Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

FDIC Law, Regulations, Related Acts

[Table of Contents] [Previous Page] [Next Page] [Search]

2000 - Rules and Regulations



PART 334—FAIR CREDIT REPORTING

Subpart A—General Provisions

Sec.

334.1 Purpose and scope
334.2 Examples.
334.3 Definitions

Subpart B—[Reserved]

Subpart C—Affiliate Marketing

334.20 Coverage and definitions.
334.21 Affiliate marketing opt-out and exceptions.
334.22 Scope and duration of opt-out.
334.23 Contents of opt-out notice; consolidated and equivalent notices.
334.24 Reasonable opportunity to opt out.
334.25 Reasonable and simple methods of opting out.
334.26 Delivery of opt-out notices.
334.27 Renewal of opt-out.
334.28 Effective date, compliance date, and prospective application.

Subpart D—Medical Information

334.30 Obtaining or using medical information in connection with a determination of eligibility for credit.
334.31 Limits on redisclosure of information.
334.32 Sharing medical information with affiliates.

Subpart E—Duties of Furnishers of Information

334.40 Scope
334.41 Definitions.
334.42 Reasonable policies and procedures concerning the accuracy and integrity of furnished information.
334.43 Direct Disputes.

Subpart F–H—[Reserved]

Subpart I—Duties of Users of Consumer Reports Regarding Identify Thefts

334.80—334.81   [Reserved]
334.82 Duties of users regarding address discrepancies.
334.83 Disposal of consumer information.

Subpart J—Identity Theft Red Flags

334.90 Duties regarding the detection, prevention, and mitigation of identity theft.
334.91 Duties of card issuers regarding changes of address.

Appendix A–B [Reserved]

Appendix C to Part 334—Model Forms for Opt-Out Notices.

Appendix D–I [Reserved]

Appendix J to Part 334—Interagency Guide.

AUTHORITY:  12 U.S.C. 1818 1819(Tenth) and 1831p--1; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s--3, 1681t, 1681w, 6801 and 6805, Pub. L. 108--159, 117 Stat. 1952.

SOURCE:  The provisions of this Part 334 appear at 69 Fed. Reg. 77618, December 28, 2004, effective July 1, 2005, and 70 Fed. Reg. 70685, November 22, 2005, effective date of the interim final rule published on June 10, 2005 (70 FR 33958) is delayed until April 1, 2006, the amendments in this final rule are effective April 1, 2006 except as otherwise noted.

Subpart A—General Provisions

§ 334.1  Purpose and scope.

(a)  Purpose. The purpose of this part is to implement the Fair Credit Reporting Act. This part generally applies to persons that obtain and use information about consumers to determine the consumer's eligibility for products, services, or employment, share such information among affiliates, and furnish information to consumer reporting agencies.

(b)  Scope. Except as otherwise provided in this part, the regulations in this part apply to insured state nonmember banks, insured state licensed branches of foreign banks, and subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

[Codified to 12, C.F.R. § 334.1]

[Section 334.1 added at 72 Fed. Reg. 62963, November 7, 2007, effective January 1, 2008, mandatory compliance date is October 1, 2008]

§ 334.2  Examples.

The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. Examples in a paragraph illustrate only the issue described in the paragraph and do not illustrate any other issue that may arise in this part.

§ 334.3  Definitions.

For purposes of this part, unless explicitly stated otherwise:

(a)  Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).

(b)  Affiliate means any company that is related by common ownership or common corporate control with another company.

(c)  [Reserved]

(d)  Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.

(e)  Consumer means an individual.

(f)  [Reserved]

(g)  [Reserved]

(h)  [Reserved]

(i)  Common ownership or common corporate control means a relationship between two companies under which:

(1)  One company has, with respect to the other company:

(i)  Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, directly or indirectly, or acting through one or more other persons;

(ii)  Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of a company; or

(iii)  The power to exercise, directly or indirectly, a controlling influence over the management or policies of a company, as the FDIC determines; or

(2)  Any other person has, with respect to both companies, a relationship described in paragraphs (i)(1)(i)--(i)(1)(iii) of this section.

(j)  [Reserved]

(k)  Medical information means:

(1)  Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to--

(i)  The past, present, or future physical, mental, or behavioral health or condition of an individual;

(ii)  The provision of health care to an individual; or

(iii)  The payment for the provision of health care to an individual.

(2)  The term does not include:

(i)  The age or gender of a consumer;

(ii)  Demographic information about the consumer, including a consumer's residence address or e-mail address;

(iii)  Any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy; or

(iv)  Information that does not identify a specific consumer.

(l)  Person means any individual, partnership, corporation, trust, estate cooperative, association, government or governmental subdivision or agency, or other entity.

[Codified to 12 C.F.R. § 334.3]

[Section 334.3 amended at 72 Fed. Reg. 63760, November 9, 2007, effective January 1, 2008, the mandatory compliance date is November 1, 2008]


Subpart B—[Reserved]

Subpart C—Affiliate Marketing

§ 334.20  Coverage and definitions.

(a)  Coverage. Subpart C of this part applies to insured state nonmember banks, insured state licensed branches of foreign banks, and subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

(b)  Definitions. For purposes of this subpart:

(1)  Clear and conspicuous. The term "clear and conspicuous" means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(2)  Concise.(i)  In general. The term "concise" means a reasonably brief expression or statement.

(ii)  Combination with other required disclosures. A notice required by this subpart may be concise even if it is combined with other disclosures required or authorized by federal or state law.

(3)  Eligibility information. The term "eligibility information" means any information the communication of which would be a consumer report if the exclusions from the definition of "consumer report" in section 603(d)(2)(A) of the Act did not apply. Eligibility information does not include aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses.

(4)  Pre-existing business relationship. (i)  In general. The term "pre-existing business relationship" means a relationship between a person, or a person's licensed agent, and a consumer based on--

(A)  A financial contract between the person and the consumer which is in force on the date on which the consumer is sent a solicitation covered by this subpart;

(B)  The purchase, rental, or lease by the consumer of the person's goods or services, or a financial transaction (including holding an active account or a policy in force or having another continuing relationship) between the consumer and the person, during the 18-month period immediately preceding the date on which the consumer is sent a solicitation covered by this subpart; or

(C)  An inquiry or application by the consumer regarding a product or service offered by that person during the three-month period immediately preceding the date on which the consumer is sent a solicitation covered by this subpart.

(ii)  Examples of pre-existing business relationships. (A) If a consumer has a time deposit account, such as a certificate of deposit, at a depository institution that is currently in force, the depository institution has a pre-existing business relationship with the consumer and can use eligibility information it receives from its affiliates to make solicitations to the consumer about its products or services.

(B)  If a consumer obtained a certificate of deposit from a depository institution, but did not renew the certificate at maturity, the depository institution has a pre-existing business relationship with the consumer and can use eligibility information it receives from its affiliates to make solicitations to the consumer about its products or services for 18 months after the date of maturity of the certificate of deposit.

(C)  If a consumer obtains a mortgage, the mortgage lender has a pre-existing business relationship with the consumer. If the mortgage lender sells the consumer's entire loan to an investor, the mortgage lender has a pre-existing business relationship with the consumer and can use eligibility information it receives from its affiliates to make solicitations to the consumer about its products or services for 18 months after the date it sells the loan, and the investor has a pre-existing business relationship with the consumer upon purchasing the loan. If, however, the mortgage lender sells a fractional interest in the consumer's loan to an investor but also retains an ownership interest in the loan, the mortgage lender continues to have a pre-existing business relationship with the consumer, but the investor does not have a pre-existing business relationship with the consumer. If the mortgage lender retains ownership of the loan, but sells ownership of the servicing rights to the consumer's loan, the mortgage lender continues to have a pre-existing business relationship with the consumer. The purchaser of the servicing rights also has a pre-existing business relationship with the consumer as of the date it purchases ownership of the servicing rights, but only if it collects payments from or otherwise deals directly with the consumer on a continuing basis.

(D)  If a consumer applies to a depository institution for a product or service that it offers, but does not obtain a product or service from or enter into a financial contract or transaction with the institution, the depository institution has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services for three months after the date of the application.

(E)  If a consumer makes a telephone inquiry to a depository institution about its products or services and provides contact information to the institution, but does not obtrain a product or service from or enter into a financial contract or transaction with the institution, the depository institution has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services for three months after the date of the inquiry.

(F)  If a consumer makes an inquiry to a depository institution by e-mail about its products or services, but does not obtain a product or service from or enter into a financial contract or transaction with the institution, the depository institution has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services for three months after the date of the inquiry.

(G)  If a consumer has an existing relationship with a depository institution that is part of a group of affiliated companies, makes a telephone call to the centralized call center for the group of affiliated companies to inquire about products or services offered by the insurance affiliate, and provides contact information to the call center, the call constitutes an inquiry to the insurance affiliate that offers those products or services. The insurance affiliate has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from its affiliated depository institution to make solicitations to the consumer about its products or services for three months after the date of the inquiry.

(iii)  Examples where no pre-existing business relationship is created. (A)  If a consumer makes a telephone call to a centralized call center for a group of affiliated companies to inquire about the consumer's existing account at a depository institution, the call does not constitute an inquiry to any affiliate other than the depository institution that holds the consumer's account and does not establish a pre-existing business relationship between the consumer and any affiliate of the account-holding depository institution.

(B)  If a consumer who has a deposit account with a depository institution makes a telephone call to an affiliate of the institution to ask about the affiliate's retail locations and hours, but does not make an inquiry about the affiliate's products or services, the call does not constitute an inquiry and does not establish a pre-existing business relationship between the consumer and the affiliate. Also, the affiliate's capture of the consumer's telephone number does not constitute an inquiry and does not establish a pre-existing business relationship between the consumer and the affiliate.

(C)  If a consumer makes a telephone call to a depository institution in response to an advertisement that offers a free promotional item to consumers who call a toll-free number, but the advertisement does not indicate that the depository institution's products or services will be marketed to consumers who call in response, the call does not create a pre-existing business relationship between the consumer and the depository institution because the consumer has not made an inquiry about a product or service offered by the institution, but has merely responded to an offer for a free promotional item.

(5)  Solicitation.(i)  In general. The term "solicitation" means the marketing of a product or service initiated by a person to a particular consumer that is--

(A)  Based on eligibility information communicated to that person by its affiliate as described in this subpart; and

(B)  Intended to encourage the consumer to purchase or obtain such product or service.

(ii)  Exclusion of marketing directed at the general public. A solicitation does not include marketing communications that are directed at the general public. For example, television, general circulation magazine, and billboard advertisements do not constitute solicitations, even if those communications are intended to encourage consumers to purchase products and services from the person initiating the communications.

(iii)  Examples of solicitations. A solicitation would include, for example, a telemarketing call, direct mail, e-mail, or other form of marketing communication directed to a particular consumer that is based on eligibility information received from an affiliate.

(6)  You means a person described in paragraph (a) of this section.

[Codified to 12 C.F.R. § 334.20]

[Section 334.20 added at 72 Fed. Reg. 62965, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]

§ 334.21  Affiliate marketing opt-out and exceptions.

(a)  Initial notice and opt-out requirement.  (1)  In general. You may not use eligibility information about a consumer that you receive from an affiliate to make a solicitation for marketing purposes to the consumer, unless--

(i)  It is clearly and conspicuously disclosed to the consumer in writing or, if the consumer agrees, electronically, in a concise notice that you may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes to the consumer;

(ii)  The consumer is provided a reasonable opportunity and a reasonable and simple method to "opt out," or prohibit you from using eligibility information to make solicitations for marketing purposes to the consumer; and

(iii)  The consumer has not opted out.

