Q1. Who must comply with the privacy rule?

A1. Any financial institution that provides financial products or services to consumers must comply with the privacy provisions of title V of the Gramm-Leach-Bliley Act (GLB Act) (15 USC 6801-6809) and the privacy rule. Under the banking agencies’ rules,¹ you are a financial institution if you engage in an activity that is financial in nature or incidental to a financial activity, as described in section 4(k) of the Bank Holding Company Act of 1956 (BHC Act) (12 USC 1843(k)). For purposes of the banking agencies’ rules, activities “described in section 4(k) of the BHC Act” include the activities specifically listed in section 4(k) and any additional activities the Board, in consultation with the secretary of the Treasury, determines to be financial in nature or incidental to a financial activity in accordance with section 4(k).

Q2. I am a small financial institution with no affiliates. I do not disclose information about my customers or consumers to anyone, except as permitted by an exception under sections 216.14 and 216.15 of the privacy rule. ² Does the privacy rule apply to a small operation like mine?

A2. Yes. You have responsibilities under the privacy rule regardless of your size, affiliate relationships, or information-collection and disclosure practices. The privacy rule is focused not only on regulating the disclosure of financial information about customers and consumers, but also on requiring each financial institution to provide initial and annual notices of its policies to its customers. You may, however, provide notice in a simplified form, as illustrated by the notice described in section 216.6(c)(5).

Q3. I provide trust services. In this capacity, I serve as the trustee of trusts whose beneficiaries are individuals. Does the privacy rule apply to my trust operations?

A3. When you act as a trustee, you have a relationship with the trust. Because the trust itself is not an individual, it is not a consumer under the privacy rule. Even if the grantor and all the beneficiaries are individuals, neither the grantor nor any of the beneficiaries are your consumers solely because of their relationship to the trust. If, for example, the trust requires you, as trustee, to transfer money to a beneficiary, you provide that financial service to the trust rather than the individual who is the beneficiary. In other words, grantors and beneficiaries of a trust are not your consumers unless they directly obtain a financial product and service from you for their personal, family, or household purposes. Accordingly, you do not have any obligations under the privacy rule with respect to the trust. Your duties as a fiduciary, however, may require you to maintain the confidentiality of information about the trust, its grantor, and its beneficiaries.

Q4. I act as a custodian for individual retirement arrangements (IRAs). Are the individuals who own the IRAs my customers?

A. Yes. An individual who establishes an IRA account for which you act as a custodian has obtained a financial product or service that is to be used primarily for personal, family, or household purposes; therefore, he or she is a consumer. When an individual selects you to act as custodian for his or her IRA, the individual enters into a continuing relationship with you and becomes your customer under the privacy rule. By contrast, an individual who is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as trustee or fiduciary is not your customer because your relationship in that case is with the plan.

Q5. I am a tax-return preparer and I understand that I may be subject to the privacy rule concerning the disclosure of my clients’ nonpublic personal information. However, I also am subject to section 7216 of the Internal Revenue Code, which restricts the use and disclosure of my customers’ federal tax return information. Do the privacy provisions of the GLB Act and the privacy rule supersede the restrictions in section 7216? May I now disclose my customers’ federal income tax return information after I provide them with the proper notices and give my customers a reasonable opportunity to opt out?

A5. No. The privacy rule does not supersede the restrictions in section 7216. The GLB Act and the agencies’ implementing regulations do not authorize a financial institution to disclose nonpublic personal information in a way that is prohibited by some other law. Therefore, you may not avoid the restrictions of section 7216 by providing your customers with an opt-out notice and a reasonable opportunity to opt out.

Q1. Why does the privacy rule sometimes refer to consumers and other times to customers? Aren’t customers also consumers?

A1. All customers are consumers, but not all consumers are customers. A consumer is an individual who obtains a financial product or service from you that is primarily for personal, family, or household purposes. A financial product or service includes the evaluation or brokerage of information collected in connection with a request or application, such as a bank’s review of loan-application materials to determine whether an applicant qualifies for a loan. A customer is a type of consumer, namely, an individual who has an ongoing relationship with you under which you provide a financial product or service. Note that neither a business nor an individual who obtains a financial product or service for business purposes is a consumer or a customer under the privacy rule.

Q2. I occasionally make business loans to sole proprietors. Do I have to provide them with a privacy notice?

A. Although a sole proprietor is an individual, if the sole proprietor obtains a loan from you for business purposes he or she is not a consumer for purposes of the privacy rule. Therefore, you do not have to provide any privacy notices to the sole proprietor.

Q3. Is a guarantor or an endorser of a consumer loan considered my consumer or customer?

