[Federal Register: November 7, 2007 (Volume 72, Number 215)]
[Rules and Regulations]
[Page 62909-62990]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr07no07-10]
[[Page 62909]]
-----------------------------------------------------------------------
Part II
Department of the Treasury
Office of the Comptroller of the Currency
12 CFR Part 41
Federal Reserve System
12 CFR Part 222
Federal Deposit Insurance Corporation
12 CFR Part 334
Department of the Treasury
Office of Thrift Supervision
12 CFR Part 571
National Credit Union Administration
12 CFR Part 717
Fair Credit Reporting Affiliate Marketing Regulations; Final Rule
[[Page 62910]]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 41
[Docket ID. OCC-2007-0010]
RIN 1557-AC88
FEDERAL RESERVE SYSTEM
12 CFR Part 222
[Regulation V; Docket No. R-1203]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 334
RIN 3064-AC83
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 571
[Docket ID. OTS-2007-0020]
RIN 1550-AB90
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 717
Fair Credit Reporting Affiliate Marketing Regulations
AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);
Board of Governors of the Federal Reserve System (Board); Federal
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision,
Treasury (OTS); and National Credit Union Administration (NCUA).
ACTION: Final rules.
-----------------------------------------------------------------------
SUMMARY: The OCC, Board, FDIC, OTS, and NCUA (Agencies) are publishing
final rules to implement the affiliate marketing provisions in section
214 of the Fair and Accurate Credit Transactions Act of 2003, which
amends the Fair Credit Reporting Act. The final rules generally
prohibit a person from using information received from an affiliate to
make a solicitation for marketing purposes to a consumer, unless the
consumer is given notice and a reasonable opportunity and a reasonable
and simple method to opt out of the making of such solicitations.
DATES: Effective Date: These rules are effective January 1, 2008.
Mandatory Compliance Date: October 1, 2008.
FOR FURTHER INFORMATION CONTACT: OCC: Amy Friend, Assistant Chief
Counsel, (202) 874-5200; Michael Bylsma, Director, or Stephen Van
Meter, Assistant Director, Community and Consumer Law, (202) 874-5750;
or Patrick T. Tierney, Senior Attorney, Legislative and Regulatory
Activities Division, (202) 874-5090, Office of the Comptroller of the
Currency, 250 E Street, SW., Washington, DC 20219.
Board: David A. Stein, Counsel; Ky Tran-Trong, Counsel; or Amy E.
Burke, Attorney, Division of Consumer and Community Affairs, (202) 452-
3667 or (202) 452-2412; or Kara Handzlik, Attorney, Legal Division,
(202) 452-3852, Board of Governors of the Federal Reserve System, 20th
and C Streets, NW., Washington, DC 20551. For users of a
Telecommunications Device for the Deaf (TDD) only, contact (202) 263-
4869.
FDIC: Ruth R. Amberg, Senior Counsel, (202) 898-3736, or Richard M.
Schwartz, Counsel, Legal Division, (202) 898-7424; April Breslaw,
Chief, Compliance Section, (202) 898-6609; David P. Lafleur, Policy
Analyst, Division of Supervision and Consumer Protection, (202) 898-
6569, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429.
OTS: Suzanne McQueen, Consumer Regulations Analyst, Compliance and
Consumer Protection Division, (202) 906-6459; or Richard Bennett,
Senior Compliance Counsel, (202) 906-7409, Office of Thrift
Supervision, 1700 G Street, NW., Washington, DC 20552.
NCUA: Linda Dent, Staff Attorney, Office of General Counsel, (703)
518-6540, National Credit Union Administration, 1775 Duke Street,
Alexandria, VA 22314-3428.
SUPPLEMENTARY INFORMATION:
I. Background
The Fair Credit Reporting Act
The Fair Credit Reporting Act (FCRA or Act), which was enacted in
1970, sets standards for the collection, communication, and use of
information bearing on a consumer's credit worthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living. (15 U.S.C. 1681-1681x.) In 1996,
the Consumer Credit Reporting Reform Act extensively amended the FCRA.
(Pub. L. 104-208, 110 Stat. 3009.)
The FCRA, as amended, provides that a person may communicate to an
affiliate or a non-affiliated third party information solely as to
transactions or experiences between the consumer and the person without
becoming a consumer reporting agency.\1\ In addition, the communication
of such transaction or experience information among affiliates will not
result in any affiliate becoming a consumer reporting agency. See FCRA
Sec. Sec. 603(d)(2)(A)(i) and (ii).
---------------------------------------------------------------------------
\1\ The FCRA creates substantial obligations for a person that
meets the definition of a ``consumer reporting agency'' in section
603(f) of the statute.
---------------------------------------------------------------------------
Section 603(d)(2)(A)(iii) of the FCRA provides that a person may
communicate ``other'' information--that is, information that is not
transaction or experience information--among its affiliates without
becoming a consumer reporting agency if it is clearly and conspicuously
disclosed to the consumer that such information may be communicated
among affiliates and the consumer is given an opportunity, before the
information is communicated, to ``opt out'' or direct that the
information not be communicated among such affiliates, and the consumer
has not opted out.
The Fair and Accurate Credit Transactions Act of 2003
The President signed into law the Fair and Accurate Credit
Transactions Act of 2003 (FACT Act) on December 4, 2003. (Pub. L. 108-
159, 117 Stat. 1952.) In general, the FACT Act amends the FCRA to
enhance the ability of consumers to combat identity theft, increase the
accuracy of consumer reports, restrict the use of medical information
in credit eligibility determinations, and allow consumers to exercise
greater control regarding the type and number of solicitations they
receive.
Section 214 of the FACT Act added a new section 624 to the FCRA.
This provision gives consumers the right to restrict a person from
using certain information obtained from an affiliate to make
solicitations to that consumer. Section 624 generally provides that if
a person receives certain consumer eligibility information from an
affiliate, the person may not use that information to make
solicitations to the consumer about its products or services, unless
the consumer is given notice and an opportunity and a simple method to
opt out of such use of the information, and the consumer does not opt
out. The statute also provides that section 624 does not apply, for
example, to a person using eligibility information: (1) To make
solicitations to a consumer with whom the person has a pre-existing
business relationship; (2) to perform services for another affiliate
subject to certain conditions; (3) in response to a communication
initiated by the
[[Page 62911]]
consumer; or (4) to make a solicitation that has been authorized or
requested by the consumer. Unlike the FCRA affiliate sharing opt-out
and the Gramm-Leach-Bliley Act (GLBA) non-affiliate sharing opt-out,
which apply indefinitely, section 624 provides that a consumer's
affiliate marketing opt-out election must be effective for a period of
at least five years. Upon expiration of the opt-out period, the
consumer must be given a renewal notice and an opportunity to renew the
opt-out before information received from an affiliate may be used to
make solicitations to the consumer.
Section 624 governs the use of information by an affiliate, not the
sharing of information among affiliates, and thus is distinct from the
affiliate sharing opt-out under section 603(d)(2)(A)(iii) of the FCRA.
Nevertheless, the affiliate marketing and affiliate sharing opt-outs
and the information subject to the two opt-outs overlap to some extent.
As noted above, the FCRA allows transaction or experience information
to be shared among affiliates without giving the consumer notice and an
opportunity to opt out, but provides that ``other'' information, such
as information from credit reports and credit applications, may not be
shared among affiliates without giving the consumer notice and an
opportunity to opt out. The new affiliate marketing opt-out applies to
both transaction or experience information and ``other'' information.
Thus, certain information will be subject to two opt-outs, a sharing
opt-out and a marketing use opt-out.
Section 214(b) of the FACT Act requires the Agencies, the Federal
Trade Commission (FTC), and the Securities and Exchange Commission
(SEC) to prescribe regulations, in consultation and coordination with
each other, to implement the FCRA's affiliate marketing opt-out
provisions. In adopting regulations, each Agency must ensure that the
affiliate marketing notification methods provide a simple means for
consumers to make choices under section 624, consider the affiliate
sharing notification practices employed on the date of enactment by
persons subject to section 624, and ensure that notices may be
coordinated and consolidated with other notices required by law.
II. The Interagency Proposal
On July 15, 2004, the Agencies published a notice of proposed
rulemaking in the Federal Register (69 FR 42502) to implement section
214 of the FACT Act.\2\ The proposal defined the key terms ``pre-
existing business relationship'' and ``solicitation'' essentially as
defined in the statute. The Agencies did not propose to include
additional circumstances within the meaning of ``pre-existing business
relationship'' or other types of communications within the meaning of
``solicitation.''
---------------------------------------------------------------------------
\2\ The FTC published its proposed affiliate marketing rule in
the Federal Register on June 15, 2004 (69 FR 33324). The SEC
published its proposed affiliate marketing rule in the Federal
Register on July 14, 2004 (69 FR 42301).
---------------------------------------------------------------------------
To address the scope of the affiliate marketing opt-out, the
proposal defined ``eligibility information'' to mean any information
the communication of which would be a ``consumer report'' if the
statutory exclusions from the definition of ``consumer report'' in
section 603(d)(2)(A) of the FCRA for transaction or experience
information and for ``other'' information that is subject to the
affiliate-sharing opt-out did not apply. The Agencies substituted the
term ``eligibility information'' for the more complicated statutory
language regarding the communication of information that would be a
consumer report, but for clauses (i), (ii), and (iii) of section
603(d)(2)(A) of the FCRA.\3\ In addition, the proposal incorporated
each of the scope limitations contained in the statute, such as the
pre-existing business relationship exception.
---------------------------------------------------------------------------
\3\ Under section 603(d)(1) of the FCRA, a ``consumer report''
means any written, oral, or other communication of any information
by a consumer reporting agency bearing on a consumer's credit
worthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living which is
used or expected to be used or collected in whole or in part for the
purpose of serving as a factor in establishing the consumer's
eligibility for credit or insurance to be used primarily for
personal, family, or household purposes, employment purposes, or any
other purpose authorized in section 604 of the FCRA. 15 U.S.C.
1681a(d).
---------------------------------------------------------------------------
Section 624 does not state which affiliate must give the consumer
the affiliate marketing opt-out notice. The proposal provided that the
person communicating information about a consumer to its affiliate
would be responsible for satisfying the notice requirement, if
applicable. A rule of construction provided flexibility to allow the
notice to be given by the person that communicates information to its
affiliate, by the person's agent, or through a joint notice with one or
more other affiliates. The Agencies designed this approach to provide
flexibility and to facilitate the use of a single coordinated notice,
while taking into account existing affiliate sharing notification
practices. At the same time, the approach sought to ensure that the
notice would be effective because it generally would be provided by or
on behalf of an entity from which the consumer would expect to receive
important notices, and would not be provided along with solicitations.
The proposal also provided guidance on the contents of the opt-out
notice, what constitutes a reasonable opportunity to opt out,
reasonable and simple methods of opting out, and the delivery of opt-
out notices. Finally, the proposal provided guidance on the effect of
the limited duration of the opt-out and the requirement to provide an
extension notice upon expiration of the opt-out period.
III. Overview of Comments Received
Each agency received the following number of comment letters: OCC--
30, Board--42, FDIC--29, OTS--20, NCUA--18. Many commenters sent copies
of the same letter to more than one Agency. The Agencies received
comments from a variety of banks, thrifts, credit unions, credit card
companies, mortgage lenders, other non-bank creditors, and industry
trade associations. The Agencies also received comments from consumer
groups, the National Association of Attorneys General (``NAAG''), and
individual consumers. In addition, the Agencies considered comments
submitted to the FTC and the SEC.
Most industry commenters objected to several key aspects of the
proposal. The most significant areas of concern raised by industry
commenters related to which affiliate would be responsible for
providing the notice, the scope of certain exceptions to the notice and
opt-out requirement, and the content or the inclusion of definitions
for terms such as ``clear and conspicuous'' and ``pre-existing business
relationship.'' Consumer groups and NAAG generally supported the
proposal, although these commenters believed that the proposal could be
strengthened in certain respects. A more detailed discussion of the
comments is contained in the Section-by-Section Analysis below.
