
The Electronic Code of Federal Regulations (e-CFR) is a regularly updated, unofficial editorial compilation of CFR material and Federal Register amendments produced by the National Archives and Records Administration's Office of the Federal Register (OFR) and the Government Printing Office.

 

Electronic Code of Federal Regulations

e-CFR Data is current as of August 19, 2014

Title 12 → Chapter II → Subchapter A → Part 222


Title 12: Banks and Banking


PART 222—FAIR CREDIT REPORTING (REGULATION V)


Contents

Subpart A—General Provisions

§222.1   Purpose, scope, and effective dates.
§222.2   Examples.
§222.3   Definitions.

Subpart B [Reserved]

Subpart C—Affiliate Marketing

§222.20   Coverage and definitions.
§222.21   Affiliate marketing opt-out and exceptions.
§222.22   Scope and duration of opt-out.
§222.23   Contents of opt-out notice; consolidated and equivalent notices.
§222.24   Reasonable opportunity to opt out.
§222.25   Reasonable and simple methods of opting out.
§222.26   Delivery of opt-out notices.
§222.27   Renewal of opt-out.
§222.28   Effective date, compliance date, and prospective application.

Subpart D—Medical Information

§222.30   Obtaining or using medical information in connection with a determination of eligibility for credit.
§222.31   Limits on redisclosure of information.
§222.32   Sharing medical information with affiliates.

Subpart E—Duties of Furnishers of Information

§222.40   Scope.
§222.41   Definitions.
§222.42   Reasonable policies and procedures concerning the accuracy and integrity of furnished information.
§222.43   Direct disputes.

Subpart F [Reserved]

Subpart H—Duties of Users Regarding Risk-Based Pricing

§222.70   Scope.
§222.71   Definitions.
§222.72   General requirements for risk-based pricing notices.
§222.73   Content, form, and timing of risk-based pricing notices.
§222.74   Exceptions.
§222.75   Rules of construction.

Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft

§§222.80-222.81   [Reserved]
§222.82   Duties of users regarding address discrepancies.
§222.83   Disposal of consumer information.

Subpart J—Identity Theft Red Flags

§222.90   Duties regarding the detection, prevention, and mitigation of identity theft.
§222.91   Duties of card issuers regarding changes of address.
Appendix A to Part 222 [Reserved]
Appendix B to Part 222—Model Notices of Furnishing Negative Information
Appendix C to Part 222—Model Forms for Opt-Out Notices
Appendix D to Part 222 [Reserved]
Appendix E to Part 222—Interagency Guidelines Concerning the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies
Appendixes F-G to Part 222 [Reserved]
Appendix H to Part 222—Appendix H—Model Forms for Risk-Based Pricing and Credit Score Disclosure Exception Notices
Appendix I to Part 222 [Reserved]
Appendix J to Part 222—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Authority: 15 U.S.C. 1681b, 1681c, 1681m and 1681s; Secs. 3, 214, and 216, Pub. L. 108-159, 117 Stat. 1952.

Source: Reg. V, 68 FR 74469, Dec. 24, 2003, unless otherwise noted.

Subpart A—General Provisions

§222.1   Purpose, scope, and effective dates.

(a) Purpose. The purpose of this part is to implement the Fair Credit Reporting Act. This part generally applies to persons that obtain and use information about consumers to determine the consumer's eligibility for products, services, or employment, share such information among affiliates, and furnish information to consumer reporting agencies.

(b) Scope. (1) [Reserved]

(2) Institutions covered. (i) Except as otherwise provided in this part, the regulations in this part apply to banks that are members of the Federal Reserve System (other than national banks) and their respective operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act, as amended (12 U.S.C. 1844(c)(5)), branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.), and bank holding companies and affiliates of such holding companies, but do not apply to affiliates of bank holding companies that are depository institutions regulated by another federal banking agency or to consumer reporting agencies.

(ii) For purposes of appendix B to this part, financial institutions as defined in section 509 of the Gramm-Leach-Bliley Act (12 U.S.C. 6809), may use the model notices in appendix B to this part to comply with the notice requirement in section 623(a)(7) of the Fair Credit Reporting Act (15 U.S.C. 1681s-2(a)(7)).

(c) Effective dates. The applicable provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Pub. L. 108-159, 117 Stat. 1952, shall be effective in accordance with the following schedule:

(1) Provisions effective December 31, 2003. (i) Sections 151(a)(2), 212(e), 214(c), 311(b), and 711, concerning the relation to state laws; and

(ii) Each of the provisions of the FACT Act that authorizes an agency to issue a regulation or to take other action to implement the applicable provision of the FACT Act or the applicable provision of the Fair Credit Reporting Act, as amended by the FACT Act, but only with respect to that agency's authority to propose and adopt the implementing regulation or to take such other action.

(2) Provisions effective March 31, 2004. (i) Section 111, concerning the definitions;

(ii) Section 156, concerning the statute of limitations;

(iii) Sections 312(d), (e), and (f), concerning the furnisher liability exception, liability and enforcement, and rule of construction, respectively;

(iv) Section 313(a), concerning action regarding complaints;

(v) Section 611, concerning communications for certain employee investigations; and

(vi) Section 811, concerning clerical amendments.

(3) Provisions effective December 1, 2004. (i) Section 112, concerning fraud alerts and active duty alerts;

(ii) Section 114, concerning procedures for the identification of possible instances of identity theft;

(iii) Section 115, concerning truncation of the social security number in a consumer report;

(iv) Section 151(a)(1), concerning the summary of rights of identity theft victims;

(v) Section 152, concerning blocking of information resulting from identity theft;

(vi) Section 153, concerning the coordination of identity theft complaint investigations;

(vii) Section 154, concerning the prevention of repollution of consumer reports;

(viii) Section 155, concerning notice by debt collectors with respect to fraudulent information;

(ix) Section 211(c), concerning a summary of rights of consumers;

(x) Section 212(a)-(d), concerning the disclosure of credit scores;

(xi) Section 213(c), concerning enhanced disclosure of the means available to opt out of prescreened lists;

(xii) Section 217(a), concerning the duty to provide notice to a consumer;

(xiii) Section 311(a), concerning the risk-based pricing notice;

(xiv) Section 312(a)-(c), concerning procedures to enhance the accuracy and integrity of information furnished to consumer reporting agencies;

(xv) Section 314, concerning improved disclosure of the results of reinvestigation;

(xvi) Section 315, concerning reconciling addresses;

(xvii) Section 316, concerning notice of dispute through reseller; and

(xviii) Section 317, concerning the duty to conduct a reasonable reinvestigation.

[68 FR 74469, Dec. 24, 2003, as amended at 69 FR 6530, Feb. 11, 2004; 69 FR 33284, June 15, 2004; 69 FR 77618, Dec. 28, 2004; 72 FR 62954, Nov. 7, 2007]

§222.2   Examples.

The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. Examples in a paragraph illustrate only the issue described in the paragraph and do not illustrate any other issue that may arise in this part.

[70 FR 70678, Nov. 22, 2005]

§222.3   Definitions.

For purposes of this part, unless explicitly stated otherwise:

(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).

(b) Affiliate means any company that is related by common ownership or common corporate control with another company.

(c) [Reserved]

(d) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.

(e) Consumer means an individual.

(f)-(h) [Reserved]

(i) Common ownership or common corporate control means a relationship between two companies under which:

(1) One company has, with respect to the other company:

(i) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, directly or indirectly, or acting through one or more other persons;

(ii) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of a company; or

(iii) The power to exercise, directly or indirectly, a controlling influence over the management or policies of a company, as the Board determines; or

(2) Any other person has, with respect to both companies, a relationship described in paragraphs (i)(1)(i) through (i)(1)(iii) of this section.

(j) [Reserved]

(k) Medical information means:

(1) Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to:

(i) The past, present, or future physical, mental, or behavioral health or condition of an individual;

(ii) The provision of health care to an individual; or

(iii) The payment for the provision of health care to an individual.

(2) The term does not include:

(i) The age or gender of a consumer;

(ii) Demographic information about the consumer, including a consumer's residence address or e-mail address;

(iii) Any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy; or

(iv) Information that does not identify a specific consumer.

(l) Person means any individual, partnership, corporation, trust, estate cooperative, association, government or governmental subdivision or agency, or other entity.

[Reg. V, 70 FR 70678, Nov. 22, 2005, as amended at 72 FR 63756, Nov. 9, 2007]

Subpart B [Reserved]

Subpart C—Affiliate Marketing

Source: Reg. V, 72 FR 62955, Nov. 7, 2007, unless otherwise noted.

§222.20   Coverage and definitions.

(a) Coverage. Subpart C of this part applies to member banks of the Federal Reserve System (other than national banks) and their respective operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act, as amended (12 U.S.C. 1844(c)(5)), branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).

(b) Definitions. For purposes of this subpart:

(1) Clear and conspicuous. The term “clear and conspicuous” means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(2) Concise—(i) In general. The term “concise” means a reasonably brief expression or statement.

(ii) Combination with other required disclosures. A notice required by this subpart may be concise even if it is combined with other disclosures required or authorized by federal or state law.

(3) Eligibility information. The term “eligibility information” means any information the communication of which would be a consumer report if the exclusions from the definition of “consumer report” in section 603(d)(2)(A) of the Act did not apply. Eligibility information does not include aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses.

(4) Pre-existing business relationship—(i) In general. The term “pre-existing business relationship” means a relationship between a person, or a person's licensed agent, and a consumer based on—

(A) A financial contract between the person and the consumer which is in force on the date on which the consumer is sent a solicitation covered by this subpart;

(B) The purchase, rental, or lease by the consumer of the person's goods or services, or a financial transaction (including holding an active account or a policy in force or having another continuing relationship) between the consumer and the person, during the 18-month period immediately preceding the date on which the consumer is sent a solicitation covered by this subpart; or

(C) An inquiry or application by the consumer regarding a product or service offered by that person during the three-month period immediately preceding the date on which the consumer is sent a solicitation covered by this subpart.

(ii) Examples of pre-existing business relationships. (A) If a consumer has a time deposit account, such as a certificate of deposit, at a depository institution that is currently in force, the depository institution has a pre-existing business relationship with the consumer and can use eligibility information it receives from its affiliates to make solicitations to the consumer about its products or services.

(B) If a consumer obtained a certificate of deposit from a depository institution, but did not renew the certificate at maturity, the depository institution has a pre-existing business relationship with the consumer and can use eligibility information it receives from its affiliates to make solicitations to the consumer about its products or services for 18 months after the date of maturity of the certificate of deposit.

(C) If a consumer obtains a mortgage, the mortgage lender has a pre-existing business relationship with the consumer. If the mortgage lender sells the consumer's entire loan to an investor, the mortgage lender has a pre-existing business relationship with the consumer and can use eligibility information it receives from its affiliates to make solicitations to the consumer about its products or services for 18 months after the date it sells the loan, and the investor has a pre-existing business relationship with the consumer upon purchasing the loan. If, however, the mortgage lender sells a fractional interest in the consumer's loan to an investor but also retains an ownership interest in the loan, the mortgage lender continues to have a pre-existing business relationship with the consumer, but the investor does not have a pre-existing business relationship with the consumer. If the mortgage lender retains ownership of the loan, but sells ownership of the servicing rights to the consumer's loan, the mortgage lender continues to have a pre-existing business relationship with the consumer. The purchaser of the servicing rights also has a pre-existing business relationship with the consumer as of the date it purchases ownership of the servicing rights, but only if it collects payments from or otherwise deals directly with the consumer on a continuing basis.

(D) If a consumer applies to a depository institution for a product or service that it offers, but does not obtain a product or service from or enter into a financial contract or transaction with the institution, the depository institution has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services for three months after the date of the application.

(E) If a consumer makes a telephone inquiry to a depository institution about its products or services and provides contact information to the institution, but does not obtain a product or service from or enter into a financial contract or transaction with the institution, the depository institution has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services for three months after the date of the inquiry.

(F) If a consumer makes an inquiry to a depository institution by e-mail about its products or services, but does not obtain a product or service from or enter into a financial contract or transaction with the institution, the depository institution has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services for three months after the date of the inquiry.

(G) If a consumer has an existing relationship with a depository institution that is part of a group of affiliated companies, makes a telephone call to the centralized call center for the group of affiliated companies to inquire about products or services offered by the insurance affiliate, and provides contact information to the call center, the call constitutes an inquiry to the insurance affiliate that offers those products or services. The insurance affiliate has a pre-existing business relationship with the consumer and can therefore use eligibility information it receives from its affiliated depository institution to make solicitations to the consumer about its products or services for three months after the date of the inquiry.

(iii) Examples where no pre-existing business relationship is created. (A) If a consumer makes a telephone call to a centralized call center for a group of affiliated companies to inquire about the consumer's existing account at a depository institution, the call does not constitute an inquiry to any affiliate other than the depository institution that holds the consumer's account and does not establish a pre-existing business relationship between the consumer and any affiliate of the account-holding depository institution.

(B) If a consumer who has a deposit account with a depository institution makes a telephone call to an affiliate of the institution to ask about the affiliate's retail locations and hours, but does not make an inquiry about the affiliate's products or services, the call does not constitute an inquiry and does not establish a pre-existing business relationship between the consumer and the affiliate. Also, the affiliate's capture of the consumer's telephone number does not constitute an inquiry and does not establish a pre-existing business relationship between the consumer and the affiliate.

(C) If a consumer makes a telephone call to a depository institution in response to an advertisement that offers a free promotional item to consumers who call a toll-free number, but the advertisement does not indicate that the depository institution's products or services will be marketed to consumers who call in response, the call does not create a pre-existing business relationship between the consumer and the depository institution because the consumer has not made an inquiry about a product or service offered by the institution, but has merely responded to an offer for a free promotional item.

(5) Solicitation—(i) In general. The term “solicitation” means the marketing of a product or service initiated by a person to a particular consumer that is—

(A) Based on eligibility information communicated to that person by its affiliate as described in this subpart; and

(B) Intended to encourage the consumer to purchase or obtain such product or service.

(ii) Exclusion of marketing directed at the general public. A solicitation does not include marketing communications that are directed at the general public. For example, television, general circulation magazine, and billboard advertisements do not constitute solicitations, even if those communications are intended to encourage consumers to purchase products and services from the person initiating the communications.

(iii) Examples of solicitations. A solicitation would include, for example, a telemarketing call, direct mail, e-mail, or other form of marketing communication directed to a particular consumer that is based on eligibility information received from an affiliate.

(6) You means a person described in paragraph (a) of this section.

§222.21   Affiliate marketing opt-out and exceptions.

(a) Initial notice and opt-out requirement—(1) In general. You may not use eligibility information about a consumer that you receive from an affiliate to make a solicitation for marketing purposes to the consumer, unless—

(i) It is clearly and conspicuously disclosed to the consumer in writing or, if the consumer agrees, electronically, in a concise notice that you may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes to the consumer;

(ii) The consumer is provided a reasonable opportunity and a reasonable and simple method to “opt out,” or prohibit you from using eligibility information to make solicitations for marketing purposes to the consumer; and

(iii) The consumer has not opted out.

(2) Example. A consumer has a homeowner's insurance policy with an insurance company. The insurance company furnishes eligibility information about the consumer to its affiliated depository institution. Based on that eligibility information, the depository institution wants to make a solicitation to the consumer about its home equity loan products. The depository institution does not have a pre-existing business relationship with the consumer and none of the other exceptions apply. The depository institution is prohibited from using eligibility information received from its insurance affiliate to make solicitations to the consumer about its home equity loan products unless the consumer is given a notice and opportunity to opt out and the consumer does not opt out.

(3) Affiliates who may provide the notice. The notice required by this paragraph must be provided:

(i) By an affiliate that has or has previously had a pre-existing business relationship with the consumer; or

(ii) As part of a joint notice from two or more members of an affiliated group of companies, provided that at least one of the affiliates on the joint notice has or has previously had a pre-existing business relationship with the consumer.

(b) Making solicitations—(1) In general. For purposes of this subpart, you make a solicitation for marketing purposes if—

(i) You receive eligibility information from an affiliate;

(ii) You use that eligibility information to do one or more of the following:

(A) Identify the consumer or type of consumer to receive a solicitation;

(B) Establish criteria used to select the consumer to receive a solicitation; or

(C) Decide which of your products or services to market to the consumer or tailor your solicitation to that consumer; and

(iii) As a result of your use of the eligibility information, the consumer is provided a solicitation.

(2) Receiving eligibility information from an affiliate, including through a common database. You may receive eligibility information from an affiliate in various ways, including when the affiliate places that information into a common database that you may access.

(3) Receipt or use of eligibility information by your service provider. Except as provided in paragraph (b)(5) of this section, you receive or use an affiliate's eligibility information if a service provider acting on your behalf (whether an affiliate or a nonaffiliated third party) receives or uses that information in the manner described in paragraphs (b)(1)(i) or (b)(1)(ii) of this section. All relevant facts and circumstances will determine whether a person is acting as your service provider when it receives or uses an affiliate's eligibility information in connection with marketing your products and services.

