Download:
pdf |
pdfPt. 716
12 CFR Ch. VII (1–1–16 Edition)
PART 717—FAIR CREDIT REPORTING
Subpart A—General Provisions
Sec.
717.1
717.2
717.3
Purpose, scope, and effective dates.
Examples.
Definitions.
Subpart B [Reserved]
Subpart C—Affiliate Marketing
717.20 Coverage and definitions.
717.21 Affiliate marketing opt-out and exceptions.
717.22 Scope and duration of opt-out.
717.23 Contents of opt-out notice; consolidated and equivalent notices.
717.24 Reasonable opportunity to opt out.
717.25 Reasonable and simple methods of
opting out.
717.26 Delivery of opt-out notices.
717.27 Renewal of opt-out.
717.28 Effective date, compliance date, and
prospective application.
Subpart D—Medical Information
717.30 Obtaining or using medical information in connection with a determination
of eligibility for credit.
717.31 Limits on redisclosure of information.
717.32 Sharing medical information with affiliates.
Subpart E—Duties of Furnishers of
Information
717.40 Scope.
717.41 Definitions.
717.42 Reasonable policies and procedures
concerning the accuracy and integrity of
furnished information.
717.43 Direct disputes.
Subparts F–H [Reserved]
Subpart Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal
717.80–717.81 [Reserved]
717.82 Duties of users regarding address discrepancies.
717.83 Disposal of consumer information.
lpowell on DSK54DXVN1OFR with $$_JOB
Subpart J—Identity Theft Red Flags
717.90 Duties regarding the detection, prevention, and mitigation of identity theft.
717.91 Duties of card issuers regarding
changes of address.
APPENDIXES A–B TO PART 717 [RESERVED]
APPENDIX C TO PART 717—MODEL FORMS FOR
OPT-OUT NOTICES
818
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00828
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�National Credit Union Administration
§ 717.3
APPENDIX D TO PART 717 [RESERVED]
APPENDIX E TO PART 717—INTERAGENCY
GUIDELINES CONCERNING THE ACCURACY
AND INTEGRITY OF INFORMATION FURNISHED TO CONSUMER REPORTING AGENCIES
APPENDIXES F–I TO PART 717 [RESERVED]
APPENDIX J TO PART 717—INTERAGENCY
GUIDELINES ON IDENTITY THEFT DETECTION, PREVENTION, AND MITIGATION
AUTHORITY: 12 U.S.C. 1751 et seq.; 15 U.S.C.
1681a, 1681b, 1681c, 1681m, 1681s, 1681s–1, 1681t,
1681w, 6801 and 6805, Public Law 108–159, 117
Stat. 1952.
SOURCE: 69 FR 69273, Nov. 29, 2004, unless
otherwise noted.
Subpart A—General Provisions
SOURCE: 70 FR 70692, Nov. 22, 2005, unless
otherwise noted.
§ 717.1 Purpose, scope, and effective
dates.
(a) Purpose. The purpose of this part
is to implement the provisions of the
Fair Credit Reporting Act. This part
generally applies to federal credit
unions that obtain and use information
about consumers to determine the consumer’s eligibility for products, services, or employment, share such information among affiliates, and furnish
information to consumer reporting
agencies.
(b) Scope. (1) [Reserved]
(2) Institutions covered. (i) Except as
otherwise provided in this part, the
regulations in this part apply to federal credit unions.
[72 FR 62981, Nov. 7, 2007]
lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.2 Examples.
The examples in this part are not exclusive. Compliance with an example,
to the extent applicable, constitutes
compliance with this part. Examples in
a paragraph illustrate only the issue
described in the paragraph and do not
illustrate any other issue that may
arise in this part.
§ 717.3 Definitions.
For purposes of this part, unless explicitly stated otherwise:
(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(b) Affiliate means any company that
is related by common ownership or
common corporate control with another company. For example, an affiliate of a Federal credit union is a credit union service corporation (CUSO), as
provided in 12 CFR part 712, that is
controlled by the Federal credit union.
(c) [Reserved]
(d) Company means any corporation,
limited liability company, business
trust, general or limited partnership,
association, or similar organization.
(e) Consumer means an individual.
(f)–(h) [Reserved]
(i) Common ownership or common corporate control means a relationship between two companies under which:
(1) One company has, with respect to
the other company:
(i) Ownership, control, or power to
vote 25 percent or more of the outstanding shares of any class of voting
security of a company, directly or indirectly, or acting through one or more
other persons;
(ii) Control in any manner over the
election of a majority of the directors,
trustees, or general partners (or individuals exercising similar functions) of
a company; or
(iii) The power to exercise, directly
or indirectly, a controlling influence
over the management or policies of a
company, as the NCUA determines; or
(iv) Example. NCUA will presume a
credit union has a controlling influence
over the management or policies of a
CUSO, if the CUSO is 67% owned by
credit unions.
(2) Any other person has, with respect to both companies, a relationship
described
in
paragraphs
(i)(1)(i)
through (i)(1)(iii) of this section.
(j) [Reserved]
(k) Medical information means:
(1) Information or data, whether oral
or recorded, in any form or medium,
created by or derived from a health
care provider or the consumer, that relates to:
(i) The past, present, or future physical, mental, or behavioral health or
condition of an individual;
(ii) The provision of health care to an
individual; or
(iii) The payment for the provision of
health care to an individual.
(2) The term does not include:
(i) The age or gender of a consumer;
819
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00829
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�§ 717.20
12 CFR Ch. VII (1–1–16 Edition)
(ii) Demographic information about
the consumer, including a consumer’s
residence address or e-mail address;
(iii) Any other information about a
consumer that does not relate to the
physical, mental, or behavioral health
or condition of a consumer, including
the existence or value of any insurance
policy; or
(iv) Information that does not identify a specific consumer.
(l) Person means any individual, partnership, corporation, trust, estate, cooperative, association, government or
governmental subdivision or agency, or
other entity.
[70 FR 70692, Nov. 22, 2005, as amended at 72
FR 63768, Nov. 9, 2007; 75 FR 34621, June 18,
2010]
Subpart B [Reserved]
Subpart C—Affiliate Marketing
SOURCE: 72 FR 62981, Nov. 7, 2007, unless
otherwise noted.
lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.20
Coverage and definitions.
(a) Coverage. Subpart C of this part
applies to federal credit unions and
their affiliates as defined in § 717.3(a) of
Subpart A.
(b) Definitions. For purposes of this
subpart:
(1) Clear and conspicuous. The term
‘‘clear and conspicuous’’ means reasonably understandable and designed to
call attention to the nature and significance of the information presented.
(2) Concise. (i) In general. The term
‘‘concise’’ means a reasonably brief expression or statement.
(ii) Combination with other required
disclosures. A notice required by this
subpart may be concise even if it is
combined with other disclosures required or authorized by federal or state
law.
(3) Eligibility information. The term
‘‘eligibility information’’ means any
information the communication of
which would be a consumer report if
the exclusions from the definition of
‘‘consumer
report’’
in
section
603(d)(2)(A) of the Act did not apply.
Eligibility information does not include aggregate or blind data that does
not contain personal identifiers such as
account numbers, names, or addresses.
(4) Pre-existing business relationship. (i)
In general. The term ‘‘pre-existing business relationship’’ means a relationship between a person, or a person’s licensed agent, and a consumer based
on—
(A) A financial contract between the
person and the consumer which is in
force on the date on which the consumer is sent a solicitation covered by
this subpart;
(B) The purchase, rental, or lease by
the consumer of the person’s goods or
services, or a financial transaction (including holding an active account or a
policy in force or having another continuing relationship) between the consumer and the person, during the 18month period immediately preceding
the date on which the consumer is sent
a solicitation covered by this subpart;
or
(C) An inquiry or application by the
consumer regarding a product or service offered by that person during the
three-month period immediately preceding the date on which the consumer
is sent a solicitation covered by this
subpart.
(ii) Examples of pre-existing business relationships. (A) If a consumer has a
time deposit account, such as a share
certificate, at a federal credit union
that is currently in force, the federal
credit union has a pre-existing business
relationship with the consumer and
can use eligibility information it receives from its affiliates to make solicitations to the consumer about its
products or services.
(B) If a consumer obtained a share
certificate from a federal credit union,
but did not renew the certificate at
maturity, the federal credit union has
a pre-existing business relationship
with the consumer and can use eligibility information it receives from its
affiliates to make solicitations to the
consumer about its products or services for 18 months after the date of maturity of the share certificate.
(C) If a consumer obtains a mortgage,
the mortgage lender has a pre-existing
business relationship with the consumer. If the mortgage lender sells the
consumer’s entire loan to an investor,
the mortgage lender has a pre-existing
820
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00830
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
National Credit Union Administration
§ 717.20
business relationship with the consumer and can use eligibility information it receives from its affiliates to
make solicitations to the consumer
about its products or services for 18
months after the date it sells the loan,
and the investor has a pre-existing
business relationship with the consumer upon purchasing the loan. If,
however, the mortgage lender sells a
fractional interest in the consumer’s
loan to an investor but also retains an
ownership interest in the loan, the
mortgage lender continues to have a
pre-existing business relationship with
the consumer, but the investor does
not have a pre-existing business relationship with the consumer. If the
mortgage lender retains ownership of
the loan, but sells ownership of the
servicing rights to the consumer’s
loan, the mortgage lender continues to
have a pre-existing business relationship with the consumer. The purchaser
of the servicing rights also has a preexisting business relationship with the
consumer as of the date it purchases
ownership of the servicing rights, but
only if it collects payments from or
otherwise deals directly with the consumer on a continuing basis.
(D) If a consumer applies to a federal
credit union for a product or service
that it offers, but does not obtain a
product or service from or enter into a
financial contract or transaction with
the institution, the federal credit
union has a pre-existing business relationship with the consumer and can
therefore use eligibility information it
receives from an affiliate to make solicitations to the consumer about its
products or services for three months
after the date of the application.
(E) If a consumer makes a telephone
inquiry to a federal credit union about
its products or services and provides
contact information to the institution,
but does not obtain a product or service from or enter into a financial contract or transaction with the institution, the federal credit union has a preexisting business relationship with the
consumer and can therefore use eligibility information it receives from an
affiliate to make solicitations to the
consumer about its products or services for three months after the date of
the inquiry.
(F) If a consumer makes an inquiry
to a federal credit union by e-mail
about its products or services, but does
not obtain a product or service from or
enter into a financial contract or
transaction with the institution, the
federal credit union has a pre-existing
business relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the consumer about its products or services
for three months after the date of the
inquiry.
(G) If a consumer has an existing relationship with a federal credit union
that is part of a group of affiliated
companies, makes a telephone call to
the centralized call center for the
group of affiliated companies to inquire about products or services offered
by the insurance brokerage affiliate,
and provides contact information to
the call center, the call constitutes an
inquiry to the insurance brokerage affiliate that offers those products or
services. The insurance brokerage affiliate has a pre-existing business relationship with the consumer and can
therefore use eligibility information it
receives from its affiliated federal credit union to make solicitations to the
consumer about its products or services for three months after the date of
the inquiry.
(iii) Examples where no pre-existing
business relationship is created. (A) If a
consumer makes a telephone call to a
centralized call center for a group of
affiliated companies to inquire about
the consumer’s existing account at a
federal credit union, the call does not
constitute an inquiry to any affiliate
other than the federal credit union
that holds the consumer’s account and
does not establish a pre-existing business relationship between the consumer and any affiliate of the accountholding federal credit union.
(B) If a consumer who has a deposit
account with a federal credit union
makes a telephone call to an affiliate
of the institution to ask about the affiliate’s retail locations and hours, but
does not make an inquiry about the affiliate’s products or services, the call
does not constitute an inquiry and does
not establish a pre-existing business relationship between the consumer and
821
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00831
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.21
12 CFR Ch. VII (1–1–16 Edition)
the affiliate. Also, the affiliate’s capture of the consumer’s telephone number does not constitute an inquiry and
does not establish a pre-existing business relationship between the consumer and the affiliate.
(C) If a consumer makes a telephone
call to a federal credit union in response to an advertisement that offers
a free promotional item to consumers
who call a toll-free number, but the advertisement does not indicate that the
federal credit union’s products or services will be marketed to consumers
who call in response, the call does not
create a pre-existing business relationship between the consumer and the federal credit union because the consumer
has not made an inquiry about a product or service offered by the institution, but has merely responded to an
offer for a free promotional item.
(5) Solicitation. (i) In general. The
term ‘‘solicitation’’ means the marketing of a product or service initiated
by a person to a particular consumer
that is—
(A) Based on eligibility information
communicated to that person by its affiliate as described in this subpart; and
(B) Intended to encourage the consumer to purchase or obtain such product or service.
(ii) Exclusion of marketing directed at
the general public. A solicitation does
not include marketing communications that are directed at the general
public. For example, television, general
circulation magazine, and billboard advertisements do not constitute solicitations, even if those communications
are intended to encourage consumers
to purchase products and services from
the person initiating the communications.
(iii) Examples of solicitations. A solicitation would include, for example, a
telemarketing call, direct mail, e-mail,
or other form of marketing communication directed to a particular consumer that is based on eligibility information received from an affiliate.
(6) You means a person described in
paragraph (a) of this section.
[70 FR 70692, Nov. 22, 2005, as amended at 75
FR 34621, June 18, 2010]
§ 717.21 Affiliate marketing
and exceptions.
(a) Initial notice and opt-out requirement—(1) In general. You may not use
eligibility information about a consumer that you receive from an affiliate to make a solicitation for marketing purposes to the consumer, unless—
(i) It is clearly and conspicuously disclosed to the consumer in writing or, if
the consumer agrees, electronically, in
a concise notice that you may use eligibility information about that consumer received from an affiliate to
make solicitations for marketing purposes to the consumer;
(ii) The consumer is provided a reasonable opportunity and a reasonable
and simple method to ‘‘opt out,’’ or
prohibit you from using eligibility information to make solicitations for
marketing purposes to the consumer;
and
(iii) The consumer has not opted out.
(2) Example. A consumer has a homeowner’s insurance policy obtained
through an insurance brokerage. The
insurance brokerage furnishes eligibility information about the consumer
to its affiliated federal credit union.