IV. Section-by-Section Analysis
Section --.1 Purpose, Scope, and Effective Dates
Section --.1 of the proposal set forth the purpose and scope of
each Agency's regulations. The Agencies received few comments on this
section. Some of the Agencies have revised this section in the final
rules for clarity and to reflect the fact that the institutions subject
to the FCRA regulation will vary in different subparts of the Agencies'
FCRA rules. The coverage provision for
[[Page 62912]]
each Agency's affiliate marketing rule is set forth in Subpart C, Sec.
--.20(a).
Section --.2 Examples
Proposed Sec. ----.2 described the scope and effect of the
examples included in the proposed rule. Most commenters supported the
proposed use of non-exclusive examples to illustrate the operation of
the rules. One commenter, concerned that the use of examples would
increase the risk of litigation, urged the Agencies to delete all
examples.
The Agencies adopted Sec. --.2 as part of the final medical
information rules. See 70 FR 70664 (Nov. 22, 2005). The comments
received in this rulemaking do not warrant any revisions to Sec. --.2.
The Agencies do not believe the use of illustrative examples will
materially increase the risk of litigation, but rather will provide
useful guidance for compliance purposes, which may alleviate litigation
risks for institutions. Therefore, it is unnecessary to re-publish
Sec. --.2 in these final rules.
As Sec. --.2 states, examples in a paragraph illustrate only the
issue described in the paragraph and do not illustrate any other issue
that may arise in the part. Similarly, the examples do not illustrate
any issues that may arise under other laws or regulations.\4\
---------------------------------------------------------------------------
\4\ NCUA has modified examples in its final rule text where the
original example referenced products or services impermissible for
federal credit unions.
---------------------------------------------------------------------------
Section --.3 Definitions
Section --.3 of the proposal contained definitions for the
following terms: ``Act,'' ``affiliate'' (as well as the related terms
``company'' and ``control''); ``clear and conspicuous''; ``consumer'';
``eligibility information''; ``person''; ``pre-existing business
relationship''; ``solicitation''; and, except for the OCC's proposal,
``you.''
The Agencies have previously defined the terms ``Act,''
``affiliate,'' ``company,'' ``consumer,'' and ``person,'' along with a
definition of ``common ownership or common corporate control'' as a
substitute for the definition of ``control,'' as part of the final
medical information rules. See 70 FR 70664 (Nov. 22, 2005). Those
definitions that elicited comment are discussed below. However, it is
unnecessary to re-publish Sec. --.3 in these final rules because the
Agencies have not revised these definitions.
The Agencies have moved the definitions of ``clear and
conspicuous,'' ``eligibility information,'' ``pre-existing business
relationship,'' ``solicitation,'' and ``you'' or ``bank'' to Subpart C,
Sec. --.20(b). Three of these terms relate solely to the affiliate
marketing provisions and, thus, are more appropriately defined in
Subpart C. For the reasons discussed below, the Agencies also believe
that it is more appropriate to define ``clear and conspicuous'' for the
limited purpose of the affiliate marketing rules. Each of these
definitions is discussed in detail below.
Affiliate, Common Ownership or Common Corporate Control, and Company
Several FCRA provisions apply to information sharing with persons
``related by common ownership or affiliated by corporate control,''
``related by common ownership or affiliated by common corporate
control,'' or ``affiliated by common ownership or common corporate
control.'' E.g., FCRA, sections 603(d)(2), 615(b)(2), and 625(b)(2).
Each of these provisions was enacted as part of the 1996 amendments to
the FCRA. Similarly, section 2 of the FACT Act defines the term
``affiliate'' to mean ``persons that are related by common ownership or
affiliated by corporate control.'' In contrast, the GLBA defines
``affiliate'' to mean ``any company that controls, is controlled by, or
is under common control with another company.'' See 15 U.S.C. 6809(6).
In the proposal, the Agencies sought to harmonize the various FCRA
and FACT Act formulations by defining ``affiliate'' to mean ``any
person that is related by common ownership or common corporate control
with another person.'' Industry commenters generally supported the
Agencies' goal of harmonizing the various FCRA definitions of
``affiliate'' for consistency. Many of these commenters, however,
believed that the most effective way to do this was for the Agencies to
incorporate into the FCRA the definition of ``affiliate'' used in the
GLBA privacy regulations. In addition, a few industry commenters urged
the Agencies to incorporate into the definition of ``affiliate''
certain concepts from California's Financial Information Privacy Act so
as to exempt certain classes of corporate affiliates from the
restrictions on affiliate sharing or marketing.\5\
---------------------------------------------------------------------------
\5\ These commenters noted that the California law places no
restriction on information sharing among affiliates if they: (1) Are
regulated by the same or similar functional regulators; (2) are
involved in the same broad line of business, such as banking,
insurance, or securities; and (3) share a common brand identity.
---------------------------------------------------------------------------
In the final medical information rules, the Agencies defined the
term ``affiliate'' to mean a company that is related by common
ownership or common corporate control with another company. See 70 FR
70,664 (Nov. 22, 2005).\6\ The Agencies substituted the term
``company'' for ``person'' in the definition because they did not
believe that certain types of persons, such as individuals, could be
related by common ownership or common corporate control.
---------------------------------------------------------------------------
\6\ For purposes of the regulation, an ``affiliate'' includes an
operating subsidiary of a bank or savings association, and a credit
union service organization that is controlled by a federal credit
union.
---------------------------------------------------------------------------
The Agencies do not believe there is a substantive difference
between the FACT Act definition of ``affiliate'' and the definition of
``affiliate'' in section 509 of the GLBA. The Agencies are not aware of
any circumstances in which two entities would be affiliates for
purposes of the FCRA but not for purposes of the GLBA privacy rules, or
vice versa. Also, even though affiliated entities have had to comply
with different FCRA and GLBA formulations of the ``affiliate''
definition since 1999, commenters did not identify any specific
compliance difficulties or uncertainty resulting from the fact that the
two statutes use somewhat different wording to describe what
constitutes an affiliate.
As explained in the supplementary information to the final medical
information rules, the Agencies declined to incorporate into the
definition of ``affiliate'' exceptions for entities regulated by the
same or similar functional regulators, entities in the same line of
business, or entities that share a common brand or identity. See 70 FR
70,665 (Nov. 22, 2005). These exceptions were incorporated into the
California Financial Information Privacy Act in August 2003.\7\
Congress, however, did not incorporate these exceptions from California
law into the definition of ``affiliate'' when it enacted the FACT Act
at the end of 2003. Accordingly, the Agencies believe that the approach
followed in the final medical information rules best effectuates the
intent of Congress.
---------------------------------------------------------------------------
\7\ See Cal. Financial Code Sec. 4053(c).
---------------------------------------------------------------------------
Under the GLBA privacy rules, the definition of ``control''
determines whether two or more entities meet the definition of
``affiliate.'' \8\ The Agencies included the same definition of
``control'' in the proposal and received no comments on the proposed
definition. The Agencies interpret the phrase ``related by common
ownership or common corporate control'' used in the FACT Act to have
the same meaning
[[Page 62913]]
as ``control'' in the GLBA privacy rules. For example, if an individual
owns 25 percent of two companies, the companies would be affiliates
under both the GLBA and FCRA definitions. However, the individual would
not be considered an affiliate of the companies because the definition
of ``affiliate'' is limited to companies. For purposes of clarity, the
final medical information rules defined the term ``control'' to mean
``common ownership or common corporate control'' in order to track more
closely the terminology used in the FACT Act. See 70 FR 70,664 (Nov.
22, 2005).\9\
---------------------------------------------------------------------------
\8\ See 12 CFR 40.3(g), 216.3(g), 332.3(g), 573.3(g), and
716(g).
\9\ For purposes of the regulation, NCUA presumes that a federal
credit union has a controlling influence over the management or
policies of a credit union service organization if it is 67 percent
owned by credit unions.
---------------------------------------------------------------------------
The proposal also defined the term ``company'' to mean any
corporation, limited liability company, business trust, general or
limited partnership, association, or similar organization. The proposed
definition of ``company'' excluded some entities that are ``persons''
under the FCRA, including estates, cooperatives, and governments or
governmental subdivisions or agencies, as well as individuals. The
Agencies received no comments on the proposed definition of
``company,'' which was adopted in the final medical information rules.
The Agencies adopted definitions of ``affiliate,'' ``common
ownership and common corporate control,'' and ``company'' in the final
FCRA medical information rules. See 70 FR 70,664 (Nov. 22, 2005). It is
unnecessary to re-publish those definitions in these rules.
Consumer
Proposed paragraph (e) defined the term ``consumer'' to mean an
individual. This definition is identical to the definition of
``consumer'' in section 603(c) of the FCRA.
Several commenters asked the Agencies to narrow the proposed
definition to apply only to individuals who obtain financial products
or services primarily for personal, family, or household purposes, in
part to achieve consistency with the definition of ``consumer'' in the
GLBA. The FCRA's definition of ``consumer,'' however, differs from, and
is broader than, the definition of that term in the GLBA. The Agencies
believe that the use of distinct definitions of ``consumer'' in the two
statutes reflects differences in the scope and objectives of each
statute. Therefore, the Agencies adopted the FCRA's statutory
definition of ``consumer'' in the final medical information rules. See
70 FR 70,664 (Nov. 22, 2005). It is unnecessary to re-publish the
definition in these rules. For purposes of this definition, an
individual acting through a legal representative would qualify as a
consumer.
Person
Proposed paragraph (l) defined the term ``person'' to mean any
individual, partnership, corporation, trust, estate, cooperative,
association, government or governmental subdivision or agency, or other
entity. This definition is identical to the definition of ``person'' in
section 603(b) of the FCRA.
One commenter requested clarification of how the proposed
definition of ``person'' would affect other provisions of the affiliate
marketing rules. Specifically, this commenter asked how the
supplementary information's discussion of agents might affect the scope
provisions of the rule.
The supplementary information to the proposal stated that a person
may act through an agent, including but not limited to a licensed agent
(in the case of an insurance company) or a trustee. The supplementary
information also provided that actions taken by an agent on behalf of a
person that are within the scope of the agency relationship would be
treated as actions of that person. The Agencies included these
statements to address comprehensively the status of agents and to
eliminate the need to refer specifically to licensed agents in the
proposed definition of ``pre-existing business relationship.'' As
discussed below, many commenters believed that licensed agents should
be expressly included in the definition of ``pre-existing business
relationship.'' The Agencies have revised the final rules in response
to those comments. By specifically addressing licensed agents, the
final rules do not alter the general principles of principal-agent
relationships that apply to all agents, not just licensed agents. The
Agencies will treat actions taken by an agent on behalf of a person
that are within the scope of the agency relationship as actions of that
person, regardless of whether the agent is a licensed agent or not.
The Agencies adopted the FCRA's statutory definition of ``person''
in the final medical information rules. See 70 FR 70664 (Nov. 22,
2005). Therefore, it is unnecessary to re-publish the definition in
these rules.
Section --.20 Coverage and definitions
Coverage
Section --.20(a) of the final rules identifies the persons covered
by Subpart C of each Agency's rule. Section --.20(a) thus describes the
scope of each Agency's rule.
Definitions
Section --.20(b) of the final rules contains the definitions of six
terms for purposes of Subpart C.
Clear and Conspicuous
Proposed Sec. --.3(c) defined the term ``clear and conspicuous''
to mean reasonably understandable and designed to call attention to the
nature and significance of the information presented. Under this
definition, institutions would retain flexibility in determining how
best to meet the clear and conspicuous standard. The supplementary
information to the proposal provided guidance regarding a number of
practices that institutions might wish to consider in making their
notices clear and conspicuous. These practices were derived largely
from guidance included in the GLBA privacy rules.
