[Federal Register: June 1, 2000 (Volume 65, Number 106)]
[Rules and Regulations]
[Page 35161-35236]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr01jn00-30]
[[Page 35161]]
-----------------------------------------------------------------------
Part II
Department of the Treasury
-----------------------------------------------------------------------
Office of the Comptroller of the Currency
Office of Thrift Supervision
-----------------------------------------------------------------------
Federal Reserve System
Federal Deposit Insurance Corporation
-----------------------------------------------------------------------
12 CFR Parts 40, 216, 332, and 573
Privacy of Consumer Financial Information; Final Rule
[[Page 35162]]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 40
[Docket No. 00-10]
RIN 1557-AB77
FEDERAL RESERVE SYSTEM
12 CFR Part 216
[Docket No. R-1058]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 332
RIN 3064-AC32
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 573
[Docket No. 2000-45]
RIN 1550-AB36
Privacy of Consumer Financial Information
AGENCIES: Office of the Comptroller of the Currency (OCC), Treasury;
Board of Governors of the Federal Reserve System (Board); Federal
Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision
(OTS), Treasury.
ACTION: Joint final rule.
-----------------------------------------------------------------------
SUMMARY: The Office of the Comptroller of the Currency, Board of
Governors of the Federal Reserve System, Federal Deposit Insurance
Corporation, and the Office of Thrift Supervision, (collectively, the
Agencies) are publishing final privacy rules pursuant to section 504 of
the Gramm-Leach-Bliley Act (the GLB Act or Act). Section 504 authorizes
the Agencies to issue regulations as may be necessary to implement
notice requirements and restrictions on a financial institution's
ability to disclose nonpublic personal information about consumers to
nonaffiliated third parties. Pursuant to section 503 of the GLB Act, a
financial institution must provide its customers with a notice of its
privacy policies and practices. Section 502 prohibits a financial
institution from disclosing nonpublic personal information about a
consumer to nonaffiliated third parties unless the institution
satisfies various notice and opt-out requirements and the consumer has
not elected to opt out of the disclosure. These final rules implement
the requirements outlined above.
EFFECTIVE DATE: This joint rule is effective November 13, 2000.
However, compliance will be optional until July 1, 2001.
FOR FURTHER INFORMATION CONTACT:
OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Jeffery
Abrahamson, Attorney, Legislative and Regulatory Activities Division,
(202) 874-5090, or Mark Tenhundfeld, Assistant Director, Legislative
and Regulatory Activities Division, (202) 874-5090; Michael Bylsma,
Director, Community and Consumer Law, (202) 874-5750; Steve Van Meter,
Senior Attorney, Community and Consumer Law, (202) 874-5750; Karen
Furst, Policy Analyst, Economic and Policy Analysis, (202) 874-4509;
Paul Utterback, National Bank Examiner, Bank Supervision Policy, (202)
874-5461, Office of the Comptroller of the Currency, 250 E Street, SW.,
Washington, DC 20219.
Board: Oliver I. Ireland, Associate General Counsel, (202) 452-
3625, Stephanie Martin, Managing Senior Counsel, (202) 452-3198, or
Thomas Scanlon, Attorney, (202) 452-3594, Legal Division; or Adrienne
D. Hurt, Assistant Director, (202) 452-2412, Jane J. Gell, Managing
Counsel, (202) 452-3667, James H. Mann, Attorney, (202) 452-2412, or
Minh-Duc T. Le, Attorney, (202) 452-3667, Division of Consumer and
Community Affairs. For the hearing impaired only, contact Janice Simms,
Telecommunications Device for the Deaf (TDD) (202) 872-4984, Board of
Governors of the Federal Reserve System, 20th and C Streets, NW.,
Washington, DC 20551.
FDIC: James K. Baebel, Senior Review Examiner, Division of
Compliance and Consumer Affairs, (202) 736-0229; Deanna Caldwell,
Community Affairs Officer, Division of Compliance and Consumer Affairs,
(202) 736-0141; Robert A. Patrick, Counsel, Regulations and Legislation
Section, (202) 898-3757; Marc J. Goldstrom, Counsel, Regulations and
Legislation Section, (202) 898-8807; Marilyn E. Anderson, Senior
Counsel, Regulations and Legislation Section, (202) 898-3522; Nancy
Schucker Recchia, Counsel, Regulations and Legislation Section, (202)
898-8885, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429.
