SearchGo
RSS
Contact Us
About UsProfessionalsPractice AreasIndustriesPro BonoDiversityOfficesMedia CenterNews & ViewsCareer CenterEventsLinks



Search News and Views By:
OR by
Keywords
Alerts

Patton Boggs Mortgage Banking Update - Week of November 2, 2009
November 2, 2009

Click here to download this update. [PDF]

Model Privacy Form Nearing Final Approval

Federal agencies appear to be nearing the final stages of approving revisions to the form of privacy notice under the Gramm-Leach-Bliley Act (GLBA). In late October 2009 the Federal Deposit Insurance Corporation (FDIC) approved a draft final rule (http://www.fdic.gov/news/board/notice20Oct2009.html) containing new model privacy notices. The other federal agencies involved in the promulgation of the privacy rules are expected to approve the revisions. The agencies are the FDIC, Office of the Comptroller of the Currency (OCC), Federal Reserve Board (Fed), Office of Thrift Supervision (OTS), National Credit Union Administration (NCUA), Federal Trade Commission (FTC), Commodity Futures Trading Commission (CFTC) and Securities and Exchange Commission (SEC) (collectively, the “Agencies”).

In March 2007 the Agencies issued a proposed rule to provide for a model form of privacy notice that would be in stark contrast to the typical forms of notices used by financial institutions under existing privacy rules. Many existing privacy notices use various sample clauses contained in the privacy rules. The proposed model notice was in a tabular format and provided for a more standardized approach to the disclosure of a financial institution’s privacy practices. The Agencies based the proposed notice on consumer research. After receiving comments on the proposed notice, the Agencies conducted further consumer research and testing and decided to adopt the tabular format for three forms of model notices. As with the existing sample clauses, use of a model notice is not required, but parties that correctly use a model notice are entitled to a safe harbor. That is, correct use of a model notice constitutes compliance with the privacy rules.

Assuming all of the Agencies adopt the draft final rule, it will become effective 30 days after publication in the Federal Register. During a transition period, financial institutions will continue to be able to rely on the safe harbor under the existing privacy rules for initial and annual privacy notices that utilize the sample clauses. Specifically, the safe harbor will be available for initial or annual privacy notices issued on or before December 31, 2010. The sample clauses will be removed from the privacy rules effective January 1, 2012.

Each model notice is a two-page document that may be printed on both sides of single sheet of paper, or on two sheets of paper. The addition of a third page will be permitted if needed to include certain permitted information. In general, a minimum 10-point font size will apply to the model form, and there must be sufficient spacing between the lines of type. The preamble to the draft final rule includes optional guidance on satisfying the requirement for sufficient spacing. A model notice must printed on white or light color paper (such as cream) with black or contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form.

One form of model privacy notice is for use when the financial institution’s information sharing practices do not trigger a right of the consumer to direct that the institution not share his or her non-public personal financial information (i.e., an opt-out right). This form of notice contains seven main sections:
  • “Facts;”
  • “Reasons we can share your personal information;”
  • “Questions;”
  • “Who we are;”
  • “What we do;”
  • “Definitions;” and
  • “Other important information.”

There are two forms of model privacy notices for use when the financial institution’s information sharing practices require that the consumer be provided with an opt-out right. The model notice for use when the consumer may exercise the opt-out right by telephone or online contains an additional section (“To limit our sharing”) that provides information on how to exercise the opt-out right. The model notice for use when the consumer can opt-out by telephone, online or by mailing a form includes both the “To limit our sharing” section and a mail-in form that the consumer can complete and detach from the notice.

The “Facts” section includes three subsections, “Why?,” “What?” and “How?” The “Why?” subsection advises the consumer that financial companies choose how they share personal information, that federal law gives the consumer the right to limit some, but not all sharing, and that under federal law the financial company must advise the consumer of its sharing practices. The “What?” subsection addresses the type of information that the financial company will collect and share based on the applicable product or service. In this subsection, all financial institutions must include “Social Security number” as the first item, and include five additional items of information from a list of items. The “How?” subsection advises that financial companies must share a customer’s personal information to run their everyday business and explains that the notice lists reasons why financial companies share information and whether, for each of the listed reasons, the particular financial company shares information.

The “Reasons we can share your personal information” section contains three columns. The first column lists seven reasons for which personal information is shared. For each reason a financial institution must (1) enter “Yes” or “No” in the second column to indicate whether or not it shares information for that reason, and (2) indicate in the third column if the consumer can limit sharing. The seven reasons are:
  • “For our everyday business purposes;”
  • “For our marketing purposes;”
  • “For joint marketing with other financial companies;”
  • “For our affiliates’ everyday business purposes” (with respect to transaction and experience information under the Fair Credit Report Act (FCRA));
  • “For our affiliates’ everyday business purposes” (with respect to FCRA-covered information regarding creditworthiness, other than transaction and experience information);
  • “For our affiliates to market to you;” and
  • “For nonaffiliates to market to you.”

A financial institution must include all of the reasons, except the “For our affiliates to market to you” reason may be excluded if the institution provides a separate affiliate marketing notice or if the institution’s information is not used in a manner that triggers the requirement to provide an affiliate marketing opt-out right.