Based on that eligibility information,
the federal credit union wants to make
a solicitation to the consumer about
its home equity loan products. The federal credit union does not have a preexisting business relationship with the
consumer and none of the other exceptions apply. The federal credit union is
prohibited from using eligibility information received from its insurance
brokerage affiliate to make solicitations to the consumer about its home
equity loan products unless the consumer is given a notice and opportunity to opt out and the consumer
does not opt out.
(3) Affiliates who may provide the notice. The notice required by this paragraph must be provided:
(i) By an affiliate that has or has previously had a pre-existing business relationship with the consumer; or
(ii) As part of a joint notice from two
or more members of an affiliated group
of companies, provided that at least
one of the affiliates on the joint notice
822
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00832
Fmt 8010
opt-out
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
National Credit Union Administration
§ 717.21
has or has previously had a pre-existing business relationship with the consumer.
(b) Making solicitations—(1) In general.
For purposes of this subpart, you make
a solicitation for marketing purposes
if—
(i) You receive eligibility information from an affiliate;
(ii) You use that eligibility information to do one or more of the following:
(A) Identify the consumer or type of
consumer to receive a solicitation;
(B) Establish criteria used to select
the consumer to receive a solicitation;
or
(C) Decide which of your products or
services to market to the consumer or
tailor your solicitation to that consumer; and
(iii) As a result of your use of the eligibility information, the consumer is
provided a solicitation.
(2) Receiving eligibility information
from an affiliate, including through a
common database. You may receive eligibility information from an affiliate
in various ways, including when the affiliate places that information into a
common database that you may access.
(3) Receipt or use of eligibility information by your service provider. Except as
provided in paragraph (b)(5) of this section, you receive or use an affiliate’s
eligibility information if a service provider acting on your behalf (whether an
affiliate or a nonaffiliated third party)
receives or uses that information in
the manner described in paragraphs
(b)(1)(i) or (b)(1)(ii) of this section. All
relevant facts and circumstances will
determine whether a person is acting
as your service provider when it receives or uses an affiliate’s eligibility
information in connection with marketing your products and services.
(4) Use by an affiliate of its own eligibility information. Unless you have used
eligibility information that you receive from an affiliate in the manner
described in paragraph (b)(1)(ii) of this
section, you do not make a solicitation
subject to this subpart if your affiliate:
(i) Uses its own eligibility information that it obtained in connection
with a pre-existing business relationship it has or had with the consumer to
market your products or services to
the consumer; or
(ii) Directs its service provider to use
the affiliate’s own eligibility information that it obtained in connection
with a pre-existing business relationship it has or had with the consumer to
market your products or services to
the consumer, and you do not communicate directly with the service provider regarding that use.
(5) Use of eligibility information by a
service provider—(i) In general. You do
not make a solicitation subject to subpart C of this part if a service provider
(including an affiliated or third-party
service provider that maintains or accesses a common database that you
may access) receives eligibility information from your affiliate that your
affiliate obtained in connection with a
pre-existing business relationship it
has or had with the consumer and uses
that eligibility information to market
your products or services to the consumer, so long as—
(A) Your affiliate controls access to
and use of its eligibility information by
the service provider (including the
right to establish the specific terms
and conditions under which the service
provider may use such information to
market your products or services);
(B) Your affiliate establishes specific
terms and conditions under which the
service provider may access and use
the affiliate’s eligibility information to
market your products and services (or
those of affiliates generally) to the
consumer, such as the identity of the
affiliated companies whose products or
services may be marketed to the consumer by the service provider, the
types of products or services of affiliated companies that may be marketed,
and the number of times the consumer
may receive marketing materials, and
periodically evaluates the service provider’s compliance with those terms
and conditions;
(C) Your affiliate requires the service
provider to implement reasonable policies and procedures designed to ensure
that the service provider uses the affiliate’s eligibility information in accordance with the terms and conditions
established by the affiliate relating to
the marketing of your products or
services;
823
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00833
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.21
12 CFR Ch. VII (1–1–16 Edition)
(D) Your affiliate is identified on or
with the marketing materials provided
to the consumer; and
(E) You do not directly use your affiliate’s eligibility information in the
manner described in paragraph (b)(1)(ii)
of this section.
(ii) Writing requirements. (A) The requirements of paragraphs (b)(5)(i)(A)
and (C) of this section must be set
forth in a written agreement between
your affiliate and the service provider;
and
(B) The specific terms and conditions
established by your affiliate as provided in paragraph (b)(5)(i)(B) of this
section must be set forth in writing.
(6) Examples of making solicitations. (i)
A consumer has a deposit account with
a federal credit union, which is affiliated with an insurance brokerage. The
insurance brokerage receives eligibility information about the consumer
from the federal credit union. The insurance brokerage uses that eligibility
information to identify the consumer
to receive a solicitation about insurance brokerage services, and, as a result, the insurance brokerage provides
a solicitation to the consumer about
its services. Pursuant to paragraph
(b)(1) of this section, the insurance brokerage has made a solicitation to the
consumer.
(ii) The same facts as in the example
in paragraph (b)(6)(i) of this section,
except that after using the eligibility
information to identify the consumer
to receive a solicitation about insurance brokerage services, the insurance
brokerage asks the federal credit union
to send the solicitation to the consumer and the federal credit union does
so. Pursuant to paragraph (b)(1) of this
section, the insurance brokerage has
made a solicitation to the consumer
because it used eligibility information
about the consumer that it received
from an affiliate to identify the consumer to receive a solicitation about
its products or services, and, as a result, a solicitation was provided to the
consumer
about
the
insurance
brokerage’s services.
(iii) The same facts as in the example
in paragraph (b)(6)(i) of this section,
except that eligibility information
about consumers that have deposit accounts with the federal credit union is
placed into a common database that all
members of the affiliated group of companies may independently access and
use. Without using the federal credit
union’s eligibility information, the insurance brokerage develops selection
criteria and provides those criteria,
marketing materials, and related instructions to the federal credit union.
The federal credit union reviews eligibility information about its own consumers using the selection criteria provided by the insurance brokerage to determine which consumers should receive the insurance brokerage’s marketing materials and sends marketing
materials
about
the
insurance
brokerage’s services to those consumers. Even though the insurance
brokerage has received eligibility information through the common database as provided in paragraph (b)(2) of
this section, it did not use that information to identify consumers or establish selection criteria; instead, the federal credit union used its own eligibility information. Therefore, pursuant
to paragraph (b)(4)(i) of this section,
the insurance brokerage has not made
a solicitation to the consumer.
(iv) The same facts as in the example
in paragraph (b)(6)(iii) of this section,
except that the federal credit union
provides the insurance brokerage’s criteria to the federal credit union’s service provider and directs the service
provider to use the federal credit
union’s eligibility information to identify federal credit union consumers
who meet the criteria and to send the
insurance brokerage’s marketing materials to those consumers. The insurance brokerage does not communicate
directly with the service provider regarding the use of the federal credit
union’s information to market its services to the federal credit union’s consumers.
Pursuant
to
paragraph
(b)(4)(ii) of this section, the insurance
brokerage has not made a solicitation
to the consumer.
(v) An affiliated group of companies
includes a federal credit union, an insurance brokerage, and a service provider. Each affiliate in the group places
information about its consumers into a
common database. The service provider
has access to all information in the
common database. The federal credit
824
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00834
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
National Credit Union Administration
§ 717.21
union controls access to and use of its
eligibility information by the service
provider. This control is set forth in a
written agreement between the federal
credit union and the service provider.
The written agreement also requires
the service provider to establish reasonable policies and procedures designed to ensure that the service provider uses the federal credit union’s
eligibility information in accordance
with specific terms and conditions established by the federal credit union
relating to the marketing of the products and services of all affiliates, including the insurance brokerage. In a
separate written communication, the
federal credit union specifies the terms
and conditions under which the service
provider may use the federal credit
union’s eligibility information to market the insurance brokerage’s products
and services to the federal credit
union’s consumers. The specific terms
and conditions are: a list of affiliated
companies (including the insurance
brokerage) whose products or services
may be marketed to the federal credit
union’s consumers by the service provider; the specific products or types of
products that may be marketed to the
federal credit union’s consumers by the
service provider; the categories of eligibility information that may be used
by the service provider in marketing
products or services to the federal credit union’s consumers; the types or categories of the federal credit union’s
consumers to whom the service provider may market products or services
of federal credit union affiliates; the
number and/or types of marketing communications that the service provider
may send to the federal credit union’s
consumers; and the length of time during which the service provider may
market the products or services of the
federal credit union’s affiliates to its
consumers. The federal credit union periodically evaluates the service provider’s compliance with these terms
and conditions. The insurance brokerage asks the service provider to market
insurance products to certain consumers who have deposit accounts with
the federal credit union. Without using
the federal credit union’s eligibility information, the insurance brokerage develops selection criteria and provides
those criteria, marketing materials,
and related instructions to the service
provider. The service provider uses the
federal credit union’s eligibility information from the common database to
identify the federal credit union’s consumers to whom insurance brokerage
services will be marketed. When the insurance brokerage’s marketing materials are provided to the identified consumers, the name of the federal credit
union is displayed on the brokerage
marketing materials, an introductory
letter that accompanies the marketing
materials, an account statement that
accompanies the marketing materials,
or the envelope containing the marketing materials. The requirements of
paragraph (b)(5) of this section have
been satisfied, and the insurance brokerage has not made a solicitation to
the consumer.
(vi) The same facts as in the example
in paragraph (b)(6)(v) of this section,
except that the terms and conditions
permit the service provider to use the
federal credit union’s eligibility information to market the products and
services of other affiliates to the federal credit union’s consumers whenever
the service provider deems it appropriate to do so. The service provider
uses the federal credit union’s eligibility information in accordance with
the discretion afforded to it by the
terms and conditions. Because the
terms and conditions are not specific,
the requirements of paragraph (b)(5) of
this section have not been satisfied.
(c) Exceptions. The provisions of this
subpart do not apply to you if you use
eligibility information that you receive from an affiliate:
(1) To make a solicitation for marketing purposes to a consumer with
whom you have a pre-existing business
relationship;
(2) To facilitate communications to
an individual for whose benefit you
provide employee benefit or other services pursuant to a contract with an employer related to and arising out of the
current employment relationship or
status of the individual as a participant or beneficiary of an employee benefit plan;
825
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00835
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.21
12 CFR Ch. VII (1–1–16 Edition)
(3) To perform services on behalf of
an affiliate, except that this subparagraph shall not be construed as permitting you to send solicitations on behalf
of an affiliate if the affiliate would not
be permitted to send the solicitation as
a result of the election of the consumer
to opt out under this subpart;
(4) In response to a communication
about your products or services initiated by the consumer;
(5) In response to an authorization or
request by the consumer to receive solicitations; or
(6) If your compliance with this subpart would prevent you from complying with any provision of State insurance laws pertaining to unfair discrimination in any State in which you
are lawfully doing business.
(d) Examples of exceptions. (1) Example
of the pre-existing business relationship
exception. A consumer has a deposit account with a federal credit union. The
consumer also has a relationship with
the federal credit union’s securities
brokerage affiliate. The federal credit
union receives eligibility information
about the consumer from its securities
brokerage affiliate and uses that information to make a solicitation to the
consumer about the federal credit
union’s wealth management services.
The federal credit union may make
this solicitation even if the consumer
has not been given a notice and opportunity to opt out because the federal
credit union has a pre-existing business
relationship with the consumer.
(2) Examples of service provider exception. (i) A consumer has an insurance
policy obtained through an insurance
brokerage. The insurance brokerage
furnishes eligibility information about
the consumer to its affiliated federal
credit union. Based on that eligibility
information, the federal credit union
wants to make a solicitation to the
consumer about membership and its
deposit products. The federal credit
union does not have a pre-existing
business relationship with the consumer and none of the other exceptions
in paragraph (c) of this section apply.
The consumer has been given an optout notice and has elected to opt out of
receiving such solicitations. The federal credit union asks a service provider to send the solicitation to the
consumer on its behalf. The service
provider may not send the solicitation
on behalf of the federal credit union because, as a result of the consumer’s
opt-out election, the federal credit
union is not permitted to make the solicitation.
(ii) The same facts as in paragraph
(d)(2)(i) of this section, except the consumer has been given an opt-out notice, but has not elected to opt out.
The federal credit union asks a service
provider to send the solicitation to the
consumer on its behalf. The service
provider may send the solicitation on
behalf of the federal credit union because, as a result of the consumer’s not
opting out, the federal credit union is
permitted to make the solicitation.
(3) Examples of consumer-initiated communications. (i) A consumer who has a
deposit account with a federal credit
union initiates a communication with
the federal credit union’s credit card
affiliate to request information about a
credit card. The credit card affiliate
may use eligibility information about
the consumer it obtains from the federal credit union or any other affiliate
to make solicitations regarding credit
card products in response to the consumer-initiated communication.
(ii) A consumer who has a deposit account with a federal credit union contacts the institution to request information about how to save and invest
for a child’s college education without
specifying the type of product in which
the consumer may be interested. Information about a range of different products or services offered by the federal
credit union and one or more affiliates
of the institution may be responsive to
that communication. Such products or
services may include the following:
Mutual funds offered by the institution; section 529 plans offered by the
institution or its securities brokerage
affiliate; or trust services offered by
the institution or its trust services affiliate. Any affiliate offering investment counseling services that would be
responsive to the consumer’s request
for information about saving and investing for a child’s college education
may use eligibility information to
make solicitations to the consumer in
response to this communication.
826
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00836
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
National Credit Union Administration
§ 717.22
(iii) A credit card issuer makes a
marketing call to the consumer without using eligibility information received from an affiliate. The issuer
leaves a voice-mail message that invites the consumer to call a toll-free
number to apply for the issuer’s credit
card. If the consumer calls the toll-free
number to inquire about the credit
card, the call is a consumer-initiated
communication about a product or
service and the credit card issuer may
now use eligibility information it receives from its affiliates to make solicitations to the consumer.
(iv) A consumer calls a federal credit
union to ask about retail locations and
hours, but does not request information about products or services. The institution may not use eligibility information it receives from an affiliate to
make solicitations to the consumer
about its products or services because
the consumer-initiated communication
does not relate to the federal credit
union’s products or services. Thus, the
use of eligibility information received
from an affiliate would not be responsive to the communication and the exception does not apply.