OTS: Christine Harrington, Counsel (Banking and Finance), (202)
906-7957, or Paul Robin, Assistant Chief Counsel, (202) 906-6648,
Regulations and Legislation Division; or Cindy Baltierra, Program
Analyst, Compliance Policy, (202) 906-6540, Office of Thrift
Supervision, 1700 G Street, NW., Washington DC 20552.
SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in
the following outline:
I. Background
II. Overview of Comments Received
III. Section-by-Section Analysis
IV. Guidance for Certain Institutions
V. Regulatory Analysis
A. Paperwork Reduction Act
B. Regulatory Flexibility Act
C. Executive Order 12866
D. Unfunded Mandates Act of 1995
I. Background
On November 12, 1999, President Clinton signed the GLB Act (Pub. L.
106-102) into law. Subtitle A of title V of the Act, captioned
Disclosure of Nonpublic Personal Information (codified at 15 U.S.C.
6801 et seq.), limits the instances in which a financial institution
may disclose nonpublic personal information about a consumer to
nonaffiliated third parties, and requires a financial institution to
disclose to all of its customers the institution's privacy policies and
practices with respect to information sharing with both affiliates and
nonaffiliated third parties. Title V also requires the Agencies, the
Secretary of the Treasury, the National Credit Union Administration
(NCUA), the Federal Trade Commission (FTC), and the Securities and
Exchange Commission (SEC), after consulting with representatives of
State insurance authorities designated by the National Association of
Insurance Commissioners, to prescribe such regulations as may be
necessary to carry out the purposes of the provisions in title V that
govern disclosure of nonpublic personal information.
The Agencies have prepared final rules to implement subtitle A that
are consistent and comparable to the extent possible, as is required by
the statute.\1\ The texts of the Agencies' proposed regulations are
substantively identical, and differ only with respect to the citations
of authority for each Agency's rulemaking and definitions appropriate
for institutions within each Agency's primary jurisdiction.
---------------------------------------------------------------------------
\1\ The NCUA, FTC, SEC, and the Treasury Department also have
participated in the rulemaking process, and the NCUA, FTC, and SEC
will separately issue comparable final rules.
---------------------------------------------------------------------------
II. Overview of Comments Received
On February 22, 2000, the Agencies published a joint notice of
proposed rulemaking (the proposal or proposed rule) in the Federal
Register (65 FR
[[Page 35163]]
8770).
\2\ The Agencies collectively received a total of 8,126 comments
in response to the proposal, although many commenters sent copies of
the same letter to each of the Agencies.\3\ Of these, several thousand
were received from individuals, virtually all of whom encouraged the
Agencies to provide greater protection of individuals' financial
privacy. Many individuals noted their concerns generally about the loss
of privacy and the receipt of unwanted solicitations by marketers. A
large number of individuals also requested the Agencies to support
legislation that the commenters believe would provide additional
protections.
---------------------------------------------------------------------------
\2\ The NCUA, FTC, and SEC published separate proposed rules on
different dates. These proposed rules, which were consistent and
comparable with the proposals published by the Agencies, appeared in
the Federal Register at 65 FR 10988 (March 1, 2000) (NCUA), 65 FR
11174 (March 1, 2000) (FTC), and 65 FR 12354 (March 8, 2000) (SEC).
\3\ The NCUA, FTC, and SEC received 99, 640, and 112 comments,
respectively, in response to their proposed rules.
---------------------------------------------------------------------------
Several letters were received from members of Congress. In two
letters signed by several members of the House of Representatives, the
Agencies were encouraged to exercise their rulemaking authority to
provide more protections than were proposed. Other Congressmen
requested, in separate letters, that the Agencies (a) create an
exception under limited circumstances to the prohibition against the
sharing of account numbers for marketing purposes, (b) ensure that
social security numbers are considered ``nonpublic personal
information,'' and (c) refrain from extending the effective date of the
rule.
The National Association of Insurance Commissioners (NAIC)
submitted a comment on behalf of the State insurance authorities that
generally supported the Agencies' proposed rule. The NAIC also proposed
various measures to provide certain protections for consumers, such as
specifying means to exercise the right to opt out of the disclosure of
information. The NAIC further advised the Agencies to clarify the
boundary of Federal and State jurisdiction over privacy regulations and
ensure that the financial privacy rules under the Act are compatible
with the privacy rules relating to medical information that are to be
issued by the Secretary of the Department of Health and Human Services
(HHS) under the Health Insurance Portability and Accountability Act
(HIPPA) of 1996.\4\
---------------------------------------------------------------------------
\4\ These proposed regulations were published for comment at 64
FR 59918 (Nov. 3, 1999).