Industry commenters urged the Agencies not to define ``clear and
conspicuous'' in the final rules. The principal objection these
commenters raised was that this definition would significantly increase
the risk of litigation and civil liability. Although these commenters
recognized that the proposed definition was derived from the GLBA
privacy regulations, they noted that compliance with the GLBA privacy
regulations is enforced exclusively through administrative action, not
through private litigation. These commenters also stated that the Board
had withdrawn a similar proposal to define ``clear and conspicuous''
for purposes of Regulations B, E, M, Z, and DD, in part because of
concerns about civil liability. Some industry commenters believed that
it was not necessary to define the term in order for consumers to
receive clear and conspicuous disclosures based on industry's
experience in providing clear and conspicuous affiliate sharing opt-out
notices. Consumer groups believed that incorporation of the standard
and examples from the GLBA privacy regulations was not adequate because
they did not believe that the existing standard has proven sufficient
to ensure effective privacy notices.
In the final rules, the Agencies have relocated the definition of
``clear and conspicuous'' to Sec. --.20(b)(1) in order to limit its
applicability to the affiliate
[[Page 62914]]
marketing opt-out notice and renewal notice. Except for certain non-
substantive changes made for purposes of clarity, the definition of
``clear and conspicuous'' is the same as in the proposal and is
substantively the same as the definition used in the GLBA privacy
rules. The Agencies believe that the clear and conspicuous standard for
the affiliate marketing opt-out notices should be substantially similar
to the standard that applies to GLBA privacy notices because the
affiliate marketing opt-out notice may be provided on or with the GLBA
privacy notice.
In defining ``clear and conspicuous,'' the Agencies believe it is
more appropriate to focus on the affiliate marketing opt-out notices
that are the subject of this rulemaking, rather than adopting a
generally applicable definition governing all consumer disclosures
under the FCRA. This approach gives the Agencies the flexibility to
refine or clarify the clear and conspicuous requirement for different
disclosures, if necessary. In addition, this approach is consistent
with the approach the Board indicated it would take when it withdrew
its proposed clear and conspicuous rules. The Board noted that it
intended ``to focus on individual disclosures and to consider ways to
make specific improvements to the effectiveness of each disclosure.''
See 69 FR 35541, 35543 (June 25, 2004).
The statute directs the Agencies to provide specific guidance
regarding how to comply with the clear and conspicuous standard. See 15
U.S.C. 1681s-3(a)(2)(B). For that reason, the Agencies do not agree
with commenters that requested the elimination of the definition of
``clear and conspicuous'' and related guidance. Rather, the Agencies
believe it is necessary to define ``clear and conspicuous'' in the
final rules and provide specific guidance for how to satisfy that
standard in connection with this notice.
Accordingly, the final rules contain two types of specific guidance
on satisfying the requirement to provide a clear and conspicuous opt-
out notice. First, as in the proposal, the supplementary information to
the final rules describes certain techniques that may be used to make
notices clear and conspicuous. These techniques are described below.
Second, the Agencies have adopted model forms that may, but are not
required to, be used to facilitate compliance with the affiliate
marketing notice requirements. The requirement for clear and
conspicuous notices would be satisfied by the appropriate use of one of
the model forms.
As noted in the supplementary information to the proposal,
institutions may wish to consider a number of methods to make their
notices clear and conspicuous. The various methods described below for
making a notice clear and conspicuous are suggestions that institutions
may wish to consider in designing their notices. Use of any of these
methods alone or in combination is voluntary. Institutions are not
required to use any particular method or combination of methods to make
their disclosures clear and conspicuous. Rather, the particular facts
and circumstances will determine whether a disclosure is clear and
conspicuous.
A notice or disclosure may be made reasonably understandable
through various methods that include: Using clear and concise
sentences, paragraphs, and sections; using short explanatory sentences;
using bullet lists; using definite, concrete, everyday words; using
active voice; avoiding multiple negatives; avoiding legal and highly
technical business terminology; and avoiding explanations that are
imprecise and are readily subject to different interpretations. In
addition, a notice or disclosure may be designed to call attention to
the nature and significance of the information in it through various
methods that include: Using a plain-language heading; using a typeface
and type size that are easy to read; using wide margins and ample line
spacing; and using boldface or italics for key words. Further,
institutions that provide the notice on a Web page may use text or
visual cues to encourage scrolling down the page, if necessary, to view
the entire notice and may take steps to ensure that other elements on
the Web site (such as text, graphics, hyperlinks, or sound) do not
distract attention from the notice. When a notice or disclosure is
combined with other information, methods for designing the notice or
disclosure to call attention to the nature and significance of the
information in it may include using distinctive type sizes, styles,
fonts, paragraphs, headings, graphic devices, and appropriate groupings
of information. However, there is no need to use distinctive features,
such as distinctive type sizes, styles, or fonts, to differentiate an
affiliate marketing opt-out notice from other components of a required
disclosure, for example, where a GLBA privacy notice combines several
opt-out disclosures in a single notice. Moreover, nothing in the clear
and conspicuous standard requires segregation of the affiliate
marketing opt-out notice when it is combined with a GLBA privacy notice
or other required disclosures.
The Agencies recognize that it will not be feasible or appropriate
to incorporate all of the methods described above all the time. The
Agencies recommend, but do not require, that institutions consider the
methods described above in designing their opt-out notices. The
Agencies also encourage the use of consumer or other readability
testing to devise notices that are understandable to consumers.
Finally, although the Agencies understand the concerns of some
industry commenters about the potential for civil liability, the
Agencies believe that these concerns are mitigated by the safe harbors
afforded by the model forms in Appendix C. The Agencies note that the
affiliate sharing opt-out notice under section 603(d)(2)(A)(iii) of the
FCRA, which may be enforced through private rights of action, must be
included in the GLBA privacy notice. Therefore, the affiliate sharing
opt-out notice generally is disclosed in a manner consistent with the
clear and conspicuous standard set forth in the GLBA privacy
regulations. Commenters did not identify any litigation that has
resulted from the requirement to provide a clear and conspicuous
affiliate sharing opt-out notice. The Agencies believe that compliance
with the examples and use of the model forms, although optional, should
minimize the risk of litigation.
Concise
Proposed Sec. --.21(b) defined the term ``concise'' to mean a
reasonably brief expression or statement. The proposal also provided
that a notice required by Subpart C may be concise even if it is
combined with other disclosures required or authorized by federal or
state law. Such disclosures include, but are not limited to, a GLBA
privacy notice, an affiliate-sharing notice under section
603(d)(2)(A)(iii) of the FCRA, and other consumer disclosures. Finally,
the proposal clarified that the requirement for a concise notice would
be satisfied by the appropriate use of one of the model forms contained
in proposed Appendix C to each Agency's FCRA rule, although use of the
model forms is not required. The Agencies received no comments on the
proposed definition of ``concise.'' The final rules renumber the
definition of ``concise'' as Sec. --.20(b)(2). The reference to the
model forms has been moved to Appendix C, but otherwise the definition
is adopted as proposed.
[[Page 62915]]
Eligibility Information
Proposed Sec. --.3(j) defined the term ``eligibility information''
to mean any information the communication of which would be a consumer
report if the exclusions from the definition of ``consumer report'' in
section 603(d)(2)(A) of the FCRA did not apply. As proposed,
eligibility information would include a person's own transaction or
experience information, such as information about a consumer's account
history with that person, and ``other'' information under section
603(d)(2)(A)(iii), such as information from consumer reports or
applications.
Most commenters generally supported the proposed definition of
``eligibility information'' as an appropriate means of simplifying the
statutory terminology without changing the scope of the information
covered by the rule. A number of commenters requested that the Agencies
clarify that certain types of information do not constitute eligibility
information, such as name, address, telephone number, Social Security
number, and other identifying information. One commenter requested the
exclusion of publicly available information from the definition.
Another commenter requested additional clarification regarding the term
``transaction or experience information.'' A few commenters suggested
that the Agencies include examples of what is and is not included
within ``eligibility information.'' Finally, one commenter urged the
Agencies to revise the definition to restate much of the statutory
definition of ``consumer report'' to eliminate the need for cross-
references.
The final rules renumber the definition of ``eligibility
information'' as --.20(b)(3). The Agencies have revised the definition
to clarify that the term ``eligibility information'' does not include
aggregate or blind data that does not contain personal identifiers.
Examples of personal identifiers include account numbers, names, or
addresses, as indicated in the definition, as well as Social Security
numbers, driver's license numbers, telephone numbers, or other types of
information that, depending on the circumstances or when used in
combination, could identify the individual.
The Agencies also believe that further clarification of, or
exclusions from, the term ``eligibility information,'' such as the
categorical exclusion of names, addresses, telephone numbers, other
identifying information, or publicly available information, would
directly implicate the definitions of ``consumer report'' and
``consumer reporting agency'' in sections 603(d) and (f), respectively,
of the FCRA. The Agencies decided not to define the terms ``consumer
report'' and ``consumer reporting agency'' in this rulemaking and not
to interpret the meaning of terms used in those definitions, such as
``transaction or experience'' information. The Agencies anticipate
addressing the definitions of ``consumer report'' and ``consumer
reporting agency'' in a separate rulemaking after the required FACT Act
rules have been completed. The Agencies also note that financial
institutions have relied on these statutory definitions for many years.
Pre-Existing Business Relationship
Proposed Sec. --.3(m) defined the term ``pre-existing business
relationship'' to mean a relationship between a person and a consumer
based on the following:
(1) A financial contract between the person and the consumer that
is in force;
(2) The purchase, rental, or lease by the consumer of that person's
goods or services, or a financial transaction (including holding an
active account or a policy in force or having another continuing
relationship) between the consumer and that person, during the 18-month
period immediately preceding the date on which a solicitation covered
by Subpart C is sent to the consumer; or
(3) An inquiry or application by the consumer regarding a product
or service offered by that person during the three-month period
immediately preceding the date on which a solicitation covered by
Subpart C is sent to the consumer.
The proposed definition generally tracked the statutory definition
contained in section 624 of the FCRA, with certain revisions for
clarity. Although the statute gave the Agencies the authority to
identify by regulation other circumstances that qualify as a pre-
existing business relationship, the Agencies did not propose to
exercise this authority. In the final rules, the definition of ``pre-
existing business relationship'' has been renumbered as Sec.
--.20(b)(4).
Industry commenters suggested certain revisions to the proposed
definition of ``pre-existing business relationship.'' Many industry
commenters asked the Agencies to include in the definition statutory
language relating to ``a person's licensed agent.'' A number of these
commenters noted that this concept was particularly important to the
insurance industry where independent, licensed agents frequently act as
the main point of contact between the consumer and the insurance
company.
In the final rules, the phrase ``or a person's licensed agent'' has
been added to the definition of ``pre-existing business relationship''
to track the statutory language. For example, assume that a person is a
licensed agent for the affiliated ABC life, auto, and homeowners'
insurance companies. A consumer purchases an ABC auto insurance policy
through the licensed agent. The licensed agent may use eligibility
information about the consumer obtained in connection with the ABC auto
policy it sold to the consumer to market ABC life and homeowner's
insurance policies to the consumer for the duration of the pre-existing
business relationship without offering the consumer the opportunity to
opt out of that use.
Regarding the first basis for a pre-existing business relationship
(a financial contract in force), several industry commenters asked the
Agencies to clarify that a financial contract includes any in-force
contract that relates to a financial product or service covered by
title V of the GLBA. One commenter objected to the requirement that the
contract be in force on the date of the solicitation. This commenter
believed that the Agencies should interpret the statute to permit the
exception to apply if a contract is in force at the time the affiliate
uses the information, rather than when the solicitation is sent, noting
that there may be a delay between the use and the solicitation.
The Agencies have revised the first prong of the definition of
``pre-existing business relationship'' to reflect the definition's
relocation to Subpart C, but have otherwise adopted it as proposed.
Although a comprehensive definition of the term ``financial contract''
has not been included in the final rules, the Agencies construe the
statutory term ``financial contract'' at least to include a contract
that relates to a consumer's purchase or lease of a financial product
or service that a financial holding company could offer under section
4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). In
addition, a financial contract which is in force will, in virtually all
instances, qualify as a ``financial transaction,'' as that term is used
in the second prong of the definition of ``pre-existing business
relationship.'' The Agencies do not agree with the suggestion that the
financial contract should be in force on the date of use rather than on
the date the solicitation is sent. The approach taken in the proposed
and final rules is consistent with the approach used in the other two
prongs of the statutory definition.