(v) A consumer calls a federal credit
union to ask about retail locations and
hours. The customer service representative asks the consumer if there is a
particular product or service about
which the consumer is seeking information. The consumer responds that
the consumer wants to stop in and find
out about share certificates. The customer service representative offers to
provide that information by telephone
and mail additional information and
application materials to the consumer.
The consumer agrees and provides or
confirms contact information for receipt of the materials to be mailed.
The federal credit union may use eligibility information it receives from an
affiliate to make solicitations to the
consumer about share certificates because such solicitations would respond
to the consumer-initiated communication about products or services.
(4) Examples of consumer authorization
or request for solicitations. (i) A consumer who obtains a mortgage from a
federal credit union authorizes or requests information about obtaining
homeowner’s insurance through the
federal credit union’s insurance brokerage affiliate. Such authorization or
request, whether given to the federal
credit union or to the insurance brokerage affiliate, would permit the insurance brokerage to use eligibility information about the consumer it obtains from the federal credit union or
any other affiliate to make solicitations to the consumer about its homeowner’s insurance services.
(ii) A consumer completes an online
application to apply for a credit card
from a credit card issuer. The issuer’s
online application contains a blank
check box that the consumer may
check to authorize or request information from the credit card issuer’s affiliates. The consumer checks the box.
The consumer has authorized or requested solicitations from the card
issuer’s affiliates.
(iii) A consumer completes an online
application to apply for a credit card
from a credit card issuer. The issuer’s
online application contains a pre-selected check box indicating that the
consumer authorizes or requests information from the issuer’s affiliates. The
consumer does not deselect the check
box. The consumer has not authorized
or requested solicitations from the
card issuer’s affiliates.
(iv) The terms and conditions of a
credit card account agreement contain
preprinted boilerplate language stating
that by applying to open an account
the consumer authorizes or requests to
receive solicitations from the credit
card issuer’s affiliates. The consumer
has not authorized or requested solicitations from the card issuer’s affiliates.
(e) Relation to affiliate-sharing notice
and opt-out. Nothing in this subpart
limits the responsibility of a person to
comply with the notice and opt-out
provisions of section 603(d)(2)(A)(iii) of
the Act where applicable.
§ 717.22
Scope and duration of opt-out.
(a) Scope of opt-out—(1) In general. Except as otherwise provided in this section, the consumer’s election to opt
out prohibits any affiliate covered by
827
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00837
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.22
12 CFR Ch. VII (1–1–16 Edition)
the opt-out notice from using eligibility information received from another affiliate as described in the notice to make solicitations to the consumer.
(2) Continuing relationship—(i) In general. If the consumer establishes a continuing relationship with you or your
affiliate, an opt-out notice may apply
to eligibility information obtained in
connection with—
(A) A single continuing relationship
or multiple continuing relationships
that the consumer establishes with you
or your affiliates, including continuing
relationships established subsequent to
delivery of the opt-out notice, so long
as the notice adequately describes the
continuing relationships covered by
the opt-out; or
(B) Any other transaction between
the consumer and you or your affiliates
as described in the notice.
(ii) Examples of continuing relationships. A consumer has a continuing relationship with you or your affiliate if
the consumer—
(A) Opens a deposit or investment account with you or your affiliate;
(B) Obtains a loan for which you or
your affiliate owns the servicing
rights;
(C) Purchases an insurance product
from you or your affiliate;
(D) Holds an investment product
through you or your affiliate, such as
when you act or your affiliate acts as a
custodian for securities or for assets in
an individual retirement arrangement;
(E) Enters into an agreement or understanding with you or your affiliate
whereby you or your affiliate undertakes to arrange or broker a home
mortgage loan for the consumer;
(F) Enters into a lease of personal
property with you or your affiliate; or
(G) Obtains financial, investment, or
economic advisory services from you or
your affiliate for a fee.
(3) No continuing relationship—(i) In
general. If there is no continuing relationship between a consumer and you
or your affiliate, and you or your affiliate obtain eligibility information
about a consumer in connection with a
transaction with the consumer, such as
an isolated transaction or a credit application that is denied, an opt-out notice provided to the consumer only ap-
plies to eligibility information obtained in connection with that transaction.
(ii) Examples of isolated transactions.
An isolated transaction occurs if—
(A) The consumer uses your or your
affiliate’s ATM to withdraw cash from
an account at another financial institution; or
(B) You or your affiliate sells the
consumer a cashier’s check or money
order, airline tickets, travel insurance,
or traveler’s checks in isolated transactions.
(4) Menu of alternatives. A consumer
may be given the opportunity to
choose from a menu of alternatives
when electing to prohibit solicitations,
such as by electing to prohibit solicitations from certain types of affiliates
covered by the opt-out notice but not
other types of affiliates covered by the
notice, electing to prohibit solicitations based on certain types of eligibility information but not other types
of eligibility information, or electing
to prohibit solicitations by certain
methods of delivery but not other
methods of delivery. However, one of
the alternatives must allow the consumer to prohibit all solicitations from
all of the affiliates that are covered by
the notice.
(5) Special rule for a notice following
termination of all continuing relationships—(i) In general. A consumer must
be given a new opt-out notice if, after
all continuing relationships with you
or your affiliate(s) are terminated, the
consumer subsequently establishes another continuing relationship with you
or your affiliate(s) and the consumer’s
eligibility information is to be used to
make a solicitation. The new opt-out
notice must apply, at a minimum, to
eligibility information obtained in connection with the new continuing relationship. Consistent with paragraph (b)
of this section, the consumer’s decision
not to opt out after receiving the new
opt-out notice would not override a
prior opt-out election by the consumer
that applies to eligibility information
obtained in connection with a terminated
relationship,
regardless
of
whether the new opt-out notice applies
to eligibility information obtained in
connection with the terminated relationship.
828
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00838
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�National Credit Union Administration
§ 717.23
(ii) Example. A consumer is a member
of a federal credit union that is part of
an affiliated group. The consumer terminates his membership. One year
later, the consumer rejoins and opens a
savings account with the same federal
credit union. The consumer must be
given a new notice and opportunity to
opt out before the federal credit
union’s affiliates may make solicitations to the consumer using eligibility
information obtained by the federal
credit union in connection with the
newly established account relationship,
regardless of whether the consumer
opted out in connection with accounts
held during the previous member relationship.
(b) Duration of opt-out. The election
of a consumer to opt out must be effective for a period of at least five years
(the ‘‘opt-out period’’) beginning when
the consumer’s opt-out election is received and implemented, unless the
consumer subsequently revokes the
opt-out in writing or, if the consumer
agrees, electronically. An opt-out period of more than five years may be established, including an opt-out period
that does not expire unless revoked by
the consumer.
(c) Time of opt-out. A consumer may
opt out at any time.
lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.23 Contents of opt-out notice;
consolidated and equivalent notices.
(a) Contents of opt-out notice—(1) In
general. A notice must be clear, conspicuous, and concise, and must accurately disclose:
(i) The name of the affiliate(s) providing the notice. If the notice is provided jointly by multiple affiliates and
each affiliate shares a common name,
such as ‘‘ABC,’’ then the notice may
indicate that it is being provided by
multiple companies with the ABC
name or multiple companies in the
ABC group or family of companies, for
example, by stating that the notice is
provided by ‘‘all of the ABC companies,’’ ‘‘the ABC federal credit union,
credit card, insurance brokerage, and
securities brokerage companies,’’ or by
listing the name of each affiliate providing the notice. But if the affiliates
providing the joint notice do not all
share a common name, then the notice
must either separately identify each
affiliate by name or identify each of
the common names used by those affiliates, for example, by stating that
the notice is provided by ‘‘all of the
ABC and XYZ companies’’ or by ‘‘the
ABC federal credit union and credit
card companies and the XYZ insurance
brokerage company’’
(ii) A list of the affiliates or types of
affiliates whose use of eligibility information is covered by the notice, which
may include companies that become affiliates after the notice is provided to
the consumer. If each affiliate covered
by the notice shares a common name,
such as ‘‘ABC,’’ then the notice may
indicate that it applies to multiple
companies with the ABC name or multiple companies in the ABC group or
family of companies, for example, by
stating that the notice is provided by
‘‘all of the ABC companies,’’ ‘‘the ABC
federal credit union, credit card, insurance brokerage, and securities brokerage companies,’’ or by listing the name
of each affiliate providing the notice.
But if the affiliates covered by the notice do not all share a common name,
then the notice must either separately
identify each covered affiliate by name
or identify each of the common names
used by those affiliates, for example,
by stating that the notice applies to
‘‘all of the ABC and XYZ companies’’
or to ‘‘the ABC federal credit union and
credit card companies and the XYZ insurance brokerage company’’
(iii) A general description of the
types of eligibility information that
may be used to make solicitations to
the consumer;
(iv) That the consumer may elect to
limit the use of eligibility information
to make solicitations to the consumer;
(v) That the consumer’s election will
apply for the specified period of time
stated in the notice and, if applicable,
that the consumer will be allowed to
renew the election once that period expires;
(vi) If the notice is provided to consumers who may have previously opted
out, such as if a notice is provided to
consumers annually, that the consumer who has chosen to limit solicitations does not need to act again until
the consumer receives a renewal notice; and
829
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00839
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.24
12 CFR Ch. VII (1–1–16 Edition)
(vii) A reasonable and simple method
for the consumer to opt out.
(2) Joint relationships. (i) If two or
more consumers jointly obtain a product or service, a single opt-out notice
may be provided to the joint consumers. Any of the joint consumers
may exercise the right to opt out.
(ii) The opt-out notice must explain
how an opt-out direction by a joint
consumer will be treated. An opt-out
direction by a joint consumer may be
treated as applying to all of the associated joint consumers, or each joint
consumer may be permitted to opt-out
separately. If each joint consumer is
permitted to opt out separately, one of
the joint consumers must be permitted
to opt out on behalf of all of the joint
consumers and the joint consumers
must be permitted to exercise their
separate rights to opt out in a single
response.
(iii) It is impermissible to require all
joint consumers to opt out before implementing any opt-out direction.
(3) Alternative contents. If the consumer is afforded a broader right to opt
out of receiving marketing than is required by this subpart, the requirements of this section may be satisfied
by providing the consumer with a
clear, conspicuous, and concise notice
that accurately discloses the consumer’s opt-out rights.
(4) Model notices. Model notices are
provided in appendix C of this part.
(b) Coordinated and consolidated notices. A notice required by this subpart
may be coordinated and consolidated
with any other notice or disclosure required to be issued under any other
provision of law by the entity providing the notice, including but not
limited to the notice described in section 603(d)(2)(A)(iii) of the Act and the
Gramm-Leach-Bliley Act privacy notice.
(c) Equivalent notices. A notice or
other disclosure that is equivalent to
the notice required by this subpart,
and that is provided to a consumer together with disclosures required by any
other provision of law, satisfies the requirements of this section.
§ 717.24 Reasonable opportunity to opt
out.
(a) In general. You must not use eligibility information about a consumer
that you receive from an affiliate to
make a solicitation to the consumer
about your products or services, unless
the consumer is provided a reasonable
opportunity to opt out, as required by
§ 717.21(a)(1)(ii) of this part.
(b) Examples of a reasonable opportunity to opt out. The consumer is given
a reasonable opportunity to opt out if:
(1) By mail. The opt-out notice is
mailed to the consumer. The consumer
is given 30 days from the date the notice is mailed to elect to opt out by
any reasonable means.
(2) By electronic means. (i) The opt-out
notice is provided electronically to the
consumer, such as by posting the notice at an Internet Web site at which
the consumer has obtained a product or
service. The consumer acknowledges
receipt of the electronic notice. The
consumer is given 30 days after the
date the consumer acknowledges receipt to elect to opt out by any reasonable means.
(ii) The opt-out notice is provided to
the consumer by e-mail where the consumer has agreed to receive disclosures
by e-mail from the person sending the
notice. The consumer is given 30 days
after the e-mail is sent to elect to opt
out by any reasonable means.
(3) At the time of an electronic transaction. The opt-out notice is provided
to the consumer at the time of an electronic transaction, such as a transaction conducted on an Internet Web
site. The consumer is required to decide, as a necessary part of proceeding
with the transaction, whether to opt
out before completing the transaction.
There is a simple process that the consumer may use to opt out at that time
using the same mechanism through
which the transaction is conducted.
(4) At the time of an in-person transaction. The opt-out notice is provided
to the consumer in writing at the time
of an in-person transaction. The consumer is required to decide, as a necessary part of proceeding with the
transaction, whether to opt out before
completing the transaction, and is not
permitted to complete the transaction
without making a choice. There is a
830
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00840
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�National Credit Union Administration
§ 717.26
lpowell on DSK54DXVN1OFR with $$_JOB
simple process that the consumer may
use during the course of the in-person
transaction to opt out, such as completing a form that requires consumers
to write a ‘‘yes’’ or ‘‘no’’ to indicate
their opt-out preference or that requires the consumer to check one of
two blank check boxes—one that allows consumers to indicate that they
want to opt out and one that allows
consumers to indicate that they do not
want to opt out.
(5) By including in a privacy notice.
The opt-out notice is included in a
Gramm-Leach-Bliley Act privacy notice. The consumer is allowed to exercise the opt-out within a reasonable period of time and in the same manner as
the opt-out under that privacy notice.
§ 717.25 Reasonable and simple methods of opting out.
(a) In general. You must not use eligibility information about a consumer
that you receive from an affiliate to
make a solicitation to the consumer
about your products or services, unless
the consumer is provided a reasonable
and simple method to opt out, as required by § 717.21(a)(1)(ii) of this part.
(b) Examples—(1) Reasonable and simple opt-out methods. Reasonable and
simple methods for exercising the optout right include—
(i) Designating a check-off box in a
prominent position on the opt-out
form;
(ii) Including a reply form and a selfaddressed envelope together with the
opt-out notice;
(iii) Providing an electronic means to
opt out, such as a form that can be
electronically mailed or processed at
an Internet Web site, if the consumer
agrees to the electronic delivery of information;
(iv) Providing a toll-free telephone
number that consumers may call to opt
out; or
(v) Allowing consumers to exercise
all of their opt-out rights described in
a consolidated opt-out notice that includes the privacy opt-out under the
Gramm-Leach-Bliley Act, 15 U.S.C. 6801
et seq., the affiliate sharing opt-out
under the Act, and the affiliate marketing opt-out under the Act, by a single method, such as by calling a single
toll-free telephone number.