(2)  Example. A consumer has a homeowner's insurance policy with an insurance company. The insurance company furnishes eligibility information about the consumer to its affiliated depository institution. Based on that eligibility information, the depository institution wants to make a solicitation to the consumer about its home equity loan products. The depository institution does not have a pre-existing business relationship with the consumer and none of the other exceptions apply. The depository institution is prohibited from using eligibility information received from its insurance affiliate to make solicitations to the consumer about its home equity loan products unless the consumer is given a notice and opportunity to opt out and the consumer does not opt out.

(3)  Affiliates who may provide the notice. The notice required by this paragraph must be provided:

(i)  By an affiliate that has or has previously had a pre-existing business relationship with the consumer; or

(ii)  As part of a joint notice from two or more members of an affiliated group of companies, provided that at least one of the affiliates on the joint notice has or has previously had a pre-existing business relationship with the consumer.

(b)  Making solicitations.  (1)  In general. For purposes of this subpart, you make a solicitation for marketing purposes if--

(i)  You receive eligibility information from an affiliate;

(ii)  You use that eligibility information to do one or more of the following:

(A)  Identify the consumer or type of consumer to receive a solicitation;

(B)  Establish criteria used to select the consumer to receive a solicitation; or

(C)  Decide which of your products or services to market to the consumer or tailor your solicitation to that consumer; and

(iii)  As a result of your use of the eligibility information, the consumer is provided a solicitation.

(2)  Receiving eligibility information from an affiliate, including through a common database. You may receive eligibility information from an affiliate in various ways, including when the affiliate places that information into a common database that you may access.

(3)  Receipt or use of eligibility information by your service provider. Except as provided in paragraph (b)(5) of this section, you receive or use an affiliate's eligibility information if a service provider acting on your behalf (whether an affiliate or a nonaffiliated third party) receives or uses that information in the manner described in paragraphs (b)(1)(i) or (b)(1)(ii) of this section. All relevant facts and circumstances will determine whether a person is acting as your service provider when it receives or uses an affiliate's eligibility information in connection with marketing your products and services.

(4)  Use by an affiliate of its own eligibility information. Unless you have used eligibility information that you receive from an affiliate in the manner described in paragraph (b)(1)(ii) of this section, you do not make a solicitation subject to this subpart if your affiliate:

(i)  Uses its own eligibility information that it obtained in connection with a pre-existing business relationship it has or had with the consumer to market your products or services to the consumer; or

(ii)  Directs its service provider to use the affiliate's own eligibility information that it obtained in connection with a pre-existing business relationship it has or had with the consumer to market your products or services to the consumer, and you do not communicate directly with the service provider regarding that use.

(5)  Use of eligibility information by a service provider. (i)  In general. You do not make a solicitation subject to Subpart C of this part if a service provider (including an affiliated or third-party service provider that maintains or accesses a common database that you may access) receives eligibility information from your affiliate that your affiliate obtained in connection with a pre-existing business relationship it has or had with the consumer and uses that eligibility information to market your products or services to the consumer, so long as--

(A)  Your affiliate controls access to and use of its eligibility information by the service provider (including the right to establish the specific terms and conditions under which the service provider may use such information to market your products or services);

(B)  Your affiliate establishes specific terms and conditions under which the service provider may access and use the affiliate's eligibility information to market your products and services (or those of affiliates generally) to the consumer, such as the identity of the affiliated companies whose products or services may be marketed to the consumer by the service provider, the types of products or services of affiliated companies that may be marketed, and the number of times the consumer may receive marketing materials, and periodically evaluates the service provider's compliance with those terms and conditions;

(C)  Your affiliate requires the service provider to implement reasonable policies and procedures designed to ensure that the service provider uses the affiliate's eligibility information in accordance with the terms and conditions established by the affiliate relating to the marketing of your products or services;

(D)  Your affiliate is identified on or with the marketing materials provided to the consumer; and

(E)  You do not directly use your affiliate's eligibility information in the manner described in paragraph (b)(1)(ii) of this section.

(ii)  Writing requirements. (A) The requirements of paragraphs (b)(5)(i)(A) and (C) of this section must be set forth in a written agreement between your affiliate and the service provider; and

(B)  The specific terms and conditions established by your affiliate as provided in paragraph (b)(5)(i)(B) of this section must be set forth in writing.

(6)  Examples of making solicitations. (i)  A consumer has a deposit account with a depository institution, which is affiliated with an insurance company. The insurance company receives eligibility information about the consumer from the depository institution. The insurance company uses that eligibility information to identify the consumer to receive a solicitation about insurance products, and, as a result, the insurance company provides a solicitation to the consumer about its insurance products. Pursuant to paragraph (b)(1) of this section, the insurance company has made a solicitation to the consumer.

(ii)  The same facts as in the example in paragraph (b)(6)(i) of this section, except that after using the eligibility information to identify the consumer to receive a solicitation about insurance products, the insurance company asks the depository institution to send the solicitation to the consumer and the depository institution does so. Pursuant to paragraph (b)(1) of this section, the insurance company has made a solicitation to the consumer because it used eligibility information about the consumer that it received from an affiliate to identify the consumer to receive a solicitation about its products or services, and, as a result, a solicitation was provided to the consumer about the insurance company's products.

(iii)  The same facts as in the example in paragraph (b)(6)(i) of this section, except that eligibility information about consumers that have deposit accounts with the depository institution is placed into a common database that all members of the affiliated group of companies may independently access and use. Without using the depository institution's eligibility information, the insurance company develops selection criteria and provides those criteria, marketing materials, and related instructions to the depository institution. The depository institution reviews eligibility information about its own consumers using the selection criteria provided by the insurance company to determine which consumers should receive the insurance company's marketing materials and sends marketing materials about the insurance company's products to those consumers. Even though the insurance company has received eligibility information through the common database as provided in paragraph (b)(2) of this section, it did not use that information to identify consumers or establish selection criteria; instead, the depository institution used its own eligibility information. Therefore, pursuant to paragraph (b)(4)(i) of this section, the insurance company has not made a solicitation to the consumer.

(iv)  The same facts as in the example in paragraph (b)(6)(iii) of this section, except that the depository institution provides the insurance company's criteria to the depository institution's service provider and directs the service provider to use the depository institution's eligibility information to identify depository institution consumers who meet the criteria and to send the insurance company's marketing materials to those consumers. The insurance company does not communicate directly with the service provider regarding the use of the depository institution's information to market its products to the depository institution's consumers. Pursuant to paragraph (b)(4)(ii) of this section, the insurance company has not made a solicitation to the consumer.

(v)  An affiliated group of companies includes a depository institution, an insurance company, and a service provider. Each affiliate in the group places information about its consumers into a common database. The service provider has access to all information in the common database. The depository institution controls access to and use of its eligibility information by the service provider. This control is set forth in a written agreement between the depository institution and the service provider. The written agreement also requires the service provider to establish reasonable policies and procedures designed to ensure that the service provider uses the depository institution's eligibility information in accordance with specific terms and conditions established by the depository institution relating to the marketing of the products and services of all affiliates, including the insurance company. In a separate written communication, the depository institution specifies the terms and conditions under which the service provider may use the depository institution's eligibility information to market the insurance company's products and services to the depository institution's consumers. The specific terms and conditions are: a list of affiliated companies (including the insurance company) whose products or services may be marketed to the depository institution's consumers by the service provider; the specific products or types of products that may be marketed to the depository institution's consumers by the service provider; the categories of eligibility information that may be used by the service provider in marketing products or services to the depository institution's consumers; the types or categories of the depository institution's consumers to whom the service provider may market products or services of depository institution affiliates; the number and/or types of marketing communications that the service provider may send to the depository institution's consumers; and the length of time during which the service provider may market the products or services of the depository institution's affiliates to its consumers. The depository institution periodically evaluates the service provider's compliance with these terms and conditions. The insurance company asks the service provider to market insurance products to certain consumers who have deposit accounts with the depository institution. Without using the depository institution's eligibility information, the insurance company develops selection criteria and provides those criteria, marketing materials, and related instructions to the service provider. The service provider uses the depository institution's eligibility information from the common database to identify the depository institution's consumers to whom insurance products will be marketed. When the insurance company's marketing materials are provided to the identified consumers, the name of the depository institution is displayed on the insurance marketing materials, an introductory letter that accompanies the marketing materials, an account statement that accompanies the marketing materials, or the envelope containing the marketing materials. The requirements of paragraph (b)(5) of this section have been satisfied, and the insurance company has not made a solicitation to the consumer.

(vi)  The same facts as in the example in paragraph (b)(6)(v) of this section, except that the terms and conditions permit the service provider to use the depository institution's eligibility information to market the products and services of other affiliates to the depository institution's consumers whenever the service provider deems it appropriate to do so. The service provider uses the depository institution's eligibility information in accordance with the discretion afforded to it by the terms and conditions. Because the terms and conditions are not specific, the requirements of paragraph (b)(5) of this section have not been satisfied.

(c)  Exceptions. The provisions of this subpart do not apply to you if you use eligibility information that you receive from an affiliate:

(1)  To make a solicitation for marketing purposes to a consumer with whom you have a pre-existing business relationship;

(2)  To facilitate communications to an individual for whose benefit you provide employee benefit or other services pursuant to a contract with an employer related to and arising out of the current employment relationship or status of the individual as a participant or beneficiary of an employee benefit plan;

(3)  To perform services on behalf of an affiliate, except that this subparagraph shall not be construed as permitting you to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation as a result of the election of the consumer to opt out under this subpart;

(4)  In response to a communication about your products or services initiated by the consumer;

(5)  In response to an authorization or request by the consumer to receive solicitations; or

(6)  If your compliance with this subpart would prevent you from complying with any provision of State insurance laws pertaining to unfair discrimination in any State in which you are lawfully doing business.

(d)  Examples of exceptions.  (1)  Example of the pre-existing business relationship exception. A consumer has a deposit account with a depository institution. The consumer also has a relationship with the depository institution's securities affiliate for management of the consumer's securities portfolio. The depository institution receives eligibility information about the consumer from its securities affiliate and uses that information to make a solicitation to the consumer about the depository institution's wealth management services. The depository institution may make this solicitation even if the consumer has not been given a notice and opportunity to opt out because the depository institution has a pre-existing business relationship with the consumer.

(2)  Examples of service provider exception.(i)  A consumer has an insurance policy issued by an insurance company. The insurance company furnishes eligibility information about the consumer to its affiliated depository institution. Based on that eligibility information, the depository institution wants to make a solicitation to the consumer about its deposit products. The depository institution does not have a pre-existing business relationship with the consumer and none of the other exceptions in paragraph (c) of this section apply. The consumer has been given an opt-out notice and has elected to opt out of receiving such solicitations. The depository institution asks a service provider to send the solicitation to the consumer on its behalf. The service provider may not send the solicitation on behalf of the depository institution because, as a result of the consumer's opt-out election, the depository institution is not permitted to make the solicitation.

(ii)  The same facts as in paragraph (d)(2)(i) of his section, except the consumer has been given an opt-out notice, but has not elected to opt out. The depository institution asks a service provider to send the solicitation to the consumer on its behalf. The service provider may send the solicitation on behalf of the depository institution because, as a result of the consumer's not opting out, the depository institution is permitted to make the solicitation.