(4) Use by an affiliate of its own eligibility information. Unless you have used eligibility information that you receive from an affiliate in the manner described in paragraph (b)(1)(ii) of this section, you do not make a solicitation subject to this subpart if your affiliate:

(i) Uses its own eligibility information that it obtained in connection with a pre-existing business relationship it has or had with the consumer to market your products or services to the consumer; or

(ii) Directs its service provider to use the affiliate's own eligibility information that it obtained in connection with a pre-existing business relationship it has or had with the consumer to market your products or services to the consumer, and you do not communicate directly with the service provider regarding that use.

(5) Use of eligibility information by a service provider—(i) In general. You do not make a solicitation subject to Subpart C of this part if a service provider (including an affiliated or third-party service provider that maintains or accesses a common database that you may access) receives eligibility information from your affiliate that your affiliate obtained in connection with a pre-existing business relationship it has or had with the consumer and uses that eligibility information to market your products or services to the consumer, so long as—

(A) Your affiliate controls access to and use of its eligibility information by the service provider (including the right to establish the specific terms and conditions under which the service provider may use such information to market your products or services);

(B) Your affiliate establishes specific terms and conditions under which the service provider may access and use the affiliate's eligibility information to market your products and services (or those of affiliates generally) to the consumer, such as the identity of the affiliated companies whose products or services may be marketed to the consumer by the service provider, the types of products or services of affiliated companies that may be marketed, and the number of times the consumer may receive marketing materials, and periodically evaluates the service provider's compliance with those terms and conditions;

(C) Your affiliate requires the service provider to implement reasonable policies and procedures designed to ensure that the service provider uses the affiliate's eligibility information in accordance with the terms and conditions established by the affiliate relating to the marketing of your products or services;

(D) Your affiliate is identified on or with the marketing materials provided to the consumer; and

(E) You do not directly use your affiliate's eligibility information in the manner described in paragraph (b)(1)(ii) of this section.

(ii) Writing requirements. (A) The requirements of paragraphs (b)(5)(i)(A) and (C) of this section must be set forth in a written agreement between your affiliate and the service provider; and

(B) The specific terms and conditions established by your affiliate as provided in paragraph (b)(5)(i)(B) of this section must be set forth in writing.

(6) Examples of making solicitations. (i) A consumer has a deposit account with a depository institution, which is affiliated with an insurance company. The insurance company receives eligibility information about the consumer from the depository institution. The insurance company uses that eligibility information to identify the consumer to receive a solicitation about insurance products, and, as a result, the insurance company provides a solicitation to the consumer about its insurance products. Pursuant to paragraph (b)(1) of this section, the insurance company has made a solicitation to the consumer.

(ii) The same facts as in the example in paragraph (b)(6)(i) of this section, except that after using the eligibility information to identify the consumer to receive a solicitation about insurance products, the insurance company asks the depository institution to send the solicitation to the consumer and the depository institution does so. Pursuant to paragraph (b)(1) of this section, the insurance company has made a solicitation to the consumer because it used eligibility information about the consumer that it received from an affiliate to identify the consumer to receive a solicitation about its products or services, and, as a result, a solicitation was provided to the consumer about the insurance company's products.

(iii) The same facts as in the example in paragraph (b)(6)(i) of this section, except that eligibility information about consumers that have deposit accounts with the depository institution is placed into a common database that all members of the affiliated group of companies may independently access and use. Without using the depository institution's eligibility information, the insurance company develops selection criteria and provides those criteria, marketing materials, and related instructions to the depository institution. The depository institution reviews eligibility information about its own consumers using the selection criteria provided by the insurance company to determine which consumers should receive the insurance company's marketing materials and sends marketing materials about the insurance company's products to those consumers. Even though the insurance company has received eligibility information through the common database as provided in paragraph (b)(2) of this section, it did not use that information to identify consumers or establish selection criteria; instead, the depository institution used its own eligibility information. Therefore, pursuant to paragraph (b)(4)(i) of this section, the insurance company has not made a solicitation to the consumer.

(iv) The same facts as in the example in paragraph (b)(6)(iii) of this section, except that the depository institution provides the insurance company's criteria to the depository institution's service provider and directs the service provider to use the depository institution's eligibility information to identify depository institution consumers who meet the criteria and to send the insurance company's marketing materials to those consumers. The insurance company does not communicate directly with the service provider regarding the use of the depository institution's information to market its products to the depository institution's consumers. Pursuant to paragraph (b)(4)(ii) of this section, the insurance company has not made a solicitation to the consumer.

(v) An affiliated group of companies includes a depository institution, an insurance company, and a service provider. Each affiliate in the group places information about its consumers into a common database. The service provider has access to all information in the common database. The depository institution controls access to and use of its eligibility information by the service provider. This control is set forth in a written agreement between the depository institution and the service provider. The written agreement also requires the service provider to establish reasonable policies and procedures designed to ensure that the service provider uses the depository institution's eligibility information in accordance with specific terms and conditions established by the depository institution relating to the marketing of the products and services of all affiliates, including the insurance company. In a separate written communication, the depository institution specifies the terms and conditions under which the service provider may use the depository institution's eligibility information to market the insurance company's products and services to the depository institution's consumers. 
The specific terms and conditions are: A list of affiliated companies (including the insurance company) whose products or services may be marketed to the depository institution's consumers by the service provider; the specific products or types of products that may be marketed to the depository institution's consumers by the service provider; the categories of eligibility information that may be used by the service provider in marketing products or services to the depository institution's consumers; the types or categories of the depository institution's consumers to whom the service provider may market products or services of depository institution affiliates; the number and/or types of marketing communications that the service provider may send to the depository institution's consumers; and the length of time during which the service provider may market the products or services of the depository institution's affiliates to its consumers. The depository institution periodically evaluates the service provider's compliance with these terms and conditions. The insurance company asks the service provider to market insurance products to certain consumers who have deposit accounts with the depository institution. Without using the depository institution's eligibility information, the insurance company develops selection criteria and provides those criteria, marketing materials, and related instructions to the service provider. The service provider uses the depository institution's eligibility information from the common database to identify the depository institution's consumers to whom insurance products will be marketed. 
When the insurance company's marketing materials are provided to the identified consumers, the name of the depository institution is displayed on the insurance marketing materials, an introductory letter that accompanies the marketing materials, an account statement that accompanies the marketing materials, or the envelope containing the marketing materials. The requirements of paragraph (b)(5) of this section have been satisfied, and the insurance company has not made a solicitation to the consumer.

(vi) The same facts as in the example in paragraph (b)(6)(v) of this section, except that the terms and conditions permit the service provider to use the depository institution's eligibility information to market the products and services of other affiliates to the depository institution's consumers whenever the service provider deems it appropriate to do so. The service provider uses the depository institution's eligibility information in accordance with the discretion afforded to it by the terms and conditions. Because the terms and conditions are not specific, the requirements of paragraph (b)(5) of this section have not been satisfied.

(c) Exceptions. The provisions of this subpart do not apply to you if you use eligibility information that you receive from an affiliate:

(1) To make a solicitation for marketing purposes to a consumer with whom you have a pre-existing business relationship;

(2) To facilitate communications to an individual for whose benefit you provide employee benefit or other services pursuant to a contract with an employer related to and arising out of the current employment relationship or status of the individual as a participant or beneficiary of an employee benefit plan;

(3) To perform services on behalf of an affiliate, except that this subparagraph shall not be construed as permitting you to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation as a result of the election of the consumer to opt out under this subpart;

(4) In response to a communication about your products or services initiated by the consumer;

(5) In response to an authorization or request by the consumer to receive solicitations; or

(6) If your compliance with this subpart would prevent you from complying with any provision of State insurance laws pertaining to unfair discrimination in any State in which you are lawfully doing business.

(d) Examples of exceptions—(1) Example of the pre-existing business relationship exception. A consumer has a deposit account with a depository institution. The consumer also has a relationship with the depository institution's securities affiliate for management of the consumer's securities portfolio. The depository institution receives eligibility information about the consumer from its securities affiliate and uses that information to make a solicitation to the consumer about the depository institution's wealth management services. The depository institution may make this solicitation even if the consumer has not been given a notice and opportunity to opt out because the depository institution has a pre-existing business relationship with the consumer.

(2) Examples of service provider exception. (i) A consumer has an insurance policy issued by an insurance company. The insurance company furnishes eligibility information about the consumer to its affiliated depository institution. Based on that eligibility information, the depository institution wants to make a solicitation to the consumer about its deposit products. The depository institution does not have a pre-existing business relationship with the consumer and none of the other exceptions in paragraph (c) of this section apply. The consumer has been given an opt-out notice and has elected to opt out of receiving such solicitations. The depository institution asks a service provider to send the solicitation to the consumer on its behalf. The service provider may not send the solicitation on behalf of the depository institution because, as a result of the consumer's opt-out election, the depository institution is not permitted to make the solicitation.

(ii) The same facts as in paragraph (d)(2)(i) of this section, except the consumer has been given an opt-out notice, but has not elected to opt out. The depository institution asks a service provider to send the solicitation to the consumer on its behalf. The service provider may send the solicitation on behalf of the depository institution because, as a result of the consumer's not opting out, the depository institution is permitted to make the solicitation.

(3) Examples of consumer-initiated communications. (i) A consumer who has a deposit account with a depository institution initiates a communication with the depository institution's credit card affiliate to request information about a credit card. The credit card affiliate may use eligibility information about the consumer it obtains from the depository institution or any other affiliate to make solicitations regarding credit card products in response to the consumer-initiated communication.

(ii) A consumer who has a deposit account with a depository institution contacts the institution to request information about how to save and invest for a child's college education without specifying the type of product in which the consumer may be interested. Information about a range of different products or services offered by the depository institution and one or more affiliates of the institution may be responsive to that communication. Such products or services may include the following: Mutual funds offered by the institution's mutual fund affiliate; section 529 plans offered by the institution, its mutual fund affiliate, or another securities affiliate; or trust services offered by a different financial institution in the affiliated group. Any affiliate offering investment products or services that would be responsive to the consumer's request for information about saving and investing for a child's college education may use eligibility information to make solicitations to the consumer in response to this communication.

(iii) A credit card issuer makes a marketing call to the consumer without using eligibility information received from an affiliate. The issuer leaves a voice-mail message that invites the consumer to call a toll-free number to apply for the issuer's credit card. If the consumer calls the toll-free number to inquire about the credit card, the call is a consumer-initiated communication about a product or service and the credit card issuer may now use eligibility information it receives from its affiliates to make solicitations to the consumer.

(iv) A consumer calls a depository institution to ask about retail locations and hours, but does not request information about products or services. The institution may not use eligibility information it receives from an affiliate to make solicitations to the consumer about its products or services because the consumer-initiated communication does not relate to the depository institution's products or services. Thus, the use of eligibility information received from an affiliate would not be responsive to the communication and the exception does not apply.

(v) A consumer calls a depository institution to ask about retail locations and hours. The customer service representative asks the consumer if there is a particular product or service about which the consumer is seeking information. The consumer responds that the consumer wants to stop in and find out about certificates of deposit. The customer service representative offers to provide that information by telephone and mail additional information and application materials to the consumer. The consumer agrees and provides or confirms contact information for receipt of the materials to be mailed. The depository institution may use eligibility information it receives from an affiliate to make solicitations to the consumer about certificates of deposit because such solicitations would respond to the consumer-initiated communication about products or services.

(4) Examples of consumer authorization or request for solicitations. (i) A consumer who obtains a mortgage from a mortgage lender authorizes or requests information about homeowner's insurance offered by the mortgage lender's insurance affiliate. Such authorization or request, whether given to the mortgage lender or to the insurance affiliate, would permit the insurance affiliate to use eligibility information about the consumer it obtains from the mortgage lender or any other affiliate to make solicitations to the consumer about homeowner's insurance.

(ii) A consumer completes an online application to apply for a credit card from a credit card issuer. The issuer's online application contains a blank check box that the consumer may check to authorize or request information from the credit card issuer's affiliates. The consumer checks the box. The consumer has authorized or requested solicitations from the card issuer's affiliates.

(iii) A consumer completes an online application to apply for a credit card from a credit card issuer. The issuer's online application contains a pre-selected check box indicating that the consumer authorizes or requests information from the issuer's affiliates. The consumer does not deselect the check box. The consumer has not authorized or requested solicitations from the card issuer's affiliates.

(iv) The terms and conditions of a credit card account agreement contain preprinted boilerplate language stating that by applying to open an account the consumer authorizes or requests to receive solicitations from the credit card issuer's affiliates. The consumer has not authorized or requested solicitations from the card issuer's affiliates.

(e) Relation to affiliate-sharing notice and opt-out. Nothing in this subpart limits the responsibility of a person to comply with the notice and opt-out provisions of section 603(d)(2)(A)(iii) of the Act where applicable.

§222.22   Scope and duration of opt-out.

(a) Scope of opt-out—(1) In general. Except as otherwise provided in this section, the consumer's election to opt out prohibits any affiliate covered by the opt-out notice from using eligibility information received from another affiliate as described in the notice to make solicitations to the consumer.

(2) Continuing relationship—(i) In general. If the consumer establishes a continuing relationship with you or your affiliate, an opt-out notice may apply to eligibility information obtained in connection with—

(A) A single continuing relationship or multiple continuing relationships that the consumer establishes with you or your affiliates, including continuing relationships established subsequent to delivery of the opt-out notice, so long as the notice adequately describes the continuing relationships covered by the opt-out; or

(B) Any other transaction between the consumer and you or your affiliates as described in the notice.

(ii) Examples of continuing relationships. A consumer has a continuing relationship with you or your affiliate if the consumer—

(A) Opens a deposit or investment account with you or your affiliate;

(B) Obtains a loan for which you or your affiliate owns the servicing rights;

(C) Purchases an insurance product from you or your affiliate;

(D) Holds an investment product through you or your affiliate, such as when you act or your affiliate acts as a custodian for securities or for assets in an individual retirement arrangement;

(E) Enters into an agreement or understanding with you or your affiliate whereby you or your affiliate undertakes to arrange or broker a home mortgage loan for the consumer;

(F) Enters into a lease of personal property with you or your affiliate; or

(G) Obtains financial, investment, or economic advisory services from you or your affiliate for a fee.

(3) No continuing relationship—(i) In general. If there is no continuing relationship between a consumer and you or your affiliate, and you or your affiliate obtain eligibility information about a consumer in connection with a transaction with the consumer, such as an isolated transaction or a credit application that is denied, an opt-out notice provided to the consumer only applies to eligibility information obtained in connection with that transaction.

(ii) Examples of isolated transactions. An isolated transaction occurs if—

(A) The consumer uses your or your affiliate's ATM to withdraw cash from an account at another financial institution; or

(B) You or your affiliate sells the consumer a cashier's check or money order, airline tickets, travel insurance, or traveler's checks in isolated transactions.

(4) Menu of alternatives. A consumer may be given the opportunity to choose from a menu of alternatives when electing to prohibit solicitations, such as by electing to prohibit solicitations from certain types of affiliates covered by the opt-out notice but not other types of affiliates covered by the notice, electing to prohibit solicitations based on certain types of eligibility information but not other types of eligibility information, or electing to prohibit solicitations by certain methods of delivery but not other methods of delivery. However, one of the alternatives must allow the consumer to prohibit all solicitations from all of the affiliates that are covered by the notice.

(5) Special rule for a notice following termination of all continuing relationships—(i) In general. A consumer must be given a new opt-out notice if, after all continuing relationships with you or your affiliate(s) are terminated, the consumer subsequently establishes another continuing relationship with you or your affiliate(s) and the consumer's eligibility information is to be used to make a solicitation. The new opt-out notice must apply, at a minimum, to eligibility information obtained in connection with the new continuing relationship. Consistent with paragraph (b) of this section, the consumer's decision not to opt out after receiving the new opt-out notice would not override a prior opt-out election by the consumer that applies to eligibility information obtained in connection with a terminated relationship, regardless of whether the new opt-out notice applies to eligibility information obtained in connection with the terminated relationship.

(ii) Example. A consumer has a checking account with a depository institution that is part of an affiliated group. The consumer closes the checking account. One year after closing the checking account, the consumer opens a savings account with the same depository institution. The consumer must be given a new notice and opportunity to opt out before the depository institution's affiliates may make solicitations to the consumer using eligibility information obtained by the depository institution in connection with the new savings account relationship, regardless of whether the consumer opted out in connection with the checking account.

(b) Duration of opt-out. The election of a consumer to opt out must be effective for a period of at least five years (the “opt-out period”) beginning when the consumer's opt-out election is received and implemented, unless the consumer subsequently revokes the opt-out in writing or, if the consumer agrees, electronically. An opt-out period of more than five years may be established, including an opt-out period that does not expire unless revoked by the consumer.

(c) Time of opt-out. A consumer may opt out at any time.

§222.23   Contents of opt-out notice; consolidated and equivalent notices.

