WASHINGTON-Regulators and financial institutions are scurrying about in an attempt to get matters in order before the July 1 effective date for the privacy regulations promulgated under the Gramm-Leach-Bliley Act The five federal bank, thrift, and credit union regulators jointly released a legal opinion letter recently stating that a financial institution may not disclose unencrypted consumer account numbers to an unaffiliated third party other than credit reporting agencies under the Gramm-Leach-Bliley Act. "The primary reason a marketer seeks access to a customer's account number is to allow the marketer to initiate a charge to the customer's account as part of the transaction," the letter read. "We believe that interpreting the Act to consider marketing to have ended at the time the customer accepts the product would substantially undermine the prohibition, effectively limiting its application to the sharing of account numbers for tracking purposes while not denying third party marketers access to customer accounts." The agencies note that the law allows for no exceptions to this provision. However, the act permits the agencies to create exceptions to this section of the law. The agencies, whose regulations are substantively similar, permit only two exceptions: a financial institution is permitted to disclose account numbers to its own agents for the purpose of marketing its own products and services or to partners in a private label credit card or affinity program. "The privacy rule makes clear that the statutory prohibition focuses on restricting access (agencies' emphasis) to customer accounts," the opinion letter reads. "Accordingly, the financial institution itself must retain control of its customer account numbers." However, financial institutions may share account numbers to which third parties cannot post charges and encrypted account numbers for identification and tracking purposes. CUNA Senior Vice President and Associate General Counsel for Regulatory Compliance Kathy Thompson said that CUNA supports this clarification to the privacy rules. "Basically the privacy law is a disclosure law. This is the absolute one prohibition of sharing account numbers for marketing purposes, even, in this case, if you have a joint marketing agreement," she explained. On the other hand credit unions are not pleased with one question in a proposed Q&A regarding privacy that the regulators may issue. Thompson said, the regulator's Q&A asks, "What does jointly mean?" The A, rather than the Q, is what CUNA finds troublesome. "The agencies are considering putting out a Q&A that would tell banks and credit unions that have contract arrangements with other financial institutions that the consumer getting a promo from this third-party…will have to…be able to figure out where the company got their name," Thompson explained. "This is nothing that was anticipated in the regulation that was finalized over a year ago." She added that CUNA felt that the agencies should have either addressed the issue a year ago or should be subject to notice and comment. "This is an issue that we're concerned that suddenly may appear in mid-June, days before the July 1 effective date and it would create logistical problems at the least," Thompson said. She has been in contact with her counterparts at the banking trade associations, who also questioned this interpretation. "This is a potential clarification that we're trying to cut off at the pass," she said. NAFCU also did not report any problems with the regulators' opinion expressed in the letter. "We haven't heard from any of our members and the letter seems to conform to the statutory language," NAFCU Communications Manager John Zimmerman said. In other privacy news, the Office of the Comptroller of the Currency (OCC) has released its privacy examination guidelines, which are expected to be very similar to how the credit union examination should look. According to the OCC, the examination objectives are to assess the quality of the institutions compliance management policies; determine the reliance that can be placed on the financial institution's internal controls; determine the institution's compliance in creating policies and notices, disclosure, honoring opt-out directions, and other areas of the privacy reg; and initiating corrections as necessary. Additionally, the federal financial institution regulatory agencies are working jointly on small entity compliance guide for privacy. Too little, too late, according to Thompson. "I said, I think it's a wonderful program but I think you're a little late. We're already into June and you haven't released it," she said. It is expected to be out very shortly. -

[email protected]