A3. A guarantor or endorser of a consumer loan is your customer because the individual assumes secondary liability on the loan he or she guarantees or endorses and thereby receives an extension of credit from you. You may, however, treat the primary borrower and the guarantor or endorser as joint account holders. As a result, you may deliver a single privacy notice to the joint account holders in accordance with section 216.9(g). If you disclose information to nonaffiliated third parties outside of the exceptions in sections 216.13-216.15, you must also provide the primary borrower and the guarantor/endorser with an opportunity to opt out. You may deliver a single opt-out notice to the joint account holders under section 216.7(d).

Q4. Non-U.S.-resident consumers conduct business at my U.S. offices. Do the privacy regulations apply in cases where consumers live in another country?

A4. Yes. The privacy regulations apply to all United States offices of entities for which the federal financial institution regulators have primary supervisory authority, regardless of where the consumer lives.

Q5. Is a person who only browses my web site my consumer?

A5. No. The person does not obtain a financial product or service from you merely by browsing your web site.

Q1. I issue credit cards to consumers. Very often, I take credit card applications by telephone and approve them within minutes. My customers wish to begin using their new accounts right away. When must I deliver initial notices in these cases?

A1. You cannot deliver your privacy notice solely by explaining it over the telephone. However, you may provide an initial notice within a reasonable time after establishing a customer relationship if (i) providing it when you establish that relationship would substantially delay the customer’s transaction and (ii) the customer agrees to a later delivery. In the case of approving a credit card application by telephone, waiting until you have time to mail the notice would substantially delay the customer’s use of a new credit account. As long as your new customer agrees to receive the notice later, you may deliver it within a reasonable time after establishing the customer relationship.

Q2. I am a financial institution with several subsidiaries. Must each affiliated financial institution issue a separate privacy notice? If affiliated financial institutions are permitted to combine their notices, how may we identify them in the notice?

A2. You and your subsidiaries may share common privacy policies and practices and you may combine your respective privacy notices into a joint notice. However, any joint notice must be accurate as to each institution, must be clear and conspicuous, and must identify which institutions it covers.

Q3. My privacy notice must identify “categories” of nonpublic personal information I collect and categories of affiliates and nonaffiliated third parties with which I share that information. How detailed do the categories need to be?

A3. The privacy rule does not require your privacy notices to describe in detail the information you collect or disclose. Moreover, you are not required to identify by name parties to whom you may make disclosures. Rather, you may describe the types, or categories, of information you collect and disclose, and the types of third parties to whom you disclose the information. These categories must be representative of your policies and practices. Because the examples in the rule that describe categories of information and parties to whom you disclose information are not exclusive, you may describe the items in section 216.6(a)(1)-(9) that apply to you by using other reasonably understandable language that informs a consumer about your privacy policies and practices. You also may use different language and may provide additional detail as appropriate to explain your policies and practices to your consumers. In addition, the privacy rule requires you to address only those items that apply to you. Your initial notice must accurately describe your policies and procedures as of the time you provide the notice to a consumer or customer. A notice also may be accurate even if it reflects anticipated as well as current policies and practices.

Q4. Won’t my annual notice look just like my initial notice?

A4. The initial and annual notices may be identical because the required contents for your initial notice are the same as those for your annual notice. You must, of course, incorporate any revisions you make to your privacy policy into your annual notice.

Q5. After I provide an initial privacy notice to my customer, the privacy rule requires me to deliver privacy notices to that customer not less than annually during the continuation of the customer relationship. What does “annually” mean?

A5. “Annually” means at least once in any period of 12 consecutive months during which a customer relationship exists. If you use the calendar year as your notice period, you have the flexibility to give the first annual notice to a customer at any point in the calendar year following the year in which the customer relationship is established. Thereafter, you are expected to provide annual notices on a consistent basis. Any period of more than 12 consecutive months between annual notices should have an appropriate business justification.

Q6. Can I combine my privacy notice with other consumer disclosures, such as those under the Truth in Lending Act (Regulation Z) or the Truth in Savings Act (Regulation DD)?

A6. The privacy rule does not prohibit you from combining your privacy notices with other information. However, you still must comply with all applicable requirements, such as those governing form, content, and delivery of notices. For example, if you combine your privacy notice with a disclosure under Regulation Z or Regulation DD, each component of the combined notice/disclosure must comply with the “clear and conspicuous” requirements in the regulation governing that component.

Q7. I do not disclose any nonpublic personal information about my customers to any affiliates or nonaffiliated third parties, except under the conditions described in sections 216.14 and 216.15 (exceptions to notice and opt-out requirements). What aspects of my privacy policies and practices must my notice address?

