Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations |
|||
FDIC Federal Register Citations |
[Federal Register: October 20, 2000 (Volume 65, Number 204)] [Proposed Rules] [Page 63119-63141] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr20oc00-24] [[Page 63119]]
----------------------------------------------------------------------- Part II Department of the Treasury ----------------------------------------------------------------------- Office of the Comptroller of the Currency ----------------------------------------------------------------------- Office of Thrift Supervision ----------------------------------------------------------------------- Federal Reserve System ----------------------------------------------------------------------- Federal Deposit Insurance Corporation ----------------------------------------------------------------------- 12 CFR Parts 41, 222, 334 and 571 Fair Credit Reporting Regulations; Proposed Rule [[Page 63120]] ----------------------------------------------------------------------- DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency 12 CFR Part 41 [Docket No. 00-20] RIN 1557-AB78 FEDERAL RESERVE SYSTEM 12 CFR Part 222 [Regulation V; Docket No. R-1082] FEDERAL DEPOSIT INSURANCE CORPORATION 12 CFR Part 334 RIN 3064-AC35 DEPARTMENT OF THE TREASURY Office of Thrift Supervision 12 CFR Part 571 [Docket No. 2000-81] RIN 1550-AB33
Fair Credit Reporting Regulations AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision, Treasury (OTS). ACTION: Joint notice of proposed rulemaking. ----------------------------------------------------------------------- SUMMARY: The OCC, Board, FDIC, and OTS (Agencies) are publishing for comment proposed regulations implementing the provisions of the Fair Credit Reporting Act (FCRA) that permit institutions to communicate consumer information to their affiliates (affiliate information sharing) without incurring the obligations of consumer reporting agencies. These provisions authorize institutions to communicate among their affiliates: Information as to transactions or experiences between the consumer and the person making the communication (transaction or experience information); and ``other'' information (that is, information covered by the FCRA but not transaction or experience information), provided that the institution has given notice to the consumer that the other information may be communicated, the institution has provided the consumer an opportunity to ``opt out'' (i.e., to direct that the information not be communicated), and the consumer has not opted out. The proposed regulations explain how to comply with the affiliate information sharing provisions, addressing such matters as the content and delivery of the notice to consumers that ``other'' information may be communicated (opt out notice). The proposed regulations also implement certain related provisions. The Agencies have attempted to conform these proposed regulations to the final regulations implementing the privacy provisions of the Gramm- Leach-Bliley Act whenever feasible. DATES: Comments must be received by December 4, 2000. ADDRESSES: Comments should be directed to: OCC: Communications Division, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, D.C. 20219, Attention: Docket No. 00-20; FAX number (202) 874-5274 or Internet address: regs.comments@occ.treas.gov. Comments may be inspected and photocopied at the OCC's Public Reference Room, 250 E Street, SW., Washington D.C. between 9:00 a.m. and 5:00 p.m. on business days. You can make an appointment to inspect the comments by calling (202) 874-5043. Board: Comments, which should refer to Docket No. R-1082, may be mailed to Ms. Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th and C Streets, NW., Washington, D.C. 20551 or mailed electronically to regs.comments@federalreserve.gov. Comments addressed to Ms. Johnson also may be delivered to the Board's mail room between 8:45 a.m. and 5:15 p.m. and to the security control room outside of those hours. Both the mail room and the security control room are accessible from the courtyard entrance on 20th Street between Constitution Avenue and C Street, NW. Comments may be inspected in Room MP-500 between 9:00 a.m. and 5:00 p.m., pursuant to Sec. 261.12, except as provided in Sec. 261.14, of the Board's Rules Regarding the Availability of Information, 12 CFR 261.12 and 261.14. FDIC: Send written comments to Robert E. Feldman, Executive Secretary, Attention: Comments/OES, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429. Comments may be hand delivered to the guard station at the rear of the 17th Street building (located on F Street) on business days between 7 a.m. and 5 p.m. (FAX number (202) 898-3838). Comments may be inspected and photocopied in the FDIC Public Information Center, Room 100, 801 17th Street, NW., Washington, DC 20429, between 9:00 a.m. and 4:30 p.m. on business days. Comments may be submitted to the FDIC electronically over the Internet at www.fdic.gov. Further information concerning this option may be found below at ``FDIC's Electronic Public Comment Site.'' Comments also may be mailed electronically to comments@fdic.gov. OTS: Mail: Send comments to Manager, Dissemination Branch, Information Management and Services Division, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, Attention Docket No. 2000-81. Delivery: Hand deliver comments to the Guard's Desk, East Lobby Entrance, 1700 G Street, NW., from 9:00 a.m. to 4:00 p.m. on business days, Attention Docket No. 2000-81. Facsimiles: Send facsimile transmissions to FAX Number (202) 906- 7755, Attention Docket No. 2000-81; or (202) 906-6956 (if comments are over 25 pages). E-Mail: Send e-mails to ``public.info@ots.treas.gov'', Attention Docket No. 2000-81, and include your name and telephone number. Public Inspection: Interested persons may inspect comments at the Public Reference Room, 1700 G St. N.W., from 10:00 a.m. until 4:00 p.m. on Tuesdays and Thursdays or obtain comments and/or an index of comments by facsimile by telephoning the Public Reference Room at (202) 906-5900 from 9:00 a.m. until 5:00 on business days. Comments and the related index will also be posted on the OTS Internet Site at FOR FURTHER INFORMATION CONTACT: OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Michael Bylsma, Director, Community and Consumer Law, (202) 874-5750; Stephen Van Meter, Senior Attorney, Community and Consumer Law, (202) 874-5750; Carol Workman, Compliance Specialist, Community and Consumer Policy, (202) 874-4858; Deborah Katz, Senior Attorney, Legislative and Regulatory Activities Division, (202) 874-5090; or Jeffery Abrahamson, Attorney, Enforcement and Compliance, (202) 874-4800, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219. Board: James H. Mann, Senior Attorney, (202) 452-2412; or David A. Stein, Attorney, (202) 452-3667, Division of Consumer and Community Affairs. For the hearing impaired only, contact Janice Simms, Telecommunications Device for the Deaf (TDD) (202) 872-4984, Board of Governors of the Federal Reserve [[Page 63121]] System, 20th and C Streets, NW., Washington, DC 20551. FDIC: James K. Baebel, Assistant Director, Compliance Policy, Division of Compliance and Consumer Affairs, (202) 942-3086; Deanna Caldwell, Community Affairs Officer, Division of Compliance and Consumer Affairs, (202) 736-0141; Nancy Schucker Recchia, Counsel, Regulations and Legislation Section, (202) 898-8885; A. Ann Johnson, Counsel, Regulations and Legislation Section, (202) 898-3573; and David Lafleur, Senior Compliance Examiner, (415) 395-5261, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429. OTS: Christine Harrington, Counsel (Banking and Finance), (202) 906-7957; Paul Robin, Assistant Chief Counsel, (202) 906-6648; or Elizabeth Baltierra, Program Analyst, Compliance Policy (202) 906-6540, Office of Thrift Supervision, 1700 G Street, NW., Washington DC 20552. SUPPLEMENTARY INFORMATION: I. Background The FCRA The FCRA, enacted in 1970, sets standards for the collection, communication, and use of information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. 15 U.S.C. 1681-1681u. In 1996, the Consumer Credit Reporting Reform Act amended the FCRA extensively (1996 Amendments). Pub. L. 104-208, 110 Stat. 3009. For many years, to avoid the obligations of consumer reporting agencies imposed by the FCRA, many institutions avoided making any communications to affiliated companies of consumer information that could constitute consumer reports.\1\ The 1996 Amendments, however, excluded specified types of information sharing with affiliates from the definition of ``consumer report,'' assuring institutions that making these communications would not expose them to the obligations of consumer reporting agencies. In particular, the 1996 Amendments excluded from the definition of ``consumer report'' the sharing of ``other'' information among affiliates, so long as the consumer, having been given notice and an opportunity to opt out, did not opt out. ``Other information'' refers to information that is covered by the FCRA and that is not a report containing information solely as to transactions or experiences between the consumer and the person making the report. --------------------------------------------------------------------------- \1\ The FCRA creates substantial obligations for ``consumer reporting agencies.'' FCRA, section 603(f); see, e.g., sections 607, 611. These obligations include furnishing consumer reports only for permissible purposes, maintaining high standards for ensuring the accuracy of information in consumer reports, resolving customer disputes, and other matters. --------------------------------------------------------------------------- The 1996 Amendments prohibited the Agencies from issuing implementing regulations. 15 U.S.C. 1681s(a)(4) (repealed). The Gramm- Leach-Bliley Act (GLBA) repealed this prohibition and directed the Agencies to prescribe jointly such regulations as necessary to carry out the purposes of the FCRA. Pub. L. Sec. 506, 106-102, 15 U.S.C. 1681s(e). Coordination With Privacy Regulations The GLBA sets standards for financial institutions' disclosure of nonpublic personal information to nonaffiliated third parties (privacy provisions; Pub. L. 106-102, 15 U.S.C. 6802; see also 15 U.S.C. 6803). The Agencies published final regulations implementing these privacy provisions on June 1, 2000 (privacy regulations; 65 FR 35162, June 1, 2000). The privacy regulations do not ``modify, limit, or supersede the operation of the Fair Credit Reporting Act.'' 15 U.S.C. 6806. Thus, both the privacy regulations and the FCRA may apply to an institution's disclosure of consumer information. Moreover, if a financial institution provides an opt out notice under the FCRA, that notice must be included in certain notices mandated by the privacy regulations, including annual notices to customers. 15 U.S.C. 6803. Therefore, the Agencies anticipate that financial institutions will design their information-sharing policies and practices taking into account both the privacy regulations and the regulations implementing the FCRA. To ease compliance and promote consistency, the Agencies are conforming the two regulations where appropriate. For example, the Agencies are proposing requirements regarding the content and delivery of the FCRA opt out notice that are generally consistent with the corresponding provisions of the privacy regulations. This Proposal and Future Agency Issuances The FCRA raises many significant issues in addition to affiliate information sharing. The Agencies are analyzing these issues and expect to address them in an Advance Notice of Proposed Rulemaking. Additionally, the Agencies will review a series of questions and answers regarding the FCRA (Qs & As) that the Agencies (including the Federal Home Loan Bank Board, predecessor of the OTS) issued in 1971. These were designed to help financial institutions develop a working knowledge of the statute. The Agencies will modify or withdraw any Qs & As that are inconsistent with the FCRA or obsolete. II. Section-by-Section Analysis Section __.1 Purpose and Scope Proposed paragraph ____.1(a) briefly describes the purpose of the regulations. Proposed paragraph ____.1(b) briefly describes the scope of the regulations, including the information and institutions subject to them. (These institutions are identified in more detail in proposed section ____.3(m) of the Board, FDIC, and OTS regulations.) Paragraph ____.1(b) also provides that nothing in this part modifies, limits, or supersedes the standards governing the privacy of individually identifiable health information promulgated by the Secretary of Health and Human Services pursuant to sections 262 and 264 of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (42 U.S.C. 1320d-1320d-8). Certain institutions that possess medical information about consumers may be covered by these regulations, the GLBA privacy regulations, and rules promulgated by the Department of Health and Human Services (HHS) under the authority of sections 262 and 264 of HIPAA once those regulations are finalized. Based on the proposed HIPAA rules, it appears likely that there will be areas of overlap between the HIPAA and the FCRA affiliate information- sharing rules. For instance under the HIPAA proposal, consumers must provide affirmative authorization before a ``covered institution'' or its ``business partner'' may disclose medical information in certain instances, whereas under these proposed FCRA affiliate information sharing rules, institutions need only provide consumers with the opportunity to opt out of disclosures. In cases where the HIPAA requires consumers to opt in before certain information may be shared, but this rule allows consumers to opt out of the same sharing, opt in would be necessary before the information may be shared. The Agencies will consult with HHS to avoid the imposition of duplicative or inconsistent requirements. Section __.2 Examples Proposed section __.2 clarifies that the examples used in the regulations and in the sample notice are not exclusive means of compliance; rather, they are [[Page 63122]] intended to provide guidance on how to comply in specific situations. The Agencies solicit comment on whether to include additional or different examples, and, more fundamentally, on whether including examples in the regulations is appropriate and useful. Instead of addressing specific fact situations through such examples, the Agencies could periodically issue interagency staff commentaries or questions and answers. The Agencies note that an example that mentions a particular activity does not, by itself, authorize an institution to engage in that activity. Any such authority must have an independent source. Section __.3 Definitions Discussed below are a few key definitions, including: ``affiliate'' (as well as the related terms ``company'' and ``control''); ``clear and conspicuous''; ``opt out''; ``opt out information''; and ``consumer report.'' The proposal tracks the statutory language referring to ``transaction or experience information,'' but does not define that term. Affiliate Several FCRA provisions apply to information sharing with persons ``related by common ownership or affiliated by corporate control,'' ``related by common ownership or affiliated by common corporate control,'' or ``affiliated by common ownership or common corporate control.'' E.g., FCRA, sections 603(d)(2), 615(b)(2), and 624(b)(2). Proposed paragraph (b) defines ``affiliate'' to refer to all these relationships between and among companies, and clarifies that ``related or affiliated by common ownership or affiliated by corporate control or common corporate control'' means controlling, controlled by, or under common control with another company. Consistent with the definitions in the privacy regulations, the proposal uses a definition of ``control'' that applies exclusively to the control of a ``company,'' and defines ``company'' to include any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization. See proposed paragraphs (e) (``company'') and (i) (``control''). The definition of ``company'' omits some entities that are ``persons'' under the FCRA-- individuals, estates, cooperatives, governments, and governmental subdivisions or agencies. The Agencies, however, are not aware of any circumstances where ``control'' could be exercised over individuals, government agencies, and other persons that do not fit within the definition of ``company.'' Comment is solicited on whether the proposed definition of ``control'' should be expanded to apply to these additional types of persons. Clear and Conspicuous Proposed paragraph (c) defines ``clear and conspicuous'' to mean that a notice must be reasonably understandable and designed to call attention to the nature and significance of the information it contains. The proposed regulations do not mandate the use of any particular technique for making a notice clear and conspicuous; instead, they give institutions flexibility in determining how to comply. An institution may make its notice reasonably understandable by, for example, using short explanatory sentences or bullet lists and avoiding legal or highly technical business terminology whenever possible. An institution may design its notice to call attention to the nature and significance of the information in the notice by, for example, using a plain-language heading and a typeface and size that are easy to read. Paragraph (c) is consistent with the ``clear and conspicuous'' standard in the privacy regulations. As such, it offers a more detailed exposition of the standard (particularly with respect to what makes a notice ``conspicuous'') than some other regulations, such as the Board's Regulation Z. However, laws other than FCRA--for example, the Truth in Lending Act--that require clear and conspicuous disclosures, are beyond the scope of this rulemaking. Accordingly, the standard proposed here does not affect disclosures required by those laws. The Agencies request comment on whether institutions have any particular concerns about compliance with FCRA's clear and conspicuous standard when FCRA opt out notices are included with the GLBA privacy provision notices. Consumer Report Proposed paragraph (g) parallels the definition in section 603(d) of the FCRA. Paragraph (g)(2)(ii) excludes from the definition of ``consumer report'' communication among affiliates of a report containing information solely as to transactions or experiences between the consumer and the person making the report.