Morrison & Foerster : Legal Updates & News : Bulletins : Federal Agencies Issue Long-Awaited Affiliate-Marketing Rule

For more information on the issues discussed in this legal update, please contact:

United States

Joyita Basu
Madhavi Batliboi
Roland Brandel
John F. Delaney
L. Richard Fischer
Mark Gillett
Sherman W. Kahn
Charles H. Kennedy
Christine E. Lyon
Gabriel Meister
Obrea Poindexter
Cynthia J. Rich
Thomas E. Scanlon
Andrew M. Smith
William L. Stern
Nathan Taylor
Jarno Vanto
Timothy G. Verrall
Marian A. Waldmann
Joan Warrington
Dan Westman
Bryan Wilson
Miriam Wugmeister

Europe

Amina Adam
Teresa V. Basile
Ann Bevitt
Chris Coulter
Suzanne Horne
Alistair Maughan
Anthony Nagle
Karin Retzer

Asia

Daniel P. Levison
Paul McKenzie
Fraser Mendel
Gordon Milner
Jay Ponazecki
Toshihiro So
Nigel Stamp

Privacy Library

Please take advantage of our extensive collection of links to privacy laws, regulations, reports, and government authorities around the world:

www.mofoprivacy.com

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Print page

Email page

			Related Practices: Financial Services Law Privacy and Data Security

Federal Agencies Issue Long-Awaited Affiliate-Marketing Rule

November 2007
by Andrew M. Smith

Privacy Bulletin, November 28, 2007

The federal financial regulatory agencies have just issued a final rule addressing how companies can use certain consumer information received from their affiliates to market goods and services to consumers. In some instances, this rule will require that a company (1) notify a consumer before it uses information received from an affiliate to market products or services to the consumer; and (2) provide the consumer with the opportunity to opt-out of such use. This new notice is in addition to opt-out notices already required under the Fair Credit Reporting Act and Gramm-Leach-Bliley Act. Compliance with this rule will be required by October 1, 2008.

Although the Final Rule will impose significant additional compliance challenges for affiliated companies, we believe that by structuring their programs to meet the detailed requirements of the Final Rule, companies should be able to continue their cross-selling programs. For example, most affiliated companies should be able to structure their affiliate-marketing practices to fit within one or more exceptions included in the Final Rule and, as a result, could avoid providing notice and opt-out altogether. Alternatively, affiliated companies may elect to provide all of their customers with notice and an opportunity to opt out of such cross-marketing activities. In either case, the Final Rule will impose new and unique requirements that likely will require changes in existing policies and procedures for providing notices and implementing opt-outs, and for cross-marketing products or services among affiliated companies. This memorandum analyzes the Final Rule and highlights issues that companies are likely to face when complying with the Final Rule.

On November 7, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration (collectively, the “banking agencies”) issued a joint final rule (“Final Rule”) to implement the affiliate-marketing requirements of section 624 of the Fair Credit Reporting Act (“FCRA”).[i] The Final Rule was developed jointly with the banking agencies, the Federal Trade Commission (“FTC”), and the Securities and Exchange Commission (“SEC”). The FTC has issued a similar rule.[ii] The SEC has not yet issued a rule in final form.

The Final Rule’s Compliance Date

The Final Rule will become effective on January 1, 2008.[iii] However, compliance with the Final Rule will not become mandatory until October 1, 2008.[iv] Although the mandatory compliance date is nearly a year away, the date still could pose significant operational issues for affiliated companies, particularly if they elect to combine this new opt-out notice with their broader privacy disclosures. For example, if a financial institution ordinarily provides its customers with an annual Gramm-Leach-Bliley Act (“GLBA”) privacy notice during the first quarter of the year and the institution elects to combine its FCRA affiliate-marketing notice with its GLBA notice, it could face significant challenges in preparing and providing a combined notice in time for a first-quarter mailing. If the institution is not able to prepare a combined notice in time for a first-quarter mailing, it would either have to delay its GLBA privacy notice, perhaps seeking approval to do so from its principal regulator, or to incur the additional costs of mailing a stand-alone affiliate-marketing notice.

