The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency 12 CFR Part 41 [Docket No. 04-09] RIN 1557-AC85 BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM 12 CFR Part 222 [Regulation V; Docket No. R-1188] FEDERAL DEPOSIT INSURANCE CORPORATION 12 CFR Part 334 RIN 3064-AC81 DEPARTMENT OF THE TREASURY Office of Thrift Supervision 12 CFR Part 571 No. 2004-16 RIN 1550-AB88 NATIONAL CREDIT UNION ADMINISTRATION 12 CFR Part 717 Fair Credit Reporting Medical Information Regulations AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS); National Credit Union Administration (NCUA). ACTION: Notice of proposed rulemaking. SUMMARY: The OCC, Board, FDIC, OTS, and NCUA (Agencies) are publishing for comment proposed regulations implementing section 411 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Pub. L. 108-159, 117 Stat. 1952. The FACT Act substantially amends the Fair Credit Reporting Act (FCRA or Act), 15 U.S.C. 1681 et seq. Section 411(a) of the FACT Act adds a new section 603(g)(1) to the FCRA to restrict the circumstances under which consumer reporting agencies may furnish consumer reports that contain medical information about consumers. Section 411(a) of the FACT Act also adds a new section 604(g)(2) to the FCRA to prohibit creditors from obtaining or using medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. The Agencies are required to prescribe regulations that permit creditors to obtain or use medical information for eligibility purposes where necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs, consistent with the Congressional intent to restrict the use of medical information for inappropriate purposes. In addition, Section 411(b) of the FACT Act adds a new section 603(d)(3) to the FCRA to restrict the sharing of medical information and related lists or descriptions with affiliates. Specifically, section 603(d)(3) provides that the standard exclusions from the 2 definition of “consumer report” contained in section 603(d)(2)—such as sharing transaction or experience information about a consumer among affiliates or sharing other information among affiliates after providing the consumer notice and an opportunity to opt-out—do not apply if medical-related information is disclosed to an affiliate. Medical-related information includes medical information, an individualized list or description based on payment transactions for medical products or services, or an aggregate list of identified consumers based on payment transactions for medical products or services. The provisions of section 603(d)(3) do not apply if the sharing falls within certain exceptions, such as in connection with the business of insurance or annuities or for any purpose described in section 502(e) of the Gramm-Leach-Bliley Act (GLB Act), Pub. L. 106-102. Section 411(b) authorizes the Agencies to promulgate additional exceptions by regulation or order, as determined by the Agencies to be appropriate or necessary. The Agencies generally provide a 60-day period for the public to comment on the burdens associated with proposed rules. In this case, however, the Agencies believe that a 30-day comment period is appropriate because the statute was enacted in December 2003 and imposes a statutory deadline for the final rule of June 4, 2004. DATES: Comments must be received by May 28, 2004. ADDRESSES: Comments should be directed to: OCC: You should designate OCC in your comment and include Docket Number 04-09. Because paper mail in the Washington, DC area and at the OCC may be subject to delays, please submit your comments by e-mail or fax whenever possible. You may submit comments by any of the following methods: 3 • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. • OCC Web site: http://www.occ.treas.gov. Click on "Contact the OCC," scroll down and click on "Comments on proposed regulations." • E-mail address: regs.comments@occ.treas.gov. • Fax: (202) 874-4448. • Mail: Office of the Comptroller of the Currency, 250 E Street, SW., Public Information Room, Mail Stop 1-5, Washington, DC 20219. • Hand Delivery/Courier: 250 E Street, SW., Attn: Public Information Room, Mail Stop 1-5, Washington, DC 20219. Instructions: All submissions received must include the agency name (OCC) and docket number or Regulatory Information Number (RIN) for this notice of proposed rulemaking. In general, the OCC will enter all comments received into the docket without change, including any business or personal information that you provide. • Docket: For access to the docket to read background documents or comments received you may: • View docket information in person: You may personally inspect and photocopy docket information at the OCC's Public Information Room, 250 E Street, SW., Washington, DC. You can make an appointment to inspect the docket by calling (202) 874-5043. 4 • View docket information electronically: You may request that we send electronic copies of docket information to you via e-mail or mail you a CDROM containing electronic copies by contacting the OCC at regs.comments@occ.treas.gov. • Request copies: You may request copies of docket information by fax at (202) 874-4448, mailing the OCC at 250 E Street, SW., Attn: Public Information Room, Mail Stop 1-5, Washington, DC 20219, or by contacting us at (202) 874-5043. Board: You may submit comments, identified by Docket No. R-1188, by any of the following methods: • Agency Web Site: http://www.federalreserve.gov. Follow the instructions for submitting comments on the http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm. • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. • E-mail: regs.comments@federalreserve.gov. Include docket number in the subject line of the message. • FAX: 202/452-3819 or 202/452-3102. • Mail: Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, N.W., Washington, DC 20551. All public comments are available from the Board’s web site at www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, except as necessary for technical reasons. Accordingly, your comments will not be edited to 5 remove any identifying or contact information. Public comments may also be viewed electronically or in paper in Room MP-500 of the Board’s Martin Building (20th and C Streets, N.W.) between 9:00 a.m. and 5:00 p.m. on weekdays. FDIC: You may submit comments, identified by RIN number by any of the following methods: • Agency Web Site: http://www.fdic.gov/regulations/laws/federal/propose.html. Follow instructions for submitting comments on the Agency Web Site. • E-Mail: Comments@FDIC.gov. Include the RIN number in the subject line of the message. • Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429. • Hand Delivery/Courier: Guard station at the rear of the 550 17th Street Building (located on F Street) on business days between 7 a.m. and 5 p.m. • Instructions: All submissions received must include the agency name and RIN for this rulemaking. All comments received will be posted without change to http://www.fdic.gov/regulations/laws/federal/propose.html including any personal information provided. OTS: You may submit comments, identified by docket number 2004-16, by any of the following methods: • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. 6 • E-mail address: regs.comments@ots.treas.gov. Please include docket number 2004-16 in the subject line of the message and include your name and telephone number in the message. • Fax: (202) 906-6518. • Mail: Regulation Comments, Chief Counsel’s Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, Attention: No. 2004-xx. • Hand Delivery/Courier: Guard’s Desk, East Lobby Entrance, 1700 G Street, NW., from 9:00 a.m. to 4:00 p.m. on business days, Attention: Regulation Comments, Chief Counsel’s Office, Attention: No. 2004-xx. Instructions: All submissions received must include the agency name and docket number or Regulatory Information Number (RIN) for this rulemaking. All comments received will be posted without change to the OTS Internet Site at www.ots.treas.gov, including any personal information provided. Docket: For access to the docket to read background documents or comments received, go to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1. In addition, you may inspect comments at the Public Reading Room, 1700 G Street, NW, by appointment. To make an appointment for access, call (202) 906-5922, send an e-mail to public.info@ots.treas.gov, or send a facsimile transmission to (202) 906-7755. (Prior notice identifying the materials you will be requesting will assist us in serving you.) We schedule appointments on business days between 10:00 a.m. and 4:00 p.m. In most cases, appointments will be available the next business day following the date we receive a request. 7 NCUA: You may submit comments by any of the following methods (Please send comments by one method only): • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. • NCUA Web Site: ttp://www.ncua.gov/news/proposed_regs/proposed_regs.html. Follow the instructions for submitting comments. • E-mail: Address to regcomments@ncua.gov. Include "[Your name] Comments on Proposed Rule Part 717, Fair Credit Reporting – Medical Information" in the e-mail subject line. • Fax: (703) 518-6319. Use the subject line described above for e-mail. • Mail: Address to Becky Baker, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428. • Hand Delivery/Courier: Becky Baker, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428. FOR FURTHER INFORMATION CONTACT: OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Michael Bylsma, Director, or Stephen Van Meter, Assistant Director, Community and Consumer Law, (202) 874-5750; Patrick T. Tierney, Attorney, Legislative and Regulatory Activities Division, (202) 874-5090; or Carol Turner, Compliance Specialist, Compliance Department, (202) 874-4858, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219. Board: David A. Stein, Counsel; Minh-Duc T. Le, Ky Tran-Trong, or Krista P. DeLargy, Senior Attorneys, Division of Consumer and Community Affairs, (202) 452- 8 3667 or (202) 452-2412; or Andrew Miller, Counsel, Legal Division, (202) 452-3428, Board of Governors of the Federal Reserve System, 20th and C Streets, NW., Washington, DC 20551. FDIC: Robert A. Patrick, Counsel, (202) 898-3757, or Richard M. Schwartz, Counsel, Legal Division, (202) 898-7424; David LaFleur, Policy Analyst, (202) 898-6569, or Patricia Cashman, Senior Policy Analyst, Division of Supervision and Consumer Protection, (202) 898-6534, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429. OTS: Elizabeth Baltierra, Program Analyst (Compliance), Compliance Policy, (202) 906-6540; Richard Bennett, Counsel (Banking and Finance), (202) 906-7409; or Paul Robin, Special Counsel, Regulations and Legislation Division, (202) 906-6648, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552. NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel, (703) 518-6540, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428. SUPPLEMENTARY INFORMATION: I. Background On December 4, 2003, the President signed into law the FACT Act, which amends the FCRA. Pub. L. 108-159, 117 Stat. 1952. In general, the FACT Act contains provisions designed to enhance the ability of consumers to combat identity theft, increase the accuracy of consumer reports, and allow consumers to exercise greater control regarding the type and amount of marketing solicitations they receive. Section 411 of the FACT Act limits the ability of creditors to obtain or use, of consumer reporting agencies to disclose, and of affiliates to share medical information. 9 Section 411(a) of the FACT Act adds a new section 604(g)(1) to the FCRA to restrict the circumstances under which consumer reporting agencies may furnish consumer reports that contain medical information about consumers. Specifically, under new section 604(g)(1), a consumer reporting agency may not furnish a consumer report that contains medical information about a consumer unless: (1) The report is furnished in connection with an insurance transaction, and the consumer affirmatively consents to the furnishing of the report; (2) The report is furnished for employment purposes or in connection with a credit transaction, the information to be furnished is relevant to process or effect the employment or credit transaction, and the consumer provides specific written consent for the furnishing of the report that describes in clear and conspicuous language the use for which the information will be furnished; or (3) The information to be furnished pertains solely to transactions, accounts, or balances relating to debts arising from the receipt of medical services, products, or devices, where such information, other than account status or amounts, is restricted or reported using codes that do not identify, or do not provide information sufficient to infer, the specific provider or the nature of such services, products, or devices. Section 411(c) of the FACT Act revises the definition of “medical information” in section 603(i) to mean information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to the past, present, or future physical, mental, or behavioral health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual. The definition further provides that the term “medical 10 information” does not include the age or gender of a consumer, demographic information about the consumer, including a consumer’s residence address or e-mail address, or any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy. Section 411(a) also amends the FCRA by adding new section 604(g)(2) to prohibit creditors from obtaining or using medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. Section 604(g)(2) contains two independent prohibitions—a prohibition on obtaining medical information and a prohibition on using medical information. The statute contains no prohibition, however, on obtaining or using medical information other than in connection with a determination of the consumer’s eligibility, or continued eligibility, for credit. Thus, section 604(g)(2) does not prohibit a creditor from obtaining medical information for employment purposes, in connection with a determination of a consumer’s eligibility for an insurance product or through processing payments for a consumer, maintaining a consumer’s account, or performing similar functions. Nevertheless, a creditor that obtains medical information in these circumstances may not use that information in connection with a determination of the consumer’s eligibility, or continued eligibility, for credit. For example, medical information about a consumer obtained and used by a creditor for employment purposes may not subsequently be used in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. New section 604(g)(5)(A) requires the Agencies to prescribe regulations that permit transactions that are determined to be 11 necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (including administrative verification purposes), consistent with congressional intent to restrict the use of medical information for inappropriate purposes. Section 411(b) of the FACT Act adds a new section 603(d)(3) to the FCRA to restrict the sharing of medical-related information with affiliates if that information meets the definition of “consumer report” in section 603(d)(1) of the FCRA. Specifically, section 603(d)(3) provides that the standard exclusions from the definition of “consumer report” contained in section 603(d)(2)—such as sharing transaction or experience information among affiliates or sharing other eligibility information among affiliates after notice and an opportunity to opt-out—do not apply if medical-related information is disclosed to an affiliate. Medical-related information includes medical information, as described above, as well as an individualized list or description based on payment transactions for medical products or services, and an aggregate list of identified consumers based on payment transactions for medical products or services. New section 604(g)(3) provides several exceptions that allow creditors to disclose medical information to affiliates according to the same rules that apply to other nonmedical information. In particular, section 604(g)(3) provides that medical-related information that is transaction or experience information or that is subject to the FCRA affiliate sharing opt-out provisions or other standard exclusions in section 603(d)(2) may be shared with an affiliate of the creditor if the information is disclosed to an affiliate: (1) In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and 12 Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003); (2) For any purpose permitted without authorization under the Standards for Individually Identifiable Health Information promulgated by the Department of Health and Human Services (HHS) pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); (3) For any purpose referred to under section 1179 of HIPAA; (4) For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act; or (5) As otherwise determined to be necessary and appropriate, by regulation or order, by the Federal Trade Commission (FTC), the Agencies, or an applicable State insurance authority. Section 604(g)(4), as added by section 411(a)(4) of the FACT Act, also provides that any person that receives medical information from an affiliate pursuant to an exception in section 604(g)(3) or from a consumer reporting agency under section 604(g)(1) must not disclose such information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order. II. Proposed Rule The rule proposed by the Agencies would do two things. First, the proposed regulations would create exceptions to the general prohibition against obtaining or using medical information in connection with credit eligibility determinations, as required by section 604(g)(5)(A). The Agencies believe the proposed exceptions are necessary and 13 appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (including administrative verification purposes), and are consistent with the congressional intent to restrict the use of medical information for inappropriate purposes. Second, the proposed regulations would, as permitted by section 604(g)(3)(C), create additional exceptions to the special restrictions in section 603(d)(3) on sharing medicalrelated information with affiliates that the Agencies believe are necessary and appropriate. The proposed regulations are discussed in more detail in the Section-bySection Analysis below. The Agencies invite comment on all aspects of the proposal. III. Section-by-Section Analysis Section .1 Purpose, scope, and effective dates Proposed § ___.1(b)(2) describes the institutions covered by the provisions of the regulations of each of the respective Agencies. Section .2 Examples Proposed § ___.2 discusses the scope and effect of the examples included in the proposed regulation. Section .3 Definitions Proposed § ___.3 contains definitions for the terms “affiliate” (as well as the related terms “company” and “control”), “consumer,” “medical information,” and “you.” Affiliate Several FCRA provisions apply to information sharing with persons “related by common ownership or affiliated by corporate control,” “related by common ownership or affiliated by common corporate control,” or “affiliated by common ownership or common corporate control.” E.g., FCRA, sections 603(d)(2), 615(b)(2), and 624(b)(2). 14 Section 2 of the FACT Act defines the term “affiliate” to mean persons that are related by common ownership or affiliated by corporate control. Proposed paragraph (b) simplifies these various formulations by defining “affiliate” to mean any company that controls, is controlled by, or is under common control with another company. The proposed definition is identical to the definition of “affiliate” in the GLB Act privacy regulations.1 Consistent with the definitions in the privacy regulations and the practical application of the FCRA, the proposal uses a definition of “control” that applies exclusively to the control of a “company,” and defines “company” to include any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization. See proposed paragraphs (d) (“company”) and (i) (“control”).2 The definition of “company” omits some entities that are “persons” under the FCRA—individuals, estates, cooperatives, governments, and government in which “control” could be exercised over individuals, government agencies, and other persons that do not fit within the definition of “company.” 1 For purposes of the proposed regulation, an “affiliate” includes an operating subsidiary of a bank or savings association, and a credit union service organization that is controlled by a federal credit union. 2 For purposes of the proposed regulation, NCUA will presume a federal credit union has a controlling influence over the management or policies of a credit union service organization if it is 67 percent owned by credit unions. 