[[Page 62916]]
Industry commenters also suggested certain clarifications to the
second basis for a pre-existing business relationship--a purchase,
rental, or lease by the consumer of the person's goods or services, or
a financial transaction between the consumer and the person during the
preceding 18 months. Several industry commenters noted that,
notwithstanding the example in the proposal regarding a lapsed
insurance policy, it was not clear from what point in time the 18-month
period begins to run in the case of many purchase, rental, lease, or
financial transactions. These commenters asked the Agencies to clarify
that the 18-month period begins to run at the time all contractual
responsibilities of either party under the purchase, rental, lease, or
financial transaction expire. In addition, some commenters indicated
that the term ``active account'' should be clarified to mean any
account with outstanding contractual responsibilities on either side of
an account relationship, regardless of whether specific transactions do
or do not occur on that account.
The Agencies have revised the second prong of the definition of
``pre-existing business relationship'' to reflect the definition's
relocation to Subpart C, but have otherwise adopted it as proposed. The
Agencies decline to interpret the term ``active account'' as requested
by some commenters. The Agencies note that section 603(r) of the FCRA
defines the term ``account'' to have the same meaning as in section 903
of the Electronic Fund Transfer Act (EFTA). Under the EFTA, the term
``account'' means a demand deposit, savings deposit, or other asset
account established primarily for personal, family, or household
purposes. Some commenters, however, apparently believed that the term
``active account'' included extensions of credit. Credit extensions
presumably would qualify as ``another continuing relationship,'' as
used in the definition of ``pre-existing business relationship.''
More generally, however, even though a ``financial transaction''
would include in virtually all cases a financial contract which is in
force, as noted above, the Agencies do not believe it is appropriate to
state that the 18-month period begins to run when all outstanding
contractual responsibilities of both parties expire, regardless of
whether specific transactions occur. Such a clarification would not
appropriately address circumstances such as charge-offs, bankruptcies,
early terminations, or extended periods of credit inactivity that could
trigger commencement of the 18 month period. In addition, some contract
provisions, such as arbitration clauses and choice of law provisions,
may continue to have legal effect after all contractual performance has
ended. The Agencies do not believe that the continued effectiveness of
such provisions should delay commencement of the 18-month period.
Nevertheless, the Agencies believe that a few examples may provide
useful guidance to facilitate compliance. For example, in the case of a
closed-end mortgage or auto loan, the 18-month period generally would
begin to run when the consumer pays off the outstanding balance on the
loan. In a lease or rental transaction, the 18-month period generally
would begin to run when the lease or rental agreement expires or is
terminated by mutual agreement. In the case of general purpose credit
cards that are issued with an expiration date, the 18-month period
generally would begin to run when the consumer pays off the outstanding
balance on the card and the card is either cancelled or expires without
being renewed.
Commenters also made certain suggestions regarding the third basis
for a pre-existing business relationship--an inquiry or application by
the consumer regarding a product or service offered by the person
during the preceding three months. Consumer groups urged the Agencies
to clarify that an inquiry must be made of the specific affiliate,
rather than a general inquiry about a product or service. Industry
commenters expressed concern about certain statements in the
supplementary information that explained the meaning of an inquiry.
The Agencies do not agree that an inquiry must be made of a
specific affiliate. Many affiliated institutions use a central call
center to handle consumer inquiries. The clarification urged by
consumer groups could preclude the establishment of a pre-existing
business relationship based on a consumer's call to a central call
center about a specific product or service offered by an affiliate.
In the supplementary information to the proposal, the Agencies
noted that certain elements of the definition of ``pre-existing
business relationship'' were substantially similar to the definition of
``established business relationship'' under the amended Telemarketing
Sales Rule (TSR) (16 CFR 310.2(n)). The TSR definition was informed by
Congress's intent that the ``established business relationship''
exemption to the ``do not call'' provisions of the Telephone Consumer
Protection Act (47 U.S.C. 227 et seq.) should be grounded on the
reasonable expectations of the consumer.\10\ The Agencies observed that
Congress's incorporation of similar language in the definition of
``pre-existing business relationship'' \11\ suggested that it would be
appropriate to consider the reasonable expectations of the consumer in
determining the scope of this exception. Thus, the Agencies explained
that, for purposes of this regulation, an inquiry would include any
affirmative request by a consumer for information after which the
consumer would reasonably expect to receive information from the
affiliate about its products or services.\12\ Moreover, a consumer
would not reasonably expect to receive information from the affiliate
if the consumer did not request information or did not provide contact
information to the affiliate.
---------------------------------------------------------------------------
\10\ H.R. Rep. No. 102-317, at 14-15 (1991). See also 68 FR
4,580, 4,591-94 (Jan. 29, 2003).
\11\ 149 Cong. Rec. S13,980 (daily ed. Nov. 5, 2003) (statement
of Senator Feinstein) (noting that the ``pre-existing business
relationship'' definition ``is the same definition developed by the
Federal Trade Commission in creating a national `Do Not Call'
registry for telemarketers'').
\12\ See 68 FR at 4,594.
---------------------------------------------------------------------------
Industry commenters objected to the discussion in the supplementary
information. Some of these commenters believed that looking to the
reasonable expectations of the consumer would narrow the scope of the
exception and impose on institutions a subjective standard that
depended upon the consumer's state of mind. These commenters also
maintained that the availability of the exception should not depend
upon the consumer both requesting information and providing contact
information to the affiliate. Some commenters noted that either
requesting information or providing contact information should suffice
to establish an expectation of receiving solicitations. Other
commenters noted that consumers would not provide contact information
if they believed that the affiliate would already have the consumer's
contact information or would obtain it from the consumer's financial
institution. Some commenters believed that the consumer should not have
to make an affirmative request for information in order to have an
inquiry. Commenters also expressed concern that the discussion in the
supplementary information would require consumers to use specific words
to trigger the exception.
The Agencies have revised the third prong of the definition of
``pre-existing business relationship'' to reflect the definition's
relocation to Subpart C, but have otherwise adopted it as proposed. The
Agencies continue to believe that it
[[Page 62917]]
is appropriate to consider what the consumer says in determining
whether the consumer has made an inquiry about a product or service. It
may not be necessary, however, for the consumer to provide contact
information in all cases. As discussed below, the Agencies have revised
the examples of inquiries to illustrate different circumstances.
Consumer groups and NAAG urged the Agencies not to expand the
definition of ``pre-existing business relationship'' to include any
additional types of relationships. Industry commenters suggested a
number of additional bases for establishing a pre-existing business
relationship. Several industry commenters believed that the term ``pre-
existing business relationship'' should be defined to include
relationships arising out of the ownership of servicing rights, a
participation interest in lending transactions, and similar
relationships. These commenters provided no further explanation for why
such an expansion was necessary. One commenter urged the Agencies to
expand the definition of ``pre-existing business relationship'' to
apply to affiliates that share a common trade name, share the same
employees or representatives, operate out of the same physical location
or locations, and offer similar products.
In addition, a number of industry commenters requested
clarification of the term ``pre-existing business relationship'' as
applied to manufacturers that make sales through dealers. These
commenters explained that automobile manufacturers do not sell vehicles
directly to consumers, but through franchised dealers. Vehicle
financing may be arranged through a manufacturer's captive finance
company or independent sources of financing. These commenters noted
that manufacturers often provide consumers with information about
warranty coverage, recall notices, and other product information.
According to these commenters, manufacturers also send solicitations to
consumers about their products and services, drawing in part on
transaction or experience information from the captive finance company.
These commenters asked the Agencies to clarify that the relationship
between a manufacturer and a consumer qualifies as a pre-existing
business relationship based on the purchase, rental, or lease of the
manufacturer's goods, or, alternatively, to exercise their authority to
add this relationship as an additional basis for a pre-existing
business relationship. One commenter asked the Agencies to clarify that
a pre-existing business relationship could be established even if the
person provides a product or service to the consumer without charging a
fee.
The Agencies do not believe it is necessary to add any additional
bases for a pre-existing business relationship. The Agencies
acknowledge that a pre-existing business relationship exists where a
person owns the servicing rights to a consumer's loan and such person
collects payments from, or otherwise deals directly with, the consumer.
In the Agencies' view, however, that situation qualifies as a financial
transaction and thus falls within the second prong of the definition of
``pre-existing business relationship.'' The Agencies have included an
example, discussed below, to illustrate how the ownership of servicing
rights can create a pre-existing business relationship.
A pre-existing business relationship does not arise, however,
solely from a participation interest in a lending transaction because
such an interest does not result in a financial contract or a financial
transaction between the consumer and the participating party. The
Agencies decline to add a specific provision for franchised dealers.
The statute contains no special provision addressing franchised
dealers, as it does for licensed agents. Moreover, a franchised dealer
and a manufacturer generally are not affiliates and thus are subject to
the GLBA privacy rules relating to information sharing with non-
affiliated third parties. The Agencies also find no basis for including
within the meaning of ``pre-existing business relationship'' any
affiliate that shares a common trade name or representatives, or that
operates from the same location or offers similar products. Finally,
the Agencies decline to add a provision that would create a pre-
existing business relationship when a consumer obtains a product or
service without charge from a person. Such a provision would be overly
broad, is not necessary given the breadth of the statutory definition
of ``pre-existing business relationship,'' and could result in
circumvention of the notice requirement.
Proposed Sec. --.20(d)(1) provided four examples of the pre-
existing business relationship exception. In the final rules, these
examples have been renumbered as Sec. --.20(b)(4)(ii) and (iii), and
revised to illustrate the definition of ``pre-existing business
relationship,'' rather than the corresponding exception.
The two examples relating to the first and second prongs of the
definition of ``pre-existing business relationship'' have been revised
in Sec. --.20(b)(4)(ii)(A) and (B) to focus on a depository
institution as the person with the pre-existing business relationship,
but are otherwise substantively similar to the proposal. One commenter
recommended expanding the example now contained in Sec.
--.20(b)(4)(ii)(A) to refer to the licensed agent that wrote the policy
or services the relationship. The Agencies believe that adding the term
``licensed agent'' to the definition is sufficient and see no reason to
further complicate this example to illustrate how the definition
applies to licensed agents.
Section --.20(b)(4)(ii)(C) is new and illustrates when a pre-
existing business relationship is created in the context of a mortgage
loan. This example specifically addresses circumstances where either
the loan or ownership of the servicing rights to the loan is sold to a
third party. As this example illustrates, sale of the entire loan by
the original lender terminates the financial transaction between the
consumer and that lender and creates a new financial transaction
between the consumer and the purchaser of the loan. However, the
original lender's sale of a fractional interest in the loan to an
investor does not create a new financial transaction between the
consumer and the investor. When the original lender sells a fractional
interest in the consumer's loan to an investor but also retains an
ownership interest in the loan, however, the original lender continues
to have a pre-existing business relationship with the consumer because
the consumer obtained a loan from the lender and the lender continues
to own an interest in the loan. In addition, the ownership of servicing
rights coupled with direct dealings with the consumer results in a
financial transaction between the consumer and the owner of the
servicing rights, thereby creating a pre-existing business relationship
between the consumer and the owner of the servicing rights. The
Agencies note that a financial institution that owns servicing rights
generally has a customer relationship with the consumer and an
obligation to provide a GLBA privacy notice to the consumer.
The example in proposed Sec. --.20(d)(1)(iii) regarding
applications and inquiries elicited comment. Some industry commenters
urged the Agencies to revise this example so that it does not depend
upon the consumer's expectations or the consumer providing contact
information. These commenters noted, for example, that the contact
information would be self-evident if the consumer makes an e-mail
request or provides a return address on an envelope. These commenters
also believed that in the case of a telephone
[[Page 62918]]
call initiated by a consumer, a captured telephone number should be
sufficient to create an inquiry if the consumer requests information
about products or services.
In the final rules, the Agencies have crafted three separate
examples from proposed Sec. --.20(d)(1)(iii). Section
--.20(b)(4)(ii)(D) provides an example where a consumer applies for a
product or service, but does not obtain the product or service for
which she applied. Contact information is not mentioned in this example
because the consumer presumably would have supplied it on the
application.