It is important to note, however, that, unlike the FCRA affiliate-sharing notice,[v] neither the Final Rule nor the GLBA rules require that the FCRA affiliate-marketing notice be combined with the annual GLBA privacy notice.[vi] More specifically, while the Final Rule permits the FCRA affiliate-marketing notice to be coordinated and consolidated with the annual GLBA privacy notice, neither the FCRA nor the Final Rule requires that the affiliate-marketing notice be provided annually with the privacy notice. Such a requirement would turn the one-time,[vii] affiliate-marketing notice into an annual opportunity to opt out of affiliate marketing, as is the case with the FCRA affiliate-sharing notice.[viii]

The Affiliate-Marketing Notice and Opt-Out Requirement

The Final Rule generally prohibits a company from using “eligibility information” received from an affiliate to market to a consumer, unless an exception applies or the consumer is provided with notice and an opportunity to opt out. Specifically, the Final Rule provides that a company may not use “eligibility information” relating to a consumer that the company receives from an affiliate “to make a solicitation for marketing purposes to the consumer” unless: (1) it is “clearly and conspicuously” disclosed by the affiliate(s) providing the notice that the company may use such information to make marketing solicitations to the consumer; (2) the consumer is provided with a reasonable opportunity to opt out; and (3) the consumer has not opted out.[ix] As a result, in order for the notice and opt-out requirements to apply to an affiliate cross-marketing program, a number of factors must be present.

Eligibility Information

First, a company must use “eligibility information.” The Final Rule defines the term “eligibility information” as “any information the communication of which would be a consumer report if the exclusions from the definition of ‘consumer report’ in section 603(d)(2)(A) of the [FCRA] did not apply.”[x] In this regard, section 603(d)(2)(A) of the FCRA excludes the following information from the definition of “consumer report”: (1) any “report containing information solely as to transactions or experiences between the consumer and the person making the report”; (2) any communication of transaction or experience information among affiliates; and (3) any communication of “other information” among affiliates if the consumer to whom the information relates is provided with notice and an opportunity to opt out before the information is communicated.[xi] As a result, the Final Rule limits the ability of a company to use, for marketing purposes, any transaction or experience information-such as account balance information, or information subject to the FCRA affiliate-sharing requirement, such as consumer reports or application information-that is received from an affiliate. Nevertheless, the requirements of the Final Rule should not apply to the use of contact information, such as names and addresses (which should not constitute “consumer reports” regardless of section 603(d)(2)(A)), or demographic, census, or other similar information purchased by one or more affiliates for marketing purposes, rather than eligibility purposes.

In addition, a company should be able to use eligibility information received from an affiliate for marketing purposes, without being subject to the Final Rule, if the information is depersonalized or aggregated. In this regard, the Final Rule clarifies that “eligibility information” does not include “aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses.”[xii] However, the Supplementary Information to the Final Rule (“Supplementary Information”) indicates that “personal identifiers” also include “Social Security numbers, driver’s license numbers, telephone numbers, or other types of information that, depending on the circumstances or when used in combination, could identify the” consumer.[xiii]

Eligibility Information Received from an Affiliate

In addition, the eligibility information used by a company must have been “received from an affiliate.” As a result, the notice and opt-out requirement would not apply if a company uses its own, as opposed to an affiliate’s, eligibility information or if the company uses only information received from an unaffiliated third party. It is important to note that the Final Rule highlights the fact that a company may receive “eligibility information” from an affiliate “when the affiliate places that information into a common database that [the company] may access.”[xiv] However, the Supplementary Information clarifies that “[i]n the case of a common database, use of the eligibility information will be the key element in determining whether a person has made a solicitation.”[xv] Thus, not only must a company receive information from an affiliate, it also must use that information to make a solicitation in order to trigger the application of the Final Rule.

