AL 99-3

Subject: Fair Credit Reporting Act
Date: March 29, 1999

TO: Chief Executive Officers and Compliance Officers of all National Banks, Department and Division Heads, and all Examining Personnel

SUMMARY AND PURPOSE

Recent amendments to the Fair Credit Reporting Act ("FCRA") have enhanced the ability of various businesses, including banks, to exchange customer information among affiliated companies. At the same time, technological advances permit businesses to collect, store, analyze, and disseminate increasing amounts of customer data. Survey data indicate that consumers are sensitive to how businesses, including banks, maintain, use, and analyze information about them. These customer concerns about the accumulation and use of their personal information are likely to increase with the growing use of the Internet and electronic commerce.

The purpose of this advisory is to provide examples from a sampling of existing bank practices that represent effective approaches for complying with notice requirements under the FCRA regarding the sharing of customer information among affiliated companies. These examples are not examination standards and are not intended to be an exclusive description of the various ways in which banks can meet their existing legal obligations under the FCRA, nor do they impose any new obligations on banks. The examples are illustrative of approaches by some national banks that convey meaningful information to their customers about the treatment of personal data. Thus, national banks may find these examples helpful as they develop their own plans and programs to comply with the FCRA.

CONTENTS

Background
    Fair Credit Reporting Act Amendments of 1996
    Developments in the Marketplace
Effective Practices
    Content of Affiliate Sharing Notice
        What type of information is shared
        With whom is the information shared
        Purpose for the sharing
    Presentation of Notice
    Convenience of Customer Opt Out

BACKGROUND

Fair Credit Reporting Act Amendments of 1996

In 1996, Congress adopted amendments to the FCRA that, among other things, permit the efficient flow of customer information among affiliated companies. [Note 1: The Economic Growth and Regulatory Paperwork Reduction Act of 1996 substantially amended the Fair Credit Reporting Act effective September 30, 1997.] The amendments expanded the opportunity for companies "related by common ownership or affiliated by corporate control" to share, without restriction, transaction and experience information -- information that relates solely to an entity's own transactions or experiences with its customers. [Note 2: 15 U.S.C. 1681a(d)(2)(A)(ii).] This information could include, for example, a customer's outstanding balance, whether the customer is delinquent in paying bills, [Note 3: See DiGianni v. Stern’s, 26 F.3d 346, 348-49 (2nd Cir. 1994), cert. denied, 513 U.S. 897 (1994); Smith v. First National Bank of Atlanta, 837 F.2d 1575, 1578 (11th Cir. 1988), cert. denied, 488 U.S. 821 (1988); Rush v. Macy’s New York, Inc., 775 F.2d 1554, 1556-57 (11th Cir. 1985). See also FTC Official Staff Commentary 603(d) item 7A(1) and (3) (May 1990).] and the length of time a customer has held a credit card. [Note 4: FTC FCRA Staff Opinion: Kane-Novak (September 9, 1998).] The law accomplishes this by exempting transaction and experience information from the definition of a consumer report. [Note 5: 15 U.S.C. 1681a(d)(2)(A)(ii).
Generally, a "consumer report" is any communication, by a "consumer reporting agency," of any information that bears on a consumer's credit-worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is collected or used (or expected to be collected or used) as a factor in establishing the consumer's eligibility for credit, insurance, employment, or any other purpose permissible under the Act. Id. 1681a(d)(1). Reports limited to the consumer's name and address, with no connotations to credit worthiness or other characteristics, do not constitute a "consumer report." FTC Official Staff Commentary at 603(d) item 4F. The law also permits the sharing of transaction and experience information with unaffiliated third parties by exempting such information from the definition of a consumer report. 15 U.S.C. 1681a(d)(2)(A)(i).]

Further, the amendments exempt from the definition of a consumer report, the communication among affiliated companies of other information about a consumer (that is, information in addition to transaction and experience information that would ordinarily be considered a consumer report), if certain conditions are met:

(1) it is clearly and conspicuously disclosed to the consumer that information may be shared among affiliated companies; and,
(2) the consumer is given the opportunity, prior to the time that the information is communicated, to direct that such information not be communicated among the entities. [Note 6: 15 U.S.C. 1681a(d)(2)(A)(iii).]

This provision permits a bank to freely share customer information, such as consumer reports or information from a credit application, among affiliated companies if these conditions are satisfied. [Note 7: See Federal Reserve Regulatory Service, Questions and Answers about the Fair Credit Reporting Act, The Financial Institution as a Consumer Reporting Agency, FRRS 6-1605. See also FTC FCRA Staff Opinion: Kane-Novak, supra.]

