E. Other Federal Laws and Guidelines
5. Gramm-Leach-Bliley Act (GLB) - Privacy, FTC Safeguard Rules and Do-Not-Call
f. Permissible hours for telephone calls
Without a consumer's prior consent, it is an abusive telemarketing act or practice for a telemarketer to call a person's residence at any time other than between 8:00 a.m. and 9:00 p.m. local time at the called person's location.
i. Purpose of the National Do-Not-Call Registry
The Do-Not-Call Implementation Act authorized the creation of a national Do-Not-Call Registry that enables consumers to register their phone numbers (including cell phone numbers) as numbers not to be called by telemarketers. Once registered, a phone number remains on the list until it is removed or service is discontinued. The FTC Telemarketing Sales Rules as they relate to the Do-Not-Call Registry are administered jointly by the FTC and the Federal Communications Commission (FCC).
d. Requirement for written privacy policy disclosures (Safeguards Rule)
A financial institution must have a written information security program that is appropriate to its size and complexity, to the nature and scope of its activities, and to the sensitivity of the customer information it handles. As part of its program, the financial institution must:
- assign one or more employees to oversee the program.
- conduct a risk assessment.
- put safeguards in place to control the risks identified in the assessment and regularly test and monitor them.
- require service providers, by written contract, to protect customers' personal information.
- periodically update its security program.
j. Permissible solicitation scenarios
An established business relationship means a relationship between the company and a consumer based on the consumer's:
- purchase, rental or lease of the seller's goods or services or a financial transaction between the consumer and seller, within the 18 months immediately preceding the date of a telemarketing call; or
- inquiry or application regarding an offered product or service, within the three months immediately preceding the date of a telemarketing call.
l. Retention of information after a solicitation
Any seller or telemarketer must keep records relating to its telemarketing activities for a period of 24 months from the date the record is produced, including:
- all advertising, brochures, telemarketing scripts, and promotional materials.
- the name and last known address of each customer.
- the goods or services purchased.
- the date the goods or services were shipped or provided.
- the amount paid by the customer for the goods or services.
- for all current and former employees directly involved in telephone sales or solicitations:
  - the employee's name.
  - any fictitious name used, if fictitious names are permitted by the telemarketer. Each fictitious name must be traceable to only one specific employee.
  - the last known home address and telephone number.
  - the employee's job title.
- all verifiable authorizations or records of express informed consent or express agreement legally required to be provided or received.
- the name and last known address of each prize recipient and the prize awarded for prizes with a value of $25 or more.
b. Permissible use of non-public information regarding a customer
However, with full disclosure to the consumer and a contractual confidentiality agreement, a financial institution can provide nonpublic personal information to a nonaffiliated third party to perform services for it or perform functions on its behalf. A financial institution may, for example, share information with CRAs or with service providers that will assist it in marketing its own products or services, or financial products or services offered under joint agreements with other financial institutions. Therefore, a lender may disclose customer information to a service provider that will mail account statements and will use the information only for the limited purpose of mailing those statements, but the lender may not sell the information to other organizations or use it for marketing
c. Purpose of Act
In order to protect the privacy of consumer information, the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA) and Regulation P implementing it require a financial institution to give consumers privacy notices that explain its information-sharing practices. In turn, consumers have the right to limit some, but not all, sharing of their information. GLBA applies to financial institutions (i.e., companies that offer to individuals financial products or services, such as loans, financial or investment advice, or insurance). The transfer to the CFPB of the enforcement and rulemaking authority over these privacy provisions in the GLBA occurred on July 21, 2011.
e. Acceptable delivery methods for a privacy notice
It may be delivered by mail, in person or by posting on the institution's website, provided the consumer acknowledges receipt of the notice in order to obtain a particular financial product or service. It cannot be delivered by only an oral explanation, either in person or over the telephone.
a. Non-public information regarding a customer
Nonpublic personal information (NPI) is any personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service. It includes any information:
- provided by an individual to get a financial product or service (e.g., name, address, income, Social Security number, or other information on an application).
- obtained about an individual from a transaction involving a financial product or service, such as the fact that an individual is a consumer or customer of a particular product or service, account numbers, payment history, loan or deposit balances, and credit or debit card purchases.
- obtained about an individual in connection with providing a financial product or service, such as information from court records or from a consumer report.