Currently when a financial institution shares information with nonaffiliated third parties exclusively pursuant to the exceptions from the requirement to provide an opt-out right, the financial institution may disclose that it shares information with nonaffiliated third parties “as permitted by law.” Except for the FTC, the Agencies will permit financial institutions that share exclusively pursuant to exceptions to state that the disclosures to nonaffiliated third parties are made either “For our everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus” or “As permitted by law.” However, each model form of privacy notice contains only the “For our everyday business purposes” statement. The FTC will require the use of the statement “For our everyday business purposes, such as to process transactions, maintain account(s), respond to court orders and legal investigations, and report to credit bureaus.”

In the “Questions” section a financial institution must enter a customer service phone number and/or website address that the consumer may contact with any questions regarding the privacy notice.

The “Who we are” section provides for the disclosure of the financial institution(s) providing the notice. If only a single financial institution is providing the notice, the section may be omitted if the institution is clearly identified in the title of the model notice.

The “What we do” section addresses four issues:
  • “How does [name of financial institution] protect my personal information?”;
  • “How does [name of financial institution] collect my personal information?”;
  • “Why can’t I limit all sharing?”; and
  • “What happens when I limit sharing for an account I hold jointly with someone else?”.

For the first item, the model notices contain standard language regarding how information is protected. A financial institution may add additional information regarding its information safeguarding practices. Any additional information may not exceed 30 words.

For the second item, financial institutions must state that they collect personal information when the consumer engages in specific activities, and institutions must list five activities from a group of activities that include, for example, “open an account,” “give us your income information” and “give us your contact information.” A financial institution that collects personal information from its affiliates and/or credit bureaus must also include the statement “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” A financial institution that does not collect personal information from its affiliates or credit bureaus, but does collect such information from other companies, must include the statement “We also collect your personal information from other companies.”

The third item includes disclosures regarding the types of sharing that the consumer may limit under Federal law, and notes that state laws and individual companies may provide additional rights to limit sharing. A statement “See below for more on your rights under state law” must be included if the financial institution addresses state law privacy rights in the “Other important information” section.

For the fourth item, financial institutions must indicate if the exercise of an opt-out right by one joint account holder is effective for all joint account holders or only the specific joint account holder.

The “Definitions” section contains a definition for “Affiliates,” “Nonaffiliates” and “Joint marketing.” For the definition of “Affiliates,” the section includes a definition and a financial institution must insert, as applicable, that it has no affiliates, that it has affiliates but does not share information with the affiliates or, if the financial institution shares information with affiliates, the applicable portions of the statement “Our affiliates include companies with [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies;] and others, such as [insert illustrative list].” The information that is inserted must be set forth in italicized lettering to set off the information from the definition.

For the definition of “Nonaffiliates” the section includes a definition and the financial institution must insert, as applicable, that it does or does not share information with nonaffiliated third parties. If the financial institution shares information with such parties, the institution must list categories of companies, such as mortgage companies, insurance companies, direct marketing companies and nonprofit organizations. The information that is inserted must be set forth in italicized lettering to set off the information from the definition.

For the definition of “Joint marketing” the section includes a definition and the financial institution must insert, as applicable, that it does or does not jointly market. If the financial institution jointly markets, the institution must list categories of companies with which it jointly markets, such as credit card companies. The information that is inserted must be set forth in italicized lettering to set off the information from the definition.

The “Other important information” section is optional. The section can be used only to address state and/or international privacy law information and/or to include an acknowledgment of receipt form.

DID YOU KNOW?
  • The federal S.A.F.E. Act and a significant number of state laws pertaining to the implementation of the S.A.F.E. Act place new advertising-related requirements on mortgage loan originators. A number of jurisdictions now require, or will require, mortgage loan originator licensees to include their unique, Nationwide Mortgage Licensing System identifier on any marketing materials, including business cards, and on certain loan documents, such as the loan application.
  • Effective October 27, 2009, the Nevada Division of Mortgage Lending enacted regulations that address a number of licensing requirements and responsibilities for mortgage broker and mortgage agent licensees or license applicants. For example, the newly enacted regulations provide that a natural person seeking an initial license as either a mortgage broker or a mortgage agent must complete at least 30 hours of prelicensure education, of which at least 15 hours must involvelive classroom instruction. Individuals applying to renew their mortgage broker or mortgage agent license must complete at least 10 hours of continuing education.

Creditors Get Another Reprieve on Red Flag Implementation

On October 30, 2009, the Federal Trade Commission (FTC) announced that it is pushing back the compliance deadline for the Red Flags Rule yet again. Entities under the FTC’s Fair Credit Reporting Act (FCRA) jurisdiction, including nondepository lenders and brokers, now have until June 1, 2010 to develop and implement a program to identify, detect and respond to activities that could indicate identity theft. The Federal Banking Regulators, the National Credit Union Administration (NCUA) and the FTC published a rule in late 2007 that provided guidelines on instituting these so-called “red flag” programs. Entities under the jurisdiction of the Federal Banking Regulators and the NCUA did not receive similar delays in their implementation deadline of November 1, 2008.


    © 2010 PATTON BOGGS LLP