Section --.20(b)(4)(ii)(E) provides an example where a consumer
makes a telephone inquiry about a product or service offered by a
depository institution and provides contact information to the
institution, but does not obtain a product or service from or enter
into a financial transaction with the institution. The Agencies do not
believe that an institution's capture of a consumer's telephone number
during a telephone conversation with the consumer about the
institution's products or services is sufficient to create an inquiry.
In that circumstance, to ensure that an inquiry has been made, the
institution should ask the consumer to provide his or her contact
information, or confirm with the consumer that the consumer has a pre-
existing business relationship with an affiliate.
Section --.20(b)(4)(ii)(F) provides an example where the consumer
makes an e-mail inquiry about a product or service offered by a
depository institution, but does not separately provide contact
information. In that case, the consumer provides the financial
institution with contact information in the form of the consumer's e-
mail address. In addition, e-mail communications, unlike telephone
communications, do not provide institutions with the same opportunity
to ask for the consumer's contact information.
Industry commenters recommended deleting the example in proposed
Sec. --.20(d)(1)(iv) illustrating a call center scenario where a
consumer would not reasonably expect to receive information from an
affiliate. In the final rules, the Agencies have included a positive
example of an inquiry made by a consumer through a call center in Sec.
--.20(b)(4)(ii)(G), while retaining the negative example from the
proposal in Sec. --.20(b)(4)(iii)(A). In addition, the Agencies have
included in Sec. --.20(b)(4)(iii)(B) an example of a consumer call to
ask about retail locations and hours, which does not create a pre-
existing business relationship. This example is substantively similar
to the example from proposed Sec. --.20(d)(2)(iii).
A new example in Sec. --.20(b)(4)(iii)(C) illustrates a case where
a consumer responds to an advertisement that offers a free promotional
item, but the advertisement does not indicate that an affiliate's
products or services will be marketed to consumers who respond to the
advertisement. The example illustrates that the consumer's response
does not create a pre-existing business relationship because the
consumer has not made an inquiry about a product or service, but has
merely responded to an offer for a free promotional item. Similarly, if
a consumer is directed by a company with which the consumer has a pre-
existing business relationship to contact the company's affiliate to
receive a promotional item but the company does not mention the
affiliate's products or services, the consumer's contact with the
affiliate about the promotional item does not create a pre-existing
business relationship between the consumer and the affiliate.
Solicitation
Proposed Sec. --.3(n) defined the term ``solicitation'' to mean
marketing initiated by a person to a particular consumer that is based
on eligibility information communicated to that person by its affiliate
and is intended to encourage the consumer to purchase a product or
service. The proposed definition further clarified that a
communication, such as a telemarketing solicitation, direct mail, or e-
mail, would be a solicitation if it is directed to a specific consumer
based on eligibility information. The proposed definition did not,
however, include communications that were directed at the general
public without regard to eligibility information, even if those
communications were intended to encourage consumers to purchase
products and services from the person initiating the communications.
Congress gave the Agencies the authority to determine by regulation
that other communications do not constitute a solicitation. The
Agencies did not propose to exercise this authority. The Agencies
solicited comment on whether, and to what extent, various tools used in
Internet marketing, such as pop-up ads, may constitute solicitations as
opposed to communications directed at the general public, and whether
further guidance was needed to address Internet marketing.
Most commenters believed that the proposed definition tracked the
statutory definition contained in section 624 of the FCRA. A number of
industry commenters, however, believed that the proposed definition
misstated the types of marketing that would not qualify as a
solicitation. Specifically, the first sentence of proposed Sec.
--.3(n)(2) provided that ``[a] solicitation does not include
communications that are directed at the general public and distributed
without the use of eligibility information communicated by an
affiliate.'' These commenters believed that a solicitation should not
include either marketing directed at the general public or marketing
distributed without the use of eligibility information communicated by
an affiliate. Several industry commenters also requested that the
Agencies include the phrase ``of a product or service'' in the
introductory language for consistency with the statutory definition.
Some industry commenters sought clarification that certain types of
communications would not constitute solicitations, for example,
marketing announcements delivered via pre-recorded call center
messages, automated teller machine screens, or Internet sites, or
product information provided at or through educational seminars,
customer appreciation events, or newsletters.
NAAG urged the Agencies to clarify the portion of the definition
that refers to ``a particular consumer.'' NAAG believed that mass
mailings of the same or similar marketing materials to a large group of
consumers could fall within the definition of ``solicitation,'' so long
as the marketing is based on eligibility information received from an
affiliate. NAAG expressed concern that some might construe the term
``particular'' to narrow the meaning of a ``solicitation.''
With regard to Internet marketing, industry commenters urged the
Agencies not to address such practices in this rulemaking. These
commenters believed that the definition of ``solicitation'' should
provide specific guidance that ``pop-up'' ads and other forms of
Internet marketing generally were directed to the general public and
not based on eligibility information received from an affiliate, or
that such marketing would fall within an exception. NAAG believed that
such advertisements should be treated as solicitations if they were
based on any eligibility information received from an affiliate.
Consumer groups believed that if an affiliate's pop-up ads and other
Internet marketing were the result of specific actions by the consumer
or information collected based upon a consumer's experience on the
Internet,
[[Page 62919]]
then such marketing should be considered solicitations. These
commenters also believed that pop-up ads and other Internet marketing
targeted to all customers of a company should be treated as
solicitations if based on the consumer's experience on the Internet.
Section --.20(b)(5) of the final rules contains the definition of
``solicitation.'' The definition has been revised to track the
statutory language more closely. The phrase ``of a product or service''
has been added to the definition, as requested by some commenters. To
ensure consistency with the definition of ``pre-existing business
relationship,'' the phrase ``or obtain'' has been retained so that the
definition of ``solicitation'' will include marketing for the rental or
lease of goods or services, financial transactions, and financial
contracts. The Agencies have also deleted as unnecessary the reference
to communications ``distributed without the use of eligibility
information communicated by an affiliate.'' Marketing that is
undertaken without the use of eligibility information received from an
affiliate is not covered by the affiliate marketing rules. Moreover,
there is no restriction on using eligibility information received from
an affiliate in marketing directed at the general public, such as
radio, television, or billboard advertisements. The phrase ``to a
particular consumer'' has been retained because it is part of the
statutory definition. The Agencies do not believe that the phrase ``to
a particular consumer'' excludes large-scale marketing campaigns from
the definition of ``solicitation'' because, within such campaigns,
eligibility information received from an affiliate may be used to
target individual consumers.
The definition of ``solicitation'' does not distinguish between
different mediums. A determination of whether a marketing communication
constitutes a solicitation depends upon the facts and circumstances.
The Agencies have decided not to make those determinations in this
rulemaking. Thus, the Agencies are not adopting special rules or
guidance regarding Internet-based marketing; whether Internet-based
marketing is a solicitation in a particular case will be determined
according to the same criteria that apply to other means of marketing.
The Agencies also decline to exclude categorically from the definition
of ``solicitation'' marketing messages on voice response units, ATM
screens, or other forms of media. Marketing delivered via such media
may be solicitations if such marketing is targeted to a particular
consumer based on eligibility information received from an affiliate.
For example, a marketing message on an ATM screen would be a
solicitation if it is targeted to a particular consumer based on
eligibility information received from an affiliate, but would not be a
solicitation if it is delivered to all consumers that use the ATM.
Similarly, the Agencies decline to exclude educational seminars,
customer appreciation events, focus group invitations, and similar
forms of communication from the definition of ``solicitation.'' The
Agencies believe that such activities must be evaluated according to
the facts and circumstances and some of those activities may be coupled
with, or a prelude to, a solicitation. For example, an invitation to a
financial educational seminar where the invitees are selected based on
eligibility information received from an affiliate may be a
solicitation if the seminar is used to solicit the consumer to purchase
investment products or services.
You or Bank
Section --.20(b)(6) of each Agency's rule defines either ``you'' or
``bank'' to include persons covered by Subpart C of the Agency's rule,
as described in Sec. --.20(a).
Section --.21 Affiliate Marketing Opt-out and Exceptions
Initial Notice and Opt-out Requirement
The Agencies proposed to establish certain rules relating to the
requirement to provide the consumer with notice and a reasonable
opportunity and a simple method to opt out of a person's use of
eligibility information that it obtained from an affiliate for the
purpose of making or sending solicitations to the consumer. The
Agencies noted that the statute is ambiguous because it does not
specify which affiliate must provide the opt-out notice to the
consumer. The Agencies addressed this ambiguity by proposing to place
certain responsibilities on the communicating affiliate and other
responsibilities on the receiving affiliate.
Proposed Sec. --.20(a) set forth the duties of a communicating
affiliate. That section required the communicating affiliate to provide
a notice to the consumer before a receiving affiliate could use
eligibility information to make or send solicitations to the consumer.
Under the proposal, the opt-out notice would state that eligibility
information may be communicated to and used by the receiving affiliate
to make or send solicitations to the consumer regarding the affiliate's
products and services, and would give the consumer a reasonable
opportunity and a simple method to opt out.
Proposed Sec. --.20(a) also contained two rules of construction
relating to the communicating affiliate's duty to provide the notice.
The first rule of construction would have allowed the notice to be
provided either in the name of a person with which the consumer
currently does or previously has done business or in one or more common
corporate names shared by members of an affiliated group of companies
that includes the common corporate name used by that person. The rule
of construction also would have provided alternatives regarding the
manner in which the notice could be given, such as by allowing the
communicating affiliate to provide the notice either directly to the
consumer, through an agent, or through a joint notice with one or more
of its affiliates. The second rule of construction would have clarified
that, to avoid duplicate notices, it would not be necessary for each
affiliate that communicates the same eligibility information to provide
an opt-out notice to the consumer, so long as the notice provided by
the affiliate that initially communicated the information was broad
enough to cover use of that information by each affiliate that received
and used it to make solicitations. The proposal included examples to
illustrate how each of these rules of construction would work.
Proposed Sec. --.20(b) set forth the general duties of a receiving
affiliate. That section would have prohibited the receiving affiliate
from using eligibility information it received from an affiliate to
make solicitations to the consumer unless, prior to such use, the
consumer was provided an opt-out notice that applied to that
affiliate's use of eligibility information to make solicitations and a
reasonable opportunity and simple method to opt out, and the consumer
did not opt out of that use.
Most industry commenters maintained that the final rules should not
require any specific entity to provide the opt-out notice, but should
only require that the consumer be provided an opt-out notice covering
an affiliate's use of eligibility information before a solicitation is
made to the consumer. These commenters believed the final rules should
provide flexibility and allow either the receiving affiliate, the
communicating affiliate, or any other affiliate to provide the opt-out
notice. These commenters maintained that the statute is not ambiguous
and
[[Page 62920]]
does not impose any obligations on a specific entity, such as the
communicating affiliate, to provide the opt-out notice. Some of these
commenters acknowledged, however, that the communicating affiliate
would, as a practical matter, most likely give the opt-out notice.
A number of industry commenters expressed concern that the proposed
rules would create a basis for civil liability against the
communicating affiliate under section 624 because that section is
covered by the FCRA's private right of action provisions in sections
616 and 617. Some commenters noted that, to avoid exposure to civil
liability, a communicating affiliate would have to require receiving
affiliates to commit to not using the information to make
solicitations, give an opt-out notice whenever they share eligibility
information with affiliates, or never share eligibility information
with affiliates. These commenters maintained that, in many cases, none
of these solutions would be practical, for example, where a receiving
affiliate negligently failed to comply with a commitment not to make
solicitations unless notice has been given to the consumer.
Several industry commenters noted that the language in section
624(a)(1)(A) that ``information may be communicated'' could be included
in an opt-out notice provided by the receiving affiliate. These
commenters also believed that the statutory requirement that the
Agencies consider existing affiliate sharing notification practices and
permit coordinated and consolidated notices did not imply that the
communicating affiliate should be responsible for providing the opt-out
notice.
Industry commenters made several suggestions for revising the
language of the proposal. Some suggested revising proposed Sec.
