Q1. I offer consumer checking
accounts. I notify my customers that, among other things, I make disclosures
as permitted by law. Merchants sometimes call me and ask whether a
particular consumer’s checking account has sufficient funds to cover
a check to the merchant. How does the privacy rule apply to my
response to the merchant’s question?

A1. The
privacy rule allows you to disclose nonpublic personal information
about your consumers without providing them a reasonable opportunity
to opt out under certain circumstances. These exceptions to the opt-out
requirement are described at sections 216.13-216.15 of the privacy
rule. For example, you do not need to allow your customer to opt out
of a disclosure made in connection with processing or clearing checks
(§ 216.14(b)(2)(vi)(A)) or for the purposes of preventing actual or
potential fraud, unauthorized transactions, claims, or other liability
(§ 216.15(a)(2)(ii)). Therefore, if you have notified your customer
that you make disclosures as permitted by law, you may disclose whether
your customer’s checking account has sufficient funds to cover a check,
regardless of whether or not the customer has exercised his or her
opt-out rights.

Be aware of the possibility that the caller may be attempting
to obtain information about your customer through false or fraudulent
statements to you. Toward this end, you must ensure that you respond
to the caller in accordance with the controls you have implemented
as part of your information-security program, as required by the applicable
provisions of the banking agencies’ Interagency Guidelines Establishing
Standards for Safeguarding Customer Information (the security guidelines).
See 66 Fed. Reg. 8616 (February 1, 2001).

6-7446
Q2. While we may confirm funds availability to a merchant where
our customer seeks to pay for merchandise with a check under the exceptions
in sections 216.14 and 216.15, may we confirm funds availability to
an individual who is not a merchant for the same purpose? For instance,
if our customer wants to use a check to purchase a used car from an
individual seller, may we respond to the seller’s request about the
availability of funds in the customer’s account under these exceptions?

A2. Whether or not someone is a “merchant” is
not material to determining if you may disclose customer information
pursuant to the exceptions in sections 216.14 and 216.15. You should
determine whether the third party to whom you intend to disclose information
actually is involved in carrying out a financial transaction that
is requested or authorized by your customer. Check verification is
permitted under the exceptions to the notice and opt-out provisions,
such as in connection with processing or clearing a check under section
216.14(b)(2)(vi)(A), and under section 216.15(a)(2)(ii) to protect
against or prevent actual or potential fraud or unauthorized transactions.

As discussed in the answer above, if you make such a disclosure
you should take appropriate measures to ensure that the individual
inquiring has a legitimate need for the information and is not engaging
in an attempt to obtain customer information fraudulently. Concerns
about properly safeguarding customer information are heightened in
a situation in which you disclose nonpublic personal information to
an individual rather than to a known merchant.

6-7447
Q3. I offer consumer checking accounts. I notify my customers
that, among other things, I make disclosures as permitted by law.
My checking account customers deposit checks made payable to my customer
but drawn on a financial institution unaffiliated with me. My practice
is to write my customer’s account number on the back of the deposited
check to facilitate its processing. The check itself then goes to
the maker’s financial institution, with my customer’s account number
on the check. Is this a disclosure of nonpublic personal information
that would be subject to opt-out requirements or the prohibition against
sharing account numbers?

A3. No. The opt-out
provisions do not apply to disclosures in connection with servicing
or processing a financial product or service that a consumer requests
or authorizes. Nor do they apply to disclosures that are required,
or are a usual, appropriate, or acceptable method in connection with
settling, processing, clearing, transferring, reconciling, or collecting
amounts charged, debited or otherwise paid (§§ 216.14(a), 216.14(b)(2)(vi)(A)).
Also, because the account number is added to the check solely for
use in processing the check and is not used in connection with marketing
by a third party, this disclosure is not prohibited by the ban on
disclosing account numbers for marketing purposes (§ 216.12).

6-7448
Q4. I made a loan to a consumer who defaulted. In trying to collect
the bad loan, I wish to learn information to locate the defaulting
borrower. I believe that a financial institution unaffiliated with
me may have some helpful information about the borrower. If I were
to ask that institution for information, I would disclose nonpublic
personal information, such as the fact that I have a loan to a particular
consumer. I previously notified my borrower that, among other things,
I make disclosures as permitted by law. Must I allow my borrower to
opt out of my question to the financial institution?