Failure to comply with these conditions for affiliate information sharing can result in liability (including administrative enforcement and/or civil action) and can make a bank a consumer reporting agency under the FCRA. A consumer reporting agency is subject to various legal obligations to maintain and safeguard consumer information, including limitations on the purposes for which information can be sold or distributed. [Note 8: 15 U.S.C. 1681b.] Consumer reporting agencies are also required to provide consumers an opportunity to review information maintained about them, as well as to establish particular error resolution procedures and consumer complaint mechanisms. [Note 9: Consumer reporting agencies are required to provide consumers access to all information, except credit scores, maintained in the consumer’s file upon request. 15 U.S.C. 1681g(a)(1). In the event a consumer questions the accuracy or completeness of any information in the consumer’s file, the reporting agency must conduct a reinvestigation. 15 U.S.C. 1681i.] Therefore, a bank that wishes to share customer information with its affiliates, that is not limited to transaction and experience information and that otherwise meets the definition of "consumer report," without the burden of complying with these requirements on consumer reporting agencies, must adhere to the FCRA opt-out conditions.

While banks may be subject to federal or state laws in other areas of consumer privacy, [Note 10: For example, the Electronic Funds Transfer Act and its implementing regulation, Regulation E, require a bank to provide its customers a description of the circumstances in the institution’s "ordinary course of business" in which it will disclose information about the consumer’s account to third parties. 15 U.S.C. 1693c(a)(9); 12 C.F.R. 205.7(b)(9). This disclosure must address all information concerning the account that may be provided to third parties and whether it will be provided to affiliates.
See FRB Official Staff Commentary 205.7(b)(9)-1.] those state laws that prohibit or limit the types of information affiliates may share are expressly preempted by FCRA until the year 2004. [Note 11: 15 U.S.C. 1681t(b) and (d)(2). State laws that were preempted by the FCRA do not automatically return in force after the sunset date. Each state must enact new legislation. Id. 1681t(d)(2).]

Developments in the Marketplace

Technological innovations and industry consolidation are increasing the magnitude and scope of information sharing in the financial services sector. Improvements in data processing and communications technology now allow more efficient storage, analysis, and rapid dissemination of vast amounts of information. Mergers among companies with the same or diverse lines of business are resulting in companies with the ability to assemble and use large databases of customer information.

These developments create new opportunities for banks to use information to custom design products and services to match their customers' needs and preferences. Bank customers benefit from the improved quality of tailor-made goods and services, as well as the increased speed of obtaining financial services. But, while these developments may increase the quantity and quality of many bank services, the expanded use of customer information has also heightened consumer concerns about confidentiality and personal privacy.

Banks have a particular stake in addressing the privacy concerns of customers. Maintaining customer trust that the relationship will remain confidential is an essential component of banking relationships, and banks continually rely on the willingness of customers to provide extensive confidential information. Survey evidence indicates that much of the public's suspicion and concern about the privacy issue generally derives from a lack of knowledge about how a business handles consumer information.
[Note 12: See Business Week/Harris Poll, "A Little Privacy, Please" Business Week, March 16, 1998.] The affiliate information sharing notice mandated by the FCRA can provide a convenient vehicle for banks to educate their customers about their information practices, and gives customers an opportunity to control the flow of their information. [Note 13: A recent survey of consumers indicated that 61 percent of the public believe that it is acceptable for companies to do profile marketing generally. The figure increases to 83 percent with prior notice about information uses and an opportunity to opt-out. See survey sponsored by Privacy & American Business, conducted by Louis Harris and Associates and Dr. Alan F. Westin, "Privacy, E-Commerce, and Financial Transactions" (November 1998).]

EFFECTIVE PRACTICES

This section discusses examples of existing bank practices for complying with the affiliate information sharing notice provisions of the FCRA and addresses the contents of the notice, the appearance and prominence of the notice, and the convenience of a customer's opportunity to opt out. While the FCRA does not impose specific requirements for the placement or content of the notice, the following examples illustrate how some banks have used these notices to make their information handling practices more readily understandable to their customers. Likewise, the FCRA does not dictate that consumers be accorded convenient methods to opt out of information sharing. However, we have selected examples of existing practices to highlight how some banks, consistent with the spirit of the law, have made the opt out process easier for their customers to use.