Eligibility Information Used to Make a Solicitation

In addition, a company must use the eligibility information received from an affiliate to “make a solicitation for marketing purposes to the consumer.”[xvi] In this regard, the Final Rule provides that an institution “make[s] a solicitation for marketing purposes” if: (1) the company receives eligibility information from an affiliate; (2) the company uses that information to: (a) identify the consumer or “type of consumer” to receive a solicitation; (b) establish the criteria used to select the consumer to receive a solicitation; or (c) decide which of the company’s products or services to market to the consumer or tailor the solicitation to that consumer; and (3) the consumer is provided a solicitation “[a]s a result of” the company’s use of the eligibility information.[xvii]

Although not expressly stated in the Final Rule, it is important to note that the FCRA specifies that the affiliate-marketing notice and opt-out requirement applies to a company, absent an applicable exception, when a company uses eligibility information received from an affiliate to market “its [own] products or services.”[xviii] As a result, the limitation on using information received from an affiliate should not apply to a company when it markets the products or services of the affiliate whose information is being used or an unaffiliated third party’s products or services, regardless of whether the company uses eligibility information received from an affiliate. However, in light of the Final Rule’s description of when a company “make[s] a solicitation,” when a company markets an affiliate’s products or services, the affiliate still must consider whether it has made a solicitation for purposes of the Final Rule.

Exceptions to the Notice and Opt-Out Requirement

The Final Rule includes all of the statutory exceptions to the affiliate-marketing requirements contained in section 624 of the FCRA. As a result, the Final Rule does not apply to a company’s use of eligibility information received from an affiliate: (1) to make a solicitation for marketing purposes to a consumer with whom the company has a “pre-existing business relationship”, (2) to facilitate certain communications to a consumer for whose benefit the company has provided employee benefits or other services; (3) to perform services on behalf of an affiliate, although the exception does not apply if the affiliate would not be permitted to send the solicitation on its own behalf as a result of a consumer’s opt out; (4) in response to a communication initiated by a consumer concerning the company’s products or services; (5) in response to a consumer’s authorization or request to receive a solicitation; or (6) if compliance with the Final Rule would prevent the company from complying with state insurance laws relating to unfair discrimination in a state in which the institution is lawfully doing business.[xix]

Thus, if one of these exceptions applies, a company may use eligibility information relating to a consumer that the company received from an affiliate to make a solicitation for marketing purposes to the consumer, without the consumer first being provided with notice and opportunity to opt out.

Pre-Existing Business Relationship Exception

The Final Rule provides an exception for a company that has a “pre-existing business relationship” with a consumer.[xx] The Final Rule defines the term “pre-existing business relationship” as a relationship between a company and a consumer that is based on: (1) a financial contract that is “in force on the date on which the consumer is sent a solicitation”;[xxi] (2) a purchase, rental, or lease of the company’s goods or services, or “a financial transaction (including holding an active account or a policy in force or having another continuing relationship) between the consumer and the [company], during the 18-month period immediately preceding the date on which the consumer is sent a solicitation”;[xxii] or (3) an inquiry or application by the consumer regarding the company’s products or services “during the three-month period immediately preceding the date on which the consumer is sent a solicitation.”[xxiii]

It is important to note that the relevant date for purposes of determining whether a company has a pre-existing business relationship with a consumer is the date on which a solicitation is “sent.” In most instances, the date a solicitation is “sent” will be later than the date on which eligibility information is used to establish the criteria for selection, or even the date on which the consumer is selected to receive the solicitation. As a result, a company seeking to rely on this exception must ensure that it has such a relationship with the consumer not only on the date when the information is used or the date the consumer is selected to receive the solicitation, but also on the date when the solicitation is actually “sent” to the consumer.

The Final Rule includes several examples of when a company either has or does not have a pre-existing business relationship with a consumer, one of which merits further discussion. Specifically, the Final Rule provides that a company has a pre-existing business relationship with a consumer if the “consumer makes a telephone inquiry to [the company] about its products or services and provides contact information to the [company], but does not obtain a product or service from or enter into a financial contract or transaction with the” company.[xxiv] As a result, if a company wants to rely on a consumer’s product inquiry to establish a qualifying relationship, a consumer must not only ask about the company’s products or services, but also must provide the company with his or her contact information. In this regard, the Supplementary Information notes that “[t]he Agencies continue to believe that it is appropriate to consider what the consumer says in determining whether the consumer has made an inquiry about a product or service. It may not be necessary, however, for the consumer to provide contact information in all cases.”[xxv] Nonetheless, whether or not a consumer provides a company with contact information, the “consumer-initiated communication” exception, discussed below, may apply.