15 Medical Information Under proposed paragraph (k), the term “medical information” means information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to (1) the past, present, or future physical, mental, or behavioral health or condition of an individual; (2) the provision of health care to an individual; or (3) the payment for the provision of health care to an individual. The term “medical information” does not include the age or gender of a consumer, demographic information about the consumer, including a consumer’s residence address or e-mail address, or any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy. The proposal tracks the statutory definition of “medical information.” Creditors are reminded that other laws, such as the Americans with Disabilities Act, the Fair Housing Act, the GLB Act, and other parts of the FCRA, may limit or regulate the use, collection, and sharing of consumer information, including medical information. In particular, these and other laws, such as the Equal Credit Opportunity Act, also may prohibit creditors from using certain information that is excluded from the restrictions on obtaining or using medical information, such as age or gender information, in determining eligibility for credit or for other purposes. Section ___.30 Obtaining and using medical information in connection with a determination of eligibility for credit Section 411(a) of the FACT Act adds a broad new limitation on the ability of creditors to obtain medical information in connection with credit eligibility determinations or to use medical information in connection with credit eligibility 16 determinations. Specifically, new section 604(g)(2) provides, that except as permitted by regulations, a creditor shall not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. A. General Prohibition on Obtaining or Using Medical Information Proposed § ___.30 contains the rules on obtaining or using medical information in connection with a determination of a consumer’s eligibility, or continued eligibility, for credit. Proposed paragraph (a)(1) incorporates the general rule prohibiting creditors from obtaining or using medical information pertaining to a consumer in connection with any determination of a consumer’s eligibility, or continued eligibility, for credit, except as provided in the regulations under Subpart D. The consumer’s eligibility for credit typically would be determined when an initial decision is made on whether to grant or deny credit to the consumer. A determination of a consumer’s continued eligibility for credit may also include decisions whether to terminate an account or adjust a credit limit following an account review. Proposed paragraph (a)(2) clarifies the definition of certain terms used in Subpart D, including “credit” and “creditor.” In addition, paragraph (a)(2) provides that the phrase “eligibility, or continued eligibility, for credit” means the consumer’s qualification or fitness to receive, or continue to receive, credit, including the terms on which credit is offered, primarily for personal, family, or household purposes. The paragraph also clarifies that the phrase “eligibility, or continued eligibility, for credit” does not include the consumer’s qualification or fitness to be offered employment, insurance products, or other non-credit products or services. Similarly, 17 “eligibility, or continued eligibility, for credit” does not include a determination of whether the provisions of a debt cancellation contract, debt suspension agreement, credit insurance product, or similar forbearance practice or program are triggered. A forbearance practice or program may include circumstances in which a creditor allows a consumer to skip one or more scheduled payments because the consumer is hospitalized for a medical condition. For example, if a consumer is hospitalized on an emergency basis and is temporarily unable to pay his mortgage, the consumer’s daughter may contact the consumer’s mortgage lender by telephone, inform the lender of the consumer’s medical condition, and request that the lender allow the deferral of one or more payments to accommodate the consumer’s particular circumstances. The creditor’s use of the medical information provided by the consumer’s daughter to defer one or more mortgage payments to accommodate the consumer’s particular circumstances would constitute a forbearance that is beyond the scope of the prohibition. Comment is requested on whether it is more appropriate to grant an exception to permit creditors to obtain and use medical information in connection with debt cancellation, debt suspension, or credit insurance products or practices, rather than issuing an interpretation that obtaining information necessary to trigger coverage under these products falls outside any determination of eligibility, or continued eligibility, for credit. In addition, comment is solicited on whether a separate exception for accommodating the particular medical condition or circumstances of the consumer should be created in lieu of or in addition to the interpretation that eligibility, or continued eligibility, for credit does not include forbearance. 18 The proposed regulation also provides that the term “eligibility, or continued eligibility, for credit” does not include authorizing, processing, or documenting a payment or transaction on behalf of a consumer in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit. Finally, the term “eligibility, or continued eligibility, for credit” does not include maintaining or servicing a consumer’s account in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit. The Agencies note that section 604(g)(2) contains two distinct prohibitions—one on obtaining medical information and one on using medical information. Nothing in the statute prohibits a creditor from obtaining medical information if the information is not obtained in connection with a determination of the consumer’s eligibility, or continued eligibility, for credit. Thus, there is no prohibition, for example, on a creditor obtaining medical information through authorizing, processing, or documenting a payment or transaction on behalf of the consumer, or managing or servicing the consumer’s account. Nevertheless, a creditor that has obtained medical information in these circumstances may not use that information in connection with a determination of the consumer’s eligibility, or continued eligibility, for credit, unless permitted by an exception provided in the regulations. However, there is no prohibition in section 411 of the FACT Act on a person that is a creditor from obtaining or using medical information for an employment purpose or in connection with a determination of the consumer’s eligibility for an insurance product. 19 B. Receiving Unsolicited Medical Information Creditors may receive unsolicited medical information without specifically asking for such information. This may occur, for example, when a consumer informs the loan officer that she needs a loan to pay for treatment for a particular medical condition, or when a consumer, in response to a general request on a credit application for information about outstanding debts, lists debts owed to hospitals and doctors for medical services. The Agencies do not believe that a creditor violates the prohibition on obtaining medical information when the creditor does not specifically ask for or request such information, yet the consumer or other person provides that information to the creditor. However, because the statutory prohibition on obtaining medical information could be interpreted broadly to cover circumstances in which medical information is obtained by a creditor without asking for it, the Agencies have proposed a rule of construction to make clear that a creditor does not violate the prohibition on obtaining medical information if the creditor receives unsolicited medical information. Proposed paragraph (b) contains this rule of construction for receiving unsolicited medical information. Under proposed paragraph (b)(1), a creditor does not obtain medical information for purposes of proposed paragraph (a)(1) if it receives medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit without specifically requesting medical information, and does not use that information in determining whether to extend credit to the consumer and the terms on which credit is offered or continued. Paragraph (b)(2) provides examples for guidance. The Agencies seek comment on the 20 appropriateness of this rule of construction and on whether this provision should be drafted as an exception to the general prohibition, rather than as a rule of construction. C. Financial Information Exception for Obtaining and Using Medical Information As noted above, new section 604(g)(5)(A) of the Act gives the Agencies the authority to prescribe regulations, after notice and opportunity for comment, to permit creditors to obtain and use medical information in connection with determinations of credit eligibility that the Agencies determine to be necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (including actions necessary for administrative verification purposes), consistent with the intent of the statute to restrict the use of medical information for inappropriate purposes. Applying this standard, the Agencies believe it is necessary and appropriate to permit creditors to obtain and use medical information in a number of circumstances. Proposed §§ ___.30(c)-(d) contain exceptions to the general prohibition on creditors obtaining or using medical information. Proposed paragraph (c) contains the first exception, and provides that a creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit so long as the following three elements are met. First, the information must relate to debts, expenses, income, benefits, collateral, or the purpose of the loan, including the use of proceeds. Second, the creditor must use the information in a manner and to an extent no less favorable than it would use comparable information that is not medical information in a credit transaction. Third, the creditor must not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination of credit 21 eligibility. This three-part test strikes a balance between permitting creditors to obtain and use certain medical information about consumers when necessary and appropriate to satisfy prudent underwriting criteria and to ensure that credit is extended in a safe and sound manner, while restricting the use of medical information for inappropriate purposes. The first element of the test identifies certain types of information, specifically debts, expenses, income, benefits, collateral, or the purpose of the loan, that a creditor ordinarily would obtain and evaluate in connection with making a prudent credit decision, regardless of whether that information is medical or non-medical information. A creditor should not be prohibited from obtaining or using information about a debt, for example, in connection with making a credit decision, just because that debt happens to be for medical products or services. The second element of the test provides that the creditor must use the medical information in a manner and to an extent no less favorable than it would use comparable, non-medical information in a credit transaction. For example, a creditor may deny credit to the consumer because the consumer owes a debt to a hospital if the creditor would have denied credit to the consumer if the consumer had owed the same amount of debt with the same payment history to a retailer. Nothing in the rule prevents the creditor from treating information about medical debts (or expenses or income) more favorably than non-medical debts. The third element of the test provides that the creditor may not take the consumer’s physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis into account as part of any determination of the consumer’s 22 eligibility, or continued eligibility, for credit. For example, the consumer may owe a debt to a hospital or other facility that specializes in treating a potentially terminal disease. While the creditor may evaluate the debt to the hospital or facility in the same manner and to the same extent as it would evaluate any non-medical debt, the creditor may not take into account the consumer’s individual physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis in determining the consumer’s eligibility, or continued eligibility for credit, or the terms under which credit will be offered or continued. The Agencies seek comment on the financial information exception outlined in paragraph (c)(1). In particular, the Agencies seek comment on whether each of the three parts of the exception is necessary and whether the three parts together strike the right balance between permitting creditors to obtain and use medical information where necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (including actions necessary for administrative verification purposes) and restricting the use of medical information for inappropriate purposes. Proposed paragraph (c)(2) provides several examples of when creditors generally may obtain and use medical information under the financial information exception in proposed paragraph (c)(1). These examples in proposed paragraph (c)(2) are not exclusive. The Agencies seek comment on all of the examples in proposed paragraph (c)(2), including whether any of the examples should be amended or deleted, or whether additional examples should be provided. Proposed paragraph (c)(2)(i) provides examples of the circumstances in which medical information would relate to debts, expenses, income, benefits, collateral, or the 23 purpose of the loan, including the use of proceeds. A creditor would, for example, be able to obtain and use medical information about— • The dollar amount, repayment terms, repayment history, and similar information regarding medical debts that is used to calculate, measure, or verify the repayment ability of the consumer, the use of proceeds, or the terms for granting credit; • The value, condition, and lien status of a medical device that is used as collateral to secure a loan; • The dollar amount and continued eligibility for disability income or benefits related to health or a medical condition that is relied on as a source of repayment; or • The identity of creditors to whom outstanding medical debts are owed in connection with an application for credit, including but not limited to a transaction involving the consolidation of medical debts. The Agencies propose to include five additional examples to illustrate uses of medical information consistent and inconsistent with the financial information exception. Proposed paragraph (c)(2)(ii) provides examples of uses of medical information that are consistent with the exception. The first example involves a consumer who includes two $20,000 debts on an application for credit—one debt to a hospital and the other to a retailer. The creditor contacts the hospital and the retailer in order to verify the amount and payment status of the debts and learns that both are more than 90 days past due. Any two debts of this size that are past due would disqualify the consumer under the creditor’s established underwriting criteria. The creditor decides to deny the application on the basis of the consumer’s poor repayment history on outstanding debts. Under these circumstances, the creditor obtains and uses information about medical debts the same 24 way it uses information about non-medical debts. Accordingly, the creditor has used medical information in a manner consistent with the exception. In the second example, a consumer indicates on an application for a $200,000 mortgage loan that she receives $15,000 in long-term disability income each year from her former employer and has no other income. Annual income of $15,000, regardless of source, would not be sufficient to support the requested amount of credit. The creditor denies the application on the basis that the projected debt-to-income ratio of the consumer does not meet the creditor’s underwriting criteria. In this example, the creditor analyzes the long-term disability income, which is medical information, the same way it would analyze any other income information of a potential borrower. The third example in proposed paragraph (c)(2)(ii) involves a consumer who includes on an application for a $10,000 home equity loan that he has a $50,000 debt to a medical facility that specializes in treating a potentially terminal disease. The creditor contacts the medical facility to verify the debt and obtain the repayment history and current status of the loan, and learns that the debt is current and that the applicant meets the income requirements of the creditor’s underwriting guidelines. The creditor grants the application. The creditor has used medical information in accordance with the exception. Proposed paragraph (c)(2)(iii) provides two examples of uses of medical information that are inconsistent with the exception. The first example involves a consumer who includes on an application for $25,000 of credit information about a $50,000 debt to a hospital. The creditor contacts the hospital to verify the amount and payment status of the debt and learns that the debt is current and that the consumer has no 25 delinquencies in her repayment history. If the existing debt were instead owed to a home furnishing retailer, the creditor would approve the application and extend credit based on the amount and repayment history of the outstanding debt. The creditor, however, denies the application because the consumer is indebted to a hospital. The creditor has used medical information, here the identity of the medical creditor, in a manner and to an extent that is less favorable than it would use comparable non-medical information. In the second example in proposed paragraph (c)(2)(iii), a consumer meets with a loan officer of a creditor to apply for a mortgage loan. While filling out the loan application, the consumer informs the loan officer orally that she has a potentially terminal disease. The consumer meets the creditor’s established requirements for the requested mortgage. The loan officer recommends to the credit committee that the consumer be denied credit because the consumer has that disease. The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer’s physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis as part of a determination of eligibility or continued eligibility for credit. D. Specific Exceptions for Obtaining and Using Medical Information Proposed paragraph (d) contains specific exceptions to the general prohibition to allow creditors to obtain and use medical information for a limited number of particular purposes. The Agencies request comment on whether each of these specific exceptions is necessary and appropriate and, if so, whether they are properly defined. Proposed paragraph (d)(1)(i) provides that a creditor may obtain and use medical information to determine whether the use of a power of attorney or legal representative is 26 necessary and appropriate. This exception would permit a creditor to verify, in connection with a credit eligibility determination, that the exercise of a power of attorney or legal representative is triggered by the consumer’s medical condition. Under proposed paragraph (d)(1)(ii), a creditor may also use medical information to comply with applicable requirements of local, state, or federal laws. For example, some state laws may require creditors to consider medical information in certain circumstances to protect populations that may be vulnerable to financial abuse by caregivers. This exception would permit creditors to obtain and use medical information to comply with those laws. Proposed paragraph (d)(1)(iii) provides that a creditor may also obtain and use medical information to the extent such information is included in a consumer report from a consumer reporting agency in accordance with section 604(g)(1)(B) of the FCRA, and is used for the purpose for which the consumer provided specific written consent. As noted above, section 411 of the FACT Act prevents consumer reporting agencies from furnishing consumer reports containing medical information, except under specified circumstances. Consumer reports must be furnished with coding that blocks the identity of the provider of medical information and the nature of the services, products, or devices, unless a consumer provides a consumer reporting agency with specific written consent to furnish a report to a creditor containing uncoded medical information. This exception clarifies that a creditor may obtain uncoded medical information from a consumer reporting agency in accordance with section 604(g)(1)(B) of the FCRA, and use that information for the purpose for which the consumer provided specific written consent. 27 The Agencies have not proposed a separate exception for obtaining and using consumer reports in accordance with section 604(g)(1)(C) of the FCRA, which relates to consumer reports containing coded medical information. The Agencies do not believe that it is necessary to propose a separate exception. The Agencies have considered three options that would allow creditors to obtain and use consumer reports containing the information described in section 604(g)(1) of the FCRA. The Agencies have considered whether the definition of “medical information” may be interpreted in a manner that would exclude the coded information that may be furnished under section 604(g)(1)(C) of the Act. This approach would permit all creditors to obtain consumer reports with coded information (but not consumer reports with uncoded medical information furnished under section 604(g)(1)(B)) and use that information in connection with a determination of the consumer’s eligibility, or continued eligibility, for credit, even in the absence of an exception in the regulations. This approach is based on a statutory interpretation that such coded information would not relate to the physical, mental, or behavioral health of the consumer, and thus, is not medical information. The Agencies also have considered whether section 604(g) or other provisions of the FCRA may be interpreted in such a manner that no exception would be necessary to permit creditors to obtain and use medical information in consumer reports furnished by consumer reporting agencies in accordance with section 604(g)(1). For example, the Agencies have considered whether the broad prohibition in section 604(g)(2) on obtaining and using medical information in credit eligibility determinations may be construed as being qualified by the specific provisions in section 604(g)(1) that authorize 28 consumer reporting agencies to furnish consumer reports containing medical information under certain limited circumstances. This possible interpretation would be based on the Agencies’ observation that (1) it is unlikely that Congress would permit consumer reporting agencies to furnish consumer reports containing medical information in connection with credit transactions without permitting creditors to obtain and use these reports, and (2) in these circumstances, Congress may well have provided the consumer protections it deemed necessary by specifying the limitations under which consumer reporting agencies could furnish reports containing medical information. The Agencies also have considered whether creditors who intend to obtain and use this coded medical information would be able to do so in accordance with the financial information exception in § __.30(c) of the proposed regulations. Coded medical information relates to medical debts, and the creditor may use debt information in making credit eligibility determinations in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information. In addition, because the medical information is coded as prescribed in the FCRA, it would not provide the creditor with specific information regarding the consumer’s health, condition, history, type of treatment, or prognosis (which may not be taken into account under the financial information exception in proposed § __.30(c)(1)(iii)). The Agencies also note that the rule of construction in § __.30(b) of the proposed regulations would enable creditors to receive consumer reports containing coded medical information without violating the limit on “obtaining” medical information prescribed by section 604(g)(2) of the FCRA, so long as they do not use that medical information in making credit eligibility determinations. 