A4. No. You may disclose nonpublic personal information
to the financial institution without complying with the opt-out provisions
as necessary to enforce a consumer loan where the disclosure is required
or is one of the lawful or appropriate methods to enforce your rights
(§ 216.14(b)(1)).

6-7449
Q5. A financial institution that
is not affiliated with me made a loan to a consumer who defaulted.
In trying to collect the bad loan, the lender wishes to learn information
to locate the defaulting borrower. The lender believes that I may
have some helpful information about the borrower and asks me to disclose
nonpublic personal information. I notify my consumers that, among
other things, I make disclosures as permitted by law. May I disclose
nonpublic personal information to help the lender try to collect a
bad loan without providing opt-out notices?

A5. Where you have notified your consumer that you make disclosures
as permitted by law, you may make disclosures to “persons holding
a legal or beneficial interest relating to the consumer,” or under
the appropriate circumstances, “to protect against or prevent actual
or potential fraud, unauthorized transactions, claims, or other liability,”
without providing opt-out notices and a reasonable opportunity for
a consumer to opt out (§§ 216.15(a)(2)(iv), 216.15(a)(2)(ii)). Thus,
disclosures to the lender may be permissible without complying with
the opt-out provisions.

As stated above, you must be aware of the possibility
that the party requesting the information may be attempting to obtain
that information about your customer through false or fraudulent statements
to you.

6-7450
Q6. I make consumer loans. I notify my customers
that, among other things, I make disclosures as permitted by law.
A state law requires me to disclose to the state the names, addresses,
Social Security numbers, and account balances of individuals the state
believes have failed to make required child support payments. Does
the privacy rule require me to allow my customers to opt out of disclosures
to the state under this state law?

A6. No.
The privacy rule exempts from the opt-out provisions any disclosures
you make “[t]o comply with federal, state, or local laws, rules and
other applicable legal requirements” (§ 216.15(a)(7)(i)).

6-7451
Q7. Must I provide a privacy notice to consumers who are not my
customers when I have to report information about denied mortgage
applicants under the Home Mortgage Disclosure Act (HMDA)?

A7. No. If the information that HMDA requires you to
disclose is not personally identifiable, the privacy rule would not
apply to your disclosure of that information. Alternatively, if you
disclose nonpublic personal information to comply with the law, you
may disclose the information under section 216.15(a)(7)(i) without
providing a privacy notice to consumers who are not your customers.

6-7452
Q8. We often receive phone calls from auto dealers
or other financial institutions requesting loan-payoff amounts on
our customers. May we respond to these requests without providing
those customers with a reasonable opportunity to opt out of that kind
of disclosure?

A8. Yes, if the disclosure
is in connection with servicing or processing a financial product
or service from the third party that the customer has requested or
authorized. In your case, for example, you may disclose loan-payoff
information to a third-party lender where your customer seeks to refinance
the bank loan with the other lender. Alternatively, you may disclose
nonpublic personal information that is required, or is a usual, appropriate,
or acceptable method to carry out the transaction that the customer
has requested or authorized (§ 216.14(a)). This would be the case,
for example, if the car dealer accepts your customer’s car as partial
consideration for the purchase of another vehicle and wants to know
the outstanding amount on the customer’s car loan with you.

As discussed in response to several
of the questions above, you should be aware of the possibility that
the caller may be attempting to obtain information about your customer
through false or fraudulent statements to you. Toward this end, you
must ensure that you respond to the caller in accordance with the
controls you have implemented as part of your information-security
program.

6-7453
Q9. During the ordinary course of business, I may
request proof of insurance from a nonaffiliated insurance agency on
an automobile that serves as our collateral on a customer’s loan.
May I disclose customer information to the insurance agency in order
to obtain this information without triggering specific notice and
opt-out requirements?

A9. Yes, you may disclose
nonpublic personal information, such as the existence of your relationship
with a particular customer, to a nonaffiliated insurance agency in
order to obtain proof of insurance under the exceptions to the specific
notice and opt-out requirements in section 216.14. For example, you
could disclose nonpublic personal information under the exception
in section 216.14(b)(1) as a lawful or appropriate method to enforce
your rights in providing the loan.

6-7454
Q10. I make
wire transfers for consumers who are not otherwise my customers. Do
I have to provide an initial privacy notice to these consumers when
I only make a wire transfer for them?