Limitation on the Pre-Existing Business Relationship Exception

The Final Rule appears to significantly limit the “pre-existing business relationship” exception. Specifically, in drafting the exception so that it does not preclude “constructive sharing,”[xxvi] the Final Rule states that, provided a company has not used eligibility information from an affiliate to identify the consumer or “type of consumer” to receive a solicitation, establish the criteria used to select the consumer to receive a solicitation, or decide which of the company’s products or services to market to the consumer or tailor the solicitation to that consumer, the notice and opt-out requirement does not apply if the company’s affiliate: (1) “[u]ses its own eligibility information that it obtained in connection with a pre-existing business relationship it has or had with the consumer to market [the company’s] products or services to the consumer”; or (2) “[d]irects its [own] service provider to use the affiliate’s own eligibility information that it obtained in connection with a pre-existing business relationship it has or had with the consumer to market [the company’s] products or services to the consumer, and [the company] does not communicate directly with the service provider regarding that use.”[xxvii]

As a result, the Final Rule could be read to prohibit, without notice and opt-out, a company from providing its own customers with marketing solicitations relating to an affiliate’s products or services if the affiliate whose products or services will be marketed established the criteria used to select the consumers who will receive the solicitation through use of eligibility information received from the company or from another affiliate. In this regard, the Final Rule provides the following example that, although relating to when a company “make[s] a solicitation,” appears to reinforce this limitation on the “pre-existing business relationship” exception:

A consumer has a deposit account with a depository institution, which is affiliated with an insurance company. The insurance company receives eligibility information about the consumer from the depository institution. The insurance company uses that eligibility information to identify the consumer to receive a solicitation about insurance products . . . [T]he insurance company asks the depository institution to send the solicitation to the consumer and the depository institution does so. . . . [T]he insurance company has made a solicitation to the consumer because it used eligibility information about the consumer that it received from an affiliate to identify the consumer to receive a solicitation about its products or services, and, as a result, a solicitation was provided to the consumer about the insurance company’s products.[xxviii]

This would mean that the affiliate whose products or services are being marketed would either have to establish the marketing criteria without use of eligibility information received from an affiliate, or do so using depersonalized or aggregated “eligibility information,” as discussed above.

Service Providers

The Final Rule also limits the ability of a service provider to use “eligibility information” to distribute marketing solicitations. While the Final Rule is not a model of clarity in this respect, the Supplementary Information indicates that these limitations are intended to delineate “the conditions under which a service provider would be deemed to be acting on behalf of the affiliate with the pre-existing business relationship, rather than the person whose products or services are being marketed, notwithstanding direct communications between the person and the service provider.”[xxix]

Specifically, the Final Rule provides that the notice and opt-out requirements do not apply “if a service provider . . . receives eligibility information from [a company’s] affiliate that [the] affiliate obtained in connection with a pre-existing business relationship it has or had with the consumer and uses that eligibility information to market [the company’s] products or services to the consumer” and if a number of detailed requirements are met.[xxx] For example, the affiliate must control access to, and use of, its eligibility information by the service provider.[xxxi] In addition, the affiliate must “establish[] specific terms and conditions under which the service provider may access and use the affiliate’s eligibility information to market [the institution’s] products and services (or those of affiliates generally) to the consumer” and “periodically evaluate[] the service provider’s compliance with those terms and conditions.”[xxxii] Moreover, the Final Rule requires that these requirements be “set forth in a written agreement between [the] affiliate and the service provider,”[xxxiii] or otherwise be set forth “in writing.”[xxxiv]

As a result, if a company seeks to rely on the “pre-existing business relationship” exception and will use a service provider to conduct the marketing, the company must ensure that it complies with these detailed control and audit requirements. It also will be important for a company to ensure that the specific terms and conditions under which the service provider may use the company’s eligibility information are spelled out, including specifying: (1) the identity of the affiliated company whose products or services may be marketed to the consumer by the service provider; (2) the types of products or services of the affiliated company that may be marketed; and (3) the number of times the consumer may receive marketing materials. Accordingly, the Final Rule indicates, in an example, that general terms and conditions, such as a service provider being permitted to use a company’s eligibility information for marketing purposes “whenever the service provider deems it appropriate to do so,” will not satisfy these requirements.[xxxv]