29 The Agencies specifically request comment on the most appropriate way in which to deal with information contained in consumer reports, and related matters. In particular, comment is requested on these three approaches. A creditor may also obtain and use medical information for purposes of fraud prevention and detection under proposed paragraph (d)(1)(iv). Comment is solicited as to whether and to what extent it is necessary for creditors to obtain and use medical information for purposes of fraud prevention and detection in connection with the determination of a consumer’s credit eligibility and whether the exception could be narrowed to prevent the unnecessary use of medical information without compromising legitimate fraud prevention and detection programs. Proposed paragraph (d)(1)(v) provides that a creditor may obtain and use medical information in the case of credit for the purpose of financing medical products or services to determine and verify the medical purpose of a loan and the use of proceeds. Certain creditors have established specialized loan programs that finance specific medical procedures, such as vision correction surgery, but not others. In such cases, the creditor may need to obtain and use medical information in connection with determining whether the purpose of the loan is within the scope of the creditor’s established loan program. Proposed paragraph (d)(2) provides examples of this exception. The Agencies invite comment on whether the medical purpose financing exception strikes the appropriate balance between satisfying the legitimate needs of medical finance creditors and the intent of Congress to limit the use of medical information in credit eligibility determinations. 30 Proposed paragraph (d)(1)(vi) provides that a creditor may obtain and use medical information if the consumer or the consumer’s legal representative requests in writing, on a separate document signed by the consumer or the consumer’s legal representative, that the creditor use specific medical information for a specific purpose in determining the consumer’s eligibility, or continued eligibility, for credit, to accommodate the consumer’s particular circumstances. The signed, written request must describe the specific medical information that the consumer requests the creditor to use and the specific purpose for which the information will be used. This exception is designed to accommodate the particular medical condition or circumstances of the individual consumer and is not intended to allow creditors to obtain consent on a routine basis or as a part of loan applications or documentation. This exception would not be met by a form that contains a pre-printed description of various types of medical information and the uses to which it might be put. Instead, it contemplates an individualized process in which the consumer informs the creditor about the specific medical information that the consumer would like the creditor to use and for what purpose. Proposed paragraph (d)(3) provides examples of this consumer request exception. The Agencies seek comment on the need for a broader exception to permit creditors to make a “medical accommodation” where individual circumstances may warrant such an accommodation. The Agencies note that forbearance practices and programs, as discussed in the explanation of paragraph (a)(2) above, would permit creditors to take into account a consumer’s medical condition to defer scheduled payments or take certain other actions on existing accounts as a medical accommodation to the consumer. Comment is requested on whether forbearance plus the consumer 31 request exception provides sufficient flexibility to provide medical accommodations to consumers. The Agencies also request comment on whether the procedural aspects of the consumer request exception (i.e., the request must be in writing, on a separate form signed by the consumer or the consumer’s legal representative) would unnecessarily hinder the ability of a creditor to make a medical accommodation where a consumer’s medical condition and financial circumstances may justify such an accommodation, or whether these procedures are necessary to protect consumers. The Agencies seek comment on whether there is a need to establish an exception for consumer consent whereby a creditor could request that a consumer consent to the specific use of the consumer’s medical information. If so, the Agencies request specific comment on when this exception might be used and how the exception should be fashioned to ensure appropriate consumer protection. Finally, proposed paragraph (d)(1)(vii) provides that a creditor may obtain and use medical information as otherwise permitted by order of the appropriate agency. E. Limits on Redisclosure Proposed paragraph (e) incorporates the statutory provision regarding the limits on redisclosure of medical information. This paragraph provides that a person that receives medical information about a consumer from a consumer reporting agency or an affiliate is prohibited from disclosing that information to any other person, except as necessary to carry out the purposes for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order. 32 F. Request for Comment The Agencies solicit comment on each of the proposed provisions of § ___.30. Specifically, the Agencies request comment as to whether each of the proposed exceptions is, in fact, necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (including actions necessary for administrative verification purposes), and consistent with the intent of Congress to restrict the use of medical information for inappropriate purposes. Comment is also requested on the examples used in this section and whether additional or different examples should be included. The Agencies also invite comment on whether any additional or different exceptions should be included in the final regulation. Commenters that recommend additional or different exceptions should explain why the exception is necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs, and is consistent with the intent of Congress to restrict the use of medical information for inappropriate purposes. Section ___.31 Sharing medical information with affiliates Section ___.31(a) provides that the standard exclusions from the definition of “consumer report” contained in section 603(d)(2) of the Act—including the exclusions for sharing transaction or experience information among affiliates or sharing other eligibility information among affiliates after notice and an opportunity to opt-out—do not apply if medical information, an individualized list or description based on payment transactions for medical products or services, or an aggregate list or description based on payment transactions for medical products or services is disclosed to an affiliate. 33 Paragraph (b) provides that the special restrictions on sharing the information outlined in paragraph (a) with affiliates do not apply, and the standard exclusions from the definition of consumer report remain in effect, if the information is disclosed to an affiliate in certain circumstances. Paragraph (b) incorporates the four statutory exceptions from section 604(g)(3)(A) and (B) of the Act. The first exception is when the information described in paragraph (a) is shared with an affiliate in connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003). The second exception is when the information described in paragraph (a) is shared with an affiliate for any purpose permitted without authorization under the Standards for Individually Identifiable Health Information promulgated by the Department of Health and Human Services (HHS) pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The third exception is when the information described in paragraph (a) is shared with an affiliate for any purpose referred to under section 1179 of HIPAA. Section 1179 of HIPAA provides that to the extent that an entity is engaged in activities of a financial institution or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting payments for a financial institution, the HIPAA standards and requirements do not apply to the entity with respect to such activities. Section 1179 also provides as an example of a use or disclosure of information not covered by that statute, the use or disclosure of information for authorizing, processing, clearing, settling, billing, transferring, reconciling, or collection, a payment for, or related to, health care premiums 34 or health care. For purposes of this rulemaking, the phrase “purposes referred to under section 1179” means, at a minimum, authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting payments. The fourth exception is when the information described in paragraph (a) is shared with an affiliate for any purpose described in section 502(e) of the GLB Act. The Agencies note that some of the purposes described in section 502(e) of the GLB Act may be germane to the sharing of information among affiliates—for example, sharing with the consent of the consumer, for fraud prevention purposes, or as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer—while other purposes described in section 502(e) are not—for example, sharing information with law enforcement or regulatory authorities. In addition to the statutory exceptions, paragraph (b) also contains two additional exceptions that the Agencies believe are necessary and appropriate. Paragraph (b)(5) provides that the special restrictions on sharing the information described in paragraph (a) with affiliates do not apply, and the standard exclusions from the definition of consumer report remain in effect, if the information is disclosed to an affiliate in connection with a determination of the consumer’s eligibility, or continued eligibility, for credit consistent with § ___.30 of this subpart. The Agencies believe it is necessary and appropriate to allow an affiliate to share medical information with another affiliate that obtains or uses it consistent with § ___.30. Paragraph (b)(6) provides that the special restrictions on sharing medical-related information with affiliates do not apply if otherwise permitted by order of the appropriate 35 agency. This exception incorporates the authority delegated to the Agencies by Congress to create exceptions through orders. The Agencies note that prohibitions on obtaining or using medical information in § ___.30 operate independent of the exceptions that permit the sharing of that information among affiliates in accordance with the provisions of section 603(d)(2) of the Act. For example, if a mortgage lender has obtained and used medical information in accordance with one of the exceptions in § ___.30(c) or (d), the mortgage lender may share that information with its credit card affiliate without becoming a consumer reporting agency if one of the exceptions in § ___.31(b) applies. However, the credit card affiliate may not obtain or use that information in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit, unless consistent with § ___.30. The Agencies invite comment on the exceptions included in proposed § ___.31(b). Specifically, comment is solicited on whether additional or different exceptions are necessary and appropriate. Additional Issues The statute provides that the final rules shall take effect on the later of 90 days after the rules are issued in final form, or the date specified in the regulations. Comment is requested on whether an effective date of 90 days after the final rules are issued is appropriate or whether a different effective date should be established. III. Regulatory Analysis Paperwork Reduction Act In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3506; 5 CFR 1320), the Agencies reviewed the proposed rule to implement section 411 of the Fair and 36 Accurate Credit Transactions Act of 2003 as required by the Office of Management and Budget. No collections of information pursuant to the Paperwork Reduction Act are contained in the proposed rule. Initial Regulatory Flexibility Analysis OCC: The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA) requires an agency to either provide an Initial Regulatory Flexibility Analysis with a proposed rule or certify that the proposed rule will not have a significant economic impact on a substantial number of small entities (defined for purposes of the RFA to include banks with less than $150 million in assets). A. Reasons for Proposed Rule Section 411 of the FACT Act requires the OCC, together with the other Agencies, to publish rules that are determined to be necessary and appropriate to protect legitimate operational, transactional risk, consumer, and other needs, including actions necessary for administrative verification, consistent with the intent of the section to restrict the use of medical information for inappropriate purposes, that permit the use of medical information in connection with any determination of a consumer’s eligibility, or continued eligibility for credit. Section 411 also authorizes the OCC to issue regulations that are determined to be necessary and appropriate so as to exclude medical information shared by a covered entity with an affiliate from the definition of a consumer report in section 603(d) of the Fair Credit Reporting Act, and to address the reuse and redisclosure of medical information. The OCC does not expect that this rule, if adopted, would have a significant economic impact on small entities. The proposed rule implements section 411 of the 37 FACT Act and imposes only minimal economic impact on national banks. The proposed rule would create exceptions to the FACT Act's prohibition against national banks obtaining and using a consumer's medical information in connection with credit determinations. Additionally, the proposed rule would implement the FACT Act's restrictions on the sharing of medical information among affiliates and would include exceptions to permit the sharing of medical information in certain circumstances. The proposed rule would apply to all national banks that obtain or use medical information in connection with credit determinations, regardless of bank size. However, it is likely that small national banks, because of the nature and size of their operations, will encounter fewer instances where they might obtain or use medical information. Therefore, no group of national banks, particularly small national banks, is expected to encounter a significant economic impact. However, the OCC invites comment on whether these assumptions are correct. Also, the OCC invites comment on the burden that likely will result on small institutions from this rulemaking, and has prepared the following analysis. B. Statement of Objectives and Legal Basis The objectives of the proposed rule are described in the Supplementary Information section. In sum, the objectives are: (1) to implement the general statutory prohibition on creditors obtaining and using medical information in connection with credit eligibility determinations; (2) to fulfill the statutory mandate to prescribe regulations that permit creditors to obtain and use medical information for eligibility purposes when necessary and appropriate to protect legitimate operational, transaction, risk, consumer, and other needs by granting exceptions; and (3) to implement the statutory exceptions to the special restrictions on sharing medical information with 38 affiliates and to propose two additional exceptions the Agencies believe may be necessary and appropriate. The legal bases for the proposed rule are the National Bank Act found at 12 U.S.C. 1 et seq., 24(Seventh), 481, and 484, the Depository Institutions Deregulation and Monetary Control Act of 1980 found at 12 U.S.C. 93a, and the Federal Deposit Insurance Act found at 12 U.S.C. 1818; and the Fair Credit Reporting Act found at 15 U.S.C. 1681a, 1681b, and 1681s. C. Description of Small Entities to Which the Rule Will Apply The proposed rule would apply to 1,214 national banks, Federal branches, and Federal agencies of foreign banks with assets under $150 million. D. Projected Reporting, Recordkeeping and Other Compliance Requirements The OCC does not believe that the proposed rule imposes any reporting or any specific recordkeeping requirements within the meaning of the RFA. Section 411 requires that all covered entities have the ability to identify medical information as defined by the FACT Act in order to avoid the general prohibition against obtaining or using it in connection with any eligibility determination. This may entail some training costs. However, the OCC believes that training costs will be minimal for a variety of reasons. One reason is the OCC does not believe that covered entities presently obtain or use medical information in making credit eligibility determinations on a broad basis. Another is that bank staff would already be trained on complying with other laws governing obtaining and using confidential information, including medical information, as discussed below. 39 Further, entities have the option of complying with the general statutory prohibition on obtaining and using medical information or an applicable exception. Thus, any burden that may be associated with complying with the exceptions can be avoided entirely by complying with the general prohibition. The OCC contemplates that those entities that find the exceptions to be burden reducing would opt to use them. The OCC solicits information and comment on these assumptions. The OCC also seeks information and comment on any costs, such as training costs, compliance requirements, or changes in operating procedures arising from the application of the proposed rule in addition to or which may differ from those arising from the application of the statute generally. E. Identification of Duplicative, Overlapping, or Conflicting Federal Rules The OCC is unable to identify any statutes or rules, which would overlap or conflict with the proposed regulation. The OCC seeks comment and information about any such statutes or rules, as well as any other state, local, or industry rules or policies that require a covered institution to implement business practices that would comply with the requirements of the proposed rule. F. Discussion of Significant Alternatives The proposed rule creates exceptions to the general prohibition on the use of medical information in determining the eligibility of a consumer for an initial extension or the continuation of an extension of credit. The proposed rule attempts to harmonize the circumstances under which a credit reporting agency may transfer medical information to a user of consumer reports with the ability of a financial institution to obtain and use that information. The proposed rule also provides exceptions, in addition 40 to those contained in section 411, under which a financial institution may share medical information with an affiliate and not become a consumer reporting agency. In developing the proposal, the Agencies considered numerous alternatives. In particular, the Agencies considered creating a wide variety of possible exceptions to the general prohibition on obtaining and using medical information and numerous alternatives. A number of these are discussed in the Supplementary Information, including the following: 1. The Agencies considered clarifying through an exception that obtaining and using medical information in connection with debt cancellation, debt suspension, or credit insurance products or similar forbearance practices or programs, is not prohibited, but are proposing to clarify this point through interpretation instead; 2. The Agencies considered three options that would allow creditors to obtain and use consumer reports containing the various types of information described in section 604(g)(1) of the FCRA and are soliciting comment on these approaches; 3. The Agencies considered the need for a broader exception to permit creditors to make a “medical accommodation” where individual circumstances may warrant such an accommodation; and 4. The Agencies further considered the need to establish an exception for consumer consent whereby a creditor could request that a consumer consent to the specific use of the consumer’s medical information. In all these cases and others, the Agencies have described relevant alternatives and are inviting comment on them in the Supplementary Information section. 