A final regulation published November 7, 2007, in the Federal Register by the US banking regulators (the Federal Reserve Board, OCC, OTS, FDIC and National Credit Union Administration) implements the affiliate marketing provisions enacted as part of the Fair and Accurate Credit Transactions Act of 2003. The Federal Trade Commission published a similar rule on October 30, 2007; the SEC has not yet finalized its proposal.

Under these new regulations, which are effective January 1, 2008, with a mandatory compliance date of October 1, 2008, a bank (and certain of its subsidiaries) that is supervised by one of the US regulators mentioned above may not use a consumer's "eligibility information" (such as income, account history and credit score) that it received from its affiliate in order to market that bank's products to that consumer, unless the consumer has been given a chance to opt out of such use of that information. There are limited exceptions to the general rule, including where the banking organization has a pre-existing business relationship with the consumer, or where the affiliate uses its own information to market the bank's products to those customers who meet certain parameters provided by the bank; in the latter case, the specific consumer's information is not directly used by the bank.

The consumer may block information from being used by all or just some members of a corporate group. Each opt-out is good for at least five years, and the banking organization may extend such period indefinitely either by stating the opt-out has no end, or by not sending an opt-out renewal notice. The notice may be provided by the banking organization alone or all the companies in the group may issue a combined notice, so long as all such affiliates are identified in the notice. The notice must provide a "simple and reasonable method" for the consumer to opt out. Model forms of opt-out notices are included in the new regulation.

Consumers understandably may be confused about the various uses of their personal information by a banking organization and/or its affiliates and what their options are to block the sharing and use of such information. This final rule joins (i) the privacy regulations under the Gramm-Leach-Bliley Act, under which a financial institution may not share a person's non-public personal financial information with non-affiliates without the person being given the chance to opt out of such sharing and (ii) the regulation prohibiting a company from sharing with affiliates certain information regarding a consumer's general creditworthiness or character that might be used to determine eligibility for such purposes as obtaining credit or employment, unless the consumer has been given the opportunity to opt out of such a sharing arrangement.

These new regulations permit the use of a common form, setting out a consumer's choices under all three rules. One can only hope for the best that such a common form would indeed make communication of the consumer's choices less, and not more, confusing. The final rule may be accessed on any of the banking agencies' websites.