 395-5261,
Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.
OTS:
Christine Harrington, Counsel (Banking and Finance), (202) 906-7957; Paul Robin, Assistant
Chief Counsel, (202) 906-6648; or Elizabeth Baltierra, Program Analyst, Compliance Policy
(202) 906-6540, Office of Thrift Supervision, 1700 G Street, NW., Washington DC 20552.
3
SUPPLEMENTARY INFORMATION:
I. Background
The FCRA
The FCRA, enacted in 1970, sets standards for the collection, communication, and use of
information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character,
general reputation, personal characteristics, or mode of living. 15 U.S.C. 1681-1681u. In 1996,
the Consumer Credit Reporting Reform Act amended the FCRA extensively (1996 Amendments).
Pub. L. 104-208, 110 Stat. 3009.
For many years, to avoid the obligations of consumer reporting agencies imposed by the
FCRA, many institutions avoided making any communications to affiliated companies of
consumer information that could constitute consumer reports.1 The 1996 Amendments, however,
excluded specified types of information sharing with affiliates from the definition of “consumer
report,” assuring institutions that making these communications would not expose them to the
obligations of consumer reporting agencies. In particular, the 1996 Amendments excluded from
the definition of “consumer report” the sharing of “other” information among affiliates, so long as
the consumer, having been given notice and an opportunity to opt out, did not opt out. “Other
information” refers to information that is covered by the FCRA and that is not a report containing
information solely as to transactions or experiences between the consumer and the person making
the report.
The 1996 Amendments prohibited the Agencies from issuing implementing regulations.
15 U.S.C. 1681s(a)(4) (repealed). The Gramm-Leach-Bliley Act (GLBA) repealed this
prohibition and directed the Agencies to prescribe jointly such regulations as necessary to carry
out the purposes of the FCRA. Pub. L. Sec. 506, 106-102, 15 U.S.C. 1681s(e).
Coordination with Privacy Regulations
The GLBA sets standards for financial institutions’ disclosure of nonpublic personal
information to nonaffiliated third parties (privacy provisions; Pub. L. 106-102, 15 U.S.C. 6802;
see also 15 U.S.C. 6803). The Agencies published final regulations implementing these privacy
provisions on June 1, 2000 (privacy regulations; 65 FR 35162, June 1, 2000).
The privacy regulations do not “modify, limit, or supersede the operation of the Fair
Credit Reporting Act.” 15 U.S.C. 6806. Thus, both the privacy regulations and the FCRA may
1
The FCRA creates substantial obligations for “consumer reporting agencies.” FCRA, section 603(f); see, e.g.,
sections 607, 611. These obligations include furnishing consumer reports only for permissible purposes, maintaining
high standards for ensuring the accuracy of information in consumer reports, resolving customer disputes, and other
matters.
4
apply to an institution’s disclosure of consumer information. Moreover, if a financial institution
provides an opt out notice under the FCRA, that notice must be included in certain notices
mandated by the privacy regulations, including annual notices to customers. 15 U.S.C. 6803.
Therefore, the Agencies anticipate that financial institutions will design their information-sharing
policies and practices taking into account both the privacy regulations and the regulations
implementing the FCRA.
To ease compliance and promote consistency, the Agencies are conforming the two
regulations where appropriate. For example, the Agencies are proposing requirements regarding
the content and delivery of the FCRA opt out notice that are generally consistent with the
corresponding provisions of the privacy regulations.
This Proposal and Future Agency Issuances
The FCRA raises many significant issues in addition to affiliate information sharing. The
Agencies are analyzing these issues and expect to address them in an Advance Notice of Proposed
Rulemaking. Additionally, the Agencies will review a series of questions and answers regarding
the FCRA (Qs & As) that the Agencies (including the Federal Home Loan Bank Board,
predecessor of the OTS) issued in 1971. These were designed to help financial institutions
develop a working knowledge of the statute. The Agencies will modify or withdraw any Qs & As
that are inconsistent with the FCRA or obsolete.
II. Section-by-Section Analysis
Section __.1 Purpose and scope
Proposed paragraph ___.1(a) briefly describes the purpose of the regulations. Proposed
paragraph .1(b) briefly describes the scope of the regulations, including the information and
institutions subject to them. (These institutions are identified in more detail in proposed section
___.3(m) of the Board, FDIC, and OTS regulations.)
Paragraph .1(b) also provides that nothing in this part modifies, limits, or supersedes the
standards governing the privacy of individually identifiable health information promulgated by the
Secretary of Health and Human Services pursuant to sections 262 and 264 of the Health
Insurance Portability and Accountability Act (HIPAA) of 1996 (42 U.S.C. 1320d-1320d-8).
Certain institutions that possess medical information about consumers may be covered by these
regulations, the GLBA privacy regulations, and rules promulgated by the Department of Health
and Human Services (HHS) under the authority of sections 262 and 264 of HIPAA once those
regulations are finalized. Based on the proposed HIPAA rules, it appears likely that there will be
areas of overlap between the HIPAA and the FCRA affiliate information-sharing rules. For
instance under the HIPAA proposal, consumers must provide affirmative authorization before a
“covered institution” or its “business partner” may disclose medical information in certain
instances, whereas under these proposed FCRA affiliate information sharing rules, institutions
5
need only provide consumers with the opportunity to opt out of disclosures. In cases where the
HIPAA requires consumers to opt in before certain information may be shared, but this rule
allows consumers to opt out of the same sharing, opt in would be necessary before the
information may be shared. The Agencies will consult with HHS to avoid the imposition of
duplicative or inconsistent requirements.
Section __.2 Examples
Proposed section __.2 clarifies that the examples used in the regulations and in the sample
notice are not exclusive means of compliance; rather, they are intended to provide guidance on
how to comply in specific situations.
The Agencies solicit comment on whether to include additional or different examples, and,
more fundamentally, on whether including examples in the regulations is appropriate and useful.
Instead of addressing specific fact situations through such examples, the Agencies could
periodically issue interagency staff commentaries or questions and answers.
The Agencies note that an example that mentions a particular activity does not, by itself,
authorize an institution to engage in that activity. Any such authority must have an independent
source.
Section __.3 Definitions
Discussed below are a few key definitions, including: “affiliate” (as well as the related
terms “company” and “control”); “clear and conspicuous”; “opt out”; “opt out information”; and
“consumer report.” The proposal tracks the statutory language referring to “transaction or
experience information,” but does not define that term.
Affiliate
Several FCRA provisions apply to information sharing with persons “related by common
ownership or affiliated by corporate control,” “related by common ownership or affiliated by
common corporate control,” or “affiliated by common ownership or common corporate control.”
E.g., FCRA, sections 603(d)(2), 615(b)(2), and 624(b)(2). Proposed paragraph (b) defines
“affiliate” to refer to all these relationships between and among companies, and clarifies that
“related or affiliated by common ownership or affiliated by corporate control or common
corporate control” means controlling, controlled by, or under common control with another
company.
Consistent with the definitions in the privacy regulations, the proposal uses a definition of
“control” that applies exclusively to the control of a “company,” and defines “company” to
include any corporation, limited liability company, business trust, general or limited partnership,
association, or similar organization. See proposed paragraphs (e) (“company”) and (i)
6
(“control”). The definition of “company” omits some entities that are “persons” under the FCRA-individuals, estates, cooperatives, governments, and governmental subdivisions or agencies. The
Agencies, however, are not aware of any circumstances where “control” could be exercised over
individuals, government agencies, and other persons that do not fit within the definition of
“company.” Comment is solicited on whether the proposed definition of “control” should be
expanded to apply to these additional types of persons.
Clear and Conspicuous
Proposed paragraph (c) defines “clear and conspicuous” to mean that a notice must be
reasonably understandable and designed to call attention to the nature and significance of the
information it contains. The proposed regulations do not mandate the use of any particular
technique for making a notice clear and conspicuous; instead, they give institutions flexibility in
determining how to comply. An institution may make its notice reasonably understandable by, for
example, using short explanatory sentences or bullet lists and avoiding legal or highly technical
business terminology whenever possible. An institution may design its notice to call attention to
the nature and significance of the information in the notice by, for example, using a plain-language
heading and a typeface and size that are easy to read.
Paragraph (c) is consistent with the “clear and conspicuous” standard in the privacy
regulations. As such, it offers a more detailed exposition of the standard (particularly with respect
to what makes a notice “conspicuous”) than some other regulations, such as the Board’s
Regulation Z. However, laws other than FCRA -- for example, the Truth in Lending Act -- that
require clear and conspicuous disclosures, are beyond the scope of this rulemaking. Accordingly,
the standard proposed here does not affect disclosures required by those laws.
The Agencies request comment on whether institutions have any particular concerns about
compliance with FCRA’s clear and conspicuous standard when FCRA opt out notices are
included with the GLBA privacy provision notices.
7
Consumer Report
Proposed paragraph (g) parallels the definition in section 603(d) of the FCRA. Paragraph
(g)(2)(ii) excludes from the definition of “consumer report” communication among affiliates of a
report containing information solely as to transactions or experiences between the consumer and
the person making the report.2
Paragraph (g)(2)(iii) excludes any communication of “opt out information” if the
conditions set out in sections __.4-__.9 are satisfied. The FCRA, as explained above, uses the
term “other information” to refer to information that it covers but that is not transaction or
experience information. This proposal refers to “other information” using the more descriptive
term “opt out information.” See proposed paragraph (k).
Opt Out
Proposed paragraph (j) defines this term to mean a direction by a consumer that an
institution not communicate opt out information about the consumer to one or more of the
institution’s affiliates.
Opt Out Information
As described above, the 1996 Amendments to FCRA excluded from the definition of
“consumer report” the sharing of “other information” among affiliates, so long as the consumer,
having been given notice and an opportunity to opt out, did not opt out. “Other information”
refers to information that is covered by the FCRA and that is not a report containing information
solely as to transactions or experiences between the consumer and the person making the report.
The proposed regulation uses the term “opt out information” to describe this category of
information.
Proposed paragraph (k) defines opt out information as information that (i) bears on a
consumer’s credit worthiness, credit standing, credit capacity, character, general reputation,
personal characteristics, or mode of living, (ii) is used or expected to be used or collected for one
of the permissible purposes listed in FCRA (i.e., credit transaction, insurance underwriting,
2
Prior to the 1996 amendments to FCRA, affiliated entities could not pool their transaction or experience information
in a common database without being considered a consumer reporting agency. Instead, each affiliate could disclose its
own transaction or experience information to another affiliate directly only in the same manner as an entity can disclose
information to a nonaffiliated third party. While transaction or experience information has been excluded from the
definition of “consumer report” since the FCRA's initial passage, the 1996 amendments facilitated the disclosure of such
information among affiliates.
8
employment purposes), and (iii) is not solely transaction or experience information. Section
__.5(d) gives examples of categories of information that qualify as opt out information.
Section__.4 Communication of opt out information to affiliates
Proposed section __.4 describes the conditions that an institution must meet to ensure that
its communication of opt out information to its affiliates do not constitute consumer reports
including the requirement that the institution provide an opt out notice.
Section 603(d)(2)(A)(iii) of the FCRA excludes from the definition of “consumer report”
the sharing of opt out information among affiliates if:
it is clearly and conspicuously disclosed to the consumer that the
information may be communicated among such persons and the consumer
is given the opportunity, before the time that the information is initially
communicated, to direct that such information not be communicated among
such persons. . . .
Proposed section __.4 accordingly provides that opt out information may be
communicated among affiliates without the communication being a consumer report if: (i) the
institution has provided an opt out notice; (ii) the institution has given the consumer a reasonable
opportunity and means, before the time that it communicates the information, to opt out; and (iii)
the consumer has not opted out.
Mergers & Acquisitions
In a merger or acquisition situation, the need to provide new opt out notices to the
customers of the entity that ceases to exist will depend on whether the notices previously given to
those customers accurately reflect the policies and practices of the surviving entity. If they do, the
surviving entity will not be required under the rule to provide new notices.
Section __.5 Contents of opt out notice
Proposed paragraph (a) provides that an opt out notice must be clear and conspicuous,
and must accurately explain: (i) the categories of opt out information about the consumer that the
institution communicates; (ii) the categories of affiliates to which the institution communicates the
information; (iii) the consumer’s ability to opt out; and (iv) the means to do so. The Agencies
invite comment on whether financial institutions should also have to disclose in their FCRA
notices how long a consumer has to respond to the opt out notice before the institution may begin
disclosing information about that consumer to its affiliates, as well as the fact that a consumer can
opt out at any time. These disclosures are not required in the privacy regulations. The Agencies
seek comment on whether the benefits of the additional disclosures would outweigh the burdens,
and, if so, whether the regulation should require the disclosures to state that a financial institution
9
will wait 30 days in every instance before sharing consumer information with affiliates (see
proposed section __.6, below, for additional discussion on reasonable opportunity to opt out).
Proposed paragraph (b) clarifies that an institution’s notice may describe not only the
communications of opt out information that the institution currently plans to make to its affiliates,
but also the communications that it reserves the right to make in the future. Proposed paragraph
(c) explains that an institution may, but need not, provide the consumer with the option of an opt
out that covers only part of the information or certain affiliates. This would enable an institution
to give consumers a menu of opt out choices if it desires to do so.
Paragraph (d) explains how an institution can satisfy the requirement that it categorize the
opt out information that it communicates. Paragraph (d)(2) gives examples of categories of opt
out information, such as information from a consumer’s application, information from a consumer
report, information obtained by verifying representations made by a consumer, and information
provided by another person regarding that person’s relationship with a consumer. The first two
categories reflect the legislative history of the 1996 Amendments, which states in part that the opt
out provision “will clarify that affiliates within a Holding Company structure can share any
application information . . . and consumer reports, consistent with the FCRA.” S. Rep. No. 185,
104th Cong., 1st Sess. 18-19 (1995). The other two categories represent information that the
Agencies believe does not constitute transaction or experience information when communicated
by the institution that has received it. Paragraph (d)(3) gives a non-exclusive list of examples of
specific items of opt out information within each category, including a consumer’s income, credit
score or credit history, open lines of credit, employment history, marital status and medical
history.