41 The relatively narrow scope of the exceptions proposed reflects the statutory mandate to create only those exceptions “determined to be necessary and appropriate.” While the Agencies believe that the proposed exceptions would be among those useful to small entities as well as large, we are not proposing a general exception that would apply only to small entities. Comment is solicited on whether such an exception would be necessary and appropriate and whether the risk is different for a small entity than a large entity that medical information obtained might be used for the type of “inappropriate purposes” the statute prohibits. The OCC welcomes comments on any significant alternatives, consistent with the mandate in section 411 to protect the privacy of medical information, that would minimize the impact of the proposed rule on small entities. Board: Subject to certain exceptions, the Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA) requires an agency to publish an initial regulatory flexibility analysis with a proposed rule whenever the agency is required to publish a general notice of proposed rulemaking for a proposed rule. The Supplementary Information above describes the reasons why the regulations are being proposed and the objectives and the legal basis of the proposed rule. The Supplementary Information section also describes the compliance requirements of the proposed rule and identifies other relevant Federal rules which may duplicate or overlap with the proposed rule. The Board, in connection with its initial regulatory flexibility analysis, requests public comment in the following areas. A. Reasons for the Proposed Rule Section 411 of the FACT Act requires the Board, together with the other Agencies, to publish rules that are determined to be necessary and appropriate to protect 42 legitimate operational, transactional risk, consumer, and other needs, including actions necessary for administrative verification, consistent with the intent of the section to restrict the use of medical information for inappropriate purposes, that permit the use of medical information in connection with any determination of a consumer’s eligibility, or continued eligibility for credit. It permits the Board to issue regulations that are determined to be necessary and appropriate so as to exclude medical information shared by a covered entity with an affiliate from the definition of a consumer report in section 603(d) of the FCRA, and to address the reuse and redisclosure of medical information. B. Statement of Objectives and Legal Basis The Supplementary Information above contains this information. The legal basis for the proposed rule is section 411 of the FACT Act. C. Description of Small Entities to Which the Rule Applies The proposed rule would apply to all banks that are members of the Federal Reserve System (other than national banks), branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.), bank holding companies and affiliates (other than depository institutions and consumer reporting agencies) of such holding companies. The Board’s proposed rule will apply to the following institutions (numbers approximate): State member banks (932), bank holding companies (5,152), holding company non-bank subsidiaries (2,131), U.S. branches and agencies of foreign banks (289), Edge and agreement corporations (75), for a total of approximately 8,579 institutions. The Board 43 estimates that over 5,000 of these institutions could be considered small institutions with assets less than $150 million. D. Projected Reporting, Recordkeeping and Other Compliance Requirements The Board does not believe that the proposed rule imposes any new reporting or recordkeeping requirements, as defined in section 603 of the RFA. Section 411 requires that all covered entities have the ability to identify medical information as defined in order to avoid the general prohibition against obtaining or using it in connection with any eligibility determination. The Board believes that identifying that information for the purpose of either using it in eligibility determinations pursuant to the exceptions or to share the information with affiliates places no additional compliance burdens or costs on financial institutions. The Board seeks information and comment on any costs, compliance requirements, or changes in operating procedures arising from the application of the proposed rule in addition to or which may differ from those arising from the application of the statute generally. E. Identification of Duplicative, Overlapping, or Conflicting Federal Rules The Board is unable to identify any federal statutes or regulations that would duplicate, overlap, or conflict with the proposed rule. The Board seeks comment regarding any statues or regulations, including state or local statutes or regulations, that would duplicate, overlap, or conflict with the proposed rule, including particularly any that address situations in which medical information may be: (i) obtained or used in connection with a determination of credit eligibility; or (ii) shared among financial institutions and their affiliates. 44 F. Discussion of Significant Alternatives The proposed rule creates exceptions to the general prohibition to the use of medical information in determining the eligibility of a consumer for an initial extension or the continuation of an extension of credit. The proposed rule attempts to harmonize the circumstances under which a credit reporting agency may transfer medical information to a user of consumer reports with the ability of a financial institution to obtain and use that information. The proposed rule also provides exceptions, in addition to those contained in section 411, under which a financial institution may share medical information with an affiliate and not become a consumer reporting agency. The Board welcomes comments on any significant alternatives, consistent with the mandate in section 411 to protect the privacy of medical information, that would minimize the impact of the proposed rule on small entities. FDIC: Subject to certain exceptions, the Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA) requires an agency to publish an initial regulatory flexibility analysis with a proposed rule whenever the agency is required to publish a general notice of proposed rulemaking for a proposed rule. The FDIC, in connection with its initial regulatory flexibility analysis, requests public comment in the following areas. A. Reasons for the Proposed Rule Section 411 of the FACT Act requires the FDIC, together with the other Agencies, to publish rules that are determined to be necessary and appropriate to protect legitimate operational, transactional risk, consumer, and other needs, including actions necessary for administrative verification, consistent with the intent of the section to restrict the use of medical information for inappropriate purposes, that permit the use of 45 medical information in connection with any determination of a consumer’s eligibility, or continued eligibility for credit. It permits the FDIC to issue regulations that are determined to be necessary and appropriate so as to exclude medical information shared by a covered entity with an affiliate from the definition of a consumer report in section 603(d) of the FCRA, and to address the reuse and redisclosure of medical information. B. Statement of Objectives and Legal Basis The Supplementary Information above contains this information. The legal basis for the proposed rule is section 411 of the FACT Act. C. Description of Small Entities to Which the Rule Applies The proposed rule would apply to all state non-member banks, approximately 3,700 of which are small entities as defined by the RFA. D. Projected Reporting, Recordkeeping and Other Compliance Requirements The FDIC does not believe that the proposed rule imposes any new reporting or recordkeeping requirements, as defined in section 603 of the RFA. Section 411 requires that all covered entities have the ability to identify medical information as defined in order to avoid the general prohibition against obtaining or using it in connection with any eligibility determination. The FDIC believes that identifying that information for the purpose of either using it in eligibility determinations pursuant to the exceptions or to share the information with affiliates places no additional compliance burdens or costs on financial institutions. The FDIC seeks information and comment on any costs, compliance requirements, or changes in operating procedures arising from the application of the 46 proposed rule in addition to or which may differ from those arising from the application of the statute generally. E. Identification of Duplicative, Overlapping, or Conflicting Federal Rules The FDIC is unable to identify any federal statutes or regulations that would duplicate, overlap, or conflict with the proposed rule. The FDIC seeks comment regarding any statues or regulations, including state or local statutes or regulations, that would duplicate, overlap, or conflict with the proposed rule, including particularly any that address situations in which medical information may be: (i) obtained or used in connection with a determination of credit eligibility; or (ii) shared among financial institutions and their affiliates. F. Discussion of Significant Alternatives The proposed rule creates exceptions to the general prohibition to the use of medical information in determining the eligibility of a consumer for an initial extension or the continuation of an extension of credit. The proposed rule attempts to harmonize the circumstances under which a credit reporting agency may transfer medical information to a user of consumer reports with the ability of a financial institution to obtain and use that information. The proposed rule also provides exceptions, in addition to those contained in section 411, under which a financial institution may share medical information with an affiliate and not become a consumer reporting agency. The FDIC welcomes comments on any significant alternatives, consistent with the mandate in section 411 to protect the privacy of medical information, that would minimize the impact of the proposed rule on small entities. 47 OTS: The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA) requires an agency to either provide an Initial Regulatory Flexibility Analysis (IRFA) with a proposed rule or certify that the proposed rule will not have a significant economic impact on a substantial number of small entities. As discussed below, OTS does not expect that this rule, if adopted, would have a significant economic impact on a substantial number of small entities. Nonetheless, it is providing this IRFA. The proposed rule implements section 411 of the FACT Act. The proposed rule would implement the statutory prohibition on creditors obtaining and using a consumer’s medical information in connection with credit determinations, while creating exceptions in certain circumstances. Additionally, the proposed rule would implement the FACT Act’s restrictions on the sharing of medical information among affiliates, while including exceptions to permit the sharing of medical information in certain circumstances. As discussed below, the proposed rule would apply to savings associations or their subsidiaries, savings and loan holding companies, or affiliates of savings associations or savings and loan holding companies other than bank holding companies, banks, or subsidiaries of bank holding companies or banks. OTS does not expect that this rule, if adopted, would have a significant economic impact on a substantial number of small entities. The general statutory prohibition on obtaining and using medical information incorporated into the rule will only apply impact entities that obtain or use medical information in connection with credit determinations, regardless of size. OTS does not believe that obtaining and using medical information for credit eligibility determinations is a widespread practice today among creditors it regulates. Small entities, because of the nature and size of their operations, may be less 48 likely than larger institutions to do so. Therefore, no group of covered entities, particularly small ones, is expected to encounter a significant economic impact. However, OTS invites comment whether these assumptions are correct. OTS further invites comment on the burden that will result on small entities from this rulemaking, and has prepared the following analysis. A. Reasons for the Proposed Rule Section 411 of the FACT Act requires OTS, together with the other Agencies, to publish rules that are determined to be necessary and appropriate to protect legitimate operational, transactional risk, consumer, and other needs, including actions necessary for administrative verification, consistent with the intent of the section to restrict the use of medical information for inappropriate purposes, that permit the use of medical information in connection with any determination of a consumer’s eligibility, or continued eligibility for credit. Section 411 also authorizes OTS to issue regulations that are determined to be necessary and appropriate so as to exclude medical information shared by a covered entity with an affiliate from the definition of a consumer report in section 603(d) of the Fair Credit Reporting Act, and to address the reuse and redisclosure of medical information. B. Statement of Objectives and Legal Basis The objectives of the proposed rule are described in the Supplementary Information section. In sum, the objectives are: (1) to implement the general statutory prohibition on creditors obtaining and using medical information in connection with credit eligibility determinations, (2) to fulfill the statutory mandate to prescribe regulations that permit creditors to obtain and use medical information for eligibility 49 purposes when necessary and appropriate to protect legitimate operational, transaction, risk, consumer, and other needs by granting exceptions, and (3) to implement the statutory exceptions to the special restrictions on sharing medical information with affiliates and to propose two additional exceptions the Agencies believe may be necessary and appropriate. The legal bases for the proposed rule are provisions of: (1) the Home Owners’ Loan Act found at 12 U.S.C. 1462a, 1463, 1464, and 1467a; (2) the Federal Deposit Insurance Act, the Bank Protection Act, and other banking laws found at 12 U.S.C. 1828, 1831p-1, and 1881-1884; (3) the Fair Credit Reporting Act found at 15 U.S.C. 1681s and 1681w; and (4) the Gramm-Leach-Bliley Act found at 15 U.S.C. 6801 and 6805(b)(1). C. Description of Small Entities to Which the Rule Applies Section 571.30(a)-(d) of the proposed rule would apply to those creditors, as defined in § 571.30(a)(2), that are savings associations or their subsidiaries, savings and loan holding companies, or affiliates of savings associations or savings and loan holding companies other than bank holding companies, banks, or subsidiaries of bank holding companies or banks. Sections 571.30(e) and 571.31 of the proposed rule would apply to all savings associations and, in accordance with 12 C.F.R. § 559.3(h)(1), to federal savings association operating subsidiaries as well. Small savings associations are generally defined, for RFA purposes, as those with assets of $150 million or less. 13 CFR 121.201 (2003). OTS calculates that of the 921 savings associations, a maximum of 479 of these are small savings associations. OTS 50 also calculates that these 479 savings associations hold 122 subordinate organizations that could possibly qualify as small entities. With regard to savings and loan holding companies, the Small Business Administration (SBA) prescribes size standards for various economic activities and industries using the North American Industry Classification System (NAICS). 13 CFR part 121. Under the SBA’s standards, companies that are primarily engaged in holding securities of (or other equity interests in) depository institutions for the purpose of controlling those companies are addressed at NAICS Codes 551111 and 551112 (Office of Bank Holding Companies and Office of Other Holding Companies). Companies within this group are considered to be small if they have annual receipts of $6 million or less. Companies that are primarily engage in holding the securities of depository institutions and operating these entities are classified under NAICS Codes 522110522190. Companies classified in this group are considered to be small if their total assets are less than $150 million. In this IRFA, OTS has analyzed the impact of this rule using both the $150 million asset size standard and the $6 million annual receipts standard. OTS specifically requests comment on its use of these standards. Commenters are invited to address whether these or other size standards are appropriate. OTS calculates that there are approximately 969 OTS-regulated savings and loan holding companies. OTS further calculates that there are maximum of 381 savings and loan holding companies that could possibly qualify as small entities. OTS estimates that there are 151 small savings and loan holding companies under an asset-based definition 51 of $150 million or less of assets and 381 small savings and loan holding companies under a revenue-based definition of $6 million or less in annual receipts. D. Projected Reporting, Recordkeeping and Other Compliance Requirements OTS does not believe that the proposed rule imposes any new reporting or any specific recordkeeping requirements within the meaning of the RFA. Implicitly, however, section 411 requires that all covered entities have the ability to identify medical information as defined by the FACT Act in order to avoid the general prohibition against obtaining or using it in connection with any eligibility determination. This may entail some training costs. However, OTS believes that training costs will be minimal for a variety of reasons. One reason is OTS does not believe that covered entities currently widely obtain or use medical information in making credit eligibility determinations. Another is that staff would already be trained on complying with other laws governing obtaining and using confidential information, including medical information, as discussed below. Further, entities have the option of complying with the general statutory prohibition on obtaining and using medical information or an applicable exception. Thus, any additional burden that may be associated with complying with the exceptions can be avoided entirely by complying with the general prohibition instead. OTS contemplates that entities that find the exceptions to be burden reducing would opt to use them and that others would choose to comply with the general prohibition. OTS solicits information and comments on these assumptions. OTS also solicits information and comment on any costs, such as training costs, as well as compliance requirements, or changes in operating procedures arising from the application of the 52 proposed rule in addition to or which may differ from those arising from the application of the statute generally. E. Identification of Duplicative, Overlapping, or Conflicting Federal Rules The Supplementary Information section describes the compliance requirements of the proposed rule and identifies other relevant Federal rules that may duplicate or overlap with the proposed rule. As discussed in the Supplementary Information, other laws and rules issued under these laws, such as the Americans with Disabilities Act, the Fair Housing Act, the Gramm-Leach-Bliley Act, and other parts of the FCRA, may limit or regulate the use, collection, and sharing of consumer information, including medical information. In particular, these and other laws and rules, such as the Equal Credit Opportunity Act and Regulation B, also may prohibit creditors from using certain information that is excluded from the restrictions on obtaining or using medical information, such as age or gender information, in determining eligibility for credit or for other purposes. In this sense, there may be some overlap between these federal statutes and regulations and the proposed rule. OTS seeks comment and information regarding any statues or rules, including state or local statutes or regulations, that would duplicate, overlap, or conflict with the proposed rule, including particularly any that address situations in which medical information may be: (i) obtained or used in connection with a determination of credit eligibility; or (ii) shared among financial institutions and their affiliates. F. Discussion of Significant Alternatives The proposed rule creates exceptions to the general prohibition to the use of medical information in determining the eligibility of a consumer for an initial extension 53 or the continuation of an extension of credit. The proposed rule attempts to harmonize the circumstances under which a credit reporting agency may transfer medical information to a user of consumer reports with the ability of a financial institution to obtain and use that information. The proposed rule also provides exceptions, in addition to those contained in section 411, under which a financial institution may share medical information with an affiliate and not become a consumer reporting agency. In developing the proposal, the Agencies considered numerous alternatives. In particular, it considered a wide variety of possible exceptions to create to the general prohibition on obtaining and using medical information and numerous alternatives. A number of these are discussed in the Supplementary Information, including the following: 1. The Agencies considered clarifying through an exception that obtaining and using medical information in connection with debt cancellation, debt suspension, or credit insurance products or similar forbearance practices or programs, is not prohibited, but are proposing to clarify this point through interpretation instead. 2. The Agencies considered three options that would allow creditors to obtain and use consumer reports containing the various types of information described in section 604(g)(1) of the FCRA and are soliciting comment on these approaches. 3. The Agencies considered the need for a broader exception to permit creditors to make a “medical accommodation” where individual circumstances may warrant such an accommodation. 