\2\ --------------------------------------------------------------------------- \2\ Prior to the 1996 amendments to FCRA, affiliated entities could not pool their transaction or experience information in a common database without being considered a consumer reporting agency. Instead, each affiliate could disclose its own transaction or experience information to another affiliate directly only in the same manner as an entity can disclose information to a nonaffiliated third party. While transaction or experience information has been excluded from the definition of ``consumer report'' since the FCRA's initial passage, the 1996 amendments facilitated the disclosure of such information among affiliates. --------------------------------------------------------------------------- Paragraph (g)(2)(iii) excludes any communication of ``opt out information'' if the conditions set out in sections __.4-__.9 are satisfied. The FCRA, as explained above, uses the term ``other information'' to refer to information that it covers but that is not transaction or experience information. This proposal refers to ``other information'' using the more descriptive term ``opt out information.'' See proposed paragraph (k). Opt Out Proposed paragraph (j) defines this term to mean a direction by a consumer that an institution not communicate opt out information about the consumer to one or more of the institution's affiliates. Opt Out Information As described above, the 1996 Amendments to FCRA excluded from the definition of ``consumer report'' the sharing of ``other information'' among affiliates, so long as the consumer, having been given notice and an opportunity to opt out, did not opt out. ``Other information'' refers to information that is covered by the FCRA and that is not a report containing information solely as to transactions or experiences between the consumer and the person making the report. The proposed regulation uses the term ``opt out information'' to describe this category of information. Proposed paragraph (k) defines opt out information as information that (i) bears on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, (ii) is used or expected to be used or collected for one of the permissible purposes listed in FCRA (e.g., credit transaction, insurance underwriting, employment purposes), and (iii) is not solely transaction or experience information. Section ____.5(d) gives examples of categories of information that qualify as opt out information. Section __.4 Communication of Opt Out Information to Affiliates Proposed section __.4 describes the conditions that an institution must meet to ensure that its communication of opt out information to its affiliates do not constitute consumer reports including [[Page 63123]] the requirement that the institution provide an opt out notice. Section 603(d)(2)(A)(iii) of the FCRA excludes from the definition of ``consumer report'' the sharing of opt out information among affiliates if: it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons * * *. Proposed section ____.4 accordingly provides that opt out information may be communicated among affiliates without the communication being a consumer report if: (i) The institution has provided an opt out notice; (ii) the institution has given the consumer a reasonable opportunity and means, before the time that it communicates the information, to opt out; and (iii) the consumer has not opted out. Mergers & Acquisitions In a merger or acquisition situation, the need to provide new opt out notices to the customers of the entity that ceases to exist will depend on whether the notices previously given to those customers accurately reflect the policies and practices of the surviving entity. If they do, the surviving entity will not be required under the rule to provide new notices. Section __.5 Contents of Opt Out Notice Proposed paragraph (a) provides that an opt out notice must be clear and conspicuous, and must accurately explain: (i) The categories of opt out information about the consumer that the institution communicates; (ii) the categories of affiliates to which the institution communicates the information; (iii) the consumer's ability to opt out; and (iv) the means to do so. The Agencies invite comment on whether financial institutions should also have to disclose in their FCRA notices how long a consumer has to respond to the opt out notice before the institution may begin disclosing information about that consumer to its affiliates, as well as the fact that a consumer can opt out at any time. These disclosures are not required in the privacy regulations. The Agencies seek comment on whether the benefits of the additional disclosures would outweigh the burdens, and, if so, whether the regulation should require the disclosures to state that a financial institution will wait 30 days in every instance before sharing consumer information with affiliates (see proposed section __.6, below, for additional discussion on reasonable opportunity to opt out). Proposed paragraph (b) clarifies that an institution's notice may describe not only the communications of opt out information that the institution currently plans to make to its affiliates, but also the communications that it reserves the right to make in the future. Proposed paragraph (c) explains that an institution may, but need not, provide the consumer with the option of an opt out that covers only part of the information or certain affiliates. This would enable an institution to give consumers a menu of opt out choices if it desires to do so. Paragraph (d) explains how an institution can satisfy the requirement that it categorize the opt out information that it communicates. Paragraph (d)(2) gives examples of categories of opt out information, such as information from a consumer's application, information from a consumer report, information obtained by verifying representations made by a consumer, and information provided by another person regarding that person's relationship with a consumer. The first two categories reflect the legislative history of the 1996 Amendments, which states in part that the opt out provision ``will clarify that affiliates within a Holding Company structure can share any application information * * * and consumer reports, consistent with the FCRA.'' S. Rep. No. 185, 104th Cong., 1st Sess. 18-19 (1995). The other two categories represent information that the Agencies believe does not constitute transaction or experience information when communicated by the institution that has received it. Paragraph (d)(3) gives a non- exclusive list of examples of specific items of opt out information within each category, including a consumer's income, credit score or credit history, open lines of credit, employment history, marital status and medical history. Medical data are especially sensitive for many consumers; if such data are among the opt out information that an institution communicates to its affiliates, the institution satisfies the requirement to categorize that information only if it includes examples of medical data that it intends to share. The Agencies note that the items listed in paragraph (d)(3) as examples of information that would be included within the categories of opt out information are illustrative only. Those items would not be considered opt out information in cases where the information is obtained from a source other than those listed in paragraph (d)(2). Comment is requested as to the appropriateness of these examples of categories and items of opt out information, and whether additional or different examples should be used. The descriptions of the categories of information set out in proposed paragraph (d)(2) differ somewhat from those in section __.6(c)(2) of the privacy regulations. The agencies solicit comment on the extent to which the categories in (d)(2) can be treated as consistent with similar categories in the privacy regulations (such as disclosures of information from consumer reporting agencies) in order to reduce compliance burden and consumer confusion. Proposed paragraph (e) explains how an institution can satisfy the requirement that it categorize the affiliates to which it communicates opt out information. Paragraph (f) cross-references the sample notice in appendix A, which presents a further illustration of the content of an opt out notice. Section __ .6 Reasonable Opportunity to Opt Out Proposed paragraph (a) of section ____ .6 states that financial institutions will provide a reasonable opportunity to opt out by providing a reasonable period of time for the consumer to opt out from the time that notice is delivered. Proposed paragraph (b) sets out examples of what is a reasonable period of time when notices are provided in person, by mail, or by electronic means. Comment is requested on whether there are other situations that would suggest a different reasonable period of time that the Agencies should note by example. Proposed paragraph (c) explains that a consumer may opt out at any time. Section __ .7 Reasonable Means of Opting Out Proposed paragraph (a) sets forth the general rule that an institution provides a reasonable means of opting out if it provides a reasonably convenient method to the consumer to opt out. Examples of reasonable means of opting out and unreasonable means are set out in proposed paragraphs (b) and (c), respectively. Proposed paragraph (d) permits an institution to require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer. Section __ .8 Delivery of Opt Out Notices Proposed paragraph (a) provides that an institution must deliver an opt out notice so that each consumer can reasonably be expected to receive actual [[Page 63124]] notice. As indicated by the examples provided in proposed paragraph (b), this is a lesser standard than actual notice. For instance, if an institution mails a printed copy of its notice to the last known mailing address of an existing customer, the institution has met its obligation even if the customer has changed addresses and never receives the notice. An institution may give notice in writing or, if the consumer agrees, electronically. For example, the institution may e-mail its notice to a customer that conducts electronic transactions and has agreed to receive electronic notice. The Agencies invite comment on whether and how the proposed rules governing communications between a financial institution and a consumer via an electronic medium should be modified in light of the Electronic Signatures in Global and National Commerce Act (the E-Sign Act).\3\ --------------------------------------------------------------------------- \3\ Congress recently enacted the E-Sign Act, Pub. L. 106-229, which addresses the use of electronic records and signatures for interstate and foreign commerce. This legislation contains general rules governing the use of electronic records for providing required information to consumers (such as disclosures and acknowledgments required by the GLBA). The legal requirement that consumer disclosures be in writing may be satisfied by an electronic record if the consumer affirmatively consents and certain other requirements of the E-Sign Act are met. --------------------------------------------------------------------------- Proposed paragraph (c) explains that oral notice alone does not comply with the notice requirement; however, oral notice may be provided in conjunction with appropriate written or electronic notice. Proposed paragraph (d) explains that an institution must provide the notice so that the consumer can retain it or obtain it at a later time, and gives examples of retention or accessibility. Proposed paragraph (e) permits an institution to provide a joint opt out notice with one or more of its affiliates that are identified in the notice, as long as the notice is accurate with respect to each entity jointly issuing the notice. Proposed paragraph (f)(1) sets out rules that apply, notwithstanding any other provision of the regulations, when two or more consumers jointly obtain a product or service from an institution (referred to in the proposed regulation as joint consumers), such as a joint checking account. For example, an institution may provide a single opt out notice to joint accountholders. The notice must indicate whether the institution will consider an opt out by a joint accountholder as an opt out by all of the associated accountholders, or whether each accountholder may opt out separately. The institution may not require all accountholders to opt out before honoring an opt out direction by one of the joint accountholders. Paragraph (f)(2) gives examples of these rules. Section __ .9 Revised Opt Out Notice Proposed section ____ .9 addresses the situation in which an institution has provided a consumer with one or more opt out notices but later decides to communicate opt out information to its affiliates other than described in those notices. It explains that an institution must send a revised opt out notice that complies with section ____ .4, including providing a reasonable means and opportunity to opt out, and communicating the information only if the consumer has not opted out. Section __ .10 Time by Which Opt Out Must be Honored Proposed section ____ .10 explains that if an institution provides a consumer with an opt out notice, and the consumer opts out, the institution must comply as soon as reasonably practicable after receiving the consumer's direction. Comment is solicited on whether the Agencies should establish a fixed number of days--for example, 30 days--that would be deemed a ``reasonably practicable'' period of time for complying with a consumer's opt out direction. Section __.11 Duration of Opt Out Proposed section ____.11 provides that an opt out continues to apply to the information and affiliates described in the applicable opt out notice until revoked by the consumer in writing, or if the consumer agrees, electronically, as long as the consumer continues to have a relationship with the institution. If the consumer's relationship with the institution terminates, the opt out will continue to apply to this information. However, a new notice and opportunity to opt out must be provided if the consumer establishes a new relationship with the institution. Section __ .12 Prohibition Against Discrimination Proposed paragraph (a) reminds institutions that they may not ``discriminate against'' a consumer who is an ``applicant'' for credit because the applicant opts out. The source of this prohibition is the Equal Credit Opportunity Act (ECOA; 15 U.S.C. 1691 et seq.), which bars discrimination on a prohibited basis in any aspect of a credit transaction; one prohibited basis is exercising a right under the Consumer Credit Protection Act, which includes the FCRA. Proposed paragraph (b) provides examples of prohibited discrimination against an applicant. Paragraph (c) notes that the terms ``applicant'' and ``discriminate against'' have the meaning ascribed to these terms in 12 CFR part 202. Appendix A Appendix A, which is part of these regulations, contains a sample notice, part or all of which may be used to facilitate compliance with the notice requirements. Although use of the sample notice is not required, institutions using it properly to provide notices will be deemed to be in compliance. The Agencies solicit comment on all aspects of the proposed regulations, including but not limited to those highlighted above. III. FDIC's Electronic Public Comment Site The FDIC has included a page on its web site to facilitate the submission of electronic comments in response to this general solicitation (the EPC site). The EPC site provides an alternative to the written letter and may be a more convenient way for you to submit your comments. Commenting through the EPC site will assist the FDIC to more accurately and efficiently analyze comments submitted electronically. If you submit your comments through the EPC site your comments will receive the same consideration that they would receive if submitted in hard copy to the FDIC's street address. Information provided through the EPC site will be used by the FDIC only to assist in its analysis of the proposed regulation. The FDIC will not use an individual's name or any other personal identifier of an individual to retrieve records or information submitted through the EPC site. Like comments submitted in hard copy to the FDIC's street address, EPC site comments will be made available in their entirety (including the commenter's name and address if the commenter chooses to provide them) for public inspection. The EPC site will be available on the FDIC's home page at www.fdic.gov. You will be able to provide comments directly on any of the sections of