RSK.IQ Question of the Week 11/13/18

Regulation P and Sharing Customer Information for a Survey


The Bank is considering engaging a company to perform a customer survey targeting millennial customers. The Bank intends to provide the company with customer contact information, so that it can reach out to the customers directly. What must the Bank consider from a privacy standpoint in this circumstance?

Response Summary

Regulation P allows nonpublic personal information to be shared with nonaffiliated third parties only as described in the financial institution's privacy notice or under one of the regulation's exceptions. Some information can be shared under those exceptions without giving the consumer an opportunity to opt out. If the intended sharing is neither described in the initial privacy notice nor covered by an exception, a revised notice must be provided to the affected customers before the information is shared. In addition, the agreement with the nonaffiliated third party performing the service must prohibit it from using the information for any purpose other than providing that service.

Response Detail

Regulation P requires a financial institution to provide a privacy notice to its customers that describes the institution's policies for collecting nonpublic personal information about a consumer and for sharing it with affiliated and nonaffiliated third parties. In addition, the notice must give the consumer a reasonable opportunity to prohibit the institution from sharing such information with nonaffiliated third parties (i.e., to "opt-out"), except where sharing is permitted by an exception to the regulatory requirements. 12 CFR §§ 1016.4, 1016.6, 1016.7.

A financial institution does not need to comply with the opt-out requirements if it limits its disclosures of nonpublic personal information to nonaffiliated third parties to those permitted by the exceptions. Per Regulation P, the exceptions to the opt-out right are as follows:

  • Section 13: To a nonaffiliated third party that performs services for the institution or functions on its behalf, including marketing the institution's own products or services or products offered jointly by the institution and another financial institution, provided that the institution described these arrangements in its initial privacy notice and prohibits the third party by contract from disclosing or using the information for anything other than the specified purposes
  • Section 14: As necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes; to service or process a product that the consumer requests or authorizes; or to maintain an account with the institution (e.g., providing an account statement, auditing an account)
  • Section 15: For certain other disclosures that a financial institution normally makes, such as to protect against or prevent actual or potential fraud; to the institution's attorneys, accountants, and auditors; or to comply with applicable legal requirements, such as disclosing information to regulators. 12 CFR §§ 1016.13, 1016.14, 1016.15.

Regulation P provides that if a disclosure is covered by Section 14 or 15, the institution does not have to satisfy the notice and contractual confidentiality conditions of Section 13 for that disclosure. 12 CFR §§ 1016.14(a), 1016.15(a).

In this case, the disclosure of customer information to the nonaffiliated third party performing the survey must either match the sharing described in the Bank's privacy notice, or fall under one of the other exceptions to the opt-out requirements.

The Bank's privacy notice in this situation states that the Bank does not share information for the purpose of marketing its products or services to consumers. This means that the survey cannot be used for marketing, since that sharing would not be consistent with the privacy notice. Sharing customer information with the survey company for that purpose would therefore fail the notice condition of the Section 13 exception.

However, if the survey is performed in support of a function described in Section 14 or 15, then the Bank may share customer information with the service provider under that exception without relying on Section 13.

A financial institution may not disclose any nonpublic personal information to nonaffiliated third parties, except under the enumerated exceptions, unless the required notices have been provided and the consumer has not opted out, where applicable. FDIC Compliance Examination Manual – June 2016, VIII – 1.4.

Therefore, if the customer survey is being used for marketing purposes, the Bank must provide revised privacy notices to the affected customers before sharing their information, stating that their personal information will be shared with a service provider for that purpose. Since the sharing would then be covered by the Section 13 exception, it would not be necessary to give the customers an opportunity to opt out, but the revised notice must be delivered before the information is shared, and delivering it a reasonable time in advance is the better practice.

In addition, the Bank must ensure that its agreement with the nonaffiliated third party performing the survey prohibits that third party from disclosing or using the nonpublic personal information for any purpose other than performing the survey. 12 CFR §1016.13(a)(1)(ii).


This entry was posted on Tuesday, November 13th, 2018 at 6:00 am.
