
FCRA

Enter The Banking Agencies
Using the new powers conferred upon them by FinMod (a.k.a. Gramm-Leach-Bliley), the bank regulatory agencies have issued a proposed regulation on information sharing under the Fair Credit Reporting Act. This proposal closely parallels the privacy regulation, making notices and procedures as similar as possible. It is important to remember, however, that when dealing with customer information and sharing that information, there are two regulations to deal with and consider. One won't do the trick. Your privacy program must be based on both regulations.

Process
In order to avoid being a credit reporter subject to the full requirements of FCRA, banks wishing to share information with their affiliates must notify customers of their intent to share and provide the customer with the opportunity to opt out. In short, you can't share information until the notification and opt out process is complete.

Although new as a proposed regulation (for member banks of the Federal Reserve System, it would be Regulation V), the process is not new. It has been in effect for several years since the FCRA was amended to permit sharing. The proposed regulation would provide standards, samples, and procedural guidance.

Reasonable means
Reasonableness is an important part of this proposal. In fact, almost every aspect of the regulation would be measured by reasonableness rather than by an absolute standard. This leaves banks with plenty of latitude to design a process that works efficiently for the bank. But it leaves the bank with the obligation to determine that its processes are reasonable and fair.

The customer must have a reasonable opportunity to opt out. This includes a reasonable period of time to consider the choices, make a decision and respond. It also means that the method you provide to the customer must be reasonable.

The method should be easy for the customer. Giving the customer the ability to make a phone call at the bank's expense is reasonable. Giving the customer a form or response card to fill out and return is reasonable (if it is well and clearly designed). Asking the customer to write a letter on a blank sheet of paper is not reasonable.

Delivery
The proposed regulation specifically provides for both traditional forms of notice delivery - by hand or through the mail - and electronic delivery. The delivery method must be based on a reasonable expectation that the consumer will receive it. Thus, electronic delivery may only be used if the consumer first agrees to that method. Expect this to be the standard for electronic compliance. The proposal specifically contains a statement that oral delivery is not effective. There must be an actual notice. But the notice may be on paper or electronic.

Notice Content
The proposal identifies the elements of information that must be in the notice. An appendix to the proposed regulation also contains a model notice. (Hot tip: Use the model. Don't invent your own notice.)

The actual content of the notice should look very familiar. In fact, it looks a great deal like the privacy regulation. (So does this entire proposal, so don't expect a lot to change.)

Notices should be "clear and conspicuous." A clear and conspicuous notice is one that a reasonable consumer can identify and read without effort. The clear and conspicuous requirement exists to prevent lenders from hiding the notice or making it so complex that customers are effectively discouraged from even reading it, much less exercising their right to opt out.

The notice must explain the categories of opt-out information that you communicate to affiliates, the categories of affiliates, the consumer's ability to opt out, and a reasonable means for opting out. Categories of information include what you gather from the application, from a credit bureau, through verifications, and from third parties. Simply describing categories of information would not be enough. The proposal would require you to also give examples of categories of information, such as credit score, open lines of credit with others, and the like.

Categories of affiliates would also be described. The proposal gives the examples of financial service providers and non-financial companies.

Timing
There are several timing requirements in the proposal. These include the time you must allow the customer to respond and opt out, and the time in which you must implement the customer's opt-out. The timing is "reasonable." The suggested time to meet the "reasonable" standard is 30 days. Whether hand-delivered, mailed, or electronic, the proposal suggests a reasonable (read 30 days) response time. The fundamental measurement is a good faith test. This parallels the typical billing cycle.

The proposal refers to implementing the opt-out request as "honoring" the opt-out. This term makes a statement all by itself: this is not a topic to treat lightly.

The opt-out must be honored within a "reasonable" period of time. We read this to mean two things. First, act to implement the opt-out as soon as it arrives in the bank. Second, don't try to create a window of opportunity for privacy invasion by sharing data before the customer has a genuine opportunity to get an opt-out to you.

How Long?
How long is a customer's opt-out valid? The proposed regulation answers this question clearly: forever. Banks do not have the ability to place any type of time limit on the customer's opt-out. Once a customer opts out, they are out. Unless the customer later changes their mind and opts in, they stay out.

Good Faith Exercise
Remember that provision in the ECOA and Regulation B that prohibits discrimination against customers who in good faith exercise their rights under the Consumer Credit Protection Act? FCRA is part of that Act. Just in case you had forgotten or overlooked that fact, the proposed regulation reminds you.

The proposal specifically identifies the exercise of the right to opt out as an exercise of rights that is protected. In short, you can't treat customers differently simply because they have opted out. In particular, you should not condition credit or set credit terms based on whether the customer has opted out.

Model Notice
The proposal includes a model notice which provides language for making the disclosures and illustrates how to meet certain requirements, such as describing categories of information. The model is there to help. Anyone who doesn't use it is doing things the hard and dangerous way.

What the proposal doesn't do
The proposal does not deal in any way with the recent interpretive letters issued by the Federal Trade Commission. While we may - at some point in the future - see clarification based on those two interpretations, for right now, the rule is that we live with them. Future issuances from the banking agencies may clarify how to obtain FCRA permissions from business customers and how to provide multiple FCRA adverse action notices. But for right now, follow what FTC has said.

ACTION STEPS
  • Review your privacy program accomplishments to date. Consider how the proposed FCRA rule will fit into the program.
  • Review all procedures for obtaining, using, and sharing customer information. Determine how this new regulation will affect your bank.
  • Review any privacy notices you have prepared and compare them to the information elements and content requirements of the FCRA regulation. Save yourself some time and pain and write notices that respond to both regulations.
  • Check your notices against the clear and conspicuous standard. Try out draft notices on family members, friends, and tellers. If they don't understand the notice or if they find it difficult to read, get back to work.
  • Review your fair lending training to be sure that opt-out treatment is covered as a prohibited basis.
Copyright © 2000 Compliance Action. Originally appeared in Compliance Action, Vol. 5, No. 14, 12/00