the proposed regulation as well as the specific questions that have been asked in the preceding Supplementary Information section. You will also be able to view the regulation and Supplementary Information sections that related to your comments directly on the site. Because the GLBA authorizes promulgation of this regulation, the FDIC encourages you to provide written comments in the [[Page 63125]] spaces provided. Written comments enable the FDIC to thoughtfully consider possible changes to the proposed regulation. The FDIC is also interested in your feedback on the EPC site. We have provided a space for you to comment on the site itself. Answers to this question will help the FDIC to evaluate the EPC site for use in future rulemaking. At the conclusion of the EPC site you will have an opportunity to provide us with your name, indicate whether you are an individual, insured depository institution, financial holding company, community- based organization, trade association, government agency, or other, and provide the name of the organization you represent, if applicable. Whether you choose to respond to these questions is entirely up to you. Any responses received may help the FDIC to better understand the public comments it receives. IV. Regulatory Analysis Paperwork Reduction Act The Agencies invite comment on: (1) Whether the collections of information contained in this notice of proposed rulemaking are necessary for the proper performance of each Agency's functions, including whether the information has practical utility; (2) the accuracy of each Agency's estimate of the burden of the proposed information collections; (3) ways to enhance the quality, utility, and clarity of the information to be collected; (4) ways to minimize the burden of the information collections on respondents, including the use of automated collection techniques or other forms of information technology; and (5) estimates of capital or start-up costs and costs of operation, maintenance, and purchases of services to provide information. No person is required to respond to these collections of information unless the collections display a currently valid Office of Management and Budget (OMB) control number. The Agencies are currently requesting their respective control numbers for these information collections from OMB. This proposed regulation contains disclosure requirements for certain financial institutions and their affiliates. A financial institution that (a) has affiliates, (b) does not wish to be considered a consumer reporting agency, and (c) wishes to share consumer information (other than transaction and experience information) with its affiliates, must prepare and provide a notice to all its consumers advising them of their opportunity to opt out of information sharing with companies in the institution's corporate family. 12 CFR ____ .4. If a financial institution wishes to share information in a way that is inconsistent with notices previously given to consumers, the institution must provide consumers with revised notices. 12 CFR ____ .11. The proposed regulation also contains consumer reporting provisions. In order for consumers to opt out, they must respond to the institution's opt out notices. 12 CFR ____ .7. At any time during their continued relationship with the institution, consumers have the right to change or update their opt out status with the institution. 12 CFR ____ .10. FCRA was amended to include disclosure and opt out provisions in 1996, but the Agencies were prohibited from issuing implementing regulations until 1999. Thus, the collections of information contained in this proposed rule are not new requirements. During the past three years, financial institutions have developed systems, policies, and procedures to bring themselves into compliance with the 1996 FCRA amendments. In estimating the burden associated with the collections of information in this proposed regulation, the Agencies took into account the fact that FCRA-related disclosure and opt out requirements have already become a usual and customary practice for covered institutions. However, because the proposed rule is more explicit and detailed than the statute, some institutions may need to revise their disclosure policies or their notices, and consumers may need to respond to the revised notices. The burden associated with these changes to current practice is represented in the estimates below. In estimating burden, the Agencies also assumed that if a financial institution provides an opt out notice under the FCRA, that notice must be included in certain notices mandated by the GLBA privacy provisions, and will not be sent out separately. The collection of information requirements contained in this notice of proposed rulemaking will be submitted to the Office of Management and Budget for review in accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3507). The estimated number of bank respondents includes the total institutions supervised by each of the Agencies that have certain affiliate relationships. The requirements of the regulation only apply to institutions that share opt out information with affiliates that do not wish to be consumer reporting agencies; therefore, the Agencies cannot currently predict with certainty how many of these institutions will be subject to the rule. The analysis assumes that all institutions with certain affiliates will in fact, choose to share opt out information and thus be subject to the rule. The estimated number of consumers who will receive opt out notices is the sum of deposit and loan consumers, and is derived from data in Board consumer studies. Each Agency's share of the total number of consumers is based on the share of total deposits, and consumer and mortgage loans, held by institutions supervised by the Agencies. Because OTS collects different information about consumer loans than the other Agencies, OTS estimated the number of thrift borrowers by dividing total consumer loans outstanding by the average balance, for different types of consumer loans. The analysis assumes that institutions will provide separate opt out notices based on product lines such as loans and deposit accounts, rather than single, combined notices covering all of the various relationships a consumer may have with the institution. The Agencies seek comment as to whether institutions would likely send separate or combined notices. OCC: Comments on the collections of information should be sent to the Office of Management and Budget, Paperwork Reduction Project (1557--to be assigned), Washington, DC 20503, with copies to Jessie Dunaway, Legislative and Regulatory Activities Division (1557--to be assigned), Office of the Comptroller of the Currency, 250 E Street, SW, Washington, DC 20219. The likely respondents are national banks that do not wish to be considered consumer reporting agencies, but want to share information (other than transaction or experience information) with their affiliates. Estimated number of bank respondents: 737. Estimated average annual burden hours per bank respondent: 8 hours. Estimated number of consumer respondents: 94,238,000. Estimated average annual burden hours per consumer respondent: 5 minutes. Estimated total annual reporting burden: 7,855,921 hours. The number of consumer respondents provided by the OCC represents a conservative estimate based upon the total number of consumers who will receive an opt out notice. The OCC is using these conservative estimates because it lacks more precise data on the number of consumers who will exercise their opt out rights. The OCC expects that the actual number of consumer respondents will be lower than the estimate provided above, and invites comment on the number of [[Page 63126]] consumers who will respond to the FCRA opt out notices. Board: In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3506; 5 CFR 1320, appendix A.1), the Board reviewed the notice of proposed rulemaking under the authority delegated to the Board by the OMB. Comments on the collections of information should be sent to Mary M. West, Federal Reserve Board Clearance Officer, Mail Stop 97, Board of Governors of the Federal Reserve System, Washington, DC 20551, with a copy to the Office of Management and Budget, Paperwork Reduction Project (7100--to be assigned), Washington, DC 20503. The likely respondents are member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act, that do want to share information (other than transaction or experience information) with their affiliates. Estimated number of bank respondents: 996. Estimated average annual burden hours per bank respondent: 8 hours. Estimated number of consumer respondents: 39,251,000. Estimated average annual burden hours per consumer respondent: five minutes. Estimated total annual reporting burden: 3,278,885 hours. FDIC: Comments on the collections of information should be sent to Steven F. Hanft, Office of the Executive Secretary, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429, with a copy to the Office of Management and Budget, Paperwork Reduction Project (3064--to be assigned), Washington, DC 20503. The likely respondents are insured nonmember banks with affiliates, that do not wish to be considered consumer reporting agencies, and do want to share information (other than transaction or experience information) with their affiliates. Estimated number of bank respondents: 1,640. Estimated average annual burden hours per bank respondent: 8 hours. Estimated number of consumer respondents: 24,445,000. Estimated average annual burden hours per consumer respondent: five minutes. Estimated total annual reporting burden: 2,049,389 hours. OTS: Comments on the collection of information should be sent to the Dissemination Branch (1550--to be assigned), Office of Thrift Supervision, 1700 G Street, NW, Washington, DC 20552, with a copy to the Office of Management and Budget, Paperwork Reduction Project (1550--to be assigned), Washington, DC 20503. The likely respondents are savings associations with affiliates that do not wish to be considered consumer reporting agencies, and do want to share information (other than transaction or experience information) with their affiliates, and consumers. Estimated number of thrift respondents: 762. Estimated average annual burden hours per thrift respondent: 8 hours. Estimated number of consumer respondents: 49,925,225. Estimated average annual burden hours per consumer respondent: .0833 hours (5 minutes). Estimated total annual reporting burden: 4,164,867 hours. Regulatory Flexibility Act OCC: Pursuant to section 605(b) of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), the OCC certifies that this proposal will not have a significant economic impact on a substantial number of small entities. Financial institutions have had to notify their consumers of the right to opt out of affiliate sharing of certain information since 1997. This rulemaking provides guidance to national banks concerning how they may comply with the statutory requirements, but requires no new type of disclosure or opt out system. While existing forms may need to be modified, these modifications are unlikely to result in a significant economic impact on a substantial number of small entities. In addition, some of the requirements in the proposed rule have been designed to correspond to the requirements of the privacy regulations. For example, under both regulations, financial institutions, in certain circumstances, must deliver notices to consumers and to provide consumers an opportunity to opt out of certain information disclosures. This proposed rule would allow financial institutions to combine into one notice the notice they must deliver under FCRA and the notice that they must deliver under the privacy regulations. Also, institutions may combine their consumers' opt out responses into one opt out response. By combining the notices they deliver and the opt out responses they process, financial institutions will not need to produce additional notices or to process additional opt out responses under this rule. Because the proposed rule is designed to minimize FCRA's burden on financial institutions, and because the FCRA requirements have been effective since 1997, the OCC believes that this proposed rule will not have a significant economic impact on a substantial number of small entities. For these reasons, a regulatory flexibility analysis is not required. Board: Pursuant to section 605(b) of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), the Board certifies that the proposed rule will not have a significant economic impact on a substantial number of small entities. As further discussed below, the proposed rule implements law that has been in effect for some time, corresponds as much as feasible to the requirements of the Board's Regulation P, would allow institutions to combine privacy and FCRA notices to consumers, and would allow institutions to combine consumers' responses to those notices. Accordingly, a regulatory flexibility analysis is not required. Since 1997, the FCRA has provided that the term ``consumer report'' does not include any communication of other information (meaning information that is not transaction or experience information) among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons. The proposed regulations would implement this provision and would provide guidance to certain Board- regulated institutions on how to comply, but would not substantively change existing law. No new type of disclosure or opt-out system would be required. While existing forms may need to be modified, these modifications are unlikely to result in a significant economic impact on a substantial number of small entities. Additionally, the proposed rule is designed to correspond as much as feasible to the requirements of Regulation P, which governs the privacy of consumer financial information. Both regulations implement statutory provisions for the delivery of information-sharing opt out notices to consumers. The proposed rule would facilitate compliance by financial institutions with the requirement to provide privacy notices and the use of opt out notices under the FCRA by allowing the two notices to be combined [[Page 63127]] in a single notice. Similarly, institutions would be allowed to combine their consumers' opt out responses in a single opt out response. By choosing to combine the notices they deliver and the opt out responses they process, financial institutions will not need to produce additional notices or to process additional opt out responses under this rule. For these reasons, a regulatory flexibility analysis is not required. FDIC: Pursuant to section 605(b) of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), the FDIC certifies that the proposed rule will not have a significant economic impact on a substantial number of small entities. This conclusion is based on the following facts. The FCRA has required financial institutions to notify their consumers of the right to opt out of affiliate sharing of certain information since 1997. However, prior to the GLBA, the Agencies had no authority to issue rules to provide financial institutions with guidance to comply with the FCRA requirements. This proposed rulemaking does not substantively change the existing statutory requirements, but rather provides guidance to financial institutions that should minimize any burden associated with complying with the subject FCRA information sharing provisions. This proposal requires no new type of disclosure or opt out system. While existing forms may need to be modified, these modifications are unlikely to result in a significant economic impact on a substantial number of small entities. The Agencies have attempted to minimize any such economic impact by including a sample notice, part or all of which may be used to facilitate compliance with the notice requirements. Further, this proposed rule is designed to be consistent with the requirements of the regulation governing the privacy of consumer financial information. Both rules implement statutory requirements for financial institutions, in certain circumstances, to deliver notices to consumers and to provide consumers an opportunity to opt out of certain information disclosures. The Agencies have made the FCRA notice guidance parallel to the privacy rule requirements, thus facilitating the delivery of a single notice to consumers. Similarly, institutions may combine their consumers' opt out responses into one opt out response. By combining the notices they deliver and the opt out responses they process, financial institutions will not need to produce additional notices or to process additional opt out responses under this rule. For the above reasons, the FDIC believes that this proposed rule will not have a significant economic impact on a substantial number of small entities, and a regulatory flexibility analysis is not required. OTS: Pursuant to section 605(b) of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), the Director of OTS certifies that this proposed rulemaking would not have a significant economic impact on a substantial number of small entities. The FCRA has required thrifts to notify their consumers of the right to opt out of affiliate sharing of certain information since 1997. However, prior to GLBA, OTS did not have authority to issue rules to provide thrifts with guidance to comply with the FCRA. This proposed rulemaking does not substantively change or add to the existing statutory requirements. It merely provides thrifts with guidance to help minimize any burden associated with complying with the FCRA information sharing provisions. This proposal requires no new type of disclosure or opt out system. While existing forms may need to be modified, these modifications are unlikely to result in a significant economic impact on a substantial number of small entities. The Agencies have attempted to minimize any such economic impact by including a sample notice, part or all of which thrifts may use to facilitate the notice requirements. Further, this proposed rule is designed to be consistent with the requirements of the regulation governing the privacy of consumer financial information, 12 CFR part 573. Both rules implement statutory requirements for financial institutions, in certain circumstances, to deliver notices to consumers and to provide consumers an opportunity to opt out of certain information disclosures. The Agencies have made the FCRA notice guidance parallel to the privacy rule requirements, thus facilitating the delivery of a single notice to consumers. Similarly, institutions may combine a consumer's opt out responses into one opt out response. By combining the notices they deliver and the opt out responses they process, financial institutions will not need to produce additional notices or to process additional opt out responses under this rule. For these reasons, a regulatory flexibility analysis is not required. OCC and OTS Executive Order 12866 Determination The OCC and OTS each has determined that its portion of the proposed rulemaking is not a significant regulatory action under Executive Order 12866. