Privacy Rules Reference Chart
Rule | General Description | Applicability | Important Definitions | Required Disclosures | Guidance | Relationship With Other Rules |
---|---|---|---|---|---|---|
Regulation P | Prohibits disclosure of nonpublic personal information (NPPI) to nonaffiliated third-parties unless the financial institution (FI) satisfies notice and opt-out requirements and the consumer has not opted out. Requires annual notice of privacy policies. | Nonpublic personal information about individuals who obtain financial products or services for personal, family, or household purposes. Does not apply to businesses or business purposes. | Affiliate: any company that controls, is controlled by, or is under common control with the financial institution. Nonpublic personal information: personally identifiable financial information and any list, description, or other grouping of consumers that is derived using personally identifiable financial information not publicly available. | Initial Privacy Notice; Annual Privacy Notice; Opt-Out Notice | Consumer Compliance Handbook (1/06) - background, examination procedures, and checklist | Regulation P allows an FI to share a list of its customers and information such as their credit scores with another FI to jointly market products. However, this type of communication may be considered a “consumer report” under FCRA 603(d) and trigger consumer reporting agency requirements. |
Right to Financial Privacy Act (RFPA) | Requires federal departments and agencies to follow specified procedures when requesting a customer's financial records from a bank or other financial institution. Specifies duties of FI in responding to requests under RFPA. Banks must establish policies and procedures for complying with RFPA's requirements. | All requests from federal departments and agencies for financial information about customers. | Customer: any person or authorized representative of that person who uses or has used any service of the financial institution, or for whom the FI acts as fiduciary in relation to an account maintained in the person's name. Corporations and partnerships of more than 6 people are not considered customers. Financial record: an original or copy of information derived from any record held by a financial institution pertaining to a customer's relationship with the financial institution. | None | Consumer Compliance Handbook (1/06) - background, examination procedures, and checklist | None |
FCRA Section 624 (Affiliate Marketing Opt Out) | Gives a consumer the right to restrict an entity with which it does not have a pre-existing business relationship from “using” eligibility information obtained from an affiliate to make solicitations to that customer. An FI may not use information from an affiliate to market its products or services to a consumer unless the consumer is given notice and a reasonable opportunity to opt out. | “Use” of information about a consumer received from an affiliate. | Eligibility information: includes transaction and experience information and information found in consumer reports. Does not include aggregate or blind data. Consumer: an individual. | Initial Notice in writing or, if the consumer agrees, electronically, that the FI may use information about the consumer that it receives from an affiliate for marketing purposes unless the consumer opts out. An opt-out notice. | Interagency Examination Procedures for the Affiliate Marketing Regulation (CA 08-6) | Notices required by this rule may be coordinated and consolidated with any other notice or disclosure required to be issued under other provisions, including section 603(d) and Regulation P. |
FCRA Section 603(d) (Consumer Report and Information Sharing) | Defines “consumer report” and permissible purpose requirement for obtaining report; identifies exclusions when certain information can be exchanged without a permissible purpose with affiliates and third-parties but only in specified circumstances. | Any person that “shares” consumer report information with affiliates and third-parties outside of the exceptions. | Consumer report: any written, oral, or other communication of information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used to establish consumer's eligibility for consumer credit/insurance or for employment purposes. Exclusions: report with information solely about transactions/experiences between consumer and person making report can be shared with affiliate; report in which third-party asks person to make specific extension of credit to consumer, the person can convey credit decision to consumer with §615 disclosures. | When third party asks someone to extend consumer credit, the person making credit decision can inform third party of its decision, provided third party advises consumer of name and address of creditor to whom request was made, and creditor makes §615 disclosures. Also, if a report contains information beyond transaction/experience information with consumer, it can be shared with affiliate if disclosed to consumer with opt-out. | Consumer Compliance Handbook (11/06) - background and examination procedures | A “consumer report” does not include information on transactions or experiences between the consumer and the FI making the report. This information may be shared with any affiliates. Sharing this type of information with nonaffiliated parties may be restricted by Regulation P because it meets the definition of NPPI and therefore may be subject to an opt-out. The opt-out right required for sharing “other” information must be contained in an FI's privacy notice required under Regulation P. |