---------------------------------------------------------------------------
Other comments were received from consumer groups and others
advocating that the Agencies extend privacy protections in a number of
ways, such as by requiring (a) financial institutions to provide
consumers with access to their information maintained by the
institutions and the opportunity to correct errors, (b) more detailed
disclosures of the information collected and disclosed, and (c)
disclosures of a financial institution's privacy policies and practices
earlier in the process of establishing a customer relationship. In a
letter signed by 33 State Attorneys General, the Agencies were
requested to add certain consumer protections to the disclosure
requirements and to the provision permitting financial institutions to
enter into joint marketing agreements.
The majority of the remainder of comments received by the Agencies
were from insured depository institutions or their representatives.
These commenters offered a large number of suggested changes, with the
most commonly advanced suggestions including: an extension of the
effective date of the rule; an amendment to the definition of
``nonpublic personal information'' to focus more clearly on
``financial'' information; a streamlining of information required in
the initial and annual disclosures; a clarification of how one or more
of the statutory exceptions operate; an exclusion from, or
clarification of, the definitions of ``consumer'' and ``customer'' in
various contexts; and the addition of flexibility to provide initial
notices at some point other than ``prior to'' the time a customer
relationship is established.
Representatives of a wide variety of other interests, including the
health care industry, retail merchants, insurance companies, securities
firms, private investigators, and higher education, also suggested
changes to the proposed rule.
The Agencies have modified the proposed rule in light of the
comments received. These comments, and the Agencies' responses thereto,
are discussed in the following section-by-section analysis. As was done
in the preamble discussion of the proposal, the citations are to
sections only, leaving citations to the part numbers used by each
Agency blank. Following the section-by-section analysis, the Agencies
have provided guidance for certain institutions that is intended to
provide additional guidance on how these institutions may comply with
the rule in a way that avoids unnecessary burden.
III. Section-by-Section Analysis
As an initial matter, the Agencies note that the final rule, unlike
the proposal, presents the various sections in subparts that consist of
related sections. This change was made to group related concepts
together and thereby make the rule easier to follow. A derivation table
is included following this preamble to assist readers in locating
provisions as set out in the proposal. The Agencies also have added an
Appendix A to the final rule, setting out sample disclosures for
financial institutions to consider.
Section __.1 Purpose and Scope
Proposed Sec. __.1 identified the purposes and scope of the rules.
As stated in the proposal, the rule is intended to require a financial
institution to provide notice to customers about its privacy policies
and practices; to describe the conditions under which a financial
institution may disclose nonpublic personal information about consumers
to nonaffiliated third parties; and to provide a method for consumers
to prevent a financial institution from disclosing that information to
certain nonaffiliated third parties by ``opting out'' of that
disclosure, subject to various exceptions as stated in the rule. The
Agencies invited comment on whether the rules should apply to foreign
financial institutions that solicit business in the United States but
that do not have an office in the United States.
Most of the comments received on this section focused on the scope
of the rules. Several commenters suggested that the Agencies clarify
how the rule applies to insurance companies. The Agencies note that
section 505 of GLB Act, which sets out the enforcement authority of the
Agencies, extends this authority to subsidiaries of entities within
each Agency's primary jurisdiction. That section then explicitly
excludes ``persons providing insurance'' from each Agency's enforcement
authority (and, by operation of section 504(a)(1) of GLB Act, from the
Agencies' rulemaking authority). The Agencies affected by this
provision have concluded that the exclusion of ``persons providing
insurance'' is not intended to remove insurance activities conducted
directly by an insured depository institution from the scope of the
rule. Consistent with this reading of the statute, each Agency's final
rule states that the exclusion of persons providing insurance applies
only to persons doing so in a subsidiary of an entity within the
primary jurisdiction of that Agency. See Sec. 40.1(b) (OCC rule);
Sec. 216.3(q) (Board rule); Sec. 332.3(q) (FDIC rule); and
Sec. 573.1(b) (OTS rule). The OTS notes that, while it regulates
savings and loan holding companies, a different Federal functional
regulator, a state insurance authority, or the FTC may enforce privacy
rules as to that holding company, under Sec. 505 of the
[[Page 35164]]
Act, depending on the nature of a savings and loan holding company's
activities.
Several other commenters asked that the final rule state that
certain transactions that are exempt from the coverage of the Truth in
Lending Act (TILA; 15 U.S.C. 1601 et seq.) and Regulation Z (Reg. Z, 12
CFR part 226) also be treated as beyond the scope of the privacy rule.