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1532 (Unfunded Mandates Act) requires that an agency prepare a budgetary impact statement before promulgating a rule that includes a Federal mandate that may result in expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. The OCC and OTS each has determined that this proposed rule will not result in expenditures by State, local, and tribal governments, or by the private sector, of $100 million or more. Accordingly, neither the OCC nor the OTS has prepared a budgetary impact statement or specifically addressed the regulatory alternatives considered. V. Solicitation of Comments on Use of Plain Language Section 722 of the GLBA requires the Federal banking agencies to use plain language in all proposed and final rules published after January 1, 2000. We invite your comments on how to make this proposed rule easier to understand. For example: Have we organized the material to suit your needs? If not, how could this material be better organized? Are the requirements in the rule clearly stated? If not, how could the rule be more clearly stated? Do the regulations contain technical language or jargon that is not clear? If so, which language requires clarification? Would a different format (grouping and order of sections, use of headings, paragraphing) make the regulation easier to understand? If so, what changes to the format would make the regulation easier to understand? Would more, but shorter, sections be better? If so, which sections should be changed? What else could we do to make the regulation easier to understand? The Agencies solicit comment on whether the inclusion of examples in the regulation is appropriate. Elevating the fact patterns to safe harbors in the rule may generate certain problems over time. For example, changes in technology or practices may ultimately [[Page 63128]] impact the fact patterns contained in the examples and require changes to the regulation. Are there alternative methods to offer illustrative guidance of the concepts portrayed by the examples? List of Subjects 12 CFR Part 41 Banks, banking, Credit, National banks, Reporting and recordkeeping requirements. 12 CFR Part 222 Banks, banking, Credit, Federal Reserve System, Reporting and recordkeeping requirements, State member banks. 12 CFR Part 334 Banks, banking, Credit, Reporting and recordkeeping requirements. 12 CFR Part 571 Credit, Privacy, Reporting and recordkeeping requirements, Savings associations. Office of the Comptroller of the Currency 12 CFR Chapter I Authority and Issuance For the reasons set forth in the joint preamble, the OCC proposes to amend chapter I of title 12 of the Code of Federal Regulations by adding a new part 41 to read as follows: PART 41--FAIR CREDIT REPORTING Sec. 41.1 Purpose and scope. 41.2 Examples. 41.3 Definitions. 41.4 Communication of opt out information to affiliates. 41.5 Contents of opt out notice. 41.6 Reasonable opportunity to opt out. 41.7 Reasonable means of opting out. 41.8 Delivery of opt out notices. 41.9 Revised opt out notice. 41.10 Time by which opt out must be honored. 41.11 Duration of opt out. 41.12 Prohibition against discrimination. Appendix A to Part 41--Sample Notice Authority: 12 U.S.C. 93a; 15 U.S.C. 1681s. Sec. 41.1 Purpose and scope. (a) Purpose. This part governs the collection, communication, and use, by the institutions listed in paragraph (b)(2) of this section, of certain information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. (b) Scope. (1) Information covered. This part applies to information that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, employment, or any other purpose authorized under section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b). (2) Institutions covered. This part applies to national banks, and Federal branches and Federal agencies of foreign banks (collectively referred to as ``bank''). (3) Relation to other laws. Nothing in this part modifies, limits, or supersedes the standards governing the privacy of individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8). Sec. 41.2 Examples. The examples used in this part and the sample notice in appendix A to this part are not exclusive. Compliance with an example or use of the sample notice, to the extent applicable, constitutes compliance with this part. Sec. 41.3 Definitions. As used in this part, unless the context requires otherwise: (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.). (b) Affiliate. (1) In general. The term means any company that is related or affiliated by common ownership, or affiliated by corporate control or common corporate control, with another company. (2) Related or affiliated by common ownership or affiliated by corporate control or common corporate control. This means controlling, controlled by, or under common control with, another company. (c) Clear and conspicuous. (1) In general. The term means that a notice is reasonably understandable and is designed to call attention to the nature and significance of the information it contains. (2) Examples. (i) Reasonably understandable. A bank makes its notice reasonably understandable if it: (A) Presents the information in the notice in clear and concise sentences, paragraphs, and sections; (B) Uses short explanatory sentences or bullet lists whenever possible; (C) Uses definite, concrete, everyday words and active voice whenever possible; (D) Avoids multiple negatives; (E) Avoids legal and highly technical business terminology whenever possible; and (F) Avoids explanations that are imprecise and are readily subject to different interpretations. (ii) Designed to call attention. A bank designs its notice to call attention to the nature and significance of the information it contains if it: (A) Uses a plain-language heading to call attention to the notice; (B) Uses a typeface and type size that are easy to read; (C) Provides wide margins and ample line spacing; (D) Uses boldface or italics for key words; and (E) In a form that combines the bank's notice with other information, uses distinctive type sizes, styles, and graphic devices, such as shading or sidebars. (iii) Notice on a web page. If a bank provides a notice on a web page, the bank designs its notice to call attention to the nature and significance of the information it contains if the bank: (A) Places either the notice, or a link that connects directly to the notice and that is labeled appropriately to convey the importance, nature, and relevance of the notice, on a page that consumers access often, such as a page on which transactions are conducted; (B) Uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice; and (C) Ensures that other elements on the web page (such as text, graphics, links, or sound) do not detract attention from the notice. (d) Communication includes written, oral, and electronic communication; provided that the term includes electronic communication to a consumer only if the consumer agrees to receive the communication electronically. (e) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization. (f) Consumer means an individual. (g) Consumer report. (1) In general. The term means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for: (i) Credit or insurance to be used primarily for personal, family, or household purposes; (ii) Employment purposes; or [[Page 63129]] (iii) Any other purpose authorized under section 604 of the Act (15 U.S.C. 1681b). (2) Exclusions. The term does not include: (i) Any report containing information solely as to transactions or experiences between the consumer and the person making the report; (ii) Any communication of that information among affiliates; (iii) Any communication among affiliates of opt out information if the conditions in Secs. 41.4 through 41.9 are satisfied; (iv) Any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device; (v) Any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his or her decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made, and the person makes the disclosures to the consumer required under section 615 of the Act (15 U.S.C. 1681m); or (vi) A communication described in section 603(o) of the Act (15 U.S.C. 1681a(o)). (h) Consumer reporting agency means any person which, for monetary fees, dues or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. (i) Control of a company means: (1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons; (2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or (3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the Office of the Comptroller of the Currency determines. (j) Opt out means a direction by a consumer that a bank not communicate opt out information about the consumer to one or more of its affiliates. (k) Opt out information means information that: (1) Bears on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; (2) Is used or expected to be used or collected in whole or in part to serve as a factor in establishing the consumer's eligibility for credit or another purpose listed in section 604 of the Act (15 U.S.C. 1681b); and (3) Is not a report containing information solely as to transactions or experiences between the consumer and the person reporting or communicating the information. (l) Person means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity. Sec. 41.4 Communication of opt out information to affiliates. A bank's communication to its affiliates of opt out information about a consumer is not a consumer report if: (a) The bank has provided the consumer with an opt out notice; (b) The bank has given the consumer a reasonable opportunity and means, before the bank communicates the information to its affiliates, to opt out; and (c) The consumer has not opted out. Sec. 41.5 Contents of opt out notice. (a) In general. An opt out notice must be clear and conspicuous, and must accurately explain: (1) The categories of opt out information about the consumer that a bank communicates to its affiliates; (2) The categories of affiliates to which the bank communicates the information; (3) The consumer's ability to opt out; and (4) A reasonable means for the consumer to opt out. (b) Future communications. A bank's notice may describe: (1) Categories of opt out information about the consumer that the bank reserves the right to communicate to its affiliates in the future but does not currently communicate; and (2) Categories of affiliates to which the bank reserves the right in the future to communicate, but to which the bank does not currently communicate, opt out information about the consumer. (c) Partial opt out. A bank may allow a consumer to select certain opt out information or certain affiliates, with respect to which the consumer wishes to opt out. (d) Examples of categories of information that a bank communicates. (1) A bank satisfies the requirement to categorize the opt out information that it communicates if the bank lists the categories in paragraph (d)(2) of this section, as applicable, and a few examples to illustrate the types of information in each category. These examples may include those in paragraph (d)(3) of this section, if applicable. (2) Categories of opt out information may include information: (i) From a consumer's application; (ii) From a consumer credit report; (iii) Obtained by verifying representations made by a consumer; or (iv) Provided by another person regarding its employment, credit, or other relationship with a consumer. (3) Examples of information within a category listed in paragraph (d)(2) of this section include a consumer's: (i) Income; (ii) Credit score or credit history with others; (iii) Open lines of credit with others; (iv) Employment history with others; (v) Marital status; and (vi) Medical history. (4) A bank does not satisfy the requirement if it communicates or reserves the right to communicate individually identifiable health information (as described in section 1171(6)(B) of the Social Security Act (42 U.S.C. 1320d(6)(B)) but omits illustrative examples of this information. (e) Examples of categories of affiliates. (1) A bank satisfies the requirement to categorize the affiliates to which it communicates opt out information if it lists the categories in paragraph (e)(2) of this section, as applicable, and a few examples to illustrate the types of affiliates in each category. (2) Categories of affiliates may include: (i) Financial service providers; and (ii) Non-financial companies. (f) Sample notice. A sample notice is included in appendix A to this part. Sec. 41.6 Reasonable opportunity to opt out. (a) In general. A bank provides a reasonable opportunity to opt out if it provides a reasonable period of time following the delivery of the opt out notice for the consumer to opt out. (b) Examples of reasonable period of time: (1) In person. A bank hand-delivers an opt out notice to the consumer and provides at least 30 days from the date it delivered the notice. (2) By mail. A bank mails an opt out notice to a consumer and provides at least 30 days from the date it mailed the notice. (3) By electronic means. A bank notifies the consumer electronically, [[Page 63130]] and it provides at least 30 days after the date that the consumer acknowledges receipt of the electronic notice. (c) Continuing opportunity to opt out. A consumer may opt out at any time. Sec. 41.7 Reasonable means of opting out. (a) General rule. A bank provides a consumer with a reasonable means of opting out if it provides a reasonably convenient method to opt out. (b) Reasonably convenient methods. Examples of reasonably convenient methods include: (1) Designating check-off boxes in a prominent position on the relevant forms included with the opt out notice; (2) Including a reply form together with the opt out notice; (3) Providing an electronic means to opt out, such as a form that can be electronically mailed or a process at the bank's web site, if the consumer agrees to the electronic delivery of information; or (4) Providing a toll-free telephone number that consumers may call to opt out. (c) Methods not reasonably convenient. Examples of methods that are not reasonably convenient include: (1) Requiring a consumer to write his or her own letter to a bank; or (2) Referring in a revised notice to a check-off box that a bank included with a previous notice but that the bank does not include with the revised notice. (d) Requiring specific means of opting out. A bank may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer. Sec. 41.8 Delivery of opt out notices. (a) In general. A bank must deliver an opt out notice so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. (b) Examples of expectation of actual notice. (1) A bank may reasonably expect that a consumer will receive actual notice if it: (i) Hand-delivers a printed copy of the notice to the consumer; (ii) Mails a printed copy of the notice to the last known mailing address of the consumer; or (iii) For the consumer who conducts transactions electronically, posts the notice on its electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular product or service; (2) A bank may not reasonably expect that a consumer will receive actual notice if it: (i) Only posts a sign in its branch or office or generally publishes advertisements presenting its notice; or (ii) Sends the notice via electronic mail to a consumer who does not obtain a product or service from the bank electronically. (c) Oral description insufficient. A bank may not provide an opt out notice solely by orally explaining the notice, either in person or over the telephone. (d) Retention or accessibility. (1) In general. A bank must provide an opt out notice so that it can be retained or obtained at a later time by the consumer in writing or, if the consumer agrees, electronically. (2) Examples of retention or accessibility. A bank provides the notice so that it can be retained or obtained at a later time if the bank: (i) Hand-delivers a printed copy of the notice to the consumer; (ii) Mails a printed copy of the notice to the last known address of the consumer upon request of the consumer; or (iii) Makes the bank's current notice available on a web site (or a link to another