Content of Affiliate Sharing Notice [Note 14: Some banks have selected a question and answer format to convey information about their usage of customer data. This is one method for conveying basic information to customers in a clear and easily understood format.]

What type of information is shared

A simple and concise description of the types of information that a bank intends to share among affiliates enables customers to make informed choices about whether to opt out of affiliate information sharing. For example, a number of banks inform their customers, when it is the case, that they share consumer reports in addition to other types of information, such as information from a customer's application, unless a customer opts out, rather than simply tell their customers they intend to share "other information" -- the terminology employed by the statute.

Some banks provide additional disclosures to make their information sharing practices more transparent to their customers. For instance, some banks explain that they share the following types of information with affiliates: identification information (such as name and address), transaction and experience information (such as loan repayment history), and other personal information (such as information obtained from an application or consumer report). The banks explain that, unlike transaction and experience information that they may share among affiliates by law, customers may direct that certain other personal information (i.e., information contained in an application, information from consumer reports) not be similarly shared.

With whom is the information shared

Some banks inform customers of the names of their affiliated companies with which information will be shared and/or a description of their lines of business. In situations involving numerous affiliates, a generally stated description of the types of business they conduct is used instead. Other banks provide their customers with an expressly stated representative sample of the names or lines of business of their affiliates. (Banks that identify their affiliates by name or business type should be aware of the potential need to update their notices if there is a change in circumstances.)
In describing their affiliates, some banks choose to use a term other than "affiliate" to avoid potential customer confusion, such as "members of the corporate family."

Purpose for the sharing

Notices may also contain basic information about the reasons why the bank shares personal data. Some banks describe specific ways in which information sharing benefits their customers. For example, certain banks explain that by knowing that a particular individual owns a home, the bank can direct that consumer to a home equity loan to finance a purchase because of the favorable tax consequences, rather than an unsecured installment loan. Other purposes for information sharing may be to reduce the customer's burden in having to provide duplicative information each time the customer applies for a new product or service from an affiliated company, or to identify customers for better pricing on products or services.

Banks sometimes disclose these types of specific benefits in addition to more general disclosures that sharing customers' information enables a bank to design or improve products and services, such as new types of account or investment services. These types of disclosures also provide the bank a good opportunity to promote and distinguish its customer service.

Presentation of Notice

There are various ways that banks make FCRA notices clear and conspicuous to customers. Some banks provide customers with the notice in a stand alone document. [Note 15: Banks must not only provide this notice to new customers, but must also provide notice to existing customers. Some banks have sent separate mailings, such as postcards, to their customers to provide the requisite notice. Other banks have sent this notice to existing customers in their regular customer statements.] Other banks have chosen to include the notice in a document containing additional information, such as an account agreement.
Banks can employ a number of devices to highlight the notice, including (1) putting a box around it, (2) putting it in bold type, (3) putting it in type that is larger than other portions of the text, (4) putting the notice in a different color than other portions of the agreement, (5) captioning the notice to call attention to its contents, (6) underlining the notice, or (7) doing a combination of several of these steps. As part of its FCRA notice, one bank provides a telephone number its customers can call with questions about information sharing and opt out.

Convenience of Customer Opt Out

For bank customers who are concerned about maintaining the privacy of their personal information, being furnished with a convenient mechanism for opting out of affiliate information sharing is a value-added service. Banks have many options to provide customers convenient opportunities to opt out of information sharing, including providing their customers with detachable opt out forms as part of the affiliate information sharing notice or self-addressed opt out postcards. Additionally, some banks allow for opt out by telephone or by electronic means (for instance, by personal computer via the bank's Web site). [Note 16: If a bank chooses to permit opt out by means other than in writing, the bank should create a record of the opt out.] One bank provides a check-off box in a prominent position on its credit applications -- within the box containing the signature line -- that customers can mark to elect to opt out of information sharing.

CONCLUSION

Banks that share particular personal information with their affiliates may use the notice requirements of the FCRA as an opportunity to inform their customers about their information handling practices and further provide their customers with convenient mechanisms for opting out of such sharing.
At a time of growing public sensitivity and concern about the proper treatment of personal information, this type of meaningful communication may enhance customer confidence and trust in their financial institutions.

FURTHER INFORMATION

For further information or questions relating to this advisory, please contact Amy Friend, Assistant Chief Counsel, (202)874-5200.

____________________
Julie L. Williams
Chief Counsel