The final privacy regulations adopted by the federal banking agencies in mid-May are a marked improvement over the initial proposals issued in February. They ease the impact on financial institutions and provide much-needed clarification through sample disclosure language and other examples.
However, these final regulations retain the expansive interpretations of key terms that will place additional categories of consumer data under the regulations' restrictions on disclosures to nonaffiliated third parties. Also, despite the agencies' frequent use of examples, the regulations are not always a model of clarity, with answers to a number of practical questions either not readily apparent or left for another day.
The basic requirements for banks and thrifts are fairly straightforward. Individuals obtaining financial products and services primarily for personal, family, or household purposes are defined as "consumers" in the rules. Consumers must receive initial notices setting forth their institutions' privacy and information-sharing policies when they establish a customer relationship with a financial institution. For as long as such individuals remain customers, they must also receive annual privacy notices.
Customers must also be notified of their opt-out right to prevent an institution from disclosing nonpublic personal information about them to nonaffiliated third parties, and be given a reasonable opportunity to exercise that right. However, customers will not have the right to opt out if such information is shared with nonaffiliated third parties under the terms of a joint marketing or service agreement, or pursuant to one of the other statutory exemptions available.
The most important good news coming out of the final rules is that compliance with the privacy requirements will not be mandatory until July 1, 2001.
Another significant improvement to the final rules is the inclusion of sample disclosure language in a new appendix. Many institutions had feared that they would need to prepare lengthy and detailed initial and annual privacy and opt-out notices. The sample clauses in the appendix, which are relatively short and general in nature, should largely dispel such concerns.
As an added incentive to use the regulations' model language, the federal agencies have included a safe harbor provision: institutions that either use the sample disclosure language in their notices or follow an example given in the regulations will be deemed to be in compliance with the applicable disclosure requirements.
Some of the other agency decisions and clarifications incorporated into the final regulations that are likely to ease banks' and thrifts' compliance burden include:
- Only one set of initial, annual, and opt-out notices need be sent for a joint deposit account or a loan with co-borrowers.
- Customers need not receive new privacy notices when they get new financial products or services as long as the institution's most recent notice is still accurate.
- Initial privacy notices may be sent after a customer relationship is established in order to avoid "substantial delay" (for example, for financial transactions conducted over the telephone) or when the customer's account or loan is transferred from one financial institution to another.
- Disclosures of nonpublic personal information to nonaffiliated third parties to verify the availability of funds, or to obtain loan payoff information, are permitted without prior customer consent.
The final regulations also contain extensive guidance on how the applicable notice and opt-out requirements will apply to former customers, Internet customers, and borrowers whose loans are either serviced by or sold to third parties.
While the federal banking agencies were able to respond to industry concerns to some degree in the final regulations, they were unwilling to reverse themselves on two key issues.
First, the agencies continue to treat individuals who have applied (but have not yet been approved) for a financial product or service such as a loan or insurance policy as "consumers," based on the somewhat attenuated notion that they are obtaining a financial service when a financial institution evaluates their applications. Thus a bank or thrift could not furnish any nonpublic information that it had collected about rejected loan applicants to an unaffiliated finance company unless it first complied with the notice and opt-out requirements.
Second, the federal agencies stood by their earlier decision that the existence of a customer relationship is by itself nonpublic personal information. Consequently, a customer will be able to prevent a bank or thrift from including his or her name and address on a customer list given to nonaffiliated third parties.
As banks and thrifts begin to implement the new rules, more practical questions left largely unanswered by the final regulations are sure to arise. To mention just a few:
- Will a bank or thrift be required to include an opt-out reply form with its annual privacy notices if it does not provide customers with a toll-free number they can call to opt out?
- Will an institution be able to condition a financial product or service such as an ATM withdrawal upon a consumer's agreement not to exercise his or her opt-out rights?
- How can an institution disclose publicly available information about a customer to nonaffiliated third parties without revealing the existence of a customer relationship?
In view of these and other likely uncertainties, the federal banking agencies should issue further interagency guidance in a Q&A or other similar format, as they have already done for the Community Reinvestment Act.
Mr. Buchman is a partner at Holland & Knight LLP, a Washington law firm.