In addition to providing the notices mentioned in your question, we recommend reviewing the information provided to your affiliate — if you are sharing credit-related information with your affiliate, you must provide customers with a notice and an opportunity to opt out under the Fair Credit Reporting Act (FCRA).
A financial institution that provides “consumer reports” to an affiliate risks being considered a “consumer reporting agency” subject to significant oversight and requirements under the FCRA. Under the FCRA, a “consumer report” includes any information bearing on a consumer’s creditworthiness and related characteristics used to establish eligibility for credit, insurance, employment, or other defined purposes. However, information shared with affiliates related to a consumer’s transactions and experiences with the bank, such as a customer’s account history, is excluded from the definition of “consumer report” without qualification.
Conversely, “other” information shared with affiliates — that is, information that is not transaction or experience information but still meets the definition of “consumer report” — is excluded from the definition of “consumer report” only if customers receive a notice and an opportunity to opt out (which must be contained in your privacy notice). “Other” information includes information from credit reports and credit applications, such as a consumer’s credit score or information a consumer provides on an application form concerning accounts with other financial institutions. If you are sharing this kind of information with your affiliate, you should ensure that your privacy notice contains proper notice and opt-out to avoid being considered a consumer reporting agency under the FCRA.
Additionally, the FCRA and Regulation V prohibit affiliates from using a consumer’s “eligibility information” for marketing purposes unless the consumer has been provided notice and an opportunity to opt out. However, since you are not sharing information (and assuming that your affiliate is not using this information) for marketing purposes, this notice and opt-out requirement does not apply.
Otherwise, it appears that the notices you are providing will satisfy your responsibilities under Regulation P and RESPA.
As to Regulation P, we note that you are not necessarily required to provide revised privacy notices when establishing a new affiliate relationship, depending on whether your privacy notices already disclose the fact that you are sharing information with your affiliates. While you are required to disclose the categories of affiliates and nonaffiliated third parties to which you disclose nonpublic personal information on your privacy notices, you are not required to list specific affiliates and nonaffiliated third parties. Consequently, the addition of a single affiliate would not trigger the need to send a revised privacy notice — unless you need to revise the disclosure to add affiliates as a category or include notice and an opportunity to opt out under the FCRA as discussed above.
Additionally, we believe that your written affiliated business arrangement notices satisfy your notice responsibilities under RESPA. An affiliated business arrangement will not violate RESPA if customers who are referred are provided with a written affiliated business arrangement disclosure statement, as prescribed in Regulation X.
For resources related to our guidance, please see:
- FCRA, 15 USC 1681a(f) (“The term ‘consumer reporting agency’ means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.”)
- FCRA, 15 USC 1681a(d)(1) (“The term ‘consumer report’ means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for— (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 1681b of this title.”)
- CFPB, FCRA Examination Procedures, page 8 (October 1, 2012) (“Section 603(d) defines a consumer report to include information about a consumer such as that which bears on a consumer’s creditworthiness, character, and capacity among other factors. Communication of this information may cause a person, including a financial institution, to become a consumer reporting agency. The statutory definition contains key exceptions to this definition that enable persons to share this type of information under certain circumstances, without becoming consumer reporting agencies.”)
- FCRA, 15 USC 1681a(d)(2) (“Except as provided in paragraph (3), the term ‘consumer report’ does not include— (A) subject to section 1681s–3 of this title, any— (i) report containing information solely as to transactions or experiences between the consumer and the person making the report; (ii) communication of that information among persons related by common ownership or affiliated by corporate control; or (iii) communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons; . . .”)
- Final Rule, Fair Credit Reporting Affiliate Marketing Regulations, 72 Fed. Reg. 62909, 62915 (November 7, 2007) (“Proposed § _.3(j) defined the term ‘eligibility information’ to mean any information the communication of which would be a consumer report if the exclusions from the definition of ‘consumer report’ in section 603(d)(2)(A) of the FCRA did not apply. As proposed, eligibility information would include a person’s own transaction or experience information, such as information about a consumer’s account history with that person, and ‘other’ information under section 603(d)(2)(A)(iii), such as information from consumer reports or applications.”)
- FTC Advisory Opinion to Novak (September 9, 1998) (“Section 603(d)(2)(A)(i) refers to ‘information solely as to transactions or experiences between the consumer and the person making the report.’ Such ‘transaction or experience’ information includes the length of time the customer has held a credit card issued by the Bank, the number of times the customer has been late in making a payment on such a credit card, and the average monthly balance in the customer’s savings account.”)
- Final Rule, Fair Credit Reporting Affiliate Marketing Regulations, 72 Fed. Reg. 62909, 62910 (November 7, 2007) (“Section 603(d)(2)(A)(iii) of the FCRA provides that a person may communicate ‘other’ information—that is, information that is not transaction or experience information—among its affiliates without becoming a consumer reporting agency if it is clearly and conspicuously disclosed to the consumer that such information may be communicated among affiliates and the consumer is given an opportunity, before the information is communicated, to ‘opt out’ or direct that the information not be communicated among such affiliates, and the consumer has not opted out.”)