TILA and Reg. Z, which impose disclosure requirements on credit
extended to consumers under certain circumstances, exempt several
transactions, including those involving business, commercial, or
agricultural credit. 15 U.S.C. 1603(1); 12 CFR 226.3(a). The Agencies
agree that transactions that fit within the exemptions from TILA and
Reg. Z for these types of credit also would fall outside the scope of
the privacy rule, and have amended Sec. __.1(b) accordingly. Thus,
financial institutions may look at how this exemption is applied under
Reg. Z for guidance on the scope of covered transactions under the
privacy rule. It should be noted, however, that TILA exempts several
other types of transactions that would be covered under the privacy
rule if they are for the purpose of an individual obtaining a financial
product or service as that term is defined in the privacy regulation.
See 15 U.S.C. 1603(2) and (3).
A few commenters stated that the rule should apply to foreign
entities who solicit business from people in the United States. The
OCC, FRB, and FDIC each have been given explicit authority to enforce
the privacy rule with respect to foreign institutions within their
respective jurisdictions that have offices in the U.S. Those commenters
who favored applying the regulation to foreign offices of financial
institutions that do not have offices within the U.S. suggested that an
expanded scope would provide additional protections to consumers and
would eliminate what they perceive to be a competitive disadvantage of
domestic institutions. While the Agencies support consistent
protections for consumers regardless of the entity from whom a
financial product or service is obtained, at this stage the Agencies do
not believe that it is appropriate to attempt to apply the rule to
offshore offices of financial institutions.
Several comments suggested that the rule should not apply to
entities that must comply with regulations issued by HHS that implement
HIPAA. Given the broad definition of ``financial institution'' under
the GLB Act, certain entities, such as health insurers, are subject to
these privacy rules as well as rules promulgated under HIPAA regarding
the appropriate handling of protected health information. Accordingly,
financial institutions may be covered both by this privacy rule and by
the regulations promulgated by HHS under the authority of sections 262
and 264 of HIPAA once those regulations are finalized. Based on the
proposed HIPAA rules, it appears likely that there will be areas of
overlap between the HIPAA and financial privacy rules. For instance,
under the proposed HIPAA regulations, consumers must provide
affirmative authorization before a covered institution may disclose
medical information in certain instances whereas under the financial
privacy rules, institutions need only provide consumers with the
opportunity to opt out of disclosures. In this case, the Agencies
anticipate that compliance with the affirmative authorization
requirement, consistent with the procedures required under HIPAA, would
satisfy the opt out requirement under the financial privacy rules.
After HHS publishes its final rules, the Agencies will consult with HHS
to avoid the imposition of duplicative or inconsistent requirements.
Section __.2 Rule of Construction
Proposed Sec. __.2 of the rules set out a rule of construction
intended to clarify the effect of the examples used in the rules. As
noted in the proposal, these examples are not intended to be
exhaustive; rather, they are intended to provide guidance about how the
rules would apply in specific situations.
Commenters generally agreed that examples are helpful in clarifying
how the rule will work in specific circumstances and suggested that the
Agencies should include more examples. Many commenters requested the
Agencies to provide examples of model disclosures. Commenters also
generally agreed that it is useful to state that the list of examples
is not intended to be exhaustive, and that compliance with one of the
examples would be deemed compliance with the regulation. A few
commenters suggested that the regulation state that a financial
institution is not obligated to comply with an example but has the
latitude to comply with the general rules in other ways. Others stated
that the examples ought to be identical in each privacy regulation
adopted by the Agencies, the FTC, NCUA, and SEC.
The Agencies believe that more examples would be helpful, and have
included additional examples in appropriate places throughout the rule.
The Agencies also have provided sample clauses in Appendix A to each
Agency's rule to aid financial institutions in their drafting of
privacy notices. The sample clauses are provided to illustrate the
level of detail the Agencies believe is appropriate. The Agencies
caution financial institutions against relying on the sample
disclosures without determining the relevance or appropriateness of the
disclosure for their operations. The Agencies have used statutory
terms, such as ``nonpublic personal information'' and ``nonaffiliated
third parties,'' in the sample clauses to convey generally the subject
of the clauses. However, a financial institution that uses these terms
must provide sufficient information to enable consumers to understand
what these terms mean in the context of the institution's notices.
