Regulators' Rulemaking Should Resolve the Conflict in Laws for Data Sharing
Funk, W. John, American Banker
A troublesome problem involving so-called "other information" under the Fair Credit Reporting Act has been lurking ever since the privacy provisions were included in the Gramm-Leach-Bliley Act.
The fair credit law distinguishes between "experience or transactional information" and "other information." The former is information relating to a person's own experience or transactions with a consumer and is not subject to the fair credit law. In consequence, a person is not restricted under this law from sharing the information with any other person, including an affiliate.
"Other information" covers any other type of facts, such as those derived from applications or credit reports, and is subject to the fair credit law. That law classifies companies sharing this information as consumer reporting agencies and severely limits the purposes for which it may be shared. However, the sharing of "other information" among affiliated companies is exempt from the fair credit law if a company seeking to share gives notice of its intention to customers and a reasonable opportunity to opt out.
The privacy law, on the other hand, does not distinguish between these two types of information but includes both in the definition of "nonpublic personal information."
It generally prohibits a financial institution from sharing nonpublic personal information with unaffiliated entities without giving notice of its intention to customers and a reasonable opportunity to opt out. This prohibition does not apply if the sharing of such information falls into excepted categories. These include, for example, joint marketing arrangements, the use of nonaffiliated third parties to close transactions initiated by consumers, and disclosures that are required or permitted by law.
In enacting the privacy provisions, Congress made clear that, except for several technical amendments, nothing in the privacy law should be construed to modify, limit, or supersede the operation of the fair credit law. As a matter of statutory construction, it must be assumed that when Congress enacted the privacy law it believed the provisions of both it and the fair credit law were compatible. It empowered the bank regulatory agencies to prescribe regulations to achieve this compatibility.
The coexistence of the fair credit law and the privacy law raises questions as to what types of information may be shared with affiliates and nonaffiliated third parties consistent with the provisions of both schemes. The uncertainty engendered by these questions requires clarification by the bank regulatory agencies.
Here are a few of these questions:
If a financial institution enters into a joint marketing agreement with another financial institution and shares "other information" with that institution for a permitted purpose under the privacy law, would the financial institution become subject to the fair credit law? Would the result be different if the other party were an affiliate?
If a financial institution enters a service agreement with a nonaffiliated third party to examine the financial institution's records for compliance with banking regulations and shares other information with that party for a permitted purpose under the privacy law, would the financial institution become subject to the fair credit law? …