- Final Rule, Fair Credit Reporting Affiliate Marketing Regulations, 72 Fed. Reg. 62909, 62911 (November 7, 2007) (“Section 624 governs the use of information by an affiliate, not the sharing of information among affiliates, and thus is distinct from the affiliate sharing opt-out under section 603(d)(2)(A)(iii) of the FCRA. Nevertheless, the affiliate marketing and affiliate sharing opt-outs and the information subject to the two opt-outs overlap to some extent. As noted above, the FCRA allows transaction or experience information to be shared among affiliates without giving the consumer notice and an opportunity to opt out, but provides that ‘other’ information, such as information from credit reports and credit applications, may not be shared among affiliates without giving the consumer notice and an opportunity to opt out. The new affiliate marketing opt-out applies to both transaction or experience information and ‘other’ information. Thus, certain information will be subject to two opt-outs, a sharing opt-out and a marketing use opt-out.”)
- CFPB, FCRA Examination Procedures, page 9 (“For example, ‘other’ information can include information a consumer provides on an application form concerning accounts with other financial institutions. It can also include information a financial institution obtains from a consumer reporting agency, such as the consumer’s credit score.”)
- Regulation P, 12 CFR 1016.6(a) (“The initial, annual, and revised privacy notices that you provide under §§ 1016.4, 1016.5, and 1016.8 of this part must include each of the following items of information, in addition to any other information you wish to provide, that applies to you and to the consumers to whom you send your privacy notice: . . . (7) Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates); . . .”)
- Regulation V, 12 CFR 1022.21(a)(1) (“You may not use eligibility information about a consumer that you receive from an affiliate to make a solicitation for marketing purposes to the consumer, unless: (i) It is clearly and conspicuously disclosed to the consumer in writing or, if the consumer agrees, electronically, in a concise notice that you may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes to the consumer; (ii) The consumer is provided a reasonable opportunity and a reasonable and simple method to “opt out,” or prohibit you from using eligibility information to make solicitations for marketing purposes to the consumer; and (iii) The consumer has not opted out.”)
- Regulation V, 12 CFR 1022.20(b)(3) (“The term ‘eligibility information’ means any information the communication of which would be a consumer report if the exclusions from the definition of ‘consumer report’ in section 603(d)(2)(A) of the Act did not apply. Eligibility information does not include aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses.”)
- Regulation P, 12 CFR 1016.8(a) (“Except as otherwise authorized in this part, you must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that you provided to that consumer under § 1016.4 of this part, unless:
(1) You have provided to the consumer a clear and conspicuous revised notice that accurately describes your policies and practices;
(2) You have provided to the consumer a new opt out notice;
(3) You have given the consumer a reasonable opportunity, before you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and
(4) The consumer does not opt out.”)
- Regulation P, 12 CFR 1016.8(b)(1) (“Except as otherwise permitted by §§ 1016.13, 1016.14, and 1016.15 of this part, you must provide a revised notice before you:
(i) Disclose a new category of nonpublic personal information to any nonaffiliated third party;
(ii) Disclose nonpublic personal information to a new category of nonaffiliated third party; or
(iii) Disclose nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure.”)
- Regulation P, 12 CFR 1016.8(b)(2) (“A revised notice is not required if you disclose nonpublic personal information to a new nonaffiliated third party that you adequately described in your prior notice.”)
- Regulation P, 12 CFR 1016.6(a) (“The initial, annual, and revised privacy notices that you provide under §§ 1016.4, 1016.5, and 1016.8 of this part must include each of the following items of information, in addition to any other information you wish to provide, that applies to you and to the consumers to whom you send your privacy notice: . . . (3) The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those parties to whom you disclose information under §§ 1016.14 and 1016.15 of this part; (4) The categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under §§ 1016.14 and 1016.15; (5) If you disclose nonpublic personal information to a nonaffiliated third party under § 1016.13 (and no other exception in § 1016.14 or § 1016.15 applies to that disclosure), a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted; . . .”)
- Regulation X, 12 CFR 1024.15(b) (“An affiliated business arrangement is not a violation of section 8 of RESPA (12 U.S.C. 2607) and of § 1024.14 if the conditions set forth in this section are satisfied. Paragraph (b)(1) of this section shall not apply to the extent it is inconsistent with section 8(c)(4)(A) of RESPA (12 U.S.C. 2607(c)(4)(A)).
(1) The person making each referral has provided to each person whose business is referred a written disclosure, in the format of the Affiliated Business Arrangement Disclosure Statement set forth in appendix D of this part, of the nature of the relationship (explaining the ownership and financial interest) between the provider of settlement services (or business incident thereto) and the person making the referral and of an estimated charge or range of charges generally made by such provider (which describes the charge using the same terminology, as far as practical, as section L of the HUD-1 settlement statement). . . .”)