Moreover, the Agencies note that, in providing the sample disclosures,
the Agencies are addressing solely the level of detail required and are
not attempting to provide guidance on issues such as type size, margin
width, and so on.
The Agencies have not added a statement in the final rule regarding
a financial institution's ability to comply with the rule in ways other
than as suggested in the examples, but instead retain the statement
that the examples are not exclusive. The rule also states that
compliance with the examples will constitute compliance with the rule.
The Agencies believe that, when read together, these provisions give
financial institutions sufficient flexibility to comply with the
regulation but also sufficient guidance about the use of examples.
The Agencies note that an example that mentions a particular
activity does not, by itself, authorize a financial institution to
engage in that activity. Any such authority must have a different
source.
Section __.3 Definitions
a. Affiliate
The proposal adopted the definition of ``affiliate'' that is used
in section 509(6) of the GLB Act. An affiliation exists when one
company ``controls'' (which is defined in Sec. __.3(g), below), is
controlled by, or is under common control with another company. The
definition includes both financial institutions and entities that are
not financial institutions.
The Agencies received comparatively few comments in response to
this definition. One commenter requested that the final rule state that
a bank service company will be deemed to be an affiliate of every bank
that has an interest in it. The Agencies have declined to adopt this
suggestion. If the
[[Page 35165]]
relationship between a financial institution and a bank service company
satisfies the test for affiliation set out in the statute and
regulation, then an affiliation exists.
In light of the comparatively few comments received and the nature
of those comments, the Agencies adopt the definition of ``affiliate''
as proposed.
b. Clear and Conspicuous
Under the proposed rules, various notices must be ``clear and
conspicuous.'' The proposed rules defined this term to mean that the
notice must be reasonably understandable and designed to call attention
to the nature and significance of the information contained in the
notice. The proposal did not mandate the use of any particular
technique for making the notices clear and conspicuous, but provided
examples of how a notice may be made clear and conspicuous. As noted in
the preamble to the proposed rule, each financial institution retains
the flexibility to decide for itself how best to comply with this
requirement.
The Agencies received a large number of comments on this proposed
definition. Several commenters favored adopting the definition as
proposed, with some of these advocating that the final rule add a
requirement that disclosures be on a separate piece of paper in order
to ensure that they will be conspicuous. Others stated that the
definition was unnecessary, given the experience financial institutions
have in complying with requirements that disclosures mandated by other
laws be clear and conspicuous. Several commenters maintained that the
rule proposed is inconsistent with requirements in other consumer
protection regulations such as Reg. Z and the Truth in Savings
regulation (Regulation DD, 12 CFR part 230), which require only that a
disclosure be reasonably understandable. Many of these commenters
expressed concern that the examples would invite litigation because of
ambiguities inherent in terms used in the examples in the proposed rule
such as ``ample line spacing,'' ``wide margins,'' and ``explanations *
* * subject to different interpretations.'' A few commenters questioned
how the requirement would work in a document that contains several
disclosures that each must be clearly and conspicuously disclosed,
while others raised questions about how a disclosure may be clear and
conspicuous on a website. These comments are addressed below.
New standard for ``clear and conspicuous.'' The Agencies recognize
that the proposed definition develops the concept of ``clear and
conspicuous'' beyond what is currently understood by the term. However,
the Agencies added the phrase ``designed to call attention to the
nature and significance of the information contained'' to provide
meaning to the term ``conspicuous.'' The Agencies believe that this
standard, when coupled with the existing standard requiring that a
disclosure be readily understandable, likely will result in notices to
consumers that communicate effectively the information needed by
consumers to make an informed choice about the privacy of their
information, including whether to transact business with a financial
institution.
The standard for clear and conspicuous adopted by the Agencies in
this rulemaking applies solely to disclosures required under the
privacy rules. Disclosures governed by other rules requiring clear and
conspicuous disclosures (such as Reg. Z) are beyond the scope of this
rulemaking.
Examples of ``clear and conspicuous.'' The Agencies recognize that
many of the examples are imprecise. The Agencies believe, however, that
more prescriptive examples, while perhaps easier to conform to, likely
would result in requirements that would be inappropriate in a given
circumstance. To avoid this result, the examples provide generally
applicable guidance about ways in which a financial institution may
make a disclosure clear and conspicuous. The Agencies note that the
examples of how to make a disclosure clear and conspicuous are not
mandatory. A financial institution must decide for itself how best to
comply with the general rule, and may use techniques not listed in the
examples. To address concerns about the imprecision of the examples,
the Agencies have incorporated several of the commenters' suggestions
in the final rule for ways to make the guidance more helpful.