(2) Opt-out methods that are not reasonable and simple. Reasonable and simple methods for exercising an opt-out
right do not include—
(i) Requiring the consumer to write
his or her own letter;
(ii) Requiring the consumer to call or
write to obtain a form for opting out,
rather than including the form with
the opt-out notice;
(iii) Requiring the consumer who receives the opt-out notice in electronic
form only, such as through posting at
an Internet Web site, to opt out solely
by paper mail or by visiting a different
Web site without providing a link to
that site.
(c) Specific opt-out means. Each consumer may be required to opt out
through a specific means, as long as
that means is reasonable and simple
for that consumer.
[70 FR 70692, Nov. 22, 2005, as amended at 75
FR 34621, June 18, 2010]
§ 717.26 Delivery of opt-out notices.
(a) In general. The opt-out notice
must be provided so that each consumer can reasonably be expected to
receive actual notice. For opt-out notices provided electronically, the notice may be provided in compliance
with either the electronic disclosure
provisions in this subpart or the provisions in section 101 of the Electronic
Signatures in Global and National
Commerce Act, 15 U.S.C. 7001 et seq.
(b) Examples of reasonable expectation
of actual notice. A consumer may reasonably be expected to receive actual
notice if the affiliate providing the notice:
(1) Hand-delivers a printed copy of
the notice to the consumer;
(2) Mails a printed copy of the notice
to the last known mailing address of
the consumer;
(3) Provides a notice by e-mail to a
consumer who has agreed to receive
electronic disclosures by e-mail from
the affiliate providing the notice; or
(4) Posts the notice on the Internet
Web site at which the consumer obtained a product or service electronically and requires the consumer to acknowledge receipt of the notice.
(c) Examples of no reasonable expectation of actual notice. A consumer may
not reasonably be expected to receive
831
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00841
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�§ 717.27
12 CFR Ch. VII (1–1–16 Edition)
lpowell on DSK54DXVN1OFR with $$_JOB
actual notice if the affiliate providing
the notice:
(1) Only posts the notice on a sign in
a branch or office or generally publishes the notice in a newspaper;
(2) Sends the notice via e-mail to a
consumer who has not agreed to receive electronic disclosures by e-mail
from the affiliate providing the notice;
or
(3) Posts the notice on an Internet
Web site without requiring the consumer to acknowledge receipt of the
notice.
§ 717.27 Renewal of opt-out.
(a) Renewal notice and opt-out requirement—(1) In general. After the opt-out
period expires, you may not make solicitations based on eligibility information you receive from an affiliate to a
consumer who previously opted out,
unless:
(i) The consumer has been given a renewal notice that complies with the requirements of this section and §§ 717.24
through 717.26 of this part, and a reasonable opportunity and a reasonable
and simple method to renew the optout, and the consumer does not renew
the opt-out; or
(ii) An exception in § 717.21(c) of this
part applies.
(2) Renewal period. Each opt-out renewal must be effective for a period of
at least five years as provided in
§ 717.22(b) of this part.
(3) Affiliates who may provide the notice. The notice required by this paragraph must be provided:
(i) By the affiliate that provided the
previous opt-out notice, or its successor; or
(ii) As part of a joint renewal notice
from two or more members of an affiliated group of companies, or their successors, that jointly provided the previous opt-out notice.
(b) Contents of renewal notice. The renewal notice must be clear, conspicuous, and concise, and must accurately disclose:
(1) The name of the affiliate(s) providing the notice. If the notice is provided jointly by multiple affiliates and
each affiliate shares a common name,
such as ‘‘ABC,’’ then the notice may
indicate that it is being provided by
multiple companies with the ABC
name or multiple companies in the
ABC group or family of companies, for
example, by stating that the notice is
provided by ‘‘all of the ABC companies,’’ ‘‘the ABC federal credit union,
credit card, insurance brokerage, and
securities brokerage companies,’’ or by
listing the name of each affiliate providing the notice. But if the affiliates
providing the joint notice do not all
share a common name, then the notice
must either separately identify each
affiliate by name or identify each of
the common names used by those affiliates, for example, by stating that
the notice is provided by ‘‘all of the
ABC and XYZ companies’’ or by ‘‘the
ABC federal credit union and credit
card companies and the XYZ insurance
brokerage company’’;
(2) A list of the affiliates or types of
affiliates whose use of eligibility information is covered by the notice, which
may include companies that become affiliates after the notice is provided to
the consumer. If each affiliate covered
by the notice shares a common name,
such as ‘‘ABC,’’ then the notice may
indicate that it applies to multiple
companies with the ABC name or multiple companies in the ABC group or
family of companies, for example, by
stating that the notice is provided by
‘‘all of the ABC companies,’’ ‘‘the ABC
federal credit union, credit card, insurance brokerage, and securities brokerage companies,’’ or by listing the name
of each affiliate providing the notice.
But if the affiliates covered by the notice do not all share a common name,
then the notice must either separately
identify each covered affiliate by name
or identify each of the common names
used by those affiliates, for example,
by stating that the notice applies to
‘‘all of the ABC and XYZ companies’’
or to ‘‘the ABC federal credit union and
credit card companies and the XYZ insurance brokerage company’’;
(3) A general description of the types
of eligibility information that may be
used to make solicitations to the consumer;
(4) That the consumer previously
elected to limit the use of certain information to make solicitations to the
consumer;
(5) That the consumer’s election has
expired or is about to expire;
832
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00842
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�National Credit Union Administration
§ 717.30
(6) That the consumer may elect to
renew the consumer’s previous election;
(7) If applicable, that the consumer’s
election to renew will apply for the
specified period of time stated in the
notice and that the consumer will be
allowed to renew the election once that
period expires; and
(8) A reasonable and simple method
for the consumer to opt out.
(c) Timing of the renewal notice. (1) In
general. A renewal notice may be provided to the consumer either—
(i) A reasonable period of time before
the expiration of the opt-out period; or
(ii) Any time after the expiration of
the opt-out period but before solicitations that would have been prohibited
by the expired opt-out are made to the
consumer.
(2) Combination with annual privacy
notice. If you provide an annual privacy
notice under the Gramm-Leach-Bliley
Act, 15 U.S.C. 6801 et seq., providing a
renewal notice with the last annual
privacy notice provided to the consumer before expiration of the opt-out
period is a reasonable period of time
before expiration of the opt-out in all
cases.
(d) No effect on opt-out period. An optout period may not be shortened by
sending a renewal notice to the consumer before expiration of the opt-out
period, even if the consumer does not
renew the opt out.
[70 FR 70692, Nov. 22, 2005, as amended at 75
FR 34621, June 18, 2010]
lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.28 Effective
date,
compliance
date, and prospective application.
(a) Effective date. This subpart is effective January 1, 2008.
(b) Mandatory compliance date. Compliance with this subpart is required
not later than October 1, 2008.
(c) Prospective application. The provisions of this subpart shall not prohibit
you from using eligibility information
that you receive from an affiliate to
make solicitations to a consumer if
you receive such information prior to
October 1, 2008. For purposes of this
section, you are deemed to receive eligibility information when such information is placed into a common database and is accessible by you.
Subpart D—Medical Information
SOURCE: 70 FR 70693, Nov. 22, 2005, and 70
FR 75931, Dec. 22, 2005, unless otherwise
noted.
§ 717.30 Obtaining or using medical information in connection with a determination of eligibility for credit.
(a) Scope. This section applies to:
(1) A Federal credit union that participates as a creditor in a transaction;
or
(2) Any other person that participates as a creditor in a transaction involving a person described in paragraph
(a)(1) of this section.
(b) General prohibition on obtaining or
using medical information—(1) In general.
A creditor may not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility,
or continued eligibility, for credit, except as provided in this section.
(2) Definitions. (i) Credit has the same
meaning as in section 702 of the Equal
Credit Opportunity Act, 15 U.S.C. 1691a.
(ii) Creditor has the same meaning as
in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a.
(iii) Eligibility, or continued eligibility,
for credit means the consumer’s qualification or fitness to receive, or continue to receive, credit, including the
terms on which credit is offered. The
term does not include:
(A) Any determination of the consumer’s qualification or fitness for employment, insurance (other than a
credit insurance product), or other
non-credit products or services;
(B) Authorizing, processing, or documenting a payment or transaction on
behalf of the consumer in a manner
that does not involve a determination
of the consumer’s eligibility, or continued eligibility, for credit; or
(C) Maintaining or servicing the consumer’s account in a manner that does
not involve a determination of the consumer’s eligibility, or continued eligibility, for credit.
(c) Rule of construction for obtaining
and using unsolicited medical information—(1) In general. A creditor does not
obtain medical information in violation of the prohibition if it receives
medical information pertaining to a
833
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00843
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.30
12 CFR Ch. VII (1–1–16 Edition)
consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for
credit without specifically requesting
medical information.
(2) Use of unsolicited medical information. A creditor that receives unsolicited medical information in the manner described in paragraph (c)(1) of this
section may use that information in
connection with any determination of
the consumer’s eligibility, or continued eligibility, for credit to the extent
the creditor can rely on at least one of
the exceptions in § 717.30(d) or (e).
(3) Examples. A creditor does not obtain medical information in violation
of the prohibition if, for example:
(i) In response to a general question
regarding a consumer’s debts or expenses, the creditor receives information that the consumer owes a debt to
a hospital.
(ii) In a conversation with the creditor’s loan officer, the consumer informs the creditor that the consumer
has a particular medical condition.
(iii) In connection with a consumer’s
application for an extension of credit,
the creditor requests a consumer report from a consumer reporting agency
and receives medical information in
the consumer report furnished by the
agency even though the creditor did
not specifically request medical information from the consumer reporting
agency.
(d) Financial information exception for
obtaining and using medical information—(1) In general. A creditor may obtain and use medical information pertaining to a consumer in connection
with any determination of the consumer’s eligibility, or continued eligibility, for credit so long as:
(i) The information is the type of information routinely used in making
credit eligibility determinations, such
as information relating to debts, expenses, income, benefits, assets, collateral, or the purpose of the loan, including the use of proceeds;
(ii) The creditor uses the medical information in a manner and to an extent that is no less favorable than it
would use comparable information that
is not medical information in a credit
transaction; and
(iii) The creditor does not take the
consumer’s physical, mental, or behavioral health, condition or history, type
of treatment, or prognosis into account
as part of any such determination.
(2) Examples—(i) Examples of the types
of information routinely used in making
credit eligibility determinations. Paragraph (d)(1)(i) of this section permits a
creditor, for example, to obtain and use
information about:
(A) The dollar amount, repayment
terms, repayment history, and similar
information regarding medical debts to
calculate, measure, or verify the repayment ability of the consumer, the use
of proceeds, or the terms for granting
credit;
(B) The value, condition, and lien
status of a medical device that may
serve as collateral to secure a loan;
(C) The dollar amount and continued
eligibility for disability income, workers’ compensation income, or other
benefits related to health or a medical
condition that is relied on as a source
of repayment; or
(D) The identity of creditors to whom
outstanding medical debts are owed in
connection with an application for
credit, including but not limited to, a
transaction involving the consolidation
of medical debts.
(ii) Examples of uses of medical information consistent with the exception. (A)
A consumer includes on an application
for credit information about two $20,000
debts. One debt is to a hospital; the
other debt is to a retailer. The creditor
contacts the hospital and the retailer
to verify the amount and payment status of the debts. The creditor learns
that both debts are more than 90 days
past due. Any two debts of this size
that are more than 90 days past due
would disqualify the consumer under
the creditor’s established underwriting
criteria. The creditor denies the application on the basis that the consumer
has a poor repayment history on outstanding debts. The creditor has used
medical information in a manner and
to an extent no less favorable than it
would use comparable non-medical information.
(B) A consumer indicates on an application for a $200,000 mortgage loan that
she receives $15,000 in long-term disability income each year from her
834
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00844
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
National Credit Union Administration
§ 717.30
former employer and has no other income. Annual income of $15,000, regardless of source, would not be sufficient
to support the requested amount of
credit. The creditor denies the application on the basis that the projected
debt-to-income ratio of the consumer
does not meet the creditor’s underwriting criteria. The creditor has used
medical information in a manner and
to an extent that is no less favorable
than it would use comparable non-medical information.
(C) A consumer includes on an application for a $10,000 home equity loan
that he has a $50,000 debt to a medical
facility that specializes in treating a
potentially terminal disease. The creditor contacts the medical facility to
verify the debt and obtain the repayment history and current status of the
loan. The creditor learns that the debt
is current. The applicant meets the income and other requirements of the
creditor’s underwriting guidelines. The
creditor grants the application. The
creditor has used medical information
in accordance with the exception.
(iii) Examples of uses of medical information inconsistent with the exception.
(A) A consumer applies for $25,000 of
credit and includes on the application
information about a $50,000 debt to a
hospital. The creditor contacts the hospital to verify the amount and payment status of the debt, and learns
that the debt is current and that the
consumer has no delinquencies in her
repayment history. If the existing debt
were instead owed to a retail department store, the creditor would approve
the application and extend credit based
on the amount and repayment history
of the outstanding debt. The creditor,
however, denies the application because the consumer is indebted to a
hospital. The creditor has used medical
information, here the identity of the
medical creditor, in a manner and to
an extent that is less favorable than it
would use comparable non-medical information.
(B) A consumer meets with a loan officer of a creditor to apply for a mortgage loan. While filling out the loan
application, the consumer informs the
loan officer orally that she has a potentially terminal disease. The consumer
meets the creditor’s established re-
quirements for the requested mortgage
loan. The loan officer recommends to
the credit committee that the consumer be denied credit because the
consumer has that disease. The credit
committee follows the loan officer’s
recommendation and denies the application because the consumer has a potentially terminal disease. The creditor has used medical information in a
manner inconsistent with the exception by taking into account the consumer’s physical, mental, or behavioral
health, condition, or history, type of
treatment, or prognosis as part of a determination of eligibility or continued
eligibility for credit.