Medical data are especially sensitive for many consumers; if such data are among the opt
out information that an institution communicates to its affiliates, the institution satisfies the
requirement to categorize that information only if it includes examples of medical data that it
intends to share. The Agencies note that the items listed in paragraph (d)(3) as examples of
information that would be included within the categories of opt out information are illustrative
only. Those items would not be considered opt out information in cases where the information is
obtained from a source other than those listed in paragraph (d)(2). Comment is requested as to
the appropriateness of these examples of categories and items of opt out information, and whether
additional or different examples should be used.
The descriptions of the categories of information set out in proposed paragraph (d)(2)
differ somewhat from those in section__.6(c)(2) of the privacy regulations. The agencies solicit
comment on the extent to which the categories in (d)(2) can be treated as consistent with similar
categories in the privacy regulations (such as disclosures of information from consumer reporting
agencies) in order to reduce compliance burden and consumer confusion.
10
Proposed paragraph (e) explains how an institution can satisfy the requirement that it
categorize the affiliates to which it communicates opt out information.
Paragraph (f) cross-references the sample notice in appendix A, which presents a further
illustration of the content of an opt out notice.
Section __.6 Reasonable opportunity to opt out
Proposed paragraph (a) of section __.6 states that financial institutions will provide a
reasonable opportunity to opt out by providing a reasonable period of time for the consumer to
opt out from the time that notice is delivered. Proposed paragraph (b) sets out examples of what
is a reasonable period of time when notices are provided in person, by mail, or by electronic
means. Comment is requested on whether there are other situations that would suggest a
different reasonable period of time that the Agencies should note by example. Proposed
paragraph (c) explains that a consumer may opt out at any time.
Section __ .7 Reasonable means of opting out
Proposed paragraph (a) sets forth the general rule that an institution provides a reasonable
means of opting out if it provides a reasonably convenient method to the consumer to opt out.
Examples of reasonable means of opting out and unreasonable means are set out in proposed
paragraphs (b) and (c), respectively. Proposed paragraph (d) permits an institution to require
each consumer to opt out through a specific means, as long as that means is reasonable for that
consumer.
Section __.8 Delivery of opt out notices
Proposed paragraph (a) provides that an institution must deliver an opt out notice so that
each consumer can reasonably be expected to receive actual notice. As indicated by the examples
provided in proposed paragraph (b), this is a lesser standard than actual notice. For instance, if an
institution mails a printed copy of its notice to the last known mailing address of an existing
customer, the institution has met its obligation even if the customer has changed addresses and
never receives the notice.
An institution may give notice in writing or, if the consumer agrees, electronically. For
example, the institution may e-mail its notice to a customer that conducts electronic transactions
and has agreed to receive electronic notice. The Agencies invite comment on whether and how
the proposed rules governing communications between a financial institution and a consumer via
11
an electronic medium should be modified in light of the Electronic Signatures in Global and
National Commerce Act (the E-Sign Act).3
Proposed paragraph (c) explains that oral notice alone does not comply with the notice
requirement; however, oral notice may be provided in conjunction with appropriate written or
electronic notice.
Proposed paragraph (d) explains that an institution must provide the notice so that the
consumer can retain it or obtain it at a later time, and gives examples of retention or accessibility.
Proposed paragraph (e) permits an institution to provide a joint opt out notice with one or
more of its affiliates that are identified in the notice, as long as the notice is accurate with respect
to each entity jointly issuing the notice.
Proposed paragraph (f)(1) sets out rules that apply, notwithstanding any other provision of
the regulations, when two or more consumers jointly obtain a product or service from an
institution (referred to in the proposed regulation as joint consumers), such as a joint checking
account. For example, an institution may provide a single opt out notice to joint accountholders.
The notice must indicate whether the institution will consider an opt out by a joint accountholder
as an opt out by all of the associated accountholders, or whether each accountholder may opt out
separately. The institution may not require all accountholders to opt out before honoring an opt
out direction by one of the joint accountholders. Paragraph (f)(2) gives examples of these rules.
Section __.9 Revised opt out notice
Proposed section __.9 addresses the situation in which an institution has provided a
consumer with one or more opt out notices but later decides to communicate opt out information
to its affiliates other than described in those notices. It explains that an institution must send a
revised opt out notice that complies with section __.4, including providing a reasonable means
and opportunity to opt out, and communicating the information only if the consumer has not
opted out.
Section __.10 Time by which opt out must be honored
Proposed section .10 explains that if an institution provides a consumer with an opt out
notice, and the consumer opts out, the institution must comply as soon as reasonably practicable
after receiving the consumer’s direction. Comment is solicited on whether the Agencies should
establish a fixed number of days -- for example, 30 days -- that would be deemed a “reasonably
3
Congress recently enacted the E-Sign Act, Pub. L. 106-229, which addresses the use of electronic records and
signatures for interstate and foreign commerce. This legislation contains general rules governing the use of electronic
records for providing required information to consumers (such as disclosures and acknowledgments required by the
GLBA). The legal requirement that consumer disclosures be in writing may be satisfied by an electronic record if the
consumer affirmatively consents and certain other requirements of the E-Sign Act are met.
12
practicable” period of time for complying with a consumer’s opt out direction.
Section __.11 Duration of opt out
Proposed section .11 provides that an opt out continues to apply to the information and
affiliates described in the applicable opt out notice until revoked by the consumer in writing, or if
the consumer agrees, electronically, as long as the consumer continues to have a relationship with
the institution. If the consumer’s relationship with the institution terminates, the opt out will
continue to apply to this information. However, a new notice and opportunity to opt out must be
provided if the consumer establishes a new relationship with the institution.
Section __.12 Prohibition against discrimination
Proposed paragraph (a) reminds institutions that they may not “discriminate against” a
consumer who is an “applicant” for credit because the applicant opts out. The source of this
prohibition is the Equal Credit Opportunity Act (ECOA; 15 U.S.C. 1691 et seq.), which bars
discrimination on a prohibited basis in any aspect of a credit transaction; one prohibited basis is
exercising a right under the Consumer Credit Protection Act, which includes the FCRA.
Proposed paragraph (b) provides examples of prohibited discrimination against an applicant.
Paragraph (c) notes that the terms “applicant” and “discriminate against” have the meaning
ascribed to these terms in 12 CFR part 202.
Appendix A
Appendix A, which is part of these regulations, contains a sample notice, part or all of
which may be used to facilitate compliance with the notice requirements. Although use of the
sample notice is not required, institutions using it properly to provide notices will be deemed to be
in compliance.
The Agencies solicit comment on all aspects of the proposed regulations, including but not
limited to those highlighted above.
III. FDIC’s Electronic Public Comment Site
The FDIC has included a page on its web site to facilitate the submission of electronic
comments in response to this general solicitation (the EPC site). The EPC site provides an
alternative to the written letter and may be a more convenient way for you to submit your
comments. Commenting through the EPC site will assist the FDIC to more accurately and
efficiently analyze comments submitted electronically. If you submit your comments through the
EPC site your comments will receive the same consideration that they would receive if submitted
in hard copy to the FDIC’s street address. Information provided through the EPC site will be
used by the FDIC only to assist in its analysis of the proposed regulation. The FDIC will not use
an individual’s name or any other personal identifier of an individual to retrieve records or
13
information submitted through the EPC site. Like comments submitted in hard copy to the
FDIC’s street address, EPC site comments will be made available in their entirety (including the
commenter’s name and address if the commenter chooses to provide them) for public inspection.
The EPC site will be available on the FDIC’s home page at http://www.fdic.gov. You will
be able to provide comments directly on any of the sections of the proposed regulation as well as
the specific questions that have been asked in the preceding Supplementary Information section.
You will also be able to view the regulation and Supplementary Information sections that related
to your comments directly on the site. Because the GLBA authorizes promulgation of this
regulation, the FDIC encourages you to provide written comments in the spaces provided.
Written comments enable the FDIC to thoughtfully consider possible changes to the proposed
regulation.
The FDIC is also interested in your feedback on the EPC site. We have provided a space
for you to comment on the site itself. Answers to this question will help the FDIC to evaluate the
EPC site for use in future rulemaking.
At the conclusion of the EPC site you will have an opportunity to provide us with your
name, indicate whether you are an individual, insured depository institution, financial holding
company, community-based organization, trade association, government agency, or other, and
provide the name of the organization you represent, if applicable. Whether you choose to
respond to these questions is entirely up to you. Any responses received may help the FDIC to
better understand the public comments it receives.
IV. Regulatory Analysis
Paperwork Reduction Act
The Agencies invite comment on: (1) whether the collections of information contained in
this notice of proposed rulemaking are necessary for the proper performance of each Agency's
functions, including whether the information has practical utility; (2) the accuracy of each
Agency's estimate of the burden of the proposed information collections; (3) ways to enhance the
quality, utility, and clarity of the information to be collected; (4) ways to minimize the burden of
the information collections on respondents, including the use of automated collection techniques
or other forms of information technology; and (5) estimates of capital or start-up costs and costs
of operation, maintenance, and purchases of services to provide information. No person is
required to respond to these collections of information unless the collections display a currently
valid Office of Management and Budget (OMB) control number. The Agencies are currently
requesting their respective control numbers for these information collections from OMB.
This proposed regulation contains disclosure requirements for certain financial institutions
and their affiliates. A financial institution that (a) has affiliates, (b) does not wish to be considered
a consumer reporting agency, and (c) wishes to share consumer information (other than
14
transaction and experience information) with its affiliates, must prepare and provide a notice to all
its consumers advising them of their opportunity to opt out of information sharing with companies
in the institution’s corporate family. 12 CFR __.4. If a financial institution wishes to share
information in a way that is inconsistent with notices previously given to consumers, the
institution must provide consumers with revised notices. 12 CFR __.11. The proposed
regulation also contains consumer reporting provisions. In order for consumers to opt out, they
must respond to the institution’s opt out notices. 12 CFR __.7. At any time during their
continued relationship with the institution, consumers have the right to change or update their opt
out status with the institution. 12 CFR __.10.
FCRA was amended to include disclosure and opt out provisions in 1996, but the
Agencies were prohibited from issuing implementing regulations until 1999. Thus, the collections
of information contained in this proposed rule are not new requirements. During the past three
years, financial institutions have developed systems, policies, and procedures to bring themselves
into compliance with the 1996 FCRA amendments. In estimating the burden associated with the
collections of information in this proposed regulation, the Agencies took into account the fact that
FCRA-related disclosure and opt out requirements have already become a usual and customary
practice for covered institutions. However, because the proposed rule is more explicit and
detailed than the statute, some institutions may need to revise their disclosure policies or their
notices, and consumers may need to respond to the revised notices. The burden associated with
these changes to current practice is represented in the estimates below. In estimating burden, the
Agencies also assumed that if a financial institution provides an opt out notice under the FCRA,
that notice must be included in certain notices mandated by the GLBA privacy provisions, and will
not be sent out separately. The collection of information requirements contained in this notice of
proposed rulemaking will be submitted to the Office of Management and Budget for review in
accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3507).
The estimated number of bank respondents includes the total institutions supervised by
each of the Agencies that have certain affiliate relationships. The requirements of the regulation
only apply to institutions that share opt out information with affiliates that do not wish to be
consumer reporting agencies; therefore, the Agencies cannot currently predict with certainty how
many of these institutions will be subject to the rule. The analysis assumes that all institutions
with certain affiliates will in fact, choose to share opt out information and thus be subject to the
rule.
The estimated number of consumers who will receive opt out notices is the sum of deposit
and loan consumers, and is derived from data in Board consumer studies. Each Agency’s share of
the total number of consumers is based on the share of total deposits, and consumer and mortgage
loans, held by institutions supervised by the Agencies. Because OTS
15
collects different information about consumer loans than the other Agencies, OTS estimated the
number of thrift borrowers by dividing total consumer loans outstanding by the average balance,
for different types of consumer loans. The analysis assumes that institutions will provide separate
opt out notices based on product lines such as loans and deposit accounts, rather than single,
combined notices covering all of the various relationships a consumer may have with the
institution. The Agencies seek comment as to whether institutions would likely send separate or
combined notices.
OCC: Comments on the collections of information should be sent to the Office of
Management and Budget, Paperwork Reduction Project (1557 -- to be assigned), Washington,
DC 20503, with copies to Jessie Dunaway, Legislative and Regulatory Activities Division (1557 - to be assigned), Office of the Comptroller of the Currency, 250 E Street, SW, Washington, DC
20219. The likely respondents are national banks that do not wish to be considered consumer
reporting agencies, but want to share information (other than transaction or experience
information) with their affiliates.
Estimated number of bank respondents: 737.
Estimated average annual burden hours per bank respondent: 8 hours.
Estimated number of consumer respondents: 94,238,000.
Estimated average annual burden hours per consumer respondent: 5 minutes.
Estimated total annual reporting burden: 7,855,921 hours.
The number of consumer respondents provided by the OCC represents a conservative
estimate based upon the total number of consumers who will receive an opt out notice. The OCC
is using these conservative estimates because it lacks more precise data on the number of
consumers who will exercise their opt out rights. The OCC expects that the actual number of
consumer respondents will be lower than the estimate provided above, and invites comment on
the number of consumers who will respond to the FCRA opt out notices.