(a) Contents of opt-out notice—(1) In general. A notice must be clear, conspicuous, and concise, and must accurately disclose:

(i) The name of the affiliate(s) providing the notice. If the notice is provided jointly by multiple affiliates and each affiliate shares a common name, such as “ABC,” then the notice may indicate that it is being provided by multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by “all of the ABC companies,” “the ABC banking, credit card, insurance, and securities companies,” or by listing the name of each affiliate providing the notice. But if the affiliates providing the joint notice do not all share a common name, then the notice must either separately identify each affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice is provided by “all of the ABC and XYZ companies” or by “the ABC banking and credit card companies and the XYZ insurance companies”;

(ii) A list of the affiliates or types of affiliates whose use of eligibility information is covered by the notice, which may include companies that become affiliates after the notice is provided to the consumer. If each affiliate covered by the notice shares a common name, such as “ABC,” then the notice may indicate that it applies to multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by “all of the ABC companies,” “the ABC banking, credit card, insurance, and securities companies,” or by listing the name of each affiliate providing the notice. But if the affiliates covered by the notice do not all share a common name, then the notice must either separately identify each covered affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice applies to “all of the ABC and XYZ companies” or to “the ABC banking and credit card companies and the XYZ insurance companies”;

(iii) A general description of the types of eligibility information that may be used to make solicitations to the consumer;

(iv) That the consumer may elect to limit the use of eligibility information to make solicitations to the consumer;

(v) That the consumer's election will apply for the specified period of time stated in the notice and, if applicable, that the consumer will be allowed to renew the election once that period expires;

(vi) If the notice is provided to consumers who may have previously opted out, such as if a notice is provided to consumers annually, that the consumer who has chosen to limit solicitations does not need to act again until the consumer receives a renewal notice; and

(vii) A reasonable and simple method for the consumer to opt out.

(2) Joint relationships. (i) If two or more consumers jointly obtain a product or service, a single opt-out notice may be provided to the joint consumers. Any of the joint consumers may exercise the right to opt out.

(ii) The opt-out notice must explain how an opt-out direction by a joint consumer will be treated. An opt-out direction by a joint consumer may be treated as applying to all of the associated joint consumers, or each joint consumer may be permitted to opt out separately. If each joint consumer is permitted to opt out separately, one of the joint consumers must be permitted to opt out on behalf of all of the joint consumers and the joint consumers must be permitted to exercise their separate rights to opt out in a single response.

(iii) It is impermissible to require all joint consumers to opt out before implementing any opt-out direction.

(3) Alternative contents. If the consumer is afforded a broader right to opt out of receiving marketing than is required by this subpart, the requirements of this section may be satisfied by providing the consumer with a clear, conspicuous, and concise notice that accurately discloses the consumer's opt-out rights.

(4) Model notices. Model notices are provided in appendix C of this part.

(b) Coordinated and consolidated notices. A notice required by this subpart may be coordinated and consolidated with any other notice or disclosure required to be issued under any other provision of law by the entity providing the notice, including but not limited to the notice described in section 603(d)(2)(A)(iii) of the Act and the Gramm-Leach-Bliley Act privacy notice.

(c) Equivalent notices. A notice or other disclosure that is equivalent to the notice required by this subpart, and that is provided to a consumer together with disclosures required by any other provision of law, satisfies the requirements of this section.

§222.24   Reasonable opportunity to opt out.

(a) In general. You must not use eligibility information about a consumer that you receive from an affiliate to make a solicitation to the consumer about your products or services, unless the consumer is provided a reasonable opportunity to opt out, as required by §222.21(a)(1)(ii) of this part.

(b) Examples of a reasonable opportunity to opt out. The consumer is given a reasonable opportunity to opt out if:

(1) By mail. The opt-out notice is mailed to the consumer. The consumer is given 30 days from the date the notice is mailed to elect to opt out by any reasonable means.

(2) By electronic means. (i) The opt-out notice is provided electronically to the consumer, such as by posting the notice at an Internet Web site at which the consumer has obtained a product or service. The consumer acknowledges receipt of the electronic notice. The consumer is given 30 days after the date the consumer acknowledges receipt to elect to opt out by any reasonable means.

(ii) The opt-out notice is provided to the consumer by e-mail where the consumer has agreed to receive disclosures by e-mail from the person sending the notice. The consumer is given 30 days after the e-mail is sent to elect to opt out by any reasonable means.

(3) At the time of an electronic transaction. The opt-out notice is provided to the consumer at the time of an electronic transaction, such as a transaction conducted on an Internet Web site. The consumer is required to decide, as a necessary part of proceeding with the transaction, whether to opt out before completing the transaction. There is a simple process that the consumer may use to opt out at that time using the same mechanism through which the transaction is conducted.

(4) At the time of an in-person transaction. The opt-out notice is provided to the consumer in writing at the time of an in-person transaction. The consumer is required to decide, as a necessary part of proceeding with the transaction, whether to opt out before completing the transaction, and is not permitted to complete the transaction without making a choice. There is a simple process that the consumer may use during the course of the in-person transaction to opt out, such as completing a form that requires consumers to write a “yes” or “no” to indicate their opt-out preference or that requires the consumer to check one of two blank check boxes—one that allows consumers to indicate that they want to opt out and one that allows consumers to indicate that they do not want to opt out.

(5) By including in a privacy notice. The opt-out notice is included in a Gramm-Leach-Bliley Act privacy notice. The consumer is allowed to exercise the opt-out within a reasonable period of time and in the same manner as the opt-out under that privacy notice.

§222.25   Reasonable and simple methods of opting out.

(a) In general. You must not use eligibility information about a consumer that you receive from an affiliate to make a solicitation to the consumer about your products or services, unless the consumer is provided a reasonable and simple method to opt out, as required by §222.21(a)(1)(ii) of this part.

(b) Examples—(1) Reasonable and simple opt-out methods. Reasonable and simple methods for exercising the opt-out right include—

(i) Designating a check-off box in a prominent position on the opt-out form;

(ii) Including a reply form and a self-addressed envelope together with the opt-out notice;

(iii) Providing an electronic means to opt out, such as a form that can be electronically mailed or processed at an Internet Web site, if the consumer agrees to the electronic delivery of information;

(iv) Providing a toll-free telephone number that consumers may call to opt out; or

(v) Allowing consumers to exercise all of their opt-out rights described in a consolidated opt-out notice that includes the privacy opt-out under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., the affiliate sharing opt-out under the Act, and the affiliate marketing opt-out under the Act, by a single method, such as by calling a single toll-free telephone number.

(2) Opt-out methods that are not reasonable and simple. Reasonable and simple methods for exercising an opt-out right do not include—

(i) Requiring the consumer to write his or her own letter;

(ii) Requiring the consumer to call or write to obtain a form for opting out, rather than including the form with the opt-out notice;

(iii) Requiring the consumer who receives the opt-out notice in electronic form only, such as through posting at an Internet Web site, to opt out solely by paper mail or by visiting a different Web site without providing a link to that site.

(c) Specific opt-out means. Each consumer may be required to opt out through a specific means, as long as that means is reasonable and simple for that consumer.

§222.26   Delivery of opt-out notices.

(a) In general. The opt-out notice must be provided so that each consumer can reasonably be expected to receive actual notice. For opt-out notices provided electronically, the notice may be provided in compliance with either the electronic disclosure provisions in this subpart or the provisions in section 101 of the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. 7001 et seq.

(b) Examples of reasonable expectation of actual notice. A consumer may reasonably be expected to receive actual notice if the affiliate providing the notice:

(1) Hand-delivers a printed copy of the notice to the consumer;

(2) Mails a printed copy of the notice to the last known mailing address of the consumer;

(3) Provides a notice by e-mail to a consumer who has agreed to receive electronic disclosures by e-mail from the affiliate providing the notice; or

(4) Posts the notice on the Internet Web site at which the consumer obtained a product or service electronically and requires the consumer to acknowledge receipt of the notice.

(c) Examples of no reasonable expectation of actual notice. A consumer may not reasonably be expected to receive actual notice if the affiliate providing the notice:

(1) Only posts the notice on a sign in a branch or office or generally publishes the notice in a newspaper;

(2) Sends the notice via e-mail to a consumer who has not agreed to receive electronic disclosures by e-mail from the affiliate providing the notice; or

(3) Posts the notice on an Internet Web site without requiring the consumer to acknowledge receipt of the notice.

§222.27   Renewal of opt-out.

(a) Renewal notice and opt-out requirement—(1) In general. After the opt-out period expires, you may not make solicitations based on eligibility information you receive from an affiliate to a consumer who previously opted out, unless:

(i) The consumer has been given a renewal notice that complies with the requirements of this section and §§222.24 through 222.26 of this part, and a reasonable opportunity and a reasonable and simple method to renew the opt-out, and the consumer does not renew the opt-out; or

(ii) An exception in §222.21(c) of this part applies.

(2) Renewal period. Each opt-out renewal must be effective for a period of at least five years as provided in §222.22(b) of this part.

(3) Affiliates who may provide the notice. The notice required by this paragraph must be provided:

(i) By the affiliate that provided the previous opt-out notice, or its successor; or

(ii) As part of a joint renewal notice from two or more members of an affiliated group of companies, or their successors, that jointly provided the previous opt-out notice.

(b) Contents of renewal notice. The renewal notice must be clear, conspicuous, and concise, and must accurately disclose:

(1) The name of the affiliate(s) providing the notice. If the notice is provided jointly by multiple affiliates and each affiliate shares a common name, such as “ABC,” then the notice may indicate that it is being provided by multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by “all of the ABC companies,” “the ABC banking, credit card, insurance, and securities companies,” or by listing the name of each affiliate providing the notice. But if the affiliates providing the joint notice do not all share a common name, then the notice must either separately identify each affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice is provided by “all of the ABC and XYZ companies” or by “the ABC banking and credit card companies and the XYZ insurance companies”;

(2) A list of the affiliates or types of affiliates whose use of eligibility information is covered by the notice, which may include companies that become affiliates after the notice is provided to the consumer. If each affiliate covered by the notice shares a common name, such as “ABC,” then the notice may indicate that it applies to multiple companies with the ABC name or multiple companies in the ABC group or family of companies, for example, by stating that the notice is provided by “all of the ABC companies,” “the ABC banking, credit card, insurance, and securities companies,” or by listing the name of each affiliate providing the notice. But if the affiliates covered by the notice do not all share a common name, then the notice must either separately identify each covered affiliate by name or identify each of the common names used by those affiliates, for example, by stating that the notice applies to “all of the ABC and XYZ companies” or to “the ABC banking and credit card companies and the XYZ insurance companies”;

(3) A general description of the types of eligibility information that may be used to make solicitations to the consumer;

(4) That the consumer previously elected to limit the use of certain information to make solicitations to the consumer;

(5) That the consumer's election has expired or is about to expire;

(6) That the consumer may elect to renew the consumer's previous election;

(7) If applicable, that the consumer's election to renew will apply for the specified period of time stated in the notice and that the consumer will be allowed to renew the election once that period expires; and

(8) A reasonable and simple method for the consumer to opt out.

(c) Timing of the renewal notice—(1) In general. A renewal notice may be provided to the consumer either—

(i) A reasonable period of time before the expiration of the opt-out period; or

(ii) Any time after the expiration of the opt-out period but before solicitations that would have been prohibited by the expired opt-out are made to the consumer.

(2) Combination with annual privacy notice. If you provide an annual privacy notice under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., providing a renewal notice with the last annual privacy notice provided to the consumer before expiration of the opt-out period is a reasonable period of time before expiration of the opt-out in all cases.

(d) No effect on opt-out period. An opt-out period may not be shortened by sending a renewal notice to the consumer before expiration of the opt-out period, even if the consumer does not renew the opt out.

§222.28   Effective date, compliance date, and prospective application.

(a) Effective date. This subpart is effective January 1, 2008.

(b) Mandatory compliance date. Compliance with this subpart is required not later than October 1, 2008.

(c) Prospective application. The provisions of this subpart shall not prohibit you from using eligibility information that you receive from an affiliate to make solicitations to a consumer if you receive such information prior to October 1, 2008. For purposes of this section, you are deemed to receive eligibility information when such information is placed into a common database and is accessible by you.

Subpart D—Medical Information

Source: 70 FR 70679, Nov. 22, 2005, unless otherwise noted.

§222.30   Obtaining or using medical information in connection with a determination of eligibility for credit.

(a) Scope. This section applies to:

(1) Any of the following that participates as a creditor in a transaction—

(i) A bank that is a member of the Federal Reserve System (other than national banks) and its subsidiaries;

(ii) A branch or Agency of a foreign bank (other than Federal branches, Federal Agencies, and insured State branches of foreign banks) and its subsidiaries;

(iii) A commercial lending company owned or controlled by foreign banks;

(iv) An organization operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.);

(v) A bank holding company and an affiliate of such holding company (other than depository institutions and consumer reporting agencies); or

(2) Any other person that participates as a creditor in a transaction involving a person described in paragraph (a)(1) of this section.

(b) General prohibition on obtaining or using medical information. (1) In general. A creditor may not obtain or use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit, except as provided in this section.

(2) Definitions. (i) Credit has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a.

(ii) Creditor has the same meaning as in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a.

(iii) Eligibility, or continued eligibility, for credit means the consumer's qualification or fitness to receive, or continue to receive, credit, including the terms on which credit is offered. The term does not include:

(A) Any determination of the consumer's qualification or fitness for employment, insurance (other than a credit insurance product), or other non-credit products or services;

(B) Authorizing, processing, or documenting a payment or transaction on behalf of the consumer in a manner that does not involve a determination of the consumer's eligibility, or continued eligibility, for credit; or

(C) Maintaining or servicing the consumer's account in a manner that does not involve a determination of the consumer's eligibility, or continued eligibility, for credit.

(c) Rule of construction for obtaining and using unsolicited medical information—(1) In general. A creditor does not obtain medical information in violation of the prohibition if it receives medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit without specifically requesting medical information.

(2) Use of unsolicited medical information. A creditor that receives unsolicited medical information in the manner described in paragraph (c)(1) of this section may use that information in connection with any determination of the consumer's eligibility, or continued eligibility, for credit to the extent the creditor can rely on at least one of the exceptions in §222.30(d) or (e).

(3) Examples. A creditor does not obtain medical information in violation of the prohibition if, for example:

(i) In response to a general question regarding a consumer's debts or expenses, the creditor receives information that the consumer owes a debt to a hospital.

(ii) In a conversation with the creditor's loan officer, the consumer informs the creditor that the consumer has a particular medical condition.

(iii) In connection with a consumer's application for an extension of credit, the creditor requests a consumer report from a consumer reporting agency and receives medical information in the consumer report furnished by the agency even though the creditor did not specifically request medical information from the consumer reporting agency.

(d) Financial information exception for obtaining and using medical information—(1) In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit so long as:

(i) The information is the type of information routinely used in making credit eligibility determinations, such as information relating to debts, expenses, income, benefits, assets, collateral, or the purpose of the loan, including the use of proceeds;

(ii) The creditor uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction; and

(iii) The creditor does not take the consumer's physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination.

(2) Examples. (i) Examples of the types of information routinely used in making credit eligibility determinations. Paragraph (d)(1)(i) of this section permits a creditor, for example, to obtain and use information about:

(A) The dollar amount, repayment terms, repayment history, and similar information regarding medical debts to calculate, measure, or verify the repayment ability of the consumer, the use of proceeds, or the terms for granting credit;

(B) The value, condition, and lien status of a medical device that may serve as collateral to secure a loan;

(C) The dollar amount and continued eligibility for disability income, workers' compensation income, or other benefits related to health or a medical condition that is relied on as a source of repayment; or

(D) The identity of creditors to whom outstanding medical debts are owed in connection with an application for credit, including but not limited to, a transaction involving the consolidation of medical debts.

(ii) Examples of uses of medical information consistent with the exception. (A) A consumer includes on an application for credit information about two $20,000 debts. One debt is to a hospital; the other debt is to a retailer. The creditor contacts the hospital and the retailer to verify the amount and payment status of the debts. The creditor learns that both debts are more than 90 days past due. Any two debts of this size that are more than 90 days past due would disqualify the consumer under the creditor's established underwriting criteria. The creditor denies the application on the basis that the consumer has a poor repayment history on outstanding debts. The creditor has used medical information in a manner and to an extent no less favorable than it would use comparable non-medical information.

(B) A consumer indicates on an application for a $200,000 mortgage loan that she receives $15,000 in long-term disability income each year from her former employer and has no other income. Annual income of $15,000, regardless of source, would not be sufficient to support the requested amount of credit. The creditor denies the application on the basis that the projected debt-to-income ratio of the consumer does not meet the creditor's underwriting criteria. The creditor has used medical information in a manner and to an extent that is no less favorable than it would use comparable non-medical information.