web site) for the consumer who obtains a product or service electronically and who agrees to receive the notice at the web site. (e) Joint notice with affiliates. A bank may provide a joint notice with one or more affiliates as long as the notice identifies each person providing it and is accurate with respect to each. (f) Joint relationships. (1) In general. Notwithstanding any other provision in this part, if two or more consumers jointly obtain a product or service from a bank (joint consumers), the following rules apply: (i) The bank may provide a single notice to all of the joint consumers. (ii) Any of the joint consumers has the opportunity to opt out. (iii) The bank may treat an opt out direction by a joint consumer either as: (A) Applying to all of the joint consumers; or (B) Applying to that particular joint consumer. (iv) The bank must explain in its opt out notice which of the two policies set forth in paragraph (f)(1)(iii) of this section it will follow. (v) If the bank follows the policy set forth in paragraph (f)(1)(iii)(B) of this section, by treating the opt out of a joint consumer as applying to that particular joint consumer, the bank must also permit: (A) A joint consumer to opt out on behalf of other joint consumers; and (B) One or more joint consumers to notify the bank of their opt out directions in a single response. (vi) A bank may not require all joint consumers to opt out before it implements any opt out direction. (vii) If a bank receives an opt out by a particular joint consumer that does not apply to the others, the bank may disclose information about the others as long as no information is disclosed about the consumer who opted out. (2) Example. If consumers A and B, who have different addresses, have a joint checking account with a bank and arrange for the bank to send statements to A's address, the bank may do any of the following, but it must explain in its opt out notice which opt out policy the bank will follow. The bank may send a single opt out notice to A's address and: (i) Treat an opt out direction by A as applying to the entire account. If the bank does so and A opts out, the bank may not require B to opt out as well before implementing A's opt out direction. (ii) Treat A's opt out direction as applying to A only. If the bank does so, it must also permit: (A) A and B to opt out for each other; and (B) A and B to notify the bank of their opt out directions in a single response (such as on a single form) if they choose to give separate opt out directions. (iii) If A opts out only for A, and B does not opt out, the bank may disclose opt out information only about B, and not about A and B jointly. Sec. 41.9 Revised opt out notice. If a bank has provided a consumer with one or more opt out notices and plans to communicate opt out information to its affiliates about the consumer other than as described in those notices, the bank must provide the consumer with a revised opt out notice that complies with Secs. 41.4 through 41.8. Sec. 41.10 Time by which opt out must be honored. If a bank provides a consumer with an opt out notice and the consumer opts out, the bank must comply with the opt out as soon as reasonably practicable after the bank receives it. Sec. 41.11 Duration of opt out. An opt out remains effective until revoked by the consumer in writing or electronically, as long as the consumer continues to have a relationship with the bank. If the consumer's relationship with the bank terminates, the opt out will continue to apply to this information. However, a new notice and opportunity to opt out must be provided if the consumer establishes a new relationship with the bank. Sec. 41.12 Prohibition against discrimination. (a) In general. If a consumer is an applicant for credit, a bank must not discriminate against the consumer if the [[Page 63131]] consumer opts out of the bank's communication of opt out information to it affiliates. (b) Examples of discrimination against an applicant. A bank discriminates against an applicant if it: (1) Denies the applicant credit because the applicant opts out; (2) Varies the terms of credit adversely to the applicant such as by providing less favorable pricing terms to an applicant who opts out; or (3) Applies more stringent credit underwriting standards to the applicant because the applicant opts out. (c) Regulation B. The terms ``applicant'' and ``discriminate against'' in Sec. 41.12 have the same meanings ascribed to them in 12 CFR part 202. Appendix A to Part 41--Sample Notice This appendix contains a sample notice to facilitate compliance with the notice requirements of this part. An institution may use applicable disclosures in this sample to provide notices required by this part. Notice of Your Opportunity To Opt Out of Information Sharing With Companies in Our Corporate Family Information We Can Share With Our Corporate Family About You-- Unless You Tell Us Not to What Information: Unless you tell us not to, [Financial Institution] may share with companies in our corporate family information about you including: Information we obtain from your application, such as [provide illustrative examples, such as ``your income'' or ``your marital status'']; Information we obtain from a consumer report, such as [provide illustrative examples, such as ``your credit score or credit history'']; Information we obtain to verify representations made by you, such as [provide illustrative examples, such as ``your open lines of credit'']; and Information we obtain from a person regarding its employment, credit, or other relationship with you, such as [provide illustrative examples, such as ``your employment history'']. Shared With Whom: Companies in our corporate family who may receive this information are: Financial service providers, such as [provide illustrative examples, such as ``mortgage bankers, broker-dealers, and insurance agents'']; and Non-financial companies, such as [provide illustrative examples, such as ``retailers, direct marketers, airlines, and publishers'']. How To Tell Us Not To Share This Information With Our Corporate Family If you prefer that we not share this information with companies in our corporate family, you may direct us not to share this information by doing the following [insert one or more of the reasonable means of opting out listed below \1\]: [call us toll free at {insert toll free number}]; or [visit our web site at {insert web site address} and {provide further instructions how to use the web site option}]; or [e-mail us at {insert the e-mail address}]; or [fill out and tear off the bottom of this sheet and mail to the following address: {insert address}]; or [check the appropriate box on the attached form {attach form} and mail to the following address: {insert address}]. --------------------------------------------------------------------------- \1\ If the financial institution is using its web site or an e- mail address as the only method by which a consumer may opt out, the consumer must agree to the electronic delivery of information. Note: Your direction in this paragraph covers certain information about you that we might otherwise share with our corporate family. We may share other information about you with our --------------------------------------------------------------------------- corporate family as permitted by law. Dated: September 22, 2000. John D. Hawke, Jr., Comptroller of the Currency. Federal Reserve System 12 CFR Chapter II Authority and Issuance For the reasons set forth in the joint preamble, chapter II of title 12 of the Code of Federal Regulations is proposed to be amended by adding a new part 222 to read as follows: PART 222 FAIR CREDIT REPORTING (REGULATION V) Sec. 222.1 Purpose and scope. 222.2 Examples. 222.3 Definitions. 222.4 Communication of opt out information to affiliates. 222.5 Contents of opt out notice. 222.6 Reasonable opportunity to opt out. 222.7 Reasonable means of opting out. 222.8 Delivery of opt out notices. 222.9 Revised opt out notice. 222.10 Time by which opt out must be honored. 222.11 Duration of opt out. 222.12 Prohibition against discrimination. Appendix A to Part 222--Sample Notice Authority: 15 U.S.C. 1681s. Sec. 222.1 Purpose and scope. (a) Purpose. This part governs the collection, communication, and use, by the institutions listed in paragraph (b)(2) of this section, of certain information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. (b) Scope. (1) Information covered. This part applies to information that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, employment, or any other purpose authorized under section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b). (2) Institutions covered. This part applies to member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601-604a, 611-631). (3) Relation to other laws. Nothing in this part modifies, limits, or supersedes the standards governing the privacy of individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8). Sec. 222.2 Examples. The examples used in this part and the sample notice in appendix A to this part are not exclusive. Compliance with an example or use of the sample notice, to the extent applicable, constitutes compliance with this part. Sec. 222.3 Definitions. As used in this part, unless the context requires otherwise: (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.). (b) Affiliate. (1) In general. The term means any company that is related or affiliated by common ownership, or affiliated by corporate control or common corporate control, with another company. (2) Related or affiliated by common ownership or affiliated by corporate control or common corporate control. This means controlling, controlled by, or under common control with, another company. (c) Clear and conspicuous. (1) In general. The term means that a notice is reasonably understandable and is designed to call attention to the nature and significance of the information it contains. (2) Examples. (i) Reasonably understandable. You make your notice reasonably understandable if you: (A) Present the information in the notice in clear and concise sentences, paragraphs, and sections; (B) Use short explanatory sentences or bullet lists whenever possible; [[Page 63132]] (C) Use definite, concrete, everyday words and active voice whenever possible; (D) Avoid multiple negatives; (E) Avoid legal and highly technical business terminology whenever possible; and (F) Avoid explanations that are imprecise and are readily subject to different interpretations. (ii) Designed to call attention. You design your notice to call attention to the nature and significance of the information it contains if you: (A) Use a plain-language heading to call attention to the notice; (B) Use a typeface and type size that are easy to read; (C) Provide wide margins and ample line spacing; (D) Use boldface or italics for key words; and (E) In a form that combines your notice with other information, use distinctive type sizes, styles, and graphic devices, such as shading or sidebars. (iii) Notice on a web page. If you provide a notice on a web page, you design your notice to call attention to the nature and significance of the information it contains if you: (A) Place either the notice, or a link that connects directly to the notice and that is labeled appropriately to convey the importance, nature, and relevance of the notice, on a page that consumers access often, such as a page on which transactions are conducted; (B) Use text or visual cues to encourage scrolling down the page if necessary to view the entire notice; and (C) Ensure that other elements on the web page (such as text, graphics, links, or sound) do not detract attention from the notice. (d) Communication includes written, oral, and electronic communication; provided that the term includes electronic communication to a consumer only if the consumer agrees to receive the communication electronically. (e) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization. (f) Consumer means an individual. (g) Consumer report. (1) In general. The term means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for: (i) Credit or insurance to be used primarily for personal, family, or household purposes; (ii) Employment purposes; or (iii) Any other purpose authorized under section 604 of the Act (15 U.S.C. 1681b). (2) Exclusions. The term does not include: (i) Any report containing information solely as to transactions or experiences between the consumer and the person making the report; (ii) Any communication of that information among affiliates; (iii) Any communication among affiliates of opt out information if the conditions in Secs. 222.4 through 222.9 are satisfied; (iv) Any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device; (v) Any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his or her decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made, and the person makes the disclosures to the consumer required under section 615 of the Act (15 U.S.C. 1681m); or (vi) A communication described in section 603(o) of the Act (15 U.S.C. 1681a(o)). (h) Consumer reporting agency means any person which, for monetary fees, dues or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. (i) Control of a company means: (1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons; (2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; (3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the Board determines. (j) Opt out means a direction by a consumer that you not communicate opt out information about the consumer to one or more of your affiliates. (k) Opt out information means information that: (1) Bears on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; (2) Is used or expected to be used or collected in whole or in part to serve as a factor in establishing the consumer's eligibility for credit or another purpose listed in section 604 of the Act (15 U.S.C. 1681b); and (3) Is not a report containing information solely as to transactions or experiences between the consumer and the person reporting or communicating the information. (1) Person means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity. (m) You means a member bank of the Federal Reserve System (other than a national bank), a branch or agency of a foreign bank (other than a Federal branch, Federal agency, or insured State branch of a foreign bank), a commercial lending company owned or controlled by a foreign bank, or an organization operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601-604a, 611-631). Sec. 222.4 Communication of opt out information to affiliates. Your communication to your affiliates of opt out information about a consumer is not a consumer report if: (a) You have provided the consumer with an opt out notice; (b) You have given the consumer a reasonable opportunity and means, before you communicate the information to your affiliates, to opt out; and (c) The consumer has not opted out. Sec. 222.5 Contents of opt out notice. (a) In general. An opt out notice must be clear and conspicuous, and must accurately explain: (1) The categories of opt out information about the consumer that you communicate to your affiliates; (2) The categories of affiliates to which you communicate the information; (3) The consumer's ability to opt out; and (4) A reasonable means for the consumer to opt out. (b) Future communications. Your notice may describe: (1) Categories of opt out information about the consumer that you reserve the [[Page 63133]] right to communicate to your affiliates in the future but do not currently communicate; and (2) Categories of affiliates to which you reserve the right in the future to communicate, but to which you do not currently communicate, opt out information about the consumer. (c) Partial opt out. You may allow a consumer to select certain opt out information or certain affiliates, with respect to which the consumer wishes to opt out. (d) Examples of categories of information that you communicate. (1) You satisfy the requirement to categorize the opt out information that you communicate if you list the categories in paragraph (d)(2) of this section, as applicable, and a few examples to illustrate the types of information in each category. These examples may include those in paragraph (d)(3) of this section, if applicable. (2) Categories of opt out information may include information: (i) From a consumer's application; (ii) From a consumer credit report; (iii) Obtained by verifying representations made by a consumer; or (iv) Provided by another person regarding its employment, credit, or other relationship with a consumer. (3) Examples of information within a category listed in paragraph (d)(2) of this section include a consumer's: (i) Income; (ii) Credit score or credit history with others; (iii) Open lines of credit with others; (iv) Employment history with others; (v) Marital status; and (vi) Medical history. (4) You do not satisfy the requirement if you communicate or reserve the right to communicate individually identifiable health information (as described in section 1171(6)(B) of the Social Security Act (42 U.S.C. 1320d(6)(B)) but omit illustrative examples of this information. (e) Examples of categories of affiliates. (1) You satisfy the requirement to categorize the affiliates to which you communicate opt out information if you list the categories in paragraph (e)(2) of this section, as applicable, and a few examples to illustrate the types of affiliates in each category. (2) Categories of affiliates may include: (i) Financial service providers; and (ii) Non-financial companies. (f) Sample notice. A sample notice is included in appendix A to this