A7. In this case, you may use a simplified notice. A simplified notice is sufficient if it—

Q8. I own and operate several ATMs. Many consumers who use them are not my customers. I disclose to nonaffiliated third parties nonpublic personal information about those consumers other than as permitted by the exceptions in sections 216.14 or 216.15, so I must provide them with the required notices when they use my ATMs. But ATM screens are very small. Am I required to purchase machines with screens large enough to hold my privacy policy? Must I make consumers click through dozens of tiny screens of information?

A8. Neither new machines nor multiple screens are necessary. You must provide an opt-out notice, as required under section 216.7. This notice must state that you disclose nonpublic personal information about the consumer to nonaffiliated third parties, state that the consumer has a right to opt out of that disclosure, and provide a reasonable opportunity for the consumer to opt out (such as by requiring the consumer to decide whether to opt out as a necessary part of the transaction) (§ 216.10(a)(3)(iii)). In addition to the opt-out notice, you must provide an initial privacy notice. For consumers who are not your customers, you may provide a short-form initial notice with an opt-out notice (§ 216.6(d)). This short-form notice must state that your privacy policy is available upon request, and it must describe a reasonable means for the consumer to get your privacy notice. As with any privacy notice, the opt-out notice and the short-form initial notice must be clear, conspicuous, and accurate. These notices must be delivered in a manner so that the consumer can agree to receive the notices electronically, such as by acknowledging receipt of the notices as a necessary step to completing the transaction at the ATM (§ 216.9(a)).

Q9. I am a small bank. I want to offer credit cards to my customers, but I am too small to handle a credit card operation. Instead, I contract with others to help me. When my customer indicates an interest in getting a credit card, I supply an application form. That form makes clear that the lender is a large bank (large bank). I am not affiliated with the large bank. The customer sends the completed form directly to the large bank, so that I do not “collect” the application information within the meaning of section 216.3(c). The large bank issues the credit card for approved applicants, with its name on the back. My name and logo are prominent on the front of the credit card. Who must provide the initial privacy notice?

A9. When a financial institution makes a consumer loan, as the large bank does in this case, it has a customer relationship with that consumer. The large bank, therefore, must provide an initial privacy notice and must provide annual notices as long as the credit card relationship continues. You are not required to send any new notices to your customers because you do not appear to be providing any financial product or service to them in connection with this credit card product.

Q1. I have two depositors who hold one account jointly. The depositors share the same address. When notice is required, may I mail just one privacy notice?

A1. Yes, you may mail one notice to two or more joint account holders at the same address (§ 216.9(g)).

Q2. What if those same account holders have different addresses?

A2. You still may mail one notice to all account holders jointly at one account holder’s address (§ 216.9(g)).

Q3. One account holder, A, maintains with me a single account and a joint account with another consumer, X. What are my obligations to send privacy notices to A and X? Can I satisfy the initial privacy notice requirement by sending just one notice?

A3. In some cases, one notice may be sufficient. For example, if A and X open the joint account first and A subsequently opens an individual account, you need not provide an additional initial notice to A if the most recent notice you provided to A as part of the joint account is accurate as to the individual account (§ 216.4(d)). If A already has an individual account with you but X becomes your customer at the time the joint account is opened, you must provide an initial notice to X with respect to the joint account (§ 216.4(a)). However, you may deliver the initial notice either to A or to X by providing one notice to those consumers jointly (§ 216.9(g)). For example, you may deliver one notice addressed to both A and X. You subsequently may satisfy the annual- and revised-notice requirements by sending one notice regarding the joint account either to A or X.

Q4. One depositor, A, has two different joint accounts, one with X and the other with Y. When annual or revised notices are required as to both accounts, how many notices must I provide?

A4. Annual and revised notices pertaining to each of the joint accounts may be provided either to A or to both of the other account holders respectively. Thus, one notice to A is sufficient, as long as the notice is accurate as to both accounts (§ 216.9(g)). The privacy rule does not require you to mail two identical notices to A, one for each account.

Q5. Assume the same facts as question D.4. What if the two joint account holders with A, X, and Y, have different addresses?

A5. You still may provide one notice to A. However, in any communications with X and Y, you must not disclose to X the fact that A has a joint account with Y, nor may you disclose to Y that A has a joint account with X, unless you have a reasonable basis to believe this information is publicly available.

Q1. I have two depositors who hold one account jointly. Must I deliver a separate opt-out notice to each account holder and allow each of them to opt out individually? Suppose I mail only one opt-out notice for that account, and one of the joint holders checks “I opt out” and returns it to me. To whom does the opt-out decision apply?

A1. You may deliver either a single opt-out notice to one of the account holders or a separate notice to each account holder. In either case, the notice must permit one joint account holder to opt out on behalf of all holders of the account. So long as your notice fulfills this requirement, you also may permit joint account holders to opt out individually.