(C) A consumer includes on an application for a $10,000 home equity loan that he has a $50,000 debt to a medical facility that specializes in treating a potentially terminal disease. The creditor contacts the medical facility to verify the debt and obtain the repayment history and current status of the loan. The creditor learns that the debt is current. The applicant meets the income and other requirements of the creditor's underwriting guidelines. The creditor grants the application. The creditor has used medical information in accordance with the exception.

(iii) Examples of uses of medical information inconsistent with the exception. (A) A consumer applies for $25,000 of credit and includes on the application information about a $50,000 debt to a hospital. The creditor contacts the hospital to verify the amount and payment status of the debt, and learns that the debt is current and that the consumer has no delinquencies in her repayment history. If the existing debt were instead owed to a retail department store, the creditor would approve the application and extend credit based on the amount and repayment history of the outstanding debt. The creditor, however, denies the application because the consumer is indebted to a hospital. The creditor has used medical information, here the identity of the medical creditor, in a manner and to an extent that is less favorable than it would use comparable non-medical information.

(B) A consumer meets with a loan officer of a creditor to apply for a mortgage loan. While filling out the loan application, the consumer informs the loan officer orally that she has a potentially terminal disease. The consumer meets the creditor's established requirements for the requested mortgage loan. The loan officer recommends to the credit committee that the consumer be denied credit because the consumer has that disease. The credit committee follows the loan officer's recommendation and denies the application because the consumer has a potentially terminal disease. The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer's physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis as part of a determination of eligibility or continued eligibility for credit.

(C) A consumer who has an apparent medical condition, such as a consumer who uses a wheelchair or an oxygen tank, meets with a loan officer to apply for a home equity loan. The consumer meets the creditor's established requirements for the requested home equity loan and the creditor typically does not require consumers to obtain a debt cancellation contract, debt suspension agreement, or credit insurance product in connection with such loans. However, based on the consumer's apparent medical condition, the loan officer recommends to the credit committee that credit be extended to the consumer only if the consumer obtains a debt cancellation contract, debt suspension agreement, or credit insurance product from a nonaffiliated third party. The credit committee agrees with the loan officer's recommendation. The loan officer informs the consumer that the consumer must obtain a debt cancellation contract, debt suspension agreement, or credit insurance product from a nonaffiliated third party to qualify for the loan. The consumer obtains one of these products and the creditor approves the loan. The creditor has used medical information in a manner inconsistent with the exception by taking into account the consumer's physical, mental, or behavioral health, condition, or history, type of treatment, or prognosis in setting conditions on the consumer's eligibility for credit.

(e) Specific exceptions for obtaining and using medical information—(1) In general. A creditor may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer's eligibility, or continued eligibility, for credit—

(i) To determine whether the use of a power of attorney or legal representative that is triggered by a medical condition or event is necessary and appropriate or whether the consumer has the legal capacity to contract when a person seeks to exercise a power of attorney or act as legal representative for a consumer based on an asserted medical condition or event;

(ii) To comply with applicable requirements of local, state, or Federal laws;

(iii) To determine, at the consumer's request, whether the consumer qualifies for a legally permissible special credit program or credit-related assistance program that is—

(A) Designed to meet the special needs of consumers with medical conditions; and

(B) Established and administered pursuant to a written plan that—

(1) Identifies the class of persons that the program is designed to benefit; and

(2) Sets forth the procedures and standards for extending credit or providing other credit-related assistance under the program;

(iv) To the extent necessary for purposes of fraud prevention or detection;

(v) In the case of credit for the purpose of financing medical products or services, to determine and verify the medical purpose of a loan and the use of proceeds;

(vi) Consistent with safe and sound practices, if the consumer or the consumer's legal representative specifically requests that the creditor use medical information in determining the consumer's eligibility, or continued eligibility, for credit, to accommodate the consumer's particular circumstances, and such request is documented by the creditor;

(vii) Consistent with safe and sound practices, to determine whether the provisions of a forbearance practice or program that is triggered by a medical condition or event apply to a consumer;

(viii) To determine the consumer's eligibility for, the triggering of, or the reactivation of a debt cancellation contract or debt suspension agreement if a medical condition or event is a triggering event for the provision of benefits under the contract or agreement; or

(ix) To determine the consumer's eligibility for, the triggering of, or the reactivation of a credit insurance product if a medical condition or event is a triggering event for the provision of benefits under the product.

(2) Example of determining eligibility for a special credit program or credit assistance program. A not-for-profit organization establishes a credit assistance program pursuant to a written plan that is designed to assist disabled veterans in purchasing homes by subsidizing the down payment for the home purchase mortgage loans of qualifying veterans. The organization works through mortgage lenders and requires mortgage lenders to obtain medical information about the disability of any consumer that seeks to qualify for the program, use that information to verify the consumer's eligibility for the program, and forward that information to the organization. A consumer who is a veteran applies to a creditor for a home purchase mortgage loan. The creditor informs the consumer about the credit assistance program for disabled veterans and the consumer seeks to qualify for the program. Assuming that the program complies with all applicable law, including applicable fair lending laws, the creditor may obtain and use medical information about the medical condition and disability, if any, of the consumer to determine whether the consumer qualifies for the credit assistance program.

(3) Examples of verifying the medical purpose of the loan or the use of proceeds. (i) If a consumer applies for $10,000 of credit for the purpose of financing vision correction surgery, the creditor may verify with the surgeon that the procedure will be performed. If the surgeon reports that surgery will not be performed on the consumer, the creditor may use that medical information to deny the consumer's application for credit, because the loan would not be used for the stated purpose.

(ii) If a consumer applies for $10,000 of credit for the purpose of financing cosmetic surgery, the creditor may confirm the cost of the procedure with the surgeon. If the surgeon reports that the cost of the procedure is $5,000, the creditor may use that medical information to offer the consumer only $5,000 of credit.

(iii) A creditor has an established medical loan program for financing particular elective surgical procedures. The creditor receives a loan application from a consumer requesting $10,000 of credit under the established loan program for an elective surgical procedure. The consumer indicates on the application that the purpose of the loan is to finance an elective surgical procedure not eligible for funding under the guidelines of the established loan program. The creditor may deny the consumer's application because the purpose of the loan is not for a particular procedure funded by the established loan program.

(4) Examples of obtaining and using medical information at the request of the consumer. (i) If a consumer applies for a loan and specifically requests that the creditor consider the consumer's medical disability at the relevant time as an explanation for adverse payment history information in his credit report, the creditor may consider such medical information in evaluating the consumer's willingness and ability to repay the requested loan to accommodate the consumer's particular circumstances, consistent with safe and sound practices. The creditor may also decline to consider such medical information to accommodate the consumer, but may evaluate the consumer's application in accordance with its otherwise applicable underwriting criteria. The creditor may not deny the consumer's application or otherwise treat the consumer less favorably because the consumer specifically requested a medical accommodation, if the creditor would have extended the credit or treated the consumer more favorably under the creditor's otherwise applicable underwriting criteria.

(ii) If a consumer applies for a loan by telephone and explains that his income has been and will continue to be interrupted on account of a medical condition and that he expects to repay the loan by liquidating assets, the creditor may, but is not required to, evaluate the application using the sale of assets as the primary source of repayment, consistent with safe and sound practices, provided that the creditor documents the consumer's request by recording the oral conversation or making a notation of the request in the consumer's file.

(iii) If a consumer applies for a loan and the application form provides a space where the consumer may provide any other information or special circumstances, whether medical or non-medical, that the consumer would like the creditor to consider in evaluating the consumer's application, the creditor may use medical information provided by the consumer in that space on that application to accommodate the consumer's application for credit, consistent with safe and sound practices, or may disregard that information.

(iv) If a consumer specifically requests that the creditor use medical information in determining the consumer's eligibility, or continued eligibility, for credit and provides the creditor with medical information for that purpose, and the creditor determines that it needs additional information regarding the consumer's circumstances, the creditor may request, obtain, and use additional medical information about the consumer as necessary to verify the information provided by the consumer or to determine whether to make an accommodation for the consumer. The consumer may decline to provide additional information, withdraw the request for an accommodation, and have the application considered under the creditor's otherwise applicable underwriting criteria.

(v) If a consumer completes and signs a credit application that is not for medical purpose credit and the application contains boilerplate language that routinely requests medical information from the consumer or that indicates that by applying for credit the consumer authorizes or consents to the creditor obtaining and using medical information in connection with a determination of the consumer's eligibility, or continued eligibility, for credit, the consumer has not specifically requested that the creditor obtain and use medical information to accommodate the consumer's particular circumstances.

(5) Example of a forbearance practice or program. After an appropriate safety and soundness review, a creditor institutes a program that allows consumers who are or will be hospitalized to defer payments as needed for up to three months, without penalty, if the credit account has been open for more than one year and has not previously been in default, and the consumer provides confirming documentation at an appropriate time. A consumer is hospitalized and does not pay her bill for a particular month. This consumer has had a credit account with the creditor for more than one year and has not previously been in default. The creditor attempts to contact the consumer and speaks with the consumer's adult child, who is not the consumer's legal representative. The adult child informs the creditor that the consumer is hospitalized and is unable to pay the bill at that time. The creditor defers payments for up to three months, without penalty, for the hospitalized consumer and sends the consumer a letter confirming this practice and the date on which the next payment will be due. The creditor has obtained and used medical information to determine whether the provisions of a medically-triggered forbearance practice or program apply to a consumer.

§222.31   Limits on redisclosure of information.

(a) Scope. This section applies to banks that are members of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.), and bank holding companies and affiliates of such holding companies (other than depository institutions and consumer reporting agencies).

(b) Limits on redisclosure. If a person described in paragraph (a) of this section receives medical information about a consumer from a consumer reporting agency or its affiliate, the person must not disclose that information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order.

§222.32   Sharing medical information with affiliates.

(a) Scope. This section applies to banks that are members of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).

(b) In general. The exclusions from the term “consumer report” in section 603(d)(2) of the Act that allow the sharing of information with affiliates do not apply to a person described in paragraph (a) of this section if that person communicates to an affiliate:

(1) Medical information;

(2) An individualized list or description based on the payment transactions of the consumer for medical products or services; or

(3) An aggregate list of identified consumers based on payment transactions for medical products or services.

(c) Exceptions. A person described in paragraph (a) of this section may rely on the exclusions from the term “consumer report” in section 603(d)(2) of the Act to communicate the information in paragraph (b) of this section to an affiliate:

(1) In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003);

(2) For any purpose permitted without authorization under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);

(3) For any purpose referred to in section 1179 of HIPAA;

(4) For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act;

(5) In connection with a determination of the consumer's eligibility, or continued eligibility, for credit consistent with §222.30 of this part; or

(6) As otherwise permitted by order of the Board.

Subpart E—Duties of Furnishers of Information

Source: 74 FR 31514, July 1, 2009, unless otherwise noted.

§222.40   Scope.

Subpart E of this part applies to member banks of the Federal Reserve System (other than national banks) and their respective operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act, as amended (12 U.S.C. 1844(c)(5)), branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).

§222.41   Definitions.

For purposes of this subpart and appendix E of this part, the following definitions apply:

(a) Accuracy means that information that a furnisher provides to a consumer reporting agency about an account or other relationship with the consumer correctly:

(1) Reflects the terms of and liability for the account or other relationship;

(2) Reflects the consumer's performance and other conduct with respect to the account or other relationship; and

(3) Identifies the appropriate consumer.

(b) Direct dispute means a dispute submitted directly to a furnisher (including a furnisher that is a debt collector) by a consumer concerning the accuracy of any information contained in a consumer report and pertaining to an account or other relationship that the furnisher has or had with the consumer.

(c) Furnisher means an entity that furnishes information relating to consumers to one or more consumer reporting agencies for inclusion in a consumer report. An entity is not a furnisher when it:

(1) Provides information to a consumer reporting agency solely to obtain a consumer report in accordance with sections 604(a) and (f) of the Fair Credit Reporting Act;

(2) Is acting as a “consumer reporting agency” as defined in section 603(f) of the Fair Credit Reporting Act;

(3) Is a consumer to whom the furnished information pertains; or

(4) Is a neighbor, friend, or associate of the consumer, or another individual with whom the consumer is acquainted or who may have knowledge about the consumer, and who provides information about the consumer's character, general reputation, personal characteristics, or mode of living in response to a specific request from a consumer reporting agency.

(d) Identity theft has the same meaning as in 16 CFR 603.2(a).

(e) Integrity means that information that a furnisher provides to a consumer reporting agency about an account or other relationship with the consumer:

(1) Is substantiated by the furnisher's records at the time it is furnished;

(2) Is furnished in a form and manner that is designed to minimize the likelihood that the information may be incorrectly reflected in a consumer report; and

(3) Includes the information in the furnisher's possession about the account or other relationship that the Board has:

(i) Determined that the absence of which would likely be materially misleading in evaluating a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; and

(ii) Listed in section I.(b)(2)(iii) of appendix E of this part.

§222.42   Reasonable policies and procedures concerning the accuracy and integrity of furnished information.

(a) Policies and procedures. Each furnisher must establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers that it furnishes to a consumer reporting agency. The policies and procedures must be appropriate to the nature, size, complexity, and scope of each furnisher's activities.

(b) Guidelines. Each furnisher must consider the guidelines in appendix E of this part in developing its policies and procedures required by this section, and incorporate those guidelines that are appropriate.

(c) Reviewing and updating policies and procedures. Each furnisher must review its policies and procedures required by this section periodically and update them as necessary to ensure their continued effectiveness.

§222.43   Direct disputes.

(a) General rule. Except as otherwise provided in this section, a furnisher must conduct a reasonable investigation of a direct dispute if it relates to:

(1) The consumer's liability for a credit account or other debt with the furnisher, such as direct disputes relating to whether there is or has been identity theft or fraud against the consumer, whether there is individual or joint liability on an account, or whether the consumer is an authorized user of a credit account;

(2) The terms of a credit account or other debt with the furnisher, such as direct disputes relating to the type of account, principal balance, scheduled payment amount on an account, or the amount of the credit limit on an open-end account;

(3) The consumer's performance or other conduct concerning an account or other relationship with the furnisher, such as direct disputes relating to the current payment status, high balance, date a payment was made, the amount of a payment made, or the date an account was opened or closed; or

(4) Any other information contained in a consumer report regarding an account or other relationship with the furnisher that bears on the consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

(b) Exceptions. The requirements of paragraph (a) of this section do not apply to a furnisher if:

(1) The direct dispute relates to:

(i) The consumer's identifying information (other than a direct dispute relating to a consumer's liability for a credit account or other debt with the furnisher, as provided in paragraph (a)(1) of this section) such as name(s), date of birth, Social Security number, telephone number(s), or address(es);

(ii) The identity of past or present employers;

(iii) Inquiries or requests for a consumer report;

(iv) Information derived from public records, such as judgments, bankruptcies, liens, and other legal matters (unless provided by a furnisher with an account or other relationship with the consumer);

(v) Information related to fraud alerts or active duty alerts; or

(vi) Information provided to a consumer reporting agency by another furnisher; or

(2) The furnisher has a reasonable belief that the direct dispute is submitted by, is prepared on behalf of the consumer by, or is submitted on a form supplied to the consumer by, a credit repair organization, as defined in 15 U.S.C. 1679a(3), or an entity that would be a credit repair organization, but for 15 U.S.C. 1679a(3)(B)(i).

(c) Direct dispute address. A furnisher is required to investigate a direct dispute only if a consumer submits a dispute notice to the furnisher at:

(1) The address of a furnisher provided by a furnisher and set forth on a consumer report relating to the consumer;

(2) An address clearly and conspicuously specified by the furnisher for submitting direct disputes that is provided to the consumer in writing or electronically (if the consumer has agreed to the electronic delivery of information from the furnisher); or

(3) Any business address of the furnisher if the furnisher has not so specified and provided an address for submitting direct disputes under paragraphs (c)(1) or (2) of this section.

(d) Direct dispute notice contents. A dispute notice must include:

(1) Sufficient information to identify the account or other relationship that is in dispute, such as an account number and the name, address, and telephone number of the consumer, if applicable;

(2) The specific information that the consumer is disputing and an explanation of the basis for the dispute; and

(3) All supporting documentation or other information reasonably required by the furnisher to substantiate the basis of the dispute. This documentation may include, for example: a copy of the relevant portion of the consumer report that contains the allegedly inaccurate information; a police report; a fraud or identity theft affidavit; a court order; or account statements.

(e) Duty of furnisher after receiving a direct dispute notice. After receiving a dispute notice from a consumer pursuant to paragraphs (c) and (d) of this section, the furnisher must:

(1) Conduct a reasonable investigation with respect to the disputed information;

(2) Review all relevant information provided by the consumer with the dispute notice;

(3) Complete its investigation of the dispute and report the results of the investigation to the consumer before the expiration of the period under section 611(a)(1) of the Fair Credit Reporting Act (15 U.S.C. 1681i(a)(1)) within which a consumer reporting agency would be required to complete its action if the consumer had elected to dispute the information under that section; and

(4) If the investigation finds that the information reported was inaccurate, promptly notify each consumer reporting agency to which the furnisher provided inaccurate information of that determination and provide to the consumer reporting agency any correction to that information that is necessary to make the information provided by the furnisher accurate.