54 4. The Agencies further considered the need to establish an exception for consumer consent whereby a creditor could request that a consumer consent to the specific use of the consumer’s medical information. In all these cases and others, the Agencies have described relevant alternatives and are inviting comment on them in the Supplementary Information section. The relatively narrow scope of the exceptions proposed reflects the statutory mandate to create only those exceptions “determined to be necessary and appropriate.” While the Agencies believe that the proposed exceptions would be among those useful to small entities as well as large, we are not proposing a general exception that would apply only to small entities. Comment is solicited on whether such an exception would be necessary and appropriate and whether the risk is different for a small entity than a large entity that medical information obtained might be used for the type of “inappropriate purposes” the statute prohibits. OTS welcomes comments on any significant alternatives, consistent with the mandate in section 411 to protect the privacy of medical information, which would minimize the impact of the proposed rule on small entities. NCUA: The Regulatory Flexibility Act requires the NCUA to prepare an analysis to describe any significant economic impact a proposed rule may have on a substantial number of small credit unions (those under $10 million in assets). Section 411 of the FACT Act limits the ability of creditors to obtain or use medical information in connection with credit eligibility determinations and narrows when any person can share medical information and medical-related information with affiliates without becoming a consumer reporting agency for purposes of the FCRA. The 55 statute requires the NCUA and the federal banking agencies to prescribe regulations that create exceptions to permit creditors to obtain or use medical information in connection with credit eligibility determinations where necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (including administrative verification purposes), consistent with congressional intent to restrict the use of medical information for inappropriate purposes. Furthermore, the statute grants discretionary rulemaking authority to the NCUA, the federal banking agencies, and the Federal Trade Commission to create exceptions, in addition to those already provided in the statute, to allow affiliates to share medical information and medical-related information. Proposed §§ 717.30 and 717.31 of the NCUA's proposed regulations would apply to all federal credit unions, regardless of their size. The proposed rule would contain restrictions set forth in section 411 of the FACT Act on federal credit unions obtaining and using medical information in connection with credit eligibility determinations and the sharing of medical information and medical-related information with affiliates. The proposed regulations, however, also would grant exceptions to the statutory limitations to allow creditors to obtain or use medical information in enumerated situations in connection with determinations of consumer eligibility or continued eligibility for credit. The proposal would also enumerate the situations in which federal credit unions would be permitted to share medical information among affiliates. NCUA is not aware of any other federal rules that duplicate, overlap, or conflict with the proposed rule. NCUA specifically requests comment on the impact of the proposed rule on small federal credit unions. 56 OCC and OTS Executive Order 12866 Determination The OCC and OTS each has determined that its portion of the proposed rulemaking is not a significant regulatory action under Executive Order 12866. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination. OCC Executive Order 13132 Determination The OCC has determined that this proposal does not have any Federalism implications, as required by Executive Order 13132. NCUA Executive Order 13132 Determination Executive Order 13132 encourages independent regulatory agencies to consider the impact of their actions on state and local interests. In adherence to fundamental federalism principles, the NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5), voluntarily complies with the executive order. The proposed rule applies only to federally chartered credit unions and would not have substantial direct effects on the states, on the connection between the national government and the states, or on the distribution of power and responsibilities among the various levels of government. The NCUA has determined that this proposed rule does not constitute a policy that has federalism implications for purposes of the executive order. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104-4 (Unfunded Mandates Act) requires that an agency prepare a budgetary impact statement before promulgating a rule that includes a Federal mandate that may result in expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 205 57 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. The OCC and OTS each has determined that this proposed rule will not result in expenditures by State, local, and tribal governments, or by the private sector, of $100 million or more. Accordingly, neither the OCC nor the OTS has prepared a budgetary impact statement or specifically addressed the regulatory alternatives considered. NCUA: The Treasury and General Government Appropriations Act, 1999 – Assessment of Federal Regulations and Policies on Families The NCUA has determined that this proposed rule would not affect family wellbeing within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681 (1998). NCUA: Interpretive Ruling and Policy Statement (IRPS) 87-2, as amended by IRPS 03-2 Under NCUA's IRPS 87-2, as amended by IRPS 03-2, the NCUA Board's general policy is to provide a 60-day comment period for a proposed regulation. In this case, the NCUA Board believes that a 30-day comment period will be adequate and is appropriate given that the statutory deadline for the final rule is June 4, 2004. NCUA IRPS 87-2, 52 FR 35231, Sept. 18, 1987, as amended by IRPS 03-2, 68 FR 31949, May 29, 2003. OCC Community Bank Comment Request The OCC invites your comments on the impact of this proposal on community banks. The OCC recognizes that community banks operate with more limited resources than larger institutions and may present a different risk profile. Thus, the OCC specifically requests comment on the impact of the proposal on community banks’ current resources and available personnel with the requisite expertise, and whether the 58 goals of the proposal could be achieved, for community banks, through an alternative approach. IV. Solicitation of Comments on Use of Plain Language Section 722 of the GLB Act requires the Agencies3 to use plain language in all proposed and final rules published after January 1, 2000. We invite your comments on how to make this proposed rule easier to understand. For example: • Have we organized the material to suit your needs? If not, how could this material be better organized? • Are the requirements in the rule clearly stated? If not, how could the rule be more clearly stated? • Do the regulations contain technical language or jargon that is not clear? If so, which language requires clarification? • Would a different format (grouping and order of sections, use of headings, paragraphing) make the regulation easier to understand? If so, what changes to the format would make the regulation easier to understand? • Would more, but shorter, sections be better? If so, which sections should be changed? • What else could we do to make the regulation easier to understand? List of Subjects 12 CFR Part 41 Banks, banking, Consumer protection, National banks, Reporting and recordkeeping requirements. 59 12 CFR Part 222 Banks, banking, Consumer protection, Credit, Fair Credit Reporting Act, Holding companies, Privacy, Reporting and recordkeeping requirements, State member banks. 12 CFR Part 334 Administrative practice and procedure, Bank deposit insurance, Banks, banking, Reporting and recordkeeping requirements, Safety and soundness. 12 CFR Part 571 Consumer protection, Credit, Fair Credit Reporting Act, Privacy, Reporting and recordkeeping requirements, Savings associations. 12 CFR Part 717 Consumer protection, Credit unions, Fair credit reporting, Medical information, Privacy, Reporting and recordkeeping requirements. Office of the Comptroller of the Currency 12 CFR Chapter I Authority and Issuance For the reasons set forth in the preamble, the OCC proposes to amend Chapter I of Title 12 of the Code of Federal Regulations as follows: 1. Add part 41 to read as follows: PART 41―FAIR CREDIT Sec. Subpart A―General Provisions 41.1 Purpose and scope. 3 Section 722 of the GLB Act does not apply to NCUA, but NCUA has a similar Agency Regulatory Goal to promote clear and understandable regulations that impose minimal regulatory burden. 60 41.2 Examples. 41.3 Definitions. Subpart B [Reserved] Subpart C [Reserved] Subpart D—Medical Information 41.30 Obtaining or using medical information in connection with a determination of eligibility for credit. 41.31 Sharing medical information with affiliates. Authority: 12 U.S.C. 1 et seq., 24(Seventh), 93a, 481, 484, and 1818; 15 U.S.C. 1681a, 1681b, and 1681s. Subpart A―General Provisions § 41.1 Purpose and scope. (a) Purpose. The purpose of this part is to establish standards for national banks in key areas of regulation regarding consumer report information and fair credit. In addition, the purpose of this part is to specify the type of information, including medical information, national banks may obtain, use, or share among affiliates. This part also contains a number of measures national banks must take to combat consumer fraud and related crimes, including identity theft. (b) Scope. (1) [Reserved] (2) Institutions covered. Except as otherwise provided in this part, these regulations apply to national banks, Federal branches and Agencies of foreign banks, and their respective operating subsidiaries that are not functionally regulated within the 61 meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)). § 41.2 Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. Examples in a paragraph illustrate only the issue described in the paragraph and do not illustrate any other issue that may arise in this part. § 41.3 Definitions. As used in this part, unless the context requires otherwise: (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.). (b) Affiliate means any company that controls, is controlled by, or is under common control with another company. (c) [Reserved] (d) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization. (e) Consumer means an individual. (f) [Reserved] (g) [Reserved] (h) [Reserved] (i) Control of a company means: (1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons; 62 (2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or (3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the OCC determines. (j) [Reserved] (k) Medical information means: (1) Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to: (i) The past, present, or future physical, mental, or behavioral health or condition of an individual; (ii) The provision of health care to an individual; or (iii) The payment for the provision of health care to an individual. (2) The term does not include: (i) The age or gender of a consumer; (ii) Demographic information about the consumer, including a consumer’s residence address or e-mail address; or (iii) Any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy. (l) [Reserved] (m) [Reserved] (n) [Reserved] 63 ***** Subpart B [Reserved] Subpart C [Reserved] Subpart D—Medical Information § 41.30 Obtaining or using medical information in connection with a determination of eligibility for credit. (a) General prohibition on obtaining or using medical information--(1) In general. A bank may not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit, except as provided in this subpart. (2) Definitions as used in this subpart--(i) Eligibility, or continued eligibility, for credit means the consumer’s qualification or fitness to receive, or continue to receive, credit, including the terms on which credit is offered, primarily for personal, family, or household purposes. The term does not include: (A) The consumer’s qualification or fitness to be offered employment, insurance products, or other non-credit products or services; (B) Any determination of whether the provisions of a debt cancellation contract, debt suspension agreement, credit insurance product, or similar forbearance practice or program are triggered; (C) Authorizing, processing, or documenting a payment or transaction on behalf of the consumer in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit; or 64 (D) Maintaining or servicing the consumer’s account in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit. (ii) Bank means an institution that: (A) is covered by this part in § 41.1(b)(2); and (B) is a “creditor” as that term is defined by section 702 of the Equal Credit Opportunity Act (15 U.S.C. 1691a). (iii) Credit has the same meaning as in section 702 of the Equal Credit Opportunity Act (15 U.S.C. 1691a). (b) Rule of construction for receiving unsolicited medical information--(1) In general. A bank does not obtain medical information for purposes of paragraph (a)(1) of this section if it: (i) Receives medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit without specifically requesting medical information; and (ii) Does not use that information in determining whether to extend or continue to extend credit to the consumer and the terms on which credit is offered or continued. (2) Examples of receiving unsolicited medical information. A bank receives unsolicited medical information if, for example: (i) In response to a general question regarding a consumer’s debts or expenses, the bank receives information that the consumer has a particular medical condition and does not use that information in determining whether to extend credit to the consumer or the terms on which credit is offered. 65 (ii) In conversation with the loan officer, the consumer informs the bank that the consumer has a particular medical condition, and the bank does not use that information in determining whether to extend credit to the consumer or the terms on which credit is offered. (c) Financial information exception for obtaining and using medical information(1) In general. A bank may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit so long as: (i) The information relates to debts, expenses, income, benefits, collateral, or the purpose of the loan, including the use of proceeds; (ii) The bank uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction; and (iii) The bank does not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination. (2) Examples--(i) Examples of information related to debts, expenses, income, benefits, collateral, or the purpose of the loan. Paragraph (c)(1)(i) of this section permits a bank, for example, to obtain and use information about: (A) The dollar amount, repayment terms, repayment history, and similar information regarding medical debts that is used to calculate, measure, or verify the repayment ability of the consumer, the use of proceeds, or the terms for granting credit; 66 (B) The value, condition, and lien status of a medical device that is used as collateral to secure a loan; (C) The dollar amount and continued eligibility for disability income or benefits related to health or a medical condition that is relied on as a source of repayment; or (D) The identity of entities to whom outstanding medical debts are owed in connection with an application for credit, including but not limited to a transaction involving the consolidation of medical debts. (ii) Examples of uses of medical information consistent with the exception. (A) A consumer includes on an application for credit information about two $20,000 debts. One debt is to a hospital; the other debt is to a retailer. The bank contacts the hospital and the retailer to verify the amount and payment status of the debts. The bank learns that both debts are more than 90 days past due. Any two debts of this size that are past due would disqualify the consumer under the bank’s established underwriting criteria. The bank denies the application on the basis that the consumer has a poor repayment history on outstanding debts. The bank has used medical information in a manner and to an extent no less favorable than it would use comparable non-medical information. (B) A consumer indicates on an application for a $200,000 mortgage loan that she receives $15,000 in long-term disability income each year from her former employer and has no other income. Annual income of $15,000, regardless of source, would not be sufficient to support the requested amount of credit. The bank denies the application on the basis that the projected debt-to-income ratio of the consumer does not meet the bank’s underwriting criteria. The bank has used medical information in a manner and to an extent that is no less favorable than it would use comparable non-medical information. 67 (C) A consumer includes on an application for a $10,000 home equity loan that he has a $50,000 debt to a medical facility that specializes in treating a potentially terminal disease. The bank contacts the medical facility to verify the debt and obtain the repayment history and current status of the loan. The bank learns that the debt is current and that the applicant meets the income requirements of the bank’s underwriting guidelines. The bank grants the application. The bank has used medical information in accordance with the exception. (iii) Examples of uses of medical information inconsistent with the exception. (A) A consumer applies for $25,000 of credit and includes on the application information about a $50,000 debt to a hospital. The bank contacts the hospital to verify the amount and payment status of the debt, and learns that the debt is current and that the consumer has no delinquencies in her repayment history. If the existing debt were instead owed to a home furnishing retailer, the bank would approve the application and extend credit based on the amount and repayment history of the outstanding debt. The bank, however, denies the application because the consumer is indebted to a hospital. The bank has used medical information, here the identity of the hospital, in a manner and to an extent that is less favorable than it would use comparable non-medical information. (B) A consumer meets with a loan officer of a bank to apply for a mortgage loan. While filling out the loan application, the consumer informs the loan officer orally that she has a potentially terminal disease. The consumer meets the bank’s established requirements for the requested mortgage. The loan officer recommends to the credit committee that the consumer be denied credit because the consumer has that disease. The bank has used medical information in a manner inconsistent with the exception by 68 taking into account the consumer’s physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis as part of a determination of eligibility or continued eligibility for credit. (d) Specific exceptions for obtaining and using medical information--(1) In general. A bank may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit: (i) To determine whether the use of a power of attorney or legal representative is necessary and appropriate; (ii) To comply with applicable requirements of local, state, or federal laws; (iii) To the extent such information is included in a consumer report from a consumer reporting agency, in accordance with 15 U.S.C. 1681b(g)(1)(B), and is used for the purpose(s) for which the consumer provided specific written consent; (iv) For purposes of fraud prevention and detection; (v) In the case of credit for the purpose of financing medical products or services, to determine and verify the medical purpose of a loan and the use of proceeds; (vi) If the consumer or the consumer’s legal representative requests in writing, on a separate form signed by the consumer or the consumer’s legal representative that the bank use specific medical information for a specific purpose in determining the consumer’s eligibility, or continued eligibility, for credit, to accommodate the consumer’s particular circumstances. The signed written request must describe the specific medical information that the consumer requests the bank to use and the specific purpose for which the information will be used; or 69 (vii) As otherwise permitted by order of the OCC. (2) Examples of determining the medical purpose of the loan or the use of proceeds. (i) If a consumer applies for $10,000 of credit for the purpose of financing vision correction surgery, the bank may confirm the consumer’s medical eligibility to undergo that procedure with the surgeon. If the surgeon reports that surgery will not be performed on the consumer, the bank may use that medical information to deny the consumer’s application for credit, because the loan would not be used for the stated purpose. (ii) If a consumer applies for $10,000 of credit for the purpose of financing cosmetic surgery, the bank may confirm the cost of the procedure with the surgeon. If the surgeon reports that the cost of the procedure is $5,000, the bank may use that medical information to offer the consumer only $5,000 of credit. (iii) A bank has an established medical loan program for financing particular elective surgical procedures. The bank receives a loan application from a consumer requesting $10,000 of credit under the established loan program for an elective surgical procedure. The consumer indicates on the application that the purpose of the loan is to finance an elective surgical procedure not eligible for funding under the guidelines of the established loan program. The bank may deny the consumer’s application because the purpose of the loan is not for a particular procedure funded by the established loan program. (3) Examples of obtaining and using medical information at the request of the consumer. Consistent with safe and sound practices, and after obtaining from the consumer a signed, written document that describes the specific medical information that 70 the consumer requests the bank to use and the specific purpose for which the information will be used, the bank may obtain and use the specific medical information for the specific purpose described in the request: (i) If a consumer applies for a loan and requests that the bank consider the consumer’s medical disability at the relevant time as an explanation for adverse payment history information in his credit report, the bank may consider such medical information in evaluating the consumer’s willingness and ability to repay the requested loan. (ii) If a consumer applies for a loan and explains that his income has been and will continue to be interrupted on account of a medical condition and that he expects to repay the loan from liquidation of assets, the bank may evaluate the application using the sale of assets as the primary source of repayment. (e) Limits on redisclosure of information. If the bank receives medical information about a consumer from a consumer reporting agency or its affiliate, the bank must not disclose that information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order. § 41.31 Sharing medical information with affiliates. (a) In general. The exclusions from the term “consumer report” in section 603(d)(2) of the Act that allow the sharing of information with affiliates do not apply if the bank communicates to an affiliate: (1) Medical information; (2) An individualized list or description based on the payment transactions of the consumer for medical products or services; or 71 (3) An aggregate list of identified consumers based on payment transactions for medical products or services. (b) Exceptions. The bank may rely on the exclusions from the term “consumer report” in section 603(d)(2) of the Act to communicate the information in paragraph (a) of this section to an affiliate: (1) In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003); (2) For any purpose permitted without authorization under the regulations promulgated by the U.S. Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); (3) For any purpose referred to in section 1179 of HIPAA; (4) For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act; (5) In connection with a determination of the consumer’s eligibility, or continued eligibility, for credit consistent with § 41.30; or (6) As otherwise permitted by order of the OCC. Board of Governors of the Federal Reserve System 12 CFR Chapter II Authority and Issuance For the reasons set forth in the joint preamble, Title 12, Chapter II, of the Code of Federal Regulations is proposed to be amended by revising part 222 to read as follows: 72 PART 222―FAIR CREDIT REPORTING (REGULATION V) 1. The authority citation for part 222 is amended to read as follows: Authority: 15 U.S.C. 1681b and 1681s; Secs. 3 and 217, Pub. L. 108-159, 117 Stat. 1952. 2. In Subpart A to Part 222, the following amendments are made: a. Section 222.1 is amended by adding a new paragraph (b). b. Section 222.2 is added. c. Section 222.3 is added. 3. A new Subpart D is added to Part 222. Subpart A―General Provisions § 222.1 Purpose, scope, and effective dates ***** (b) Scope. (1) [Reserved] (2) Institutions covered. (i) Except as otherwise provided in paragraph (b)(2) of this section, these regulations apply to banks that are members of the Federal Reserve System (other than national banks), branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.), and bank holding companies and affiliates of such holding companies. (ii) [Reserved] 73 (iii) Section 222.30(a)-(d) of this part applies to persons listed in paragraph (b)(2)(i) of this section that are creditors. (iv) Section 222.31 of this part applies to banks that are members of the Federal Reserve System (other than national banks), branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.). ***** § 222.2 Examples The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. Examples in a paragraph illustrate only the issue described in the paragraph and do not illustrate any other issue that may arise in this part. § 222.3 Definitions As used in this part, unless the context requires otherwise: (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.). (b) Affiliate means any company that controls, is controlled by, or is under common control with another company. (c) [Reserved] (d) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization. (e) Consumer means an individual. 74 (f) [Reserved] (g) [Reserved] (h) [Reserved] (i) Control of a company means: (1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons; (2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or (3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the Board determines. (j) [Reserved] (k) Medical information means: (1) Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to— (i) The past, present, or future physical, mental, or behavioral health or condition of an individual; (ii) The provision of health care to an individual; or (iii) The payment for the provision of health care to an individual. (2) The term does not include: (i) The age or gender of a consumer; 75 (ii) Demographic information about the consumer, including a consumer’s residence address or e-mail address; or (iii) Any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy. (l) [Reserved] (m) [Reserved] (n) [Reserved] (o) You means member banks of the Federal Reserve System (other than national banks), branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.), and bank holding companies and affiliates of such holding companies (other than depository institutions and consumer reporting agencies). ***** Subpart B—[Reserved] Subpart C—[Reserved] 76 Subpart D—Medical Information Sec. § 222.30 Obtaining or using medical information in connection with a determination of eligibility for credit § 222.31 Sharing medical information with affiliates Subpart D—Medical Information § 222.30 Obtaining or using medical information in connection with a determination of eligibility for credit (a) General prohibition on obtaining or using medical information. (1) In general. A creditor may not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit, except as provided in this subpart. (2) Definitions as used in this subpart. (i) Eligibility, or continued eligibility, for credit means the consumer’s qualification or fitness to receive, or continue to receive, credit, including the terms on which credit is offered, primarily for personal, family, or household purposes. The term does not include: (A) The consumer’s qualification or fitness to be offered employment, insurance products, or other non-credit products or services; (B) Any determination of whether the provisions of a debt cancellation contract, debt suspension agreement, credit insurance product, or similar forbearance practice or program are triggered; (C) Authorizing, processing, or documenting a payment or transaction on behalf of the consumer in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit; or 77 (D) Maintaining or servicing the consumer’s account in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit. (ii) Creditor has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a. (iii) Credit has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a. (b) Rule of construction for receiving unsolicited medical information. (1) In general. A creditor does not obtain medical information for purposes of paragraph (a)(1) of this section if it— (i) Receives medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit without specifically requesting medical information; and (ii) Does not use that information in determining whether to extend or continue to extend credit to the consumer and the terms on which credit is offered or continued. (2) Examples of receiving unsolicited medical information. A creditor receives unsolicited medical information if, for example: (i) In response to a general question regarding a consumer’s debts or expenses, the creditor receives information that the consumer has a particular medical condition and does not use that information in determining whether to extend credit to the consumer or the terms on which credit is offered. (ii) In conversation with the loan officer, the consumer informs the creditor that the consumer has a particular medical condition, and the creditor does not use that 78 information in determining whether to extend credit to the consumer or the terms on which credit is offered. (c) Financial information exception for obtaining and using medical information. (1) In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit so long as: (i) The information relates to debts, expenses, income, benefits, collateral, or the purpose of the loan, including the use of proceeds; (ii) The creditor uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction; and (iii) The creditor does not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination. (2) Examples. (i) Examples of information related to debts, expenses, income, benefits, collateral, or the purpose of the loan. Paragraph (c)(1)(i) of this section permits a creditor, for example, to obtain and use information about: (A) The dollar amount, repayment terms, repayment history, and similar information regarding medical debts that is used to calculate, measure, or verify the repayment ability of the consumer, the use of proceeds, or the terms for granting credit; (B) The value, condition, and lien status of a medical device that is used as collateral to secure a loan; 79 (C) The dollar amount and continued eligibility for disability income or benefits related to health or a medical condition that is relied on as a source of repayment; or (D) The identity of creditors to whom outstanding medical debts are owed in connection with an application for credit, including but not limited to a transaction involving the consolidation of medical debts. (ii) Examples of uses of medical information consistent with the exception. (A) A consumer includes on an application for credit information about two $20,000 debts. One debt is to a hospital; the other debt is to a retailer. The creditor contacts the hospital and the retailer to verify the amount and payment status of the debts. The creditor learns that both debts are more than 90 days past due. Any two debts of this size that are past due would disqualify the consumer under the creditor’s established underwriting criteria. The creditor denies the application on the basis that the consumer has a poor repayment history on outstanding debts. The creditor has used medical information in a manner and to an extent no less favorable than it would use comparable non-medical information. (B) A consumer indicates on an application for a $200,000 mortgage loan that she receives $15,000 in long-term disability income each year from her former employer and has no other income. Annual income of $15,000, regardless of source, would not be sufficient to support the requested amount of credit. The creditor denies the application on the basis that the projected debt-to-income ratio of the consumer does not meet the creditor’s underwriting criteria. The creditor has used medical information in a manner and to an extent that is no less favorable than it would use comparable non-medical information. 80 (C) A consumer includes on an application for a $10,000 home equity loan that he has a $50,000 debt to a medical facility that specializes in treating a potentially terminal disease. The creditor contacts the medical facility to verify the debt and obtain the repayment history and current status of the loan. The creditor learns that the debt is current and that the applicant meets the income requirements of the creditor’s underwriting guidelines. The creditor grants the application. The creditor has used medical information in accordance with the exception. (iii) Examples of uses of medical information inconsistent with the exception. (A) A consumer applies for $25,000 of credit and includes on the application information about a $50,000 debt to a hospital. The creditor contacts the hospital to verify the amount and payment status of the debt, and learns that the debt is current and that the consumer has no delinquencies in her repayment history. If the existing debt were instead owed to a home furnishing retailer, the creditor would approve the application and extend credit based on the amount and repayment history of the outstanding debt. The creditor, however, denies the application because the consumer is indebted to a hospital. The creditor has used medical information, here the identity of the medical creditor, in a manner and to an extent that is less favorable than it would use comparable non-medical information. (B) A consumer meets with a loan officer of a creditor to apply for a mortgage loan. While filling out the loan application, the consumer informs the loan officer orally that she has a potentially terminal disease. The consumer meets the creditor’s established requirements for the requested mortgage. The loan officer recommends to the credit committee that the consumer be denied credit because the consumer has that disease. 81 The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer’s physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis as part of a determination of eligibility or continued eligibility for credit. (d) Specific exceptions for obtaining and using medical information. (1) In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit— (i) To determine whether the use of a power of attorney or legal representative is necessary and appropriate; (ii) To comply with applicable requirements of local, state, or federal laws; (iii) To the extent such information is included in a consumer report from a consumer reporting agency, in accordance with 15 U.S.C. 1681b(g)(1)(B), and is used for the purpose(s) for which the consumer provided specific written consent; (iv) For purposes of fraud prevention and detection; (v) In the case of credit for the purpose of financing medical products or services, to determine and verify the medical purpose of a loan and the use of proceeds; (vi) If the consumer or the consumer’s legal representative requests in writing, on a separate form signed by the consumer or the consumer’s legal representative that the creditor use specific medical information for a specific purpose in determining the consumer’s eligibility, or continued eligibility, for credit, to accommodate the consumer’s particular circumstances. The signed written request must describe the 82 specific medical information that the consumer requests the creditor to use and the specific purpose for which the information will be used; or (vii) As otherwise permitted by order of the Board. (2) Examples of determining the medical purpose of the loan or the use of proceeds. (i) If a consumer applies for $10,000 of credit for the purpose of financing vision correction surgery, the creditor may confirm the consumer’s medical eligibility to undergo that procedure with the surgeon. If the surgeon reports that surgery will not be performed on the consumer, the creditor may use that medical information to deny the consumer’s application for credit, because the loan would not be used for the stated purpose. (ii) If a consumer applies for $10,000 of credit for the purpose of financing cosmetic surgery, the creditor may confirm the cost of the procedure with the surgeon. If the surgeon reports that the cost of the procedure is $5,000, the creditor may use that medical information to offer the consumer only $5,000 of credit. (iii) A creditor has an established medical loan program for financing particular elective surgical procedures. The creditor receives a loan application from a consumer requesting $10,000 of credit under the established loan program for an elective surgical procedure. The consumer indicates on the application that the purpose of the loan is to finance an elective surgical procedure not eligible for funding under the guidelines of the established loan program. The creditor may deny the consumer’s application because the purpose of the loan is not for a particular procedure funded by the established loan program. 83 (3) Examples of obtaining and using medical information at the request of the consumer. Consistent with safe and sound practices, and after obtaining from the consumer a signed, written document that describes the specific medical information that the consumer requests the creditor to use and the specific purpose for which the information will be used, the creditor may obtain and use the specific medical information for the specific purpose specified in the request: (i) If a consumer applies for a loan and requests that the creditor consider the consumer’s medical disability at the relevant time as an explanation for adverse payment history information in his credit report, the creditor may consider such medical information in evaluating the consumer’s willingness and ability to repay the requested loan. (ii) If a consumer applies for a loan and explains that his income has been and will continue to be interrupted on account of a medical condition and that he expects to repay the loan from liquidation of assets, the creditor may evaluate the application using the sale of assets as the primary source of repayment. (e) Limits on redisclosure of information. If you receive medical information about a consumer from a consumer reporting agency or your affiliate, you must not disclose that information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order. § 222.31 Sharing medical information with affiliates (a) In general. The exclusions from the term “consumer report” in section 603(d)(2) of the Act that allow the sharing of information with affiliates do not apply to a 84 person described in § 222.1(b)(2)(iv) of this part if that person communicates to an affiliate— (1) Medical information; (2) An individualized list or description based on the payment transactions of the consumer for medical products or services; or (3) An aggregate list of identified consumers based on payment transactions for medical products or services. (b) Exceptions. A person described in § 222.1(b)(2)(iv) of this part may rely on the exclusions from the term “consumer report” in section 603(d)(2) of the Act to communicate the information in paragraph (a) to an affiliate— (1) In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003); (2) For any purpose permitted without authorization under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); (3) For any purpose referred to in section 1179 of HIPAA; (4) For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act; (5) In connection with a determination of the consumer’s eligibility, or continued eligibility, for credit consistent with § 222.30 of this part; or (6) As otherwise permitted by order of the Board. Federal Deposit Insurance Corporation 85 12 CFR Chapter III Authority and Issuance For the reasons set forth in the joint preamble, the Federal Deposit Insurance Corporation proposes to create part 334 of chapter III of title 12 of the Code of Federal Regulations to read as follows: PART 334―FAIR CREDIT REPORTING Subpart A―General Provisions Sec. § 334.1 Purpose, scope, and effective dates § 334.2 Examples § 334.3 Definitions Subpart B―[Reserved] Subpart C―[Reserved] Subpart D—Medical Information § 334.30 Obtaining or using medical information in connection with a determination of eligibility for credit § 334.31 Sharing medical information with affiliates Authority: 12 U.S.C. 1819(Tenth) and 1818; 15 U.S.C. 1681b and 1681s. Subpart A―General Provisions § 334.1 Purpose, scope, and effective dates (a) [Reserved] (b) Scope. (1) [Reserved] (2) Institutions covered. 86 (i) Except as otherwise provided in this paragraph, these regulations apply to banks insured by the FDIC (other than District Banks and members of the Federal Reserve System) and insured State branches of foreign banks and any subsidiaries and affiliates of such entities; and other entities or persons with respect to which the FDIC may exercise its enforcement authority under any provision of law. For purposes of this definition, a subsidiary does not include a broker, dealer, person providing insurance, investment company, and investment advisor. (ii) [Reserved] (iii) Section 334.30 of this part applies to creditors, as defined in § 334.30(a)(2), that are subject to the jurisdiction of the Federal Deposit Insurance Corporation under paragraph (b)(2)(i) of this section. § 334.2 Examples The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. Examples in a paragraph illustrate only the issue described in the paragraph and do not illustrate any other issue that may arise in this part. § 334.3 Definitions As used in this part, unless the context requires otherwise: (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.). (b) Affiliate means any company that controls, is controlled by, or is under common control with another company. (c) [Reserved] 87 (d) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization. (e) Consumer means an individual. (f) [Reserved] (g) [Reserved] (h) [Reserved] (i) Control of a company means: (1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons; (2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or (3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the Board determines. (j) [Reserved] (k) Medical information means: (1) Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to— (i) The past, present, or future physical, mental, or behavioral health or condition of an individual; (ii) The provision of health care to an individual; or (iii) The payment for the provision of health care to an individual. 