Q2. I allow joint account holders X and Y to make independent opt-out elections. For opt outs, I use reply forms with check-off boxes. Must I mail two opt-out response forms for one joint account?

A2. No, only one is necessary. However, you must allow each account holder a reasonable amount of time to opt out before disclosing any nonpublic personal information about him or her. For example, suppose you normally allow each consumer 30 days to opt out, and you immediately receive an opt-out instruction from X but not from Y. You still must allow Y the standard 30 days to opt out before you may disclose any nonpublic personal information relating to the joint account. You may disclose nonpublic personal information about Y if Y does not opt out within the reasonable opt out period, but only to the extent such a disclosure would not reveal nonpublic personal information about X.

Q3. I allow joint account holders to make independent opt-out elections. May I require each account holder to opt out in a separate response?

A3. No. You must allow both account holders a reasonable opportunity to opt out in one response, such as one opt-out form or in one call to your toll-free opt-out line.

Q4. I allow joint account holders, X and Y, to make independent opt-out elections. Suppose that X opted out, but Y did not respond. What nonpublic personal information about X and Y may I disclose?

A4. Because X has opted out, you must not disclose any nonpublic personal information about X, except as permitted by an exception at section 216.13, 216.14, or 216.15. In addition, you must not disclose nonpublic personal information about Y except as permitted by an exception if the disclosure of that information also would disclose nonpublic personal information about X.

Q1. Must I provide opt-out notices if I do not disclose nonpublic personal information to nonaffiliated third parties, except as permitted under one of the exceptions under section 216.13, 216.14, or 216.15?

A1. No. If you disclose nonpublic personal information only under one or more of those exceptions, you need not provide any opt-out notices. Nonetheless, be aware that if you disclose nonpublic personal information under section 216.13, then you must provide an initial notice that includes a separate statement that describes that disclosure. Also, you must provide an annual notice to your customers regardless of your disclosure policies and practices (§ 216.5).

Q2. What are some reasonable means of allowing consumers an opportunity to opt out?

A2. You may provide various opt-out methods that are reasonable, depending on the circumstances surrounding the financial product or service. For example, for new customers who open credit card accounts, you may deliver a form with a check-off box that they can check and return to you. If you use this method, you must deliver the check-off form with your opt-out notice. You also may provide a toll-free telephone number that consumers can call to opt out (§§ 216.7(a)(2)(ii), 216.10(a)(3)(i)).

Q3. If I allow my customers to mail a form to indicate their opt-out election, am I required to provide my customers with a postage-paid envelope so they can mail the form back?

A3. No. You are not required to provide an individual with a postage-paid envelope to meet the requirement that you provide a reasonable means for consumers to opt out.

Q4. In our initial and annual notices, our bank would like to provide a tear-off opt-out form and our privacy policies on the front and back of a single sheet of paper. Is this permissible?

A4. Yes, provided the opt-out form may be detached without removing text from your privacy policy. However, if by detaching the opt-out form the customer removes text from the privacy policy, the practice may violate section 216.9(e). This section requires a financial institution to provide its privacy notices in a form in which a customer can retain them or obtain them later. If the customer would remove text from your privacy policy by detaching the opt-out notice, then you should either redesign the privacy notice or have procedures in place to provide a customer with the complete text of your privacy notice upon request.

Q5. I provide consumer credit cards. I would like to disclose to nonaffiliated third parties different types of nonpublic personal information about my customers, such as their addresses and their account information. The nonaffiliated third parties are not financial institutions with which I have a joint agreement. I realize that I must allow my customers to opt out of all these disclosures, but may I give them the choice to opt out of disclosures of certain categories of information as well as all categories of information to nonaffiliated third parties?

A5. Yes. You must allow your customers to opt out of all these disclosures to nonaffiliated third parties. Additionally, you may allow your customers to choose to opt out of some types of disclosures, rather than simply all of those disclosures. For example, you may allow your customers to opt out of disclosures of account information and provide a separate opportunity for customers to opt out of disclosures of their addresses (§ 216.10(c)).

Q6. I make consumer loans. I would like to disclose my customer list to nonaffiliated clothing retailers and to nonaffiliated automobile dealers. These nonaffiliated third parties are not financial institutions with which I have a joint agreement. I realize that I must allow my customers to opt out of all these disclosures. But may I also give them the choice to opt out of disclosures to certain kinds of nonaffiliated third parties without having to opt out of disclosures to all kinds of third parties?

A6. Yes. You must allow your customers to opt out of all these disclosures. Additionally, you may allow your customers to choose to opt out of disclosures to some kinds of nonaffiliated third parties instead of simply all of those parties. For example, you may allow your customers to opt out of disclosures to clothing retailers and allow a separate opportunity for the same customers to opt out of disclosures to automobile dealers.