(f) Frivolous or irrelevant disputes. (1) A furnisher is not required to investigate a direct dispute if the furnisher has reasonably determined that the dispute is frivolous or irrelevant. A dispute qualifies as frivolous or irrelevant if:

(i) The consumer did not provide sufficient information to investigate the disputed information as required by paragraph (d) of this section;

(ii) The direct dispute is substantially the same as a dispute previously submitted by or on behalf of the consumer, either directly to the furnisher or through a consumer reporting agency, with respect to which the furnisher has already satisfied the applicable requirements of the Act or this section; provided, however, that a direct dispute is not substantially the same as a dispute previously submitted if the dispute includes information listed in paragraph (d) of this section that had not previously been provided to the furnisher; or

(iii) The furnisher is not required to investigate the direct dispute because one or more of the exceptions listed in paragraph (b) of this section applies.

(2) Notice of determination. Upon making a determination that a dispute is frivolous or irrelevant, the furnisher must notify the consumer of the determination not later than five business days after making the determination, by mail or, if authorized by the consumer for that purpose, by any other means available to the furnisher.

(3) Contents of notice of determination that a dispute is frivolous or irrelevant. A notice of determination that a dispute is frivolous or irrelevant must include the reasons for such determination and identify any information required to investigate the disputed information, which notice may consist of a standardized form describing the general nature of such information.

Subpart F [Reserved]

Subpart H—Duties of Users Regarding Risk-Based Pricing

Source: 75 FR 2752, January 15, 2010, unless otherwise noted.

§222.70   Scope.

(a) Coverage—(1) In general. This subpart applies to any person that both—

(i) Uses a consumer report in connection with an application for, or a grant, extension, or other provision of, credit to a consumer that is primarily for personal, family, or household purposes; and

(ii) Based in whole or in part on the consumer report, grants, extends, or otherwise provides credit to the consumer on material terms that are materially less favorable than the most favorable material terms available to a substantial proportion of consumers from or through that person.

(2) Business credit excluded. This subpart does not apply to an application for, or a grant, extension, or other provision of, credit to a consumer or to any other applicant primarily for a business purpose.

(b) Relation to Federal Trade Commission rules. These rules are substantively identical to the Federal Trade Commission's (Commission's) risk-based pricing rules in 16 CFR 640. Both rules apply to the covered person described in paragraph (a) of this section. Compliance with either the Board's rules or the Commission's rules satisfies the requirements of the statute (15 U.S.C. 1681m(h)).

(c) Enforcement. The provisions of this subpart will be enforced in accordance with the enforcement authority set forth in sections 621(a) and (b) of the FCRA.

§222.71   Definitions.

For purposes of this subpart, the following definitions apply:

(a) Adverse action has the same meaning as in 15 U.S.C. 1681a(k)(1)(A).

(b) Annual percentage rate has the same meaning as in 12 CFR 226.14(b) with respect to an open-end credit plan and as in 12 CFR 226.22 with respect to closed-end credit.

(c) Closed-end credit has the same meaning as in 12 CFR 226.2(a)(10).

(d) Consumer has the same meaning as in 15 U.S.C. 1681a(c).

(e) Consummation has the same meaning as in 12 CFR 226.2(a)(13).

(f) Consumer report has the same meaning as in 15 U.S.C. 1681a(d).

(g) Consumer reporting agency has the same meaning as in 15 U.S.C. 1681a(f).

(h) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).

(i) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5).

(j) Credit card has the same meaning as in 15 U.S.C. 1681a(r)(2).

(k) Credit card issuer has the same meaning as in 15 U.S.C. 1681a(r)(1)(A).

(l) Credit score has the same meaning as in 15 U.S.C. 1681g(f)(2)(A).

(m) Firm offer of credit has the same meaning as in 15 U.S.C. 1681a(l).

(n) Material terms means—

(1) (i) Except as otherwise provided in paragraphs (n)(1)(ii) and (n)(3) of this section, in the case of credit extended under an open-end credit plan, the annual percentage rate required to be disclosed under 12 CFR 226.6(a)(1)(ii) or 12 CFR 226.6(b)(2)(i), excluding any temporary initial rate that is lower than the rate that will apply after the temporary rate expires, any penalty rate that will apply upon the occurrence of one or more specific events, such as a late payment or an extension of credit that exceeds the credit limit, and any fixed annual percentage rate option for a home equity line of credit;

(ii) In the case of a credit card (other than a credit card that is used to access a home equity line of credit or a charge card), the annual percentage rate required to be disclosed under 12 CFR 226.6(b)(2)(i) that applies to purchases (“purchase annual percentage rate”) and no other annual percentage rate, or in the case of a credit card that has no purchase annual percentage rate, the annual percentage rate that varies based on information in a consumer report and that has the most significant financial impact on consumers;

(2) In the case of closed-end credit, the annual percentage rate required to be disclosed under 12 CFR 226.17(c) and 226.18(e); and

(3) In the case of credit for which there is no annual percentage rate, the financial term that varies based on information in a consumer report and that has the most significant financial impact on consumers, such as a deposit required in connection with credit extended by a telephone company or utility or an annual membership fee for a charge card.

(o) Materially less favorable means, when applied to material terms, that the terms granted, extended, or otherwise provided to a consumer differ from the terms granted, extended, or otherwise provided to another consumer from or through the same person such that the cost of credit to the first consumer would be significantly greater than the cost of credit granted, extended, or otherwise provided to the other consumer. For purposes of this definition, factors relevant to determining the significance of a difference in cost include the type of credit product, the term of the credit extension, if any, and the extent of the difference between the material terms granted, extended, or otherwise provided to the two consumers.

(p) Open-end credit plan has the same meaning as in 15 U.S.C. 1602(i), as interpreted by the Board of Governors of the Federal Reserve System in Regulation Z (12 CFR part 226) and the Official Staff Commentary to Regulation Z (Supplement I to 12 CFR Part 226).

(q) Person has the same meaning as in 15 U.S.C. 1681a(b).

§222.72   General requirements for risk-based pricing notices.

(a) In general. Except as otherwise provided in this subpart, a person must provide to a consumer a notice (“risk-based pricing notice”) in the form and manner required by this subpart if the person both—

(1) Uses a consumer report in connection with an application for, or a grant, extension, or other provision of, credit to that consumer that is primarily for personal, family, or household purposes; and

(2) Based in whole or in part on the consumer report, grants, extends, or otherwise provides credit to that consumer on material terms that are materially less favorable than the most favorable material terms available to a substantial proportion of consumers from or through that person.

(b) Determining which consumers must receive a notice. A person may determine whether paragraph (a) of this section applies by directly comparing the material terms offered to each consumer and the material terms offered to other consumers for a specific type of credit product. For purposes of this section, a “specific type of credit product” means one or more credit products with similar features that are designed for similar purposes. Examples of a specific type of credit product include student loans, unsecured credit cards, secured credit cards, new automobile loans, used automobile loans, fixed-rate mortgage loans, and variable-rate mortgage loans. As an alternative to making this direct comparison, a person may make the determination by using one of the following methods:

(1) Credit score proxy method—(i) In general. A person that sets the material terms of credit granted, extended, or otherwise provided to a consumer, based in whole or in part on a credit score, may comply with the requirements of paragraph (a) of this section by—

(A) Determining the credit score (hereafter referred to as the “cutoff score”) that represents the point at which approximately 40 percent of the consumers to whom it grants, extends, or provides credit have higher credit scores and approximately 60 percent of the consumers to whom it grants, extends, or provides credit have lower credit scores; and

(B) Providing a risk-based pricing notice to each consumer to whom it grants, extends, or provides credit whose credit score is lower than the cutoff score.

(ii) Alternative to the 40/60 cutoff score determination. In the case of credit that has been granted, extended, or provided on the most favorable material terms to more than 40 percent of consumers, a person may, at its option, set its cutoff score at a point at which the approximate percentage of consumers who historically have been granted, extended, or provided credit on material terms other than the most favorable terms would receive risk-based pricing notices under this section.

(iii) Determining the cutoff score—(A) Sampling approach. A person that currently uses risk-based pricing with respect to the credit products it offers must calculate the cutoff score by considering the credit scores of all or a representative sample of the consumers to whom it has granted, extended, or provided credit for a specific type of credit product.

(B) Secondary source approach in limited circumstances. A person that is a new entrant into the credit business, introduces new credit products, or starts to use risk-based pricing with respect to the credit products it currently offers may initially determine the cutoff score based on information derived from appropriate market research or relevant third-party sources for a specific type of credit product, such as research or data from companies that develop credit scores. A person that acquires a credit portfolio as a result of a merger or acquisition may determine the cutoff score based on information from the party which it acquired, with which it merged, or from which it acquired the portfolio.

(C) Recalculation of cutoff scores. A person using the credit score proxy method must recalculate its cutoff score(s) no less than every two years in the manner described in paragraph (b)(1)(iii)(A) of this section. A person using the credit score proxy method using market research, third-party data, or information from a party which it acquired, with which it merged, or from which it acquired the portfolio as permitted by paragraph (b)(1)(iii)(B) of this section generally must calculate a cutoff score(s) based on the scores of its own consumers in the manner described in paragraph (b)(1)(iii)(A) of this section within one year after it begins using a cutoff score derived from market research, third-party data, or information from a party which it acquired, with which it merged, or from which it acquired the portfolio. If such a person does not grant, extend, or provide credit to new consumers during that one-year period such that it lacks sufficient data with which to recalculate a cutoff score based on the credit scores of its own consumers, the person may continue to use a cutoff score derived from market research, third-party data, or information from a party which it acquired, with which it merged, or from which it acquired the portfolio as provided in paragraph (b)(1)(iii)(B) until it obtains sufficient data on which to base the recalculation. However, the person must recalculate its cutoff score(s) in the manner described in paragraph (b)(1)(iii)(A) of this section within two years, if it has granted, extended, or provided credit to some new consumers during that two-year period.

(D) Use of two or more credit scores. A person that generally uses two or more credit scores in setting the material terms of credit granted, extended, or provided to a consumer must determine the cutoff score using the same method the person uses to evaluate multiple scores when making credit decisions. These evaluation methods may include, but are not limited to, selecting the low, median, high, most recent, or average credit score of each consumer to whom it grants, extends, or provides credit. If a person that uses two or more credit scores does not consistently use the same method for evaluating multiple credit scores (e.g., if the person sometimes chooses the median score and other times calculates the average score), the person must determine the cutoff score using a reasonable means. In such cases, use of any one of the methods that the person regularly uses or the average credit score of each consumer to whom it grants, extends, or provides credit is deemed to be a reasonable means of calculating the cutoff score.

(iv) Credit score not available. For purposes of this section, a person using the credit score proxy method who grants, extends, or provides credit to a consumer for whom a credit score is not available must assume that the consumer receives credit on material terms that are materially less favorable than the most favorable credit terms offered to a substantial proportion of consumers from or through that person and must provide a risk-based pricing notice to the consumer.

(v) Examples. (A) A credit card issuer engages in risk-based pricing and the annual percentage rates it offers to consumers are based in whole or in part on a credit score. The credit card issuer takes a representative sample of the credit scores of consumers to whom it issued credit cards within the preceding three months. The credit card issuer determines that approximately 40 percent of the sampled consumers have a credit score at or above 720 (on a scale of 350 to 850) and approximately 60 percent of the sampled consumers have a credit score below 720. Thus, the card issuer selects 720 as its cutoff score. A consumer applies to the credit card issuer for a credit card. The card issuer obtains a credit score for the consumer. The consumer's credit score is 700. Since the consumer's 700 credit score falls below the 720 cutoff score, the credit card issuer must provide a risk-based pricing notice to the consumer.

(B) A credit card issuer engages in risk-based pricing, and the annual percentage rates it offers to consumers are based in whole or in part on a credit score. The credit card issuer takes a representative sample of the consumers to whom it issued credit cards over the preceding six months. The credit card issuer determines that approximately 80 percent of the sampled consumers received credit at its lowest annual percentage rate, and 20 percent received credit at a higher annual percentage rate. Approximately 80 percent of the sampled consumers have a credit score at or above 750 (on a scale of 350 to 850), and 20 percent have a credit score below 750. Thus, the card issuer selects 750 as its cutoff score. A consumer applies to the credit card issuer for a credit card. The card issuer obtains a credit score for the consumer. The consumer's credit score is 740. Since the consumer's 740 credit score falls below the 750 cutoff score, the credit card issuer must provide a risk-based pricing notice to the consumer.

(C) An auto lender engages in risk-based pricing, obtains credit scores from one of the nationwide consumer reporting agencies, and uses the credit score proxy method to determine which consumers must receive a risk-based pricing notice. A consumer applies to the auto lender for credit to finance the purchase of an automobile. A credit score about that consumer is not available from the consumer reporting agency from which the lender obtains credit scores. The lender nevertheless grants, extends, or provides credit to the consumer. The lender must provide a risk-based pricing notice to the consumer.

(2) Tiered pricing method—(i) In general. A person that sets the material terms of credit granted, extended, or provided to a consumer by placing the consumer within one of a discrete number of pricing tiers for a specific type of credit product, based in whole or in part on a consumer report, may comply with the requirements of paragraph (a) of this section by providing a risk-based pricing notice to each consumer who is not placed within the top pricing tier or tiers, as described below.

(ii) Four or fewer pricing tiers. If a person using the tiered pricing method has four or fewer pricing tiers, the person complies with the requirements of paragraph (a) of this section by providing a risk-based pricing notice to each consumer to whom it grants, extends, or provides credit who does not qualify for the top tier (that is, the lowest-priced tier). For example, a person that uses a tiered pricing structure with annual percentage rates of 8, 10, 12, and 14 percent would provide the risk-based pricing notice to each consumer to whom it grants, extends, or provides credit at annual percentage rates of 10, 12, and 14 percent.

(iii) Five or more pricing tiers. If a person using the tiered pricing method has five or more pricing tiers, the person complies with the requirements of paragraph (a) of this section by providing a risk-based pricing notice to each consumer to whom it grants, extends, or provides credit who does not qualify for the top two tiers (that is, the two lowest-priced tiers) and any other tier that, together with the top tiers, comprise no less than the top 30 percent but no more than the top 40 percent of the total number of tiers. Each consumer placed within the remaining tiers must receive a risk-based pricing notice. For example, if a person has nine pricing tiers, the top three tiers (that is, the three lowest-priced tiers) comprise no less than the top 30 percent but no more than the top 40 percent of the tiers. Therefore, a person using this method would provide a risk-based pricing notice to each consumer to whom it grants, extends, or provides credit who is placed within the bottom six tiers.

(c) Application to credit card issuers—(1) In general. A credit card issuer subject to the requirements of paragraph (a) of this section may use one of the methods set forth in paragraph (b) of this section to identify consumers to whom it must provide a risk-based pricing notice. Alternatively, a credit card issuer may satisfy its obligations under paragraph (a) of this section by providing a risk-based pricing notice to a consumer when—

(i) A consumer applies for a credit card either in connection with an application program, such as a direct-mail offer or a take-one application, or in response to a solicitation under 12 CFR 226.5a, and more than a single possible purchase annual percentage rate may apply under the program or solicitation; and

(ii) Based in whole or in part on a consumer report, the credit card issuer provides a credit card to the consumer with an annual percentage rate referenced in §222.71(n)(1)(ii) that is greater than the lowest annual percentage rate referenced in §222.71(n)(1)(ii) available in connection with the application or solicitation.

(2) No requirement to compare different offers. A credit card issuer is not subject to the requirements of paragraph (a) of this section and is not required to provide a risk-based pricing notice to a consumer if—

(i) The consumer applies for a credit card for which the card issuer provides a single annual percentage rate referenced in §222.71(n)(1)(ii), excluding a temporary initial rate that is lower than the rate that will apply after the temporary rate expires and a penalty rate that will apply upon the occurrence of one or more specific events, such as a late payment or an extension of credit that exceeds the credit limit; or

(ii) The credit card issuer offers the consumer the lowest annual percentage rate referenced in §222.71(n)(1)(ii) available under the credit card offer for which the consumer applied, even if a lower annual percentage rate referenced in §222.71(n)(1)(ii) is available under a different credit card offer issued by the card issuer.

(3) Examples. (i) A credit card issuer sends a solicitation to the consumer that discloses several possible purchase annual percentage rates that may apply, such as 10, 12, or 14 percent, or a range of purchase annual percentage rates from 10 to 14 percent. The consumer applies for a credit card in response to the solicitation. The card issuer provides a credit card to the consumer with a purchase annual percentage rate of 12 percent based in whole or in part on a consumer report. Unless an exception applies under §222.74, the card issuer may satisfy its obligations under paragraph (a) of this section by providing a risk-based pricing notice to the consumer because the consumer received credit at a purchase annual percentage rate greater than the lowest purchase annual percentage rate available under that solicitation.

