Understand the detailed regulations and exceptions for sharing customer information with affiliates and third parties. Learn why, how, and when information is shared, and customers' opt-out options. Stay compliant with GLBA and FCRA requirements.
Sharing Information With Affiliates and Third Parties
F. Jay Meyer
Vice President & Senior Counsel
TD Bank, N.A.
Portland, Maine

Why Share Information?
• To Conduct Customer Transactions
  • With Service Providers or Third Parties
• To Conduct Your Own Business
  • With Attorneys, Auditors or Credit Agencies
• To Market Products and Services
  • With Affiliates, Marketing Service Providers, Joint Marketing Partners or Third Parties
• To Satisfy a Legal Requirement
  • With Regulators, Law Enforcement or Litigants

Do Customers Have a Choice?
• Gramm-Leach-Bliley and Regulation P
  • Routine or Required Sharing With No Opt Out
  • Affiliate Sharing With No Opt Out
  • Some Nonaffiliate Sharing Requires Opt Out
• Fair Credit Reporting Act
  • Some Affiliate Sharing Requires Opt Out
  • Some Affiliate Use of Shared Information to Market Requires Opt Out
• Notice of Privacy Policies
• Opt Out: Chance to Opt Out After Notice

GLBA/Regulation P: Definitions
• Financial Institution
• Consumer
• Customer
• Nonpublic Personal Information
• Affiliate
• Nonaffiliated Third Party
Sources: 15 U.S.C. § 6809, 12 CFR 216.3

Processing and Servicing Transactions: 12 CFR 216.14
No Opt Out Required for:
• Processing Requested Transactions
• Servicing Accounts or Loans
• Insurance Underwriting and Administration
• Enforcing Transactions
• Auditing Transactions
• Secondary Market Sales or Securitization
• Transfer of Receivables or Accounts

Other Uses With No Opt Out: 12 CFR 216.15
No Opt Out Required for Sharing That Is:
• With Consumer Consent
• To Prevent Fraud
• To Resolve Disputes
• To Authorized Consumer Representatives
• To Attorneys or Accountants
• To Consumer Reporting Agencies
• Compulsory (e.g., Subpoena, Regulator)
• For a Merger or Acquisition

Service Providers and Joint Marketing: 12 CFR 216.13
No Opt Out Required for Sharing With:
• Nonaffiliates Performing Services for the Financial Institution
• Financial Institution’s Marketing Providers
• Financial Institutions Jointly Marketing Financial Products or Services by Contract
Account Number Sharing for Marketing Is Restricted by 12 CFR 216.12

Oversight of Service Providers
• Security Program Must Include Oversight of Service Providers: Due Diligence, Contractual Safeguards and Monitoring
• Service Provider Contracts Under 12 CFR 216.13 Must Prohibit Use or Disclosure of Information for Other Purposes
Sources: Interagency Guidelines Establishing Information Security Standards, 12 CFR pts. 30 app. B(III)(D), 208 app. D-2(III)(D); 12 CFR 216.13(a)(ii)

Nonaffiliate Sharing Requires Opt Out Unless Excepted
Except as authorized by Regulation P, a Financial Institution may not disclose Nonpublic Personal Information to a nonaffiliate without notice and a reasonable opportunity to opt out.
• Examples:
  • Marketing of Non-Financial Products
  • Marketing of Financial Products Unless Jointly Offered, Endorsed or Sponsored

GLBA Privacy Notices
• Notices Must Describe Collection, Use and Sharing of Nonpublic Personal Information
• Customers Must Receive Initial, Annual and Revised Privacy Notices
• Consumers Must Receive Notice Before Non-Routine, Non-Compulsory Disclosure
• Simplified Notices Permitted for Consumers, or if Disclosure is Limited to Routine or Compulsory Exceptions

GLBA Opt Out Notices
If Required, Opt Out Notices Must State:
• That Nonpublic Personal Information May Be Disclosed to a Nonaffiliate
• The Consumer has a Right to Opt Out
• A Reasonable Means to Opt Out
Reasonable Means May Include a Reply Form, a Toll-Free Telephone Number, or Electronic Means (If the Consumer Agrees)

Honoring GLBA Opt Outs
• Opt Out May Be Exercised at Any Time
• Opt Out May Be Partial
• No Further Disclosure Subject to Opt Out
• Financial Institution Must Comply With Opt Out As Soon As Reasonably Practicable
• Opt Out Is Effective Until Revoked
• Opt Out Continues for Customer Relationship After Relationship Terminates

FCRA Sharing and Marketing
• Regulates Sharing and Use of Consumer Credit Information (“Consumer Reports”)
• Some “Transaction or Experience” Sharing With Affiliates or Nonaffiliates Is Excepted
• Affiliates May Share “Other Information” With Notice and Opportunity to Opt Out
• FACTA Requires Opt Out for Marketing Use of Information Shared By Affiliates
Sources: 15 U.S.C. §§ 603(d)(1)-(2)(A), 624(a)

FCRA Affiliate Sharing Opt Out
• Affiliates May Share Consumer Report Information Beyond Transactions or Experiences Only With Notice and Opt Out
• Transactions or Experiences Include Balances, Histories, Some Opinions
• Sharing Opt Out Is Distinct From, and Predates, Marketing Use Opt Out
• No Specific Regulation, but May Be Combined With Marketing Use Opt Out

FCRA Marketing Use Opt Out
• Required for Affiliates to Use Shared “Eligibility Information” for Marketing
• Must Provide Reasonable Opportunity and Means to Opt Out (e.g., Mail, Telephone, or Electronic if Agreed, as with GLBA)
• Not Required Annually; Can Be Combined
• Effective for at Least 5 Years, Can Permit Longer or Indefinitely Until Revoked
• After Expiration, Renewal Notice Required

FCRA Opt Out Exceptions
• Marketing to Preexisting Customers
• Marketing on Behalf of an Affiliate If That Affiliate Could Conduct the Marketing
• Responding to Requests or Inquiries
• Marketing With Information Shared Prior to October 1, 2008 (the Compliance Date)