Board: In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3506; 5
CFR 1320, appendix A.1), the Board reviewed the notice of proposed rulemaking under the
authority delegated to the Board by the OMB. Comments on the collections of information should
be sent to Mary M. West, Federal Reserve Board Clearance Officer, Mail Stop 97, Board of
Governors of the Federal Reserve System, Washington, DC 20551, with a copy to the Office of
Management and Budget, Paperwork Reduction Project (7100 -- to be assigned), Washington,
DC 20503. The likely respondents are member banks of the Federal Reserve System (other than
national banks), branches and agencies of foreign banks (other than Federal branches, Federal
agencies, and insured State branches of foreign banks), commercial lending companies owned or
controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal
Reserve Act, that do want to share information (other than transaction or experience information)
with their affiliates.
16
Estimated number of bank respondents: 996.
Estimated average annual burden hours per bank respondent: 8 hours.
Estimated number of consumer respondents: 39,251,000.
Estimated average annual burden hours per consumer respondent: five minutes.
Estimated total annual reporting burden: 3,278,885 hours.
FDIC: Comments on the collections of information should be sent to Steven F. Hanft,
Office of the Executive Secretary, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429, with a copy to the Office of Management and Budget, Paperwork
Reduction Project (3064--to be assigned), Washington, DC 20503. The likely respondents are
insured nonmember banks with affiliates, that do not wish to be considered consumer reporting
agencies, and do want to share information (other than transaction or experience information)
with their affiliates.
Estimated number of bank respondents: 1,640.
Estimated average annual burden hours per bank respondent: 8 hours.
Estimated number of consumer respondents: 24,445,000.
Estimated average annual burden hours per consumer respondent: five minutes.
Estimated total annual reporting burden: 2,049,389 hours.
OTS: Comments on the collection of information should be sent to the Dissemination
Branch (1550--to be assigned), Office of Thrift Supervision, 1700 G Street, NW, Washington,
DC 20552, with a copy to the Office of Management and Budget, Paperwork Reduction Project
(1550--to be assigned), Washington, DC 20503. The likely respondents are savings associations
with affiliates that do not wish to be considered consumer reporting agencies, and do want to
share information (other than transaction or experience information) with their affiliates, and
consumers.
Estimated number of thrift respondents: 762
Estimated average annual burden hours per thrift respondent: 8 hours.
Estimated number of consumer respondents: 49,925,225.
Estimated average annual burden hours per consumer respondent: .0833 hours (5
minutes).
Estimated total annual reporting burden: 4,164,867 hours.
Regulatory Flexibility Act
OCC: Pursuant to section 605(b) of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.),
the OCC certifies that this proposal will not have a significant economic impact on a substantial
number of small entities. Financial institutions have had to notify their consumers of the right to
opt out of affiliate sharing of certain information since 1997. This rulemaking provides guidance
to national banks concerning how they may comply with the statutory requirements, but requires
no new type of disclosure or opt out system. While existing forms may need to be modified, these
17
modifications are unlikely to result in a significant economic impact on a substantial number of
small entities.
In addition, some of the requirements in the proposed rule have been designed to
correspond to the requirements of the privacy regulations. For example, under both regulations,
financial institutions, in certain circumstances, must deliver notices to consumers and to provide
consumers an opportunity to opt out of certain information disclosures. This proposed rule
would allow financial institutions to combine into one notice the notice they must deliver under
FCRA and the notice that they must deliver under the privacy regulations. Also, institutions may
combine their consumers’ opt out responses into one opt out response. By combining the notices
they deliver and the opt out responses they process, financial institutions will not need to produce
additional notices or to process additional opt out responses under this rule. Because the
proposed rule is designed to minimize FCRA’s burden on financial institutions, and because the
FCRA requirements have been effective since 1997, the OCC believes that this proposed rule will
not have a significant economic impact on a substantial number of small entities. For these
reasons, a regulatory flexibility analysis is not required.
Board: Pursuant to section 605(b) of the Regulatory Flexibility Act (5 U.S.C. 601 et
seq.), the Board certifies that the proposed rule will not have a significant economic impact on a
substantial number of small entities. As further discussed below, the proposed rule implements
law that has been in effect for some time, corresponds as much as feasible to the requirements of
the Board’s Regulation P, would allow institutions to combine privacy and FCRA notices to
consumers, and would allow institutions to combine consumers’ responses to those notices.
Accordingly, a regulatory flexibility analysis is not required.
Since 1997, the FCRA has provided that the term “consumer report” does not include any
communication of other information (meaning information that is not transaction or experience
information) among persons related by common ownership or affiliated by corporate control, if it
is clearly and conspicuously disclosed to the consumer that the information may be communicated
among such persons and the consumer is given the opportunity, before the time that the
information is initially communicated, to direct that such information not be communicated among
such persons. The proposed regulations would implement this provision and would provide
guidance to certain Board-regulated institutions on how to comply, but would not substantively
change existing law. No new type of disclosure or opt-out system would be required. While
existing forms may need to be modified, these modifications are unlikely to result in a significant
economic impact on a substantial number of small entities.
Additionally, the proposed rule is designed to correspond as much as feasible to the
requirements of Regulation P, which governs the privacy of consumer financial information. Both
regulations implement statutory provisions for the delivery of information-sharing opt out notices
to consumers. The proposed rule would facilitate compliance by financial institutions with the
requirement to provide privacy notices and the use of opt out notices under the FCRA by
allowing the two notices to be combined in a single notice. Similarly, institutions would be
18
allowed to combine their consumers’ opt out responses in a single opt out response. By choosing
to combine the notices they deliver and the opt out responses they process, financial institutions
will not need to produce additional notices or to process additional opt out responses under this
rule. For these reasons, a regulatory flexibility analysis is not required.
FDIC: Pursuant to section 605(b) of the Regulatory Flexibility Act (5 U.S.C. 601 et
seq.), the FDIC certifies that the proposed rule will not have a significant economic impact on a
substantial number of small entities. This conclusion is based on the following facts. The FCRA
has required financial institutions to notify their consumers of the right to opt out of affiliate
sharing of certain information since 1997. However, prior to the GLBA, the Agencies had no
authority to issue rules to provide financial institutions with guidance to comply with the FCRA
requirements. This proposed rulemaking does not substantively change the existing statutory
requirements, but rather provides guidance to financial institutions that should minimize any
burden associated with complying with the subject FCRA information sharing provisions. This
proposal requires no new type of disclosure or opt out system. While existing forms may need to
be modified, these modifications are unlikely to result in a significant economic impact on a
substantial number of small entities. The Agencies have attempted to minimize any such
economic impact by including a sample notice, part or all of which may be used to facilitate
compliance with the notice requirements.
Further, this proposed rule is designed to be consistent with the requirements of the
regulation governing the privacy of consumer financial information. Both rules implement
statutory requirements for financial institutions, in certain circumstances, to deliver notices to
consumers and to provide consumers an opportunity to opt out of certain information disclosures.
The Agencies have made the FCRA notice guidance parallel to the privacy rule requirements, thus
facilitating the delivery of a single notice to consumers. Similarly, institutions may combine their
consumers’ opt out responses into one opt out response. By combining the notices they deliver
and the opt out responses they process, financial institutions will not need to produce additional
notices or to process additional opt out responses under this rule.
For the above reasons, the FDIC believes that this proposed rule will not have a significant
economic impact on a substantial number of small entities, and a regulatory flexibility analysis is
not required.
OTS: Pursuant to section 603(b) of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.),
the Director of OTS certifies that this proposed rulemaking would not have a significant economic
impact on a substantial number of small entities. The FCRA has required thrifts to notify their
consumers of the right to opt out of affiliate sharing of certain information since 1997. However,
prior to GLBA, OTS did not have authority to issue rules to provide thrifts with guidance to
comply with the FCRA. This proposed rulemaking does not substantively change or add to the
existing statutory requirements. It merely provides thrifts with guidance to help minimize any
burden associated with complying with the FCRA information sharing provisions. This proposal
requires no new type of disclosure or opt out system. While existing forms may need to be
19
modified, these modifications are unlikely to result in a significant economic impact on a
substantial number of small entities. The Agencies have attempted to minimize any such
economic impact by including a sample notice, part or all of which thrifts may use to facilitate the
notice requirements.
Further, this proposed rule is designed to be consistent with the requirements of the
regulation governing the privacy of consumer financial information, 12 CFR part 573. Both rules
implement statutory requirements for financial institutions, in certain circumstances, to deliver
notices to consumers and to provide consumers an opportunity to opt out of certain information
disclosures. The Agencies have made the FCRA notice guidance parallel to the privacy rule
requirements, thus facilitating the delivery of a single notice to consumers. Similarly, institutions
may combine a consumer’s opt out responses into one opt out response. By combining the
notices they deliver and the opt out responses they process, financial institutions will not need to
produce additional notices or to process additional opt out responses under this rule. For these
reasons, a regulatory flexibility analysis is not required.
OCC and OTS Executive Order 12866 Determination
The OCC and OTS each has determined that its portion of the proposed rulemaking is not
a significant regulatory action under Executive Order 12866.
OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1532 (Unfunded
Mandates Act) requires that an agency prepare a budgetary impact statement before promulgating
a rule that includes a Federal mandate that may result in expenditure by State, local, and tribal
governments, in the aggregate, or by the private sector, of $100 million or more in any one year.
If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also
requires an agency to identify and consider a reasonable number of regulatory alternatives before
promulgating a rule. The OCC and OTS each has determined that this proposed rule will not
result in expenditures by State, local, and tribal governments, or by the private sector, of $100
million or more. Accordingly, neither the OCC nor the OTS has prepared a budgetary impact
statement or specifically addressed the regulatory alternatives considered.
V. Solicitation of Comments on Use of Plain Language
Section 722 of the GLBA requires the Federal banking agencies to use plain language in
all proposed and final rules published after January 1, 2000. We invite your comments on how to
make this proposed rule easier to understand. For example:
•
Have we organized the material to suit your needs? If not, how could this material
be better organized?
•
Are the requirements in the rule clearly stated? If not, how could the rule be more
clearly stated?
20
•
Do the regulations contain technical language or jargon that is not clear? If so,
which language requires clarification?
•
Would a different format (grouping and order of sections, use of headings,
paragraphing) make the regulation easier to understand? If so, what changes to the format would
make the regulation easier to understand?
•
Would more, but shorter, sections be better? If so, which sections should be
changed?
•
What else could we do to make the regulation easier to understand?
The Agencies solicit comment on whether the inclusion of examples in the regulation is
appropriate. Elevating the fact patterns to safe harbors in the rule may generate certain problems
over time. For example, changes in technology or practices may ultimately impact the fact
patterns contained in the examples and require changes to the regulation. Are there alternative
methods to offer illustrative guidance of the concepts portrayed by the examples?
List of subjects
12 CFR Part 41
Banks, banking, Credit, National banks, Reporting and recordkeeping requirements.
12 CFR Part 222
Banks, banking, Credit, Federal Reserve System, Reporting and recordkeeping
requirements, State member banks.
12 CFR Part 334
Banks, banking, Credit, Reporting and recordkeeping requirements.
12 CFR Part 571
Credit, Privacy, Reporting and recordkeeping requirements, Savings associations.
Office of the Comptroller of the Currency
12 CFR Chapter I
Authority and Issuance
For the reasons set forth in the joint preamble, the OCC proposes to amend chapter I of
title 12 of the Code of Federal Regulations by adding a new part 41 to read as follows:
21
PART 41 -- FAIR CREDIT REPORTING
Sec.
41.1 Purpose and scope.
41.2 Examples.
41.3 Definitions.
41.4 Communication of opt out information to affiliates.
41.5 Contents of opt out notice.
41.6 Reasonable opportunity to opt out.
41.7 Reasonable means of opting out.
41.8 Delivery of opt out notices.
41.9 Revised opt out notice.
41.10 Time by which opt out must be honored.
41.11 Duration of opt out.
41.12 Prohibition against discrimination.
Appendix A to Part 41 -- Sample Notice
Authority: 12 U.S.C. 93a; 15 U.S.C. 1681s.
§ 41.1 Purpose and scope.
(a) Purpose. This part governs the collection, communication, and use, by the institutions
listed in paragraph (b)(2) of this section, of certain information bearing on a consumer’s credit
worthiness, credit standing, credit capacity, character, general reputation, personal characteristics,
or mode of living.
(b) Scope. (1) Information covered. This part applies to information that is used or
expected to be used or collected in whole or in part for the purpose of serving as a factor in
establishing a consumer's eligibility for credit, insurance, employment, or any other purpose
authorized under section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b).
(2) Institutions covered. This part applies to national banks, and Federal branches and
Federal agencies of foreign banks (collectively referred to as "bank").
(3) Relation to other laws. Nothing in this part modifies, limits, or supersedes the
standards governing the privacy of individually identifiable health information promulgated by the
Secretary of Health and Human Services under the authority of sections 262 and 264 of the
Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).
§ 41.2 Examples.
The examples used in this part and the sample notice in appendix A to this part are not
exclusive. Compliance with an example or use of the sample notice, to the extent applicable,
constitutes compliance with this part.
22
§ 41.3 Definitions.
As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(b) Affiliate. (1) In general. The term means any company that is related or affiliated by
common ownership, or affiliated by corporate control or common corporate control, with another
company.
(2) Related or affiliated by common ownership or affiliated by corporate control or
common corporate control. This means controlling, controlled by, or under common control
with, another company.
(c) Clear and conspicuous. (1) In general. The term means that a notice is reasonably
understandable and is designed to call attention to the nature and significance of the information it
contains.
(2) Examples. (i) Reasonably understandable. A bank makes its notice reasonably
understandable if it:
(A) Presents the information in the notice in clear and concise sentences, paragraphs, and
sections;
(B) Uses short explanatory sentences or bullet lists whenever possible;
(C) Uses definite, concrete, everyday words and active voice whenever possible;
(D) Avoids multiple negatives;
(E) Avoids legal and highly technical business terminology whenever possible; and
(F) Avoids explanations that are imprecise and are readily subject to different
interpretations.