(ii) The same facts as in the example in paragraph (c)(3)(i) of this section, except that the card issuer provides a credit card to the consumer at a purchase annual percentage rate of 10 percent. The card issuer is not required to provide a risk-based pricing notice to the consumer even if, under a different credit card solicitation, that consumer or other consumers might qualify for a purchase annual percentage rate of 8 percent.

(d) Account review—(1) In general. Except as otherwise provided in this subpart, a person is subject to the requirements of paragraph (a) of this section and must provide a risk-based pricing notice to a consumer in the form and manner required by this subpart if the person—

(i) Uses a consumer report in connection with a review of credit that has been extended to the consumer; and

(ii) Based in whole or in part on the consumer report, increases the annual percentage rate (the annual percentage rate referenced in §222.71(n)(1)(ii) in the case of a credit card).

(2) Example. A credit card issuer periodically obtains consumer reports for the purpose of reviewing the terms of credit it has extended to consumers in connection with credit cards. As a result of this review, the credit card issuer increases the purchase annual percentage rate applicable to a consumer's credit card based in whole or in part on information in a consumer report. The credit card issuer is subject to the requirements of paragraph (a) of this section and must provide a risk-based pricing notice to the consumer.

§222.73   Content, form, and timing of risk-based pricing notices.

(a) Content of the notice—(1) In general. The risk-based pricing notice required by §222.72(a) or (c) must include:

(i) A statement that a consumer report (or credit report) includes information about the consumer's credit history and the type of information included in that history;

(ii) A statement that the terms offered, such as the annual percentage rate, have been set based on information from a consumer report;

(iii) A statement that the terms offered may be less favorable than the terms offered to consumers with better credit histories;

(iv) A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;

(v) The identity of each consumer reporting agency that furnished a consumer report used in the credit decision;

(vi) A statement that federal law gives the consumer the right to obtain a copy of a consumer report from the consumer reporting agency or agencies identified in the notice without charge for 60 days after receipt of the notice;

(vii) A statement informing the consumer how to obtain a consumer report from the consumer reporting agency or agencies identified in the notice and providing contact information (including a toll-free telephone number, where applicable) specified by the consumer reporting agency or agencies;

(viii) A statement directing consumers to the Web sites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports; and

(ix) If a credit score of the consumer to whom a person grants, extends, or otherwise provides credit is used in setting the material terms of credit:

(A) A statement that a credit score is a number that takes into account information in a consumer report, that the consumer's credit score was used to set the terms of credit offered, and that a credit score can change over time to reflect changes in the consumer's credit history;

(B) The credit score used by the person in making the credit decision;

(C) The range of possible credit scores under the model used to generate the credit score;

(D) All of the key factors that adversely affected the credit score, which shall not exceed four key factors, except that if one of the key factors is the number of enquiries made with respect to the consumer report, the number of key factors shall not exceed five;

(E) The date on which the credit score was created; and

(F) The name of the consumer reporting agency or other person that provided the credit score.

(2) Account review. The risk-based pricing notice required by §222.72(d) must include:

(i) A statement that a consumer report (or credit report) includes information about the consumer's credit history and the type of information included in that credit history;

(ii) A statement that the person has conducted a review of the account using information from a consumer report;

(iii) A statement that as a result of the review, the annual percentage rate on the account has been increased based on information from a consumer report;

(iv) A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;

(v) The identity of each consumer reporting agency that furnished a consumer report used in the account review;

(vi) A statement that federal law gives the consumer the right to obtain a copy of a consumer report from the consumer reporting agency or agencies identified in the notice without charge for 60 days after receipt of the notice;

(vii) A statement informing the consumer how to obtain a consumer report from the consumer reporting agency or agencies identified in the notice and providing contact information (including a toll-free telephone number, where applicable) specified by the consumer reporting agency or agencies;

(viii) A statement directing consumers to the Web sites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports; and

(ix) If a credit score of the consumer whose extension of credit is under review is used in increasing the annual percentage rate:

(A) A statement that a credit score is a number that takes into account information in a consumer report, that the consumer's credit score was used to set the terms of credit offered, and that a credit score can change over time to reflect changes in the consumer's credit history;

(B) The credit score used by the person in making the credit decision;

(C) The range of possible credit scores under the model used to generate the credit score;

(D) All of the key factors that adversely affected the credit score, which shall not exceed four key factors, except that if one of the key factors is the number of enquiries made with respect to the consumer report, the number of key factors shall not exceed five;

(E) The date on which the credit score was created; and

(F) The name of the consumer reporting agency or other person that provided the credit score.

(b) Form of the notice—(1) In general. The risk-based pricing notice required by §222.72(a), (c), or (d) must be:

(i) Clear and conspicuous; and

(ii) Provided to the consumer in oral, written, or electronic form.

(2) Model forms. Model forms of the risk-based pricing notice required by §222.72(a) and (c) are contained in Appendices H-1 and H-6 of this part. Appropriate use of Model Form H-1 or H-6 is deemed to comply with the requirements of §222.72(a) and (c). Model forms of the risk-based pricing notice required by §222.72(d) are contained in Appendices H-2 and H-7 of this part. Appropriate use of Model Form H-2 or H-7 is deemed to comply with the requirements of §222.72(d). Use of the model forms is optional.

(c) Timing—(1) General. Except as provided in paragraph (c)(3) of this section, a risk-based pricing notice must be provided to the consumer—

(i) In the case of a grant, extension, or other provision of closed-end credit, before consummation of the transaction, but not earlier than the time the decision to approve an application for, or a grant, extension, or other provision of, credit, is communicated to the consumer by the person required to provide the notice;

(ii) In the case of credit granted, extended, or provided under an open-end credit plan, before the first transaction is made under the plan, but not earlier than the time the decision to approve an application for, or a grant, extension, or other provision of, credit is communicated to the consumer by the person required to provide the notice; or

(iii) In the case of a review of credit that has been extended to the consumer, at the time the decision to increase the annual percentage rate (annual percentage rate referenced in §222.71(n)(1)(ii) in the case of a credit card) based on a consumer report is communicated to the consumer by the person required to provide the notice, or if no notice of the increase in the annual percentage rate is provided to the consumer prior to the effective date of the change in the annual percentage rate (to the extent permitted by law), no later than five days after the effective date of the change in the annual percentage rate.

(2) Application to certain automobile lending transactions. When a person to whom a credit obligation is initially payable grants, extends, or provides credit to a consumer for the purpose of financing the purchase of an automobile from an auto dealer or other party that is not affiliated with the person, any requirement to provide a risk-based pricing notice pursuant to this subpart is satisfied if the person:

(i) Provides a notice described in §§222.72(a), 222.74(e), or 222.74(f) to the consumer within the time periods set forth in paragraph (c)(1)(i) of this section, §222.74(e)(3), or §222.74(f)(4), as applicable; or

(ii) Arranges to have the auto dealer or other party provide a notice described in §§222.72(a), 222.74(e), or 222.74(f) to the consumer on its behalf within the time periods set forth in paragraph (c)(1)(i) of this section, §222.74(e)(3), or §222.74(f)(4), as applicable, and maintains reasonable policies and procedures to verify that the auto dealer or other party provides such notice to the consumer within the applicable time periods. If the person arranges to have the auto dealer or other party provide a notice described in §222.74(e), the person's obligation is satisfied if the consumer receives a notice containing a credit score obtained by the dealer or other party, even if a different credit score is obtained and used by the person on whose behalf the notice is provided.

(3) Timing requirements for contemporaneous purchase credit. When credit under an open-end credit plan is granted, extended, or provided to a consumer in person or by telephone for the purpose of financing the contemporaneous purchase of goods or services, any risk-based pricing notice required to be provided pursuant to this subpart (or the disclosures permitted under §222.74(e) or (f)) may be provided at the earlier of:

(i) The time of the first mailing by the person to the consumer after the decision is made to approve the grant, extension, or other provision of open-end credit, such as in a mailing containing the account agreement or a credit card; or

(ii) Within 30 days after the decision to approve the grant, extension, or other provision of credit.

(d) Multiple credit scores—(1) In general. When a person obtains or creates two or more credit scores and uses one of those credit scores in setting the material terms of credit, for example, by using the low, middle, high, or most recent score, the notices described in paragraphs (a)(1) and (2) of this section must include that credit score and information relating to that credit score required by paragraphs (a)(1)(ix) and (a)(2)(ix). When a person obtains or creates two or more credit scores and uses multiple credit scores in setting the material terms of credit by, for example, computing the average of all the credit scores obtained or created, the notices described in paragraphs (a)(1) and (2) of this section must include one of those credit scores and information relating to credit scores required by paragraphs (a)(1)(ix) and (a)(2)(ix). The notice may, at the person's option, include more than one credit score, along with the additional information specified in paragraphs (a)(1)(ix) and (a)(2)(ix) of this section for each credit score disclosed.

(2) Examples. (i) A person that uses consumer reports to set the material terms of credit cards granted, extended, or provided to consumers regularly requests credit scores from several consumer reporting agencies and uses the low score when determining the material terms it will offer to the consumer. That person must disclose the low score in the notices described in paragraphs (a)(1) and (2) of this section.

(ii) A person that uses consumer reports to set the material terms of automobile loans granted, extended, or provided to consumers regularly requests credit scores from several consumer reporting agencies, each of which it uses in an underwriting program in order to determine the material terms it will offer to the consumer. That person may choose one of these scores to include in the notices described in paragraph (a)(1) and (2) of this section.

[75 FR 2752, Jan. 15, 2010, as amended at 76 FR 41616, July 15, 2011]

§222.74   Exceptions.

(a) Application for specific terms—(1) In general. A person is not required to provide a risk-based pricing notice to the consumer under §222.72(a) or (c) if the consumer applies for specific material terms and is granted those terms, unless those terms were specified by the person using a consumer report after the consumer applied for or requested credit and after the person obtained the consumer report. For purposes of this section, “specific material terms” means a single material term, or set of material terms, such as an annual percentage rate of 10 percent, and not a range of alternatives, such as an annual percentage rate that may be 8, 10, or 12 percent, or between 8 and 12 percent.

(2) Example. A consumer receives a firm offer of credit from a credit card issuer. The terms of the firm offer are based in whole or in part on information from a consumer report that the credit card issuer obtained under the FCRA's firm offer of credit provisions. The solicitation offers the consumer a credit card with a single purchase annual percentage rate of 12 percent. The consumer applies for and receives a credit card with an annual percentage rate of 12 percent. Other customers with the same credit card have a purchase annual percentage rate of 10 percent. The exception applies because the consumer applied for specific material terms and was granted those terms. Although the credit card issuer specified the annual percentage rate in the firm offer of credit based in whole or in part on a consumer report, the credit card issuer specified that material term before, not after, the consumer applied for or requested credit.

(b) Adverse action notice. A person is not required to provide a risk-based pricing notice to the consumer under §222.72(a), (c), or (d) if the person provides an adverse action notice to the consumer under section 615(a) of the FCRA.

(c) Prescreened solicitations—(1) In general. A person is not required to provide a risk-based pricing notice to the consumer under §222.72(a) or (c) if the person:

(i) Obtains a consumer report that is a prescreened list as described in section 604(c)(2) of the FCRA; and

(ii) Uses the consumer report for the purpose of making a firm offer of credit to the consumer.

(2) More favorable material terms. This exception applies to any firm offer of credit offered by a person to a consumer, even if the person makes other firm offers of credit to other consumers on more favorable material terms.

(3) Example. A credit card issuer obtains two prescreened lists from a consumer reporting agency. One list includes consumers with high credit scores. The other list includes consumers with low credit scores. The issuer mails a firm offer of credit to the high credit score consumers with a single purchase annual percentage rate of 10 percent. The issuer also mails a firm offer of credit to the low credit score consumers with a single purchase annual percentage rate of 14 percent. The credit card issuer is not required to provide a risk-based pricing notice to the low credit score consumers who receive the 14 percent offer because use of a consumer report to make a firm offer of credit does not trigger the risk-based pricing notice requirement.

(d) Loans secured by residential real property—credit score disclosure. (1) In general. A person is not required to provide a risk-based pricing notice to a consumer under §222.72(a) or (c) if:

(i) The consumer requests from the person an extension of credit that is or will be secured by one to four units of residential real property; and

(ii) The person provides to each consumer described in paragraph (d)(1)(i) of this section a notice that contains the following—

(A) A statement that a consumer report (or credit report) is a record of the consumer's credit history and includes information about whether the consumer pays his or her obligations on time and how much the consumer owes to creditors;

(B) A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time to reflect changes in the consumer's credit history;

(C) A statement that the consumer's credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;

(D) The information required to be disclosed to the consumer pursuant to section 609(g) of the FCRA;

(E) The distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer's credit score using the same scale as that of the credit score that is provided to the consumer, presented in the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar or by other clear and readily understandable graphical means, or a clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers. Use of a graph or statement obtained from the person providing the credit score that meets the requirements of this paragraph (d)(1)(ii)(E) is deemed to comply with this requirement;

(F) A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;

(G) A statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free report from each of the nationwide consumer reporting agencies once during any 12-month period;

(H) Contact information for the centralized source from which consumers may obtain their free annual consumer reports; and

(I) A statement directing consumers to the Web sites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports.

(2) Form of the notice. The notice described in paragraph (d)(1)(ii) of this section must be:

(i) Clear and conspicuous;

(ii) Provided on or with the notice required by section 609(g) of the FCRA;

(iii) Segregated from other information provided to the consumer, except for the notice required by section 609(g) of the FCRA; and

(iv) Provided to the consumer in writing and in a form that the consumer may keep.

(3) Timing. The notice described in paragraph (d)(1)(ii) of this section must be provided to the consumer at the time the disclosure required by section 609(g) of the FCRA is provided to the consumer, but in any event at or before consummation in the case of closed-end credit or before the first transaction is made under an open-end credit plan.

(4) Multiple credit scores—(i) In General. When a person obtains two or more credit scores from consumer reporting agencies and uses one of those credit scores in setting the material terms of credit granted, extended, or otherwise provided to a consumer, for example, by using the low, middle, high, or most recent score, the notice described in paragraph (d)(1)(ii) of this section must include that credit score and the other information required by that paragraph. When a person obtains two or more credit scores from consumer reporting agencies and uses multiple credit scores in setting the material terms of credit granted, extended, or otherwise provided to a consumer, for example, by computing the average of all the credit scores obtained, the notice described in paragraph (d)(1)(ii) of this section must include one of those credit scores and the other information required by that paragraph. The notice may, at the person's option, include more than one credit score, along with the additional information specified in paragraph (d)(1)(ii) of this section for each credit score disclosed.

(ii) Examples. (A) A person that uses consumer reports to set the material terms of mortgage credit granted, extended, or provided to consumers regularly requests credit scores from several consumer reporting agencies and uses the low score when determining the material terms it will offer to the consumer. That person must disclose the low score in the notice described in paragraph (d)(1)(ii) of this section.

(B) A person that uses consumer reports to set the material terms of mortgage credit granted, extended, or provided to consumers regularly requests credit scores from several consumer reporting agencies, each of which it uses in an underwriting program in order to determine the material terms it will offer to the consumer. That person may choose one of these scores to include in the notice described in paragraph (d)(1)(ii) of this section.

(5) Model form. A model form of the notice described in paragraph (d)(1)(ii) of this section consolidated with the notice required by section 609(g) of the FCRA is contained in Appendix H-3 of this part. Appropriate use of Model Form H-3 is deemed to comply with the requirements of §222.74(d). Use of the model form is optional.

(e) Other extensions of credit—credit score disclosure—(1) In general. A person is not required to provide a risk-based pricing notice to a consumer under §222.72(a) or (c) if:

(i) The consumer requests from the person an extension of credit other than credit that is or will be secured by one to four units of residential real property; and

(ii) The person provides to each consumer described in paragraph (e)(1)(i) of this section a notice that contains the following—

(A) A statement that a consumer report (or credit report) is a record of the consumer's credit history and includes information about whether the consumer pays his or her obligations on time and how much the consumer owes to creditors;

(B) A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time to reflect changes in the consumer's credit history;

(C) A statement that the consumer's credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;

(D) The current credit score of the consumer or the most recent credit score of the consumer that was previously calculated by the consumer reporting agency for a purpose related to the extension of credit;

(E) The range of possible credit scores under the model used to generate the credit score;

(F) The distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer's credit score using the same scale as that of the credit score that is provided to the consumer, presented in the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar, or by other clear and readily understandable graphical means, or a clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers. Use of a graph or statement obtained from the person providing the credit score that meets the requirements of this paragraph (e)(1)(ii)(F) is deemed to comply with this requirement;

(G) The date on which the credit score was created;

(H) The name of the consumer reporting agency or other person that provided the credit score;

(I) A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;

(J) A statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free report from each of the nationwide consumer reporting agencies once during any 12-month period;

(K) Contact information for the centralized source from which consumers may obtain their free annual consumer reports; and

(L) A statement directing consumers to the web sites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports.

