The five federal financial regulatory agencies have jointly issued final regulations implementing Section 214 of the Fair and Accurate Credit Transactions Act (FACTA), which amends the Fair Credit Reporting Act (FCRA). The regulations allow consumers to opt out and prevent a financial institution from using information provided by an affiliated company to market its products and services to the consumer. These regulations impose requirements for information sharing that exceed the requirements of the Gramm-Leach-Bliley Act, which imposes no limitations upon information sharing with affiliates. These new regulations also do not supersede or replace existing provisions in Section 603 of FCRA concerning the consumer's right to opt out of allowing consumer information other than transaction and experience information, including credit report or credit information on the consumer taken from other sources, to be shared between affiliates. A financial institution's failure to comply with these regulations may result in the financial institution being treated as a consumer reporting agency under FCRA.
In general, the regulations prohibit a financial institution from using information received from an affiliated institution to solicit a customer unless that customer has been given notice of the intended solicitation and a reasonable opportunity and a simple method by which to opt out of such solicitations - and has chosen not to opt out.
The rule applies to information obtained from the consumer's transactions or account relationship with the affiliate of the potential advertising institution, any application the consumer has submitted to that affiliate, and any information held by third-party sources such as credit reports, if the information is to be used for marketing purposes.
The rule specifies that the opt-out must be valid for at least five years, and after the opt-out period expires, the customer must be given an opportunity to renew the opt-out before marketing is permitted.
The affiliate that has, or previously had, a business relationship with the consumer must be the one to provide the consumer with notice of the opportunity to opt out of the marketing effort. The rule contains a number of exceptions to the notice and opt-out requirements, such as situations in which the marketing affiliate has a pre-existing business relationship with the consumer, or is responding to a consumer-initiated request for information.
An appendix contains model forms to assist financial institutions in complying with the notice and opt-out requirements. Financial institutions are urged to consider combining the affiliate marketing opt-out notice under these regulations with the annual Gramm-Leach-Bliley privacy notice, so that consumers receive a single notice they can use to review and exercise all privacy opt-outs.
The rule took effect January 1, 2008, with a mandatory compliance date of October 1, 2008.