Combination of several ``clear and conspicuous'' notices. A
document may combine several disclosures that each must be clear and
conspicuous. The final rule provides an example, in
Sec. __.3(b)(2)(ii)(E), of how a financial institution may make
disclosures conspicuous, including disclosures on a combined notice. In
order to avoid the potential conflicts envisioned by several commenters
between two different rules requiring that different sets of
disclosures each be provided clearly and conspicuously, the final rule
does not mandate precise specifications for how various disclosures
must be presented.
Because the Agencies believe that privacy disclosures may be clear
and conspicuous when contained in a document containing other
disclosures, the rule does not mandate that disclosures be provided on
a separate piece of paper. Such a requirement is not necessary and
would significantly increase the burden on financial institutions.
Disclosures on web pages. Several commenters requested guidance on
how they may clearly and conspicuously disclose privacy-related
information on their Internet sites. The Agencies recognize that
disclosures over the Internet present some issues that will not arise
in paper-based disclosures. There may be web pages within a financial
institution's website that consumers may view in a different order each
time they access the site, aided by hypertext links. Depending on the
customer hardware and software used to access the Internet, some web
pages may require consumers to scroll down to view the entire page. To
address these issues, the Agencies have included a statement in the
example in Sec. __.3(b)(2)(iii) concerning Internet disclosures
informing financial institutions that they may comply with the rule if
they use text or visual cues to encourage scrolling down the page if
necessary to view the entire notice and ensure that other elements on
the web site (such as text, graphics, hyperlinks, or sound) do not
distract attention from the notice. In addition, a financial
institution is to place either a notice or a conspicuous link on a page
frequently accessed by consumers, such as a page on which transactions
are conducted.
Given current technology, there are a range of approaches a
financial institution could take to comply with the rule. For example,
a financial institution could use a dialog box that pops up to provide
the disclosure before a consumer provides information to the
institution. Another approach would be a simple, clearly labeled
graphic located near the top of the page or in close proximity to the
financial institution's logo, directing the customer, through a
hypertext link or hotlink, to the privacy disclosures on a separate web
page.
For the reasons advanced above, the Agencies have adopted the
definition of ``clear and conspicuous,'' with the changes previously
described and with certain other changes intended to make the
definition easier to read.
c. Collect
The statute requires a financial institution to include in its
initial and annual notices a disclosure of the categories of nonpublic
personal
[[Page 35166]]
information that the institution collects. The proposal defined
``collect'' to mean obtaining any information that is organized or
retrievable on a personally identifiable basis, irrespective of the
source of the underlying information. This definition was included to
provide guidance about the information that a financial institution
must include in its notices and to clarify that the obligations arise
regardless of whether the financial institution obtains the information
from a consumer or from some other source.
Commenters suggested that the final rule treat information that is
not organized and retrievable in an automated fashion as not
``collected.'' This approach would exclude separate documents not
included in a file. The Agencies disagree that information should not
be deemed to be collected simply because it is not retrievable in an
automated fashion. The Agencies believe that the method of retrieval is
irrelevant to whether information should be protected under the rule.
The Agencies agree, however, that the scope of the regulation should be
refined, and have changed the definition of ``collect'' by using
language taken from the Privacy Act of 1974 (5 U.S.C. 552a).
Other commenters requested that the rule clarify that information
that is received by a financial institution but then immediately passed
along without maintaining a copy of the information is not
``collected'' as this term is used in the final rule. The Agencies
believe that merely receiving information without maintaining it would
not be ``collecting'' the information. The final rule reflects this by
stating that the information must be organized or retrievable by the
financial institution. Otherwise, the definition of ``collect'' is
adopted as proposed.
d. Company
The proposal defined ``company,'' which is used in the definition
of ``affiliate,'' as any corporation, limited liability company,
business trust, general or limited partnership, association, or similar
organization.
The Agencies received no substantive comments on this proposed
definition. Accordingly, the Agencies adopt the definition of
``company'' as proposed.
e. Consumer
The GLB Act distinguishes ``consumers'' from ``customers'' for
purposes of the notice requirements imposed by the Act. A financial
institution is required to give a ``consumer'' the notices required
under Title V only if the institution intends to disclose nonpublic
personal information about the consumer to a nonaffiliated third party
for purposes other than as permitted by section 502(e) of the statute
(as implemented by Secs. __.14 and __.15 of the final rule). By
contrast, a financial institution must give all ``customers'' a notice
of the institution's privacy policy at the time of establishing a
customer relationship and annually thereafter during the continuation
of the customer relationship.