part. Sec. 222.6 Reasonable opportunity to opt out. (a) In general. You provide a reasonable opportunity to opt out if you provide a reasonable period of time following the delivery of the opt out notice for the consumer to opt out. (b) Examples of reasonable period of time: (1) In person. You hand- deliver an opt out notice to the consumer and provide at least 30 days from the date you delivered the notice. (2) By mail. You mail an opt out notice to a consumer and provide at least 30 days from the date you mailed the notice. (3) By electronic means. You notify the consumer electronically, and you provide at least 30 days after the date that the consumer acknowledges receipt of the electronic notice. (c) Continuing opportunity to opt out. A consumer may opt out at any time. Sec. 222.7 Reasonable means of opting out. (a) General rule. You provide a consumer with a reasonable means of opting out if you provide a reasonably convenient method to opt out. (b) Reasonably convenient methods. Examples of reasonably convenient methods include: (1) Designating check-off boxes in a prominent position on the relevant forms included with the opt out notice; (2) Including a reply form together with the opt out notice; (3) Providing an electronic means to opt out, such as a form that can be electronically mailed or a process at your web site, if the consumer agrees to the electronic delivery of information; or (4) Providing a toll-free telephone number that consumers may call to opt out. (c) Methods not reasonably convenient. Examples of methods that are not reasonably convenient include: (1) Requiring a consumer to write his or her own letter to you; or (2) Referring in a revised notice to a check-off box that you included with a previous notice but that you do not include with the revised notice. (d) Requiring specific means of opting out. You may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer. Sec. 222.8 Delivery of opt out notices. (a) In general. You must deliver an opt out notice so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. (b) Examples of expectation of actual notice. (1) You may reasonably expect that a consumer will receive actual notice if you: (i) Hand-deliver a printed copy of the notice to the consumer; (ii) Mail a printed copy of the notice to the last known mailing address of the consumer; or (iii) For the consumer who conducts transactions electronically, post the notice on your electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular product or service; (2) You may not reasonably expect that a consumer will receive actual notice if you: (i) Only post a sign in your branch or office or generally publish advertisements presenting your notice; or (ii) Send the notice via electronic mail to a consumer who does not obtain a product or service from you electronically. (c) Oral description insufficient. You may not provide an opt out notice solely by orally explaining the notice, either in person or over the telephone. (d) Retention or accessibility. (1) In general. You must provide an opt out notice so that it can be retained or obtained at a later time by the consumer in writing or, if the consumer agrees, electronically. (2) Examples of retention or accessibility. You provide the notice so that it can be retained or obtained at a later time if you: (i) Hand-deliver a printed copy of the notice to the consumer; (ii) Mail a printed copy of the notice to the last known address of the consumer upon request of the consumer; or (iii) Make your current notice available on a web site (or a link to another web site) for the consumer who obtains a product or service electronically and who agrees to receive the notice at the web site. (e) Joint notice with affiliates. You may provide a joint notice with one or more affiliates as long as the notice identifies each person providing it and is accurate with respect to each. (f) Joint relationships. (1) In general. Notwithstanding any other provision in this part, if two or more consumers jointly obtain a product or service from you (joint consumers), the following rules apply: (i) You may provide a single notice to all of the joint consumers. (ii) Any of the joint consumers has the opportunity to opt out. (iii) You may treat an opt out direction by a joint consumer either as: (A) Applying to all of the joint consumers; or (B) Applying to that particular joint consumer. (iv) You must explain in your opt out notice which of the two policies set [[Page 63134]] forth in paragraph (f)(1)(iii) of this section you will follow. (v) If you follow the policy set forth in paragraph (f)(1)(iii)(B) of this section, by treating the opt out of a joint consumer as applying to that particular joint consumer, you must also permit: (A) A joint consumer to opt out on behalf of other joint consumers; and (B) One or more joint consumers to notify you of their opt out directions in a single response. (vi) You may not require all joint consumers to opt out before you implement any opt out direction. (vii) If you receive an opt out by a particular joint consumer that does not apply to the others, you may disclose information about the others as long as no information is disclosed about the consumer who opted out. (2) Example. If consumers A and B, who have different addresses, have a joint checking account with you and arrange for you to send statements to A's address, you may do any of the following, but you must explain in your opt out notice which opt out policy you will follow. You may send a single opt out notice to A's address and: (i) Treat an opt out direction by A as applying to the entire account. If you do so and A opts out, you may not require B to opt out as well before implementing A's opt out direction. (ii) Treat A's opt out direction as applying to A only. If you do so, you must also permit: (A) A and B to opt out for each other; and (B) A and B to notify you of their opt out directions in a single response (such as on a single form) if they choose to give separate opt out directions. (iii) If A opts out only for A, and B does not opt out, you may disclose opt out information only about B, and not about A and B jointly. Sec. 222.9 Revised opt out notice. If you have provided a consumer with one or more opt out notices and plan to communicate opt out information to your affiliates about the consumer other than as described in those notices, you must provide the consumer with a revised opt out notice that complies with Secs. 222.4 through 222.8. Sec. 222.10 Time by which opt out must be honored. If you provide a consumer with an opt out notice and the consumer opts out, you must comply with the opt out as soon as reasonably practicable after you receive it. Sec. 222.11 Duration of opt out. An opt out remains effective until revoked by the consumer in writing or electronically, as long as the consumer continues to have a relationship with you. If the consumer's relationship with you terminates, the opt out will continue to apply to this information. However, a new notice and opportunity to opt out must be provided if the consumer establishes a new relationship with you. Sec. 222.12 Prohibition against discrimination. (a) In general. If a consumer is an applicant for credit, you must not discriminate against the consumer if the consumer opts out of your communication of opt out information to your affiliates. (b) Examples of discrimination against an applicant. You discriminate against an applicant if you: (1) Deny the applicant credit because the applicant opts out; (2) Vary the terms of credit adversely to the applicant such as by providing less favorable pricing terms to an applicant who opts out; or (3) Apply more stringent credit underwriting standards to the applicant because the applicant opts out. (c) Regulation B. The terms ``applicant'' and ``discriminate against'' in Sec. 222.12 have the same meanings ascribed to them in 12 CFR part 202. Appendix A to Part 222--Sample Notice This appendix contains a sample notice to facilitate compliance with the notice requirements of this part. An institution may use applicable disclosures in this sample to provide notices required by this part. Notice of Your Opportunity to Opt Out of Information Sharing With Companies in Our Corporate Family Information We Can Share With Our Corporate Family About You-- Unless You Tell Us Not To What Information: Unless you tell us not to, [Financial Institution] may share with companies in our Corporate family information about you including: Information we obtain from your application, such as [provide illustrative examples, such as ``your income'' or ``your marital status'']; Information we obtain from a consumer report, such as [provide illustrative examples, such as ``your credit score or credit history'']; Information we obtain to verify representations made by you, such as [provide illustrative examples, such as ``your open lines of credit'']; and Information we obtain from a person regarding its employment, credit, or other relationship with you, such as [provide illustrative examples, such as ``your employment history'']. Shared With Whom: Companies in our corporate family who may receive this information are: Financial service providers, such as [provide illustrative examples, such as ``mortgage bankers, broker-dealers, and insurance agents'']; and Non-financial companies, such as [provide illustrative examples, such as ``retailers, direct marketers, airlines, and publishers'']. How To Tell Us Not To Share This Information With Our Corporate Family If you prefer that we not share this information with companies in our corporate family, you may direct us not to share this information by doing the following [insert one or more of the reasonable means of opting out listed below \1\]: [call us toll free at {insert toll free number}]; or [visit our web site at {insert web site address} and {provide further instructions how to use the web site option}]; or [e-mail us at {insert the e-mail address}]; or [fill out and tear off the bottom of this sheet and mail to the following address: {insert address}]; or [check the appropriate box on the attached form {attach form} and mail to the following address: {insert address}]. \1\ If the financial institution is using its web site or an e- mail address as the only method by which a consumer may opt out, the consumer must agree to the electronic delivery of information. Note: Your direction in this paragraph covers certain information about you that we might otherwise share with our corporate family. We may share other information about you with our --------------------------------------------------------------------------- corporate family as permitted by law. By order of the Board of Governors of the Federal Reserve System, October 11, 2000. Jennifer J. Johnson, Secretary of the Board. Federal Deposit Insurance Corporation 12 CFR Chapter III Authority and Issuance For the reasons set out in the joint preamble, chapter III of title 12 of the Code of Federal Regulations is proposed to be amended by adding a new part 334 to read as follows: PART 334--FAIR CREDIT REPORTING Sec. 334.1 Purpose and scope. 334.2 Examples. 334.3 Definitions. 334.4 Communication of opt out information to affiliates. 334.5 Contents of opt out notice. 334.6 Reasonable opportunity to opt out. 334.7 Reasonable means of opting out. 334.8 Delivery of opt out notices. 334.9 Revised opt out notice. 334.10 Time by which opt out must be honored. 334.11 Duration of opt out. 334.12 Prohibition against discrimination. Appendix A to Part 222--Sample Notice Authority: 15 U.S.C. 1681s; 12 U.S.C. 1819(a)(Tenth). [[Page 63135]] Sec. 334.1 Purpose and scope. (a) Purpose. This part governs the collection, communication, and use, by the institutions listed in paragraph (b)(2) of this section, of certain information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. (b) Scope. (1) Information covered. This part applies to information that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, employment, or any other purpose authorized under section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b). (2) Institutions covered. This part applies to banks insured by the FDIC (other than members of the Federal Reserve System) and insured state branches of foreign banks. (3) Relation to other laws. Nothing in this part modifies, limits, or supersedes the standards governing the privacy of individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8). Sec. 334.2 Examples. The examples used in this part and the sample notice in appendix A to this part are not exclusive. Compliance with an example or use of the sample notice, to the extent applicable, constitutes compliance with this part. Sec. 334.3 Definitions. As used in this part, unless the context requires otherwise: (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.). (b) Affiliate. (1) In general. The term means any company that is related or affiliated by common ownership, or affiliated by corporate control or common corporate control, with another company. (2) Related or affiliated by common ownership or affiliated by corporate control or common corporate control. This means controlling, controlled by, or under common control with, another company. (c) Clear and conspicuous. (1) In general. The term means that a notice is reasonably understandable and is designed to call attention to the nature and significance of the information it contains. (2) Examples. (i) Reasonably understandable. You make your notice reasonably understandable if you: (A) Present the information in the notice in clear and concise sentences, paragraphs, and sections; (B) Use short explanatory sentences or bullet lists whenever possible; (C) Use definite, concrete, everyday words and active voice whenever possible; (D) Avoid multiple negatives; (E) Avoid legal and highly technical business terminology whenever possible; and (F) Avoid explanations that are imprecise and are readily subject to different interpretations. (ii) Designed to call attention. You design your notice to call attention to the nature and significance of the information it contains if you: (A) Use a plain-language heading to call attention to the notice; (B) Use a typeface and type size that are easy to read; (C) Provide wide margins and ample line spacing; (D) Use boldface or italics for key words; and (E) In a form that combines your notice with other information, use distinctive type sizes, styles, and graphic devices, such as shading or sidebars. (iii) Notice on a web page. If you provide a notice on a web page, you design your notice to call attention to the nature and significance of the information it contains if: (A) You place either the notice, or a link that connects directly to the notice and that is labeled appropriately to convey the importance, nature, and relevance of the notice, on a page that consumers access often, such as a page on which transactions are conducted; (B) You use text or visual cues to encourage scrolling down the page if necessary to view the entire notice; and (C) You ensure that other elements on the web page (such as text, graphics, links, or sound) do not detract attention from the notice. (d) Communication includes written, oral, and electronic communication; provided that the term includes electronic communication to a consumer only if the consumer agrees to receive the communication electronically. (e) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization. (f) Consumer means an individual. (g) Consumer report. (1) In general. The term means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for: (i) Credit or insurance to be used primarily for personal, family, or household purposes; (ii) Employment purposes; or (iii) Any other purpose authorized under section 604 of the Act (15 U.S.C. 1681b). (2) Exclusions. The term does not include: (i) Any report containing information solely as to transactions or experiences between the consumer and the person making the report; (ii) Any communication of that information among affiliates; (iii) Any communication among affiliates of opt out information if the conditions in Secs. 334.4 through 334.9 are satisfied; (iv) Any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device; (v) Any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his or her decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made, and the person makes the disclosures to the consumer required under section 615 of the Act (15 U.S.C. 1681m); or (vi) A communication described in section 603(o) of the Act (15 U.S.C. 1681a(o)). (h) Consumer reporting agency means any person which, for monetary fees, dues or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. (i) Control of a company means: (1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons; (2) Control in any manner over the election of a majority of the directors, [[Page 63136]] trustees, or general partners (or individuals exercising similar functions) of the company; or (3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the FDIC determines. (j) Opt out means a direction by a consumer that you not communicate opt out information about the consumer to one or more of your affiliates. (k) Opt out information means information that: (1) Bears on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; (2) Is used or expected to be used or collected in whole or in part to serve as a factor in establishing the consumer's eligibility for credit or another purpose listed in section 604 of the Act (15 U.S.C. 1681b); and (3) Is not a report containing information solely as to transactions or experiences between the consumer and the person reporting or communicating