--.20(a) to omit any reference to the communicating affiliate and to
incorporate the passive voice used in the statute. Others suggested
various ways of merging proposed Sec. --.20(b) into proposed Sec.
--.20(a) to focus exclusively on the responsibilities of the receiving
affiliate. One commenter identified certain drafting problems it
believed arose from the fact that the proposal focused alternately on
the communicating affiliate and the receiving affiliate and that those
two entities may be regulated by different regulatory agencies.
A few industry commenters acknowledged that the Agencies had raised
legitimate concerns in the supplementary information to the proposal
about how meaningful a notice could be when provided by a receiving
affiliate that the consumer may not recognize. These commenters
believed that this concern could be addressed through other means. One
commenter, for example, suggested the following introductory language
in paragraph (a)(2): ``The notice required by this paragraph (a) may be
provided either in the name of the bank receiving the information
(provided that such bank also identifies the affiliate which provided
such information), in the name of the affiliate which provided such
information, or in one or more common corporate names shared by such
bank and the affiliate which provided the information, and may be
provided in the following manner * * * '' Another industry commenter
expressed support for the rules of construction with revisions to allow
the use of brand names and trade names, as well as the actual
``corporate'' name, and to allow an agent or affiliate to send a common
notice that uses more than one common name in a non-deceptive manner.
Consumer group commenters supported making the communicating
affiliate responsible for providing the notice and opportunity to opt
out. These commenters believed that allowing the receiving affiliate to
send the opt-out notice would invite consumer confusion as to whether
or not the opt-out notice itself is a solicitation. These commenters
also believed that the Agencies should require the names of the
receiving affiliates to be clearly disclosed to the consumer. Consumer
groups also believed that the proposed rules of construction struck a
reasonable balance by allowing commonly named affiliates to share a
notice while making clear that a notice from an affiliate with whom the
consumer is not familiar will not be effective. They also suggested
that the company with the pre-existing business relationship should be
clearly marked on the opt-out notice.
NAAG believed that a receiving affiliate should not be permitted to
give the opt-out notice solely on its own behalf because a receiving
affiliate is unlikely to be an entity from which the consumer would
expect to receive important communications. NAAG also requested that
the Agencies revise certain portions of the proposed rules of
construction, for example, by deleting from proposed Sec.
--.20(a)(2)(i) the phrase ``or previously has done business'' based on
concerns that it would render the notice partially ineffective because,
even without this phrase, the notice would not be required for 18
months after a customer relationship ends. NAAG also requested that the
Agencies revise proposed Sec. Sec. --.20(a)(2)(B)(2) and (a)(2)(C) to
clarify that the common name used must be one that includes the name
used by the person providing the opt-out notice.
In the proposal, the Agencies did not require the opt-out notice to
be provided in writing. The Agencies noted, however, that they
contemplated that the opt-out notice would be provided to the consumer
in writing or, if the consumer agrees, electronically. The proposal
solicited comment on whether there were circumstances in which it would
be necessary and appropriate to allow oral notice and opt out and how
an oral notice could satisfy the clear and conspicuous standard in the
statute.
Industry commenters believed that the final rules should permit
oral notices. These commenters identified circumstances in which a
relationship is established by telephone as an example of when oral
notice would be appropriate. Some industry commenters also noted that
an oral notice should be permitted because the affiliate sharing opt-
out notice under section 603(d)(2)(A)(iii) may be given orally, as well
as in writing or electronically. Several industry commenters noted that
the FTC in the Telemarketing Sales Rule and the OCC in regulations
relating to debt cancellation contracts and debt suspension agreements
have permitted clear and conspicuous oral notices. These commenters did
not believe that allowing oral notice in these circumstances had
created any enforcement difficulties for the FTC or OCC. Other industry
commenters noted that institutions could demonstrate compliance through
the use of scripts or by monitoring or recording calls.
Consumer groups believed that a written opt-out notice should be
required in all cases. These commenters believed that, with an oral
notice, it is impossible to ensure that a consumer receives the
appropriate notice or information on the right to opt out. They
believed that allowing oral notices would create enforcement barriers
for regulators. Consumer groups also believed that institutions have
strong economic incentives to prevent consumers from opting out and
would engage in misrepresentations or otherwise use language in their
scripts that is designed to discourage consumers from opting out. NAAG
believed that oral notices would not meet the statutory requirement for
a clear, conspicuous, and concise notice, that consumers would be less
likely to comprehend oral notices, and enforcement would be more
difficult if oral opt-out notices were allowed.
Section --.21(a) of the final rules contains the revised provisions
[[Page 62921]]
regarding the initial notice and opt out requirement. Although the
language of this section has been revised and simplified, the substance
of this provision is substantially similar to the proposal.
Section --.21(a)(1) sets forth the general rule. This section
contains the three conditions that must be met before a person may use
eligibility information about a consumer that it receives from an
affiliate to make a solicitation for marketing purposes to the
consumer. First, it must be clearly and conspicuously disclosed to the
consumer in writing or, if the consumer agrees, electronically, in a
concise notice that the person may use shared eligibility information
to make solicitations to the consumer. Second, the consumer must be
provided a reasonable opportunity and a reasonable and simple method to
opt out of the use of that eligibility information to make
solicitations to the consumer. Third, the consumer must not have opted
out. Section --.21(a)(2) of the final rules provides an example of the
general rule.
The Agencies have concluded that the opt-out notice may not be
provided orally, but must be provided in writing or, if the consumer
agrees, electronically. The statute requires the Agencies to consider
the affiliate sharing notification practices employed on the date of
enactment and to ensure that notices and disclosures may be coordinated
and consolidated in promulgating regulations. The affiliate sharing
notice under section 603(d)(2)(A)(iii) of the FCRA generally must be
included in the GLBA privacy notice, which must be provided in writing,
or if the consumer agrees, electronically. Requiring the affiliate
marketing opt-out notice to be provided in writing, or if the consumer
agrees, electronically, is thus consistent with existing affiliate
sharing notification practices and promotes coordination and
consolidation of the three privacy-related opt-out notices. The
Agencies are not persuaded that there are any circumstances where it
would be necessary to provide an oral opt-out notice. A number of key
exceptions to the initial notice and opt-out requirement, such as the
pre-existing business relationship exception, consumer-initiated
communication exception, and consumer authorization or request
exception, may be triggered by an oral communication with the consumer.
It also could be more difficult for the Agencies to monitor and enforce
compliance with the final rules if oral opt-out notices were allowed.
Accordingly, the final rules require the opt-out notice to be provided
in writing or, if the consumer agrees, electronically.
Section --.21(a)(3) identifies those affiliates who may provide the
initial opt-out notice. This section provides that the initial opt-out
notice must be provided either by an affiliate that has or has
previously had a pre-existing business relationship with the consumer,
or as part of a joint notice from two or more members of an affiliated
group of companies, provided that at least one of the affiliates on the
joint notice has or has previously had a pre-existing business
relationship with the consumer. The final rules follow the general
approach taken in the proposal to ensure that the notice is provided by
an entity known to the consumer, while eliminating potentially
ambiguous and confusing terms like ``communicating affiliate'' and
``receiving affiliate.''
The Agencies also have eliminated as unnecessary the rules of
construction. Joint notices are now addressed directly in Sec.
--.21(a)(3). The Agencies also have concluded that the provisions from
the proposal relating to notice provided by an agent are unnecessary.
General agency principles, however, continue to apply. An affiliate
that has or has previously had a pre-existing business relationship
with the consumer may direct its agent to provide the opt-out notice on
its behalf.
The Agencies have concluded that the statute's silence with regard
to which affiliates may provide the opt-out notice makes the statute
ambiguous on this point, despite industry comments to the contrary. The
Agencies also continue to believe that consumers are more likely to pay
attention to a notice provided by a person known to the consumer. The
Agencies remain concerned that a notice provided by an entity unknown
to the consumer may not provide meaningful or effective notice, and
that consumers may ignore or discard notices provided by unknown
entities. Industry comments on the proposal did little to address those
concerns. For practical reasons, the Agencies believe that affiliate
marketing opt-out notices typically would be provided by an affiliate
that has or has previously had a pre-existing business relationship
with the consumer, or as part of a joint notice, whether or not
required by the rule.
The Agencies appreciate industry concerns about civil liability and
have revised the final rules to address those concerns. Specifically,
in contrast to the proposal, the final rules do not impose duties on
any affiliate other than the affiliate that intends to use shared
eligibility information to make solicitations to the consumer. Although
an opt-out notice must be provided by an affiliate that has or has
previously had a pre-existing business relationship with the consumer
(or as part of a joint notice), that affiliate has no duty to provide
such a notice. Instead, the final rule provides that absent such a
notice, an affiliate must not use shared eligibility information to
make solicitations to the consumer. Industry concerns about civil
liability also may be mitigated to some extent by the Supreme Court's
recent decision in Safeco Ins. Co. of America v. Burr, 127 S. Ct. 2201
(June 4, 2007).
Finally, many institutions currently require consumers to provide
their Social Security numbers when exercising their existing GLBA and
FCRA opt-out rights. The Agencies believe that institutions likely
would follow their existing practice with regard to affiliate marketing
opt-outs. To combat identity theft and prevent ``phishing,'' however,
the Agencies, along with many institutions, have been educating
consumers not to provide their Social Security numbers to unknown
entities. Furthermore, as participants in the President's Identity
Theft Task Force, the Agencies have made a commitment to examine and
recommend ways to limit the private sector's use of Social Security
numbers.
The approach recommended by industry commenters would allow an
unknown entity not only to provide an affiliate marketing opt-out
notice to the consumer, but also to require the consumer to reveal his
or her Social Security number to that unknown entity in order to
exercise the opt-out right. Such an approach would send conflicting
messages to consumers about providing Social Security numbers to
unknown entities. This approach also would be inconsistent with the
Agencies' current efforts to develop a comprehensive record on the uses
of the Social Security number in the private sector and evaluate their
necessity, as recommended by the President's Identity Theft Task
Force.\13\
---------------------------------------------------------------------------
\13\ See Combating Identity Theft: A Strategic Plan at 26-27
(April 2007) (available at http://www.idtheft.gov).
---------------------------------------------------------------------------
Making Solicitations
The proposal repeatedly referred to ``making or sending''
solicitations. Several commenters suggested revising the regulations to
eliminate all references to ``sending'' solicitations. These commenters
believed that the statute only concerns the use of eligibility
information to ``make'' solicitations and does not address ``sending''
solicitations. Commenters expressed concern that by referring to
[[Page 62922]]
``sending'' solicitations, the proposal would apply the notice and opt-
out requirements to servicers that send solicitations on behalf of
another entity.
The Agencies have revised the final rules to eliminate all combined
references to ``making or sending'' solicitations. The general rule in
section 624(a)(1), along with the duration provisions in section
624(a)(3) and the pre-existing business relationship exception in
section 624(a)(4)(A), refer to ``making'' or ``to make'' a
solicitation. Other provisions of the statute, such as the consumer
choice provision in section 624(a)(2)(A), the service provider
exception in section 624(a)(4)(C), the non-retroactivity provision in
section 624(a)(5), and the definition of ``pre-existing business
relationship'' in section 624(d)(1), refer to ``sending'' or ``to
send'' a solicitation. The verb ``to send,'' as used in the statute,
refers to a ministerial act that a service provider, such as a mail
house, performs for the person making the solicitation, (see 15 U.S.C.
1681s-3(a)(4)(C)), or indicates the point in time after which
solicitations are no longer permitted. See 15 U.S.C. 1681s-3(d)(1)(B)
and (C).
The Agencies conclude that ``making'' and ``sending'' solicitations
are different activities and that the focus of the statute is primarily
on the ``making'' of solicitations. For example, a service provider may
send a solicitation on behalf of another entity, but it is the entity
on whose behalf the solicitation is sent that is making the
solicitation and thus is subject to the general prohibition on making a
solicitation, unless the consumer is given notice and an opportunity to
opt out. Accordingly, the Agencies have revised the final rules to
refer to ``making'' a solicitation, except where the statute
specifically refers to ``sending'' solicitations.