Consumer-Initiated Communication Exception

The Final Rule provides an exception for a company that uses eligibility information received from an affiliate “[i]n response to a communication about [the company’s] products or services initiated by the consumer.”[xxxvi] The Final Rule provides the following example of this exception:

A consumer who has a deposit account with a depository institution contacts the institution to request information about how to save and invest for a child’s college education without specifying the type of product in which the consumer may be interested. Information about a range of different products or services offered by the depository institution and one or more affiliates of the institution may be responsive to that communication. . . . Any affiliate offering investment products or services that would be responsive to the consumer’s request . . . may use eligibility information to make solicitations to the consumer in response to this communication.[xxxvii]

Unlike the agencies’ interpretation of the “inquiry” prong of the pre-existing business relationship exception, this example does not indicate that the consumer must provide his or her contact information. In addition, although one affiliate may receive the consumer’s communication, another affiliate, or other affiliates, that offer products or services responsive to the consumer’s communication may rely on this exception.

Which Affiliate Must Provide Notice

The “Initial” Notice

The Final Rule sets forth specific requirements that must be followed when providing the affiliate-marketing notice. For example, the “initial” notice must be provided: (1) by an affiliate that “has or has previously had” a pre-existing business relationship with the consumer; or (2) as part of a joint notice from more than one affiliate, provided that at least one of those affiliates “has or has previously had” a pre-existing business relationship with the consumer.[xxxviii] The Supplementary Information indicates that this requirement is intended “to ensure that the notice is provided by an entity known to the consumer.”[xxxix] Although the Supplementary Information indicates that an institution “may direct its agent to provide the opt-out notice on its behalf,”[xl] this requirement could pose operational issues for many companies. For example, in light of the fact that one or more affiliates within a holding company likely will not have or have had a pre-existing relationship with all the consumers related to the affiliated companies, multiple companies within a holding company may be required to provide an opt-out notice, and, as a result, some consumers may receive multiple notices from different companies within the holding company. To some extent, these issues could be addressed by having one company provide the notice on behalf of all of the other companies; however, the Final Rule also requires that the notice identify “[t]he name of the affiliate(s) providing the notice.”[xli] As a result, within a holding company, multiple notices may have to be developed to reflect the different companies providing those notices, or all of the companies that have or have had pre-existing business relationships with the consumer receiving the notice may need to be identified in a single notice.[xlii]

The “Renewal” Notice

The Final Rule generally provides that a consumer’s opt-out “must be effective for a period of at least five years.”[xliii] Moreover, unless an exception to the notice and opt-out requirement applies, after a consumer’s opt out expires, a company may not make new solicitations to the consumer unless the consumer is provided with a “renewal” notice and opportunity to opt-out, as required by the Final Rule.[xliv] In this regard, the Final Rule also specifies which affiliate must provide the “renewal” notice. Specifically, the “renewal” notice must be provided: (1) “[b]y the affiliate that provided the previous opt-out notice, or its successor”; or (2) as part of a joint “renewal” notice from more than one affiliate, or their successors, “that jointly provided the previous opt-out notice.”[xlv] This “renewal” notice requirement could pose significant operational issues. For example, in addition to the issues addressed above, in light of the fact that a consumer can opt out “at any time,”[xlvi] a company may have to provide the “renewal” notice on an individual consumer basis. Moreover, it is not clear which affiliate must provide the “renewal” notice if the affiliate that provided the “initial” notice no longer exists and has no successor.

