Regulation P and Sharing Information Under a Joint Marketing Agreement

Issue/Inquiry

The Bank has a joint marketing agreement with a credit card company, which issues credit cards in the Bank’s name but performs the underwriting and makes the credit decision. The company has requested a list of customer names, addresses, and social security numbers, so that they can run a credit search and decide on what card to offer a customer. The Bank’s Privacy Policy allows it to share personal information for joint marketing with other financial companies. Would the Bank be permitted to provide this customer information to the credit card company?

Response Summary

The Bank will be permitted to share the nonpublic personal information of its customers with the credit card company if it is pursuant to a joint marketing agreement that fulfills regulatory requirements and if this type of arrangement was disclosed to the customers in the initial privacy notice.

Response Detail

Under Regulation P, the opt-out requirements for sharing the nonpublic personal information of a customer do not apply when the financial institution provides such information to nonaffiliated third parties performing services for it, provided:

• The sharing is disclosed in the initial privacy notice
• The institution has entered into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. 12 CFR §1016.13(a).

The services a nonaffiliated third party performs for the institution may include the marketing of the institution’s own products or services or the marketing of financial products or services offered pursuant to joint agreements between the institution and one or more other financial institution. A “joint agreement” in this regard means a written contract pursuant to which the financial institution and one or more other financial institution jointly offer, endorse, or sponsor a financial product or service. 12 CFR §1016.13(b)(c).

A “financial institution” is any institution the business of which is engaging in financial activities as described in the Bank Holding Company Act of 1956. A credit card company issuing a credit card to consumers would be considered a financial institution for the purposes of Regulation P because extending credit is a financial activity described in the Bank Holding Company Act of 1956. 12 CFR §1016.3(l)(3)(i),(ii).

In this case, there must be a joint marketing agreement that covers the product being offered by the credit card company and restricts the credit card company from disclosing or using the nonpublic personal information of the Bank’s customers for any purpose other than marketing that product. The particular product offered, sponsored, or endorsed under the joint agreement need not be the Bank’s own product (i.e., the credit cards issued in the Bank’s name). The Bank must also have disclosed this type of arrangement in its initial privacy notice.

If these conditions are fulfilled, then the Bank may provide customer information to the credit card company.

This entry was posted on Monday, July 30th, 2018 at 6:00 am.