The statute, however, does not describe what a person must do in
order ``to make'' a solicitation. Similarly, the legislative history
does not contain guidance as to the meaning of ``making'' a
solicitation. Nevertheless, the Agencies believe it is important to
provide clear guidance regarding what activities result in making a
solicitation.
One commenter suggested that the test for making a solicitation
should turn on whether an affiliate having a pre-existing business
relationship with the consumer retains the discretion to determine
whether or not to send the solicitation. This commenter provided an
example where a financial institution obtains a list of an affiliate's
customers from a common shared database, applies its own criteria to
this list, and then requests the affiliate with an existing business
relationship to solicit the affiliate's own customers to purchase the
financial institution's products or services. (Thus, the financial
institution would be using eligibility information to select a list of
its affiliate's customers to receive the financial institution's
marketing materials.) This commenter believed that section 624 should
not apply so long as the affiliate with the existing business
relationship has discretion to determine whether or not to send the
solicitations. This commenter also maintained that the applicability of
section 624's notice and opt-out requirement should depend on who
markets the product and not on what the product is or whose product it
is.
Nothing in the statute indicates that the discretion of the
affiliate providing the eligibility information to determine whether or
not to send a solicitation on behalf of a person who has received
eligibility information from that affiliate is the test for what
constitutes making a solicitation. Rather, the statute focuses on
whether the person receiving eligibility information from an affiliate
uses that information to market its products or services to consumers.
A ``discretion to send'' test would also inappropriately link the terms
``making'' and ``sending'' in a manner that would promote confusion and
undercut arguments made by commenters urging the Agencies to
disassociate the two terms. Finally, a ``discretion to send'' test
could foster circumvention of the notice and opt-out requirement,
restrict the ability of consumers to prohibit solicitations in a manner
not contemplated by the statute, and make it difficult for the Agencies
to administer and enforce the statute.
Section --.21(b) of the final rules clarifies what constitutes
``making'' a solicitation for purposes of Subpart C. Section
--.21(b)(1) provides that a person makes a solicitation for marketing
purposes to a consumer if: (a) The person receives eligibility
information from an affiliate; (b) the person uses that eligibility
information to do one of the following--identify the consumer or type
of consumer to receive a solicitation, establish the criteria used to
select the consumer to receive a solicitation, or decide which of its
products or services to market to the consumer or tailor its
solicitation to that consumer; and (c) as a result of the person's use
of the eligibility information, the consumer is provided a solicitation
about the person's products or services.
The Agencies recognize that several common industry practices may
complicate application of the rule outlined in Sec. --.21(b)(1).
First, affiliated groups often use a common database as the repository
for eligibility information obtained by various affiliates, and
information in that database may be accessible to multiple affiliates.
Second, affiliated companies often use service providers to perform
marketing activities, and some of those service providers may provide
services for a number of different affiliates. Third, an affiliate may
use its own eligibility information to market the products or services
of another affiliate. Sections --.21(b)(2)-(5) address these issues.
Section --.21(b)(2) clarifies that a person may receive eligibility
information from an affiliate in various ways, including when the
affiliate places that information into a common database that the
person may access. Of course, receipt of eligibility information from
an affiliate is only one element of the rule outlined in Sec.
--.21(b)(1). In the case of a common database, use of the eligibility
information will be the key element in determining whether a person has
made a solicitation.
Section --.21(b)(3) provides that a person receives or uses an
affiliate's eligibility information if a service provider acting on
behalf of the person receives or uses that information in the manner
described in Sec. Sec. --.21(b)(1)(i) or (b)(1)(ii), except as
provided in Sec. --.21(b)(5), which is discussed below. Section
--.21(b)(3) also provides that all relevant facts and circumstances
will determine whether a service provider is acting on behalf of a
person when it receives or uses an affiliate's eligibility information
in connection with marketing that person's products or services.
Section --.21(b)(4) addresses constructive sharing. In the
supplementary information to the proposal, the Agencies solicited
comment on whether the notice and opt-out requirements of these rules
should apply to circumstances that involve a ``constructive sharing''
of eligibility information to conduct marketing, given the policy
objectives of section 214 of the FACT Act. By way of example, in a
``constructive sharing'' scenario, a consumer has a relationship with a
financial institution, and the financial institution is affiliated with
an insurance company. The insurance company develops specific
eligibility criteria, such as consumers having combined deposit
balances in excess of $50,000 or average monthly demand account
deposits in excess of $10,000, without the use of eligibility
information received from the financial institution. The insurance
company provides its criteria to the financial
[[Page 62923]]
institution and asks the institution to identify financial institution
consumers that meet the eligibility criteria and send insurance company
marketing materials to those consumers. The financial institution sends
the marketing materials to those consumers who meet the insurance
company's eligibility criteria. A consumer who meets the eligibility
criteria contacts the insurance company after receiving the insurance
company marketing materials in the manner specified in those materials.
The consumer's response provides the insurance company with discernible
eligibility information, such as through a response form that is coded
to identify the consumer as an individual who meets the specific
eligibility criteria.\14\
---------------------------------------------------------------------------
\14\ The supplementary information to the proposal noted that
the notice and opt-out requirement would not apply if, for example,
an insurance company asked its affiliated financial institution to
include insurance company marketing material in periodic statements
sent to consumers by the financial institution without regard to
eligibility information.
---------------------------------------------------------------------------
Industry commenters urged the Agencies not to apply the notice and
opt-out requirement to ``constructive sharing'' situations. The
principal arguments made by these commenters in support of their
position were as follows. First, in a constructive sharing scenario,
there is no sharing of eligibility information among affiliates.
Rather, the consumer provides information to an affiliate when
responding. Second, section 624 applies when a person uses eligibility
information furnished by its affiliate to make a solicitation for its
own products or services to the consumer. In constructive sharing,
however, the person does not use eligibility information and does not
make a solicitation as defined in the statute. Third, the affiliate
that sends the marketing material has a pre-existing business
relationship with the consumer and is thus exempt from the notice and
opt-out requirements. Fourth, if the consumer responds to the marketing
materials, for example, by returning a response card to an affiliate,
one or more of the exceptions to the notice and opt-out requirement
would apply, such as the consumer-initiated communication exception,
the pre-existing business relationship exception, or both.
Consumer groups believed that constructive sharing contravenes the
intent of Congress and amounts to a loophole that should be fixed.
Similarly, NAAG believed that the letter and spirit of section 624
required subjecting constructive sharing to the notice and opt-out
requirements and that to find otherwise would create a significant and
unwarranted exception.
After considering the constructive sharing issue, the Agencies
conclude that the statute only covers situations where a person uses
eligibility information that it received from an affiliate to make a
solicitation to the consumer about its products or services. In a
``constructive sharing'' scenario like that described above, a pre-
existing business relationship is established between the consumer and
the insurance company when the consumer contacts the insurance company
to inquire about or apply for insurance products as a result of the
consumer's receipt of the insurance marketing materials. This pre-
existing business relationship is established before the insurance
company uses any shared eligibility information to make solicitations
to the consumer. Because the insurance company does not use shared
eligibility information to make solicitations to the consumer before it
establishes a pre-existing business relationship with the consumer, the
statute does not apply.
The Agencies acknowledge the concerns expressed by consumer groups
and NAAG regarding the decision not to apply the notice and opt-out
requirements to constructive sharing situations. The statute's
affiliate marketing provisions, however, only limit the use of
eligibility information received from an affiliate to make
solicitations to a consumer. A separate provision of the FCRA, section
603(d)(2)(A)(iii), regulates the sharing of eligibility information
among affiliates and prohibits the sharing of non-transaction or
experience information, such as credit scores from a consumer report or
income from an application, among affiliates, unless the consumer is
given notice and an opportunity to opt out of such sharing. The FCRA
does not restrict the sharing of transaction or experience information
among affiliates unless that information is medical information.
Section 603(d)(2)(A)(iii) operates independent of the affiliate
marketing rules. Thus, the existence of a pre-existing business
relationship between a consumer and an affiliate that seeks to use
shared eligibility information, such as credit scores or income, to
market to that consumer (or the applicability of another exception to
these affiliate marketing rules) does not relieve the entity sharing
the credit score or income information of the requirement to comply
with the affiliate sharing notice and opt-out provisions of section
603(d)(2)(A)(iii) of the FCRA before it shares that non-transaction or
experience information with its affiliate.\15\
---------------------------------------------------------------------------
\15\ A sharing of information occurs if a reference code
included in marketing materials reveals one affiliate's information
about a consumer to another affiliate upon receipt of a consumer's
response.
---------------------------------------------------------------------------
Section --.21(b)(4) describes two situations where a person is
deemed not to have made a solicitation subject to Subpart C. Both
situations assume that the person has not used eligibility information
received from an affiliate in the manner described in Sec.
--.21(b)(1)(ii). First, a person does not make a solicitation subject
to Subpart C if that person's affiliate uses its own eligibility
information that it obtained in connection with a pre-existing business
relationship it has or had with the consumer to market the person's
products or services to the consumer. Second, if, in the situation just
described, the person's affiliate directs its service provider to use
the affiliate's own eligibility information to market the person's
products or services to the consumer, and the person does not
communicate directly with the service provider regarding that use of
the eligibility information, then the person has not made a
solicitation subject to Subpart C.
The core concept underlying the second prong of this provision is
that the affiliate that obtained the eligibility information in
connection with a pre-existing business relationship with the consumer
controls the actions of the service provider using that information.
Therefore, the service provider's use of the eligibility information
should not be attributed to the person whose products or services will
be marketed to consumers. In such circumstances, the service provider
is acting on behalf of the affiliate that obtained the eligibility
information in connection with a pre-existing business relationship
with the consumer, and not on behalf of the person whose products or
services will be marketed to that affiliate's consumers.
The Agencies also recognize that there may be situations where the
person whose products or services are being marketed does communicate
with the affiliate's service provider. This may be the case, for
example, where the service provider performs services for various
affiliates relying on information maintained in and accessed from a
common database. In certain circumstances, the person whose products or
services are being marketed may communicate with the affiliate's
service provider, yet the service provider is still acting on behalf of
the affiliate when it uses the affiliate's
[[Page 62924]]
eligibility information in connection with marketing the person's
products or services. Section --.21(b)(5) describes the conditions
under which a service provider would be deemed to be acting on behalf
of the affiliate with the pre-existing business relationship, rather
than the person whose products or services are being marketed,
notwithstanding direct communications between the person and the
service provider.
Section --.21(b)(5) builds upon the concept of control of a service
provider and thus is a natural outgrowth of Sec. --.21(b)(4). Under
the conditions set out in Sec. --.21(b)(5), the service provider is
acting on behalf of an affiliate that obtained the eligibility
information in connection with a pre-existing business relationship
with the consumer because, among other things, the affiliate controls
the actions of the service provider in connection with the service
provider's receipt and use of the eligibility information. This
provision is designed to minimize uncertainty that may arise from
application of the facts and circumstances test in Sec. --.21(b)(3) to
cases that involve direct communications between a service provider and
a person whose products and services will be marketed to consumers.
Section --.21(b)(5) provides that a person does not make a
solicitation subject to Subpart C if a service provider (including an
affiliated or third-party service provider that maintains or accesses a
common database that the person may access) receives eligibility
information from the person's affiliate that the person's affiliate
obtained in connection with a pre-existing business relationship it has
or had with the consumer and uses that eligibility information to
market the person's products or services to the consumer, so long as
the following five conditions are met.
First, the person's affiliate controls access to and use of its
eligibility information by the service provider (including the right to
establish specific terms and conditions under which the service
provider may use such information to market the person's products or
services). This requirement must be set forth in a written agreement
between the person's affiliate and the service provider. The person's
affiliate may demonstrate control by, for example, establishing and
implementing reasonable policies and procedures applicable to the
service provider's access to and use of its eligibility information.