Q7. We deliver opt-out notices by mail and allow our new customers 30 days to opt out before we begin sharing their information with nonaffiliated third parties. Section 216.7(e) provides that a financial institution must comply with a consumer’s opt-out direction as soon as reasonably practicable after the financial institution receives it. It may take our bank up to five weeks to process an opt-out direction. If we mail a new customer a privacy and opt-out notice on September 1 and we receive the customer’s opt-out direction on September 15, may we share that individual’s nonpublic personal information between September 15 and October 21, the date by which we can process the opt out?

A7. No. Because your question concerns a new customer rather than an existing one, the standard in section 216.10(a)(1) rather than that in section 216.7(e) applies. Section 216.10(a)(1) of the privacy rule provides that a financial institution may not share a consumer’s nonpublic personal information unless the institution has given the consumer an initial privacy notice, an opt-out notice, and a reasonable opportunity to opt out, and the consumer has not opted out. If your customer opts out at any point within the 30-day period in your example, then you would not be able to disclose that individual’s information to nonaffiliated third parties unless the customer subsequently revoked the opt-out direction (§ 216.7(g)(1)).

Q1. I disclose nonpublic personal information about my customers to the servicer so the servicer can process transactions that the customers have requested. May the servicer disclose the information it collects from me about my customers to a retail merchant that is not affiliated with me?

A1. Generally, no. When the servicer receives nonpublic personal information about your customers under an exception to the notice and opt-out provisions, such as in connection with servicing your loans, the servicer’s use and disclosure of that information is limited. The servicer must not disclose any nonpublic personal information to a retail merchant not affiliated with you unless the servicer may do so under an applicable exception in section 216.14 or 216.15. For example, the servicer may not provide information about your customers to the retail merchant for marketing purposes.

Q2. May the servicer disclose the nonpublic personal information to my affiliate?

A2. Yes. The privacy rule explicitly provides that the servicer may disclose the information to your affiliate (§ 216.11(c)(1)).

Q3. May the servicer disclose the information to the servicer’s affiliate?

A3. Yes, but the servicer’s affiliate may disclose and use the information only as the servicer could disclose and use it (§ 216.11(c)(2)). The servicer’s affiliate therefore may use the information to service your loans. The affiliate also may disclose the information under an applicable exception in section 216.14 or 216.15 in the ordinary course of business to carry out the activity covered by the exception under which the servicer received the information.

Q4. I disclose information about my customers who do not opt out to a residential plumbing company. Can the plumbing company use the information for marketing purposes?

A4. Yes. This is permissible because you disclosed nonpublic personal information to the plumbing company in accordance with the notice and opt-out provisions of the GLB Act (§ 502(a)-(b) of the act, codified at 15 USC 6802(a)-(b)). In other words, you disclosed information about a consumer consistent with your privacy notice and the consumer’s choice not to opt out.

Q5. One of my affiliates sells insurance. May the plumbing company, who received my customers’ information outside an exception, disclose that information to my affiliated insurer?

A5. Yes. The privacy rule explicitly provides that the plumbing company may disclose the information to your affiliate (§ 216.11(d)(1)).

Q6. I disclosed information to the plumbing company outside an exception. The plumbing company is affiliated with an air conditioning company. The air conditioning company is not affiliated with me. May the plumbing company disclose my consumers’ nonpublic personal information to that air conditioning company?

A6. Yes. The privacy rule permits a party that receives nonpublic personal information outside of an exception to disclose that information to its affiliates. In this case, therefore, the plumbing company may disclose the information to its affiliated air conditioning company. However, the affiliated air conditioning company may, in turn, disclose the information only to the extent that the plumbing company may, consistent with your privacy notice (§ 216.11(d)(2)).

Q7. I disclosed information to the plumbing company outside an exception. May the plumbing company disclose my consumers’ nonpublic personal information to a nonaffiliated automobile parts retailer?

A7. Yes. The privacy rule permits a party that receives nonpublic personal information outside of an exception to disclose that information to another nonaffiliated third party, provided that it would be lawful for the original financial institution to make that disclosure directly to that party. Under your privacy notice, it would be lawful for you to disclose nonpublic personal information about those consumers who chose not to opt out to the automobile parts retailer (§ 216.11(d)(3)). However, the plumbing company could not disclose nonpublic personal information obtained from you to other nonaffiliated retailers if your privacy policy would not permit such disclosures.

