Regulations

Prove a lawful, transparent, and secure basis for each personal-data use.

Disclose data practices and support California privacy choices.

Be accountable for fair, consent-based collection, use, retention, and access.

Detect, assess, notify, and remediate quickly under state-specific deadlines.

Send commercial electronic messages only with consent, identification, and unsubscribe controls.

Make outbound emails truthful, identifiable, and easy to opt out of.

Do not call or text unless the consent trail supports the outreach method.

Screen out under-13 respondents unless a study is built for parental notice, consent, and controls.

Do not accept PHI unless the legal basis, contract, and safeguards are set first.

Collect verification clips only with explicit notice, narrow purpose, strict retention, and controlled client access.

Do not make privacy, security, AI, or quality promises unless operations can prove them.

Use nonpublic personal information only to perform the bank-authorized service and protect it under bank-grade safeguards.

Make research representative and explainable without enabling discrimination in credit access or terms.

Do not let research create misleading, coercive, unsupported, or unfair consumer outcomes for the bank.

Do not draft, simplify, or change credit-cost claims unless the bank has approved the disclosure and advertising treatment.

Use credit and eligibility data only for the bank-approved research purpose and keep it out of ordinary deliverables.

Present lease cost, term, and obligation information only in the form the bank has approved under Regulation M.

Present EFT rights, error-resolution procedures, and liability disclosures only in bank-approved form — never substitute or paraphrase Reg E language.

Use only bank-approved billing error and dispute language in stimuli — never paraphrase a consumer's statutory dispute rights.

Ensure no research material, script, or concept mimics, tests, or recommends a communication that would constitute a prohibited debt collection practice.

Ensure research materials do not blur the distinction between FDIC-insured deposits and non-deposit products sold at bank locations.

Present deposit account rates, yields, and fees only in the form the bank has approved under Regulation DD — never independently simplify or restate APY.

Apply heightened care and additional disclosure review to any research touching servicemember credit, allotments, or financial well-being.

Only test alternative mortgage disclosures and concepts using bank-approved, federally pre-empted terms — never draft or simplify them independently.

Use only bank-approved PMI cancellation and termination language in research stimuli — never state PMI rights independently.

Handle HMDA data only for the approved fair-lending or market-research purpose; surface disparate patterns and flag them to the bank.

Only test high-cost mortgage disclosures using bank-approved copy; never independently characterize whether a loan is high-cost.

Use only bank-approved TRID disclosure copy in research stimuli and never draft or simplify Loan Estimate or Closing Disclosure language independently.

Do not facilitate or simulate unlicensed mortgage origination activity in research; validate MLO respondent credentials when studies depend on them.

Do not substitute research stimuli for required ILSFDA property reports or let concept-test materials misstate material land or development facts.