The federal banking agencies have issued joint guidance on compliance with the Gramm-Leach-Bliley Act privacy rules. Issued as frequently asked questions (FAQs), the guidance covers various aspects of the privacy rules, including when banks must deliver privacy and opt-out notices, limits on use and disclosure of customer information, limits on disclosure of customer account numbers and how to comply with the requirements of the joint marketing exception. The FAQs illustrate how select provisions of the regulation apply to specific situations, but are not exhaustive. For example, the FAQs do not address the applicability of the Fair Credit Reporting Act (FCRA), but the agencies may supplement or revise the guidance as needed.
The guidance reminds banks that the rule applies to consumers, not businesses. For example, a sole proprietor is a business, not a "consumer" for purposes of the rule. And, while customers are distinguished from consumers under the privacy requirements, both are entitled to the same protection from disclosures of nonpublic personal information.
The FAQs supplement existing regulation on when annual notices must be sent (generally within 12 months of the last annual notice), how joint account-holders must be notified, and how opt-out provisions can be applied broadly or tailored to specific categories of information sharing at the option of the bank. The guidance offers information on handling opt-out requests from customers. While banks must provide a convenient means of opting out from information sharing, that does not include providing a self-addressed stamped envelope.
The FAQs attempt to address a number of questions affecting day-to-day bank operations that have arisen since the final privacy rule was issued. For example, it is permissible for banks to respond to inquiries about whether there are sufficient funds to cover an outstanding check or a request from an automobile dealer for the pay-off balance on a loan. However, the regulators also warn that when a bank discloses such information, it should use safeguards to protect against fraud.
Where a bank forwards a completed mortgage application to a mortgage company for underwriting and servicing, the bank may have established a customer relationship with the borrower depending on the bank's role in completing the application. This is an important analysis for the bank to undertake, since it may obligate the bank to provide a privacy notice to the applicant.
While a bank may include marketing materials from third-party vendors in account statements, the regulators also warn that the bank should take care to ensure that the marketing materials do not facilitate a customer's unwitting disclosure of nonpublic personal information when responding to the marketing materials, e.g., through the use of a code number on the flyer that would identify the individual as a customer of the bank. And while disclosure of account numbers is strictly limited by both the statute and regulation, the FAQs assure banks that writing a depositor's account number on the back of the check is permissible in processing the payment. Similarly, disclosure of account information to state child welfare agencies is also permissible under the exceptions to the privacy rule.
Several questions address compliance with the joint marketing exception to the opt-out requirement. The guidance stresses that to qualify for the exception, information may only be shared for the purpose of jointly marketing financial products with another financial institution (e.g., insurance or securities). The financial product must be jointly marketed by both parties subject to a written agreement that restricts use of the information by the other party. Merely having a dual employee will not qualify for the exception. In addition, joint marketing arrangements must be disclosed in the privacy notice.
Finally, the guidance describes when security and confidentiality clauses must be included in contracts with the bank's service providers who have access to bank customer information.
The full text of the guidance is available at www.occ.treas.gov, www.federalreserve.gov/boarddocs/press/general/2001/200112122/default.htm or www.fdic.gov/news/news/press/2001/pr9301.html.
In addition to the FAQs, the OCC recently issued guidance on the privacy rule specifically designed for small banks. The Small Bank Compliance Guide provides an overview of a bank's obligations under the privacy rule, a summary of the rule and the just-released FAQs. The Guide is available on the OCC's Web site at www.occ.treas.gov.