Second, the person's affiliate establishes specific terms and
conditions under which the service provider may access and use that
eligibility information to market the person's products or services (or
those of affiliates generally) to the consumer, and periodically
evaluates the service provider's compliance with those terms and
conditions. These terms and conditions may include the identity of the
affiliated companies whose products or services may be marketed to the
consumer by the service provider, the types of products or services of
affiliated companies that may be marketed, and the number of times the
consumer may receive marketing materials. The specific terms and
conditions established by the person's affiliate must be set forth in
writing, but need not be set forth in a written agreement between the
person's affiliate and the service provider. If a periodic evaluation
by the person's affiliate reveals that the service provider is not
complying with those terms and conditions, the Agencies expect the
person's affiliate to take appropriate corrective action.
Third, the person's affiliate requires the service provider to
implement reasonable policies and procedures designed to ensure that
the service provider uses the affiliate's eligibility information in
accordance with the terms and conditions established by the affiliate
relating to the marketing of the person's products or services. This
requirement must be set forth in a written agreement between the
person's affiliate and the service provider.
Fourth, the person's affiliate is identified on or with the
marketing materials provided to the consumer. This requirement will be
construed flexibly. For example, the person's affiliate may be
identified directly on the marketing materials, on an introductory
cover letter, on other documents included with the marketing materials,
such as a periodic statement, or on the envelope which contains the
marketing materials.
Fifth, the person does not directly use the affiliate's eligibility
information in the manner described in Sec. --.21(b)(1)(ii).
These five conditions together ensure that the service provider is
acting on behalf of the affiliate that obtained the eligibility
information in connection with a pre-existing business relationship
with the consumer because that affiliate controls the service
provider's receipt and use of that affiliate's eligibility information.
Section --.21(b)(6) provides six illustrative examples of the rules
relating to making solicitations as set forth in Sec. Sec.
--.21(b)(1)-(5).
Exceptions
Proposed Sec. --.20(c) contained exceptions to the requirements of
Subpart C and incorporated each of the statutory exceptions to the
affiliate marketing notice and opt-out requirements that are set forth
in section 624(a)(4) of the FCRA. The Agencies have revised the preface
to the exceptions for clarity to provide that the provisions of Subpart
C do not apply to ``you'' or ``the bank'' if a person uses eligibility
information that it receives from an affiliate in certain
circumstances. In addition, each of the exceptions has been moved to
Sec. --.21(c) in the final rules and is discussed below.
Pre-Existing Business Relationship Exception
Proposed Sec. --.20(c)(1) provided that the provisions of Subpart
C would not apply to an affiliate using eligibility information to make
a solicitation to a consumer with whom the affiliate has a pre-existing
business relationship. As noted above, a pre-existing business
relationship exists when: (1) There is a financial contract in force
between the affiliate and the consumer; (2) the consumer and the
affiliate have engaged in a financial transaction (including holding an
active account or a policy in force or having another continuing
relationship) during the 18 months immediately preceding the date of
the solicitation; (3) the consumer has purchased, rented, or leased the
affiliate's goods or services during the 18 months immediately
preceding the date of the solicitation; or (4) the consumer has
inquired about or applied for a product or service offered by the
affiliate during the 3-month period immediately preceding the date of
the solicitation. Proposed Sec. --.20(d)(1) provided examples of the
pre-existing business relationship exception. As explained above, the
Agencies have revised the examples from proposed Sec. --.20(d)(1) in
the final rules and included them as examples of the definition of
``pre-existing business relationship'' rather than as examples of the
pre-existing business relationship exception.
Section --.21(c)(1) of the final rules revises the pre-existing
business relationship exception to delete the word ``send'' and to
eliminate as unnecessary the cross-reference to the location of the
definition of ``pre-existing business relationship.'' As discussed
above, commenters made a number of suggestions regarding the definition
of ``pre-existing business relationship.'' The Agencies have
[[Page 62925]]
addressed those comments elsewhere. Most commenters supported the
proposed text of the pre-existing business relationship exception,
which generally tracks the statutory language.
Some commenters, however, apparently believed that the pre-existing
business relationship exception is broader than it actually is. For
example, assume that an insurance company has a pre-existing business
relationship with a consumer and shares eligibility information about
the consumer with its affiliates by putting that information into a
common database that is accessible by all affiliates. The insurance
company's depository institution affiliate accesses the database,
reviews the data on the insurance company's consumers and, based on its
review, decides to market to some of the insurance company's consumers.
Rather than sending the solicitations itself, the depository
institution asks the insurance company with the pre-existing business
relationship to send solicitations on its behalf to the insurance
company's consumers. As noted above, one commenter believed that in
this circumstance the pre-existing business relationship exception
would apply so long as the insurance company retained the discretion to
decide whether or not to send the solicitations on behalf of the
depository institution. However, the Agencies conclude that this
situation does not fall within the pre-existing business relationship
exception. Instead, the depository institution makes the solicitation
because it used eligibility information received from an affiliate to
select the consumer to receive a solicitation about its products or
services and, as a result, the consumer is provided a solicitation. To
eliminate any confusion and clarify the scope of the exception, the
Agencies have added an example in Sec. --.21(d)(1) of the final rules
to illustrate a situation where the pre-existing business relationship
exception would apply.
Employee Benefit Plan Exception
Proposed Sec. --.20(c)(2) provided that the provisions of Subpart
C would not apply to an affiliate using the information to facilitate
communications to an individual for whose benefit the affiliate
provides employee benefit or other services under a contract with an
employer related to and arising out of a current employment
relationship or an individual's status as a participant or beneficiary
of an employee benefit plan. One commenter believed that the exception
should be revised to permit communications ``to an affiliate about an
individual for whose benefit an entity provides employee benefit or
other services pursuant to a contract with an employer related to and
arising out of the current employment relationship or status of the
individual as a participant or beneficiary of an employee benefit
plan.'' This commenter also suggested deleting the phrase ``you receive
from an affiliate'' in the introduction to proposed Sec. --.20(c).
This commenter believed that this exception should permit an employer
or plan sponsor to share information with its affiliates in order to
offer other financial services, such as brokerage accounts or IRAs, to
its employees. This commenter further requested clarification on
whether the exception applies only if related to products offered as an
employee benefit.
Section --.21(c)(2) of the final rules adopts the employee benefit
exception as proposed. The Agencies decline to adopt the changes
suggested by the one commenter. First, the suggestion to make the
exception applicable to communications ``to an affiliate about an
individual for whose benefit an entity provides employee benefit or
other services'' differs from the language of the statute. The language
of the proposed and final rules focuses on facilitating communications
``to an individual for whose benefit the person provides employee
benefit or other services,'' which tracks the statutory language better
than the alternative language proposed by the commenter.
Second, the only person to whom section 624 might apply is a person
that receives eligibility information from an affiliate. Specifically,
the statutory preface to the exceptions provides that ``[t]his section
shall not apply to a person'' using information to do certain things.
The language of the statute thus makes clear that the exceptions in
section 624(a)(4) of the FCRA were meant to apply to persons that
otherwise would be subject to section 624. In the case of the employee
benefit exception, the person using the information is also ``the
person provid[ing] employee benefit or other services pursuant to a
contract with an employer.'' Therefore, the Agencies conclude that this
exception, like the other provisions of Subpart C, should apply only to
a person that uses eligibility information it receives from an
affiliate to make solicitations to consumers about its products or
services.
Service Provider Exception
Proposed Sec. --.20(c)(3) provided that the provisions of Subpart
C would not apply to an affiliate using the information to perform
services for another affiliate, unless the services involve making or
sending solicitations on its own behalf or on behalf of an affiliate
and the service provider or such affiliate is not permitted to make or
send such solicitations as a result of the consumer's election to opt
out. Thus, under the proposal, when the notice has been provided to a
consumer and the consumer has opted out, an affiliate subject to the
consumer's opt-out election may not circumvent the opt-out by
instructing the person with the consumer relationship or another
affiliate to send solicitations to the consumer on its behalf.
Several industry commenters urged the Agencies to revise the
proposed exception to conform to the statutory language. Specifically,
with respect to the exclusion from the service provider exception,
these commenters recommended that the Agencies delete the references to
solicitations on behalf of the service provider. Some of these
commenters maintained that the references to solicitations on behalf of
the service provider itself would impose additional burdens and costs
on companies that use a single affiliate to provide various
administrative services to other affiliates and would make it more
difficult to provide general educational materials to consumers. Some
of these commenters also asked the Agencies to clarify that the
limitation in the service provider exception has no applicability to
any other exception.
Section --.21(c)(3) of the final rules revises the service provider
exception to delete as surplusage the references to solicitations by a
service provider on its own behalf. The Agencies note that the general
rule in Sec. --.21(a)(1) prohibits a service provider from using
eligibility information it received from an affiliate to make
solicitations to the consumer about its own products or services unless
the consumer is given notice and an opportunity to opt out or unless
one of the other exceptions applies. The service provider exception
simply allows a service provider to do what the affiliate on whose
behalf it is acting may do, such as using shared eligibility
information to make solicitations to consumers to whom the affiliate is
permitted to make such solicitations. The final rules also delete the
word ``make'' from the exception to the service provider exception
because, as discussed above, ``making'' and ``sending'' solicitations
are distinct activities and this provision of the statute uses the verb
``to send.'' The Agencies note that, although the statute contains
separate service provider and
[[Page 62926]]
pre-existing business relationship exceptions, nothing in those
exceptions prevents an affiliate that has a pre-existing business
relationship with the consumer from relying upon the service provider
exception, where appropriate. Section --.21(d)(2) of the final rules
provides examples of the service provider exception.
Consumer-Initiated Communication Exception
Proposed Sec. --.20(c)(4) provided that the provisions of Subpart
C would not apply to an affiliate using the information to make
solicitations in response to a communication initiated by the consumer.
The proposed rule further clarified that this exception may be
triggered by an oral, electronic, or written communication initiated by
the consumer.
The supplementary information noted that to be covered by the
proposed exception, the use of eligibility information must be
responsive to the communication initiated by the consumer. The
supplementary information also explained that the time period during
which solicitations remain responsive to the consumer's communication
would depend on the facts and circumstances. As illustrated in the
example in proposed Sec. --.20(d)(2)(iii), if a consumer were to call
an affiliate to ask about retail locations and hours, the affiliate
could not use eligibility information to make solicitations to the
consumer about specific products because those solicitations would not
be responsive to the consumer's communication. Conversely, the example
in proposed Sec. --.20(d)(2)(i) illustrated that if the consumer calls
an affiliate to ask about its products or services and provides contact
information, solicitations related to those products or services would
be responsive to the communication and thus permitted under the
exception. Finally, as illustrated by the example in proposed Sec.
--.20(d)(2)(ii), the Agencies also contemplated that a consumer would
not initiate a communication if an affiliate made the initial call and
left a message for the consumer to call back, and the consumer
responded.
Commenters generally supported the text of the proposed consumer-
initiated communication exception. Several commenters, however, urged
the Agencies to either delete the phrase ``orally, electronically, or
in writing'' from the regulation or modify the language to read
``whether orally, electronically, or in writing.'' These commenters
maintained that other means of communication may be used by consumers
in the future and should not be precluded by the regulations. Another
commenter welcomed the reference to oral communications and requested
that the Agencies clarify that electronic communications refers to both
e-mail and facsimile transmissions.
Many industry commenters objected to the statement in the
supplementary information that to qualify for this exception, the use
of eligibility information ``must be responsive'' to the communication
initiated by the consumer. These commenters believed that the concept
of ``responsiveness'' creates a vague, subjective, and narrow standard
that could subject institutions to compliance risk. These commenters
noted that the Agencies did not and could not provide a clear
definition of what would be ``responsive.'' Some of these commenters
noted that consumers may not be familiar with the various types of
products or services available to them and the different affiliates
that offer those products or services and may rely on the institution
to inform them about available options. For this reason, most of these
commenters maintained that the exception should not limit an affiliate
from responding with solicitations about any product or service. Some
of these commenters believed that it would be difficult to monitor
compliance with or to develop scripts for a ``responsiveness'' standard
by customer service representatives. One commenter noted that the
Senate bill used more restrictive language in this exception than the
final bill passed by Congress. Some commenters also objected to the
statement that the time period during which solicitations remain
responsive would depend on the facts and circumstances.
NAAG supported the statement in the supplementary information that,
to qualif