In general, we recommend that your institution should wait thirty days after providing the opt-out notice before sharing information about your customers with your insurance affiliate for marketing purposes; your bank arguably could start sharing customer information after just twenty days, as discussed below, but this would be at the risk of having to prove that twenty days is “reasonable” under the circumstances.
The Fair Credit Reporting Act (FCRA) requires financial institutions who wish to disclose a consumer’s non-public personal information with affiliated third parties (such as an affiliated home mortgage company) to provide consumers with a “reasonable opportunity” to opt out from this type of disclosure. The FCRA provides a safe harbor in cases where a bank mails an opt-out notice to the consumer and waits thirty days before sharing the consumer’s information with an affiliate. This thirty-day safe harbor also applies when the opt-out notice is provided electronically or when included with your bank’s Gramm–Leach–Bliley Act (GLBA) privacy notice.
In certain cases involving electronic or in-person transactions, where the opt-out notice is provided “at the time” of the transaction, customers may be required to opt-out on the spot, in which case it does not appear that any additional waiting period is necessary before sharing customer information (provided they have not opted-out). However, your bank is providing the opt-out notice with your privacy notice, in which case the thirty-day safe harbor would apply.
However, your bank is not required to abide by the safe harbor and may choose to start sharing customer information before thirty days have passed. When the interagency affiliate marketing rules were published in 2007, the agencies noted that “[a]lthough 30 days is a safe harbor in all cases, a person providing an opt-out notice may decide, at its option, to give consumers more than 30 days in which to decide whether or not to opt out. A shorter waiting period could be adequate in certain situations, depending on the circumstances, in accordance with the general test for a reasonable opportunity to opt out.”
We are not aware of any case law in which a court addressed whether a waiting period shorter than thirty-days was adequate. Consequently, we believe that your bank could impose a waiting period of just twenty days — provided that your bank is comfortable acting outside of the safe harbor and is prepared to justify the shorter waiting period.
For resources related to our guidance, please see:
- Regulation V, 12 CFR 1022.21(a) (“You may not use eligibility information about a consumer that you receive from an affiliate to make a solicitation for marketing purposes to the consumer, unless:
(i) it is clearly and conspicuously disclosed to the consumer in writing . . .
(ii) the consumer is provided a reasonable opportunity to ‘opt out,’ or prohibit you from using eligibility information to make solicitations for marketing purposes to the consumer; and
(iii) and the consumer has not opted out.”)
- Regulation V, 12 CFR 1022.2 (“The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. . . .”)
- Regulation V, 12 CFR 1022.24(b)(5) (“The consumer is given a reasonable opportunity to opt out if: . . . (5) The opt-out notice is included in a Gramm-Leach-Bliley Act privacy notice. The consumer is allowed to exercise the opt-out within a reasonable period of time and in the same manner as the opt-out under that privacy notice.”)
- Regulation V, 12 CFR 1022.24(b)(1) (“The consumer is given a reasonable opportunity to opt out if: (1) By mail. The opt-out notice is mailed to the consumer. The consumer is given 30 days from the date the notice is mailed to elect to opt out by any reasonable means.”)
- Regulation V, 12 CFR 1022.24(b)(2)(i) (“The consumer is given a reasonable opportunity to opt out if: . . . (2) By electronic means. (i) The opt-out notice is provided electronically to the consumer, such as by posting the notice at a Web site at which the consumer has obtained a product or service. The consumer acknowledges receipt of the electronic notice. The consumer is given 30 days after the date the consumer acknowledges receipt to elect to opt out by any reasonable means.”)
- Regulation V, 12 CFR 1022.24(b)(2)(ii) (“The consumer is given a reasonable opportunity to opt out if: . . . (2) By electronic means. . . . (ii) The opt-out notice is provided to the consumer by email where the consumer has agreed to receive disclosures by email from the person sending the notice. The consumer is given 30 days after the email is sent to elect to opt out by any reasonable means.”)
- Regulation V, 12 CFR 1022.24(b)(3) (“The consumer is given a reasonable opportunity to opt out if: . . . (3) At the time of an electronic transaction. The opt-out notice is provided to the consumer at the time of an electronic transaction, such as a transaction conducted on a Web site. The consumer is required to decide, as a necessary part of proceeding with the transaction, whether to opt out before completing the transaction. There is a simple process that the consumer may use to opt out at that time using the same mechanism through which the transaction is conducted.”)
- Regulation V, 12 CFR 1022.24(b)(4) (“The consumer is given a reasonable opportunity to opt out if: . . . (4) At the time of an in-person transaction. The opt-out notice is provided to the consumer in writing at the time of an in-person transaction. The consumer is required to decide, as a necessary part of proceeding with the transaction, whether to opt out before completing the transaction, and is not permitted to complete the transaction without making a choice. There is a simple process that the consumer may use during the course of the in-person transaction to opt out, such as completing a form that requires consumers to write a “yes” or “no” to indicate their opt-out preference or that requires the consumer to check one of two blank check boxes; one that allows consumers to indicate that they want to opt out and one that allows consumers to indicate that they do not want to opt out.”)
- Final Rule, Fair Credit Reporting Affiliate Marketing Regulations, 72 Fed. Reg. 62909, 62934 (November 7, 2007) (“The generally applicable 30-day safe harbor is retained in the final rules. The Agencies believe that providing a generally applicable safe harbor of 30 days is helpful because it affords certainty to entities that choose to follow the 30-day waiting period. Although 30 days is a safe harbor in all cases, a person providing an opt-out notice may decide, at its option, to give consumers more than 30 days in which to decide whether or not to opt out. A shorter waiting period could be adequate in certain situations, depending on the circumstances, in accordance with the general test for a reasonable opportunity to opt out.”)
- Illinois Banking Act, 205 ILCS 5/48.1(b)(6) (“This Section does not prohibit: . . . (6) The exchange in the regular course of business of (i) credit information between a bank and other banks or financial institutions or commercial enterprises, directly or through a consumer reporting agency or (ii) financial records or information derived from financial records between a bank and other banks or financial institutions or commercial enterprises for the purpose of conducting due diligence pursuant to a purchase or sale involving the bank or assets or liabilities of the bank.”)
- Savings Bank Act, 205 ILCS 205/4013(c)(15) (“This Section does not prohibit: . . . (15) The exchange in the regular course of business of information between a savings bank and any commonly owned affiliate of the savings bank, subject to the provisions of the Financial Institutions Insurance Sales Law.”)
- Financial Institutions Insurance Sales Law, 215 ILCS 5/1412 (Requirements for solicitations to loan applicants.)