A10. No.
Processing a wire transfer for a consumer on a one-time basis would
not create a customer relationship, even if the consumer repeatedly
requests that one-time service. Accordingly, you do not owe the consumer
an initial notice on that basis. Furthermore, this disclosure would
fall under the exception for processing a transaction that a consumer
has requested or authorized (§ 216.14(a)(1)). Consequently, you would
not be required to provide any privacy notices unless you also disclosed
nonpublic personal information about the consumer to nonaffiliated
third parties outside of an exception under section 216.14 or section
216.15. See section 216.4(a)(2).

6-7455
Q11. I use
a nonaffiliated third party to service consumer loans, and in this
arrangement I disclose to the servicer nonpublic personal information
about my borrowers. This arrangement seems to qualify for an exception
from both the notice and opt-out requirements, under section 216.14(a)(1).
At the same time, this arrangement seems to qualify for an exception
from opt-out requirements—but not from notice requirements—under section
216.13(a)(1). The latter exception requires me to provide notice to
consumers of the disclosures, and requires language in our contract
that restricts the servicer’s further disclosure and use of the nonpublic
personal information. When a servicing arrangement qualifies for two
differing exceptions, which applies?

A11. When
a disclosure qualifies for both the section 216.13 exception and a
section 216.14 or section 216.15 exception, you do not need
to comply with the notice and confidentiality provisions under section
216.13. Instead, you may make that disclosure solely in accordance
with an exception under section 216.14 or section 216.15.

6-7456
Q12. A community bank has an agreement with a mortgage company
to prequalify mortgage loan applicants prior to referring them to
the mortgage company for underwriting. As part of this agreement,
the community bank, among other things, (1) educates applicants about
home buying and about different types of loan products available;
(2) collects financial information and related documents; (3) assists
the applicant in understanding and resolving credit problems; and
(4) maintains regular contact with the applicant during the loan process
to apprise the applicant of the status of the application.

The community bank forwards the completed loan application
to the mortgage company for underwriting, origination and servicing.
After the loan is approved, the community bank has no further contact
with the applicant with respect to the applicant’s loan.

Does the bank have to provide
an initial privacy notice to the applicant? If so, does the bank have
to disclose this information-sharing arrangement in its privacy notice,
or is it covered by an exception in section 216.14 or section 216.15?

A12. If the bank does not already have a customer
relationship with the loan applicant, the services that the bank performs
pursuant to this program appear to give rise to a customer relationship
between the applicant and the bank as described in section 216.3(i)(2)(i)(F),
at least until the applicant has completed the loan process. As a
result, the bank would have to provide an initial privacy notice.
Whether the bank must disclose the information-sharing arrangement
with the mortgage company in its privacy notice depends on whether
the disclosure is permitted under one of the exceptions in section
216.13, 216.14, or 216.15.

If the bank and the mortgage company have an agreement
to jointly offer, endorse, or sponsor the mortgage company’s loan
product as described in section 216.13 and otherwise comply with the
confidentiality requirements of this section, the bank would have
to describe this arrangement in its privacy notice in accordance with
section 216.6(a)(5).

Where the bank discloses to the applicant that the mortgage
loan will be made by the mortgage company and not the bank, the bank’s
disclosure of the applicant’s nonpublic personal information to the
mortgage company would fall within the exception in section 216.14(a)(1),
to service or process a financial product the consumer has requested.
The bank would not have to specifically describe this information-sharing
arrangement in its privacy notice as long as the notice states that
the bank makes disclosures to nonaffiliated third parties as “permitted
by law” (§ 216.6(b)).

Finally, the bank could obtain the applicant’s specific
consent to disclose the applicant’s nonpublic personal information
to the mortgage company so the applicant may obtain the loan. In that
event, the disclosure would fall within the exception in section 216.15(a)(1).
The bank’s privacy notice may refer to this disclosure as “permitted
by law” (§ 216.6(b)).

Where the disclosure of information may be made pursuant
to an exception under both section 216.13 and either section 216.14
or section 216.15, the bank may rely on the latter exceptions, and
therefore would not have to specifically describe in its privacy notice
its disclosure arrangements under section 216.6(a)(5).

The mortgage company also will establish
a customer relationship with any applicant for whom it originates
a loan and will have to provide a notice of its privacy policies not
later than when it establishes the customer relationship.