(3)  Examples of consumer-initiated communications.(i)  A consumer who has a deposit account with a depository institution initiates a communication with the depository institution's credit card affiliate to request information about a credit card. The credit card affiliate may use eligibility information about the consumer it obtains from the depository institution or any other affiliate to make solicitations regarding credit card products in response to the consumer-initiated communication.

(ii)  A consumer who has a deposit account with a depository institution contacts the institution to request information about how to save and invest for a child's college education without specifying the type of product in which the consumer may be interested. Information about a range of different products or services offered by the depository institution and one or more affiliates of the institution may be responsive to that communication. Such products or services may include the following: Mutual funds offered by the institution's mutual fund affiliate; section 529 plans offered by the institution, its mutual fund affiliate, or another securities affiliate; or trust services offered by a different financial institution in the affiliated group. Any affiliate offering investment products or services that would be responsive to the consumer's request for information about saving and investing for a child's college education may use eligibility information to make solicitations to the consumer in response to this communication.

(iii)  A credit card issuer makes a marketing call to the consumer without using eligibility information received from an affiliate. The issuer leaves a voice-mail message that invites the consumer to call a toll-free number to apply for the issuer's credit card. If the consumer calls the toll-free number to inquire about the credit card, the call is a consumer-initiated communication about a product or service that the credit card issuer may now use eligibility information it receives from its affiliates to make solicitations to the consumer.

(iv)  A consumer calls a depository institution to ask about retail locations and hours, but does not request information about products or services. The institution may not use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services because the consumer-initiated communication does not relate to the depository institution's products or services. Thus, the use of eligibility information received from an affiliate would not be responsive to the communication and the exception does not apply.

(v)  A consumer calls a depository institution to ask about retail locations and hours. The customer service representative asks the consumer if there is a particular product or service about which the consumer is seeking information. The consumer responds that the consumer wants to stop in and find out about certificates of deposit. The customer service representative offers to provide that information by telephone and mail additional information and application materials to the consumer. The consumer agrees and provides or confirms contact information for receipt of the materials to be mailed. The depository institution may use eligibility information it receives from an affiliate to make solicitations to the consumer about certificates of deposit because such solicitations would respond to the consumer-initiated communication about products or services.

(4)  Examples of consumer authorization or request for solicitations. (i) A consumer who obtains a mortgage from a mortgage lender authorizes or requests information about homeowner's insurance offered by the mortgage lender's insurance affiliate. Such authorization or request, whether given to the mortgage lender or to the insurance affiliate, would permit the insurance affiliate to use eligibility information about the consumer it obtains from the mortgage lender or any other affiliate to make solicitations to the consumer about homeowner's insurance.

(ii)  A consumer completes an online application to apply for a credit card from a credit card issuer. The issuer's online application contains a blank check box that the consumer may check to authorize or request information from the credit card issuer's affiliates. The consumer checks the box. The consumer has authorized or requested solicitations from the card issuer's affiliates.

(iii)  A consumer completes an online application to apply for a credit card from a credit card issuer. The issuer's online application contains a pre-selected check box indicating that the consumer authorizes or requests information from the issuer's affiliates. The consumer does not deselect the check box. The consumer has not authorized or requested solicitations from the card issuer's affiliates.

(iv)  The terms and conditions of a credit card account agreement contain preprinted boilerplate language stating that by applying to open an account the consumer authorizes or requests to receive solicitations from the credit card issuer's affiliates. The consumer has not authorized or requested solicitations from the card issuer's affiliates.

(e)  Relation to affiliate-sharing notice and opt-out. Nothing in this subpart limits the responsibility of a person to comply with the notice and opt-out provisions of section 603(d)(2)(A)(iii) of the Act where applicable.

[Codified to 12 C.F.R. § 334.21]

[Section 334.21 added at 72 Fed. Reg. 62965, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]

§ 334.22  Scope and duration of opt-out.

(a)  Scope of opt-out.  (1)  In general. Except as otherwise provided in this section, the consumer's election to opt out prohibits any affiliate covered by the opt-out notice from using eligibility information received from another affiliate as described in the notice to make solicitations to the consumer.

(2)  Continuing relationship.(i)  In general. If the consumer establishes a continuing relationship with you or your affiliate, an opt-out notice may apply to eligibility information obtained in connection with--

(A)  A single continuing relationship or multiple continuing relationships that the consumer establishes with you or your affiliates, including continuing relationships established subsequent to delivery of the opt-out notice, so long as the notice adequately describes the continuing relationships covered by the opt-out; or

(B)  Any other transaction between the consumer and you or your affiliates as described in the notice.

(ii)  Examples of continuing relationships. A consumer has a continuing relationship with you or your affiliate if the consumer--

(A)  Opens a deposit or investment account with you or your affiliate;

(B)  Obtains a loan for which you or your affiliate owns the servicing rights;

(C)  Purchases an insurance product from you or your affiliate;

(D)  Holds an investment product through you or your affiliate, such as when you act or your affiliate acts as a custodian for securities or for assets in an individual retirement arrangement;

(E)  Enters into an agreement or understanding with you or your affiliate whereby you or your affiliate undertakes to arrange or broker a home mortgage loan for the consumer;

(F)  Enters into a lease of personal property with you or your affiliate; or

(G)  Obtains financial, investment, or economic advisory services from you or your affiliate for a fee.

(3)  No continuing relationship.(i)  In general. If there is no continuing relationship between a consumer and you or your affiliate, and you or your affiliate obtain eligibility information about a consumer in connection with a transaction with the consumer, such as an isolated transaction or a credit application that is denied, an opt-out notice provided to the consumer only applies to eligibility information obtained in connection with that transaction.

(ii)  Examples of isolated transactions. An isolated transaction occurs if--

(A)  The consumer uses your or your affiliate's ATM to withdraw cash from an account at another financial institution; or

(B)  You or your affiliate sells the consumer a cashier's check or money order, airline tickets, travel insurance, or traveler's checks in isolated transactions.

(4)  Menu of alternatives. A consumer may be given the opportunity to choose from a menu of alternatives when electing to prohibit solicitations, such as by electing to prohibit solicitations from certain types of affiliates covered by the opt-out notice but not other types of affiliates covered by the notice, electing to prohibit solicitations based on certain types of eligibility information but not other types of eligibility information, or electing to prohibit solicitations by certain methods of delivery but not other methods of delivery. However, one of the alternatives must allow the consumer to prohibit all solicitations from all of the affiliates that are covered by the notice.

(5)  Special rule for a notice following termination of all continuing relationships.  (i)  In general. A consumer must be given a new opt-out notice if, after all continuing relationships with you or your affiliate(s) are terminated, the consumer subsequently establishes another continuing relationship with you or your affiliate(s) and the consumer's eligibility information is to be used to make a solicitation. The new opt-out notice must apply, at a minimum, to eligibility information obtained in connection with the new continuing relationship. Consistent with paragraph (b) of this section, the consumer's decision not to opt out after receiving the new opt-out notice would not override a prior opt-out election by the consumer that applies to eligibility information obtained in connection with a terminated relationship, regardless of whether the new opt-out notice applies to eligibility information obtained in connection with the terminated relationship.

(ii)  Example. A consumer has a checking account with a depository institution that is part of an affiliated group. The consumer closes the checking account. One year after closing the checking account, the consumer opens a savings account with the same depository institution. The consumer must be given a new notice and opportunity to opt out before the depository institution's affiliates may make solicitations to the consumer using eligibility information obtained by the depository institution in connection with the new savings account relationship, regardless of whether the consumer opted out in connection with the checking account.

(b)  Duration of opt-out. The election of a consumer to opt out must be effective for a period of at least five years (the "opt-out period") beginning when the consumer's opt out election is received and implemented, unless the consumer subsequently revokes the opt-out in writing or, if the consumer agrees, electronically. An opt-out period of more than five years may be established, including an opt-out period that does not expire unless revoked by the consumer.

(c)  Time of opt-out. A consumer may opt out at any time.

[Codified to 12 C.F.R. § 334.22]

[Section 334.22 added at 72 Fed. Reg. 62968, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]

§ 334.23  Contents of opt-out notice; consolidated and equivalent notices.

(a)  Contents of opt-out notice.  (1)  In general. A notice must be clear, conspicuous, and concise, and must accurately disclose:

(i)  The name of the affiliate(s) providing the notice. If the notice is provided jointly by multiple affiliates and each affiliate shares a common name, such as "ABC," then the notice may indicate that it is being provided by multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by "all of the ABC companies," "the ABC banking, credit card, insurance, and securities companies," or by listing the name of each affiliate providing the notice. But if the affiliates providing the joint notice do not all share a common name, then the notice must either separately identify each affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice is provided by "all of the ABC and XYZ companies" or by "the ABC banking and credit card companies and the XYZ insurance companies";

(ii)  A list of the affiliates or types of affiliates whose use of eligibility information is covered by the notice, which may include companies that become affiliates after the notice is provided to the consumer. If each affiliate covered by the notice shares a common name, such as "ABC," then the notice may indicate that it applies to multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by "all of the ABC companies," "the ABC banking, credit card, insurance, and securities companies," or by listing the name of each affiliate providing the notice. But if the affiliates covered by the notice do not all share a common name, then the notice must either separately identify each covered affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice applies to "all of the ABC and XYZ companies" or to "the ABC banking and credit card companies and the XYZ insurance companies";

(iii)  A general description of the types of eligibility information that may be used to make solicitations to the consumer;

(iv)  That the consumer may elect to limit the use of eligibility information to make solicitations to the consumer;

(v)  That the consumer's election will apply for the specified period of time stated in the notice and, if applicable, that the consumer will be allowed to renew the election once that period expires;

(vi)  If the notice is provided to consumers who may have previously opted out, such as if a notice is provided to consumers annually, that the consumer who has chosen to limit solicitations does not need to act again until the consumer receives a renewal notice; and

(vii)  A reasonable and simple method for the consumer to opt out.

(2)  Joint relationships.  (i)  If two or more consumers jointly obtain a product or service, a single opt-out notice may be provided to the joint consumers. Any of the joint consumers may exercise the right to opt out.

(ii)  The opt-out notice must explain how an opt-out direction by a joint consumer will be treated. An opt-out direction by a joint consumer may be treated as applying to all of the associated joint consumers, or each joint consumer may be permitted to opt out separately. If each joint consumer is permitted to opt out separately, one of the joint consumers must be permitted to opt out on behalf of all of the joint consumers and the joint consumers must be permitted to exercise their separate rights to opt out in a single response.

(iii)  It is impermissible to require all joint consumers to opt out before implementing any opt-out direction.

(3)  Alternative contents. If the consumer is afforded a broader right to opt out of receiving marketing than is required by this subpart, the requirements of this section may be satisfied by providing the consumer with a clear, conspicuous, and concise notice that accurately discloses the consumer's opt-out rights.

(4)  Model notices. Model notices are provided in Appendix C of this part.

(b)  Coordinated and consolidated notices. A notice required by this subpart may be coordinated and consolidated with any other notice or disclosure required to be issued under any other provision of law by the entity providing the notice, including but not limited to the notice described in section 603(d)(2)(A)(iii) of the Act and the Gramm-Leach-Bliley Act privacy notice.

(c)  Equivalent notices. A notice or other disclosure that is equivalent to the notice required by this subpart, and that is provided to a consumer together with disclosures required by any other provision of law, satisfies the requirements of this section.

