Privacy Notice-Decoded

Sep 01, 2016

Your financial institution’s privacy practices aren’t supposed to be a secret. But trying to complete this notice properly and ensure compliance with Regulation P and the Fair Credit Reporting Act (FCRA) can sometimes make you feel like a secret agent trying to decode the regulation and the act to correctly describe your privacy practices. Throughout the years, Wipfli has continued to receive many questions about this. It’s important for you to identify exactly what information you share, with whom you share it, how the entity you share it with uses the information, and whether there is a contractual agreement in place between the parties that specifies how it can be used.

Privacy Notice Delivery

As a financial institution, you’re required to provide a privacy notice at the time you establish a customer relationship or before you share a consumer’s nonpublic personal information with any nonaffiliated third party, whichever comes first. This notice must describe how you collect, use, and share the consumer’s nonpublic personal information. What this notice says and whether you must provide it annually depends on whether you share nonpublic personal information. In all cases, this notice must be clear and conspicuous.

The good news is that if you don’t share this information with nonaffiliates in such a manner that requires you to provide consumers the opportunity to “opt-out,” you are not required to provide an annual privacy notice, thanks to the Fixing America’s Surface Transportation Act (FAST Act), signed into law by President Obama on December 4, 2015. However, if you change your marketing model and, as a result, want to change your sharing practices in such a manner that would trigger the opt-out rights, you must first provide an updated notice and opportunity to opt-out. Financial institutions subject to opt-out requirements must provide the privacy notice annually.

What Is Nonpublic Personal Information?

To begin with, let’s establish what nonpublic personal information (NPI) is. NPI is any “personally identifiable financial information” you collect about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.

NPI includes:

  • Any information an individual gives you to obtain a financial product or service—think application information: name, address, income, social security number, and so on.
  • Any information you get about an individual from a transaction involving your financial product(s) or service(s), including the fact that the individual is your customer, account number(s), payment history, balances on loans or in deposit accounts, purchases made using a debit or credit card, and the like.
  • Information you get about the individual because you provide a product or service to that individual—this includes information from a consumer report or court record.

NPI doesn’t include information you reasonably believe to be publicly available in an unrestricted way, such as a phone number in a phone book or a recorded mortgage at the courthouse.

Whether a list of information is considered NPI depends on how the list was derived. For example, a list of names and phone numbers would be considered NPI if it was derived, even partially, using a list of your borrowers—even if you have a reasonable basis to believe each and every phone number on the list is publicly available information. This is because the mere fact that the individuals on the list have a customer relationship with you is NPI. On the other hand, a list derived strictly from an online phonebook containing many of the same names and numbers would not fall into the category of NPI.

Privacy Notice Contents

The main purpose of the privacy notice is to let customers, and former customers, know how you collect, share, and protect their NPI. For all intents and purposes, there seems to be a general understanding of how to complete the whys, whats, and hows properly, but many still get tripped up on how to complete the “Reasons we can share your personal information” and “Definitions” portions of the notice. For that reason, we’ll focus our attention on these areas.

In the “Reasons we can share” section, the responses to the questions (Does the financial institution share? Can the customer limit this sharing?) will either be Yes, No; Yes, Yes; or No, We don’t share. When determining how to respond to each disclosure, it’s helpful to know the corresponding legal provisions.

  • For our everyday business purposes: Put simply, this refers to any information shared for purposes essential to the administration or enforcement of an account, service, or transaction requested or authorized by the customer. Sharing for this reason doesn’t require an opt-out.
  • For our marketing purposes: This includes sharing information with service providers, such as email marketing vendors, for your own marketing purposes. When sharing for this reason, you are not required to provide an opt-out.
  • For joint marketing with other financial companies: This incorporates sharing information under a joint marketing agreement between two or more financial institutions and with any service provider used to facilitate the joint marketing, provided you have a written contract with the financial institution(s) to jointly offer, endorse, or sponsor a financial product or service. Sharing information under a joint marketing agreement does not require an opt-out to be provided as long as the shared information is only used for the purpose of joint marketing. In order for the joint marketing partner to use the information for any other purpose, such as account planning, the consumer must either be provided the opportunity to opt-out or they must give prior permission for sharing to take place for this purpose.
  • For our affiliates’ everyday business purposes – information about transactions and experiences: You may share this information (whether the customer pays their bills on time, the type of accounts the customer has with the bank, and so on) with your affiliates without providing the opportunity for the consumer to opt-out.
  • For our affiliates’ everyday business purposes – information about creditworthiness: This includes general creditworthiness, credit standing, credit capacity, medical information, character or general reputation when the information is used or expected to be used or collected as a factor for establishing the consumer’s eligibility for credit, insurance, employment, and the like. In order for this information to be shared, the opt-out provisions of the FCRA do apply.
  • For our affiliates to market to you: This refers to the provisions of Section 624 of the FCRA, which limits the usage of shared information and states it is only permissible for your affiliate to use information received from you to market their products or services to a consumer, if the consumer is first given the opportunity to opt-out. This line should be omitted if any of the following are true: you don’t have an affiliate, you don’t disclose personal information to an affiliate, your affiliate doesn’t use personal information to market its own products and services, or you provide the affiliate marketing notice separately.
  • For nonaffiliates to market to you: This refers to sharing NPI with nonaffiliates for their own marketing purposes. Plain and simple, sharing for this reason requires you to provide an opt-out.