(ii) Designed to call attention. A bank designs its notice to call attention to the nature and
significance of the information it contains if it:
(A) Uses a plain-language heading to call attention to the notice;
(B) Uses a typeface and type size that are easy to read;
(C) Provides wide margins and ample line spacing;
(D) Uses boldface or italics for key words; and
(E) In a form that combines the bank's notice with other information, uses distinctive type
sizes, styles, and graphic devices, such as shading or sidebars.
(iii) Notice on a web page. If a bank provides a notice on a web page, the bank designs
its notice to call attention to the nature and significance of the information it contains if the bank:
(A) Places either the notice, or a link that connects directly to the notice and that is
labeled appropriately to convey the importance, nature, and relevance of the notice, on a page that
consumers access often, such as a page on which transactions are conducted;
(B) Uses text or visual cues to encourage scrolling down the page if necessary to view the
entire notice; and
(C) Ensures that other elements on the web page (such as text, graphics, links, or sound)
do not detract attention from the notice.
23
(d) Communication includes written, oral, and electronic communication; provided that
the term includes electronic communication to a consumer only if the consumer agrees to receive
the communication electronically.
(e) Company means any corporation, limited liability company, business trust, general or
limited partnership, association, or similar organization.
(f) Consumer means an individual.
(g) Consumer report. (1) In general. The term means any written, oral, or other
communication of any information by a consumer reporting agency bearing on a consumer’s
credit worthiness, credit standing, credit capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected to be used or collected in whole or in
part for the purpose of serving as a factor in establishing the consumer’s eligibility for:
(i) Credit or insurance to be used primarily for personal, family, or household purposes;
(ii) Employment purposes; or
(iii) Any other purpose authorized under section 604 of the Act (15 U.S.C. 1681b).
(2) Exclusions. The term does not include:
(i) Any report containing information solely as to transactions or experiences between the
consumer and the person making the report;
(ii) Any communication of that information among affiliates;
(iii) Any communication among affiliates of opt out information if the conditions in §§
41.4 through 41.9 are satisfied;
(iv) Any authorization or approval of a specific extension of credit directly or indirectly
by the issuer of a credit card or similar device;
(v) Any report in which a person who has been requested by a third party to make a
specific extension of credit directly or indirectly to a consumer conveys his or her decision with
respect to such request, if the third party advises the consumer of the name and address of the
person to whom the request was made, and the person makes the disclosures to the consumer
required under section 615 of the Act (15 U.S.C. 1681m); or
(vi) A communication described in section 603(o) of the Act (15 U.S.C. 1681a(o)).
(h) Consumer reporting agency means any person which, for monetary fees, dues or on a
cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or
evaluating consumer credit information or other information on consumers for the purpose of
furnishing consumer reports to third parties, and which uses any means or facility of interstate
commerce for the purpose of preparing or furnishing consumer reports.
(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of
any class of voting security of the company, directly or indirectly, or acting through one or more
other persons;
(2) Control in any manner over the election of a majority of the directors, trustees, or
24
general partners (or individuals exercising similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling influence over the
management or policies of the company, as the Office of the Comptroller of the Currency
determines.
(j) Opt out means a direction by a consumer that a bank not communicate opt out
information about the consumer to one or more of its affiliates.
(k) Opt out information means information that:
(1) Bears on a consumer’s credit worthiness, credit standing, credit capacity, character,
general reputation, personal characteristics, or mode of living;
(2) Is used or expected to be used or collected in whole or in part to serve as a factor in
establishing the consumer’s eligibility for credit or another purpose listed in section 604 of the Act
(15 U.S.C. 1681b); and
(3) Is not a report containing information solely as to transactions or experiences between
the consumer and the person reporting or communicating the information.
(l) Person means any individual, partnership, corporation, trust, estate, cooperative,
association, government or governmental subdivision or agency, or other entity.
§ 41.4 Communication of opt out information to affiliates.
A bank's communication to its affiliates of opt out information about a consumer is not a
consumer report if:
(a) The bank has provided the consumer with an opt out notice;
(b) The bank has given the consumer a reasonable opportunity and means, before the
bank communicates the information to its affiliates, to opt out; and
(c) The consumer has not opted out.
§ 41.5 Contents of opt out notice.
(a) In general. An opt out notice must be clear and conspicuous, and must accurately
explain:
(1) The categories of opt out information about the consumer that a bank communicates
to its affiliates;
(2) The categories of affiliates to which the bank communicates the information;
(3) The consumer's ability to opt out; and
(4) A reasonable means for the consumer to opt out.
(b) Future communications. A bank's notice may describe:
25
(1) Categories of opt out information about the consumer that the bank reserves the right
to communicate to its affiliates in the future but does not currently communicate; and
(2) Categories of affiliates to which the bank reserves the right in the future to
communicate, but to which the bank does not currently communicate, opt out information about
the consumer.
(c) Partial opt out. A bank may allow a consumer to select certain opt out information or
certain affiliates, with respect to which the consumer wishes to opt out.
(d) Examples of categories of information that a bank communicates. (1) A bank satisfies
the requirement to categorize the opt out information that it communicates if the bank lists the
categories in paragraph (d)(2) of this section, as applicable, and a few examples to illustrate the
types of information in each category. These examples may include those in paragraph (d)(3) of
this section, if applicable.
(2) Categories of opt out information may include information:
(i) From a consumer’s application;
(ii) From a consumer credit report;
(iii) Obtained by verifying representations made by a consumer; or
(iv) Provided by another person regarding its employment, credit, or other relationship
with a consumer.
(3) Examples of information within a category listed in paragraph (d)(2) of this section
include a consumer’s:
(i) Income;
(ii) Credit score or credit history with others;
(iii) Open lines of credit with others;
(iv) Employment history with others;
(v) Marital status; and
(vi) Medical history.
(4) A bank does not satisfy the requirement if it communicates or reserves the right to
communicate individually identifiable health information (as described in section 1171(6)(B) of
the Social Security Act (42 U.S.C. 1320d(6)(B)) but omits illustrative examples of this
information.
(e) Examples of categories of affiliates. (1) A bank satisfies the requirement to
categorize the affiliates to which it communicates opt out information if it lists the categories in
paragraph (e)(2) of this section, as applicable, and a few examples to illustrate the types of
affiliates in each category.
(2) Categories of affiliates may include:
(i) Financial service providers; and
(ii) Non-financial companies.
(f) Sample notice. A sample notice is included in appendix A to this part.
26
§ 41.6 Reasonable opportunity to opt out.
(a) In general. A bank provides a reasonable opportunity to opt out if it provides a
reasonable period of time following the delivery of the opt out notice for the consumer to opt out.
(b) Examples of reasonable period of time: (1) In person. A bank hand-delivers an opt
out notice to the consumer and provides at least 30 days from the date it delivered the notice.
(2) By mail. A bank mails an opt out notice to a consumer and provides at least 30 days
from the date it mailed the notice.
(3) By electronic means. A bank notifies the consumer electronically, and it provides at
least 30 days after the date that the consumer acknowledges receipt of the electronic notice.
(c) Continuing opportunity to opt out. A consumer may opt out at any time.
§ 41.7 Reasonable means of opting out.
(a) General rule. A bank provides a consumer with a reasonable means of opting out if it
provides a reasonably convenient method to opt out.
(b) Reasonably convenient methods. Examples of reasonably convenient methods
include:
(1) Designating check-off boxes in a prominent position on the relevant forms included
with the opt out notice;
(2) Including a reply form together with the opt out notice;
(3) Providing an electronic means to opt out, such as a form that can be electronically
mailed or a process at the bank's web site, if the consumer agrees to the electronic delivery of
information; or
(4) Providing a toll-free telephone number that consumers may call to opt out.
(c) Methods not reasonably convenient. Examples of methods that are not reasonably
convenient include:
(1) Requiring a consumer to write his or her own letter to a bank; or
(2) Referring in a revised notice to a check-off box that a bank included with a previous
notice but that the bank does not include with the revised notice.
(d) Requiring specific means of opting out. A bank may require each consumer to opt
out through a specific means, as long as that means is reasonable for that consumer.
27
§ 41.8 Delivery of opt out notices.
(a) In general. A bank must deliver an opt out notice so that each consumer can
reasonably be expected to receive actual notice in writing or, if the consumer agrees,
electronically.
(b) Examples of expectation of actual notice. (1) A bank may reasonably expect that a
consumer will receive actual notice if it:
(i) Hand-delivers a printed copy of the notice to the consumer;
(ii) Mails a printed copy of the notice to the last known mailing address of the consumer;
or
(iii) For the consumer who conducts transactions electronically, posts the notice on its
electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step
to obtaining a particular product or service;
(2) A bank may not reasonably expect that a consumer will receive actual notice if it:
(i) Only posts a sign in its branch or office or generally publishes advertisements
presenting its notice; or
(ii) Sends the notice via electronic mail to a consumer who does not obtain a product or
service from the bank electronically.
(c) Oral description insufficient. A bank may not provide an opt out notice solely by
orally explaining the notice, either in person or over the telephone.
(d) Retention or accessibility. (1) In general. A bank must provide an opt out notice so
that it can be retained or obtained at a later time by the consumer in writing or, if the consumer
agrees, electronically.
(2) Examples of retention or accessibility. A bank provides the notice so that it can be
retained or obtained at a later time if the bank:
(i) Hand-delivers a printed copy of the notice to the consumer;
(ii) Mails a printed copy of the notice to the last known address of the consumer upon
request of the consumer; or
(iii) Makes the bank's current notice available on a web site (or a link to another web site)
for the consumer who obtains a product or service electronically and who agrees to receive the
notice at the web site.
(e) Joint notice with affiliates. A bank may provide a joint notice with one or more
affiliates as long as the notice identifies each person providing it and is accurate with respect to
each.
(f) Joint relationships. (1) In general. Notwithstanding any other provision in this part, if
two or more consumers jointly obtain a product or service from a bank (joint consumers), the
following rules apply:
28
(i) The bank may provide a single notice to all of the joint consumers.
(ii) Any of the joint consumers has the opportunity to opt out.
(iii) The bank may treat an opt out direction by a joint consumer either as:
(A) Applying to all of the joint consumers; or
(B) Applying to that particular joint consumer.
(iv) The bank must explain in its opt out notice which of the two policies set forth in
paragraph (f)(1)(iii) of this section it will follow.
(v) If the bank follows the policy set forth in paragraph (f)(1)(iii)(B) of this section, by
treating the opt out of a joint consumer as applying to that particular joint consumer, the bank
must also permit:
(A) A joint consumer to opt out on behalf of other joint consumers; and
(B) One or more joint consumers to notify the bank of their opt out directions in a single
response.
(vi) A bank may not require all joint consumers to opt out before it implements any opt
out direction.
(vii) If a bank receives an opt out by a particular joint consumer that does not apply to the
others, the bank may disclose information about the others as long as no information is disclosed
about the consumer who opted out.
(2) Example. If consumers A and B, who have different addresses, have a joint checking
account with a bank and arrange for the bank to send statements to A’s address, the bank may do
any of the following, but it must explain in its opt out notice which opt out policy the bank will
follow. The bank may send a single opt out notice to A’s address and:
(i) Treat an opt out direction by A as applying to the entire account. If the bank does so
and A opts out, the bank may not require B to opt out as well before implementing A’s opt out
direction.
(ii) Treat A’s opt out direction as applying to A only. If the bank does so, it must also
permit:
(A) A and B to opt out for each other; and
(B) A and B to notify the bank of their opt out directions in a single response (such as on
a single form) if they choose to give separate opt out directions.
(iii) If A opts out only for A, and B does not opt out, the bank may disclose opt out
information only about B, and not about A and B jointly.
§ 41.9 Revised opt out notice.
If a bank has provided a consumer with one or more opt out notices and plans to
communicate opt out information to its affiliates about the consumer other than as described in
those notices, the bank must provide the consumer with a revised opt out notice that complies
with §§ 41.4 through 41.8.
29
§ 41.10 Time by which opt out must be honored.
If a bank provides a consumer with an opt out notice and the consumer opts out, the bank
must comply with the opt out as soon as reasonably practicable after the bank receives it.
§ 41.11 Duration of opt out.
An opt out remains effective until revoked by the consumer in writing or electronically, as
long as the consumer continues to have a relationship with the bank. If the consumer’s
relationship with the bank terminates, the opt out will continue to apply to this information.
However, a new notice and opportunity to opt out must be provided if the consumer establishes a
new relationship with the bank.
§ 41.12 Prohibition against discrimination.
(a) In general. If a consumer is an applicant for credit, a bank must not discriminate
against the consumer if the consumer opts out of the bank’s communication of opt out
information to it affiliates.
(b) Examples of discrimination against an applicant. A bank discriminates against an
applicant if it:
(1) Denies the applicant credit because the applicant opts out;
(2) Varies the terms of credit adversely to the applicant such as by providing less
favorable pricing terms to an applicant who opts out; or
(3) Applies more stringent credit underwriting standards to the applicant because the
applicant opts out.
(c) Regulation B. The terms “applicant” and “discriminate against” in § 41 .12 have the
same meanings ascribed to them in 12 CFR part 202.
APPENDIX A to Part 41--SAMPLE NOTICE
This appendix contains a sample notice to facilitate compliance with the notice
requirements of this part. An institution may use applicable disclosures in this sample to provide
notices required by this part.
30
NOTICE OF YOUR OPPORTUNITY TO OPT OUT
OF INFORMATION SHARING WITH COMPANIES
IN OUR CORPORATE FAMILY
Information we can share with our corporate family about you -- unless you
tell us not to
C
C
C
C
C
C
What Information: Unless you tell us not to, [Financial Institution] may share with
companies in our corporate family information about you including:
information we obtain from your application, such as [provide illustrative examples, such
as “your income” or “your marital status”];
information we obtain from a consumer report, such as [provide illustrative examples,
such as “your credit score or credit history”];
information we obtain to verify representations made by you, such as [provide illustrative
examples, such as “your open lines of credit”]; and
information we obtain from a person regarding its employment, credit, or other
relationship with you, such as [provide illustrative examples, such as “your employment
history”].