[Codified to 12 C.F.R. § 334.23]

[Section 334.23 added at 72 Fed. Reg. 62969, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]

§ 334.24  Reasonable opportunity to opt out.

(a)  In general. You must not use eligibility information about a consumer that you receive from an affiliate to make a solicitation to the consumer about your products or services, unless the consumer is provided a reasonable opportunity to opt out, as required by § 334.21(a)(1)(ii) of this part.

(b)  Examples of a reasonable opportunity to opt out. The consumer is given a reasonable opportunity to opt out if:

(1)  By mail. The opt-out notice is mailed to the consumer. The consumer is given 30 days from the date the notice is mailed to elect to opt out by any reasonable means.

(2)  By electronic means.(i) the opt-out notice is provided electronically to the consumer, such as by posting the notice at an Internet Web site at which the consumer has obtained a product or service. The consumer acknowledges receipt of the electronic notice. The consumer is given 30 days after the date the consumer acknowledges receipt to elect to opt out by any reasonable means.

(ii)  The opt-out notice is provided to the consumer by e-mail where the consumer has agreed to receive disclosures by e-mail from the person sending the notice. The consumer is given 30 days after the e-mail is sent to elect to opt out by any reasonable means.

(3)  At the time of an electronic transaction. The opt-out notice is provided to the consumer at the time of an electronic transaction, such as a transaction conducted on an Internet Web site. The consumer is required to decide, as a necessary part of proceeding with the transaction, whether to opt out before completing the transaction. There is a simple process that the consumer may use to opt out at that time using the same mechanism through which the transaction is conducted.

(4)  At the time of an in-person transaction. The opt-out notice is provided to the consumer in writing at the time of an in-person transaction. The consumer is required to decide, as a necessary part of proceeding with the transaction, whether to opt out before completing the transaction, and is not permitted to complete the transaction without making a choice. There is a simple process that the consumer may use during the course of the in-person transaction to opt out, such as completing a form that requires consumers to write a "yes" or "no" to indicate their opt-out preference or that requires the consumer to check one of two blank check boxes--one that allows consumers to indicate that they want to opt out and one that allows consumers to indicate that they do not want to opt out.

(5)  By including in a privacy notice. The opt-out notice is included in a Gramm-Leach-Bliley Act privacy notice. The consumer is allowed to exercise the opt-out within a reasonable period of time and in the same manner as the opt-out under that privacy notice.

[Codified to 12 C.F.R. § 334.24]

[Section 334.24 added at 72 Fed. Reg. 62969, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]

§ 334.25  Reasonable and simple methods of opting out.

(a)  In general. You must not use eligibility information about a consumer that you receive from an affiliate to make a solicitation to the consumer about your products or services, unless the consumer is provided a reasonable and simple method to opt out, as required by § 334.21(a)(1)(ii) of this part.

(b)  Examples.  (1)  Reasonable and simple opt-out methods. Reasonable and simple methods for exercising the opt-out right include--

(i)  Designating a check-off box in a prominent position on the opt-out form;

(ii)  Including a reply form and a self-addressed envelope together with the opt-out notice;

(iii)  Providing an electronic means to opt out, such as a form that can be electronically mailed or processed at an Internet Web site, if the consumer agrees to the electronic delivery of information;

(iv)  Providing a toll-free telephone number that consumers may call to opt out; or

(v)  Allowing consumers to exercise all of their opt-out rights described in a consolidated opt-out notice that includes the privacy opt-out under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., the affiliate sharing opt-out under the Act, and the affiliate marketing opt-out under the Act, by a single method, such as by calling a single toll-free telephone number.

(2)  Opt-out methods that are not reasonable and simple. Reasonable and simple methods for exercising an opt-out right do not include--

(i)  Requiring the consumer to write his or her own letter;

(ii)  Requiring the consumer to call or write to obtain a form for opting out, rather than including the form with the opt-out notice;

(iii)  Requiring the consumer who receives the opt-out notice in electronic form only, such as through posting at an Internet Web site, to opt out solely by paper mail or by visiting a different Web site without providing a link to that site.

(c)  Specific opt-out means. Each consumer may be required to opt out through a specific means, as long as that means is reasonable and simple for that consumer.

[Codified to 12 C.F.R. § 334.25]

[Section 334.25 added at 72 Fed. Reg. 62970, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]

§ 334.26  Delivery of opt-out notices.

(a)  In general. The opt-out notice must be provided so that each consumer can reasonably be expected to receive actual notice. For opt-out notices provided electronically, the notice may be provided in compliance with either the electronic disclosure provisions in this subpart or the provisions in section 101 of the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. 7001 et seq.

(b)  Examples of reasonable expectation of actual notice. A consumer may reasonably be expected to receive actual notice if the affiliate providing the notice:

(1)  Hand-delivers a printed copy of the notice to the consumer.

(2)  Mails a printed copy of the notice to the last known mailing address of the consumer;

(3)  Provides a notice by e-mail to a consumer who has agreed to receive electronic disclosures by e-mail from the affiliate providing the notice; or

(4)  Posts the notice on the Internet Web site at which the consumer obtained a product or service electronically and requires the consumer to acknowledge receipt of the notice.

(c)  Examples of no reasonable expectation of actual notice. A consumer may not reasonably be expected to receive actual notice if the affiliate providing the notice:

(1)  Only posts the notice on a sign in a branch or office or generally publishes the notice in a newspaper;

(2)  Sends the notice via e-mail to a consumer who has not agreed to receive electronic disclosures by e-mail from the affiliate providing the notice; or

(3)  Posts the notice on an Internet Web site without requiring the consumer to acknowledge receipt of the notice.

[Codified to 12 C.F.R. § 334.26]

[Section 334.26 added at 72 Fed. Reg. 62970, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]

§ 334.27  Renewal of opt-out.

(a)  Renewal notice and opt-out requirement.  (1)  In general. After the opt-out period expires, you may not make solicitations based on eligibility information you receive from an affiliate to a consumer who previously opted out, unless:

(i)  The consumer has been given a renewal notice that complies with the requirements of this section and §§ 334.24 through 334.26 of this part, and a reasonable opportunity and a reasonable and simple method to renew the opt-out, and the consumer does not renew the opt-out; or

(ii)  An exception in § 334.21(c) of this part applies.

(2)  Renewal period. Each opt-out renewal must be effective for a period of at least five years as provided in § 334.22(b) of this part.

(3)  Affiliates who may provide the notice. The notice required by this paragraph must be provided:

(i)  By the affiliate that provided the previous opt-out notice, or its successor; or

(ii)  As part of a joint renewal notice from two or more members of an affiliated group of companies, or their successors, that jointly provided the previous opt-out notice.

(b)  Contents of renewal notice. The renewal notice must be clear, conspicuous, and concise, and must accurately disclose:

(1)  The name of the affiliate(s) providing the notice. If the notice is provided jointly by multiple affiliates and each affiliate shares a common name, such as "ABC," then the notice may indicate that it is being provided by multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by "all of the ABC companies," "the ABC banking, credit card, insurance, and securities companies," or by listing the name of each affiliate providing the notice. But if the affiliates providing the joint notice do not all share a common name, then the notice must either separately identify each affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice is provided by "all of the ABC and XYZ companies" or by "the ABC banking and credit card companies and the XYZ insurance companies;"

(2)  A list of the affiliates or types of affiliates whose use of eligibility information is covered by the notice, which may include companies that become affiliates after the notice is provided to the consumer. If each affiliate covered by the notice shares a common name, such as "ABC," then the notice may indicate that it applies to multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by "all of the ABC companies," "the ABC banking, credit card, insurance, and securities companies," or by listing the name of each affiliate providing the notice. But if the affiliates covered by the notice do not all share a common name, then the notice must either separately identify each covered affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice applies to "all of the ABC and XYZ companies" or to "the ABC banking and credit card companies and the XYZ insurance companies;"

(3)  A general description of the types of eligibility information that may be used to make solicitations to the consumer;

(4)  That the consumer previously elected to limit the use of certain information to make solicitations to the consumer;

(5)  That the consumer's election has expired or is about to expire;

(6)  That the consumer may elect to renew the consumer's previous election;

(7)  If applicable, that the consumer's election to renew will apply for the specified period of time stated in the notice and that the consumer will be allowed to renew the election once that period expires; and

(8)  A reasonable and simple method for the consumer to opt out.

(c)  Timing of the renewal notice.  (1)  In general. A renewal notice may be provided to the consumer either--

(i)  A reasonable period of time before the expiration of the opt-out period or

(ii)  Any time after the expiration of the opt-out period but before solicitations that would have been prohibited by the expired opt-out are made to the consumer.

(2)  Combination with annual privacy notice. If you provide an annual privacy notice under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., providing a renewal notice with the last annual privacy notice provided to the consumer before expiration of the opt-out period is a reasonable period of time before expiration of the opt-out in all cases.

(d)  No effect on opt-out period. An opt-out period may not be shortened by sending a renewal notice to the consumer before expiration of the opt-out period, even if the consumer does not renew the opt-out.

[Codified to 12 C.F.R. § 334.27]

[Section 334.27 added at 72 Fed. Reg. 62970, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]

§ 334.28  Effective date, compliance date, and prospective application.

(a)  Effective date. This subpart is effective January 1, 2008.

(b)  Mandatory compliance date. Compliance with this subpart is required not later than October 1, 2008.

(c)  Prospective application. The provisions of this subpart shall not prohibit you from using eligibility information that you receive from an affiliate to make solicitations to a consumer if you receive such information prior to October 1, 2008. For purposes of this section, you are deemed to receive eligibility information when such information is placed into a common database and is accessible by you.

[Codified to 12 C.F.R. § 334.28]

[Section 334.28 added at 72 Fed. Reg. 62971, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008]

Subpart D—Medical Information

§ 334.30  Obtaining or using medical information in connection with a determination of eligibility for credit.

(a)  Scope. This section applies to:

(1)  Any of the following that participates as a creditor in a transaction--

(i)  A State bank insured by the FDIC (other than members of the Federal Reserve System);

(ii)  An insured State branch of a foreign bank; or

(2)  Any other person that participates as a creditor in a transaction involving a person described in paragraph (a)(1) of this section.

(b)  General prohibition on obtaining or using medical information. (1) In general. A creditor may not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit, except as provided in this section.

(2)  Definitions. (i)  Credit has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a.

(ii)  Creditor has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a.

(iii)  Eligibility, or continued eligibility, for credit means the consumer's qualification or fitness to receive, or continue to receive, credit, including the terms on which credit is offered. The term does not include:

(A)  Any determination of the consumer's qualification or fitness for employment, insurance (other than a credit insurance product), or other non-credit products or services;

(B)   Authorizing, processing, or documenting a payment or transaction on behalf of the consumer in a manner that does not involve a determination of the consumer's eligibility, or continued eligibility, for credit; or

(C)  Maintaining or servicing the consumer's account in a manner that does not involve a determination of the consumer's eligibility, or continued eligibility, for credit.

(c)  Rule of construction for obtaining and using unsolicited medical information. (1) In general. A creditor does not obtain medical information in violation of the prohibition if it and Regulations receives medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit without specifically requesting medical information.

(2)  Use of unsolicited medical information. A creditor that receives unsolicited medical information in the manner described in paragraph (c)(1) of this section may use that information in connection with any determination of the consumer's eligibility, or continued eligibility, for credit to the extent the creditor can relay on at least one of the exceptions in § 334.30(d) or (e).