the information. (l) Person means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity. (m) You means banks insured by the FDIC (other than members of the Federal Reserve System) and insured state branches of foreign banks. Sec. 334.4 Communication of opt out information to affiliates. Your communication to your affiliates of opt out information about a consumer is not a consumer report if: (a) You have provided the consumer with an opt out notice; (b) You have given the consumer a reasonable opportunity and means, before you communicate the information to your affiliates, to opt out; and (c) The consumer has not opted out. Sec. 334.5 Contents of opt out notice. (a) In general. An opt out notice must be clear and conspicuous, and must accurately explain: (1) The categories of opt out information about the consumer that you communicate to your affiliates; (2) The categories of affiliates to which you communicate the information; (3) The consumer's ability to opt out; and (4) A reasonable means for the consumer to opt out. (b) Future communications. Your notice may describe: (1) Categories of opt out information about the consumer that you reserve the right to communicate to your affiliates in the future but do not currently communicate; and (2) Categories of affiliates to which you reserve the right in the future to communicate, but to which you do not currently communicate, opt out information about the consumer. (c) Partial opt out. You may allow a consumer to select certain opt out information or certain affiliates, with respect to which the consumer wishes to opt out. (d) Examples of categories of information that you communicate. (1) You satisfy the requirement to categorize the opt out information that you communicate if you list the categories in paragraph (d)(2) of this section, as applicable, and a few examples to illustrate the types of information in each category. These examples may include those in paragraph (d)(3) of this section, if applicable. (2) Categories of opt out information may include information: (i) From a consumer's application; (ii) From a consumer credit report; (iii) Obtained by verifying representations made by a consumer; and (iv) Provided by another person regarding its employment, credit, or other relationship with a consumer. (3) Examples of information within a category listed in paragraph (d)(2) of this section include a consumer's: (i) Income; (ii) Credit score or credit history with others; (iii) Open lines of credit with others; (iv) Employment history with others; (v) Marital status; and (vi) Medical history. (4) You do not satisfy the requirement if you communicate or reserve the right to communicate individually identifiable health information (as described in section 1171(6)(B) of the Social Security Act (42 U.S.C. 1320d(6)(B)) but omit illustrative examples of this information. (e) Examples of categories of affiliates. (1) You satisfy the requirement to categorize the affiliates to which you communicate opt out information if you list the categories in paragraph (e)(2) of this section, as applicable, and a few examples to illustrate the types of affiliates in each category. (2) Categories of affiliates may include: (i) Financial service providers; and (ii) Non-financial companies. (f) Sample notice. A sample notice is included in appendix A to this part. Sec. 334.6 Reasonable opportunity to opt out. (a) In general. You provide a reasonable opportunity to opt out if you provide a reasonable period of time following the delivery of the opt out notice for the consumer to opt out. (b) Examples of reasonable period of time: (1) In person. You hand- deliver an opt out notice to the consumer and provide at least 30 days from the date you delivered the notice. (2) By mail. You mail an opt out notice to a consumer and provide at least 30 days from the date you mailed the notice. (3) By electronic means. You notify the consumer electronically, and you provide at least 30 days after the date that the consumer acknowledges receipt of the electronic notice. (c) Continuing opportunity to opt out. A consumer may opt out at any time. Sec. 334.7 Reasonable means of opting out. (a) General rule. You provide a consumer with a reasonable means of opting out if you provide a reasonably convenient method to opt out. (b) Reasonably convenient methods. Examples of reasonably convenient methods include: (1) Designating check-off boxes in a prominent position on the relevant forms included with the opt out notice; (2) Including a reply form together with the opt out notice; (3) Providing an electronic means to opt out, such as a form that can be electronically mailed or a process at your web site, if the consumer agrees to the electronic delivery of information; or (4) Providing a toll-free telephone number that consumers may call to opt out. (c) Methods not reasonably convenient. Examples of methods that are not reasonably convenient include: (1) Requiring a consumer to write his or her own letter to you; or (2) Referring in a revised notice to a check-off box that you included with a previous notice but that you do not include with the revised notice. (d) Requiring specific means of opting out. You may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer. Sec. 334.8 Delivery of opt out notices. (a) In general. You must deliver an opt out notice so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. (b) Examples of expectation of actual notice. (1) You may reasonably expect that a consumer will receive actual notice if you: [[Page 63137]] (i) Hand-deliver a printed copy of the notice to the consumer; (ii) Mail a printed copy of the notice to the last known mailing address of the consumer; or (iii) For the consumer who conducts transactions electronically, post the notice on your electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular product or service; (2) You may not reasonably expect that a consumer will receive actual notice if you: (i) Only post a sign in your branch or office or generally publish advertisements presenting your notice; or (ii) Send the notice via electronic mail to a consumer who does not obtain a product or service from you electronically. (c) Oral description insufficient. You may not provide an opt out notice solely by orally explaining the notice, either in person or over the telephone. (d) Retention or accessibility. (1) In general. You must provide an opt out notice so that it can be retained or obtained at a later time by the consumer in writing or, if the consumer agrees, electronically. (2) Examples of retention or accessibility. You provide the notice so that it can be retained or obtained at a later time if you: (i) Hand-deliver a printed copy of the notice to the consumer; (ii) Mail a printed copy of the notice to the last known address of the consumer upon request of the consumer; or (iii) Make your current notice available on a web site (or a link to another web site) for the consumer who obtains a product or service electronically and who agrees to receive the notice at the web site. (e) Joint notice with affiliates. You may provide a joint notice with one or more affiliates as long as the notice identifies each person providing it and is accurate with respect to each. (f) Joint relationships. (1) In general. Notwithstanding any other provision in this part, if two or more consumers jointly obtain a product or service from you (joint consumers), the following rules apply: (i) You may provide a single notice to all of the joint consumers. (ii) Any of the joint consumers has the opportunity to opt out. (iii) You may treat an opt out direction by a joint consumer either as: (A) Applying to all of the joint consumers; or (B) Applying to that particular joint consumer. (iv) You must explain in your opt out notice which of the two policies set forth in paragraph (f)(1)(iii) of this section you will follow. (v) If you follow the policy set forth in paragraph (f)(1)(iii)(B) of this section, by treating the opt out of a joint consumer as applying to that particular joint consumer, you must also permit: (A) A joint consumer to opt out on behalf of other joint consumers; and (B) One or more joint consumers to notify you of their opt out directions in a single response. (vi) You may not require all joint consumers to opt out before you implement any opt out direction. (vii) If you receive an opt out by a particular joint consumer that does not apply to the others, you may disclose information about the others as long as no information is disclosed about the consumer who opted out. (2) Example. If consumers A and B, who have different addresses, have a joint checking account with you and arrange for you to send statements to A's address, you may do any of the following, but you must explain in your opt out notice which opt out policy you will follow. You may send a single opt out notice to A's address and: (i) Treat an opt out direction by A as applying to the entire account. If you do so and A opts out, you may not require B to opt out as well before implementing A's opt out direction. (ii) Treat A's opt out direction as applying to A only. If you do so, you must also permit: (A) A and B to opt out for each other; and (B) A and B to notify you of their opt out directions in a single response (such as on a single form) if they choose to give separate opt out directions. (iii) If A opts out only for A, and B does not opt out, you may disclose opt out information only about B, and not about A and B jointly. Sec. 334.9 Revised opt out notice. If you have provided a consumer with one or more opt out notices and plan to communicate opt out information to your affiliates about the consumer, other than as described in those notices, you must provide the consumer with a revised opt out notice that complies with Secs. 334.4 through 334.8. Sec. 334.10 Time by which opt out must be honored. If you provide a consumer with an opt out notice and the consumer opts out, you must comply with the opt out as soon as reasonably practicable after you receive it. Sec. 334.11 Duration of opt out. An opt out remains effective until revoked by the consumer in writing or electronically, as long as the consumer continues to have a relationship with the institution. If the consumer's relationship with the institution terminates, the opt out will continue to apply to this information. However, a new notice and opportunity to opt out must be provided if the consumer establishes a new relationship with the institution. Sec. 334.12 Prohibition against discrimination. (a) In general. If a consumer is an applicant for credit, you must not discriminate against the consumer if the consumer opts out of the your communication of opt out information to your affiliates. (b) Examples of discrimination against an applicant. You discriminate against an applicant if you: (1) Deny the applicant credit because the applicant opts out; (2) Vary the terms of credit adversely to the applicant such as by providing less favorable pricing terms to an applicant who opts out; or (3) Apply more stringent credit underwriting standards to the applicant because the applicant opts out. (c) Regulation B. The terms ``applicant'' and ``discriminate against'' in Sec. 334.12 have the same meanings ascribed to them in 12 CFR part 202. Appendix A to Part 334--Sample Notice This appendix contains a sample notice to facilitate compliance with the notice requirements of this part. An institution may use applicable disclosures in this sample to provide notices required by this part. Notice of Your Opportunity To Opt Out of Information Sharing With Companies in Our Corporate Family Information We Can Share With Our Corporate Family About You-- Unless You Tell Us Not to What Information: Unless you tell us not to, [Financial Institution] may share with companies in our corporate family information about you including: Information we obtain from your application, such as [provide illustrative examples, such as ``your income'' or ``your marital status'']; Information we obtain from a consumer report, such as [provide illustrative examples, such as ``your credit score or credit history'']; Information we obtain to verify representations made by you, such as [provide illustrative examples, such as ``your open lines of credit'']; and Information we obtain from a person regarding its employment, credit, or other relationship with you, such as [provide [[Page 63138]] illustrative examples, such as ``your employment history'']. Shared With Whom: Companies in our corporate family who may receive this information are: Financial service providers, such as [provide illustrative examples, such as ``mortgage bankers, broker-dealers, and insurance agents'']; and Non-financial companies, such as [provide illustrative examples, such as ``retailers, direct marketers, airlines, and publishers'']. How To Tell Us Not To Share This Information With Our Corporate Family If you prefer that we not share this information with companies in our corporate family, you may direct us not to share this information by doing the following [insert one or more of the reasonable means of opting out listed below\1\]: [call us toll free at {insert toll free number}]; or [visit our web site at {insert web site address} and {provide further instructions how to use the web site option}]; or [e-mail us at {insert the e-mail address}]; or [fill out and tear off the bottom of this sheet and mail to the following address: {insert address}]; or [check the appropriate box on the attached form {attach form} and mail to the following address: {insert address}]. --------------------------------------------------------------------------- \1\ If the financial institution is using its web site or an e- mail address as the only method by which a consumer may opt out, the consumer must agree to the electronic delivery of information. Note: Your direction in this paragraph covers certain information about you that we might otherwise share with our corporate family. We may share other information about you with our --------------------------------------------------------------------------- corporate family as permitted by law. By order of the Board of Directors, Federal Deposit Insurance Corporation. Dated at Washington, D.C., this 25th day of September, 2000. Robert E. Feldman, Executive Secretary. Office of Thrift Supervision 12 CFR Chapter V Authority and Issuance For the reasons set out in the joint preamble, OTS proposes to amend chapter V of title 12 of the Code of Federal Regulations by adding a new part 571 to read as follows: PART 571--FAIR CREDIT REPORTING Sec. 571.1 Purpose and scope. 571.2 Examples. 571.3 Definitions. 571.4 Communication of opt out information to affiliates. 571.5 Content of opt out notice. 571.6 Reasonable opportunity to opt out. 571.7 Reasonable means of opting out. 571.8 Delivery of opt out notice. 571.9 Revised opt out notice. 571.10 Time by which opt out must be honored. 571.11 Duration of opt out. 571.12 Prohibition against discrimination. Appendix A to Part 571--Sample Notice Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828; 15 U.S.C. 1681s. Sec. 571.1 Purpose and scope. (a) Purpose. This part governs the collection, communication, and use, by the institutions listed in paragraph (b)(2) of this section, of certain information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. (b) Scope. (1) Information covered. This part applies to information that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, employment, or any other purpose authorized under section 604 of the Fair Credit Reporting Act (15 U.S.C. 1681b). (2) Institutions covered. This part applies to savings associations whose deposits are insured by the Federal Deposit Insurance Corporation. (3) Relation to other laws. Nothing in this part modifies, limits, or supersedes the standards governing the privacy of individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8). Sec. 571.2 Examples. The examples used in this part and the model form in appendix A to this part are not exclusive. Compliance with an example or use of the sample notice, to the extent applicable, constitutes compliance with this part. Sec. 571.3 Definitions. As used in this part, unless the context requires otherwise: (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.). (b) Affiliate. (1) In general. The term means any company that is related or affiliated by common ownership, or affiliated by corporate control or common corporate control, with another company. (2) Related or affiliated by common ownership or affiliated by corporate control or common corporate control. This means controlling, controlled by, or under common control with, another company. (c) Clear and conspicuous. (1) In general. The term means that a notice is reasonably understandable and is designed to call attention to the nature and significance of the information it contains. (2) Examples. (i) Reasonably understandable. You make your notice reasonably understandable if you: (A) Present the information in the notice in clear and concise sentences, paragraphs, and sections; (B) Use short explanatory sentences or bullet lists whenever possible; (C) Use definite, concrete, everyday words and active voice whenever possible; (D) Avoid multiple negatives; (E) Avoid legal and highly technical business terminology whenever possible; and (F) Avoid explanations that are imprecise and are readily subject to different interpretations. (ii) Designed to call attention. You design your notice to call attention to the nature and significance of the information it contains if you: (A) Use a plain-language heading to call attention to