Subpart C of Regulation V implements the affiliate marketing provisions in section 624 of the FCRA (added by section 214 of the FACT Act), which generally prohibit a person from using information received from an affiliate to make a marketing solicitation to a consumer unless the consumer is given notice and a reasonable opportunity and a reasonable and simple method to opt out of such solicitations. Institutions are permitted to share two types of consumer information with their affiliates without incurring the obligations of consumer reporting agencies:

The regulation explains how to comply with the requirements concerning sharing of information with affiliates, addressing such matters as the content and delivery of the notice to consumers that “other” information may be communicated (the opt-out notice).

Subpart D of Regulation V, effective April 1, 2006, implements section 411 of the FACT Act, which generally limits creditors’ ability to obtain or use medical information in connection with determinations about credit eligibility, consumer reporting agencies’ ability to disclose medical information, and institutions’ ability to share medical information among affiliates.

The regulation creates exceptions to the general statutory prohibition against creditors’ obtaining or using medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. It sets out those purposes determined to be necessary and appropriate, permitting creditors to obtain and use medical information that is typically considered in credit underwriting. Creditors are not prohibited from obtaining or using medical information for purposes that are not connected with credit-eligibility determinations.

The sharing of medically related information with affiliates is restricted if that information meets the definition of consumer report in section 603(d)(1) of the FCRA. The standard exclusions from the definition contained in section 603(d)(2)—such as sharing transaction or experience information among affiliates or sharing other information among affiliates after notice and an opportunity to opt out—do not apply if medically related information is disclosed to an affiliate. Medically related information includes medical information as well as an individualized list or description based on payment transactions for medical products or services, and an aggregate list of identified consumers based on payment transactions for medical products or services.

Under section 604(g)(4) of the FCRA, any person that receives medical information from an affiliate pursuant to an exception in section 604(g)(3) or from a consumer reporting agency under section 604(g)(1) must not disclose that information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order.

Subpart I, which implements section 315 of the FACT Act, provides guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy. Subpart I also implements section 216 of the FACT Act, which requires each financial institution to develop and maintain, as part of its information security program, appropriate controls to ensure that it disposes of “consumer information” derived from a consumer report in accordance with the requirements laid out in the Interagency Guidelines Establishing Information Security Standards. The term consumer information means “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the [institution] for a business purpose.” The term also includes a compilation of such records. It does not, however, include “any record that does not identify an individual.”

Subpart J implements section 114 of the FACT Act, which requires that financial institutions and creditors have an identity theft prevention program to address accounts most prone to identity theft. Only those financial institutions and creditors that offer or maintain “covered accounts” must develop and implement a written program. A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which identity theft poses a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor. Financial institutions and creditors must periodically determine whether they offer or maintain a “covered account.”

Appendix B provides model notices that a financial institution may use to comply with the requirement to provide a customer with a clear and conspicuous written notice if it (1) extends credit and regularly and in the ordinary course of business furnishes information to a nationwide consumer reporting agency and (2) furnishes negative information to such an agency regarding credit extended to a customer. The Board’s model notices may be used by all financial institutions, as defined by section 217 of the FACT Act.