(3)  Examples. A creditor does not obtain medical information in violation of the prohibition if, for example:

(i)  In response to a general question regarding a consumer's debts or expenses, the creditor receives information that the consumer owes a debt to a hospital.

(ii)  In a conversation with the creditor's loan officer, the consumer informs the creditor that the consumer has a particular medical condition.

(iii)  In connection with a consumer's application for an extension of credit, the creditor requests a consumer report from a consumer reporting agency and receives medical information in the consumer report furnished by the agency even though the creditor did not specifically request medical information from the consumer reporting agency.

(d)  Financial information exception for obtaining and using medical information. (1) In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit so long as:

(i)  The information is the type of information routinely used in making credit eligibility determinations, such as information relating to debts, expenses, income, benefits, assets, collateral, or the purpose of the loan, including the use of proceeds;

(ii)  The creditor uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction; and

(iii)  The creditor does not take the consumer's physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination.

(2)  Examples. (i) Examples of the types of information routinely used in making credit eligibility determinations. Paragraph (d)(1)(i) of this section permits a creditor, for example, to obtain and use information about:

(A)  The dollar amount, repayment terms, repayment history, and similar information regarding medical debts to calculate, measure, or verify the repayment ability of the consumer, the use of proceeds, or the terms for granting credit;

(B)  The value, condition, and lien status of a medical device that may serve as collateral to secure a loan;

(C)  The dollar amount and continued eligibility for disability income or benefits related to health or a medical condition that is relied on as a source of repayment; or

(D)  The identity of creditors to whom outstanding medical debts are owed in connection with an application for credit, including but not limited to, a transaction involving the consolidation of medical debts.

(ii)  Examples of uses of medical information consistent with the exception. (A)  A consumer includes on an application for credit information about two $20,000 debts. One debt is to a hospital; the other debt is to a retailer. The creditor contacts the hospital and the retailer to verify the amount and payment status of the debts. The creditor learns that both debts are more than 90 days past due. Any two debts of this size that are more than 90 days past due would disqualify the consumer under the creditor's established underwriting criteria. The creditor denies the application on the basis that the consumer has a poor repayment history on outstanding debts. The creditor has used medical information in a manner and to an extent no less favorable than it would use comparable non-medical information.

(B)  A consumer indicates on an application for a $200,000 mortgage loan that she receives $15,000 in long-term disability income each year from her former employer and has no other income. Annual income of $15,000, regardless of source, would not be sufficient to support the requested amount of credit. The creditor denies the application on the basis that the projected debt-to-income ratio of the consumer does not meet the creditor's underwriting criteria. The creditor has used medical information in a manner and to an extent that is no less favorable than it would use comparable non-medical information.

(C)  A consumer includes on an application for a $10,000 home equity loan that he has a $50,000 debt to a medical facility that specializes in treating a potentially terminal disease. The creditor contacts the medical facility to verify the debt and obtain the repayment history and current status of the loan. The creditor learns that the debt is current. The applicant meets the income and other requirements of the creditor's underwriting guidelines. The creditor grants the application. The creditor has used medical information in accordance with the exception.

(iii)  Examples of uses of medical information inconsistent with the exception. (A)  A consumer applies for $25,000 of credit and includes on the application information about a $50,000 debt to a hospital. The creditor contacts the hospital to verify the amount and payment status of the debt, and learns that the debt is current and that the consumer has no delinquencies in her repayment history. If the existing debt were instead owed to a retail department store, the creditor would approve the application and extend credit based on the amount and repayment history of the outstanding debt. The creditor, however, denies the application because the consumer is indebted to a hospital. The creditor has used medical information, here the identity of the medical creditor, in a manner and to an extent that is less favorable than it would use comparable non-medical information.

(B)  A consumer meets with a loan officer of a creditor to apply for a mortgage loan. While filling out the loan application, the consumer informs the loan officer orally that she has a potentially terminal disease. The consumer meets the creditor's established requirements for the requested mortgage loan. The loan officer recommends to the credit committee that the consumer be denied credit because the consumer has that disease. The credit committee follows the loan officer's recommendation and denies the application because the consumer has a potentially terminal disease. The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer's physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis as part of a determination of eligibility or continued eligibility for credit.

(C)  A consumer who has an apparent medical condition, such as a consumer who uses a wheelchair or an oxygen tank, meets with a loan officer to apply for a home equity loan. The consumer meets the creditor's established requirements for the requested home equity loan and the creditor typically does not require consumers to obtain a debt cancellation contract, debt suspension agreement, or credit insurance product in connection with such loans. However, based on the consumer's apparent medical condition, the loan officer recommends to the credit committee that credit be extended to the consumer only if the consumer obtains a debt cancellation contract, debt suspension agreement, or credit insurance product. The credit committee agrees with the loan officer's recommendation. The loan officer informs the consumer that the consumer must obtain a debt cancellation contract, debt suspension agreement, or credit insurance product to qualify for the loan. The consumer obtains one of these products from a third party and the creditor approves the loan. The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer's physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis in setting conditions on the consumer's eligibility for credit.

(e)  Specific exceptions for obtaining and using medical information. (1)  In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit--

(i)  To determine whether the use of a power of attorney or legal representative that is triggered by a medical event or condition is necessary and appropriate or whether the consumer has the legal capacity to contract when a person seeks to exercise a power of attorney or act as legal representative for a consumer based on an asserted medical event or condition;

(ii)  To comply with applicable requirements of local, State, or Federal laws;

(iii)  To determine, at the consumer's request, whether the consumer qualifies for a legally permissible special credit program or credit-related assistance program that is--

(A)  Designed to meet the special needs of consumers with medical conditions; and

(B)  Established and administered pursuant to a written plan that--

(1)Identifies the class of persons that the program is designed to benefit; and

(2)  Sets forth the procedures and standards for extending credit or providing other credit-related assistance under the program.

(iv)  To the extent necessary for purposes of fraud prevention or detection;

(v)  In the case of credit for the purpose of financing medical products or services, to determine and verify the medical purpose of a loan and the use of proceeds;

(vi)  Consistent with safe and sound practices, if the consumer or the consumer's legal representative specifically requests that the creditor use medical information in determining the consumer's eligibility, or continued eligibility, for credit, to accommodate the consumer's particular circumstances, and such request is documented by the creditor;

(vii)  Consistent with safe and sound practices, to determine whether the provisions of a forbearance practice or program that is triggered by a medical event or condition apply to a consumer;

(viii)  To determine the consumer's eligibility for, the triggering of, or the reactivation of a debt cancellation contract or debt suspension agreement if a medical condition or event is a triggering event for the provision of benefits under the contract or agreement; or

(ix)  To determine the consumer's eligibility for, the triggering of, or the reactivation of a credit insurance product if a medical condition or event is a triggering event for the provision of benefits under the product.

(2)  Example of determining eligibility for a special credit program or credit assistance program. A not-for-profit organization establishes a credit assistance program pursuant to a written plan that is designed to assist disabled veterans in purchasing homes by subsidizing the down payment for the home purchase mortgage loans of qualifying veterans. The organization works through mortgage lenders and requires mortgage lenders to obtain medical information about the disability of any consumer that seeks to qualify for the program, use that information to verify the consumer's eligibility for the program, and forward that information to the organization. A consumer who is a veteran applies to a creditor for a home purchase mortgage loan. The creditor informs the consumer about the credit assistance program for disabled veterans and the consumer seeks to qualify for the program. Assuming that the program complies with all applicable law, including applicable fair lending laws, the creditor may obtain and use medical information about the medical condition and disability, if any, of the consumer to determine whether the consumer qualifies for the credit assistance program.

(3)  Examples of verifying the medical purpose of the loan or the use of proceeds. (1) If a consumer applies for $10,000 of credit for the purpose of financing vision correction surgery, the creditor may verify with the surgeon that the procedure will be performed. If the surgeon reports that surgery will not be performed on the consumer, the creditor may use that medical information to deny the consumer's application for credit, because the loan would not be used for the stated purpose.

(ii)  If a consumer applies for $10,000 of credit for the purpose of financing cosmetic surgery, the creditor may confirm the cost of the procedure with the surgeon. If he surgeon reports that the cost of the procedure is $5,000, the creditor may use that medical information to offer the consumer only $5,000 of credit.

(iii)  A creditor has an established medical loan program for financing particular elective surgical procedures. The creditor receives a loan application from a consumer requesting $10,000 of credit under the established loan program for an elective surgical procedure. The consumer indicates on the application that the purpose of the loan is to finance an elective surgical procedure not eligible for funding under the guidelines of the established loan program. The creditor may deny the consumer's application because the purpose of the loan is not for a particular procedure funded by the established loan program.

(4)  Examples of obtaining and using medical information at the request of the consumer. (i) If a consumer applies for a loan and specifically requests that the creditor consider the consumer's medical disability at the relevant time as an explanation for adverse payment history information in his credit report, the creditor may consider such medical information in evaluating the consumer's willingness and ability to repay the requested loan to accommodate the consumer's particular circumstances, consistent with safe and sound practices. The creditor may also decline to consider such medical information to accommodate the consumer, but may evaluate the consumer's application in accordance with its otherwise applicable underwriting criteria. The creditor may not deny the consumer's application or otherwise treat the consumer less favorably because the consumer specifically requested a medical accommodation, if the creditor would have extended the credit or treated the consumer more favorably under the creditor's otherwise applicable underwriting criteria.

(ii)  If a consumer applies for a loan by telephone and explains that his income has been and will continue to be interrupted on account of a medical condition and that he expects to repay the loan by liquidating assets, the creditor may, but is not required to, evaluate the application using the sale of assets as the primary source of repayment, consistent with safe and sound practices, provided that the creditor documents the consumer's request by recording the oral conversation or making a notation of the request in the consumer's file.

(iii)  If a consumer applies for a loan and the application form provides a space where the consumer may provide any other information or special circumstances, whether medical or non-medical, that the consumer would like the creditor to consider in evaluating the consumer's application, the creditor may use medical information provided by the consumer in that space on that application to accommodate the consumer's application for credit, consistent with safe and sound practices, or may disregard that information.

(iv)  If a consumer specifically requests that the creditor use medical information in determining the consumer's eligibility, or continued eligibility, for credit and provides the creditor with medical information for that purpose, and the creditor determines that it needs additional information regarding the consumer's circumstances, the creditor may request, obtain, and use additional medical information about the consumer as necessary to verify the information provided by the consumer or to determine whether to make an accommodation for the consumer. The consumer may decline to provide additional information, withdraw the request for an accommodation, and have the application considered under the creditor's otherwise applicable underwriting criteria.

(v)  If a consumer completes and signs a credit application that is not for medical purpose credit and the application contains boilerplate language that routinely requests medical information from the consumer or that indicates that by applying for credit the consumer authorizes or consents to the creditor obtaining and using medical information in connection with a determination of the consumer's eligibility, or continued eligibility, for credit, the consumer has not specifically requested that the creditor obtain and use medical information to accommodate the consumer's particular circumstances.