Q1. I am a depository institution. I transform my customers’ account numbers into encrypted forms that can be used solely to identify those customers. I enter into an arrangement with a third-party telemarketing firm whereby I disclose my customers’ names, telephone numbers, and encrypted identifying numbers. The third-party telemarketing firm uses that information to market products (other than products I offer) to those customers. For those customers who agree to purchase the products, the third-party telemarketing firm submits their encrypted identifying numbers to me, and I decrypt them into account numbers. At the end of this process, am I permitted to disclose the customers’ actual account numbers to the third-party telemarketing firm so that the telemarketing firm can initiate the charges to the customers’ accounts?

A1. No. Section 216.12 generally prohibits you from disclosing credit card, deposit, or other transaction account numbers “for use in telemarketing, direct-mail marketing, or other marketing through electronic mail to the consumer.” Accordingly, you must not provide your customers’ account numbers to the third-party telemarketing firm “for use in telemarketing.”

Q2. I would like to enter into an arrangement with a nonaffiliated insurance agency that markets its products to my customers through direct-mail solicitations. The proposed arrangement contemplates that I would disclose a customer’s account number to the insurance agency’s affiliate. The affiliate then would use the account number to debit the purchase price from my customer’s account in response to these solicitations. The affiliate’s only role in the arrangement would be initiating the charges. Does the privacy rule allow me to disclose a customer’s account number to the insurance agency’s affiliate under these circumstances?

A2. No. The privacy rule prohibits you from disclosing your customers’ account numbers to any nonaffiliated third party for use in marketing (§ 216.12(a)). Although the affiliate in your hypothetical does not distribute marketing materials but only initiates charges, its conduct of that activity is an integral part of your marketing arrangement with the insurance company. The disclosure of a customer’s account number to the insurance company’s affiliate under these circumstances therefore would be a disclosure for use in marketing that violates the privacy rule.

Q1. I offer consumer checking accounts. I notify my customers that, among other things, I make disclosures as permitted by law. Merchants sometimes call me and ask whether a particular consumer’s checking account has sufficient funds to cover a check to the merchant. How does the privacy rule apply to my response to the merchant’s question?

A1. The privacy rule allows you to disclose nonpublic personal information about your consumers without providing them a reasonable opportunity to opt out under certain circumstances. These exceptions to the opt-out requirement are described at sections 216.13-216.15 of the privacy rule. For example, you do not need to allow your customer to opt out of a disclosure made in connection with processing or clearing checks (§ 216.14(b)(2)(vi)(A)) or for the purposes of preventing actual or potential fraud, unauthorized transactions, claims, or other liability (§ 216.15(a)(2)(ii)). Therefore, if you have notified your customer that you make disclosures as permitted by law, you may disclose whether your customer’s checking account has sufficient funds to cover a check, regardless of whether or not the customer has exercised his or her opt-out rights.

Q2. While we may confirm funds availability to a merchant where our customer seeks to pay for merchandise with a check under the exceptions in sections 216.14 and 216.15, may we confirm funds availability to an individual who is not a merchant for the same purpose? For instance, if our customer wants to use a check to purchase a used car from an individual seller, may we respond to the seller’s request about the availability of funds in the customer’s account under these exceptions?

A2. Whether or not someone is a “merchant” is not material to determining if you may disclose customer information pursuant to the exceptions in sections 216.14 and 216.15. You should determine whether the third party to whom you intend to disclose information actually is involved in carrying out a financial transaction that is requested or authorized by your customer. Check verification is permitted under the exceptions to the notice and opt-out provisions, such as in connection with processing or clearing a check under section 216.14(b)(2)(vi)(A), and under section 216.15(a)(2)(ii) to protect against or prevent actual or potential fraud or unauthorized transactions.

Q3. I offer consumer checking accounts. I notify my customers that, among other things, I make disclosures as permitted by law. My checking account customers deposit checks made payable to my customer but drawn on a financial institution unaffiliated with me. My practice is to write my customer’s account number on the back of the deposited check to facilitate its processing. The check itself then goes to the maker’s financial institution, with my customer’s account number on the check. Is this a disclosure of nonpublic personal information that would be subject to opt-out requirements or the prohibition against sharing account numbers?

A3. No. The opt-out provisions do not apply to disclosures in connection with servicing or processing a financial product or service that a consumer requests or authorizes. Nor do they apply to disclosures that are required, or are a usual, appropriate, or acceptable method in connection with settling, processing, clearing, transferring, reconciling, or collecting amounts charged, debited or otherwise paid (§§ 216.14(a), 216.14(b)(2)(vi)(A)). Also, because the account number is added to the check solely for use in processing the check and is not used in connection with marketing by a third party, this disclosure is not prohibited by the ban on disclosing account numbers for marketing purposes (§ 216.12).

