Staff of the Federal Trade Commission has developed the following Additional Frequently Asked Questions ("AFAQs") to assist mortgage brokers in complying with sections 502-09 of the Gramm-Leach-Bliley Act (GLB Act) and the FTC's Privacy Rule. These AFAQs illustrate how select provisions of the Commission's Privacy Rule apply to specific situations a mortgage broker may confront. However, they do not address all provisions that may apply to any given situation and should be read in conjunction with the general FAQs and other materials available on the FTC's website at www.ftc.gov/privacy/glbact/index.html. Additionally, this staff guidance does not address mortgage brokers' obligations under section 501 of the GLB Act and the FTC's Safeguards Rule or the applicability of the Fair Credit Reporting Act or any other federal or state law that may pertain to the questions and answers. Staff may supplement or revise these AFAQs as necessary or appropriate in light of further questions and experience.

1. I am a mortgage broker. Am I a financial institution subject to the Privacy Rule?

Yes. Mortgage brokers are financial institutions because brokering loans is a financial activity referenced in section 4(k)(4)(F) of the Bank Holding Company Act and listed in 12 C.F.R. § 225.28(b)(1). See 15 U.S.C. § 6809(3); 16 C.F.R. § 313.3(k)(2)(xi). Mortgage brokers are subject to the FTC's enforcement authority, its Privacy Rule, and its Safeguards Rule. See 15 U.S.C. § 6805(a)(7); 16 C.F.R. § 313.1(b). The Privacy Rule applies when individuals seek your assistance in obtaining mortgage loans that are primarily for personal, family, or household purposes. Under the Privacy Rule, you establish a customer relationship when an individual enters into an agreement or understanding with you whereby you undertake to arrange or broker a residential mortgage loan for him or her. See 16 C.F.R. § 313.3(i)(2)(i)(E). You also establish a customer relationship when an individual provides any personally identifiable financial information to you in an effort to obtain a residential mortgage loan through you. See 16 C.F.R. § 313.4(c)(3)(i)(E).

 

2. When an individual is interested in a residential mortgage loan, I often have them come into the office and provide application information to me in person. May I deliver a privacy notice at the same time as individuals provide this type of information to me in person?

Yes. The Privacy Rule requires that you provide an initial privacy notice not later than when the customer relationship is established. See 16 C.F.R. § 313.4(a). A customer relationship is established as soon as an individual provides personally identifiable financial information to you in an effort to obtain a mortgage loan through you. See 16 C.F.R. § 313.4(c)(3)(i)(E). That means that you must deliver a privacy notice before or at the same time as the individual provides such information in person.

3. My website invites individuals to submit applications for residential mortgage loans online. May I deliver an initial privacy notice at the same time as individuals submit their application information online?

Yes. The Privacy Rule requires that you provide an initial privacy notice not later than when the customer relationship is established. See 16 C.F.R. § 313.4(a). A customer relationship is established as soon as an individual submits application information to you. See 16 C.F.R. § 313.4(c)(3)(i)(E). As a result, you must deliver a privacy notice not later than when the information is submitted. See 16 C.F.R. § 313.4(a). You may deliver a notice to online applicants by posting your current privacy notice clearly and conspicuously on your website if the applicants acknowledge its receipt not later than when they submit their application information. See 16 C.F.R. § 313.9(b)(1)(iii). You must also provide the notice so that your customers can retain it or obtain it later. See 16 C.F.R. § 313.9(e). One way of doing this is to make your current privacy notice available on your website for online applicants who agree to receive the notice at the website.

 

4. I take residential mortgage applications over the phone without meeting the applicants face-to-face. Under the Privacy Rule may I deliver an initial privacy notice after these individuals give me their personally identifiable financial information?

Subsequent delivery is permitted under certain circumstances. The Privacy Rule permits subsequent delivery of notices within a reasonable time after you establish a customer relationship if (1) providing notice not later than when you establish the customer relationship would substantially delay the customer's transaction, and (2) the customer agrees to receive the notice at a later time. See 16 C.F.R. § 313.4(e). Note, however, that if you delay delivering your initial notice to a customer, you may not disclose that customer's nonpublic personal information to any nonaffiliated third party (except as permitted by the exceptions under §§ 313.14 and 313.15 of the Privacy Rule) before you provide the notices and a reasonable opportunity to opt out, in accordance with §§ 313.7 and 313.10 of the Privacy Rule.

 

5. Do I need to provide an annual privacy notice to an individual who has obtained a mortgage loan through me if we're no longer in communication?

No. An individual who has obtained a loan through you becomes a former customer when you no longer provide any statements or notices to the customer concerning that relationship. (Likewise, a customer who ceases using your services without obtaining a loan through you becomes a former customer.) See 16 C.F.R. § 313.5(b)(2)(iv). You are not required to provide an annual notice to a former customer. However, you may need to provide a revised privacy notice and opt out notice if you intend to disclose nonpublic personal information about a former customer other than as described in the initial privacy notice that you provided. See 16 C.F.R. § 313.8.

 

6. In order to obtain loans for my customers, I share nonpublic personal information with lenders and credit reporting agencies, and my privacy notice notifies my customers that I make disclosures as permitted by law. Am I required to allow my customers to opt out of this type of information sharing?

No. The Privacy Rule allows you to disclose nonpublic personal information about your customers without providing them a reasonable opportunity to opt out under certain circumstances. These exceptions to the opt out requirement are described at §§ 313.13 through 313.15 of the Privacy Rule. Pursuant to § 313.14, you do not need to allow your customers to opt out of disclosures that are necessary for processing or administering financial transactions that they have requested or authorized. This would include, for example, disclosures to a prospective lender where your customer has authorized you to look for a mortgage loan and the disclosure is necessary to broker the loan. Further, the exceptions under § 313.15 include disclosures of information to a consumer reporting agency that are made in accordance with the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.