Shared With Whom: Companies in our corporate family who may receive this information
are:
financial service providers, such as [provide illustrative examples, such as “mortgage
bankers, broker-dealers, and insurance agents”]; and
non-financial companies, such as [provide illustrative examples, such as “retailers, direct
marketers, airlines, and publishers”].
How to tell us not to share this information with our corporate family
If you prefer that we not share this information with companies in our corporate family, you
may direct us not to share this information by doing the following [insert one or more of the
reasonable means of opting out listed below1]: [call us toll free at {insert toll free number}];
or [visit our web site at {insert web site address} and {provide further instructions how to
use the web site option}]; or [e-mail us at {insert the e-mail address}]; or [fill out and tear
off the bottom of this sheet and mail to the following address: {insert address}]; or [check
the appropriate box on the attached form {attach form} and mail to the following address:
{insert address}].
1
If the financial institution is using its web site or an e-mail address as the only method by which a consumer may opt
out, the consumer must agree to the electronic delivery of information.
31
Note: Your direction in this paragraph covers certain information about you that we might
otherwise share with our corporate family. We may share other information about you with our
corporate family as permitted by law.
Dated: September 22, 2000
John D. Hawke, Jr.,
Comptroller of the Currency.
32
Federal Reserve System
12 CFR Chapter II
Authority and Issuance
For the reasons set forth in the joint preamble, chapter II of title 12 of the Code of Federal
Regulations is proposed to be amended by adding a new part 222 to read as follows:
PART 222 — FAIR CREDIT REPORTING (REGULATION V)
222.1 Purpose and scope.
222.2 Examples.
222.3 Definitions.
222.4 Communication of opt out information to affiliates.
222.5 Contents of opt out notice.
222.6 Reasonable opportunity to opt out.
222.7 Reasonable means of opting out.
222.8 Delivery of opt out notices.
222.9 Revised opt out notice.
222.10 Time by which opt out must be honored.
222.11 Duration of opt out.
222.12 Prohibition against discrimination.
Appendix A to Part 222 — Sample Notice
Authority: 15 U.S.C. 1681s.
§ 222.1 Purpose and scope.
(a) Purpose. This part governs the collection, communication, and use, by the institutions
listed in paragraph (b)(2) of this section, of certain information bearing on a consumer’s credit
worthiness, credit standing, credit capacity, character, general reputation, personal characteristics,
or mode of living.
(b) Scope. (1) Information covered. This part applies to information that is used or
expected to be used or collected in whole or in part for the purpose of serving as a factor in
establishing a consumer’s eligibility for credit, insurance, employment, or any other purpose
authorized under section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b).
(2) Institutions covered. This part applies to member banks of the Federal Reserve
System (other than national banks), branches and agencies of foreign banks (other than Federal
branches, Federal agencies, and insured State branches of foreign banks), commercial lending
33
companies owned or controlled by foreign banks, and organizations operating under section 25 or
25A of the Federal Reserve Act (12 U.S.C. 601-604a, 611-631).
(3) Relation to other laws. Nothing in this part modifies, limits, or supersedes the
standards governing the privacy of individually identifiable health information promulgated by the
Secretary of Health and Human Services under the authority of sections 262 and 264 of the
Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).
§ 222.2 Examples.
The examples used in this part and the sample notice in appendix A to this part are not
exclusive. Compliance with an example or use of the sample notice, to the extent applicable,
constitutes compliance with this part.
§ 222.3 Definitions.
As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(b) Affiliate. (1) In general. The term means any company that is related or affiliated by
common ownership, or affiliated by corporate control or common corporate control, with another
company.
(2) Related or affiliated by common ownership or affiliated by corporate control or
common corporate control. This means controlling, controlled by, or under common control
with, another company.
(c) Clear and conspicuous. (1) In general. The term means that a notice is reasonably
understandable and is designed to call attention to the nature and significance of the information it
contains.
(2) Examples. (i) Reasonably understandable. You make your notice reasonably
understandable if you:
(A) Present the information in the notice in clear and concise sentences, paragraphs, and
sections;
(B) Use short explanatory sentences or bullet lists whenever possible;
(C) Use definite, concrete, everyday words and active voice whenever possible;
(D) Avoid multiple negatives;
(E) Avoid legal and highly technical business terminology whenever possible; and
(F) Avoid explanations that are imprecise and are readily subject to different
interpretations.
(ii) Designed to call attention. You design your notice to call attention to the nature and
significance of the information it contains if you:
(A) Use a plain-language heading to call attention to the notice;
34
(B) Use a typeface and type size that are easy to read;
(C) Provide wide margins and ample line spacing;
(D) Use boldface or italics for key words; and
(E) In a form that combines your notice with other information, use distinctive type sizes,
styles, and graphic devices, such as shading or sidebars.
(iii) Notice on a web page. If you provide a notice on a web page, you design your notice
to call attention to the nature and significance of the information it contains if you:
(A) Place either the notice, or a link that connects directly to the notice and that is labeled
appropriately to convey the importance, nature, and relevance of the notice, on a page that
consumers access often, such as a page on which transactions are conducted;
(B) Use text or visual cues to encourage scrolling down the page if necessary to view the
entire notice; and
(C) Ensure that other elements on the web page (such as text, graphics, links, or sound)
do not detract attention from the notice.
(d) Communication includes written, oral, and electronic communication; provided that
the term includes electronic communication to a consumer only if the consumer agrees to receive
the communication electronically.
(e) Company means any corporation, limited liability company, business trust, general or
limited partnership, association, or similar organization.
(f) Consumer means an individual.
(g) Consumer report. (1) In general. The term means any written, oral, or other
communication of any information by a consumer reporting agency bearing on a consumer’s
credit worthiness, credit standing, credit capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected to be used or collected in whole or in
part for the purpose of serving as a factor in establishing the consumer’s eligibility for:
(i) Credit or insurance to be used primarily for personal, family, or household purposes;
(ii) Employment purposes; or
(iii) Any other purpose authorized under section 604 of the Act (15 U.S.C. 1681b).
(2) Exclusions. The term does not include:
(i) Any report containing information solely as to transactions or experiences between the
consumer and the person making the report;
(ii) Any communication of that information among affiliates;
(iii) Any communication among affiliates of opt out information if the conditions in §§
222.4 through 222.9 are satisfied;
(iv) Any authorization or approval of a specific extension of credit directly or indirectly
by the issuer of a credit card or similar device;
(v) Any report in which a person who has been requested by a third party to make a
specific extension of credit directly or indirectly to a consumer conveys his or her decision with
respect to such request, if the third party advises the consumer of the name and address of the
35
person to whom the request was made, and the person makes the disclosures to the consumer
required under section 615 of the Act (15 U.S.C. 1681m); or
(vi) A communication described in section 603(o) of the Act (15 U.S.C. 1681a(o)).
(h) Consumer reporting agency means any person which, for monetary fees, dues or on a
cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or
evaluating consumer credit information or other information on consumers for the purpose of
furnishing consumer reports to third parties, and which uses any means or facility of interstate
commerce for the purpose of preparing or furnishing consumer reports.
(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of
any class of voting security of the company, directly or indirectly, or acting through one or more
other persons;
(2) Control in any manner over the election of a majority of the directors, trustees, or
general partners (or individuals exercising similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling influence over the
management or policies of the company, as the Board determines.
(j) Opt out means a direction by a consumer that you not communicate opt out
information about the consumer to one or more of your affiliates.
(k) Opt out information means information that:
(1) Bears on a consumer’s credit worthiness, credit standing, credit capacity, character,
general reputation, personal characteristics, or mode of living;
(2) Is used or expected to be used or collected in whole or in part to serve as a factor in
establishing the consumer’s eligibility for credit or another purpose listed in section 604 of the Act
(15 U.S.C. 1681b); and
(3) Is not a report containing information solely as to transactions or experiences between
the consumer and the person reporting or communicating the information.
(l) Person means any individual, partnership, corporation, trust, estate, cooperative,
association, government or governmental subdivision or agency, or other entity.
(m) You means a member bank of the Federal Reserve System (other than a national
bank), a branch or agency of a foreign bank (other than a Federal branch, Federal agency, or
insured State branch of a foreign bank), a commercial lending company owned or controlled by a
foreign bank, or an organization operating under section 25 or 25A of the Federal Reserve Act
(12 U.S.C. 601-604a, 611-631).
36
§ 222.4 Communication of opt out information to affiliates.
Your communication to your affiliates of opt out information about a consumer is not a
consumer report if:
(a) You have provided the consumer with an opt out notice;
(b) You have given the consumer a reasonable opportunity and means, before you
communicate the information to your affiliates, to opt out; and
(c) The consumer has not opted out.
§ 222.5 Contents of opt out notice.
(a) In general. An opt out notice must be clear and conspicuous, and must accurately
explain:
(1) The categories of opt out information about the consumer that you communicate to
your affiliates;
(2) The categories of affiliates to which you communicate the information;
(3) The consumer’s ability to opt out; and
(4) A reasonable means for the consumer to opt out.
(b) Future communications. Your notice may describe:
(1) Categories of opt out information about the consumer that you reserve the right to
communicate to your affiliates in the future but do not currently communicate; and
(2) Categories of affiliates to which you reserve the right in the future to communicate,
but to which you do not currently communicate, opt out information about the consumer.
(c) Partial opt out. You may allow a consumer to select certain opt out information or
certain affiliates, with respect to which the consumer wishes to opt out.
(d) Examples of categories of information that you communicate. (1) You satisfy the
requirement to categorize the opt out information that you communicate if you list the categories
in paragraph (d)(2) of this section, as applicable, and a few examples to illustrate the types of
information in each category. These examples may include those in paragraph (d)(3) of this
section, if applicable.
(2) Categories of opt out information may include information:
(i) From a consumer’s application;
(ii) From a consumer credit report;
(iii) Obtained by verifying representations made by a consumer; or
(iv) Provided by another person regarding its employment, credit, or other relationship
with a consumer.
37
(3) Examples of information within a category listed in paragraph (d)(2) of this section
include a consumer’s:
(i) Income;
(ii) Credit score or credit history with others;
(iii) Open lines of credit with others;
(iv) Employment history with others;
(v) Marital status; and
(vi) Medical history.
(4) You do not satisfy the requirement if you communicate or reserve the right to
communicate individually identifiable health information (as described in section 1171(6)(B) of
the Social Security Act (42 U.S.C. 1320d(6)(B)) but omit illustrative examples of this
information.
(e) Examples of categories of affiliates. (1) You satisfy the requirement to categorize the
affiliates to which you communicate opt out information if you list the categories in paragraph
(e)(2) of this section, as applicable, and a few examples to illustrate the types of affiliates in each
category.
(2) Categories of affiliates may include:
(i) Financial service providers; and
(ii) Non-financial companies.
(f) Sample notice. A sample notice is included in appendix A to this part.
§ 222.6 Reasonable opportunity to opt out.
(a) In general. You provide a reasonable opportunity to opt out if you provide a
reasonable period of time following the delivery of the opt out notice for the consumer to opt out.
(b) Examples of reasonable period of time: (1) In person. You hand-deliver an opt out
notice to the consumer and provide at least 30 days from the date you delivered the notice.
(2) By mail. You mail an opt out notice to a consumer and provide at least 30 days from
the date you mailed the notice.
(3) By electronic means. You notify the consumer electronically, and you provide at least
30 days after the date that the consumer acknowledges receipt of the electronic notice.
(c) Continuing opportunity to opt out. A consumer may opt out at any time.
§ 222.7 Reasonable means of opting out.
(a) General rule. You provide a consumer with a reasonable means of opting out if you
provide a reasonably convenient method to opt out.
(b) Reasonably convenient methods. Examples of reasonably convenient methods
38
include:
(1) Designating check-off boxes in a prominent position on the relevant forms included
with the opt out notice;
(2) Including a reply form together with the opt out notice;
(3) Providing an electronic means to opt out, such as a form that can be electronically
mailed or a process at your web site, if the consumer agrees to the electronic delivery of
information; or
(4) Providing a toll-free telephone number that consumers may call to opt out.
(c) Methods not reasonably convenient. Examples of methods that are not reasonably
convenient include:
(1) Requiring a consumer to write his or her own letter to you; or
(2) Referring in a revised notice to a check-off box that you included with a previous
notice but that you do not include with the revised notice.
(d) Requiring specific means of opting out. You may require each consumer to opt out
through a specific means, as long as that means is reasonable for that consumer.
§ 222.8 Delivery of opt out notices.
(a) In general. You must deliver an opt out notice so that each consumer can reasonably
be expected to receive actual notice in writing or, if the consumer agrees, electronically.
(b) Examples of expectation of actual notice. (1) You may reasonably expect that a
consumer will receive actual notice if you:
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known mailing address of the consumer;
or
(iii) For the consumer who conducts transactions electronically, post the notice on your
electronic site and require the consumer to acknowledge receipt of the notice as a necessary step
to obtaining a particular product or service;
(2) You may not reasonably expect that a consumer will receive actual notice if you:
(i) Only post a sign in your branch or office or generally publish advertisements
presenting your notice; or
(ii) Send the notice via electronic mail to a consumer who does not obtain a product or
service from you electronically.
(c) Oral description insufficient. You may not provide an opt out notice solely by orally
explaining the notice, either in person or over the telephone.
39
(d) Retention or accessibility. (1) In general. You must provide an opt out notice so
that it can be retained or obtained at a later time by the consumer in writing or, if the consumer
agrees, electronically.