Q4. I made a loan to a consumer who defaulted. In trying to collect the bad loan, I wish to learn information to locate the defaulting borrower. I believe that a financial institution unaffiliated with me may have some helpful information about the borrower. If I were to ask that institution for information, I would disclose nonpublic personal information, such as the fact that I have a loan to a particular consumer. I previously notified my borrower that, among other things, I make disclosures as permitted by law. Must I allow my borrower to opt out of my question to the financial institution?

A4. No. You may disclose nonpublic personal information to the financial institution without complying with the opt-out provisions as necessary to enforce a consumer loan where the disclosure is required or is one of the lawful or appropriate methods to enforce your rights (§ 216.14(b)(1)).

Q5. A financial institution that is not affiliated with me made a loan to a consumer who defaulted. In trying to collect the bad loan, the lender wishes to learn information to locate the defaulting borrower. The lender believes that I may have some helpful information about the borrower and asks me to disclose nonpublic personal information. I notify my consumers that, among other things, I make disclosures as permitted by law. May I disclose nonpublic personal information to help the lender try to collect a bad loan without providing opt-out notices?

A5. Where you have notified your consumer that you make disclosures as permitted by law, you may make disclosures to “persons holding a legal or beneficial interest relating to the consumer,” or under the appropriate circumstances, “to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability,” without providing opt-out notices and a reasonable opportunity for a consumer to opt out (§§ 216.15(a)(2)(iv), 216.15(a)(2)(ii)). Thus, disclosures to the lender may be permissible without complying with the opt-out provisions.

Q6. I make consumer loans. I notify my customers that, among other things, I make disclosures as permitted by law. A state law requires me to disclose to the state the names, addresses, Social Security numbers, and account balances of individuals the state believes have failed to make required child support payments. Does the privacy rule require me to allow my customers to opt out of disclosures to the state under this state law?

A6. No. The privacy rule exempts from the opt-out provisions any disclosures you make “[t]o comply with federal, state, or local laws, rules and other applicable legal requirements” (§ 216.15(a)(7)(i)).

Q7. Must I provide a privacy notice to consumers who are not my customers when I have to report information about denied mortgage applicants under the Home Mortgage Disclosure Act (HMDA)?

A7. No. If the information that HMDA requires you to disclose is not personally identifiable, the privacy rule would not apply to your disclosure of that information. Alternatively, if you disclose nonpublic personal information to comply with the law, you may disclose the information under section 216.15(a)(7)(i) without providing a privacy notice to consumers who are not your customers.

Q8. We often receive phone calls from auto dealers or other financial institutions requesting loan-payoff amounts on our customers. May we respond to these requests without providing those customers with a reasonable opportunity to opt out of that kind of disclosure?

A8. Yes, if the disclosure is in connection with servicing or processing a financial product or service from the third party that the customer has requested or authorized. In your case, for example, you may disclose loan-payoff information to a third-party lender where your customer seeks to refinance the bank loan with the other lender. Alternatively, you may disclose nonpublic personal information that is required, or is a usual, appropriate, or acceptable method to carry out the transaction that the customer has requested or authorized (§ 216.14(a)). This would be the case, for example, if the car dealer accepts your customer’s car as partial consideration for the purchase of another vehicle and wants to know the outstanding amount on the customer’s car loan with you.

Q9. During the ordinary course of business, I may request proof of insurance from a nonaffiliated insurance agency on an automobile that serves as our collateral on a customer’s loan. May I disclose customer information to the insurance agency in order to obtain this information without triggering specific notice and opt-out requirements?

A9. Yes, you may disclose nonpublic personal information, such as the existence of your relationship with a particular customer, to a nonaffiliated insurance agency in order to obtain proof of insurance under the exceptions to the specific notice and opt-out requirements in section 216.14. For example, you could disclose nonpublic personal information under the exception in section 216.14(b)(1) as a lawful or appropriate method to enforce your rights in providing the loan.

Q10. I make wire transfers for consumers who are not otherwise my customers. Do I have to provide an initial privacy notice to these consumers when I only make a wire transfer for them?

A10. No. Processing a wire transfer for a consumer on a one-time basis would not create a customer relationship, even if the consumer repeatedly requests that one-time service. Accordingly, you do not owe the consumer an initial notice on that basis. Furthermore, this disclosure would fall under the exception for processing a transaction that a consumer has requested or authorized (§ 216.14(a)(1)). Consequently, you would not be required to provide any privacy notices unless you also disclosed nonpublic personal information about the consumer to nonaffiliated third parties outside of an exception under section 216.14 or section 216.15. See section 216.4(a)(2).

