FCRA - sharing with affiliates

My bank is owned by a holding company which also owns a mortgage company ~ our affiliate. We want the mortgage company to share info. with us for the purposes of generating home equity lines and 2nd mortgages. The bank does NOT intend to share any info. with the mortgage company. Does the bank have to offer an opt-out even though we will not share our information? or will just the mortgage company have to offer the opt-out? And these notices can be (should be) included on our privacy notices, correct?

Each organization must provide notice of its own practices. So if you do not share data about bank customers with your affiliated mortgage company, the FCRA section of the Bank's privacy notice should reflect that fact.

The circumstances surrounding the mortgage company's sharing data with you should also be properly disclosed. If the mortgage co shares data automatically, then an opt-out notice for FCRA compliance should be provided.

When we began the process of identifying our subsidiaries and affiliates last year, I was surprised at the problems I encountered in just trying to understand who everyone was! You probably don't need this reminder, but just in case, make sure you truly understand the affiliate relationship--affiliate, subsidiary or division. A little word makes a big difference in your policies and disclosures.

Karen Sue, I think the most important part of this question is: what, specifically, is being shared?

Under FCRA, you CAN share 'transaction & experience' information WITHOUT opt-out. It's when you share more than that (going in either direction) that opt-out comes into question.

The thing we've been grappling with is how to make a CRM / MCIF system work corporation-wide. For instance, I can share T&E from bank to insurance company without opt-out, but where does basic demographic stuff fall (like date of birth, home phone number, employer, etc.)?

Now, we understand that things we capture from a credit report like credit score or the fact that the customer has a mortgage with Chase can not be shared without opt-out. But what about this stuff that isn't directly addressed under FCRA? Makes the whole corporate-wide CRM system much more difficult to manage.

I guess my best advice is, know what specific information is made available to employees of the different affiliates, and make a determination whether the FCRA opt out applies.