Consumer Compliance Outlook: Fourth Quarter 2008

Affiliate Marketing Rules

The Federal Financial Institutions Examination Council (FFIEC) recently approved examination procedures for the affiliate marketing rules1 of §624 of the Fair Credit Reporting Act2 (FCRA), which the Board of Governors of the Federal Reserve System implements for the institutions it supervises through Regulation V. This article reviews the regulatory requirements for affiliate marketing.

Section 624's Requirements

The rules apply to information obtained from the consumer's transactions or account relationships with an affiliate, from any application the consumer submitted to an affiliate, and from third-party sources such as credit reports, if the information is to be used to make marketing solicitations to the consumer. The deadline for mandatory compliance was October 1, 2008.

Under the rules, a consumer can restrict an entity, with which it does not have a pre-existing business relationship, from using certain information obtained from an affiliate to make solicitations to that consumer. This provision is distinct from other sections of the FCRA that allow consumers to restrict the sharing of consumer information among affiliates.

A bank and its subsidiaries may not use eligibility information about a consumer that they receive from an affiliate for marketing purposes unless certain exceptions apply. Before the information may be used, it must be clearly and conspicuously disclosed that the information about that consumer may be used to make marketing solicitations. In addition, the consumer must have a reasonable opportunity and simple method to “opt out” and to prohibit the bank and its subsidiaries from using eligibility information for marketing purposes. The opt-out notice must be provided by an affiliate that has or had a pre-existing business relationship with the consumer or as part of a joint notice, where at least one of the affiliates providing the joint notice has or had a pre-existing business relationship with the consumer.


For consistency, the following terms are defined in the rules.

Eligibility information includes not only transaction and experience information but also the type of information found in consumer reports, such as information from third-party sources and credit scores. Eligibility information does not include aggregate or blind data that do not contain personal identifiers, such as account numbers, names, or addresses.

A pre-existing business relationship means a relationship between a person,3 such as a financial institution, and a consumer based on:

The types of solicitations covered include telemarketing, regular mail, e-mail, or other forms of marketing communication directed to a particular consumer that is based on eligibility information received from an affiliate. A solicitation does not include marketing communications that are directed at the general public (e.g., television, general circulation magazines, and billboard advertisements).

For example, a consumer has a homeowner's insurance policy with an insurance company. The insurance company shares eligibility information about the consumer with its affiliated bank. The bank wants to use that information to market its home equity loan products to the consumer but does not have a pre-existing business relationship with the consumer. The bank may not use eligibility information it received from the insurance company to make solicitations to the consumer unless the insurance company gave the consumer a notice and the opportunity to opt out, and the consumer did not opt out.

Constructive sharing occurs when the bank provides criteria that were not derived from eligibility information to its affiliate for consumers to whom it would like the affiliate to market the bank's products. Then, based on these criteria, the affiliate uses eligibility information that the affiliate obtained in connection with its own pre-existing business relationship with the consumer to market the bank's products or services. Constructive sharing also occurs when a service provider, applying the bank's criteria, uses information from an affiliate, such as that in a shared database, to market the bank's products or services to the consumer. Constructive sharing does not involve the use of eligibility information; therefore, the affiliate marketing rules do not apply.

Opting Out

The consumer must be given a reasonable and simple method for opting out and may opt out at any time. The opt-out period must be at least five years, but it can be longer. The consumer may revoke the opt-out in writing or electronically.

The opt-out notice must be provided so that each consumer can reasonably be expected to receive the notice. For example, if the affiliate sends the notice via e-mail to a consumer who has not agreed to receive electronic disclosures from it, the notice is not reasonable.

An affiliate that has or previously had a pre-existing business relationship with the consumer can provide the notice either individually or as part of a joint notice from two or more members of an affiliated group of companies.

After the opt-out period expires, a bank may not make solicitations based on eligibility information it receives from an affiliate to a consumer who previously opted out, unless the consumer received an opportunity to opt out and did not renew the opt-out. A bank could also make solicitations if one of the exceptions to the notice and opt-out requirements, which are discussed below, applies.


Opt-out and renewal notices must be clear, conspicuous, and concise. The initial notice must accurately disclose items such as:

The renewal notice must accurately disclose most of the elements of the original opt-out notice. In addition, it must notify consumers that their previous opt-out is expiring and must include information about the renewal of the opt-out. Each opt-out renewal must be effective for at least five years. The renewal notice must be given by the affiliate that provided the previous opt-out notice or as part of a joint renewal notice from members of an affiliated group of companies that jointly provided the previous opt-out notice. A renewal notice may be provided either a reasonable period of time before the expiration of the opt-out period or any time after the expiration of the opt-out period but before a new solicitation is sent. Further, an opt-out period may not be shortened by sending a renewal notice before the expiration of the opt-out period. The renewal notice may be included in the annual privacy notice required by the Gramm-Leach-Bliley Act.

To facilitate compliance, Regulation V contains five model forms that may be used to satisfy the requirements for clear, conspicuous, and concise notices. These forms are available in Appendix C External Link of Regulation V. Use of a model form is not required. A bank may change the language or format of the model forms without losing the protection from liability. However, if the changes are so extensive that they affect the substance, clarity, or meaningful sequence of the language in the model forms, the bank will lose the safe harbor that Appendix C provides. Examples of acceptable changes are also provided in Appendix C.

Exceptions and Constructive Sharing

The initial notice and opt-out requirements for affiliate marketing are subject to exceptions. The requirements do not apply if a bank uses information it receives from an affiliate under any of the following circumstances:

Finally, the requirements do not apply if complying with them would prevent the bank from complying with state insurance laws pertaining to unfair discrimination in any state in which the bank lawfully does business.

A bank may use eligibility information received from an affiliate to make solicitations if it was received prior to October 1, 2008, the mandatory compliance date for the affiliate marketing rules. For example, if the information was in a common database prior to October 1, the information may be used for marketing purposes.

The Board's implementing regulations for affiliate marketing, 12 C.F.R. sections 222.20-.28, are available at GPO Access External Link.4 Specific issues and questions should be raised with the consumer compliance contact at your Reserve Bank or with your primary regulator.5