the notice; (B) Use a typeface and type size that are easy to read; (C) Provide wide margins and ample line spacing; (D) Use boldface or italics for key words; and (E) In a form that combines your notice with other information, use distinctive type sizes, styles, and graphic devices, such as shading or sidebars. (iii) Notice on a web page. If you provide a notice on a web page, you design your notice to call attention to the nature and significance of the information it contains if: (A) You place either the notice, or a link that connects directly to the notice and that is labeled appropriately to convey the importance, nature, and relevance of the notice, on a page that consumers access often, such as a page on which transactions are conducted; (B) You use text or visual cues to encourage scrolling down the page if necessary to view the entire notice; and (C) You ensure that other elements on the web page (such as text, graphics, links, or sound) do not detract attention from the notice. (d) Communication includes written, oral, and electronic communication; provided that the term includes electronic communication to a consumer only if the consumer agrees to receive the communication electronically. (e) Company means any corporation, limited liability company, business [[Page 63139]] trust, general or limited partnership, association, or similar organization. (f) Consumer means an individual. (g) Consumer report. (1) In general. The term means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for: (i) Credit or insurance to be used primarily for personal, family, or household purposes; (ii) Employment purposes; or (iii) Any other purpose authorized under section 604 of the Act (15 U.S.C. 1681b). (2) Exclusions. The term does not include: (i) Any report containing information solely as to transactions or experiences between the consumer and the person making the report; (ii) Any communication of that information among affiliates; (iii) Any communication among affiliates of opt out information if the conditions in Secs. 571.4 through 571.9 are satisfied; (iv) Any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device; (v) Any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his or her decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made, and the person makes the disclosures to the consumer required under section 615 of the Act (15 U.S.C. 1681m); or (vi) A communication described in section 603(o) of the Act (15 U.S.C. 1681a(o)). (h) Consumer reporting agency means any person which, for monetary fees, dues or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. (i) Control of a company means: (1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons; (2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or (3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as OTS determines. (j) Opt out means a direction by a consumer that you not communicate opt out information about the consumer to one or more of your affiliates. (k) Opt out information means information that: (1) Bears on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; (2) Is used or expected to be used or collected in whole or in part to serve as a factor in establishing the consumer's eligibility for credit or another purpose listed in section 604 of the Act (15 U.S.C. 1681b); and (3) Is not a report containing information solely as to transactions or experiences between the consumer and the person reporting or communicating the information. (l) Person means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity. (m) You means savings associations whose deposits are insured by the Federal Deposit Insurance Corporation. Sec. 571.4 Communication of opt out information to affiliates. Your communication to your affiliates of opt out information about a consumer is not a consumer report if: (a) You have provided the consumer with an opt out notice; (b) You have given the consumer a reasonable opportunity and means, before you communicate the information to your affiliates, to opt out; and (c) The consumer has not opted out. Sec. 571.5 Content of opt out notice. (a) In general. An opt out notice must be clear and conspicuous, and must accurately explain: (1) The categories of opt out information about the consumer that you communicate to your affiliates; (2) The categories of affiliates to which you communicate the information; (3) The consumer's ability to opt out; and (4) A reasonable means for the consumer to opt out. (b) Future communications. Your notice may describe: (1) Categories of opt out information about the consumer that you reserve the right to communicate to your affiliates in the future but do not currently communicate; and (2) Categories of affiliates to which you reserve the right in the future to communicate, but to which you do not currently communicate, opt out information about the consumer. (c) Partial opt out. You may allow a consumer to select certain opt out information or certain affiliates, with respect to which the consumer wishes to opt out. (d) Examples of categories of information that you communicate. (1) You satisfy the requirement to categorize the opt out information that you communicate if you list the categories in paragraph (d)(2) of this section, as applicable, and a few examples to illustrate the types of information in each category. These examples may include those in paragraph (d)(3) of this section, if applicable. (2) Categories of opt out information may include information: (i) From a consumer's application; (ii) From a consumer credit report; (iii) Obtained by verifying representations made by a consumer; or (iv) Provided by another person regarding its employment, credit, or other relationship with a consumer. (3) Examples of information within a category listed in paragraph (d)(2) of this section include a consumer's: (i) Income; (ii) Credit score or credit history with others; (iii) Open lines of credit with others; (iv) Employment history with others; (v) Marital status; and (vi) Medical history. (4) You do not satisfy the requirement if you communicate or reserve the right to communicate individually identifiable health information (as described in section 1171(6)(B) of the Social Security Act (42 U.S.C. 1320d(6)(B)) but omit illustrative examples of this information. (e) Examples of categories of affiliates. (1) You satisfy the requirement to categorize the affiliates to which you communicate opt out information if you list the categories in paragraph (e)(2) of this section, as applicable, and a few examples to illustrate the types of affiliates in each category. (2) Categories of affiliates may include: (i) Financial service providers; and [[Page 63140]] (ii) Non-financial companies. (f) Sample notice. A sample notice is included in appendix A to this part. Sec. 571.6 Reasonable opportunity to opt out. (a) In general. You provide a reasonable opportunity to opt out if you provide a reasonable period of time following the delivery of the opt out notice for the consumer to opt out. (b) Examples of reasonable period of time: (1) In person. You hand- deliver an opt out notice to the consumer and provide at least 30 days from the date you delivered the notice. (2) By mail. You mail an opt out notice to a consumer and provide at least 30 days from the date you mailed the notice. (3) By electronic means. You notify the consumer electronically, and you provide at least 30 days after the date that the consumer acknowledges receipt of the electronic notice. (c) Continuing opportunity to opt out. A consumer may opt out at any time. Sec. 571.7 Reasonable means of opting out. (a) General rule. You provide a consumer with a reasonable means of opting out if you provide a reasonably convenient method to opt out. (b) Reasonably convenient methods. Examples of reasonably convenient methods include: (1) Designating check-off boxes in a prominent position on the relevant forms included with the opt out notice; (2) Including a reply form together with the opt out notice; (3) Providing an electronic means to opt out, such as a form that can be electronically mailed or a process at your web site, if the consumer agrees to the electronic delivery of information; or (4) Providing a toll-free telephone number that consumers may call to opt out. (c) Methods that are not reasonably convenient. Examples of methods that are not reasonably convenient include: (1) Requiring a consumer to write his or her own letter to you; or (2) Referring in a revised notice to a check-off box that you included with a previous notice but that you do not include with the revised notice. (d) Requiring specific means of opting out. You may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer. Sec. 571.8 Delivery of opt out notice. (a) In general. You must deliver an opt out notice so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. (b) Examples of expectation of actual notice. (1) You may reasonably expect that a consumer will receive actual notice if you: (i) Hand-deliver a printed copy of the notice to the consumer; (ii) Mail a printed copy of the notice to the last known mailing address of the consumer; or (iii) For the consumer who conducts transactions electronically, post the notice on your electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular product or service; (iv) You may not reasonably expect that a consumer will receive actual notice if you: (A) Only post a sign in your branch or office or generally publish advertisements presenting your notice; or (B) Send the notice via electronic mail to a consumer who does not obtain a product or service from you electronically. (c) Oral description insufficient. You may not provide an opt out notice solely by orally explaining the notice, either in person or over the telephone. (d) Retention or accessibility. (1) In general. You must provide an opt out notice so that it can be retained or obtained at a later time by the consumer in writing or, if the consumer agrees, electronically. (2) Examples of retention or accessibility. You provide the notice so that it can be retained or obtained at a later time if you: (i) Hand-deliver a printed copy of the notice to the consumer; (ii) Mail a printed copy of the notice to the last known address of the consumer upon request of the consumer; or (iii) Make your current notice available on a web site (or a link to another web site) for the consumer who obtains a product or service electronically and who agrees to receive the notice at the web site. (e) Joint notice with affiliates. You may provide a joint notice with one or more affiliates as long as the notice identifies each person providing it and is accurate with respect to each. (f) Joint relationships. (1) In general. Notwithstanding any other provision in this part, if two or more consumers jointly obtain a product or service from you (joint consumers), the following rules apply: (i) You may provide a single notice to all of the joint consumers. (ii) Any of the joint consumers has the opportunity to opt out. (iii) You may treat an opt out direction by a joint consumer either as: (A) Applying to all of the joint consumers; or (B) Applying to that particular joint consumer. (iv) You must explain in your opt out notice which of the two policies set forth in paragraph (f)(1)(iii) of this section you will follow. (v) If you follow the policy set forth in paragraph (f)(1)(iii)(B) of this section, by treating the opt out of a joint consumer as applying to that particular joint consumer, you must also permit: (A) A joint consumer to opt out on behalf of other joint consumers; and (B) One or more joint consumers to notify you of their opt out directions in a single response. (vi) You may not require all joint consumers to opt out before you implement any opt out direction. (vii) If you receive an opt out by a particular joint consumer that does not apply to the others, you may disclose information about the others as long as no information is disclosed about the consumer who opted out. (2) Example. If consumers A and B, who have different addresses, have a joint checking account with you and arrange for you to send statements to A's address, you may do any of the following, but you must explain in your opt out notice which opt out policy you will follow. You may send a single opt out notice to A's address and: (i) Treat an opt out direction by A as applying to the entire account. If you do so and A opts out, you may not require B to opt out as well before implementing A's opt out direction. (ii) Treat A's opt out direction as applying to A only. If you do so, you must also permit: (A) A and B to opt out for each other; and (B) A and B to notify you of their opt out directions in a single response (such as on a single form) if they choose to give separate opt out directions. (iii) If A opts out only for A, and B does not opt out, you may disclose opt out information only about B, and not about A and B jointly. Sec. 571.9 Revised opt out notice. If you have provided a consumer with one or more opt out notices and plan to communicate opt out information to your affiliates about the consumer, other than as described in those notices, you must provide the consumer with a revised opt out notice that complies with Secs. 571.4 through 571.8. Sec. 571.10 Time by which opt out must be honored. If you provide a consumer with an opt out notice and the consumer opts out, [[Page 63141]] you must comply with the opt out as soon as reasonably practicable after you receive it. Sec. 571.11 Duration of opt out. An opt out remains effective until revoked by the consumer in writing or electronically, as long as the consumer continues to have a relationship with the institution. If the consumer's relationship with the institution terminates, the opt out will continue to apply to this information. However, a new notice and opportunity to opt out must be provided if the consumer establishes a new relationship with the institution. Sec. 571.12 Prohibition against discrimination. (a) In general. You must not discriminate against a consumer who is an applicant for credit because the consumer opts out of your communication of opt out information to your affiliates. (b) Examples of discrimination against an applicant. You discriminate against an applicant if you: (1) Deny the applicant credit because the applicant opts out; (2) Vary the terms of credit adversely to the applicant such as by providing less favorable pricing terms to an applicant who opts out; or (3) Apply more stringent credit underwriting standards to the applicant because the applicant opts out. (c) Regulation B. The terms ``applicant'' and ``discriminate against'' in this section have the same meanings ascribed to them in 12 CFR part 202. Appendix A to Part 571--Sample Notice This appendix contains a sample notice to facilitate compliance with the notice requirements of this part. An institution may use applicable disclosures in this sample to provide notices required by this part. Notice of Your Opportunity to Opt Out of Information Sharing With Companies in Our Corporate Family Information We Can Share With Our Corporate Family About You-- Unless You Tell Us Not to What Information: Unless you tell us not to, [Financial Institution] may share with companies in our corporate family information about you including: Information we obtain from your application, such as [provide illustrative examples, such as ``your income'' or ``your marital status'']; Information we obtain from a consumer report, such as [provide illustrative examples, such as ``your credit score or credit history'']; Information we obtain to verify representations made by you, such as [provide illustrative examples, such as ``your open lines of credit'']; and Information we obtain from a person regarding its employment, credit, or other relationship with you, such as [provide illustrative examples, such as ``your employment history'']. Shared With Whom: Companies in our corporate family who may receive this information are: Financial service providers, such as [provide illustrative examples, such as ``mortgage bankers, broker-dealers, and insurance agents'']; and Non-financial companies, such as [provide illustrative examples, such as ``retailers, direct marketers, airlines, and publishers'']. How To Tell Us Not To Share This Information With Our Corporate Family If you prefer that we not share this information with companies in our corporate family, you may direct us not to share this information by doing the following [insert one or more of the reasonable means of opting out listed below\1\]: [call us toll free at {insert toll free number}]; or [visit our web site at {insert web site address} and {provide further instructions how to use the web site option}]; or [e-mail us at {insert the e-mail address}]; or [fill out and tear off the bottom of this sheet and mail to the following address: {insert address}]; or [check the appropriate box on the attached form {attach form} and mail to the following address: {insert address}]. Note: Your direction in this paragraph covers certain information about you that we might otherwise share with our corporate family. We may share other information about you with our corporate family as permitted by law. \1\ If the financial institution is using its web site or an e- mail address as the only method by which a consumer may opt out, the consumer must agree to the electronic delivery of information. Dated: September 29, 2000. By the Office of Thrift Supervision. Ellen Seidman, Director. [FR Doc. 00-26601 Filed 10-19-00; 8:45 am] BILLING CODE 4810-33-P; 6210-01P; 6714-01-P; 6720-01-P |
Last Updated10/20/2000 | regs@fdic.gov |