Sharing Information With Affiliates and Third Parties
F. Jay Meyer
Vice President & Senior Counsel
TD Bank, N.A.
Portland, Maine

Why Share Information?
To Conduct Customer Transactions
• With Service Providers or Third Parties
To Conduct Your Own Business
• With Attorneys, Auditors or Credit Agencies
To Market Products and Services
• With Affiliates, Marketing Service Providers, Joint Marketing Partners or Third Parties
To Satisfy a Legal Requirement
• With Regulators, Law Enforcement or Litigants

Do Customers Have a Choice?
Gramm-Leach-Bliley and Regulation P
• Routine or Required Sharing With No Opt Out
• Affiliate Sharing With No Opt Out
• Some Nonaffiliate Sharing Requires Opt Out
Fair Credit Reporting Act
• Some Affiliate Sharing Requires Opt Out
• Some Affiliate Use of Shared Information to Market Requires Opt Out
Notice of Privacy Policies
Opt Out: Chance to Opt Out After Notice

GLBA/Regulation P: Definitions
Financial Institution
Consumer
Customer
Nonpublic Personal Information
Affiliate
Nonaffiliated Third Party
Sources: 15 U.S.C. § 6809, 12 CFR 216.3

Processing and Servicing Transactions: 12 CFR 216.14
No Opt Out Required for:
• Processing Requested Transactions
• Servicing Accounts or Loans
• Insurance Underwriting and Administration
• Enforcing Transactions
• Auditing Transactions
• Secondary Market Sales or Securitization
• Transfer of Receivables or Accounts

Other Uses With No Opt Out: 12 CFR 216.15
No Opt Out Required for Sharing That Is:
• With Consumer Consent
• To Prevent Fraud
• To Resolve Disputes
• To Authorized Consumer Representatives
• To Attorneys or Accountants
• To Consumer Reporting Agencies
• Compulsory (e.g., Subpoena, Regulator)
• For a Merger or Acquisition

Service Providers and Joint Marketing: 12 CFR 216.13
No Opt Out Required for Sharing With:
• Nonaffiliates Performing Services for the Financial Institution
• Financial Institution’s Marketing Providers
• Financial Institutions Jointly Marketing Financial Products or Services by Contract
Account Number Sharing for Marketing Is Restricted by 12 CFR 216.12

Oversight of Service Providers
Security Program Must Include Oversight of Service Providers: Due Diligence, Contractual Safeguards and Monitoring
Service Provider Contracts Under 12 CFR 216.13 Must Prohibit Use or Disclosure of Information for Other Purposes
Sources: Interagency Guidelines Establishing Information Security Standards, 12 CFR pts. 30 app. B(III)(D), 208 app. D-2(III)(D); 12 CFR 216.13(a)(ii)

Nonaffiliate Sharing Requires Opt Out Unless Excepted
Except as authorized by Regulation P, a Financial Institution may not disclose Nonpublic Personal Information to a nonaffiliate without notice and a reasonable opportunity to opt out.
Examples:
• Marketing of Non-Financial Products
• Marketing of Financial Products Unless Jointly Offered, Endorsed or Sponsored

GLBA Privacy Notices
Notices Must Describe Collection, Use and Sharing of Nonpublic Personal Information
Customers Must Receive Initial, Annual and Revised Privacy Notices
Consumers Must Receive Notice Before Non-Routine, Non-Compulsory Disclosure
Simplified Notices Permitted for Consumers, or if Disclosure is Limited to Routine or Compulsory Exceptions

GLBA Opt Out Notices
If Required, Opt Out Notices Must State:
• That Nonpublic Personal Information May Be Disclosed to a Nonaffiliate
• The Consumer has a Right to Opt Out
• A Reasonable Means to Opt Out
Reasonable Means May Include a Reply Form, a Toll-Free Telephone Number, or Electronic Means (If the Consumer Agrees)

Honoring GLBA Opt Outs
Opt Out May Be Exercised at Any Time
Opt Out May Be Partial
No Further Disclosure Subject to Opt Out
Financial Institution Must Comply With Opt Out As Soon As Reasonably Practicable
Opt Out Is Effective Until Revoked
Opt Out Continues for Customer Relationship After Relationship Terminates

FCRA Sharing and Marketing
Regulates Sharing and Use of Consumer Credit Information (“Consumer Reports”)
Some “Transaction or Experience” Sharing With Affiliates or Nonaffiliates Is Excepted
Affiliates May Share “Other Information” With Notice and Opportunity to Opt Out
FACTA Requires Opt Out for Marketing Use of Information Shared By Affiliates
Sources: 15 U.S.C. §§ 603(d)(1)-(2)(A), 624(a)

FCRA Affiliate Sharing Opt Out
Affiliates May Share Consumer Report Information Beyond Transactions or Experiences Only With Notice and Opt Out
Transactions or Experiences Include Balances, Histories, Some Opinions
Sharing Opt Out Is Distinct From, and Predates, Marketing Use Opt Out
No Specific Regulation, but May Be Combined With Marketing Use Opt Out

FCRA Marketing Use Opt Out
Required for Affiliates to Use Shared “Eligibility Information” for Marketing
Must Provide Reasonable Opportunity and Means to Opt Out (e.g., Mail, Telephone, or Electronic if Agreed, as with GLBA)
Not Required Annually; Can Be Combined
Effective for at Least 5 Years, Can Permit Longer or Indefinitely Until Revoked
After Expiration, Renewal Notice Required

FCRA Opt Out Exceptions
Marketing to Preexisting Customers
Marketing on Behalf of an Affiliate If That Affiliate Could Conduct the Marketing
Responding to Requests or Inquiries
Marketing With Information Shared Prior to October 1, 2008 (the Compliance Date)

ANY QUESTIONS?