(2) Examples of retention or accessibility. You provide the notice so that it can be
retained or obtained at a later time if you:
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known address of the consumer upon
request of the consumer; or
(iii) Make your current notice available on a web site (or a link to another web site) for
the consumer who obtains a product or service electronically and who agrees to receive the notice
at the web site.
(e) Joint notice with affiliates. You may provide a joint notice with one or more affiliates
as long as the notice identifies each person providing it and is accurate with respect to each.
(f) Joint relationships. (1) In general. Notwithstanding any other provision in this part, if
two or more consumers jointly obtain a product or service from you (joint consumers), the
following rules apply:
(i) You may provide a single notice to all of the joint consumers.
(ii) Any of the joint consumers has the opportunity to opt out.
(iii) You may treat an opt out direction by a joint consumer either as:
(A) Applying to all of the joint consumers; or
(B) Applying to that particular joint consumer.
(iv) You must explain in your opt out notice which of the two policies set forth in
paragraph (f)(1)(iii) of this section you will follow.
(v) If you follow the policy set forth in paragraph (f)(1)(iii)(B) of this section, by treating
the opt out of a joint consumer as applying to that particular joint consumer, you must also
permit:
(A) A joint consumer to opt out on behalf of other joint consumers; and
(B) One or more joint consumers to notify you of their opt out directions in a single
response.
(vi) You may not require all joint consumers to opt out before you implement any opt out
direction.
(vii) If you receive an opt out by a particular joint consumer that does not apply to the
others, you may disclose information about the others as long as no information is disclosed about
the consumer who opted out.
(2) Example. If consumers A and B, who have different addresses, have a joint checking
account with you and arrange for you to send statements to A’s address, you may do any of the
following, but you must explain in your opt out notice which opt out policy you will follow. You
may send a single opt out notice to A’s address and:
(i) Treat an opt out direction by A as applying to the entire account. If you do so and A
opts out, you may not require B to opt out as well before implementing A’s opt out direction.
(ii) Treat A’s opt out direction as applying to A only. If you do so, you must also permit:
40
(A) A and B to opt out for each other; and
(B) A and B to notify you of their opt out directions in a single response (such as on a
single form) if they choose to give separate opt out directions.
(iii) If A opts out only for A, and B does not opt out, you may disclose opt out
information only about B, and not about A and B jointly.
§ 222.9 Revised opt out notice.
If you have provided a consumer with one or more opt out notices and plan to
communicate opt out information to your affiliates about the consumer other than as described
inthose notices, you must provide the consumer with a revised opt out notice that complies with
§§ 222.4 through 222.8.
§ 222.10 Time by which opt out must be honored.
If you provide a consumer with an opt out notice and the consumer opts out, you must
comply with the opt out as soon as reasonably practicable after you receive it.
§ 222.11 Duration of opt out.
An opt out remains effective until revoked by the consumer in writing or electronically, as
long as the consumer continues to have a relationship with you. If the consumer’s relationship
with you terminates, the opt out will continue to apply to this information. However, a new
notice and opportunity to opt out must be provided if the consumer establishes a new relationship
with you.
§ 222.12 Prohibition against discrimination.
(a) In general. If a consumer is an applicant for credit, you must not discriminate against
the consumer if the consumer opts out of your communication of opt out information to your
affiliates.
(b) Examples of discrimination against an applicant. You discriminate against an
applicant if you:
(1) Deny the applicant credit because the applicant opts out;
(2) Vary the terms of credit adversely to the applicant such as by providing less favorable
pricing terms to an applicant who opts out; or
(3) Apply more stringent credit underwriting standards to the applicant because the
applicant opts out.
41
(c) Regulation B. The terms “applicant” and “discriminate against” in § 222.12 have the
same meanings ascribed to them in 12 CFR part 202.
APPENDIX A to Part 222--SAMPLE NOTICE
This appendix contains a sample notice to facilitate compliance with the notice
requirements of this part. An institution may use applicable disclosures in this sample to provide
notices required by this part.
NOTICE OF YOUR OPPORTUNITY TO OPT OUT
OF INFORMATION SHARING WITH COMPANIES
IN OUR CORPORATE FAMILY
Information we can share with our corporate family about you -- unless you
tell us not to
C
C
C
C
C
C
What Information: Unless you tell us not to, [Financial Institution] may share with
companies in our corporate family information about you including:
information we obtain from your application, such as [provide illustrative examples, such
as “your income” or “your marital status”];
information we obtain from a consumer report, such as [provide illustrative examples,
such as “your credit score or credit history”];
information we obtain to verify representations made by you, such as [provide illustrative
examples, such as “your open lines of credit”]; and
information we obtain from a person regarding its employment, credit, or other
relationship with you, such as [provide illustrative examples, such as “your employment
history”].
Shared With Whom: Companies in our corporate family who may receive this information
are:
financial service providers, such as [provide illustrative examples, such as “mortgage
bankers, broker-dealers, and insurance agents”]; and
non-financial companies, such as [provide illustrative examples, such as “retailers, direct
marketers, airlines, and publishers”].
How to tell us not to share this information with our corporate family
If you prefer that we not share this information with companies in our corporate family, you
may direct us not to share this information by doing the following [insert one or more of the
42
reasonable means of opting out listed below1]: [call us toll free at {insert toll free number}];
or [visit our web site at {insert web site address} and {provide further instructions how to
use the web site option}]; or [e-mail us at {insert the e-mail address}]; or [fill out and tear
off the bottom of this sheet and mail to the following address: {insert address}]; or [check
the appropriate box on the attached form {attach form} and mail to the following address:
{insert address}].
Note: Your direction in this paragraph covers certain information about you that we might
otherwise share with our corporate family. We may share other information about you with our
corporate family as permitted by law.
By order of the Board of Governors of the Federal Reserve System, October 11, 2000.
Jennifer J. Johnson,
Secretary of the Board.
1
If the financial institution is using its web site or an e-mail address as the only method by which a consumer may opt
out, the consumer must agree to the electronic delivery of information.
43
Federal Deposit Insurance Corporation
12 CFR Chapter III
Authority and Issuance
For the reasons set out in the joint preamble, chapter III of title 12 of the Code of Federal
Regulations is proposed to be amended by adding a new part 334 to read as follows:
PART 334--FAIR CREDIT REPORTING
334.1 Purpose and scope.
334.2 Examples.
334.3 Definitions.
334.4 Communication of opt out information to affiliates.
334.5 Contents of opt out notice.
334.6 Reasonable opportunity to opt out.
334.7 Reasonable means of opting out.
334.8 Delivery of opt out notices.
334.9 Revised opt out notice.
334.10 Time by which opt out must be honored.
334.11 Duration of opt out.
334.12 Prohibition against discrimination.
Appendix A to Part 222 -- Sample Notice
Authority: 15 U.S.C. 1681s; 12 U.S.C. 1819(a)(Tenth).
§ 334.1 Purpose and scope.
(a) Purpose. This part governs the collection, communication, and use, by the institutions
listed in paragraph (b)(2) of this section, of certain information bearing on a consumer’s credit
worthiness, credit standing, credit capacity, character, general reputation, personal characteristics,
or mode of living.
(b) Scope. (1) Information covered. This part applies to information that is used or
expected to be used or collected in whole or in part for the purpose of serving as a factor in
establishing a consumer's eligibility for credit, insurance, employment, or any other purpose
authorized under section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b).
(2) Institutions covered. This part applies to banks insured by the FDIC (other than
members of the Federal Reserve System) and insured state branches of foreign banks.
(3) Relation to other laws. Nothing in this part modifies, limits, or supersedes the
standards governing the privacy of individually identifiable health information promulgated by the
44
Secretary of Health and Human Services under the authority of sections 262 and 264 of the
Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).
§ 334.2 Examples.
The examples used in this part and the sample notice in appendix A to this part are not
exclusive. Compliance with an example or use of the sample notice, to the extent applicable,
constitutes compliance with this part.
§ 334.3 Definitions.
As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(b) Affiliate. (1) In general. The term means any company that is related or affiliated by
common ownership, or affiliated by corporate control or common corporate control, with another
company.
(2) Related or affiliated by common ownership or affiliated by corporate control or
common corporate control. This means controlling, controlled by, or under common control
with, another company.
(c) Clear and conspicuous. (1) In general. The term means that a notice is reasonably
understandable and is designed to call attention to the nature and significance of the information it
contains.
(2) Examples. (i) Reasonably understandable. You make your notice reasonably
understandable if you:
(A) Present the information in the notice in clear and concise sentences, paragraphs, and
sections;
(B) Use short explanatory sentences or bullet lists whenever possible;
(C) Use definite, concrete, everyday words and active voice whenever possible;
(D) Avoid multiple negatives;
(E) Avoid legal and highly technical business terminology whenever possible; and
(F) Avoid explanations that are imprecise and are readily subject to different
interpretations.
(ii) Designed to call attention. You design your notice to call attention to the nature and
significance of the information it contains if you:
(A) Use a plain-language heading to call attention to the notice;
(B) Use a typeface and type size that are easy to read;
(C) Provide wide margins and ample line spacing;
(D) Use boldface or italics for key words; and
(E) In a form that combines your notice with other information, use distinctive type sizes,
styles, and graphic devices, such as shading or sidebars.
45
(iii) Notice on a web page. If you provide a notice on a web page, you design your notice
to call attention to the nature and significance of the information it contains if:
(A) You place either the notice, or a link that connects directly to the notice and that is
labeled appropriately to convey the importance, nature, and relevance of the notice, on a page that
consumers access often, such as a page on which transactions are conducted;
(B) You use text or visual cues to encourage scrolling down the page if necessary to view
the entire notice; and
(C) You ensure that other elements on the web page (such as text, graphics, links, or
sound) do not detract attention from the notice.
(d) Communication includes written, oral, and electronic communication; provided that
the term includes electronic communication to a consumer only if the consumer agrees to receive
the communication electronically.
(e) Company means any corporation, limited liability company, business trust, general or
limited partnership, association, or similar organization.
(f) Consumer means an individual.
(g) Consumer report. (1) In general. The term means any written, oral, or other
communication of any information by a consumer reporting agency bearing on a consumer’s
credit worthiness, credit standing, credit capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected to be used or collected in whole or in
part for the purpose of serving as a factor in establishing the consumer’s eligibility for:
(i) Credit or insurance to be used primarily for personal, family, or household purposes;
(ii) Employment purposes; or
(iii) Any other purpose authorized under section 604 of the Act (15 U.S.C. 1681b).
(2) Exclusions. The term does not include:
(i) Any report containing information solely as to transactions or experiences between the
consumer and the person making the report;
(ii) Any communication of that information among affiliates;
(iii) Any communication among affiliates of opt out information if the conditions in §§
334.4 through 334.9 are satisfied;
(iv) Any authorization or approval of a specific extension of credit directly or indirectly
by the issuer of a credit card or similar device;
(v) Any report in which a person who has been requested by a third party to make a
specific extension of credit directly or indirectly to a consumer conveys his or her decision with
respect to such request, if the third party advises the consumer of the name and address of the
person to whom the request was made, and the person makes the disclosures to the consumer
required under section 615 of the Act (15 U.S.C. 1681m); or
(vi) A communication described in section 603(o) of the Act (15 U.S.C. 1681a(o)).
(h) Consumer reporting agency means any person which, for monetary fees, dues or on a
46
cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or
evaluating consumer credit information or other information on consumers for the purpose of
furnishing consumer reports to third parties, and which uses any means or facility of interstate
commerce for the purpose of preparing or furnishing consumer reports.
(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of
any class of voting security of the company, directly or indirectly, or acting through one or more
other persons;
(2) Control in any manner over the election of a majority of the directors, trustees, or
general partners (or individuals exercising similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling influence over the
management or policies of the company, as the FDIC determines.
(j) Opt out means a direction by a consumer that you not communicate opt out
information about the consumer to one or more of your affiliates.
(k) Opt out information means information that:
(1) Bears on a consumer’s credit worthiness, credit standing, credit capacity, character,
general reputation, personal characteristics, or mode of living;
(2) Is used or expected to be used or collected in whole or in part to serve as a factor in
establishing the consumer’s eligibility for credit or another purpose listed in section 604 of the Act
(15 U.S.C. 1681b); and
(3) Is not a report containing information solely as to transactions or experiences between
the consumer and the person reporting or communicating the information.
(l) Person means any individual, partnership, corporation, trust, estate, cooperative,
association, government or governmental subdivision or agency, or other entity.
(m) You means banks insured by the FDIC (other than members of the Federal Reserve
System) and insured state branches of foreign banks.
§ 334.4 Communication of opt out information to affiliates.
Your communication to your affiliates of opt out information about a consumer is not a
consumer report if:
(a) You have provided the consumer with an opt out notice;
(b) You have given the consumer a reasonable opportunity and means, before you
communicate the information to your affiliates, to opt out; and
(c) The consumer has not opted out.
47
§ 334.5 Contents of opt out notice.
(a) In general. An opt out notice must be clear and conspicuous, and must accurately
explain:
(1) The categories of opt out information about the consumer that you communicate to
your affiliates;
(2) The categories of affiliates to which you communicate the information;
(3) The consumer's ability to opt out; and
(4) A reasonable means for the consumer to opt out.
(b) Future communications. Your notice may describe:
(1) Categories of opt out information about the consumer that you reserve the right to
communicate to your affiliates in the future but do not currently communicate; and
(2) Categories of affiliates to which you reserve the right in the future to communicate,
but to which you do not currently communicate, opt out information about the consumer.
(c) Partial opt out. You may allow a consumer to select certain opt out information or
certain affiliates, with respect to which the consumer wishes to opt out.
(d) Examples of categories of information that you communicate. (1) You satisfy the
requirement to categorize the opt out information that you communicate if you list the categories
in paragraph (d)(2) of this section, as applicable, and a few examples to illustrate the types of
information in each category. These examples may include those in paragraph (d)(3) of this
section, if applicable.
