A question we received from a client: The CFPB’s standard Privacy Notice used by banks defines an “affiliate” as: “Companies related by common ownership or control. They can be financial and nonfinancial companies.” The Privacy regulation defines an “affiliate” as: “Any company that controls, is controlled by, or is under common control with another company.” I have not seen banks list their holding company (an affiliate) on their Privacy Notice. Shouldn’t the bank use the Privacy Regulation’s definition of an affiliate and list its holding company as an affiliate on its Privacy Notice?
Under Reg P, 12 CFR 1016.3(a)(1), “affiliate” means any company that controls, is controlled by, or is under common control with another company, so a holding company would be considered an affiliate. However, 1016.6(a)(3) requires disclosure, in the privacy notice, of the categories of affiliates to whom the bank discloses nonpublic personal information (NPI). The regulation does not require every affiliate to be listed by name in the privacy notice; rather, categories with illustrative examples are required. Some banks might list specific affiliates and some banks might be more general. 1016.6(c)(3) gives examples of how to disclose affiliates in the privacy notice: “Categories of affiliates and nonaffiliated third parties to whom you disclose. You satisfy the requirement to categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information if you list the following categories, as applicable, and a few examples to illustrate the types of third parties in each category.”
(i) Financial service providers, followed by illustrative examples such as mortgage bankers, securities broker-dealers, and insurance agents;
(ii) Non-financial companies, followed by illustrative examples such as retailers, magazine publishers, airlines, and direct marketers; and
(iii) Others, followed by examples such as nonprofit organizations.