(5)  Example of a forbearance practice or program. After an appropriate safety and soundness review, a creditor institutes a program that allows consumers who are or will be hospitalized to defer payments as needed for up to three months, without penalty, if the credit account has been open for more than one year and has not previously been in default, and the consumer provides confirming documentation at an appropriate time. A consumer is hospitalized and does not pay her bill for a particular month. This consumer has had a credit account with the creditor for more than one year and has not previously been in default. The creditor attempts to contact the consumer and speaks with the consumer's adult child, who is not the consumer's legal representative. The adult child informs the creditor that the consumer is hospitalized and is unable to pay the bill at that time. The creditor defers payments for up to three months, without penalty, for the hospitalized consumer and sends the consumer a letter confirming this practice and the date on which the next payment will be due.

[Codified to 12 C.F.R. § 334.30]

§ 334.31  Limits on redisclosure of information.

(a)  Scope. This section applies to State banks insured by the FDIC (other than members of the Federal Reserve System) and insured State branches of foreign banks.

(b)  Limits on redisclosure. If a person described in paragraph (a) of this section receives medical information about a consumer from a consumer reporting agency or its affiliate, the person must not disclose that information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order.

[Codified to 12 C.F.R. § 334.31]

§ 334.32  Sharing medical information with affiliates.

(a)  Scope. This section applies to State banks insured by the FDIC (other than members of the Federal Reserve System) and insured State branches of foreign banks.

(b)  In general. The exclusions from the term "consumer report" in section 603(d)(2) of the Act that allow the sharing of information with affiliates do not apply if a person described in paragraph (a) of this section communicates to an affiliate--

(1)  Medical information;

(2)  An individualized list or description based on the payment transactions of the consumer for medical products or services; or

(3)  An aggregate list of identified consumers based on payment transactions for medical products or services.

(c)  Exceptions. A person described in paragraph (a) of this section may rely on the exclusions from the term "consumer report" in section 603(d)(2) of the Act to communicate the information in paragraph (b) of this section to an affiliate--

(1)  In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003);

(2)  For any purpose permitted without authorization under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);

(3)  For any purpose referred to in section 1179 of HIPAA;

(4)  For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act;

(5)  In connection with a determination of the consumer's eligibility, or continued eligibility, for credit consistent with § 334.30; or

(6)  As otherwise permitted by order of the FDIC.

[Codified to 12 C.F.R. § 334.32]

Subpart E—Duties of Furnishers of Information

§ 334.40  Scope.

This subpart applies to a financial institution or creditor that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except dealers, persons providing insurance, investment companies, and investment advisers).

[Codified to 12 C.F.R. § 334.40]

[Section 334.40 added at 74 Fed. Reg. 31517, July 1, 2009, effective July 10, 2010]

§ 334.41  Definitions.

For purposes of this subpart and Appendix E of this part, the following definitions apply:

(a)  Accuracy means that information that a furnisher provides to a consumer reporting agency about an account or other relationship with the consumer correctly:

(1)  Reflects the terms of and liability for the account or other relationship;

(2)  Reflects the consumer's performance and other conduct with respect to the account or other relationship; and

(3)  Identifies the appropriate consumer.

(b)  Direct dispute means a dispute submitted directly to a furnisher (including a furnisher that is a debt collector) by a consumer concerning the accuracy of any information contained in a consumer report and pertaining to an account or other relationship that the furnisher has or had with the consumer.

(c)  Furnisher means an entity that furnishes information relating to consumers to one or more consumer reporting agencies for inclusion in a consumer report. An entity is not a furnisher when it:

(1)  Provides information to a consumer reporting agency solely to obtain a consumer report in accordance with sections 604(a) and (f) of the Fair Credit Reporting Act;

(2)  Is acting as a "consumer reporting agency" as defined in section 603(f) of the Fair Credit Reporting Act;

(3)  Is a consumer to whom the furnished information pertains; or

(4)  Is a neighbor, friend, or associate of the consumer, or another individual with whom the consumer is acquainted or who may have knowledge about the consumer, and who provides information about the consumer's character, general reputation, personal characteristics, or mode of living in response to a specific request from a consumer reporting agency.

(d)  Identity theft has the same meaning as in 16 CFR 603.2(a).

(e)  Integrity means that information that a furnisher provides to a consumer reporting agency about an account or other relationship with the consumer:

(1)  Is substantiated by the furnisher's records at the time it is furnished;

(2)  Is furnished in a form and manner that is designed to minimize the likelihood that the information may be incorrectly reflected in a consumer report; and

(3)  Includes the information in the furnisher's possession about the account or other relationship that the FDIC has:

(i)  Determined that the absence of which would likely be materially misleading in evaluating a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; and

(ii)  Listed in section I.(b)(2)(iii) of Appendix E of this part.

[Codified to 12 C.F.R. § 334.41]

[Section 334.41 added at 74 Fed. Reg. 31517, July 1, 2009, effective July 1, 2010]

§ 334.42  Reasonable policies and procedures concerning the accuracy and integrity of furnished information.

(a)  Policies and procedures. Each furnisher must establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers that it furnishes to a consumer reporting agency. The policies and procedures must be appropriate to the nature, size, complexity, and scope of each furnisher's activities.

(b)  Guidelines. Each furnisher must consider the guidelines in Appendix E of this part in developing its policies and procedures required by this section, and incorporate those guidelines that are appropriate.

(c)  Reviewing and updating policies and procedures. Each furnisher must review its policies and procedures required by this section periodically and update them as necessary to ensure their continued effectiveness.

[Codified to 12 C.F.R. § 334.42]

[Section 334.42 added at 74 Fed. Reg. 31517, July 1, 2009, effective July 10, 2010]

§ 334.43  Direct disputes.

(a)  General Rule. Except as otherwise provided in this section, a furnisher must conduct a reasonable investigation of a direct dispute if it relates to:

(1)  The consumer's liability for a credit account or other debt with the furnisher, such as direct disputes relating to whether there is or has been identify theft or fraud against the consumer, whether there is individual or joint liability on an account, or whether the consumer is an authorized user of a credit account;

(2)  The terms of a credit account or other debt with the furnisher, such as direct disputes relating to the type of account, principal balance, scheduled payment amount or an account, or the amount of the credit limit on an open-end account;

(3)  The consumer's performance or other conduct concerning an account or other relationship with the furnisher, such as direct disputes relating to the current payment status, high balance, date a payment was made, the amount of a payment made, or the data an account was opened or closed; or

(4)  Any other information contained in a consumer report regarding an account or other relationship with the furnisher that bears on the consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

(b)  Exceptions. The requirements of paragraph (a) of this section to not apply to a furnisher if:

(1)  The direct dispute relates to:

(i)  The consumer's identifying information (other than a direct dispute relating to a consumer's liability for a credit account or other debt with the furnisher, as provided in paragraph (a)(1) of this section), such as name(s), date of birth, Social Security number, telephone number(s), or address(es);

(ii)  The identify of past or present employers;

(iii)  Inquiries or requests for a consumer report;

(iv)  Information derived from public records, such as judgments, bankruptcies, liens, and other legal matters (unless provided by a furnisher with an account or other relationship with the consumer);

(v)  Information related to fraud alerts or active duty alerts; or

(vi)  Information provided to a consumer reporting agency by another furnisher; or

(2)  The furnisher has a reasonable belief that the direct dispute is submitted by, is prepared on behalf of the consumer by, or is submitted on a form supplied to the consumer by, a credit repair organization, as defined in 15 U.S.C. 1679a(3), or an entity that would be a credit repair organization, but for 15 U.S.C. 1679a(3)(B)(i).

(c)  Direct dispute address. A furnisher is required to investigate a direct dispute only if a consumer submits a dispute notice to the furnisher at:

(1)  The address of a furnisher provided by a furnisher and set forth on a consumer report relating to the consumer;

(2)  An address clearly and conspicuously specified by the furnisher for submitting direct disputes that is provided to the consumer in writing or electronically (if the consumer has agreed to the electronic delivery of information from the furnisher); or

(3)  Any business address of the furnisher if the furnisher has not so specified and provided an address for submitting direct disputes under paragraph (c)(1) or (2) of this section.

(d)  Direct dispute notice contents. A dispute notice must include:

(1)  Sufficient information to identify the account or other relationship that is in dispute, such as an account number and the name, address, and telephone number of the consumer, if applicable;

(2)  The specific information that the consumer is disputing and an explanation of the basis for the dispute; and

(3)  All supporting documentation or other information reasonably required by the furnisher to substantiate the basis of the dispute. This documentation may include, for example: a copy of the relevant portion of the consumer report that contains the allegedly inaccurate information; a police report; a fraud or identify theft affidavit; a court order; or account statements.

(e)  Duty of furnisher after receiving a direct dispute notice. After receiving a dispute notice from a consumer pursuant to paragraphs (c) and (d) of this section, the furnisher must:

(1)  Conduct a reasonable investigation with respect to the disputed information;

(2)  Review all relevant information provided by the consumer with the dispute notice;

(3)  Complete its investigation of the dispute and report the results of the investigation to the consumer before the expiration of the period under section 611(a)(1) of the Fair Credit Reporting Act (15 U.S.C. 1681i(a)(1)) within which a consumer reporting agency would be required to complete its action if the consumer had elected to dispute the information under that section; and

(4)  If the investigation finds that the information reported was inaccurate, promptly notify each consumer reporting agency to which the furnisher provided inaccurate information of that determination and provide to the consumer reporting agency any correction to the information that is necessary to make the information provided by the furnisher accurate.

(f)  Frivolous or irrelevant disputes. (1) A furnisher is not required to investigate a direct dispute if the furnisher has reasonably determined that the dispute is frivolous or irrelevant. A dispute qualifies as frivolous or irrelevant if:

(i)  The consumer did not provide sufficient information to investigate the disputed information as required by paragraph (d) of this section;

(ii)  The direct dispute is substantially the same as a dispute previously submitted by or on behalf of the consumer, either directly to the furnisher or through a consumer reporting agency, with respect to which the furnisher has already satisfied the applicable requirements of the Act or this section; provided, however, that a direct dispute is not substantially the same as a dispute previously submitted if the dispute includes information listed in paragraph (d) of this section that had not previously been provided to the furnisher; or

(iii)  The furnisher is not required to investigate the direct dispute because one or more of the exceptions listed in paragraph (b) of this section applies.

(2)  Notice of determination. Upon making a determination that a dispute is frivolous or irrelevant, the furnisher must notify the consumer of the determination not later than five business days after making the determination, by mail or, if authorized by the consumer for that purpose, by any other means available to the furnisher.

(3)  Contents of notice of determination that a dispute is frivolous or irrelevant. A notice of determination that a dispute is frivolous or irrelevant must include the reasons for such determination and identify any information required to investigate the disputed information, which notice may consist of a standardized form describing the general nature of such information.

[Codified to 12 C.F.R. § 334.43]

[Section 334.43 added at 74 Fed. Reg. 31518, July 1, 2009, effective July 1, 2010]

Subpart F–H—[Reserved]

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

§ 334.80–334.81 [Reserved] {hang}§ 334.82  Duties of users regarding address discrepancies.

(a)  Scope. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency described in 15 U.S.C. 1681(p) and that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

(b)  Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency described in 15 U.S.C. 1681(p) pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.

(c)  Reasonable belief.  (1)  Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.

(2)  Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:

(A)  Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 1020.220);

(B)  Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or

(C)  Obtains from third-party sources; or

(ii)  Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

(d)  Consumer's address.  (1)  Requirement to furnish consumer's address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency described in 15 U.S.C. 1681(p) from whom it received the notice of address discrepancy when the user:

(i)  Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;

(ii)  Establishes a continuing relationship with the consumer; and

(iii)  Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.