(2) Categories of opt out information may include information:
(i) From a consumer’s application;
(ii) From a consumer credit report;
(iii) Obtained by verifying representations made by a consumer; and
(iv) Provided by another person regarding its employment, credit, or other relationship
with a consumer.
(3) Examples of information within a category listed in paragraph (d)(2) of this section
include a consumer’s:
(i) Income;
(ii) Credit score or credit history with others;
(iii) Open lines of credit with others;
(iv) Employment history with others;
(v) Marital status; and
(vi) Medical history.
(4) You do not satisfy the requirement if you communicate or reserve the right to
communicate individually identifiable health information (as described in section 1171(6)(B) of
the Social Security Act (42 U.S.C. 1320d(6)(B)) but omit illustrative examples of this
information.
48
(e) Examples of categories of affiliates. (1) You satisfy the requirement to categorize the
affiliates to which you communicate opt out information if you list the categories in paragraph
(e)(2) of this section, as applicable, and a few examples to illustrate the types of affiliates in each
category.
(2) Categories of affiliates may include:
(i) Financial service providers; and
(ii) Non-financial companies.
(f) Sample notice. A sample notice is included in appendix A to this part.
§ 334.6 Reasonable opportunity to opt out.
(a) In general. You provide a reasonable opportunity to opt out if you provide a
reasonable period of time following the delivery of the opt out notice for the consumer to opt out.
(b) Examples of reasonable period of time: (1) In person. You hand-deliver an opt out
notice to the consumer and provide at least 30 days from the date you delivered the notice.
(2) By mail. You mail an opt out notice to a consumer and provide at least 30 days from
the date you mailed the notice.
(3) By electronic means. You notify the consumer electronically, and you provide at
least 30 days after the date that the consumer acknowledges receipt of the electronic notice.
(c) Continuing opportunity to opt out. A consumer may opt out at any time.
§ 334.7 Reasonable means of opting out.
(a) General rule. You provide a consumer with a reasonable means of opting out if you
provide a reasonably convenient method to opt out.
(b) Reasonably convenient methods. Examples of reasonably convenient methods include:
(1) Designating check-off boxes in a prominent position on the relevant forms included
with the opt out notice;
(2) Including a reply form together with the opt out notice;
(3) Providing an electronic means to opt out, such as a form that can be electronically
mailed or a process at your web site, if the consumer agrees to the electronic delivery of
information; or
(4) Providing a toll-free telephone number that consumers may call to opt out.
(c) Methods not reasonably convenient. Examples of methods that are not reasonably
convenient include:
(1) Requiring a consumer to write his or her own letter to you; or
49
(2) Referring in a revised notice to a check-off box that you included with a previous
notice but that you do not include with the revised notice.
(d) Requiring specific means of opting out. You may require each consumer to opt out
through a specific means, as long as that means is reasonable for that consumer.
§ 334.8 Delivery of opt out notices.
(a) In general. You must deliver an opt out notice so that each consumer can reasonably
be expected to receive actual notice in writing or, if the consumer agrees, electronically.
(b) Examples of expectation of actual notice. (1) You may reasonably expect that a
consumer will receive actual notice if you:
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known mailing address of the consumer;
or
(iii) For the consumer who conducts transactions electronically, post the notice on your
electronic site and require the consumer to acknowledge receipt of the notice as a necessary step
to obtaining a particular product or service;
(2) You may not reasonably expect that a consumer will receive actual notice if you:
(i) Only post a sign in your branch or office or generally publish advertisements
presenting your notice; or
(ii) Send the notice via electronic mail to a consumer who does not obtain a product or
service from you electronically.
(c) Oral description insufficient. You may not provide an opt out notice solely by orally
explaining the notice, either in person or over the telephone.
(d) Retention or accessibility. (1) In general. You must provide an opt out notice so that
it can be retained or obtained at a later time by the consumer in writing or, if the consumer
agrees, electronically.
(2) Examples of retention or accessibility. You provide the notice so that it can be
retained or obtained at a later time if you:
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known address of the consumer upon
request of the consumer; or
(iii) Make your current notice available on a web site (or a link to another web site) for
the consumer who obtains a product or service electronically and who agrees to receive the
notice at the web site.
(e) Joint notice with affiliates. You may provide a joint notice with one or more affiliates
as long as the notice identifies each person providing it and is accurate with respect to each.
50
(f) Joint relationships. (1) In general. Notwithstanding any other provision in this part, if
two or more consumers jointly obtain a product or service from you (joint consumers), the
following rules apply:
(i) You may provide a single notice to all of the joint consumers.
(ii) Any of the joint consumers has the opportunity to opt out.
(iii) You may treat an opt out direction by a joint consumer either as:
(A) Applying to all of the joint consumers; or
(B) Applying to that particular joint consumer.
(iv) You must explain in your opt out notice which of the two policies set forth in
paragraph (f)(1)(iii) of this section you will follow.
(v) If you follow the policy set forth in paragraph (f)(1)(iii)(B) of this section, by treating
the opt out of a joint consumer as applying to that particular joint consumer, you must also
permit:
(A) A joint consumer to opt out on behalf of other joint consumers; and
(B) One or more joint consumers to notify you of their opt out directions in a single
response.
(vi) You may not require all joint consumers to opt out before you implement any opt
out direction.
(vii) If you receive an opt out by a particular joint consumer that does not apply to the
others, you may disclose information about the others as long as no information is disclosed about
the consumer who opted out.
(2) Example. If consumers A and B, who have different addresses, have a joint checking
account with you and arrange for you to send statements to A’s address, you may do any of the
following, but you must explain in your opt out notice which opt out policy you will follow. You
may send a single opt out notice to A’s address and:
(i) Treat an opt out direction by A as applying to the entire account. If you do so and A
opts out, you may not require B to opt out as well before implementing A’s opt out direction.
(ii) Treat A’s opt out direction as applying to A only. If you do so, you must also permit:
(A) A and B to opt out for each other; and
(B) A and B to notify you of their opt out directions in a single response (such as on a
single form) if they choose to give separate opt out directions.
(iii) If A opts out only for A, and B does not opt out, you may disclose opt out
information only about B, and not about A and B jointly.
§ 334.9 Revised opt out notice.
If you have provided a consumer with one or more opt out notices and plan to
communicate opt out information to your affiliates about the consumer, other than as described in
those notices, you must provide the consumer with a revised opt out notice that complies with §§
334.4 through 334.8.
51
§ 334.10 Time by which opt out must be honored.
If you provide a consumer with an opt out notice and the consumer opts out, you must
comply with the opt out as soon as reasonably practicable after you receive it.
§ 334.11 Duration of opt out.
An opt out remains effective until revoked by the consumer in writing or electronically, as
long as the consumer continues to have a relationship with the institution. If the consumer’s
relationship with the institution terminates, the opt out will continue to apply to this information.
However, a new notice and opportunity to opt out must be provided if the consumer establishes a
new relationship with the institution.
§ 334.12 Prohibition against discrimination.
(a) In general. If a consumer is an applicant for credit, you must not discriminate against
the consumer if the consumer opts out of the your communication of opt out information to your
affiliates.
(b) Examples of discrimination against an applicant. You discriminate against an
applicant if you:
(1) Deny the applicant credit because the applicant opts out;
(2) Vary the terms of credit adversely to the applicant such as by providing less favorable
pricing terms to an applicant who opts out; or
(3) Apply more stringent credit underwriting standards to the applicant because the
applicant opts out.
(c) Regulation B. The terms “applicant” and “discriminate against” in § 334.12 have the
same meanings ascribed to them in 12 CFR part 202.
APPENDIX A to Part 334 --SAMPLE NOTICE
This appendix contains a sample notice to facilitate compliance with the notice
requirements of this part. An institution may use applicable disclosures in this sample to provide
notices required by this part.
52
NOTICE OF YOUR OPPORTUNITY TO OPT OUT
OF INFORMATION SHARING WITH COMPANIES
IN OUR CORPORATE FAMILY
Information we can share with our corporate family about you -- unless you
tell us not to
C
C
C
C
C
C
What Information: Unless you tell us not to, [Financial Institution] may share with
companies in our corporate family information about you including:
information we obtain from your application, such as [provide illustrative examples, such
as “your income” or “your marital status”];
information we obtain from a consumer report, such as [provide illustrative examples,
such as “your credit score or credit history”];
information we obtain to verify representations made by you, such as [provide illustrative
examples, such as “your open lines of credit”]; and
information we obtain from a person regarding its employment, credit, or other
relationship with you, such as [provide illustrative examples, such as “your employment
history”].
Shared With Whom: Companies in our corporate family who may receive this information
are:
financial service providers, such as [provide illustrative examples, such as “mortgage
bankers, broker-dealers, and insurance agents”]; and
non-financial companies, such as [provide illustrative examples, such as “retailers, direct
marketers, airlines, and publishers”].
How to tell us not to share this information with our corporate family
If you prefer that we not share this information with companies in our corporate family, you
may direct us not to share this information by doing the following [insert one or more of the
reasonable means of opting out listed below1]: [call us toll free at {insert toll free number}];
or [visit our web site at {insert web site address} and {provide further instructions how to
use the web site option}]; or [e-mail us at {insert the e-mail address}]; or [fill out and tear
off the bottom of this sheet and mail to the following address: {insert address}]; or [check
the appropriate box on the attached form {attach form} and mail to the following address:
{insert address}].
1
If the financial institution is using its web site or an e-mail address as the only method by which a consumer may opt
out, the consumer must agree to the electronic delivery of information.
53
Note: Your direction in this paragraph covers certain information about you that we might
otherwise share with our corporate family. We may share other information about you with our
corporate family as permitted by law.
By order of the Board of Directors, Federal Deposit Insurance Corporation.
Dated at Washington, D.C., this 25th day of September, 2000.
Robert E. Feldman,
Executive Secretary.
54
Office of Thrift Supervision
12 CFR Chapter V
Authority and Issuance
For the reasons set out in the joint preamble, OTS proposes to amend chapter V of title 12
of the Code of Federal Regulations by adding a new part 571 to read as follows:
PART 571--FAIR CREDIT REPORTING
Sec.
571.1 Purpose and scope.
571.2 Examples.
571.3 Definitions.
571.4 Communication of opt out information to affiliates.
571.5 Content of opt out notice.
571.6 Reasonable opportunity to opt out.
571.7 Reasonable means of opting out.
571.8 Delivery of opt out notice.
571.9 Revised opt out notice.
571.10 Time by which opt out must be honored.
571.11 Duration of opt out.
571.12 Prohibition against discrimination.
Appendix A to Part 571 -- Sample Notice
Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828; 15 U.S.C. 1681s.
§ 571.1 Purpose and scope.
(a) Purpose. This part governs the collection, communication, and use, by the institutions
listed in paragraph (b)(2) of this section, of certain information bearing on a consumer’s credit
worthiness, credit standing, credit capacity, character, general reputation, personal characteristics,
or mode of living.
(b) Scope. (1) Information covered. This part applies to information that is used or
expected to be used or collected in whole or in part for the purpose of serving as a factor in
establishing a consumer's eligibility for credit, insurance, employment, or any other purpose
authorized under section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b).
(2) Institutions covered. This part applies to savings associations whose deposits are
insured by the Federal Deposit Insurance Corporation.
55
(3) Relation to other laws. Nothing in this part modifies, limits, or supersedes the
standards governing the privacy of individually identifiable health information promulgated by the
Secretary of Health and Human Services under the authority of sections 262 and 264 of the
Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).
§ 571.2 Examples.
The examples used in this part and the model form in appendix A to this part are not
exclusive. Compliance with an example or use of the sample notice, to the extent applicable,
constitutes compliance with this part.
§ 571.3 Definitions.
As used in this part, unless the context requires otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(b) Affiliate. (1) In general. The term means any company that is related or affiliated by
common ownership, or affiliated by corporate control or common corporate control, with another
company.
(2) Related or affiliated by common ownership or affiliated by corporate control or
common corporate control. This means controlling, controlled by, or under common control
with, another company.
(c) Clear and conspicuous. (1) In general. The term means that a notice is reasonably
understandable and is designed to call attention to the nature and significance of the information it
contains.
(2) Examples. (i) Reasonably understandable. You make your notice reasonably
understandable if you:
(A) Present the information in the notice in clear and concise sentences, paragraphs, and
sections;
(B) Use short explanatory sentences or bullet lists whenever possible;
(C) Use definite, concrete, everyday words and active voice whenever possible;
(D) Avoid multiple negatives;
(E) Avoid legal and highly technical business terminology whenever possible; and
(F) Avoid explanations that are imprecise and are readily subject to different
interpretations.
(ii) Designed to call attention. You design your notice to call attention to the nature and
significance of the information it contains if you:
(A) Use a plain-language heading to call attention to the notice;
(B) Use a typeface and type size that are easy to read;
(C) Provide wide margins and ample line spacing;
(D) Use boldface or italics for key words; and
56
(E) In a form that combines your notice with other information, use distinctive type sizes,
styles, and graphic devices, such as shading or sidebars.
(iii) Notice on a web page. If you provide a notice on a web page, you design your notice
to call attention to the nature and significance of the information it contains if:
(A) You place either the notice, or a link that connects directly to the notice and that is
labeled appropriately to convey the importance, nature, and relevance of the notice, on a page that
consumers access often, such as a page on which transactions are conducted;
(B) You use text or visual cues to encourage scrolling down the page if necessary to view
the entire notice; and
(C) You ensure that other elements on the web page (such as text, graphics, links, or
sound) do not detract attention from the notice.
(d) Communication includes written, oral, and electronic communication; provided that
the term includes electronic communication to a consumer only if the consumer agrees to receive
the communication electronically.