88 (2) The term does not include: (i) The age or gender of a consumer; (ii) Demographic information about the consumer, including a consumer’s residence address or e-mail address; or (iii) Any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy. (l) [Reserved] (m) [Reserved] (n) [Reserved] (o) You means banks insured by the FDIC (other than District Banks and members of the Federal Reserve System) and insured State branches of foreign banks and any subsidiaries and affiliates of such entities; and other entities or persons with respect to which the FDIC may exercise its enforcement authority under any provision of law. For purposes of this definition, a subsidiary does not include a broker, dealer, person providing insurance, investment company, and investment advisor. Subpart B—[Reserved] Subpart C—[Reserved] Subpart D—Medical Information § 334.30 Obtaining or using medical information in connection with a determination of eligibility for credit (a) General prohibition on obtaining or using medical information. (1) In general. A creditor may not obtain or use medical information pertaining to a consumer 89 in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit, except as provided in this subpart. (2) Definitions as used in this subpart. (i) Eligibility, or continued eligibility, for credit means the consumer’s qualification or fitness to receive, or continue to receive, credit, including the terms on which credit is offered, primarily for personal, family, or household purposes. The term does not include: (A) The consumer’s qualification or fitness to be offered employment, insurance products, or other non-credit products or services; (B) Any determination of whether the provisions of a debt cancellation contract, debt suspension agreement, credit insurance product, or similar forbearance practice or program are triggered; (C) Authorizing, processing, or documenting a payment or transaction on behalf of the consumer in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit; or (D) Maintaining or servicing the consumer’s account in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit. (ii) Creditor has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a. (iii) Credit has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a. (b) Rule of construction for receiving unsolicited medical information. (1) In general. A creditor does not obtain medical information for purposes of paragraph (a)(1) of this section if it— 90 (i) Receives medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit without specifically requesting medical information; and (ii) Does not use that information in determining whether to extend or continue to extend credit to the consumer and the terms on which credit is offered or continued. (2) Examples of receiving unsolicited medical information. A creditor receives unsolicited medical information if, for example: (i) In response to a general question regarding a consumer’s debts or expenses, the creditor receives information that the consumer has a particular medical condition and does not use that information in determining whether to extend credit to the consumer or the terms on which credit is offered. (ii) In conversation with the loan officer, the consumer informs the creditor that the consumer has a particular medical condition, and the creditor does not use that information in determining whether to extend credit to the consumer or the terms on which credit is offered. (c) Financial information exception for obtaining and using medical information. (1) In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit so long as: (i) The information relates to debts, expenses, income, benefits, collateral, or the purpose of the loan, including the use of proceeds; 91 (ii) The creditor uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction; and (iii) The creditor does not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination. (2) Examples. (i) Examples of information related to debts, expenses, income, benefits, collateral, or the purpose of the loan. Paragraph (c)(1)(i) of this section permits a creditor, for example, to obtain and use information about: (A) The dollar amount, repayment terms, repayment history, and similar information regarding medical debts that is used to calculate, measure, or verify the repayment ability of the consumer, the use of proceeds, or the terms for granting credit; (B) The value, condition, and lien status of a medical device that is used as collateral to secure a loan; (C) The dollar amount and continued eligibility for disability income or benefits related to health or a medical condition that is relied on as a source of repayment; or (D) The identity of creditors to whom outstanding medical debts are owed in connection with an application for credit, including but not limited to a transaction involving the consolidation of medical debts. (ii) Examples of uses of medical information consistent with the exception. (A) A consumer includes on an application for credit information about two $20,000 debts. One debt is to a hospital; the other debt is to a retailer. The creditor contacts the hospital and the retailer to verify the amount and payment status of the debts. The creditor learns 92 that both debts are more than 90 days past due. Any two debts of this size that are past due would disqualify the consumer under the creditor’s established underwriting criteria. The creditor denies the application on the basis that the consumer has a poor repayment history on outstanding debts. The creditor has used medical information in a manner and to an extent no less favorable than it would use comparable non-medical information. (B) A consumer indicates on an application for a $200,000 mortgage loan that she receives $15,000 in long-term disability income each year from her former employer and has no other income. Annual income of $15,000, regardless of source, would not be sufficient to support the requested amount of credit. The creditor denies the application on the basis that the projected debt-to-income ratio of the consumer does not meet the creditor’s underwriting criteria. The creditor has used medical information in a manner and to an extent that is no less favorable than it would use comparable non-medical information. (C) A consumer includes on an application for a $10,000 home equity loan that he has a $50,000 debt to a medical facility that specializes in treating a potentially terminal disease. The creditor contacts the medical facility to verify the debt and obtain the repayment history and current status of the loan. The creditor learns that the debt is current and that the applicant meets the income requirements of the creditor’s underwriting guidelines. The creditor grants the application. The creditor has used medical information in accordance with the exception. (iii) Examples of uses of medical information inconsistent with the exception. (A) A consumer applies for $25,000 of credit and includes on the application information about a $50,000 debt to a hospital. The creditor contacts the hospital to 93 verify the amount and payment status of the debt, and learns that the debt is current and that the consumer has no delinquencies in her repayment history. If the existing debt were instead owed to a home furnishing retailer, the creditor would approve the application and extend credit based on the amount and repayment history of the outstanding debt. The creditor, however, denies the application because the consumer is indebted to a hospital. The creditor has used medical information, here the identity of the medical creditor, in a manner and to an extent that is less favorable than it would use comparable non-medical information. (B) A consumer meets with a loan officer of a creditor to apply for a mortgage loan. While filling out the loan application, the consumer informs the loan officer orally that she has a potentially terminal disease. The consumer meets the creditor’s established requirements for the requested mortgage. The loan officer recommends to the credit committee that the consumer be denied credit because the consumer has that disease. The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer’s physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis as part of a determination of eligibility or continued eligibility for credit. (d) Specific exceptions for obtaining and using medical information. (1) In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit— (i) To determine whether the use of a power of attorney or legal representative is necessary and appropriate; 94 (ii) To comply with applicable requirements of local, state, or federal laws; (iii) To the extent such information is included in a consumer report from a consumer reporting agency, in accordance with 15 U.S.C. 1681b(g)(1)(B), and is used for the purpose(s) for which the consumer provided specific written consent; (iv) For purposes of fraud prevention and detection; (v) In the case of credit for the purpose of financing medical products or services, to determine and verify the medical purpose of a loan and the use of proceeds; (vi) If the consumer or the consumer’s legal representative requests in writing, on a separate form signed by the consumer or the consumer’s legal representative that the creditor use specific medical information for a specific purpose in determining the consumer’s eligibility, or continued eligibility, for credit, to accommodate the consumer’s particular circumstances. The signed written request must describe the specific medical information that the consumer requests the creditor to use and the specific purpose for which the information will be used; or (vii) As otherwise permitted by order of the Board. (2) Examples of determining the medical purpose of the loan or the use of proceeds. (i) If a consumer applies for $10,000 of credit for the purpose of financing vision correction surgery, the creditor may confirm the consumer’s medical eligibility to undergo that procedure with the surgeon. If the surgeon reports that surgery will not be performed on the consumer, the creditor may use that medical information to deny the consumer’s application for credit, because the loan would not be used for the stated purpose. 95 (ii) If a consumer applies for $10,000 of credit for the purpose of financing cosmetic surgery, the creditor may confirm the cost of the procedure with the surgeon. If the surgeon reports that the cost of the procedure is $5,000, the creditor may use that medical information to offer the consumer only $5,000 of credit. (iii) A creditor has an established medical loan program for financing particular elective surgical procedures. The creditor receives a loan application from a consumer requesting $10,000 of credit under the established loan program for an elective surgical procedure. The consumer indicates on the application that the purpose of the loan is to finance an elective surgical procedure not eligible for funding under the guidelines of the established loan program. The creditor may deny the consumer’s application because the purpose of the loan is not for a particular procedure funded by the established loan program. (3) Examples of obtaining and using medical information at the request of the consumer. Consistent with safe and sound practices, and after obtaining from the consumer a signed, written document that describes the specific medical information that the consumer requests the creditor to use and the specific purpose for which the information will be used, the creditor may obtain and use the specific medical information for the specific purpose specified in the request: (i) If a consumer applies for a loan and requests that the creditor consider the consumer’s medical disability at the relevant time as an explanation for adverse payment history information in his credit report, the creditor may consider such medical information in evaluating the consumer’s willingness and ability to repay the requested loan. 96 (ii) If a consumer applies for a loan and explains that his income has been and will continue to be interrupted on account of a medical condition and that he expects to repay the loan from liquidation of assets, the creditor may evaluate the application using the sale of assets as the primary source of repayment. (e) Limits on redisclosure of information. If you receive medical information about a consumer from a consumer reporting agency or your affiliate, you must not disclose that information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order. § 334.31 Sharing medical information with affiliates (a) In general. The exclusions from the term “consumer report” in section 603(d)(2) of the Act that allow the sharing of information with affiliates do not apply if you communicate to an affiliate— (1) Medical information; (2) An individualized list or description based on the payment transactions of the consumer for medical products or services; or (3) An aggregate list of identified consumers based on payment transactions for medical products or services. (b) Exceptions. You may rely on the exclusions from the term “consumer report” in section 603(d)(2) of the Act to communicate the information in paragraph (a) to an affiliate— (1) In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and 97 Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003); (2) For any purpose permitted without authorization under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); (3) For any purpose referred to in section 1179 of HIPAA; (4) For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act; (5) In connection with a determination of the consumer’s eligibility, or continued eligibility, for credit consistent with § 334.30 of this part; or (6) As otherwise permitted by order of the Board. Office of Thrift Supervision 12 CFR Chapter V Authority and Issuance For the reasons set forth in the joint preamble, the Office of Thrift Supervision proposes to amend chapter V of title 12 of the Code of Federal Regulations by adding a new part 571 to read as follows: PART 571―FAIR CREDIT REPORTING Subpart A―General Provisions Sec. 571.1 Purpose, scope, and effective dates 571.2 Examples 571.3 Definitions Subpart B―[Reserved] 98 Subpart C―[Reserved] Subpart D—Medical Information 571.30 Obtaining or using medical information in connection with a determination of eligibility for credit 571.31 Sharing medical information with affiliates Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, 1881-1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1). Subpart A―General Provisions § 571.1 Purpose, scope, and effective dates (a) [Reserved] (b) Scope. (1) [Reserved] (2) Institutions covered. (i) Except as otherwise provided in this paragraph (b)(2), this part applies to savings associations whose deposits are insured by the Federal Deposit Insurance Corporation (and federal savings association operating subsidiaries in accordance with § 559.3(h)(1) of this chapter). (ii) [Reserved] (iii) Section 571.30(a)-(d) of this part applies to creditors, as defined in § 571.30(a)(2), that are savings associations or their subsidiaries, savings and loan holding companies, or affiliates of savings associations or savings and loan holding companies other than bank holding companies, banks, or subsidiaries of bank holding companies or banks. § 571.2 Examples 99 The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. Examples in a paragraph illustrate only the issue described in the paragraph and do not illustrate any other issue that may arise in this part. § 571.3 Definitions As used in this part, unless the context requires otherwise: (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.). (b) Affiliate means any company that controls, is controlled by, or is under common control with another company. (c) [Reserved] (d) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization. (e) Consumer means an individual. (f) [Reserved] (g) [Reserved] (h) [Reserved] (i) Control of a company means: (1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons; (2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or 100 (3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as OTS determines. (j) [Reserved] (k) Medical information means: (1) Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to— (i) The past, present, or future physical, mental, or behavioral health or condition of an individual; (ii) The provision of health care to an individual; or (iii) The payment for the provision of health care to an individual. (2) The term does not include: (i) The age or gender of a consumer; (ii) Demographic information about the consumer, including a consumer’s residence address or e-mail address; or (iii) Any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy. (l)–(n) [Reserved] (o) You means savings associations whose deposits are insured by the Federal Deposit Insurance Corporation (and federal savings association operating subsidiaries in accordance with § 559.3(h)(1) of this chapter). 101 Subpart B—[Reserved] Subpart C—[Reserved] Subpart D—Medical Information § 571.30 Obtaining or using medical information in connection with a determination of eligibility for credit (a) General prohibition on obtaining or using medical information. (1) In general. A creditor may not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit, except as provided in this subpart. (2) Definitions as used in this subpart. (i) Eligibility, or continued eligibility, for credit means the consumer’s qualification or fitness to receive, or continue to receive, credit, including the terms on which credit is offered, primarily for personal, family, or household purposes. The term does not include: (A) The consumer’s qualification or fitness to be offered employment, insurance products, or other non-credit products or services; (B) Any determination of whether the provisions of a debt cancellation contract, debt suspension agreement, credit insurance product, or similar forbearance practice or program are triggered; (C) Authorizing, processing, or documenting a payment or transaction on behalf of the consumer in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit; or (D) Maintaining or servicing the consumer’s account in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit. 102 (ii) Creditor has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a. (iii) Credit has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a. (b) Rule of construction for receiving unsolicited medical information. (1) In general. A creditor does not obtain medical information for purposes of paragraph (a)(1) of this section if it— (i) Receives medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit without specifically requesting medical information; and (ii) Does not use that information in determining whether to extend or continue to extend credit to the consumer and the terms on which credit is offered or continued. (2) Examples of receiving unsolicited medical information. A creditor receives unsolicited medical information if, for example: (i) In response to a general question regarding a consumer’s debts or expenses, the creditor receives information that the consumer has a particular medical condition and does not use that information in determining whether to extend credit to the consumer or the terms on which credit is offered. (ii) In conversation with the loan officer, the consumer informs the creditor that the consumer has a particular medical condition, and the creditor does not use that information in determining whether to extend credit to the consumer or the terms on which credit is offered. 103 (c) Financial information exception for obtaining and using medical information. (1) In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit so long as: (i) The information relates to debts, expenses, income, benefits, collateral, or the purpose of the loan, including the use of proceeds; (ii) The creditor uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction; and (iii) The creditor does not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination. (2) Examples. (i) Examples of information related to debts, expenses, income, benefits, collateral, or the purpose of the loan. Paragraph (c)(1)(i) of this section permits a creditor, for example, to obtain and use information about: (A) The dollar amount, repayment terms, repayment history, and similar information regarding medical debts that is used to calculate, measure, or verify the repayment ability of the consumer, the use of proceeds, or the terms for granting credit; (B) The value, condition, and lien status of a medical device that is used as collateral to secure a loan; (C) The dollar amount and continued eligibility for disability income or benefits related to health or a medical condition that is relied on as a source of repayment; or 104 (D) The identity of creditors to whom outstanding medical debts are owed in connection with an application for credit, including but not limited to a transaction involving the consolidation of medical debts. (ii) Examples of uses of medical information consistent with the exception. (A) A consumer includes on an application for credit information about two $20,000 debts. One debt is to a hospital; the other debt is to a retailer. The creditor contacts the hospital and the retailer to verify the amount and payment status of the debts. The creditor learns that both debts are more than 90 days past due. Any two debts of this size that are past due would disqualify the consumer under the creditor’s established underwriting criteria. The creditor denies the application on the basis that the consumer has a poor repayment history on outstanding debts. The creditor has used medical information in a manner and to an extent no less favorable than it would use comparable non-medical information. (B) A consumer indicates on an application for a $200,000 mortgage loan that she receives $15,000 in long-term disability income each year from her former employer and has no other income. Annual income of $15,000, regardless of source, would not be sufficient to support the requested amount of credit. The creditor denies the application on the basis that the projected debt-to-income ratio of the consumer does not meet the creditor’s underwriting criteria. The creditor has used medical information in a manner and to an extent that is no less favorable than it would use comparable non-medical information. (C) A consumer includes on an application for a $10,000 home equity loan that he has a $50,000 debt to a medical facility that specializes in treating a potentially terminal disease. The creditor contacts the medical facility to verify the debt and obtain 105 the repayment history and current status of the loan. The creditor learns that the debt is current and that the applicant meets the income requirements of the creditor’s underwriting guidelines. The creditor grants the application. The creditor has used medical information in accordance with the exception. (iii) Examples of uses of medical information inconsistent with the exception. (A) A consumer applies for $25,000 of credit and includes on the application information about a $50,000 debt to a hospital. The creditor contacts the hospital to verify the amount and payment status of the debt, and learns that the debt is current and that the consumer has no delinquencies in her repayment history. If the existing debt were instead owed to a home furnishing retailer, the creditor would approve the application and extend credit based on the amount and repayment history of the outstanding debt. The creditor, however, denies the application because the consumer is indebted to a hospital. The creditor has used medical information, here the identity of the medical creditor, in a manner and to an extent that is less favorable than it would use comparable non-medical information. (B) A consumer meets with a loan officer of a creditor to apply for a mortgage loan. While filling out the loan application, the consumer informs the loan officer orally that she has a potentially terminal