(2) Form of the notice. The notice described in paragraph (e)(1)(ii) of this section must be:

(i) Clear and conspicuous;

(ii) Segregated from other information provided to the consumer; and

(iii) Provided to the consumer in writing and in a form that the consumer may keep.

(3) Timing. The notice described in paragraph (e)(1)(ii) of this section must be provided to the consumer as soon as reasonably practicable after the credit score has been obtained, but in any event at or before consummation in the case of closed-end credit or before the first transaction is made under an open-end credit plan.

(4) Multiple credit scores—(i) In General. When a person obtains two or more credit scores from consumer reporting agencies and uses one of those credit scores in setting the material terms of credit granted, extended, or otherwise provided to a consumer, for example, by using the low, middle, high, or most recent score, the notice described in paragraph (e)(1)(ii) of this section must include that credit score and the other information required by that paragraph. When a person obtains two or more credit scores from consumer reporting agencies and uses multiple credit scores in setting the material terms of credit granted, extended, or otherwise provided to a consumer, for example, by computing the average of all the credit scores obtained, the notice described in paragraph (e)(1)(ii) of this section must include one of those credit scores and the other information required by that paragraph. The notice may, at the person's option, include more than one credit score, along with the additional information specified in paragraph (e)(1)(ii) of this section for each credit score disclosed.

(ii) Examples. The manner in which multiple credit scores are to be disclosed under this section is substantially identical to the manner set forth in the examples contained in paragraph (d)(4)(ii) of this section.

(5) Model form. A model form of the notice described in paragraph (e)(1)(ii) of this section is contained in Appendix H-4 of this part. Appropriate use of Model Form H-4 is deemed to comply with the requirements of §222.74(e). Use of the model form is optional.

(f) Credit score not available—(1) In general. A person is not required to provide a risk-based pricing notice to a consumer under §222.72(a) or (c) if the person:

(i) Regularly obtains credit scores from a consumer reporting agency and provides credit score disclosures to consumers in accordance with paragraphs (d) or (e) of this section, but a credit score is not available from the consumer reporting agency from which the person regularly obtains credit scores for a consumer to whom the person grants, extends, or provides credit;

(ii) Does not obtain a credit score from another consumer reporting agency in connection with granting, extending, or providing credit to the consumer; and

(iii) Provides to the consumer a notice that contains the following—

(A) A statement that a consumer report (or credit report) includes information about the consumer's credit history and the type of information included in that history;

(B) A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time in response to changes in the consumer's credit history;

(C) A statement that credit scores are important because consumers with higher credit scores generally obtain more favorable credit terms;

(D) A statement that not having a credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;

(E) A statement that a credit score about the consumer was not available from a consumer reporting agency, which must be identified by name, generally due to insufficient information regarding the consumer's credit history;

(F) A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the consumer report;

(G) A statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free consumer report from each of the nationwide consumer reporting agencies once during any 12-month period;

(H) The contact information for the centralized source from which consumers may obtain their free annual consumer reports; and

(I) A statement directing consumers to the web sites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports.

(2) Example. A person that uses consumer reports to set the material terms of non-mortgage credit granted, extended, or provided to consumers regularly requests credit scores from a particular consumer reporting agency and provides those credit scores and additional information to consumers to satisfy the requirements of paragraph (e) of this section. That consumer reporting agency provides to the person a consumer report on a particular consumer that contains one trade line, but does not provide the person with a credit score on that consumer. If the person does not obtain a credit score from another consumer reporting agency and, based in whole or in part on information in a consumer report, grants, extends, or provides credit to the consumer, the person may provide the notice described in paragraph (f)(1)(iii) of this section. If, however, the person obtains a credit score from another consumer reporting agency, the person may not rely upon the exception in paragraph (f) of this section, but may satisfy the requirements of paragraph (e) of this section.

(3) Form of the notice. The notice described in paragraph (f)(1)(iii) of this section must be:

(i) Clear and conspicuous;

(ii) Segregated from other information provided to the consumer; and

(iii) Provided to the consumer in writing and in a form that the consumer may keep.

(4) Timing. The notice described in paragraph (f)(1)(iii) of this section must be provided to the consumer as soon as reasonably practicable after the person has requested the credit score, but in any event not later than consummation of a transaction in the case of closed-end credit or when the first transaction is made under an open-end credit plan.

(5) Model form. A model form of the notice described in paragraph (f)(1)(iii) of this section is contained in Appendix H-5 of this part. Appropriate use of Model Form H-5 is deemed to comply with the requirements of §222.74(f). Use of the model form is optional.

§222.75   Rules of construction.

For purposes of this subpart, the following rules of construction apply:

(a) One notice per credit extension. A consumer is entitled to no more than one risk-based pricing notice under §222.72(a) or (c), or one notice under §222.74(d), (e), or (f), for each grant, extension, or other provision of credit. Notwithstanding the foregoing, even if a consumer has previously received a risk-based pricing notice in connection with a grant, extension, or other provision of credit, another risk-based pricing notice is required if the conditions set forth in §222.72(d) have been met.

(b) Multi-party transactions—(1) Initial creditor. The person to whom a credit obligation is initially payable must provide the risk-based pricing notice described in §222.72(a) or (c), or satisfy the requirements for and provide the notice required under one of the exceptions in §222.74(d), (e), or (f), even if that person immediately assigns the credit agreement to a third party and is not the source of funding for the credit.

(2) Purchasers or assignees. A purchaser or assignee of a credit contract with a consumer is not subject to the requirements of this subpart and is not required to provide the risk-based pricing notice described in §222.72(a) or (c), or satisfy the requirements for and provide the notice required under one of the exceptions in §222.74(d), (e), or (f).

(3) Examples. (i) A consumer obtains credit to finance the purchase of an automobile. If the auto dealer is the person to whom the loan obligation is initially payable, such as where the auto dealer is the original creditor under a retail installment sales contract, the auto dealer must provide the risk-based pricing notice to the consumer (or satisfy the requirements for and provide the notice required under one of the exceptions noted above), even if the auto dealer immediately assigns the loan to a bank or finance company. The bank or finance company, which is an assignee, has no duty to provide a risk-based pricing notice to the consumer.

(ii) A consumer obtains credit to finance the purchase of an automobile. If a bank or finance company is the person to whom the loan obligation is initially payable, the bank or finance company must provide the risk-based pricing notice to the consumer (or satisfy the requirements for and provide the notice required under one of the exceptions noted above) based on the terms offered by that bank or finance company only. The auto dealer has no duty to provide a risk-based pricing notice to the consumer. However, the bank or finance company may comply with this rule if the auto dealer has agreed to provide notices to consumers before consummation pursuant to an arrangement with the bank or finance company, as permitted under §222.73(c).

(c) Multiple consumers—(1) Risk-based pricing notices. In a transaction involving two or more consumers who are granted, extended, or otherwise provided credit, a person must provide a notice to each consumer to satisfy the requirements of §222.72(a) or (c). Whether the consumers have the same address or not, the person must provide a separate notice to each consumer if a notice includes a credit score(s). Each separate notice that includes a credit score(s) must contain only the credit score(s) of the consumer to whom the notice is provided, and not the credit score(s) of the other consumer. If the consumers have the same address, and the notice does not include a credit score(s), a person may satisfy the requirements by providing a single notice addressed to both consumers.

(2) Credit score disclosure notices. In a transaction involving two or more consumers who are granted, extended, or otherwise provided credit, a person must provide a separate notice to each consumer to satisfy the exceptions in §222.74(d), (e), or (f). Whether the consumers have the same address or not, the person must provide a separate notice to each consumer. Each separate notice must contain only the credit score(s) of the consumer to whom the notice is provided, and not the credit score(s) of the other consumer.

(3) Examples. (i) Two consumers jointly apply for credit with a creditor. The creditor obtains credit scores on both consumers. Based in part on the credit scores, the creditor grants credit to the consumers on material terms that are materially less favorable than the most favorable terms available to other consumers from the creditor. The creditor provides risk-based pricing notices to satisfy its obligations under this subpart. The creditor must provide a separate risk-based pricing notice to each consumer whether the consumers have the same address or not. Each risk-based pricing notice must contain only the credit score(s) of the consumer to whom the notice is provided.

(ii) Two consumers jointly apply for credit with a creditor. The two consumers reside at the same address. The creditor obtains credit scores on each of the two consumer applicants. The creditor grants credit to the consumers. The creditor provides credit score disclosure notices to satisfy its obligations under this subpart. Even though the two consumers reside at the same address, the creditor must provide a separate credit score disclosure notice to each of the consumers. Each notice must contain only the credit score of the consumer to whom the notice is provided.

[75 FR 2752, Jan. 15, 2010, as amended at 76 FR 41617, July 15, 2011]

Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft

Source: 69 FR 77618, Dec. 28, 2004, unless otherwise noted.

§§222.80-222.81   [Reserved]

§222.82   Duties of users regarding address discrepancies.

(a) Scope. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency described in 15 U.S.C. 1681a(p), and that is a member bank of the Federal Reserve System (other than a national bank) and its respective operating subsidiaries, a branch or agency of a foreign bank (other than a Federal branch, Federal agency, or insured State branch of a foreign bank), commercial lending company owned or controlled by a foreign bank, and an organization operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency described in 15 U.S.C. 1681a(p) pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.

(c) Reasonable belief—(1) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.

(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:

(A) Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);

(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or

(C) Obtains from third-party sources; or

(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

(d) Consumer's address—(1) Requirement to furnish consumer's address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency described in 15 U.S.C. 1681a(p) from whom it received the notice of address discrepancy when the user:

(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;

(ii) Establishes a continuing relationship with the consumer; and

(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.

(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:

(i) Verifying the address with the consumer about whom it has requested the report;

(ii) Reviewing its own records to verify the address of the consumer;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency described in 15 U.S.C. 1681a(p) as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

[Reg. V, 72 FR 63756, Nov. 9, 2007, as amended at 74 FR 22642, May 14, 2009]

§222.83   Disposal of consumer information.

(a) Definitions as used in this section. (1) You means member banks of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and agencies of foreign banks (other than Federal branches, Federal agencies and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., 611 et seq.).

(b) In general. You must properly dispose of any consumer information that you maintain or otherwise possess in accordance with the Interagency Guidelines Establishing Information Security Standards, as required under sections 208.3(d) (Regulation H), 211.5(l) and 211.24(i) (Regulation K) of this chapter, to the extent that you are covered by the scope of the Guidelines.

(c) Rule of construction. Nothing in this section shall be construed to:

(1) Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or

(2) Alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.

Subpart J—Identity Theft Red Flags

Source: Reg. V, 72 FR 63758, Nov. 9, 2007, unless otherwise noted.

§222.90   Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Scope. This section applies to financial institutions and creditors that are member banks of the Federal Reserve System (other than national banks) and their respective operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act, as amended (12 U.S.C. 1844(c)(5)), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).

(b) Definitions. For purposes of this section and appendix J, the following definitions apply:

(1) Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:

(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and

(ii) A deposit account.

(2) The term board of directors includes:

(i) In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and

(ii) In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.

(3) Covered account means:

(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and

(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).

(5) Creditor has the same meaning as in 15 U.S.C. 1681m(e)(4).

(6) Customer means a person that has a covered account with a financial institution or creditor.

(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).

(8) Identity theft has the same meaning as in 16 CFR 603.2(a).

(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

(10) Service provider means a person that provides a service directly to the financial institution or creditor.

(c) Periodic Identification of Covered Accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:

(1) The methods it provides to open its accounts;

(2) The methods it provides to access its accounts; and

(3) Its previous experiences with identity theft.

(d) Establishment of an Identity Theft Prevention Program—(1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

(2) Elements of the Program. The Program must include reasonable policies and procedures to:

(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;

(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;

(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and

(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

(e) Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:

(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;

(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;

(3) Train staff, as necessary, to effectively implement the Program; and

(4) Exercise appropriate and effective oversight of service provider arrangements.

(f) Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in appendix J of this part and include in its Program those guidelines that are appropriate.

[Reg. V, 72 FR 63758, Nov. 9, 2007, as amended at 74 FR 22642, May 14, 2009; 79 FR 30711, May 29, 2014]

§222.91   Duties of card issuers regarding changes of address.

(a) Scope. This section applies to a person described in §222.90(a) that issues a debit or credit card (card issuer).

(b) Definitions. For purposes of this section:

(1) Cardholder means a consumer who has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1)(i) Notifies the cardholder of the request:

(A) At the cardholder's former address; or

(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and

(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or

(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to §222.90 of this part.

(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.

(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendix A to Part 222 [Reserved]

Appendix B to Part 222—Model Notices of Furnishing Negative Information

a. Although use of the model notices is not required, a financial institution that is subject to section 623(a)(7) of the FCRA shall be deemed to be in compliance with the notice requirement in section 623(a)(7) of the FCRA if the institution properly uses the model notices in this appendix (as applicable).

b. A financial institution may use Model Notice B-1 if the institution provides the notice prior to furnishing negative information to a nationwide consumer reporting agency.

c. A financial institution may use Model Notice B-2 if the institution provides the notice after furnishing negative information to a nationwide consumer reporting agency.

d. Financial institutions may make certain changes to the language or format of the model notices without losing the safe harbor from liability provided by the model notices. The changes to the model notices may not be so extensive as to affect the substance, clarity, or meaningful sequence of the language in the model notices. Financial institutions making such extensive revisions will lose the safe harbor from liability that this appendix provides. Acceptable changes include, for example:

1. Rearranging the order of the references to “late payment(s),” or “missed payment(s)”

2. Pluralizing the terms “credit bureau,” “credit report,” and “account”

3. Specifying the particular type of account on which information may be furnished, such as “credit card account”

4. Rearranging in Model Notice B-1 the phrases “information about your account” and “to credit bureaus” such that it would read “We may report to credit bureaus information about your account.”

Model Notice B-1

We may report information about your account to credit bureaus. Late payments, missed payments, or other defaults on your account may be reflected in your credit report.

Model Notice B-2

We have told a credit bureau about a late payment, missed payment or other default on your account. This information may be reflected in your credit report.

[69 FR 33285, June 15, 2004]

Appendix C to Part 222—Model Forms for Opt-Out Notices

a. Although use of the model forms is not required, use of the model forms in this appendix (as applicable) complies with the requirement in section 624 of the Act for clear, conspicuous, and concise notices.

b. Certain changes may be made to the language or format of the model forms without losing the protection from liability afforded by use of the model forms. These changes may not be so extensive as to affect the substance, clarity, or meaningful sequence of the language in the model forms. Persons making such extensive revisions will lose the safe harbor that this appendix provides. Acceptable changes include, for example:

1. Rearranging the order of the references to “your income,” “your account history,” and “your credit score.”

2. Substituting other types of information for “income,” “account history,” or “credit score” for accuracy, such as “payment history,” “credit history,” “payoff status,” or “claims history.”

3. Substituting a clearer and more accurate description of the affiliates providing or covered by the notice for phrases such as “the [ABC] group of companies,” including without limitation a statement that the entity providing the notice recently purchased the consumer's account.

4. Substituting other types of affiliates covered by the notice for “credit card,” “insurance,” or “securities” affiliates.

5. Omitting items that are not accurate or applicable. For example, if a person does not limit the duration of the opt-out period, the notice may omit information about the renewal notice.

6. Adding a statement informing consumers how much time they have to opt out before shared eligibility information may be used to make solicitations to them.

7. Adding a statement that the consumer may exercise the right to opt out at any time.

8. Adding the following statement, if accurate: “If you previously opted out, you do not need to do so again.”

9. Providing a place on the form for the consumer to fill in identifying information, such as his or her name and address.

10. Adding disclosures regarding the treatment of opt-outs by joint consumers to comply with §222.23(a)(2) of this part.

C-1 Model Form for Initial Opt-out Notice (Single-Affiliate Notice)

C-2 Model Form for Initial Opt-out Notice (Joint Notice)

C-3 Model Form for Renewal Notice (Single-Affiliate Notice)

C-4 Model Form for Renewal Notice (Joint Notice)

C-5 Model Form for Voluntary “No Marketing” Notice

C-6 Model Form for Voluntary “No Marketing” Notice

C-1—Model Form for Initial Opt-out Notice (Single-Affiliate Notice)—[Your Choice To Limit Marketing]/[Marketing Opt-out]

  [Name of Affiliate] is providing this notice.

  [Optional: Federal law gives you the right to limit some but not all marketing from our affiliates. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from our affiliates.]

  You may limit our affiliates in the [ABC] group of companies, such as our [credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that we collect and share with them. This information includes your [income], your [account history with us], and your [credit score].

  Your choice to limit marketing offers from our affiliates will apply [until you tell us to change your choice]/[for x years from when you tell us your choice]/[for at least 5 years from when you tell us your choice]. [Include if the opt-out period expires.] Once that period expires, you will receive a renewal notice that will allow you to continue to limit marketing offers from our affiliates for [another x years]/[at least another 5 years].