(C) A consumer who has an apparent
medical condition, such as a consumer
who uses a wheelchair or an oxygen
tank, meets with a loan officer to
apply for a home equity loan. The consumer meets the creditor’s established
requirements for the requested home
equity loan and the creditor typically
does not require consumers to obtain a
debt cancellation contract, debt suspension agreement, or credit insurance
product in connection with such loans.
However, based on the consumer’s apparent medical condition, the loan officer recommends to the credit committee that credit be extended to the
consumer only if the consumer obtains
a debt cancellation contract, debt suspension agreement, or credit insurance
product from a nonaffiliated third
party. The credit committee agrees
with the loan officer’s recommendation. The loan officer informs the consumer that the consumer must obtain
a debt cancellation contract, debt suspension agreement, or credit insurance
product from a nonaffiliated third
party to qualify for the loan. The consumer obtains one of these products
and the creditor approves the loan. The
creditor has used medical information
in a manner inconsistent with the exception by taking into account the
consumer’s physical, mental, or behavioral health, condition, or history, type
of treatment, or prognosis in setting
conditions on the consumer’s eligibility for credit.
(e) Specific exceptions for obtaining and
using medical information—(1) In general.
A creditor may obtain and use medical
information pertaining to a consumer
835
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00845
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.30
12 CFR Ch. VII (1–1–16 Edition)
in connection with any determination
of the consumer’s eligibility, or continued eligibility, for credit:
(i) To determine whether the use of a
power of attorney or legal representative that is triggered by a medical condition or event is necessary and appropriate or whether the consumer has the
legal capacity to contract when a person seeks to exercise a power of attorney or act as legal representative for a
consumer based on an asserted medical
condition or event;
(ii) To comply with applicable requirements of local, state, or Federal
laws;
(iii) To determine, at the consumer’s
request, whether the consumer qualifies for a legally permissible special
credit program or credit-related assistance program that is:
(A) Designed to meet the special
needs of consumers with medical conditions; and
(B) Established and administered
pursuant to a written plan that:
(1) Identifies the class of persons that
the program is designed to benefit; and
(2) Sets forth the procedures and
standards for extending credit or providing other credit-related assistance
under the program;
(iv) To the extent necessary for purposes of fraud prevention or detection;
(v) In the case of credit for the purpose of financing medical products or
services, to determine and verify the
medical purpose of a loan and the use
of proceeds;
(vi) Consistent with safe and sound
practices, if the consumer or the consumer’s legal representative specifically requests that the creditor use
medical information in determining
the consumer’s eligibility, or continued eligibility, for credit, to accommodate the consumer’s particular circumstances, and such request is documented by the creditor;
(vii) Consistent with safe and sound
practices, to determine whether the
provisions of a forbearance practice or
program that is triggered by a medical
condition or event apply to a consumer;
(viii) To determine the consumer’s
eligibility for, the triggering of, or the
reactivation of a debt cancellation contract or debt suspension agreement if a
medical condition or event is a triggering event for the provision of benefits under the contract or agreement;
or
(ix) To determine the consumer’s eligibility for, the triggering of, or the reactivation of a credit insurance product if a medical condition or event is a
triggering event for the provision of
benefits under the product.
(2) Example of determining eligibility for
a special credit program or credit assistance program. A not-for-profit organization establishes a credit assistance program pursuant to a written plan that is
designed to assist disabled veterans in
purchasing homes by subsidizing the
down payment for the home purchase
mortgage loans of qualifying veterans.
The organization works through mortgage lenders and requires mortgage
lenders to obtain medical information
about the disability of any consumer
that seeks to qualify for the program,
use that information to verify the consumer’s eligibility for the program, and
forward that information to the organization. A consumer who is a veteran
applies to a creditor for a home purchase mortgage loan. The creditor informs the consumer about the credit
assistance program for disabled veterans and the consumer seeks to qualify for the program. Assuming that the
program complies with all applicable
law, including applicable fair lending
laws, the creditor may obtain and use
medical information about the medical
condition and disability, if any, of the
consumer to determine whether the
consumer qualifies for the credit assistance program.
(3) Examples of verifying the medical
purpose of the loan or the use of proceeds.
(i) If a consumer applies for $10,000 of
credit for the purpose of financing vision correction surgery, the creditor
may verify with the surgeon that the
procedure will be performed. If the surgeon reports that surgery will not be
performed on the consumer, the creditor may use that medical information
to deny the consumer’s application for
credit, because the loan would not be
used for the stated purpose.
(ii) If a consumer applies for $10,000 of
credit for the purpose of financing cosmetic surgery, the creditor may confirm the cost of the procedure with the
836
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00846
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
National Credit Union Administration
§ 717.30
surgeon. If the surgeon reports that the
cost of the procedure is $5,000, the creditor may use that medical information
to offer the consumer only $5,000 of
credit.
(iii) A creditor has an established
medical loan program for financing
particular elective surgical procedures.
The creditor receives a loan application from a consumer requesting $10,000
of credit under the established loan
program for an elective surgical procedure. The consumer indicates on the
application that the purpose of the
loan is to finance an elective surgical
procedure not eligible for funding
under the guidelines of the established
loan program. The creditor may deny
the consumer’s application because the
purpose of the loan is not for a particular procedure funded by the established loan program.
(4) Examples of obtaining and using
medical information at the request of the
consumer. (i) If a consumer applies for a
loan and specifically requests that the
creditor consider the consumer’s medical disability at the relevant time as
an explanation for adverse payment
history information in his credit report, the creditor may consider such
medical information in evaluating the
consumer’s willingness and ability to
repay the requested loan to accommodate the consumer’s particular circumstances, consistent with safe and
sound practices. The creditor may also
decline to consider such medical information to accommodate the consumer,
but may evaluate the consumer’s application in accordance with its otherwise
applicable underwriting criteria. The
creditor may not deny the consumer’s
application or otherwise treat the consumer less favorably because the consumer specifically requested a medical
accommodation, if the creditor would
have extended the credit or treated the
consumer more favorably under the
creditor’s otherwise applicable underwriting criteria.
(ii) If a consumer applies for a loan
by telephone and explains that his income has been and will continue to be
interrupted on account of a medical
condition and that he expects to repay
the loan by liquidating assets, the
creditor may, but is not required to,
evaluate the application using the sale
of assets as the primary source of repayment, consistent with safe and
sound practices, provided that the
creditor documents the consumer’s request by recording the oral conversation or making a notation of the request in the consumer’s file.
(iii) If a consumer applies for a loan
and the application form provides a
space where the consumer may provide
any other information or special circumstances, whether medical or nonmedical, that the consumer would like
the creditor to consider in evaluating
the consumer’s application, the creditor may use medical information provided by the consumer in that space on
that application to accommodate the
consumer’s application for credit, consistent with safe and sound practices,
or may disregard that information.
(iv) If a consumer specifically requests that the creditor use medical information in determining the consumer’s eligibility, or continued eligibility, for credit and provides the creditor with medical information for that
purpose, and the creditor determines
that it needs additional information regarding the consumer’s circumstances,
the creditor may request, obtain, and
use additional medical information
about the consumer as necessary to
verify the information provided by the
consumer or to determine whether to
make an accommodation for the consumer. The consumer may decline to
provide additional information, withdraw the request for an accommodation, and have the application considered under the creditor’s otherwise applicable underwriting criteria.
(v) If a consumer completes and signs
a credit application that is not for
medical purpose credit and the application contains boilerplate language that
routinely requests medical information
from the consumer or that indicates
that by applying for credit the consumer authorizes or consents to the
creditor obtaining and using medical
information in connection with a determination of the consumer’s eligibility, or continued eligibility, for
credit, the consumer has not specifically requested that the creditor obtain and use medical information to
accommodate the consumer’s particular circumstances.
837
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00847
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�§ 717.31
12 CFR Ch. VII (1–1–16 Edition)
(5) Example of a forbearance practice or
program. After an appropriate safety
and soundness review, a creditor institutes a program that allows consumers
who are or will be hospitalized to defer
payments as needed for up to three
months, without penalty, if the credit
account has been open for more than
one year and has not previously been in
default, and the consumer provides
confirming documentation at an appropriate time. A consumer is hospitalized
and does not pay her bill for a particular month. This consumer has had
a credit account with the creditor for
more than one year and has not previously been in default. The creditor
attempts to contact the consumer and
speaks with the consumer’s adult child,
who is not the consumer’s legal representative. The adult child informs
the creditor that the consumer is hospitalized and is unable to pay the bill
at that time. The creditor defers payments for up to three months, without
penalty, for the hospitalized consumer
and sends the consumer a letter confirming this practice and the date on
which the next payment will be due.
The creditor has obtained and used
medical information to determine
whether the provisions of a medicallytriggered forbearance practice or program apply to a consumer.
§ 717.31 Limits on redisclosure of information
(a) Scope. This section applies to Federal credit unions.
(b) Limits on redisclosure. If a Federal
credit union receives medical information about a consumer from a consumer reporting agency or its affiliate,
the person must not disclose that information to any other person, except
as necessary to carry out the purpose
for which the information was initially
disclosed, or as otherwise permitted by
statute, regulation, or order.
lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.32 Sharing medical information
with affiliates.
(a) Scope. This section applies to Federal credit unions.
(b) In general. The exclusions from
the term ‘‘consumer report’’ in section
603(d)(2) of the Act that allow the sharing of information with affiliates do
not apply if a Federal credit union
communicates to an affiliate:
(1) Medical information;
(2) An individualized list or description based on the payment transactions of the consumer for medical
products or services; or
(3) An aggregate list of identified
consumers based on payment transactions for medical products or services.
(c) Exceptions. A Federal credit union
may rely on the exclusions from the
term ‘‘consumer report’’ in section
603(d)(2) of the Act to communicate the
information in paragraph (b) to an affiliate:
(1) In connection with the business of
insurance or annuities (including the
activities described in section 18B of
the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association
of Insurance Commissioners, as in effect on January 1, 2003);
(2) For any purpose permitted without authorization under the regulations promulgated by the Department
of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996
(HIPAA);
(3) For any purpose referred to in section 1179 of HIPAA;
(4) For any purpose described in section 502(e) of the Gramm-Leach-Bliley
Act;
(5) In connection with a determination of the consumer’s eligibility, or
continued eligibility, for credit consistent with § 717.30; or
(6) As otherwise permitted by order
of the NCUA.
Subpart E—Duties of Furnishers of
Information
SOURCE: 74 FR 31522, July 1, 2009, unless
otherwise noted.
§ 717.40 Scope.
This subpart applies to a Federal
credit union that furnishes information
to a consumer reporting agency.
§ 717.41 Definitions.
For purposes of this subpart and appendix E of this part, the following
definitions apply:
838
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00848
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
National Credit Union Administration
§ 717.43
(a) Accuracy means that information
that a furnisher provides to a consumer
reporting agency about an account or
other relationship with the consumer
correctly:
(1) Reflects the terms of and liability
for the account or other relationship;
(2) Reflects the consumer’s performance and other conduct with respect to
the account or other relationship; and
(3) Identifies the appropriate consumer.
(b) Direct dispute means a dispute submitted directly to a furnisher (including a furnisher that is a debt collector)
by a consumer concerning the accuracy
of any information contained in a consumer report and pertaining to an account or other relationship that the
furnisher has or had with the consumer.
(c) Furnisher means an entity that
furnishes information relating to consumers to one or more consumer reporting agencies for inclusion in a consumer report. An entity is not a furnisher when it:
(1) Provides information to a consumer reporting agency solely to obtain a consumer report in accordance
with sections 604(a) and (f) of the Fair
Credit Reporting Act;
(2) Is acting as a ‘‘consumer reporting agency’’ as defined in section 603(f)
of the Fair Credit Reporting Act;
(3) Is a consumer to whom the furnished information pertains; or
(4) Is a neighbor, friend, or associate
of the consumer, or another individual
with whom the consumer is acquainted
or who may have knowledge about the
consumer, and who provides information about the consumer’s character,
general reputation, personal characteristics, or mode of living in response to
a specific request from a consumer reporting agency.
(d) Identity theft has the same meaning as in 16 CFR 603.2(a).
(e) Integrity means that information
that a furnisher provides to a consumer
reporting agency about an account or
other relationship with the consumer:
(1) Is substantiated by the furnisher’s
records at the time it is furnished;
(2) Is furnished in a form and manner
that is designed to minimize the likelihood that the information may be in-
correctly reflected in a consumer report; and
(3) Includes the information in the
furnisher’s possession about the account or other relationship that the
NCUA has:
(i) Determined that the absence of
which would likely be materially misleading in evaluating a consumer’s
creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode
of living; and
(ii) Listed in section I.(b)(2)(iii) of appendix E of this part.
§ 717.42 Reasonable policies and procedures concerning the accuracy
and integrity of furnished information.
(a) Policies and procedures. Each furnisher must establish and implement
reasonable written policies and procedures regarding the accuracy and integrity of the information relating to
consumers that it furnishes to a consumer reporting agency. The policies
and procedures must be appropriate to
the nature, size, complexity, and scope
of each furnisher’s activities.
(b) Guidelines. Each furnisher must
consider the guidelines in appendix E
of this part in developing its policies
and procedures required by this section, and incorporate those guidelines
that are appropriate.
(c) Reviewing and updating policies and
procedures. Each furnisher must review
its policies and procedures required by
this section periodically and update
them as necessary to ensure their continued effectiveness.
§ 717.43
Direct disputes.
(a) General rule. Except as otherwise
provided in this section, a furnisher
must conduct a reasonable investigation of a direct dispute if it relates to:
(1) The consumer’s liability for a
credit account or other debt with the
furnisher, such as direct disputes relating to whether there is or has been
identity theft or fraud against the consumer, whether there is individual or
joint liability on an account, or whether the consumer is an authorized user
of a credit account;
(2) The terms of a credit account or
other debt with the furnisher, such as
839
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00849
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
§ 717.43
12 CFR Ch. VII (1–1–16 Edition)
direct disputes relating to the type of
account, principal balance, scheduled
payment amount on an account, or the
amount of the credit limit on an openend account;
(3) The consumer’s performance or
other conduct concerning an account
or other relationship with the furnisher, such as direct disputes relating
to the current payment status, high
balance, date a payment was made, the
amount of a payment made, or the date
an account was opened or closed; or
(4) Any other information contained
in a consumer report regarding an account or other relationship with the
furnisher that bears on the consumer’s
creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode
of living.