The proposal defined ``consumer'' to mean an individual (and his or
her legal representative) who obtains, from a financial institution,
financial products or services that are to be used primarily for
personal, family, or household purposes. Because ``financial product or
service'' is defined to include the evaluation by a financial
institution of an application to obtain a financial product or service
(see further discussion of this point, below) a person becomes a
consumer even if the application is denied or withdrawn. An individual
also would be deemed to be a consumer for purposes of a financial
institution if that institution purchases the individual's account from
some other institution.
The Agencies received a large number of comments on this proposed
definition, raising questions about how the definition would apply in a
variety of situations. These comments are addressed below.
Distinction between ``consumer'' and ``customer.'' While many
agreed with the distinction drawn in the proposal between ``consumer''
and ``customer,'' a few commenters suggested that no distinction
between ``consumer'' and ``customer'' should be made, given that, in
these commenters'' views, the statute appears to use the terms
interchangeably. The Agencies believe, however, that the distinction
was deliberate and that the rule should implement it accordingly. A
plain reading of the statute supports the conclusion that Congress
created one set of protections (i.e., a financial institution's privacy
policy and opt out notice, and the right to opt out if a financial
institution intends to disclose nonpublic personal information to
nonaffiliated third parties) for anyone who obtains a financial product
or service and an additional set of protections (i.e., the initial
notices at the time of establishing a customer relationship and annual
notices thereafter) for anyone who establishes a relationship of a more
lasting nature than an isolated transaction with a financial
institution. Thus, the statute tailors the notice requirements to the
type of relationship an individual has with a financial institution.
This distinction is preserved in the final rule.
Applicants as consumers. Many of the comments on the proposed
definition of ``consumer'' disagreed that someone should be deemed a
consumer of a financial institution by virtue of the institution
evaluating that individual's application for a financial product or
service. These commenters maintained that the individual has not
obtained a financial product or service, as is required by the GLB Act.
The Agencies remain of the view, however, that it is consistent with
both the spirit and the letter of the Act to consider an individual as
having obtained a financial product or service when a financial
institution evaluates information provided to it from the individual
for the purpose of obtaining some other financial product or service.
Financial institutions routinely provide several services that are
integral to the delivery of a financial product. Frequently among these
services is the evaluation by the financial institution of information
provided by an individual. In certain instances, such as when an
individual is shopping for the best rate on a mortgage loan or the
lowest premium for an insurance policy, that evaluation may be the sole
financial product or service delivered. In other instances, that
evaluation may be one of several services provided in connection with
establishing a customer relationship. In some cases financial
institutions impose separate charges for considering applications or
assessing an individual's credit worthiness, recognizing both the cost
to the institution and the value to the individual of this service.
In addition to being consistent with the language of the statute,
the proposed definition of ``consumer'' is consistent with one of the
primary purposes of Title V of GLB Act, namely, to enable an individual
to limit the sharing of nonpublic personal information by a financial
institution with a nonaffiliated third party. The information provided
by a person to a financial institution before a customer relationship
is established is likely to contain the types of information that the
statute is designed to protect. This information is no less deserving
of protection simply because an application is denied or withdrawn. For
these reasons, the Agencies have retained within the definition of
``consumer'' individuals whose applications are evaluated by a
financial institution. See Sec. __.3(e)(2)(i).
Loan sales. Several commenters requested clarification of whether
an individual becomes a consumer in various other scenarios involving
loans.
[[Page 35167]]
Commenters posited a wide variety of examples, which, if each were to
be addressed specifically in the rule, would require a final rule of
enormous complexity and detail. The Agencies believe that a rule
setting forth a general principle that is flexible enough to be applied
in the array of loan transactions posited by the commenters is more
appropriate.
Towards this end, the Agencies have stated in the final rule, at
Sec. __.3(e)(2)(iv), that a person will be a consumer of any entity
that holds ownership or servicing rights to an individual's loan. (The
Agencies note that such a person may not be a customer, however; see
explanation of how the definition ``customer'' will be applied in the
loan context, in the discussion of the definition of ``customer''
below. See also Secs. __.4(c)(2) and__.4(c)(3)(ii) for further
discussion concerning when a borrower establishes a customer
relationship in the context of a loan sale.) The Agencies believe that
financial institutions that own or service a loan are providing a
financial product or service to the individual borrower in question. In
some cases, the product or service is the funding of the loan, directly
or indirectly. In other cases, the product or service is the processing
of payments, sending account-related notices, responding to consumer
questions and complaints about the handling of the account, and so on.
