IBA Compliance Connection

Your go to source for compliance!

Are we required to include the option to opt-out in our privacy notice for an affiliated service provider that is 100% owned by our bank holding company? We share credit report information with the affiliate, and they provide us with underwriting services, but we do not share information with them for marketing purposes. If we are required to provide an opt-out notice for our affiliate, do we need to provide a similar opt-out notice for nonaffiliated third-party service providers?

by

admin

Yes, we believe you should be providing customers with notice and an opportunity to opt out under the Fair Credit Reporting Act (FCRA) if you are sharing credit-related information with your affiliate, and this notice and opportunity to opt-out should be included in your privacy notice.

When sharing information from credit reports and credit applications with an affiliate, you should ensure that your privacy notice contains proper notice and an opportunity to opt-out to avoid being treated as a consumer reporting agency under the FCRA (subject to significant oversight and other FCRA requirements).

Note that there is no opt-out exception when sharing information from credit reports with nonaffiliated third parties. Consequently, we do not believe that it is possible to share such information with nonaffiliated third parties without risking being considered a “consumer reporting agency” under the FCRA, even if you provide notice and an opportunity to opt out.

Additionally, the FCRA and Regulation V prohibit affiliates from using a consumer’s “eligibility information” for marketing purposes unless the consumer has been provided a separate notice and an opportunity to opt out. However, since you are not sharing information (and assuming that your affiliate is not using this information) for marketing purposes, this notice and opt-out requirement would not apply.

For resources related to our guidance, please see:

  • FCRA, 15 USC 1681a(f) (“The term ‘consumer reporting agency’ means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.”)
  • FCRA, 15 USC 1681a(d)(1) (“The term ‘consumer report’ means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for— (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 1681b of this title.”)
  • CFPB, FCRA Examination Procedures, page 8 (October 1, 2012) (“Section 603(d) defines a consumer report to include information about a consumer such as that which bears on a consumer’s creditworthiness, character, and capacity among other factors. Communication of this information may cause a person, including a financial institution, to become a consumer reporting agency. The statutory definition contains key exceptions to this definition that enable persons to share this type of information under certain circumstances, without becoming consumer reporting agencies.”)
  • FCRA, 15 USC 1681a(d)(2) (“Except as provided in paragraph (3), the term consumer report’ does not include — (A) subject to section 1681s–3 of this title, any (i) report containing information solely as to transactions or experiences between the consumer and the person making the report; (ii) communication of that information among persons related by common ownership or affiliated by corporate control; or (iii) communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons; . . .”)
  • CFPB, FCRA Examination Procedures, page 8–9 (October 1, 2012) (“Specifically, the term ‘consumer report’ does not include: . . . (3) Communication of other information (for example, other than transaction or experience information) among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information will be communicated among such entities, and before the information is initially communicated, the consumer is given the opportunity to opt out of the communication. This allows a person, such as a financial institution, to share other information (that is, information other than its own transaction and experience information) that could otherwise be a consumer report, without becoming a consumer reporting agency under both of the following circumstances:

a. The sharing of the ‘other’ information is done with affiliates.

b. Consumers are provided with the notice and an opportunity to opt out of this sharing before the information is first communicated among affiliates.

     For example, ‘other’ information can include information a consumer provides on an
     application form concerning accounts with other financial institutions. It can also include
     information a financial institution obtains from a consumer reporting agency, such
     as the consumer’s credit score. If a financial institution shares other information with
     affiliates without providing a notice and an opportunity to opt out, the financial institution
     may become a consumer reporting agency subject to all of the other requirements of the
     FCRA.

     The opt-out right required by this section must be contained in a person’s, such as a financial
     institution’s, Privacy Notice as required by GLBA and its implementing regulations.”)

  • Regulation P, 12 CFR 1016.6(a) (“The initial, annual, and revised privacy notices that you provide under §§ 1016.4, 1016.5, and 1016.8 of this part must include each of the following items of information, in addition to any other information you wish to provide, that applies to you and to the consumers to whom you send your privacy notice: . . . (7) Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates); . . .”)
  • Regulation V, 12 CFR 1022.21(a)(1) (“You may not use eligibility information about a consumer that you receive from an affiliate to make a solicitation for marketing purposes to the consumer, unless: (i) It is clearly and conspicuously disclosed to the consumer in writing or, if the consumer agrees, electronically, in a concise notice that you may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes to the consumer; (ii) The consumer is provided a reasonable opportunity and a reasonable and simple method to ‘opt out,’ or prohibit you from using eligibility information to make solicitations for marketing purposes to the consumer; and (iii) The consumer has not opted out.”)
  • Regulation V, 12 CFR 1022.20(b)(3) (“The term ‘eligibility information’ means any information the communication of which would be a consumer report if the exclusions from the definition of ‘consumer report’ in section 603(d)(2)(A) of the Act did not apply. Eligibility information does not include aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses.”)