(2)  Examples of confirmation methods. The user may reasonably confirm an address is accurate by:

(i)  Verifying the address with the consumer about whom it has requested the report;

(ii)  Reviewing its own records to verify the address of the consumer;

(iii)  Verifying the address through third-party sources; or

(iv)  Using other reasonable means.

(3)  Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency described in 15 U.S.C. 1681a(p) as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

[Codified to 12 C.F.R. § 334.82]

[Section 334.82 added at 72 Fed. Reg. 63760, November 9, 2007, effective January 1, 2008, the mandatory compliance date is November 1, 2008; 74 Fed. Reg. 22643, May 14, 2009, effective May 14, 2009, except for the amendments in instructions 4, 10, 15, 20, 26, and 34 relating to appendices C to 12 CFR parts 41, 222, 334, 571, 717 and 16 CFR part 698, respectively, which are effective January 1, 2010; amended at 76 Fed. Reg. 14793, March 18, 2011]

§ 334.83  Disposal of consumer information.

(a)  In general. You must properly dispose of any consumer information that you maintain or otherwise possess in accordance with the Interagency Guidelines Establishing Information Security Standards, as set forth in appendix B to part 364 of this chapter, prescribed pursuant to section 216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681w) and section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)), to the extent the Guidelines are applicable to you.

(b)  Rule of construction. Nothing in this section shall be construed to:

(1)  Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or

(2)  Alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.

[Codified to 12 C.F.R. § 334.83]

Subpart J—Identity Theft Red Flags

§ 334.90  Duties regarding the detection, prevention, and mitigation of identity theft.

(a)  Scope. This section applies to a financial institution or creditor that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

(b)  Definitions. For purposes of this section and Appendix J, the following definitions apply:

(1)  Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:

(i)  An extension of credit, such as the purchase of property or services involving a deferred payment; and

(ii)  A deposit account.

(2)  The term board of directors includes:

(i)  In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and

(ii)  In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.

(3)  Covered account means:

(i)  An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and

(ii)  Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

(4)  Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).

(5)  Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

(6)  Customer means a person that has a covered account with a financial institution or creditor.

(7)  Financial institution has the same meaning as in 15 U.S.C. 1681a(t).

(8)  Identity theft has the same meaning as in 16 CFR 603.2(a).

(9)  Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

(10)  Service provider means a person that provides a service directly to the financial institution or creditor.

(c)  Periodic Identification of Covered Accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:

(1)  The methods it provides to open its accounts;

(2)  The methods it provides to access its accounts; and

(3)  Its previous experiences with identity theft.

(d)  Establishment of an Identity Theft Prevention Program--(1)  Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

(2)  Elements of the Program. The Program must include reasonable policies and procedures to:

(i)  Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;

(ii)  Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;

(iii)  Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and

(iv)  Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

(e)  Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:

(1)  Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;

(2)  Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;

(3)  Train staff, as necessary, to effectively implement the Program; and

(4)  Exercise appropriate and effective oversight of service provider arrangements.

(f)  Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate.

[Codified to 12 C.F.R. § 334.90]

[Section 334.90 added at 72 Fed. Reg. 63761, November 9, 2007, effective January 1, 2008, the mandatory compliance date is November 1, 2008]

§ 334.91  Duties of card issuers regarding changes of address.

(a)  Scope. This section applies to an issuer of a debit or credit card (card issuer) that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers)

(b)  Definitions. For purposes of this section:

(1)  Cardholder means a consumer who has been issued a credit or debit card.

(2)  Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c)  Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1)(i)  Notifies the cardholder of the request:

(A)  At the cardholder's former address; or

(B)  By any other means of communication that the card issuer and the cardholder have previously agreed to use; and

(ii)  Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or

(2)  Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 334.90 of this part.

(d)  Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.

(e)  Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

[Codified to 12 C.F.R. § 334.91]

[Section 334.91 added at 72 Fed. Reg. 63761, November 9, 2007, effective January 1, 2008, the mandatory compliance date is November 1, 2008]

Appendix A–B—[Reserved]

Appendix C To Part 334--Model Forms for Opt-Out Notices

a.  Although use of the model forms is not required, use of the model forms in this Appendix (as applicable) complies with the requirement in section 624 of the Act for clear, conspicuous, and concise notices.

b.  Certain changes may be made to the language or format of the model forms without losing the protection from liability afforded by use of the model forms. These changes may not be so extensive as to affect the substance, clarity, or meaningful sequence of the language in the model forms. Persons making such extensive revisions will lose the safe harbor that this Appendix provides. Acceptable changes include, for example:

1.  Rearranging the order of the references to "your income," "your account history," and "your credit score."

2.  Substituting other types of information for "income," "account history," or "credit score" for accuracy, such as "payment history," "credit history," "payroll status," or "claims history."

3.  Substituting a clearer and more accurate description of the affiliates providing or covered by the notice for phrases such as "the [ABC] group of companies," including without limitation a statement that the entity providing the notice recently purchased the consumer's account.

4.  Substituting other types of affiliates covered by the notice for "credit card," "insurance," or "securities" affiliates.

5.  Omitting items that are not accurate or applicable. For example, if a person does not limit the duration of the opt-out period, the notice may omit information about the renewal notice.

6.  Adding a statement informing consumers how much time they have to opt out before shared eligibility information may be used to make solicitations to them.

7.  Adding a statement that the consumer may exercise the right to opt out at any time.

8.  Adding the following statement, if accurate; "If you previously opted out, you do not need to do so again."

9.  Providing a place on the form for the consumer to fill in identifying information, such as his or her name and address:

10.  Adding disclosures regarding the treatment of opt-outs by joint consumers to comply with § 334.23(a)(2) of this part.

C--1  Model Form for Initial Opt-out Notice (Single-Affiliate Notice) C--2  Model Form for Initial Opt-out Notice (Joint Notice) C--3  Model Form for Renewal Notice (Single-Affiliate Notice) C--4  Model Form for Renewal Notice (Joint Notice) C--5  Model Form for Voluntary "No Marketing" Notice C--6  Model Form for Voluntary "No Marketing" Notice

C–1—Model Form for Initial Opt-out Notice (Single-Affiliate Notice)—[Your Choice To Limit Marketing]/[Marketing Opt-out]

•  [Name of Affiliate] is providing this notice.

•  [Optional: Federal law gives you the right to limit some but not all marketing from our affiliates. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from our affiliates.]

•  You may limit our affiliates in the [ABC] group of companies, such as our [credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that we collect and share with them. This information includes your [income], your [account history with us], and your [credit score].

•  Your choice to limit marketing offers from our affiliates will apply [until you tell us to change your choice]/[for x years from when you tell us your choice]/[for at least 5 years from when you tell us your choice]. [Include if the opt-out period expires.] Once that period expires, you will receive a renewal notice that will allow you to continue to limit marketing offers from our affiliates for [another x years]/[at least another 5 years].

•  [Include, if applicable, in a subsequent notice, including an annual notice, for consumers who may have previously opted out.] If you have already made a choice to limit marketing offers from our affiliates, you do not need to act again until you receive the renewal notice.

To limit marketing offers, contact us [include all that apply]:

•  By telephone: 1--877--###--####

•  On the Web: www.---.com

•  By mail: Check the box and complete the form below, and send the form to:

[Company name] [Company address]

_______ Do not allow your affiliates to use my personal information to market to me.

C–2—Model Form for Initial Opt-out Notice (Joint Notice)—[Your Choice To Limit Marketing]/[Marketing Opt-out]

•  The [ABC group of companies] is providing this notice.

•  [Optional: Federal law gives you the right to limit some but not all marketing from the [ABC] companies. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from the [ABC] companies.]

•  You may limit the [ABC] companies, such as the [ABC credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that they receive from other [ABC] companies. This information includes your [income], your [account history], and your [credit score].

•  Your choice to limit marketing offers from the [ABC] companies will apply [until you tell us to change your choice]/[for x years from when you tell us your choice]/[for at least 5 years from when you tell us your choice]. [Include if the opt-out period expires.] Once that period expires, you will receive a renewal notice that will allow you to continue to limit marketing offers from the [ABC] companies for [another x years]/[at least another 5 years].

•  [Include, if applicable, in a subsequent notice, including an annual notice, for consumers who may have previously opted out.] If you have already made a choice to limit marketing offers from the [ABC] companies, you do not need to act again until you receive the renewal notice.

To limit marketing offers, contact us [include all that apply]:

•  By telephone: 1--877--###--####

•  On the Web: www.---.com

•  By mail: Check the box and complete the form below, and send the form to:

[Company name] [Company address]

_______ Do not allow any company [in the ABC group of companies] to use my personal information to market to me.

C–3—Model Form for Renewal Notice (Single-Affiliate Notice)—[Renewing Your Choice To Limit Marketing]/[Renewing Your Marketing Opt-out]

•  [Name of Affiliate] is providing this notice.

•  [Optional: Federal law gives you the right to limit some but not all marketing from our affiliates. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from our affiliates.]

•  You previously chose to limit our affiliates in the [ABC] group of companies, such as our [credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that we share with them. This information includes your [income], your [account history with us], and your [credit score].

•  Your choice has expired or is about to expire.

To renew your choice to limit marketing for [x] more years, contact us [include all that apply]:

•  By telephone: 1--877--###--####

•  On the Web: www.---.com

•  By mail: Check the box and complete the form below, and send the form to:

[Company name] [Company address]

_______ Renew my choice to limit marketing for [x] more years.

C–4—Model Form for Renewal Notice (Joint Notice)—[Renewing Your Choice To Limit Marketing]/[Renewing Your Marketing Opt-out]

•  The [ABC group of companies] is providing this notice.

•  [Optional: Federal law gives you the right to limit some but not all marketing from the [ABC] companies. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from the [ABC] companies.]

•  You previously chose to limit the [ABC] companies, such as the [ABC credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that they receive from other ABC companies. This information includes your [income], your [account history], and your [credit score].

•  Your choice has expired or is about to expire.

To renew your choice to limit marketing for [x] more years, contact us [include all that apply];

•  By telephone: 1--877--###--####

•  On the Web: www.---.com

•  By mail: Check the box and complete the form below, and send the form to:

[Company name] [Company address]

_______ Renew my choice to limit marketing for [x] more years.

C–5—Model Form for Voluntary ``No Marketing'' Notice

Your Choice To Stop Marketing

•  [Name of Affiliate] is providing this notice.

•  You may choose to stop all marketing from us and our affiliates.

•  [Your choice to stop marketing from us and our affiliates will apply until you tell us to change your choice.]

To stop all marketing, contact us [include all that apply]:

•  By telephone: 1--877--###--####

•  On the Web: www.---.com

•  By mail: Check the box and complete the form below, and send the form to:

[Company name] [Company address]

_______ Do not market to me.

C–6—Model Form for Voluntary ``No Marketing'' Notice—Your Choice To Stop Marketing

•  [Name of Affiliate] is providing this notice.

•  You may choose to stop all marketing from us and our affiliates.