(b) Exceptions. The requirements of
paragraph (a) of this section do not
apply to a furnisher if:
(1) The direct dispute relates to:
(i) The consumer’s identifying information (other than a direct dispute relating to a consumer’s liability for a
credit account or other debt with the
furnisher, as provided in paragraph
(a)(1) of this section) such as name(s),
date of birth, Social Security number,
telephone number(s), or address(es);
(ii) The identity of past or present
employers;
(iii) Inquiries or requests for a consumer report;
(iv) Information derived from public
records, such as judgments, bankruptcies, liens, and other legal matters
(unless provided by a furnisher with an
account or other relationship with the
consumer);
(v) Information related to fraud
alerts or active duty alerts; or
(vi) Information provided to a consumer reporting agency by another furnisher; or
(2) The furnisher has a reasonable belief that the direct dispute is submitted
by, is prepared on behalf of the consumer by, or is submitted on a form
supplied to the consumer by, a credit
repair organization, as defined in 15
U.S.C. 1679a(3), or an entity that would
be a credit repair organization, but for
15 U.S.C. 1679a(3)(B)(i).
(c) Direct dispute address. A furnisher
is required to investigate a direct dis-
pute only if a consumer submits a dispute notice to the furnisher at:
(1) The address of a furnisher provided by a furnisher and set forth on a
consumer report relating to the consumer;
(2) An address clearly and conspicuously specified by the furnisher for submitting direct disputes that is provided
to the consumer in writing or electronically (if the consumer has agreed
to the electronic delivery of information from the furnisher); or
(3) Any business address of the furnisher if the furnisher has not so specified and provided an address for submitting direct disputes under paragraphs (c)(1) or (2) of this section.
(d) Direct dispute notice contents. A
dispute notice must include:
(1) Sufficient information to identify
the account or other relationship that
is in dispute, such as an account number and the name, address, and telephone number of the consumer, if applicable;
(2) The specific information that the
consumer is disputing and an explanation of the basis for the dispute; and
(3) All supporting documentation or
other information reasonably required
by the furnisher to substantiate the
basis of the dispute. This documentation may include, for example: a copy
of the relevant portion of the consumer
report that contains the allegedly inaccurate information; a police report; a
fraud or identity theft affidavit; a
court order; or account statements.
(e) Duty of furnisher after receiving a
direct dispute notice. After receiving a
dispute notice from a consumer pursuant to paragraphs (c) and (d) of this
section, the furnisher must:
(1) Conduct a reasonable investigation with respect to the disputed information;
(2) Review all relevant information
provided by the consumer with the dispute notice;
(3) Complete its investigation of the
dispute and report the results of the investigation to the consumer before the
expiration of the period under section
611(a)(1) of the Fair Credit Reporting
Act (15 U.S.C. 1681i(a)(1)) within which
a consumer reporting agency would be
required to complete its action if the
840
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00850
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�lpowell on DSK54DXVN1OFR with $$_JOB
National Credit Union Administration
§ 717.82
consumer had elected to dispute the information under that section; and
(4) If the investigation finds that the
information reported was inaccurate,
promptly notify each consumer reporting agency to which the furnisher provided inaccurate information of that
determination and provide to the consumer reporting agency any correction
to that information that is necessary
to make the information provided by
the furnisher accurate.
(f) Frivolous or irrelevant disputes. (1)
A furnisher is not required to investigate a direct dispute if the furnisher
has reasonably determined that the
dispute is frivolous or irrelevant. A dispute qualifies as frivolous or irrelevant
if:
(i) The consumer did not provide sufficient information to investigate the
disputed information as required by
paragraph (d) of this section;
(ii) The direct dispute is substantially the same as a dispute previously
submitted by or on behalf of the consumer, either directly to the furnisher
or through a consumer reporting agency, with respect to which the furnisher
has already satisfied the applicable requirements of the Act or this section;
provided, however, that a direct dispute is not substantially the same as a
dispute previously submitted if the dispute includes information listed in
paragraph (d) of this section that had
not previously been provided to the
furnisher; or
(iii) The furnisher is not required to
investigate the direct dispute because
one or more of the exceptions listed in
paragraph (b) of this section applies.
(2) Notice of determination. Upon making a determination that a dispute is
frivolous or irrelevant, the furnisher
must notify the consumer of the determination not later than five business
days after making the determination,
by mail or, if authorized by the consumer for that purpose, by any other
means available to the furnisher.
(3) Contents of notice of determination
that a dispute is frivolous or irrelevant. A
notice of determination that a dispute
is frivolous or irrelevant must include
the reasons for such determination and
identify any information required to
investigate the disputed information,
which notice may consist of a stand-
ardized form describing the general nature of such information.
Subparts F–H [Reserved]
Subpart I—Duties of Users of Consumer Reports Regarding Address
Discrepancies
and
Records Disposal
§§ 717.80–717.81
[Reserved]
§ 717.82 Duties of users regarding address discrepancies.
(a) Scope. This section applies to a
user of consumer reports (user) that receives a notice of address discrepancy
from a consumer reporting agency described in 15 U.S.C. 1681a(p), and that is
federal credit union.
(b) Definition. For purposes of this
section, a notice of address discrepancy
means a notice sent to a user by a consumer reporting agency described in 15
U.S.C. 1681a(p) pursuant to 15 U.S.C.
1681c(h)(1), that informs the user of a
substantial difference between the address for the consumer that the user
provided to request the consumer report and the address(es) in the agency’s
file for the consumer.
(c) Reasonable belief—(1) Requirement
to form a reasonable belief. A user must
develop and implement reasonable policies and procedures designed to enable
the user to form a reasonable belief
that a consumer report relates to the
consumer about whom it has requested
the report, when the user receives a notice of address discrepancy.
(2) Examples of reasonable policies and
procedures. (i) Comparing the information in the consumer report provided
by the consumer reporting agency with
information the user:
(A) Obtains and uses to verify the
consumer’s identity in accordance with
the requirements of the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR
1020.220);
(B) Maintains in its own records,
such as applications, change of address
notifications, other member account
records, or retained CIP documentation; or
(C) Obtains from third-party sources;
or
841
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00851
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�§ 717.83
12 CFR Ch. VII (1–1–16 Edition)
(ii) Verifying the information in the
consumer report provided by the consumer reporting agency with the consumer.
(d) Consumer’s address—(1) Requirement to furnish consumer’s address to a
consumer reporting agency. A user must
develop and implement reasonable policies and procedures for furnishing an
address for the consumer that the user
has reasonably confirmed is accurate
to the consumer reporting agency described in 15 U.S.C. 1681a(p) from whom
it received the notice of address discrepancy when the user:
(i) Can form a reasonable belief that
the consumer report relates to the consumer about whom the user requested
the report;
(ii) Establishes a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary
course of business furnishes information to the consumer reporting agency
from which the notice of address discrepancy relating to the consumer was
obtained.
(2) Examples of confirmation methods.
The user may reasonably confirm an
address is accurate by:
(i) Verifying the address with the
consumer about whom it has requested
the report;
(ii) Reviewing its own records to
verify the address of the consumer;
(iii) Verifying the address through
third-party sources; or
(iv) Using other reasonable means.
(3) Timing. The policies and procedures developed in accordance with
paragraph (d)(1) of this section must
provide that the user will furnish the
consumer’s address that the user has
reasonably confirmed is accurate to
the consumer reporting agency described in 15 U.S.C. 1681a(p) as part of
the information it regularly furnishes
for the reporting period in which it establishes a relationship with the consumer.
lpowell on DSK54DXVN1OFR with $$_JOB
[72 FR 63768, Nov. 9, 2007, as amended at 74
FR 22644, May 14, 2009; 76 FR 18365, Apr. 4,
2011]
§ 717.83 Disposal of consumer information.
(a) In general. You must properly dispose of any consumer information that
you maintain or otherwise possess in a
manner consistent with the Guidelines
for Safeguarding Member Information,
in appendix A to part 748 of this chapter.
(b) Examples. Appropriate measures
to properly dispose of consumer information include the following examples.
These examples are illustrative only
and are not exclusive or exhaustive
methods for complying with this section.
(1) Burning, pulverizing, or shredding
papers containing consumer information so that the information cannot
practicably be read or reconstructed.
(2) Destroying or erasing electronic
media containing consumer information so that the information cannot
practicably be read or reconstructed.
(c) Rule of construction. This section
does not:
(1) Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any
other law; or
(2) Alter or affect any requirement
imposed under any other provision of
law to maintain or destroy such a
record.
(d) Definitions. As used in this section:
(1) Consumer information means any
record about an individual, whether in
paper, electronic, or other form, that is
a consumer report or is derived from a
consumer report and that is maintained or otherwise possessed by or on
behalf of the credit union for a business
purpose. Consumer information also
means a compilation of such records.
The term does not include any record
that does not identify an individual.
(i) Consumer information includes:
(A) A consumer report that you obtain;
(B) Information from a consumer report that you obtain from your affiliate after the consumer has been given
a notice and has elected not to opt out
of that sharing;
(C) Information from a consumer report that you obtain about an individual who applies for but does not receive a loan, including any loan sought
by an individual for a business purpose;
(D) Information from a consumer report that you obtain about an individual who guarantees a loan (including a loan to a business entity); or
842
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00852
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�National Credit Union Administration
§ 717.90
(E) Information from a consumer report that you obtain about an employee or prospective employee.
(ii) Consumer information does not include:
(A) Aggregate information, such as
the mean credit score, derived from a
group of consumer reports; or
(B) Blind data, such as payment history on accounts that are not personally identifiable, you use for developing credit scoring models or for
other purposes.
(2) Consumer report has the same
meaning as set forth in the Fair Credit
Reporting Act, 15 U.S.C. 1681a(d). The
meaning of consumer report is broad
and subject to various definitions, conditions and exceptions in the Fair
Credit Reporting Act. It includes written or oral communications from a
consumer reporting agency to a third
party of information used or collected
for use in establishing eligibility for
credit or insurance used primarily for
personal, family or household purposes,
and eligibility for employment purposes. Examples include credit reports,
bad check lists, and tenant screening
reports.
Subpart J—Identity Theft Red Flags
lpowell on DSK54DXVN1OFR with $$_JOB
SOURCE: 72 FR 63768, Nov. 9, 2007, unless
otherwise noted.
§ 717.90 Duties regarding the detection, prevention, and mitigation of
identity theft.
(a) Scope. This section applies to a financial institution or creditor that is a
federal credit union.
(b) Definitions. For purposes of this
section and appendix J, the following
definitions apply:
(1) Account means a continuing relationship established by a person with a
federal credit union to obtain a product
or service for personal, family, household or business purposes. Account includes:
(i) An extension of credit, such as the
purchase of property or services involving a deferred payment; and
(ii) A share or deposit account.
(2) The term board of directors refers
to a federal credit union’s board of directors.
(3) Covered account means:
(i) An account that a federal credit
union offers or maintains, primarily
for personal, family, or household purposes, that involves or is designed to
permit multiple payments or transactions, such as a credit card account,
mortgage
loan,
automobile
loan,
checking account, or share account;
and
(ii) Any other account that the federal credit union offers or maintains
for which there is a reasonably foreseeable risk to members or to the safety
and soundness of the federal credit
union from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4) Credit has the same meaning as in
15 U.S.C. 1681a(r)(5).
(5) Creditor has the same meaning as
in 15 U.S.C. 1681a(r)(5).
(6) Customer means a member that
has a covered account with a federal
credit union.
(7) Financial institution has the same
meaning as in 15 U.S.C. 1681a(t).
(8) Identity theft has the same meaning as in 16 CFR 603.2(a).
(9) Red Flag means a pattern, practice, or specific activity that indicates
the possible existence of identity theft.
(10) Service provider means a person
that provides a service directly to the
federal credit union.
(c) Periodic Identification of Covered
Accounts. Each federal credit union
must periodically determine whether it
offers or maintains covered accounts.
As a part of this determination, a federal credit union must conduct a risk
assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this
section, taking into consideration:
(1) The methods it provides to open
its accounts;
(2) The methods it provides to access
its accounts; and
(3) Its previous experiences with identity theft.
(d) Establishment of an Identity Theft
Prevention Program—(1) Program requirement. Each federal credit union that offers or maintains one or more covered
accounts must develop and implement
a written Identity Theft Prevention
Program (Program) that is designed to
detect, prevent, and mitigate identity
theft in connection with the opening of
843
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00853
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�§ 717.91
12 CFR Ch. VII (1–1–16 Edition)
lpowell on DSK54DXVN1OFR with $$_JOB
a covered account or any existing covered account. The Program must be appropriate to the size and complexity of
the federal credit union and the nature
and scope of its activities.
(2) Elements of the Program. The Program must include reasonable policies
and procedures to:
(i) Identify relevant Red Flags for the
covered accounts that the federal credit union offers or maintains, and incorporate those Red Flags into its Program;
(ii) Detect Red Flags that have been
incorporated into the Program of the
federal credit union;
(iii) Respond appropriately to any
Red Flags that are detected pursuant
to paragraph (d)(2)(ii) of this section to
prevent and mitigate identity theft;
and
(iv) Ensure the Program (including
the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to members and
to the safety and soundness of the federal credit union from identity theft.
(e) Administration of the Program.
Each federal credit union that is required to implement a Program must
provide for the continued administration of the Program and must:
(1) Obtain approval of the initial
written Program from either its board
of directors or an appropriate committee of the board of directors;
(2) Involve the board of directors, an
appropriate committee thereof, or a
designated employee at the level of
senior management in the oversight,
development, implementation and administration of the Program;
(3) Train staff, as necessary, to effectively implement the Program; and
(4) Exercise appropriate and effective
oversight of service provider arrangements.
(f) Guidelines. Each federal credit
union that is required to implement a
Program must consider the guidelines
in appendix J of this part and include
in its Program those guidelines that
are appropriate.
§ 717.91 Duties of card issuers regarding changes of address.
(a) Scope. This section applies to an
issuer of a debit or credit card (card
issuer) that is a federal credit union.