Q11. I use a nonaffiliated third party to service consumer loans, and in this arrangement I disclose to the servicer nonpublic personal information about my borrowers. This arrangement seems to qualify for an exception from both the notice and opt-out requirements, under section 216.14(a)(1). At the same time, this arrangement seems to qualify for an exception from opt-out requirements—but not from notice requirements—under section 216.13(a)(1). The latter exception requires me to provide notice to consumers of the disclosures, and requires language in our contract that restricts the servicer’s further disclosure and use of the nonpublic personal information. When a servicing arrangement qualifies for two differing exceptions, which applies?

A11. When a disclosure qualifies for both the section 216.13 exception and a section 216.14 or section 216.15 exception, you do not need to comply with the notice and confidentiality provisions under section 216.13. Instead, you may make that disclosure solely in accordance with an exception under section 216.14 or section 216.15.

Q12. A community bank has an agreement with a mortgage company to prequalify mortgage loan applicants prior to referring them to the mortgage company for underwriting. As part of this agreement, the community bank, among other things, (1) educates applicants about home buying and about different types of loan products available; (2) collects financial information and related documents; (3) assists the applicant in understanding and resolving credit problems; and (4) maintains regular contact with the applicant during the loan process to apprise the applicant of the status of the application.

A12. If the bank does not already have a customer relationship with the loan applicant, the services that the bank performs pursuant to this program appear to give rise to a customer relationship between the applicant and the bank as described in section 216.3(i)(2)(i)(F), at least until the applicant has completed the loan process. As a result, the bank would have to provide an initial privacy notice. Whether the bank must disclose the information-sharing arrangement with the mortgage company in its privacy notice depends on whether the disclosure is permitted under one of the exceptions in section 216.13, 216.14, or 216.15.

Q1. I disclose my consumer borrowers’ names and addresses to a nonaffiliated insurance company. The insurance company sends the borrowers a letter, on my letterhead, offering insurance. I do not sell insurance. Does this arrangement qualify for the section 216.13 joint-marketing-agreement exception? Must the products described in the marketing materials be our products?

A1. The exception to the opt-out requirement in section 216.13 applies to disclosures you make to nonaffiliated third parties pursuant to a joint written agreement between you and one or more financial institutions under which you and the other financial institution(s) jointly offer, endorse, or sponsor a financial product or service. You may disclose your consumer borrowers’ names and addresses to the insurance company under section 216.13 because (i) the insurance company is a financial institution, (ii) insurance is a financial product or service, and (iii) you and the insurance company market the insurance together. The financial product you offer, sponsor, or endorse under a joint agreement with another financial institution need not be your product.

Q2. I disclose my consumer borrowers’ names and addresses to a nonaffiliated retail merchant that sells household goods, hardware, and clothing. The retail merchant wants to send notices, on my letterhead, offering household products. Would this arrangement qualify for the section 216.13 joint-marketing-agreement exception?

A2. No. To qualify for the section 216.13 exception, a joint-marketing arrangement must be an agreement between financial institutions for offering, endorsing, or sponsoring financial products or services.

Q3. Each month I mail account statements to my customers. May I include marketing materials for a third-party vendor’s products in my mailings to my customers? I do not have a joint-marketing agreement under section 216.13 with the vendor.

A3. Yes. However, you must be careful not to facilitate your customer’s unwitting disclosure of his or her nonpublic personal information to the vendor by virtue of a response to the marketing materials. For example, the vendor may have printed a reference code on its marketing materials that indicates that the offer for that product was sent to your customers who share certain financial characteristics. From this code, the vendor would be able to determine that the individual who responds to the marketing materials that you delivered is your customer or holds certain kinds of assets. In that case, you would have disclosed nonpublic personal information about the customer to the vendor.

Q4. I am a bank. I have a financial advisory center on my premises that is operated by people employed both by me and by an insurance company. The shared employees do not sell bank products. They sell insurance products and services offered by the insurance company pursuant to a third-party arrangement. We provide the employees with information about our customers so that they may solicit our customers on behalf of the insurance company. Do we have to provide our customers with an opportunity to opt out of these disclosures?

A4. You must provide a reasonable opportunity for your customers to opt out of any disclosure of their nonpublic personal information to a nonaffiliated third party unless one of the exceptions applies. Although a dual employee himself or herself is not a “nonaffiliated third party,” providing customer information to a dual employee for purposes of marketing the insurance company’s products and services to your customers is deemed to be providing the information directly to the insurance company. Because the insurance company is a nonaffiliated third party, you must provide your customers a reasonable opportunity to opt out of disclosure of their nonpublic personal information prior to disclosing such information to the dual employees unless the disclosure is covered by an exception.

Q5. Must I have a confidentiality and security clause in all my contracts with service providers who have access to customer information?

A5. Both the privacy regulations and the banking agencies’ security guidelines require financial institutions to enter into contracts with service providers that address customer information in particular circumstances. The requirements differ, however, and those differences are as follows.