(e) Company means any corporation, limited liability company, business trust, general or
limited partnership, association, or similar organization.
(f) Consumer means an individual.
(g) Consumer report. (1) In general. The term means any written, oral, or other
communication of any information by a consumer reporting agency bearing on a consumer’s
credit worthiness, credit standing, credit capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected to be used or collected in whole or in
part for the purpose of serving as a factor in establishing the consumer’s eligibility for:
(i) Credit or insurance to be used primarily for personal, family, or household purposes;
(ii) Employment purposes; or
(iii) Any other purpose authorized under section 604 of the Act (15 U.S.C. 1681b).
(2) Exclusions. The term does not include:
(i) Any report containing information solely as to transactions or experiences between the
consumer and the person making the report;
(ii) Any communication of that information among affiliates;
(iii) Any communication among affiliates of opt out information if the conditions in §§
571.4 through 571.9 are satisfied;
(iv) Any authorization or approval of a specific extension of credit directly or indirectly
by the issuer of a credit card or similar device;
(v) Any report in which a person who has been requested by a third party to make a
specific extension of credit directly or indirectly to a consumer conveys his or her decision with
respect to such request, if the third party advises the consumer of the name and address of the
person to whom the request was made, and the person makes the disclosures to the consumer
required under section 615 of the Act (15 U.S.C. 1681m); or
(vi) A communication described in section 603(o) of the Act (15 U.S.C. 1681a(o)).
57
(h) Consumer reporting agency means any person which, for monetary fees, dues or on a
cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or
evaluating consumer credit information or other information on consumers for the purpose of
furnishing consumer reports to third parties, and which uses any means or facility of interstate
commerce for the purpose of preparing or furnishing consumer reports.
(i) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of
any class of voting security of the company, directly or indirectly, or acting through one or more
other persons;
(2) Control in any manner over the election of a majority of the directors, trustees, or
general partners (or individuals exercising similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling influence over the
management or policies of the company, as OTS determines.
(j) Opt out means a direction by a consumer that you not communicate opt out
information about the consumer to one or more of your affiliates.
(k) Opt out information means information that:
(1) Bears on a consumer’s credit worthiness, credit standing, credit capacity, character,
general reputation, personal characteristics, or mode of living;
(2) Is used or expected to be used or collected in whole or in part to serve as a factor in
establishing the consumer’s eligibility for credit or another purpose listed in section 604 of the Act
(15 U.S.C. 1681b); and
(3) Is not a report containing information solely as to transactions or experiences between
the consumer and the person reporting or communicating the information.
(l) Person means any individual, partnership, corporation, trust, estate, cooperative,
association, government or governmental subdivision or agency, or other entity.
(m) You means savings associations whose deposits are insured by the Federal Deposit
Insurance Corporation.
§ 571.4 Communication of opt out information to affiliates.
Your communication to your affiliates of opt out information about a consumer is not a
consumer report if:
(a) You have provided the consumer with an opt out notice;
(b) You have given the consumer a reasonable opportunity and means, before you
communicate the information to your affiliates, to opt out; and
(c) The consumer has not opted out.
58
§ 571.5 Content of opt out notice.
(a) In general. An opt out notice must be clear and conspicuous, and must accurately
explain:
(1) The categories of opt out information about the consumer that you communicate to
your affiliates;
(2) The categories of affiliates to which you communicate the information;
(3) The consumer's ability to opt out; and
(4) A reasonable means for the consumer to opt out.
(b) Future communications. Your notice may describe:
(1) Categories of opt out information about the consumer that you reserve the right to
communicate to your affiliates in the future but do not currently communicate; and
(2) Categories of affiliates to which you reserve the right in the future to communicate,
but to which you do not currently communicate, opt out information about the consumer.
(c) Partial opt out. You may allow a consumer to select certain opt out information or
certain affiliates, with respect to which the consumer wishes to opt out.
(d) Examples of categories of information that you communicate. (1) You satisfy the
requirement to categorize the opt out information that you communicate if you list the categories
in paragraph (d)(2) of this section, as applicable, and a few examples to illustrate the types of
information in each category. These examples may include those in paragraph (d)(3)of this
section, if applicable.
(2) Categories of opt out information may include information:
(i) From a consumer’s application;
(ii) From a consumer credit report;
(iii) Obtained by verifying representations made by a consumer; or
(iv) Provided by another person regarding its employment, credit, or other relationship
with a consumer.
(3) Examples of information within a category listed in paragraph (d)(2) of this section
include a consumer’s:
(i) Income;
(ii) Credit score or credit history with others;
(iii) Open lines of credit with others;
(iv) Employment history with others;
(v) Marital status; and
(vi) Medical history.
(4) You do not satisfy the requirement if you communicate or reserve the right to
communicate individually identifiable health information (as described in section 1171(6)(B) of
the Social Security Act (42 U.S.C. 1320d(6)(B)) but omit illustrative examples of this
information.
59
(e) Examples of categories of affiliates. (1) You satisfy the requirement to categorize the
affiliates to which you communicate opt out information if you list the categories in paragraph
(e)(2) of this section, as applicable, and a few examples to illustrate the types of affiliates in each
category.
(2) Categories of affiliates may include:
(i) Financial service providers; and
(ii) Non-financial companies.
(f) Sample notice. A sample notice is included in appendix A to this part.
§ 571. 6 Reasonable opportunity to opt out.
(a) In general. You provide a reasonable opportunity to opt out if you provide a
reasonable period of time following the delivery of the opt out notice for the consumer to opt out.
(b) Examples of reasonable period of time: (1) In person. You hand-deliver an opt out
notice to the consumer and provide at least 30 days from the date you delivered the notice.
(2) By mail. You mail an opt out notice to a consumer and provide at least 30 days from
the date you mailed the notice.
(3) By electronic means. You notify the consumer electronically, and you provide at
least 30 days after the date that the consumer acknowledges receipt of the electronic notice.
(c) Continuing opportunity to opt out. A consumer may opt out at any time.
§ 571.7 Reasonable means of opting out.
(a) General rule. You provide a consumer with a reasonable means of opting out if you
provide a reasonably convenient method to opt out.
(b) Reasonably convenient methods. Examples of reasonably convenient methods
include:
(1) Designating check-off boxes in a prominent position on the relevant forms included
with the opt out notice;
(2) Including a reply form together with the opt out notice;
(3) Providing an electronic means to opt out, such as a form that can be electronically
mailed or a process at your web site, if the consumer agrees to the electronic delivery of
information; or
(4) Providing a toll-free telephone number that consumers may call to opt out.
(c) Methods that are not reasonably convenient. Examples of methods that are not
reasonably convenient include:
(1) Requiring a consumer to write his or her own letter to you; or
60
(2) Referring in a revised notice to a check-off box that you included with a previous
notice but that you do not include with the revised notice.
(d) Requiring specific means of opting out. You may require each consumer to opt out
through a specific means, as long as that means is reasonable for that consumer.
§ 571.8 Delivery of opt out notice.
(a) In general. You must deliver an opt out notice so that each consumer can reasonably
be expected to receive actual notice in writing or, if the consumer agrees, electronically.
(b) Examples of expectation of actual notice. (1) You may reasonably expect that a
consumer will receive actual notice if you:
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known mailing address of the consumer;
or
(iii) For the consumer who conducts transactions electronically, post the notice on your
electronic site and require the consumer to acknowledge receipt of the notice as a necessary step
to obtaining a particular product or service;
(iv) You may not reasonably expect that a consumer will receive actual notice if you:
(i) Only post a sign in your branch or office or generally publish advertisements
presenting your notice; or
(ii) Send the notice via electronic mail to a consumer who does not obtain a product or
service from you electronically.
(c) Oral description insufficient. You may not provide an opt out notice solely by orally
explaining the notice, either in person or over the telephone.
(d) Retention or accessibility. (1) In general. You must provide an opt out notice so that
it can be retained or obtained at a later time by the consumer in writing or, if the consumer
agrees, electronically.
(2) Examples of retention or accessibility. You provide the notice so that it can be
retained or obtained at a later time if you:
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known address of the consumer upon
request of the consumer; or
(iii) Make your current notice available on a web site (or a link to another web site) for
the consumer who obtains a product or service electronically and who agrees to receive the
notice at the web site.
61
(e) Joint notice with affiliates. You may provide a joint notice with one or more affiliates
as long as the notice identifies each person providing it and is accurate with respect to each.
(f) Joint relationships. (1) In general. Notwithstanding any other provision in this part, if
two or more consumers jointly obtain a product or service from you (joint consumers), the
following rules apply:
(i) You may provide a single notice to all of the joint consumers.
(ii) Any of the joint consumers has the opportunity to opt out.
(iii) You may treat an opt out direction by a joint consumer either as:
(A) Applying to all of the joint consumers; or
(B) Applying to that particular joint consumer.
(iv) You must explain in your opt out notice which of the two policies set forth in
paragraph (f)(1)(iii) of this section you will follow.
(v) If you follow the policy set forth in paragraph (f)(1)(iii)(B) of this section, by treating
the opt out of a joint consumer as applying to that particular joint consumer, you must also
permit:
(A) A joint consumer to opt out on behalf of other joint consumers; and
(B) One or more joint consumers to notify you of their opt out directions in a single
response.
(vi) You may not require all joint consumers to opt out before you implement any opt
out direction.
(vii) If you receive an opt out by a particular joint consumer that does not apply to the
others, you may disclose information about the others as long as no information is disclosed about
the consumer who opted out.
(2) Example. If consumers A and B, who have different addresses, have a joint checking
account with you and arrange for you to send statements to A’s address, you may do any of the
following, but you must explain in your opt out notice which opt out policy you will follow. You
may send a single opt out notice to A’s address and:
(i) Treat an opt out direction by A as applying to the entire account. If you do so and A
opts out, you may not require B to opt out as well before implementing A’s opt out direction.
(ii) Treat A’s opt out direction as applying to A only. If you do so, you must also permit:
(A) A and B to opt out for each other; and
(B) A and B to notify you of their opt out directions in a single response (such as on a
single form) if they choose to give separate opt out directions.
(iii) If A opts out only for A, and B does not opt out, you may disclose opt out
information only about B, and not about A and B jointly.
§ 571.9 Revised opt out notice.
If you have provided a consumer with one or more opt out notices and plan to
communicate opt out information to your affiliates about the consumer, other than as described
62
in those notices, you must provide the consumer with a revised opt out notice that complies with
§§ 571.4 through 571.8.
§ 571.10 Time by which opt out must be honored.
If you provide a consumer with an opt out notice and the consumer opts out, you must
comply with the opt out as soon as reasonably practicable after you receive it.
§ 571.11 Duration of opt out.
An opt out remains effective until revoked by the consumer in writing or electronically, as
long as the consumer continues to have a relationship with the institution. If the consumer’s
relationship with the institution terminates, the opt out will continue to apply to this information.
However, a new notice and opportunity to opt out must be provided if the consumer establishes a
new relationship with the institution.
§ 571.12 Prohibition against discrimination.
(a) In general. You must not discriminate against a consumer who is an applicant for
credit because the consumer opts out of your communication of opt out information to your
affiliates.
(b) Examples of discrimination against an applicant. You discriminate against an
applicant if you:
(1) Deny the applicant credit because the applicant opts out;
(2) Vary the terms of credit adversely to the applicant such as by providing less favorable
pricing terms to an applicant who opts out; or
(3) Apply more stringent credit underwriting standards to the applicant because the
applicant opts out.
(c) Regulation B. The terms “applicant” and “discriminate against” in this section have
the same meanings ascribed to them in 12 CFR part 202.
APPENDIX A to Part 571 --SAMPLE NOTICE
This appendix contains a sample notice to facilitate compliance with the notice
63
requirements of this part. An institution may use applicable disclosures in this sample to provide
notices required by this part.
NOTICE OF YOUR OPPORTUNITY TO OPT OUT
OF INFORMATION SHARING WITH COMPANIES
IN OUR CORPORATE FAMILY
Information we can share with our corporate family about you -- unless you
tell us not to
What Information: Unless you tell us not to, [Financial Institution] may share with companies
in our corporate family information about you including:
C
C
C
C
information we obtain from your application, such as [provide illustrative examples, such as
“your income” or “your marital status”];
information we obtain from a consumer report, such as [provide illustrative examples, such as
“your credit score or credit history”];
information we obtain to verify representations made by you, such as [provide illustrative
examples, such as “your open lines of credit”]; and
information we obtain from a person regarding its employment, credit, or other relationship with
you, such as [provide illustrative examples, such as “your employment history”].
Shared With Whom: Companies in our corporate family who may receive this information are:
C
C
financial service providers, such as [provide illustrative examples, such as “mortgage bankers,
broker-dealers, and insurance agents”]; and
non-financial companies, such as [provide illustrative examples, such as “retailers, direct
marketers, airlines, and publishers”].
How to tell us not to share this information with our corporate family
If you prefer that we not share this information with companies in our corporate family, you may
direct us not to share this information by doing the following [insert one or more of the
reasonable means of opting out listed below1]: [call us toll free at {insert toll free number}];
or [visit our web site at {insert web site address} and {provide further instructions how to
use the web site option}]; or [e-mail us at {insert the e-mail address}]; or [fill out and tear off
the bottom of this sheet and mail to the following address: {insert address}]; or [check the
appropriate box on the attached form {attach form} and mail to the following address:
1
If the financial institution is using its web site or an e-mail address as the only method by which a consumer may opt
out, the consumer must agree to the electronic delivery of information.
64
{insert address}].
Note: Your direction in this paragraph covers certain information about you that we might otherwise
share with our corporate family. We may share other information about you with our corporate family
as permitted by law.
Dated: September 29, 2000
By the Office of Thrift Supervision.
Ellen Seidman,
Director.
BILLING CODES: 4810-33-P; 6210-01-P; 6714-01-P; 6720-01-P
65