(b) Definitions. For purposes of this
section:
(1) Cardholder means a member who
has been issued a credit or debit card.
(2) Clear and conspicuous means reasonably understandable and designed
to call attention to the nature and significance of the information presented.
(c) Address validation requirements. A
card issuer must establish and implement reasonable policies and procedures to assess the validity of a change
of address if it receives notification of
a change of address for a member’s
debit or credit card account and, within a short period of time afterwards
(during at least the first 30 days after
it receives such notification), the card
issuer receives a request for an additional or replacement card for the
same account. Under these circumstances, the card issuer may not
issue an additional or replacement
card, until, in accordance with its reasonable policies and procedures and for
the purpose of assessing the validity of
the change of address, the card issuer:
(1)(i) Notifies the cardholder of the
request:
(A) At the cardholder’s former address; or
(B) By any other means of communication that the card issuer and the
cardholder have previously agreed to
use; and
(ii) Provides to the cardholder a reasonable means of promptly reporting
incorrect address changes; or
(2) Otherwise assesses the validity of
the change of address in accordance
with the policies and procedures the
card issuer has established pursuant to
§ 717.90 of this part.
(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant
to the methods in paragraph (c)(1) or
(c)(2) of this section when it receives an
address change notification, before it
receives a request for an additional or
replacement card.
(e) Form of notice. Any written or
electronic notice that the card issuer
provides under this paragraph must be
clear and conspicuous and provided
separately from its regular correspondence with the cardholder.
844
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00854
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�National Credit Union Administration
Pt. 717, App. C
APPENDIXES A–B TO PART 717
[RESERVED]
lpowell on DSK54DXVN1OFR with $$_JOB
APPENDIX C TO PART 717—MODEL FORMS
FOR OPT-OUT NOTICES
a. Although use of the model forms is not
required, use of the model forms in this appendix (as applicable) complies with the requirement in section 624 of the Act for clear,
conspicuous, and concise notices.
b. Certain changes may be made to the language or format of the model forms without
losing the protection from liability afforded
by use of the model forms. These changes
may not be so extensive as to affect the substance, clarity, or meaningful sequence of
the language in the model forms. Persons
making such extensive revisions will lose the
safe harbor that this appendix provides. Acceptable changes include, for example:
1. Rearranging the order of the references
to ‘‘your income,’’ ‘‘your account history,’’
and ‘‘your credit score.’’
2. Substituting other types of information
for ‘‘income,’’ ‘‘account history,’’ or ‘‘credit
score’’ for accuracy, such as ‘‘payment history,’’ ‘‘credit history,’’ ‘‘payoff status,’’ or
‘‘claims history.’’
3. Substituting a clearer and more accurate description of the affiliates providing or
covered by the notice for phrases such as
‘‘the [ABC] group of companies,’’ including
without limitation a statement that the entity providing the notice recently purchased
the consumer’s account.
4. Substituting other types of affiliates
covered by the notice for ‘‘credit card,’’ ‘‘insurance brokerage,’’ or ‘‘securities brokerage’’ affiliates.
5. Omitting items that are not accurate or
applicable. For example, if a person does not
limit the duration of the opt-out period, the
notice may omit information about the renewal notice.
6. Adding a statement informing consumers how much time they have to opt out
before shared eligibility information may be
used to make solicitations to them.
7. Adding a statement that the consumer
may exercise the right to opt out at any
time.
8. Adding the following statement, if accurate: ‘‘If you previously opted out, you do
not need to do so again.’’
9. Providing a place on the form for the
consumer to fill in identifying information,
such as his or her name and address:
10. Adding disclosures regarding the treatment of opt-outs by joint consumers to comply with § 717.23(a)(2) of this part.
C–1 Model Form for Initial Opt-out Notice
(Single-Affiliate Notice)
C–2 Model Form for Initial Opt-out Notice
(Joint Notice)
C–3 Model Form for Renewal Notice (SingleAffiliate Notice)
C–4 Model Form for Renewal Notice (Joint
Notice)
C–5 Model Form for Voluntary ‘‘No Marketing’’ Notice
C–1—Model Form for Initial Opt-out Notice
(Single-Affiliate Notice)—[Your Choice To
Limit Marketing]/[Marketing Opt-out]
• [Name of Affiliate] is providing this notice.
• [Optional: Federal law gives you the
right to limit some but not all marketing
from our affiliates. Federal law also requires
us to give you this notice to tell you about
your choice to limit marketing from our affiliates.]
• You may limit our affiliates in the [ABC]
group of companies, such as our [credit card,
insurance brokerage, and securities brokerage] affiliates, from marketing their products or services to you based on your personal information that we collect and share
with them. This information includes your
[income], your [account history with us], and
your [credit score].
• Your choice to limit marketing offers
from our affiliates will apply [until you tell
us to change your choice]/[for x years from
when you tell us your choice]/[for at least 5
years from when you tell us your choice].
[Include if the opt-out period expires.] Once
that period expires, you will receive a renewal notice that will allow you to continue
to limit marketing offers from our affiliates
for [another x years]/[at least another 5
years].
• [Include, if applicable, in a subsequent
notice, including an annual notice, for consumers who may have previously opted out.]
If you have already made a choice to limit
marketing offers from our affiliates, you do
not need to act again until you receive the
renewal notice.
To limit marketing offers, contact us [include all that apply]:
• By telephone: 1–877–###–####
• On the Web: www.—.com
• By mail: Check the box and complete the
form below, and send the form to:
[Company name]
[Company address]
lDo not allow your affiliates to use my
personal information to market to me.
C–2—Model Form for Initial Opt-out Notice
(Joint Notice)—[Your Choice To Limit Marketing]/[Marketing Opt-out]
• The [ABC group of companies] is providing this notice.
• [Optional: Federal law gives you the
right to limit some but not all marketing
from the [ABC] companies. Federal law also
requires us to give you this notice to tell you
about your choice to limit marketing from
the [ABC] companies.]
845
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00855
Fmt 8010
Sfmt 8002
Q:\12\12V7.TXT
31
�Pt. 717, App. C
12 CFR Ch. VII (1–1–16 Edition)
• You may limit the [ABC] companies,
such as the [ABC credit card, insurance brokerage, and securities brokerage] affiliates,
from marketing their products or services to
you based on your personal information that
they receive from other [ABC] companies.
This information includes your [income],
your [account history], and your [credit
score].
• Your choice to limit marketing offers
from the [ABC] companies will apply [until
you tell us to change your choice]/[for x
years from when you tell us your choice]/[for
at least 5 years from when you tell us your
choice]. [Include if the opt-out period expires.] Once that period expires, you will receive a renewal notice that will allow you to
continue to limit marketing offers from the
[ABC] companies for [another x years]/[at
least another 5 years].
• [Include, if applicable, in a subsequent
notice, including an annual notice, for consumers who may have previously opted out.]
If you have already made a choice to limit
marketing offers from the [ABC] companies,
you do not need to act again until you receive the renewal notice.
To limit marketing offers, contact us [include all that apply]:
• By telephone: 1–877–###–####
• On the Web: www.—.com
• By mail: Check the box and complete the
form below, and send the form to:
[Company name]
[Company address]
lDo not allow any company [in the ABC
group of companies] to use my personal information to market to me.
lpowell on DSK54DXVN1OFR with $$_JOB
C–3—Model Form for Renewal Notice (SingleAffiliate Notice)—[Renewing Your Choice To
Limit Marketing]/[Renewing Your Marketing
Opt-out]
• [Name of Affiliate] is providing this notice.
• [Optional: Federal law gives you the
right to limit some but not all marketing
from our affiliates. Federal law also requires
us to give you this notice to tell you about
your choice to limit marketing from our affiliates.]
• You previously chose to limit our affiliates in the [ABC] group of companies, such
as our [credit card, insurance brokerage, and
securities brokerage] affiliates, from marketing their products or services to you
based on your personal information that we
share with them. This information includes
your [income], your [account history with
us], and your [credit score].
• Your choice has expired or is about to expire.
To renew your choice to limit marketing
for [x] more years, contact us [include all
that apply]:
• By telephone: 1–877–###–####
• On the Web: www.—.com
• By mail: Check the box and complete the
form below, and send the form to:
[Company name]
[Company address]
lRenew my choice to limit marketing for
[x] more years.
C–4—Model Form for Renewal Notice (Joint Notice)—[Renewing Your Choice To Limit Marketing]/[Renewing Your Marketing Opt-out]
• The [ABC group of companies] is providing this notice.
• [Optional: Federal law gives you the
right to limit some but not all marketing
from the [ABC] companies. Federal law also
requires us to give you this notice to tell you
about your choice to limit marketing from
the [ABC] companies.]
• You previously chose to limit the [ABC]
companies, such as the [ABC credit card, insurance brokerage, and securities brokerage]
affiliates, from marketing their products or
services to you based on your personal information that they receive from other ABC
companies. This information includes your
[income], your [account history], and your
[credit score].
• Your choice has expired or is about to expire.
To renew your choice to limit marketing
for [x] more years, contact us [include all
that apply]:
• By telephone: 1–877–###–####
• On the Web: www.—.com
• By mail: Check the box and complete the
form below, and send the form to:
[Company name]
[Company address]
lRenew my choice to limit marketing for
[x] more years.
C–5—MODEL FORM FOR VOLUNTARY ‘‘NO
MARKETING’’ NOTICE
YOUR CHOICE TO STOP MARKETING
• [Name of Affiliate] is providing this notice.
• You may choose to stop all marketing
from us and our affiliates.
• [Your choice to stop marketing from us
and our affiliates will apply until you tell us
to change your choice.]
To stop all marketing, contact us [include
all that apply]:
• By telephone: 1–877–###–####
• On the Web: www.—.com
• By mail: Check the box and complete the
form below, and send the form to:
[Company name]
[Company address]
lDo not market to me.
[72 FR 62989, Nov. 7, 2007, as amended at 74
FR 22644, May 14, 2009]
846
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00856
Fmt 8010
Sfmt 8002
Q:\12\12V7.TXT
31
�National Credit Union Administration
Pt. 717, App. E
APPENDIX D TO PART 717 [RESERVED]
in a consumer report; thus, the furnished information should:
(A) Include appropriate identifying information about the consumer to whom it pertains; and
(B) Be furnished in a standardized and
clearly understandable form and manner and
with a date specifying the time period to
which the information pertains; and
(iii) Includes the credit limit, if applicable
and in the furnisher’s possession;
(3) To conduct reasonable investigations of
consumer disputes and take appropriate actions based on the outcome of such investigations; and
(4) To update the information it furnishes
as necessary to reflect the current status of
the consumer’s account or other relationship, including, for example:
(i) Any transfer of an account (e.g., by sale
or assignment for collection) to a third
party; and
(ii) Any cure of the consumer’s failure to
abide by the terms of the account or other
relationship.
APPENDIX E TO PART 717—INTERAGENCY
GUIDELINES CONCERNING THE ACCURACY AND INTEGRITY OF INFORMATION FURNISHED TO CONSUMER REPORTING AGENCIES
The NCUA encourages voluntary furnishing of information to consumer reporting agencies. Section 717.42 of this part requires each furnisher to establish and implement reasonable written policies and procedures concerning the accuracy and integrity
of the information it furnishes to consumer
reporting agencies. Under § 717.42(b), a furnisher must consider the guidelines set forth
below in developing its policies and procedures. In establishing these policies and procedures, a furnisher may include any of its
existing policies and procedures that are relevant and appropriate. Section 717.42(c) requires each furnisher to review its policies
and procedures periodically and update them
as necessary to ensure their continued effectiveness.
lpowell on DSK54DXVN1OFR with $$_JOB
I. NATURE, SCOPE, AND OBJECTIVES OF
POLICIES AND PROCEDURES
(a) Nature and Scope. Section 717.42(a) of
this part requires that a furnisher’s policies
and procedures be appropriate to the nature,
size, complexity, and scope of the furnisher’s
activities. In developing its policies and procedures, a furnisher should consider, for example:
(1) The types of business activities in
which the furnisher engages;
(2) The nature and frequency of the information the furnisher provides to consumer
reporting agencies; and
(3) The technology used by the furnisher to
furnish information to consumer reporting
agencies.
(b) Objectives. A furnisher’s policies and
procedures should be reasonably designed to
promote the following objectives:
(1) To furnish information about accounts
or other relationships with a consumer that
is accurate, such that the furnished information:
(i) Identifies the appropriate consumer;
(ii) Reflects the terms of and liability for
those accounts or other relationships; and
(iii) Reflects the consumer’s performance
and other conduct with respect to the account or other relationship;
(2) To furnish information about accounts
or other relationships with a consumer that
has integrity, such that the furnished information:
(i) Is substantiated by the furnisher’s
records at the time it is furnished;
(ii) Is furnished in a form and manner that
is designed to minimize the likelihood that
the information may be incorrectly reflected
II. ESTABLISHING AND IMPLEMENTING POLICIES
AND PROCEDURES
In establishing and implementing its policies and procedures, a furnisher should:
(a) Identify practices or activities of the
furnisher that can compromise the accuracy
or integrity of information furnished to consumer reporting agencies, such as by:
(1) Reviewing its existing practices and activities, including the technological means
and other methods it uses to furnish information to consumer reporting agencies and
the frequency and timing of its furnishing of
information;
(2) Reviewing its historical records relating to accuracy or integrity or to disputes;
reviewing other information relating to the
accuracy or integrity of information provided by the furnisher to consumer reporting
agencies; and considering the types of errors,
omissions, or other problems that may have
affected the accuracy or integrity of information it has furnished about consumers to
consumer reporting agencies;
(3) Considering any feedback received from
consumer reporting agencies, consumers, or
other appropriate parties;
(4) Obtaining feedback from the furnisher’s
staff; and
(5) Considering the potential impact of the
furnisher’s policies and procedures on consumers.
(b) Evaluate the effectiveness of existing
policies and procedures of the furnisher regarding the accuracy and integrity of information furnished to consumer reporting
agencies; consider whether new, additional,
or different policies and procedures are necessary; and consider whether implementation of existing policies and procedures
should be modified to enhance the accuracy
847
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00857
Fmt 8010
Sfmt 8002
Q:\12\12V7.TXT
31
�Pt. 717, App. J
12 CFR Ch. VII (1–1–16 Edition)
and integrity of information about consumers furnished to consumer reporting
agencies.
