Assuming you are talking about privacy disclosures, let's first talk about GLB privacy then about FCRA privacy. Look to the regulatory definitions of consumer and customer, in both the regulation and in the preamble discussion in the Federal Register release for GLB Privacy. You'll find citations and discussion that show that for the purposes of the bank whose name is on the application and card, the card applicant is a consumer. As such, they would be responsible for sending the applicant a copy of their privacy notice, but they would only be required to do so before sharing any nonpublic financial information with a nonaffiliated third party. They would not have an ongoing annual notice requirement. They could also use the short-form privacy notice specified under GLB. The cardholder, however, would be a customer of the servicing bank. As such, the servicing bank is obligated to provide the cardholder with both an initial disclosure by July 1 or at time of account opening if after July 1 and on an annual basis afterward, as long as the account is open.
With regard to FCRA, the issue is trickier because of the differences between the two laws, the lack of a final rule implementing FCRA privacy provisions from the regulators, and the uncertain status of any such rule. As such, under the existing statutes and FTC guidance for FCRA, the branding bank would only have a disclosure and opt-out obligation if they were going to share nonexperiential information that meets the standard of being consumer report information with their affiliates. If they wanted to engage in such sharing, they would first have to disclose this to the card applicant and provide an opportunity to opt-out of this sharing. Similarly, this requirement also applies to the servicing bank, but here the FCRA notice and opt-out can be combined with the required GLB privacy notice.
Hope this helps.
Opinions expressed are my own, and do not necessarily reflect those of my employer.