Sharing With Affiliates

When sharing NPI with your affiliates, it’s not enough to determine what information you can share and how the sharing of information must be disclosed on the privacy notice. Section 624 of the FCRA gives a consumer the right to restrict an entity, with which it doesn’t have a pre-existing business relationship, from using certain information obtained from an affiliate to make solicitations to that consumer. This provision is distinct from Section 603(d)(2)(A)(iii), which gives the consumer the right to restrict the sharing of certain consumer information among affiliates. What this means is that you are not only responsible for the information you share with your affiliate but you must also be aware of how that information is used. If your affiliate intends to use the information you’ve shared for their own marketing purposes, it must be reflected on your privacy notice and you must provide your customers with the opportunity to opt-out of sharing for this purpose.

If you don’t have any affiliates or you don’t share NPI with your affiliates, you don’t have to describe the categories of affiliates in this definition. It’s sufficient to state: “[Name of financial institution] has no affiliates.” or “[Name of financial institution] does not share with our affiliates.” Remember, for the purpose of Regulation P, your holding company IS considered to be an affiliate. That means if your financial institution is owned by a holding company, but you don’t share NPI with the holding company, you could use the latter of the two definitions above. On the other hand, if you do share NPI with your affiliates, the definition should include the categories of affiliates with whom you share NPI. You may use the following example and leave out any categories that don’t apply to your NPI sharing practices: “Our affiliates include financial companies such as a mortgage broker, insurance company, title company, appraisal company, and financial service provider; nonfinancial companies such as [insert as applicable]; and others, such as [insert as applicable].”

Nonaffiliates Defined

This definition section of the privacy notice is intended to reflect only those nonaffiliates with whom you share NPI for their marketing purposes. If you don’t share NPI with nonaffiliates for the nonaffiliates’ own marketing purposes, the notice may simply state: “[Name of financial institution] does not share with nonaffiliates so they can market to you.” Otherwise, this definition should only include the categories of nonaffiliates with whom NPI is shared for this purpose. For example, “Nonaffiliates we share with can include mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations.”

More About Joint Marketing

We often hear “We have a relationship with a financial advisor. Does our privacy policy need to reflect the fact that we occasionally do some joint marketing?” The answer is, “That depends.” It depends on whether NPI is shared with the nonaffiliate. If NPI is not shared with the nonaffiliate, there’s no reason to mention the joint marketing agreement anywhere on the privacy notice, not even in the joint marketing definition section. If, on the other hand, NPI is shared for joint marketing purposes, your privacy notice should reflect this fact. If both of the following are true, you are not required to provide the consumer the opportunity to opt-out of sharing for this purpose:

  1. Prior notice has been provided that reflects this sharing practice, and
  2. You have entered into a contractual agreement with the nonaffiliated party, prohibiting them from sharing or using the information for any reason other than to carry out the joint marketing purposes for which you shared the information.

To complete the joint marketing definition section, keep the following in mind:

  • If you don’t participate in joint marketing, it is sufficient to state: “[Name of financial institution] doesn’t jointly market.”
  • If you don’t share NPI for joint marketing purposes, you may state: “[Name of financial institution] does not share with our joint marketing partners.”
  • If you do share for joint marketing purposes, list the categories of companies with whom you share for this purpose. For example, “Our joint marketing partners include financial services providers, mortgage companies, credit card companies, check printing companies, and direct marketing companies.” Be sure to include direct marketing companies in your list when a third party is used by your joint marketing partner to facilitate a marketing campaign. 

Prohibition on Sharing Account Numbers

The privacy rule prohibits you from sharing account numbers or access codes for credit card, deposit, or transaction accounts with any nonaffiliated third party for use in marketing. There are two narrow exceptions to this general prohibition. You may share account numbers in conjunction with marketing your own products, as long as the service provider isn’t authorized to directly initiate charges to the accounts. You may also disclose account numbers to a participant in a private label or affinity credit card program when the participants are identified to the customer. A number or code in encrypted form is not considered to be an account number as long as you don’t also provide a means to decode the number.

Putting it All Together

Next time you review your privacy policy and privacy notice, take time to document or update your record of each entity with which you share NPI. For each, indicate whether they are an affiliate or nonaffiliate, the purpose for sharing, whether the recipient is using the information for marketing purposes, the terms of any contractual agreement in place with regard to the sharing of NPI, and whether you are required to provide consumers the opportunity to opt-out based on the terms of the agreement. This documentation will help ensure your privacy notice accurately reflects your collection, usage, and sharing of nonpublic personal information.