(c) Evaluate the effectiveness of specific
methods (including technological means) the
furnisher uses to provide information to consumer reporting agencies; how those methods may affect the accuracy and integrity of
the information it provides to consumer reporting agencies; and whether new, additional, or different methods (including technological means) should be used to provide
information to consumer reporting agencies
to enhance the accuracy and integrity of
that information.
lpowell on DSK54DXVN1OFR with $$_JOB
III. SPECIFIC COMPONENTS OF POLICIES AND
PROCEDURES
In developing its policies and procedures, a
furnisher should address the following, as appropriate:
(a) Establishing and implementing a system for furnishing information about consumers to consumer reporting agencies that
is appropriate to the nature, size, complexity, and scope of the furnisher’s business
operations.
(b) Using standard data reporting formats
and standard procedures for compiling and
furnishing data, where feasible, such as the
electronic transmission of information about
consumers to consumer reporting agencies.
(c) Maintaining records for a reasonable
period of time, not less than any applicable
recordkeeping requirement, in order to substantiate the accuracy of any information
about consumers it furnishes that is subject
to a direct dispute.
(d) Establishing and implementing appropriate internal controls regarding the accuracy and integrity of information about consumers furnished to consumer reporting
agencies, such as by implementing standard
procedures and verifying random samples of
information provided to consumer reporting
agencies.
(e) Training staff that participates in activities related to the furnishing of information about consumers to consumer reporting
agencies to implement the policies and procedures.
(f) Providing for appropriate and effective
oversight of relevant service providers whose
activities may affect the accuracy or integrity of information about consumers furnished to consumer reporting agencies to ensure compliance with the policies and procedures.
(g) Furnishing information about consumers to consumer reporting agencies following mergers, portfolio acquisitions or
sales, or other acquisitions or transfers of
accounts or other obligations in a manner
that prevents re-aging of information, duplicative reporting, or other problems that may
similarly affect the accuracy or integrity of
the information furnished.
(h) Deleting, updating, and correcting information in the furnisher’s records, as appropriate, to avoid furnishing inaccurate information.
(i) Conducting reasonable investigations of
disputes.
(j) Designing technological and other
means of communication with consumer reporting agencies to prevent duplicative reporting of accounts, erroneous association of
information with the wrong consumer(s), and
other occurrences that may compromise the
accuracy or integrity of information provided to consumer reporting agencies.
(k) Providing consumer reporting agencies
with sufficient identifying information in
the furnisher’s possession about each consumer about whom information is furnished
to enable the consumer reporting agency
properly to identify the consumer.
(l) Conducting a periodic evaluation of its
own practices, consumer reporting agency
practices of which the furnisher is aware, investigations of disputed information, corrections of inaccurate information, means of
communication, and other factors that may
affect the accuracy or integrity of information furnished to consumer reporting agencies.
(m) Complying with applicable requirements under the Fair Credit Reporting Act
and its implementing regulations.
[74 FR 31524, July 1, 2009]
APPENDIXES F–I TO PART 717
[RESERVED]
APPENDIX J TO PART 717—INTERAGENCY
GUIDELINES ON IDENTITY THEFT DETECTION, PREVENTION, AND MITIGATION
Section 717.90 of this part requires each
federal credit union that offers or maintains
one or more covered accounts, as defined in
§ 717.90(b)(3) of this part, to develop and provide for the continued administration of a
written Program to detect, prevent, and
mitigate identity theft in connection with
the opening of a covered account or any existing covered account. These guidelines are
intended to assist federal credit unions in
the formulation and maintenance of a Program that satisfies the requirements of
§ 717.90 of this part.
I. The Program
In designing its Program, a federal credit
union may incorporate, as appropriate, its
existing policies, procedures, and other arrangements that control reasonably foreseeable risks to members or to the safety and
soundness of the federal credit union from
identity theft.
848
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00858
Fmt 8010
Sfmt 8002
Q:\12\12V7.TXT
31
�National Credit Union Administration
Pt. 717, App. J
II. Identifying Relevant Red Flags
IV. Preventing and Mitigating Identity Theft
(a) Risk Factors. A federal credit union
should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1) The types of covered accounts it offers
or maintains;
(2) The methods it provides to open its covered accounts;
(3) The methods it provides to access its
covered accounts; and
(4) Its previous experiences with identity
theft.
(b) Sources of Red Flags. Federal credit
unions should incorporate relevant Red
Flags from sources such as:
(1) Incidents of identity theft that the federal credit union has experienced;
(2) Methods of identity theft that the federal credit union has identified that reflect
changes in identity theft risks; and
(3) Applicable supervisory guidance.
(c) Categories of Red Flags. The Program
should include relevant Red Flags from the
following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to
this appendix J.
(1) Alerts, notifications, or other warnings
received from consumer reporting agencies
or service providers, such as fraud detection
services;
(2) The presentation of suspicious documents;
(3) The presentation of suspicious personal
identifying information, such as a suspicious
address change;
(4) The unusual use of, or other suspicious
activity related to, a covered account; and
(5) Notice from members, victims of identity theft, law enforcement authorities, or
other persons regarding possible identity
theft in connection with covered accounts
held by the federal credit union.
The Program’s policies and procedures
should provide for appropriate responses to
the Red Flags the federal credit union has
detected that are commensurate with the degree of risk posed. In determining an appropriate response, a federal credit union should
consider aggravating factors that may
heighten the risk of identity theft, such as a
data security incident that results in unauthorized access to a member’s account
records held by the federal credit union or a
third party, or notice that a member has
provided information related to a covered account held by the federal credit union to
someone fraudulently claiming to represent
the federal credit union or to a fraudulent
website. Appropriate responses may include
the following:
(a) Monitoring a covered account for evidence of identity theft;
(b) Contacting the member;
(c) Changing any passwords, security
codes, or other security devices that permit
access to a covered account;
(d) Reopening a covered account with a
new account number;
(e) Not opening a new covered account;
(f) Closing an existing covered account;
(g) Not attempting to collect on a covered
account or not selling a covered account to
a debt collector;
(h) Notifying law enforcement; or
(i) Determining that no response is warranted under the particular circumstances.
lpowell on DSK54DXVN1OFR with $$_JOB
III. Detecting Red Flags
The Program’s policies and procedures
should address the detection of Red Flags in
connection with the opening of covered accounts and existing covered accounts, such
as by:
(a) Obtaining identifying information
about, and verifying the identity of, a person
opening a covered account; for example,
using the policies and procedures regarding
identification and verification set forth in
the Customer Identification Program rules
implementing 31 U.S.C. 5318(l) (31 CFR
1020.220); and
(b) Authenticating members, monitoring
transactions, and verifying the validity of
change of address requests, in the case of existing covered accounts.
V. Updating the Program
Federal credit unions should update the
Program (including the Red Flags determined to be relevant) periodically, to reflect
changes in risks to members or to the safety
and soundness of the federal credit union
from identity theft, based on factors such as:
(a) The experiences of the federal credit
union with identity theft;
(b) Changes in methods of identity theft;
(c) Changes in methods to detect, prevent,
and mitigate identity theft;
(d) Changes in the types of accounts that
the federal credit union offers or maintains;
and
(e) Changes in the business arrangements
of the federal credit union, including mergers, acquisitions, alliances, joint ventures,
and service provider arrangements.
VI. Methods for Administering the Program
(a) Oversight of Program. Oversight by the
board of directors, an appropriate committee
of the board, or a designated employee at the
level of senior management should include:
(1) Assigning specific responsibility for the
Program’s implementation;
(2) Reviewing reports prepared by staff regarding compliance by the federal credit
union with § 717.90 of this part; and
849
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00859
Fmt 8010
Sfmt 8002
Q:\12\12V7.TXT
31
�Pt. 717, App. J
12 CFR Ch. VII (1–1–16 Edition)
(3) Approving material changes to the Program as necessary to address changing identity theft risks.
(b) Reports. (1) In general. Staff of the federal credit union responsible for development, implementation, and administration
of its Program should report to the board of
directors, an appropriate committee of the
board, or a designated employee at the level
of senior management, at least annually, on
compliance by the federal credit union with
§ 717.90 of this part.
(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the
federal credit union in addressing the risk of
identity theft in connection with the opening of covered accounts and with respect to
existing covered accounts; service provider
arrangements; significant incidents involving identity theft and management’s response; and recommendations for material
changes to the Program.
(c) Oversight of service provider arrangements. Whenever a federal credit union engages a service provider to perform an activity in connection with one or more covered
accounts the federal credit union should
take steps to ensure that the activity of the
service provider is conducted in accordance
with reasonable policies and procedures designed to detect, prevent, and mitigate the
risk of identity theft. For example, a federal
credit union could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may
arise in the performance of the service provider’s activities, and either report the Red
Flags to the federal credit union, or to take
appropriate steps to prevent or mitigate
identity theft.
lpowell on DSK54DXVN1OFR with $$_JOB
VII. Other Applicable Legal Requirements
Federal credit unions should be mindful of
other related legal requirements that may be
applicable, such as:
(a) Filing a Suspicious Activity Report
under 31 U.S.C. 5318(g) and 12 CFR 748.1(c);
(b) Implementing any requirements under
15 U.S.C. 1681c–1(h) regarding the circumstances under which credit may be extended when the federal credit union detects
a fraud or active duty alert;
(c) Implementing any requirements for furnishers of information to consumer reporting
agencies under 15 U.S.C. 1681s–2, for example,
to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause
to believe is inaccurate; and
(d) Complying with the prohibitions in 15
U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting
from identity theft.
Supplement A to Appendix J
In addition to incorporating Red Flags
from the sources recommended in section
II.b. of the Guidelines in appendix J of this
part, each federal credit union may consider
incorporating into its Program, whether singly or in combination, Red Flags from the
following illustrative examples in connection with covered accounts:
Alerts, Notifications or Warnings From a
Consumer Reporting Agency
1. A fraud or active duty alert is included
with a consumer report.
2. A consumer reporting agency provides a
notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a
notice of address discrepancy, as defined in
§ 717.82(b) of this part.
4. A consumer report indicates a pattern of
activity that is inconsistent with the history
and usual pattern of activity of an applicant
or member, such as:
a. A recent and significant increase in the
volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit,
especially with respect to recently established credit relationships; or
d. An account that was closed for cause or
identified for abuse of account privileges by
a financial institution or creditor.
Suspicious Documents
5. Documents provided for identification
appear to have been altered or forged.
6. The photograph or physical description
on the identification is not consistent with
the appearance of the applicant or member
presenting the identification.
7. Other information on the identification
is not consistent with information provided
by the person opening a new covered account
or member presenting the identification.
8. Other information on the identification
is not consistent with readily accessible information that is on file with the federal
credit union, such as a signature card or a
recent check.
9. An application appears to have been altered or forged, or gives the appearance of
having been destroyed and reassembled.
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against
external information sources used by the federal credit union. For example:
a. The address does not match any address
in the consumer report; or
b. The Social Security Number (SSN) has
not been issued, or is listed on the Social Security Administration’s Death Master File.
850
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00860
Fmt 8010
Sfmt 8002
Q:\12\12V7.TXT
31
�National Credit Union Administration
Pt. 721
11. Personal identifying information provided by the member is not consistent with
other personal identifying information provided by the member. For example, there is
a lack of correlation between the SSN range
and date of birth.
12. Personal identifying information provided is associated with known fraudulent
activity as indicated by internal or thirdparty sources used by the federal credit
union. For example:
a. The address on an application is the
same as the address provided on a fraudulent
application; or
b. The phone number on an application is
the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with
fraudulent activity as indicated by internal
or third-party sources used by the federal
credit union. For example:
a. The address on an application is fictitious, a mail drop, or prison; or
b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that
submitted by other persons opening an account or other members.
15. The address or telephone number provided is the same as or similar to the address
or telephone number submitted by an unusually large number of other persons opening
accounts or by other members.
16. The person opening the covered account
or the member fails to provide all required
personal identifying information on an application or in response to notification that the
application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the
federal credit union.
18. For federal credit unions that use challenge questions, the person opening the covered account or the member cannot provide
authenticating information beyond that
which generally would be available from a
wallet or consumer report.
b. The member fails to make the first payment or makes an initial payment but no
subsequent payments.
21. A covered account is used in a manner
that is not consistent with established patterns of activity on the account. There is, for
example:
a. Nonpayment when there is no history of
late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or
spending patterns;
d. A material change in electronic fund
transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time
is used (taking into consideration the type of
account, the expected pattern of usage and
other relevant factors).
23. Mail sent to the member is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the member’s covered account.
24. The federal credit union is notified that
the member is not receiving paper account
statements.
25. The federal credit union is notified of
unauthorized charges or transactions in connection with a member’s covered account.
Notice From Members, Victims of Identity Theft,
Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in
Connection With Covered Accounts Held by
the Federal Credit Union
26. The federal credit union is notified by a
member, a victim of identity theft, a law enforcement authority, or any other person
that it has opened a fraudulent account for a
person engaged in identity theft.
[72 FR 63769, Nov. 9, 2007, as amended at 74
FR 22644, May 14, 2009; 76 FR 18365, Apr. 4,
2011]
lpowell on DSK54DXVN1OFR with $$_JOB
Unusual Use of, or Suspicious Activity Related
to, the Covered Account
19. Shortly following the notice of a change
of address for a covered account, the institution or creditor receives a request for a new,
additional, or replacement card or a cell
phone, or for the addition of authorized users
on the account.
20. A new revolving credit account is used
in a manner commonly associated with
known patterns of fraud. For example:
a. The majority of available credit is used
for cash advances or merchandise that is easily convertible to cash (e.g., electronics
equipment or jewelry); or
851
VerDate Sep<11>2014
10:04 Feb 11, 2016
Jkt 238041
PO 00000
Frm 00861
Fmt 8010
Sfmt 8010
Q:\12\12V7.TXT
31
�
| File Type | application/pdf |
| File Title | CFR-2016-title12-vol7-part717.pdf |
| Author | DWOLFGANG |
| File Modified | 2017-02-08 |
| File Created | 2017-02-08 |