Scope of a Consumer’s Opt-Out

The Final Rule provides that, if a consumer opts out, “any affiliate covered by the opt-out notice [is prohibited] from using eligibility information . . . as described in the notice to make solicitations to the consumer.”[xlvii] In this regard, if a consumer establishes a “continuing relationship” with a company or its affiliate, an opt-out notice provided to the consumer “may apply to eligibility information obtained in connection with: (1) “[a] single continuing relationship or multiple continuing relationships that the consumer establishes with [the company or its] affiliates, including continuing relationships established subsequent to delivery of the opt-out notice, so long as the notice adequately describes the continuing relationships covered by the opt-out”; or (2) “[a]ny other transaction between the consumer and [the company or its] affiliates as described in the notice.”[xlviii] The Final Rule provides examples of “continuing relationships,” including a consumer opening a deposit or investment account with a company or its affiliates or obtaining a loan for which the company or its affiliate owns the servicing rights.[xlix] As a result, a company should have the flexibility to determine whether a notice covers subsequent relationships and transactions that arise after the consumer is provided with notice. However, if a company chooses not to cover subsequent relationships or transactions in a notice and such a relationship or transaction occurs, the company may have to provide the consumer with another notice in order for affiliates to use eligibility information relating to such relationship or transaction for marketing purposes.

In addition, if there is not a “continuing relationship” between a consumer and a company or its affiliates and that company or its affiliates obtain eligibility information about the consumer in connection with a transaction with the consumer, “such as an isolated transaction or a credit application that is denied, an opt-out notice . . . only applies to eligibility information obtained in connection with that transaction.”[l] The Final Rule provides examples of “isolated transactions,” including a consumer using an institution’s ATM to withdraw cash from an account at another institution.[li]

The Final Rule also includes specific requirements for when a consumer ends all continuing relationships with a company or its affiliates. Specifically, the Final Rule provides that “[a] consumer must be given a new opt-out notice if, after all continuing relationships with [a company or its] affiliate(s) are terminated, the consumer subsequently establishes another continuing relationship with [the company or its] affiliate(s) and the consumer’s eligibility information is to be used to make a solicitation.”[lii] The Final Rule clarifies that a “consumer’s decision not to opt out after receiving the new opt-out notice would not override a prior opt-out election by the consumer that applies to eligibility information obtained in connection with a terminated relationship, regardless of whether the new opt-out notice applies to eligibility information obtained in connection with a terminated relationship, regardless of whether the new opt-out notice applies to eligibility information obtained in connection with the terminated relationship.

[i] 72 Fed. Reg. 62,910 (Nov. 7, 2007).

[ii] 72 Fed. Reg. 61,424 (Oct. 30, 2007).

[iii] 12 C.F.R. § ___.28(a).

[iv] 12 C.F.R. § ___.28(b).

[v] 15 U.S.C. § 1681a(d)(2)(A)(iii).

[vi] See, e.g., 12 C.F.R. § 216.6(a) (FRB).

[vii] Of course, as discussed below, if a consumer opts out and this opt-out expires after five years, the consumer must be provided with a “renewal” notice if a company thereafter intends to use eligibility information received from an affiliate to market to that consumer. See 12 C.F.R. § ___.27(a)(1).

[viii] 12 C.F.R. § ___.23(b).

[ix] 12 C.F.R. § ___.21(a)(1).

[x] 12 C.F.R. § ___.20(b)(3).

[xi] 15 U.S.C. § 1681a(d)(2)(A).

[xii] 12 C.F.R. § ___.20(b)(3).

[xiii] 72 Fed. Reg. at 62,915.

[xiv] 12 C.F.R. § ___.21(b)(2).

[xv] 72 Fed. Reg. at 62,922.

[xvi] The Supplementary Information highlights that the agencies believe that “‘making’ and ‘sending’ solicitations are different activities and that the focus of the statute is primarily on the ‘making’ of solicitations. For example, a service provider may send a solicitation on behalf of another entity, but it is the entity on whose behalf the solicitation is sent that is making the solicitation and thus is subject to the general” requirements of the Final Rule. Id.

[xvii] 12 C.F.R. § ___.21(b)(1).

[xviii] 15 U.S.C. § 1681s-3(a)(1).

[xix] 12 C.F.R. § ___.21(c).

[xx] 12 C.F.R. § ___.21(c)(1).

[xxi] 12 C.F.R. § ___.20(b)(4)(i)(A). The Supplementary Information indicates that the agencies “construe the statutory term ‘financial contract’ at least to include a contract that relates to a consumer’s purchase or lease of a financial product or service that a financial holding company could offer under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).” 72 Fed. Reg. at 62,915.

[xxii] 12 C.F.R. § ___.20(b)(4)(i)(B).