To stop all marketing, contact us [include all that apply]:

•  By telephone: 1--877--###--####

•  On the Web: www.---.com

•  By mail: Check the box and complete the form below, and send the form to:

[Company name] [Company address]

_______ Do not market to me.

[Codified to 12 C.F.R. Part 334, Appendix C]

[Appendix C added at 72 Fed. Reg. 62971, November 7, 2007, effective January 1, 2008, the mandatory compliance date is October 1, 2008; 74 Fed. Reg. 22643, May 14, 2009, effective May 14, 2009, except for amendments in instructions 4, 10, 15, 20, 26, and 34 relating to apendecies C to 12 CFR parts 41, 222, 334, 571, 717 and 16 CFR part 698, respectively, which are effective January 1, 2010]

Appendix E to Part 334—Interagency Guidelines Concerning the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies

The FDIC encourages voluntary furnishing of information to consumer reporting agencies. Section 334.42 of this part requires each furnisher to establish and implement reasonable written policies and procedures concerning the accuracy and integrity of the information it furnishes to consumer reporting agencies. Under § 334.42(b), a furnisher must consider the guidelines set forth below in developing its policies and procedures. In establishing these policies and procedures, a furnisher may include any of its existing policies and procedures that are relevant and appropriate. Section 334.42(c) requires each furnisher to review its policies and procedures periodically and update them as necessary to ensure their continued effectiveness.

I.  Nature, Scope, and Objectives of Policies and Procedures

(a)  Nature and Scope. Section 334.42(a) of this part requires that a furnisher's policies and procedures be appropriate to the nature, size, complexity, and scope of the furnisher's activities. In developing its policies and procedures, a furnisher should consider, for example:

(1)  The types of business activities in which the furnisher engages;

(2)  The nature and frequency of the information the furnisher provides to consumer reporting agencies; and

(3)  The technology used by the furnisher to furnish information to consumer reporting agencies.

(b)  Objectives. A furnisher's policies and procedures should be reasonably designed to promote the following objectives:

(1)  To furnish information about accounts or other relationships with a consumer that is accurate, such that the furnished information:

(i)  Identifies the appropriate consumer;

(ii)  Reflects the terms of and liability for those accounts or other relationships; and

(iii)  Reflects the consumer's performance and other conduct with respect to the account or other relationship;

(2)  To furnish information about accounts or other relationships with a consumer that has integrity, such that the furnished information:

(i)  Is substantiated by the furnisher's records at the time it is furnished;

(ii)  Is furnished in a form and manner that is designed to minimize the likelihood that the information may be incorrectly reflected in a consumer report; thus, the furnished information should:

(A)  Include appropriate identifying information about the consumer to whom it pertains; and

(B)  Be furnished in a standardized and clearly understandable form and manner and with a date specifying the time period to which the information pertains; and

(iii)  Includes the credit limit, if applicable and in the furnisher's possession;

(3)  To conduct reasonable investigations of consumer disputes and take appropriate actions based on the outcome of such investigations; and

(4)  To update the information it furnishes as necessary to reflect the current status of the consumer's account or other relationship, including, for example:

(i)  Any transfer of an account (e.g., by sale or assignment for collection) to a third party; and

(ii)  Any cure of the consumer's failure to abide by the terms of the account or other relationship.

II.  Establishing and Implementing Policies and Procedures

In establishing and implementing its policies and procedures, a furnisher should:

(a)  Identify practices or activities of the furnisher that can compromise the accuracy or integrity of information furnished to consumer reporting agencies, such as by:

(1)  Reviewing its existing practices and activities, including the technological means and other methods it uses to furnish information to consumer reporting agencies and the frequency and timing of its furnishing of information;

(2)  Reviewing its historical records relating to accuracy or integrity or to disputes; reviewing other information relating to the accuracy or integrity of information provided by the furnisher to consumer reporting agencies; and considering the types of errors, omissions, or other problems that may have affected the accuracy or integrity of information it has furnished about consumers to consumer reporting agencies;

(3)  Considering any feedback received from consumer reporting agencies, consumers, or other appropriate parties;

(4)  Obtaining feedback from the furnisher's staff; and

(5)  Considering the potential impact of the furnisher's policies and procedures on consumers.

(b)  Evaluate the effectiveness of existing policies and procedures of the furnisher regarding the accuracy and integrity of information furnished to consumer reporting agencies; consider whether new, additional, or different policies and procedures are necessary; and consider whether implementation of existing policies and procedures should be modified to enhance the accuracy and integrity of information about consumers furnished to consumer reporting agencies.

(c)  Evaluate the effectiveness of specific methods (including technological means) the furnisher uses to provide information to consumer reporting agencies; how those methods may affect the accuracy and integrity of the information it provides to consumer reporting agencies; and whether new, additional, or different methods (including technological means) should be used to provide information to consumer reporting agencies to enhance the accuracy and integrity of that information.

III.  Specific Components of Policies and Procedures

In developing its policies and procedures, a furnisher should address the following, as appropriate:

(a)  Establishing and implementing a system for furnishing information about consumers to consumer reporting agencies that is appropriate to the nature, size, complexity, and scope of the furnisher's business operations.

(b)  Using standard data reporting formats and standard procedures for compiling and furnishing data, where feasible, such as the electronic transmission of information about consumers to consumer reporting agencies.

(c)  Maintaining records for a reasonable period of time, not less than any applicable recordkeeping requirements, in order to substantiate the accuracy of any information about consumers it furnishes that is subject to a direct dispute.

(d)  Establishing and implementing appropriate internal controls regarding the accuracy and integrity of information about consumers furnished to consumer reporting agencies, such as by implementing standard procedures and verifying random samples of information provided to consumer reporting agencies.

(e)  Training staff that participates in activities related to the furnishing of information about consumers to consumer reporting agencies to implement the policies and procedures.

(f)  Providing for appropriate and effective oversight of relevant service providers whose activities may affect the accuracy or integrity of information about consumers furnished to consumer reporting agencies to ensure compliance with the policies and procedures.

(g)  Furnishing information about consumers to consumer reporting agencies following mergers, portfolio acquisitions or sales, or other acquisitions or transfers of accounts or other obligations in a manner that prevents re-aging of information, duplicative reporting, or other problems that may similarly affect the accuracy or integrity of the information furnished.

(h)  Deleting, updating, and correcting information in the furnisher's records, as appropriate, to avoid furnishing inaccurate information.

(i)  Conducting reasonable investigations of disputes.

(j)  Designing technological and other means of communication with consumer reporting agencies to prevent duplicative reporting of accounts, erroneous association of information with the wrong consumer(s), and other occurrences that may compromise the accuracy or integrity of information provided to consumer reporting agencies.

(k)  Providing consumer reporting agencies with sufficient identifying information in the furnisher's possession about each consumer about whom information is furnished to enable the consumer reporting agency properly to identify the consumer.

(l)  Conducting a periodic evaluation of its own practices, consumer reporting agency practices of which the furnisher is aware, investigations of disputed information, corrections of inaccurate information, means of communication, and other factors that may affect the accuracy or integrity of information furnished to consumer reporting agencies.

(m)  Complying with applicable requirements under the Fair Credit Reporting Act and its implementing regulations.

[Codified to 12 C.F.R. Part 334, Appendix E]

[Appendix E added at 74 Fed. Reg. 31519, July 1, 2009, effective July 1, 2010]


Appendix D, F–I [Reserved]

Appendix J to Part 334Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Section 334.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 334.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 334.90 of this part.

I.  The Program

In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

II.  Identifying Relevant Red Flags

(a)  Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:

(1)  The types of covered accounts it offers or maintains;

(2)  The methods it provides to open its covered accounts;

(3)  The methods it provides to access its covered accounts; and

(4)  Its previous experiences with identity theft.

(b)  Sources of Red Flags. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:

(1)  Incidents of identity theft that the financial institution or creditor has experienced;

(2)  Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and

(3)  Applicable supervisory guidance.

(c)  Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.

(1)  Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;

(2)  The presentation of suspicious documents;

(3)  The presentation of suspicious personal identifying information, such as a suspicious address change;

(4)  The unusual use of, or other suspicious activity related to, a covered account; and

(5)  Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

III.  Detecting Red Flags.

The Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:

(a)  Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 1020.220); and

(b)  Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV.  Preventing and Mitigating Identity Theft.

The Program's policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent Web site. Appropriate responses may include the following:

(a)  Monitoring a covered account for evidence of identity theft;

(b)  Contacting the customer;

(c)  Changing any passwords, security codes, or other security devices that permit access to a covered account;

(d)  Reopening a covered account with a new account number;

(e)  Not opening a new covered account;

(f)  Closing an existing covered account;

(g)  Not attempting to collect on a covered account or not selling a covered account to a debt collector;

(h)  Notifying law enforcement; or

(i)  Determining that no response is warranted under the particular circumstances.

V.  Updating the Program.

Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:

(a)  The experiences of the financial institution or creditor with identity theft;

(b)  Changes in methods of identity theft;

(c)  Changes in methods to detect, prevent, and mitigate identity theft;

(d)  Changes in the types of accounts that the financial institution or creditor offers or maintains; and

(e)  Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI.  Methods for Administering the Program

(a)  Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:

(1)  Assigning specific responsibility for the Program's implementation;

(2)  Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 334.90 of this part; and

(3)  Approving material changes to the Program as necessary to address changing identity theft risks.

(b)  Reports.(1)  In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 334.90 of this part.

(2)  Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.

(c)  Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.

VII.  Other Applicable Legal Requirements

Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:

(a)  For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

(b)  Implementing any requirements under 15 U.S.C. 1681c--1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;

(c)  Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s--2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and

(d)  Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix J

In addition to incorporating Red Flags from the sources recommended in section II.b of the Guidelines in Appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts.

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1.  A fraud or active duty alert is included with a consumer report.

2.  A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.

3.  A consumer reporting agency provides a notice of address discrepancy, as defined in § 334.82(b) of this part.

4.  A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a.  A recent and significant increase in the volume of inquiries;

b.  An unusual number of recently established credit relationships;

c.  A material change in the use of credit, especially with respect to recently established credit relationships; or

d.  An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

5.  Documents provided for identification appear to have been altered or forged.

6.  The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

7.  Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.

8.  Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.

9.  An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10.  Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:

a.  The address does not match any address in the consumer report; or

b.  The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

11.  Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.

12.  Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a.  The address on an application is the same as the address provided on a fraudulent application; or

b.  The phone number on an application is the same as the number provided on a fraudulent application.

13.  Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a.  The address on an application is fictitious, a mail drop, or a prison; or

b.  The phone number is invalid, or is associated with a pager or answering service.

14.  The SSN provided is the same as that submitted by other persons opening an account or other customers.

15.  The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or by other customers.

16.  The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.

17.  Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.

18.  For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19.  Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.

20.  A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:

a.  The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or

b.  The customer fails to make the first payment or makes an initial payment but no subsequent payments.

21.  A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a.  Nonpayment when there is no history of late or missed payments;

b.  A material increase in the use of available credit;

c.  A material change in purchasing or spending patterns;

d.  A material change in electronic fund transfer patterns in connection with a deposit account; or

e.  A material change in telephone call patterns in connection with a cellular phone account.

22.  A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

23.  Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.

24.  The financial institution or creditor is notified that the customer is not receiving paper account statements.

25.  The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.

Notice From Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor

26.  The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

[Codified to 12 C.F.R. Part 334, Appendix J]

[Appendix J added at 72 Fed. Reg. 63762, November 9, 2007, effective January 1, 2008, the mandatory compliance date is November 1, 2008; 74 Fed. Reg. 22643, May 14, 2009, effective May 14, 2009, except for the amendments in instructions 4, 10, 15, 20, 26, and 34 relating to appendices C to 12 CFR parts 41, 222, 334, 571, 717 and 16 CFR part 698, respectively, which are effective January 1, 2010; amended at 76 Fed. Reg. 14793, March 18, 2011]


[Table of Contents] [Previous Page] [Next Page] [Search]