  [Include, if applicable, in a subsequent notice, including an annual notice, for consumers who may have previously opted out.] If you have already made a choice to limit marketing offers from our affiliates, you do not need to act again until you receive the renewal notice.

To limit marketing offers, contact us [include all that apply]:

  By telephone: 1-877-###-####

  On the Web: www.—.com

  By mail: Check the box and complete the form below, and send the form to:

[Company name]

[Company address]

_Do not allow your affiliates to use my personal information to market to me.

C-2—Model Form for Initial Opt-out Notice (Joint Notice)—[Your Choice To Limit Marketing]/[Marketing Opt-out]

  The [ABC group of companies] is providing this notice.

  [Optional: Federal law gives you the right to limit some but not all marketing from the [ABC] companies. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from the [ABC] companies.]

  You may limit the [ABC] companies, such as the [ABC credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that they receive from other [ABC] companies. This information includes your [income], your [account history], and your [credit score].

  Your choice to limit marketing offers from the [ABC] companies will apply [until you tell us to change your choice]/[for x years from when you tell us your choice]/[for at least 5 years from when you tell us your choice]. [Include if the opt-out period expires.] Once that period expires, you will receive a renewal notice that will allow you to continue to limit marketing offers from the [ABC] companies for [another x years]/[at least another 5 years].

  [Include, if applicable, in a subsequent notice, including an annual notice, for consumers who may have previously opted out.] If you have already made a choice to limit marketing offers from the [ABC] companies, you do not need to act again until you receive the renewal notice.

To limit marketing offers, contact us [include all that apply]:

  By telephone: 1-877-###-####

  On the Web: www.—.com

  By mail: Check the box and complete the form below, and send the form to:

[Company name]

[Company address]

_Do not allow any company [in the ABC group of companies] to use my personal information to market to me.

C-3—Model Form for Renewal Notice (Single-Affiliate Notice)—[Renewing Your Choice To Limit Marketing]/[Renewing Your Marketing Opt-Out]

  [Name of Affiliate] is providing this notice.

  [Optional: Federal law gives you the right to limit some but not all marketing from our affiliates. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from our affiliates.]

  You previously chose to limit our affiliates in the [ABC] group of companies, such as our [credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that we share with them. This information includes your [income], your [account history with us], and your [credit score].

  Your choice has expired or is about to expire.

To renew your choice to limit marketing for [x] more years, contact us [include all that apply]:

  By telephone: 1-877-###-####

  On the Web: www.—.com

  By mail: Check the box and complete the form below, and send the form to:

[Company name]

[Company address]

_Renew my choice to limit marketing for [x] more years.

C-4—Model Form for Renewal Notice (Joint Notice)—[Renewing Your Choice To Limit Marketing]/[Renewing Your Marketing Opt-Out]

  The [ABC group of companies] is providing this notice.

  [Optional: Federal law gives you the right to limit some but not all marketing from the [ABC] companies. Federal law also requires us to give you this notice to tell you about your choice to limit marketing from the [ABC] companies.]

  You previously chose to limit the [ABC] companies, such as the [ABC credit card, insurance, and securities] affiliates, from marketing their products or services to you based on your personal information that they receive from other ABC companies. This information includes your [income], your [account history], and your [credit score].

  Your choice has expired or is about to expire.

To renew your choice to limit marketing for [x] more years, contact us [include all that apply]:

  By telephone: 1-877-###-####

  On the Web: www.—.com

  By mail: Check the box and complete the form below, and send the form to:

[Company name]

[Company address]

_Renew my choice to limit marketing for [x] more years.

C-5—Model Form for Voluntary “No Marketing” Notice

Your Choice To Stop Marketing

  [Name of Affiliate] is providing this notice.

  You may choose to stop all marketing from us and our affiliates.

  [Your choice to stop marketing from us and our affiliates will apply until you tell us to change your choice.]

To stop all marketing, contact us [include all that apply]:

  By telephone: 1-877-###-####

  On the Web: www.—.com

  By mail: Check the box and complete the form below, and send the form to:

[Company name]

[Company address]

_Do not market to me.

[Reg. V, 72 FR 62962, Nov. 7, 2007, as amended at 74 FR 22642, May 14, 2009]

Appendix D to Part 222 [Reserved]

Appendix E to Part 222—Interagency Guidelines Concerning the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies

The Board encourages voluntary furnishing of information to consumer reporting agencies. Section 222.42 of this part requires each furnisher to establish and implement reasonable written policies and procedures concerning the accuracy and integrity of the information it furnishes to consumer reporting agencies. Under §222.42(b) of this part, a furnisher must consider the guidelines set forth below in developing its policies and procedures. In establishing these policies and procedures, a furnisher may include any of its existing policies and procedures that are relevant and appropriate. Section 222.42(c) requires each furnisher to review its policies and procedures periodically and update them as necessary to ensure their continued effectiveness.

I. Nature, Scope, and Objectives of Policies and Procedures

(a) Nature and Scope. Section 222.42(a) of this part requires that a furnisher's policies and procedures be appropriate to the nature, size, complexity, and scope of the furnisher's activities. In developing its policies and procedures, a furnisher should consider, for example:

(1) The types of business activities in which the furnisher engages;

(2) The nature and frequency of the information the furnisher provides to consumer reporting agencies; and

(3) The technology used by the furnisher to furnish information to consumer reporting agencies.

(b) Objectives. A furnisher's policies and procedures should be reasonably designed to promote the following objectives:

(1) To furnish information about accounts or other relationships with a consumer that is accurate, such that the furnished information:

(i) Identifies the appropriate consumer;

(ii) Reflects the terms of and liability for those accounts or other relationships; and

(iii) Reflects the consumer's performance and other conduct with respect to the account or other relationship;

(2) To furnish information about accounts or other relationships with a consumer that has integrity, such that the furnished information:

(i) Is substantiated by the furnisher's records at the time it is furnished;

(ii) Is furnished in a form and manner that is designed to minimize the likelihood that the information may be incorrectly reflected in a consumer report; thus, the furnished information should:

(A) Include appropriate identifying information about the consumer to whom it pertains; and

(B) Be furnished in a standardized and clearly understandable form and manner and with a date specifying the time period to which the information pertains; and

(iii) Includes the credit limit, if applicable and in the furnisher's possession;

(3) To conduct reasonable investigations of consumer disputes and take appropriate actions based on the outcome of such investigations; and

(4) To update the information it furnishes as necessary to reflect the current status of the consumer's account or other relationship, including, for example:

(i) Any transfer of an account (e.g., by sale or assignment for collection) to a third party; and

(ii) Any cure of the consumer's failure to abide by the terms of the account or other relationship.

II. Establishing and Implementing Policies and Procedures

In establishing and implementing its policies and procedures, a furnisher should:

(a) Identify practices or activities of the furnisher that can compromise the accuracy or integrity of information furnished to consumer reporting agencies, such as by:

(1) Reviewing its existing practices and activities, including the technological means and other methods it uses to furnish information to consumer reporting agencies and the frequency and timing of its furnishing of information;

(2) Reviewing its historical records relating to accuracy or integrity or to disputes; reviewing other information relating to the accuracy or integrity of information provided by the furnisher to consumer reporting agencies; and considering the types of errors, omissions, or other problems that may have affected the accuracy or integrity of information it has furnished about consumers to consumer reporting agencies;

(3) Considering any feedback received from consumer reporting agencies, consumers, or other appropriate parties;

(4) Obtaining feedback from the furnisher's staff; and

(5) Considering the potential impact of the furnisher's policies and procedures on consumers.

(b) Evaluate the effectiveness of existing policies and procedures of the furnisher regarding the accuracy and integrity of information furnished to consumer reporting agencies; consider whether new, additional, or different policies and procedures are necessary; and consider whether implementation of existing policies and procedures should be modified to enhance the accuracy and integrity of information about consumers furnished to consumer reporting agencies.

(c) Evaluate the effectiveness of specific methods (including technological means) the furnisher uses to provide information to consumer reporting agencies; how those methods may affect the accuracy and integrity of the information it provides to consumer reporting agencies; and whether new, additional, or different methods (including technological means) should be used to provide information to consumer reporting agencies to enhance the accuracy and integrity of that information.

III. Specific Components of Policies and Procedures

In developing its policies and procedures, a furnisher should address the following, as appropriate:

(a) Establishing and implementing a system for furnishing information about consumers to consumer reporting agencies that is appropriate to the nature, size, complexity, and scope of the furnisher's business operations.

(b) Using standard data reporting formats and standard procedures for compiling and furnishing data, where feasible, such as the electronic transmission of information about consumers to consumer reporting agencies.

(c) Maintaining records for a reasonable period of time, not less than any applicable recordkeeping requirement, in order to substantiate the accuracy of any information about consumers it furnishes that is subject to a direct dispute.

(d) Establishing and implementing appropriate internal controls regarding the accuracy and integrity of information about consumers furnished to consumer reporting agencies, such as by implementing standard procedures and verifying random samples of information provided to consumer reporting agencies.

(e) Training staff that participates in activities related to the furnishing of information about consumers to consumer reporting agencies to implement the policies and procedures.

(f) Providing for appropriate and effective oversight of relevant service providers whose activities may affect the accuracy or integrity of information about consumers furnished to consumer reporting agencies to ensure compliance with the policies and procedures.

(g) Furnishing information about consumers to consumer reporting agencies following mergers, portfolio acquisitions or sales, or other acquisitions or transfers of accounts or other obligations in a manner that prevents re-aging of information, duplicative reporting, or other problems that may similarly affect the accuracy or integrity of the information furnished.

(h) Deleting, updating, and correcting information in the furnisher's records, as appropriate, to avoid furnishing inaccurate information.

(i) Conducting reasonable investigations of disputes.

(j) Designing technological and other means of communication with consumer reporting agencies to prevent duplicative reporting of accounts, erroneous association of information with the wrong consumer(s), and other occurrences that may compromise the accuracy or integrity of information provided to consumer reporting agencies.

(k) Providing consumer reporting agencies with sufficient identifying information in the furnisher's possession about each consumer about whom information is furnished to enable the consumer reporting agency properly to identify the consumer.

(l) Conducting a periodic evaluation of its own practices, consumer reporting agency practices of which the furnisher is aware, investigations of disputed information, corrections of inaccurate information, means of communication, and other factors that may affect the accuracy or integrity of information furnished to consumer reporting agencies.

(m) Complying with applicable requirements under the Fair Credit Reporting Act and its implementing regulations.

[Reg. V, 74 FR 31516, July 1, 2009]

Appendixes F-G to Part 222 [Reserved]

Appendix H to Part 222—Appendix H—Model Forms for Risk-Based Pricing and Credit Score Disclosure Exception Notices

1. This appendix contains four model forms for risk-based pricing notices and three model forms for use in connection with the credit score disclosure exceptions. Each of the model forms is designated for use in a particular set of circumstances as indicated by the title of that model form.

2. Model form H-1 is for use in complying with the general risk-based pricing notice requirements in Sec. 222.72 if a credit score is not used in setting the material terms of credit. Model form H-2 is for risk-based pricing notices given in connection with account review if a credit score is not used in increasing the annual percentage rate. Model form H-3 is for use in connection with the credit score disclosure exception for loans secured by residential real property. Model form H-4 is for use in connection with the credit score disclosure exception for loans that are not secured by residential real property. Model form H-5 is for use in connection with the credit score disclosure exception when no credit score is available for a consumer. Model form H-6 is for use in complying with the general risk-based pricing notice requirements in Sec. 222.72 if a credit score is used in setting the material terms of credit. Model form H-7 is for risk-based pricing notices given in connection with account review if a credit score is used in increasing the annual percentage rate. All forms contained in this appendix are models; their use is optional.

3. A person may change the forms by rearranging the format or by making technical modifications to the language of the forms, in each case without modifying the substance of the disclosures. Any such rearrangement or modification of the language of the model forms may not be so extensive as to materially affect the substance, clarity, comprehensibility, or meaningful sequence of the forms. Persons making revisions with that effect will lose the benefit of the safe harbor for appropriate use of Appendix H model forms. A person is not required to conduct consumer testing when rearranging the format of the model forms.

a. Acceptable changes include, for example:

i. Corrections or updates to telephone numbers, mailing addresses, or Web site addresses that may change over time.

ii. The addition of graphics or icons, such as the person's corporate logo.

iii. Alteration of the shading or color contained in the model forms.

iv. Use of a different form of graphical presentation to depict the distribution of credit scores.

v. Substitution of the words “credit” and “creditor” or “finance” and “finance company” for the terms “loan” and “lender.”

vi. Including pre-printed lists of the sources of consumer reports or consumer reporting agencies in a “check-the-box” format.

vii. Including the name of the consumer, transaction identification numbers, a date, and other information that will assist in identifying the transaction to which the form pertains.

viii. Including the name of an agent, such as an auto dealer or other party, when providing the “Name of the Entity Providing the Notice.”

b. Unacceptable changes include, for example:

i. Providing model forms on register receipts or interspersed with other disclosures.

ii. Eliminating empty lines and extra spaces between sentences within the same section.

4. Optional language in model forms H-6 and H-7 may be used to direct the consumer to the entity (which may be a consumer reporting agency or the creditor itself, for a proprietary score that meets the definition of a credit score) that provided the credit score for any questions about the credit score, along with the entity's contact information. Creditors may use or not use the additional language without losing the safe harbor, since the language is optional.

H-1 Model form for risk-based pricing notice.

H-2 Model form for account review risk-based pricing notice.

H-3 Model form for credit score disclosure exception for credit secured by one to four units of residential real property.

H-4 Model form for credit score disclosure exception for loans not secured by residential real property.

H-5 Model form for credit score disclosure exception for loans where credit score is not available.

H-6 Model form for risk-based pricing notice with credit score information.

H-7 Model form for account review risk-based pricing notice with credit score information.

[75 FR 2759, Jan. 15, 2010, as amended at 76 FR 41617, July 15, 2011]

Appendix I to Part 222 [Reserved]

Appendix J to Part 222—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Section 222.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in §222.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of §222.90 of this part.

I. The Program

In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

II. Identifying Relevant Red Flags

(a) Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:

(1) The types of covered accounts it offers or maintains;

(2) The methods it provides to open its covered accounts;

(3) The methods it provides to access its covered accounts; and

(4) Its previous experiences with identity theft.

(b) Sources of Red Flags. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:

(1) Incidents of identity theft that the financial institution or creditor has experienced;

(2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and

(3) Applicable supervisory guidance.

(c) Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this appendix J.

(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;

(2) The presentation of suspicious documents;

(3) The presentation of suspicious personal identifying information, such as a suspicious address change;

(4) The unusual use of, or other suspicious activity related to, a covered account; and

(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

III. Detecting Red Flags

The Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:

(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and

(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV. Preventing and Mitigating Identity Theft

The Program's policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following:

(a) Monitoring a covered account for evidence of identity theft;

(b) Contacting the customer;

(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;

(d) Reopening a covered account with a new account number;

(e) Not opening a new covered account;

(f) Closing an existing covered account;

(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;

(h) Notifying law enforcement; or

(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program

Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:

(a) The experiences of the financial institution or creditor with identity theft;

(b) Changes in methods of identity theft;

(c) Changes in methods to detect, prevent, and mitigate identity theft;

(d) Changes in the types of accounts that the financial institution or creditor offers or maintains; and

(e) Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI. Methods for Administering the Program

(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:

(1) Assigning specific responsibility for the Program's implementation;

(2) Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with §222.90 of this part; and

(3) Approving material changes to the Program as necessary to address changing identity theft risks.

(b) Reports. (1) In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with §222.90 of this part.

(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.

(c) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.

VII. Other Applicable Legal Requirements

Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:

(a) For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

(b) Implementing any requirements under 15 U.S.C. 1681c-1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;

(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and

(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix J

In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.

3. A consumer reporting agency provides a notice of address discrepancy, as defined in 12 CFR 1022.82(b).

4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries;

b. An unusual number of recently established credit relationships;

c. A material change in the use of credit, especially with respect to recently established credit relationships; or

d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

5. Documents provided for identification appear to have been altered or forged.

6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.

8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.

9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:

a. The address does not match any address in the consumer report; or

b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.

12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or

b. The phone number on an application is the same as the number provided on a fraudulent application.

13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a. The address on an application is fictitious, a mail drop, or a prison; or

b. The phone number is invalid, or is associated with a pager or answering service.

14. The SSN provided is the same as that submitted by other persons opening an account or other customers.

15. The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or by other customers.

16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.

17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.

18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.

20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or

b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;

b. A material increase in the use of available credit;

c. A material change in purchasing or spending patterns;

d. A material change in electronic fund transfer patterns in connection with a deposit account; or

e. A material change in telephone call patterns in connection with a cellular phone account.

22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.

24. The financial institution or creditor is notified that the customer is not receiving paper account statements.

25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor

26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

[Reg. V, 72 FR 63758, Nov. 9, 2007, as amended at 74 FR 22642, May 14, 2009; 79 FR 30711, May 29, 2014]