disease. The consumer meets the creditor’s established requirements for the requested mortgage. The loan officer recommends to the credit committee that the consumer be denied credit because the consumer has that disease. The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer’s physical, mental, or behavioral health, condition, or 106 history, type of treatment, or prognosis as part of a determination of eligibility or continued eligibility for credit. (d) Specific exceptions for obtaining and using medical information. (1) In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit— (i) To determine whether the use of a power of attorney or legal representative is necessary and appropriate; (ii) To comply with applicable requirements of local, state, or federal laws; (iii) To the extent such information is included in a consumer report from a consumer reporting agency, in accordance with 15 U.S.C. 1681b(g)(1)(B), and is used for the purpose(s) for which the consumer provided specific written consent; (iv) For purposes of fraud prevention and detection; (v) In the case of credit for the purpose of financing medical products or services, to determine and verify the medical purpose of a loan and the use of proceeds; (vi) If the consumer or the consumer’s legal representative requests in writing, on a separate form signed by the consumer or the consumer’s legal representative that the creditor use specific medical information for a specific purpose in determining the consumer’s eligibility, or continued eligibility, for credit, to accommodate the consumer’s particular circumstances. The signed written request must describe the specific medical information that the consumer requests the creditor to use and the specific purpose for which the information will be used; or (vii) As otherwise permitted by order of the Director of OTS. 107 (2) Examples of determining the medical purpose of the loan or the use of proceeds. (i) If a consumer applies for $10,000 of credit for the purpose of financing vision correction surgery, the creditor may confirm the consumer’s medical eligibility to undergo that procedure with the surgeon. If the surgeon reports that surgery will not be performed on the consumer, the creditor may use that medical information to deny the consumer’s application for credit, because the loan would not be used for the stated purpose. (ii) If a consumer applies for $10,000 of credit for the purpose of financing cosmetic surgery, the creditor may confirm the cost of the procedure with the surgeon. If the surgeon reports that the cost of the procedure is $5,000, the creditor may use that medical information to offer the consumer only $5,000 of credit. (iii) A creditor has an established medical loan program for financing particular elective surgical procedures. The creditor receives a loan application from a consumer requesting $10,000 of credit under the established loan program for an elective surgical procedure. The consumer indicates on the application that the purpose of the loan is to finance an elective surgical procedure not eligible for funding under the guidelines of the established loan program. The creditor may deny the consumer’s application because the purpose of the loan is not for a particular procedure funded by the established loan program. (3) Examples of obtaining and using medical information at the request of the consumer. Consistent with safe and sound practices, and after obtaining from the consumer a signed, written document that describes the specific medical information that the consumer requests the creditor to use and the specific purpose for which the 108 information will be used, the creditor may obtain and use the specific medical information for the specific purpose specified in the request: (i) If a consumer applies for a loan and requests that the creditor consider the consumer’s medical disability at the relevant time as an explanation for adverse payment history information in his credit report, the creditor may consider such medical information in evaluating the consumer’s willingness and ability to repay the requested loan. (ii) If a consumer applies for a loan and explains that his income has been and will continue to be interrupted on account of a medical condition and that he expects to repay the loan from liquidation of assets, the creditor may evaluate the application using the sale of assets as the primary source of repayment. (e) Limits on redisclosure of information. If you receive medical information about a consumer from a consumer reporting agency or your affiliate, you must not disclose that information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order. § 571.31 Sharing medical information with affiliates (a) In general. The exclusions from the term “consumer report” in section 603(d)(2) of the Act that allow the sharing of information with affiliates do not apply if you communicate to an affiliate— (1) Medical information; (2) An individualized list or description based on the payment transactions of the consumer for medical products or services; or 109 (3) An aggregate list of identified consumers based on payment transactions for medical products or services. (b) Exceptions. You may rely on the exclusions from the term “consumer report” in section 603(d)(2) of the Act to communicate the information in paragraph (a) of this section to an affiliate— (1) In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003); (2) For any purpose permitted without authorization under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); (3) For any purpose referred to in section 1179 of HIPAA; (4) For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act; (5) In connection with a determination of the consumer’s eligibility, or continued eligibility, for credit consistent with § 571.30 of this part; or (6) As otherwise permitted by order of the Director of OTS. National Credit Union Administration For the reasons set out in the preamble, it is proposed that 12 CFR chapter VII be amended by adding a new part 717 to read as follows: PART 717– FAIR CREDIT REPORTING Subpart A―General Provisions Sec. 110 § 717.1 Purpose, scope, and effective dates § 717.2 Examples § 717.3 Definitions Subpart B―[Reserved] Subpart C―[Reserved] Subpart D—Medical Information § 717.30 Obtaining or using medical information in connection with a determination of eligibility for credit § 717.31 Sharing medical information with affiliates Authority: 15 U.S.C. 1681b and 1681s. Subpart A―General Provisions § 717.1 Purpose, scope, and effective dates (a) [Reserved] (b) Scope. (1) [Reserved] (2) Institutions covered. These regulations apply to federal credit unions. § 717.2 Examples The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. Examples in a paragraph illustrate only the issue described in the paragraph and do not illustrate any other issue that may arise in this part. § 717.3 Definitions As used in this part, unless the context requires otherwise: (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.). 111 (b) Affiliate means any company that controls, is controlled by, or is under common control with another company. For example, an affiliate of a federal credit union is a credit union service organization (CUSO), as provided in 12 CFR part 712, that is controlled by the federal credit union. (c) [Reserved] (d) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization. (e) Consumer means an individual. (f) [Reserved] (g) [Reserved] (h) [Reserved] (i) Control of a company means: (1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons; (2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or (3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the Board determines. (4) Example. NCUA will presume a credit union has a controlling influence over the management or policies of a CUSO, if the CUSO is 67% owned by credit unions. (j) [Reserved] 112 (k) Medical information means: (1) Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to— (i) The past, present, or future physical, mental, or behavioral health or condition of an individual; (ii) The provision of health care to an individual; or (iii) The payment for the provision of health care to an individual. (2) The term does not include: (i) The age or gender of a consumer; (ii) Demographic information about the consumer, including a consumer’s residence address or e-mail address; or (iii) Any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy. (l) [Reserved] (m) [Reserved] (n) [Reserved] (o) You means a federal credit union. Subpart B—[Reserved] Subpart C—[Reserved] Subpart D—Medical Information § 717.30 Obtaining or using medical information in connection with a determination of eligibility for credit 113 (a) General prohibition on obtaining or using medical information. (1) In general. A creditor may not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit, except as provided in this subpart. (2) Definitions as used in this subpart. (i) Eligibility, or continued eligibility, for credit means the consumer’s qualification or fitness to receive, or continue to receive, credit, including the terms on which credit is offered, primarily for personal, family, or household purposes. The term does not include: (A) The consumer’s qualification or fitness to be offered employment, insurance products, or other non-credit products or services; (B) Any determination of whether the provisions of a debt cancellation contract, debt suspension agreement, credit insurance product, or similar forbearance practice or program are triggered; (C) Authorizing, processing, or documenting a payment or transaction on behalf of the consumer in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit; or (D) Maintaining or servicing the consumer’s account in a manner that does not involve a determination of the consumer’s eligibility, or continued eligibility, for credit. (ii) Creditor has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a. (iii) Credit has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a. 114 (b) Rule of construction for receiving unsolicited medical information. (1) In general. A creditor does not obtain medical information for purposes of paragraph (a)(1) of this section if it— (i) Receives medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit without specifically requesting medical information; and (ii) Does not use that information in determining whether to extend or continue to extend credit to the consumer and the terms on which credit is offered or continued. (2) Examples of receiving unsolicited medical information. A creditor receives unsolicited medical information if, for example: (i) In response to a general question regarding a consumer’s debts or expenses, the creditor receives information that the consumer has a particular medical condition and does not use that information in determining whether to extend credit to the consumer or the terms on which credit is offered. (ii) In conversation with the loan officer, the consumer informs the creditor that the consumer has a particular medical condition, and the creditor does not use that information in determining whether to extend credit to the consumer or the terms on which credit is offered. (c) Financial information exception for obtaining and using medical information. (1) In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit so long as: 115 (i) The information relates to debts, expenses, income, benefits, collateral, or the purpose of the loan, including the use of proceeds; (ii) The creditor uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction; and (iii) The creditor does not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination. (2) Examples. (i) Examples of information related to debts, expenses, income, benefits, collateral, or the purpose of the loan. Paragraph (c)(1)(i) of this section permits a creditor, for example, to obtain and use information about: (A) The dollar amount, repayment terms, repayment history, and similar information regarding medical debts that is used to calculate, measure, or verify the repayment ability of the consumer, the use of proceeds, or the terms for granting credit; (B) The value, condition, and lien status of a medical device that is used as collateral to secure a loan; (C) The dollar amount and continued eligibility for disability income or benefits related to health or a medical condition that is relied on as a source of repayment; or (D) The identity of creditors to whom outstanding medical debts are owed in connection with an application for credit, including but not limited to a transaction involving the consolidation of medical debts. (ii) Examples of uses of medical information consistent with the exception. (A) A consumer includes on an application for credit information about two $20,000 debts. 116 One debt is to a hospital; the other debt is to a retailer. The creditor contacts the hospital and the retailer to verify the amount and payment status of the debts. The creditor learns that both debts are more than 90 days past due. Any two debts of this size that are past due would disqualify the consumer under the creditor’s established underwriting criteria. The creditor denies the application on the basis that the consumer has a poor repayment history on outstanding debts. The creditor has used medical information in a manner and to an extent no less favorable than it would use comparable non-medical information. (B) A consumer indicates on an application for a $200,000 mortgage loan that she receives $15,000 in long-term disability income each year from her former employer and has no other income. Annual income of $15,000, regardless of source, would not be sufficient to support the requested amount of credit. The creditor denies the application on the basis that the projected debt-to-income ratio of the consumer does not meet the creditor’s underwriting criteria. The creditor has used medical information in a manner and to an extent that is no less favorable than it would use comparable non-medical information. (C) A consumer includes on an application for a $10,000 home equity loan that he has a $50,000 debt to a medical facility that specializes in treating a potentially terminal disease. The creditor contacts the medical facility to verify the debt and obtain the repayment history and current status of the loan. The creditor learns that the debt is current and that the applicant meets the income requirements of the creditor’s underwriting guidelines. The creditor grants the application. The creditor has used medical information in accordance with the exception. 117 (iii) Examples of uses of medical information inconsistent with the exception. (A) A consumer applies for $25,000 of credit and includes on the application information about a $50,000 debt to a hospital. The creditor contacts the hospital to verify the amount and payment status of the debt, and learns that the debt is current and that the consumer has no delinquencies in her repayment history. If the existing debt were instead owed to a home furnishing retailer, the creditor would approve the application and extend credit based on the amount and repayment history of the outstanding debt. The creditor, however, denies the application because the consumer is indebted to a hospital. The creditor has used medical information, here the identity of the medical creditor, in a manner and to an extent that is less favorable than it would use comparable non-medical information. (B) A consumer meets with a loan officer of a creditor to apply for a mortgage loan. While filling out the loan application, the consumer informs the loan officer orally that she has a potentially terminal disease. The consumer meets the creditor’s established requirements for the requested mortgage. The loan officer recommends to the credit committee that the consumer be denied credit because the consumer has that disease. The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer’s physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis as part of a determination of eligibility or continued eligibility for credit. (d) Specific exceptions for obtaining and using medical information. (1) In general. A creditor may obtain and use medical information pertaining to a consumer in 118 connection with any determination of the consumer’s eligibility, or continued eligibility, for credit— (i) To determine whether the use of a power of attorney or legal representative is necessary and appropriate; (ii) To comply with applicable requirements of local, state, or federal laws; (iii) To the extent such information is included in a consumer report from a consumer reporting agency, in accordance with 15 U.S.C. 1681b(g)(1)(B), and is used for the purpose(s) for which the consumer provided specific written consent; (iv) For purposes of fraud prevention and detection; (v) In the case of credit for the purpose of financing medical products or services, to determine and verify the medical purpose of a loan and the use of proceeds; (vi) If the consumer or the consumer’s legal representative requests in writing, on a separate form signed by the consumer or the consumer’s legal representative that the creditor use specific medical information for a specific purpose in determining the consumer’s eligibility, or continued eligibility, for credit, to accommodate the consumer’s particular circumstances. The signed written request must describe the specific medical information that the consumer requests the creditor to use and the specific purpose for which the information will be used; or (vii) As otherwise permitted by order of the NCUA. (2) Examples of determining the medical purpose of the loan or the use of proceeds. (i) If a consumer applies for $10,000 of credit for the purpose of financing vision correction surgery, the creditor may confirm the consumer’s medical eligibility to undergo that procedure with the surgeon. If the surgeon reports that surgery will not be 119 performed on the consumer, the creditor may use that medical information to deny the consumer’s application for credit, because the loan would not be used for the stated purpose. (ii) If a consumer applies for $10,000 of credit for the purpose of financing cosmetic surgery, the creditor may confirm the cost of the procedure with the surgeon. If the surgeon reports that the cost of the procedure is $5,000, the creditor may use that medical information to offer the consumer only $5,000 of credit. (iii) A creditor has an established medical loan program for financing particular elective surgical procedures. The creditor receives a loan application from a consumer requesting $10,000 of credit under the established loan program for an elective surgical procedure. The consumer indicates on the application that the purpose of the loan is to finance an elective surgical procedure not eligible for funding under the guidelines of the established loan program. The creditor may deny the consumer’s application because the purpose of the loan is not for a particular procedure funded by the established loan program. (3) Examples of obtaining and using medical information at the request of the consumer. Consistent with safe and sound practices, and after obtaining from the consumer a signed, written document that describes the specific medical information that the consumer requests the creditor to use and the specific purpose for which the information will be used, the creditor may obtain and use the specific medical information for the specific purpose specified in the request: (i) If a consumer applies for a loan and requests that the creditor consider the consumer’s medical disability at the relevant time as an explanation for adverse payment 120 history information in his credit report, the creditor may consider such medical information in evaluating the consumer’s willingness and ability to repay the requested loan. (ii) If a consumer applies for a loan and explains that his income has been and will continue to be interrupted on account of a medical condition and that he expects to repay the loan from liquidation of assets, the creditor may evaluate the application using the sale of assets as the primary source of repayment. (e) Limits on redisclosure of information. If you receive medical information about a consumer from a consumer reporting agency or your affiliate, you must not disclose that information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order. § 717.31 Sharing medical information with affiliates (a) In general. The exclusions from the term “consumer report” in section 603(d)(2) of the Act that allow the sharing of information with affiliates do not apply if you communicate to an affiliate— (1) Medical information; (2) An individualized list or description based on the payment transactions of the consumer for medical products or services; or (3) An aggregate list of identified consumers based on payment transactions for medical products or services. 121 (b) Exceptions. You may rely on the exclusions from the term “consumer report” in section 603(d)(2) of the Act to communicate the information in paragraph (a) to an affiliate— (1) In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003); (2) For any purpose permitted without authorization under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA); (3) For any purpose referred to in section 1179 of HIPAA; (4) For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act; (5) In connection with a determination of the consumer’s eligibility, or continued eligibility, for credit consistent with § 717.30 of this part; or (6) As otherwise permitted by order of the NCUA. Dated: April 16, 2004 _____/signed/__________________ John D. Hawke, Jr., Comptroller of the Currency 122 By order of the Board of Governors of the Federal Reserve System, April 22, 2004. /signed/_____________ Jennifer J. Johnson Secretary of the Board Dated at Washington, D.C., the 6th day of April, 2004. By order of the Board of Directors Federal Deposit Insurance Corporation _____/signed/_____ Robert E. Feldman Executive Secretary Dated: April 6, 2004 By the Office of Thrift Supervision. __________/signed/______________ James E. Gilleran, Director. By the National Credit Union Administration Board on April 8, 2004. _/signed/____________________________ Becky Baker Secretary of the Board 123