A troublesome problem involving so-called "other information" under the Fair Credit Reporting Act has been lurking ever since the privacy provisions were included in the Gramm-Leach-Bliley Act.
The fair credit law distinguishes between "experience or transactional information" and "other information." The former is information relating to a person's own experience or transactions with a consumer and is not subject to the fair credit laws. In consequence, a person is not restricted under this law from sharing the information with any other person, including an affiliate.
"Other information" is any other type of facts, such as those derived from applications or credit reports, and is subject to the fair credit law. The latter classifies companies sharing this information as consumer reporting agencies and severely limits the purposes for which it may be shared. However, the sharing of "other information" among affiliated companies is exempt from the fair credit law if a company seeking to share gives notice of its intention to customers and a reasonable opportunity to opt out.
The privacy law, on the other hand, does not distinguish between these two types of information but includes both in the definition of "nonpublic personal information."
It generally prohibits a financial institution from sharing nonpublic personal information with unaffiliated entities without giving notice of its intention to customers and a reasonable opportunity to opt out. This prohibition does not apply if the sharing of such information falls into excepted categories. These include, for example, joint marketing arrangements, the use of nonaffiliated third parties to close transactions initiated by consumers, and disclosures that are required or permitted by law.
In enacting the privacy provisions, Congress made clear that, except for several technical amendments, nothing in the privacy law should be construed to modify, limit, or supersede the operation of the fair credit law. As a matter of statutory construction, it must be assumed that when Congress enacted the privacy law it believed the provisions of both it and the fair credit law were compatible. It empowered the bank regulatory agencies to prescribe regulations to achieve this compatibility.
The coexistence of the fair credit law and the privacy law raises questions as to what types of information may be shared with affiliates and nonaffiliated third parties consistent with the provisions of both schemes. The uncertainty engendered by these questions requires clarification by the bank regulatory agencies.
Here are a few of these questions:
- If a financial institution enters into a joint marketing agreement with another financial institution and shares "other information" with that institution for a permitted purpose under the privacy law, would the financial institution become subject to the fair credit law? Would the result be different if the other party were an affiliate?
- If a financial institution enters a service agreement with a nonaffiliated third party to examine the financial institution's records for compliance with banking regulations and shares other information with that party for a permitted purpose under the privacy law, would the financial institution become subject to the fair credit law?
- If a financial institution uses an affiliate to effect a transaction that has been authorized by a customer and other information is shared with the affiliate for a permitted purpose under the privacy law, would the fair credit law require that the institution give an opt-out notice to the consumer and a reasonable opportunity to opt out before such information may be shared? Alternatively, could the financial institution simply obtain the customer's written consent?
- If the third example involved a nonaffiliated third party rather than an affiliate, would the financial institution become subject to the fair credit law?
The common thread in all these examples is that the financial institution could be subject to the fair credit law if it shares other information with affiliates and nonaffiliated third parties in the very manner contemplated and permitted by the privacy law but fails to comply with its opt-out provision or otherwise fails to obtain the consumer's written consent.Is there a way to reconcile the apparent inconsistency?
The Federal Trade Commission, which has been interpreting the fair credit law for years, has said that a consumer reporting agency is a person who regularly assembles or evaluates consumer credit information or other information for the purpose of furnishing consumer reports to third parties and is paid or gets other benefits as part of a nonprofit cooperative arrangement for doing so.
Before enactment of the privacy law, financial institutions shared information with other persons to protect or further their own interests or to fulfill their obligations to consumers, shareholders, regulators, or in litigation without being deemed consumer reporting agencies under the fair credit law. The point the regulators should consider is that there is a difference whether information is assembled or evaluated by a person for its own purposes or for the purpose of sharing that information with other persons for their own purposes. In the former instance, a person should not be subject to the fair credit law; in the latter it should be.
It is reasonable to assume that Congress was aware that the sharing of information in these circumstances is an acceptable meeting point between the fair credit law and privacy law legislative schemes and codified this sharing by creating exceptions in the privacy law. Any interpretation of the privacy law that creates violations of the fair credit law through compliance with the privacy law exceptions can only render such compliance, difficult as it already is, almost impossible. It would also undermine the significance of such exceptions.
A careful review of the privacy regulations adopted by the bank regulatory agencies and the FTC suggests that they concur in this view.
In the final fair credit law regulations, the regulators have an opportunity to remove any doubt and make clear that if other information is shared as permitted under the privacy law exceptions, a financial institution will not be subject to the fair credit law.
Mr. Funk specializes in financial services law at Gallagher, Callahan, & Gartrell, a law firm in Concord, N.H.