[xxiii] 12 C.F.R. § ___.20(b)(4)(i)(C).

[xxiv] 12 C.F.R. ___.20(b)(4)(ii)(E) (emphasis added).

[xxv] 72 Fed. Reg. at 62,916-62,917.

[xxvi] The Supplementary Information states that “[a]fter considering the constructive sharing issue, the Agencies conclude that the statute only covers situations where a person uses eligibility information that it received from an affiliate to make a solicitation to the consumer about its products or services.” Id. at 62,923.

[xxvii] 12 C.F.R. § ___.21(b)(4)(i)-(ii).

[xxviii] 12 C.F.R. §§ ___.21(b)(6)(i)-(ii).

[xxix] 72 Fed. Reg. at 62,924.

[xxx] 12 C.F.R. § ___.21(b)(5).

[xxxi] 12 C.F.R. § ___.21(b)(5)(i)(A).

[xxxii] 12 C.F.R. § ___.21(b)(5)(i)(B). The Final Rule is not clear on what the scope of a “periodic evaluation” entails. For example, it is not clear whether actual, in-person audits are required and, if so, how often these audits must be conducted. In this regard, it should be noted that there is no comparable requirement for utilizing service providers to market the products or services of unaffiliated third parties.

[xxxiii] 12 C.F.R. § ___.21(b)(5)(ii)(A).

[xxxiv] 12 C.F.R. § ___.21(b)(5)(ii)(B).

[xxxv] 12 C.F.R. § ___.21(b)(6)(vi).

[xxxvi] 12 C.F.R. § ___.21(c)(4).

[xxxvii] 12 C.F.R. § ___.21(d)(3)(ii).

[xxxviii] 12 C.F.R. § ___.21(a)(3). The Supplementary Information highlights that this requirement should address concerns with civil liability. Specifically, the Agencies state that in contrast to the proposed rules, the Final Rules do “not impose duties on any affiliate other than the affiliate that intends to use shared eligibility information to make solicitations to the consumer. Although an opt-out notice must be provided by an affiliate that has or has previously had a pre-existing business relationship with the consumer (or as part of a joint notice), that affiliate has no duty to provide such a notice. Instead, the [F]inal [R]ule provides that absent such a notice, an affiliate must not use shared eligibility information to make solicitations to the consumer.” 72 Fed. Reg. at 62,921.

[xxxix] Id.

[xl] Id.

[xli] 12 C.F.R. § ___.23(a)(1)(i).

[xlii] The Final Rule does provide that if the opt-out notice is provided by more than one affiliate and those affiliates share a common name, the notice may indicate that it is being provided by multiple companies that share the common name or that are within the family of companies to which that name relates, including, for example, “all of the ABC companies” or “the ABC banking, credit card, insurance, and securities companies.” Id. However, if the notice is provided by more than one affiliate and those affiliates do not all share a common name, the notice “must either separately identify each affiliate by name or identify each of the common names used by those affiliates.” Id.

[xliii] 12 C.F.R. § ___.22(b). The consumer’s opt-out is effective “beginning when the consumer’s opt-out election is received and implemented.” Id.

[xliv] 12 C.F.R. § ___.27(a)(1).

[xlv] 12 C.F.R. § ___.27(a)(3).

[xlvi] 12 C.F.R. § ___.22(c).

[xlvii] 12 C.F.R. § ___.22(a)(1).

[xlviii] 12 C.F.R. § ___.22(a)(2)(i) (emphasis added).

[xlix] 12 C.F.R. § ___.22(a)(2)(ii)

[l] 12 C.F.R. § ___.22(a)(3)(i).

[li] 12 C.F.R. § ___.22(a)(3)(ii)(A).

[lii] 12 C.F.R. § ___.22(a)(5)(i). The Supplementary Information indicates that “where a consumer was not given an opt-out notice in connection with the initial continuing relationship because eligibility information obtained in connection with that continuing relationship was not shared with affiliates for use in making solicitations, an opt-out notice provided in connection with a new continuing relationship would have to apply to any eligibility information obtained in connection with the terminated relationship that is to be shared with affiliates for use in making future solicitations.” 72 Fed. Reg. at 62,930.