The final rule defines ``consumer'' in a way that covers individuals
receiving financial products or services in each of these situations.
Agents of financial institutions. Several commenters agreed with
the principle set out in the proposed rule that an individual should
not be considered to be a consumer of an entity that is acting as agent
for a financial institution. These commenters noted that the financial
institution that hires the agent is responsible for that agent's
conduct in carrying out the agency responsibilities. The Agencies agree
and continue to believe that the financial institution is the entity
that has a consumer relationship, even if it uses agents to help it
deliver its products or services. Accordingly, the proposed rule
retains the rule governing agents, with modifications made to improve
its clarity. See Sec. __.3(e)(2)(v).
Legal representative. The Agencies also agree with the suggestion
made by several commenters that the definition of ``consumer'' should
clarify that the obligations stemming from a consumer relationship may
be satisfied by dealing either with the individual who obtains a
financial product or service from a financial institution or that
individual's representative. The Agencies do not intend for the rule to
require a financial institution to send opt out and initial notices to
both the individual and the individual's legal representatives, and
have amended the final rule accordingly in Sec. __.3(e)(1).
Trusts. The Agencies received several comments concerning whether
an individual who obtains financial services in connection with trusts
is a consumer or customer of a financial institution. Several
commenters urged the Agencies to generally exempt a financial
institution from the requirements of the rule when it acts as a
fiduciary, or, in the alternative, clarify the categories of
individuals that are considered to be customers. Commenters proposed,
for example, that individuals who are beneficiaries with current
interests should be identified as customers, whereas individuals who
are only contingent beneficiaries should not be customers. Other
commenters stated that when the financial institution serves as trustee
of a trust, neither the grantor nor beneficiary is a consumer or
customer under the rule. In these commenters' view, the trust itself is
the institution's ``customer,'' and, therefore, the rule should not
apply to a financial institution when it acts as trustee. These
commenters also stated that when a financial institution is a trustee,
it serves as a fiduciary and is subject to other obligations to protect
the confidentiality of the beneficiaries' information that are more
stringent than those under the provisions in the GLB Act. Similarly,
these and other commenters claimed that an individual who is a
participant in an employee benefit plan administered or advised by a
financial institution does not qualify as a consumer or customer. The
commenters opined that the plan sponsor, or the plan itself, is the
``customer'' for the purposes of the proposed rule. These commenters
contended that plan participants have no direct relationship with the
financial institution and, in any event, the financial institution is
authorized to use information that would be covered under the GLB Act
only in accordance with the directions of the plan sponsor. The
commenters concluded, therefore, that the regulations should
specifically exclude individuals who are participants in an employee
benefit plan from the definition of customer.
The Agencies believe that the definition of ``consumer'' in the GLB
Act does not squarely resolve whether the beneficiary of a trust is a
consumer of the financial institution that is the trustee. The Agencies
agree with the commenters who concluded that, when the financial
institution serves as trustee of a trust, neither the grantor nor
beneficiary is a consumer or customer under the rule. Instead, the
trust itself is the institution's ``customer,'' and therefore, the rule
does not apply because the trust is not an individual. The Agencies
note that a financial institution that is a trustee assumes obligations
as a fiduciary, including the duty to protect the confidentiality of
the beneficiaries' information, that are consistent with the purposes
of the GLB Act and enforceable under state law. Accordingly, the
Agencies have excluded an individual who is a beneficiary of a trust or
a plan participant of an employee benefit plan from the definitions of
``consumer'' and ``customer.'' Nevertheless, the Agencies believe that
an individual who selects a financial institution to be a custodian of
securities or assets in an IRA is a ``consumer'' under the GLB Act. The
Agencies have included examples in the rule that appropriately
illustrate this interpretation of the GLB Act in Secs. __.3(e)(2)(vi)-
(viii) and Sec. __.3(i)(2)(i)(D).
Requirements arising from consumer relationship. While the proposed
and final rules define ``consumer'' broadly, the Agencies note that
this will not result in any additional burden to a financial
institution in situations where (a) no customer relationship is
established and (b) the institution does not intend to disclose
nonpublic personal information about a consumer to nonaffiliated third
parties. Under the approach taken in the final rule, a financial
institution is under no obligation to provide a consumer with any
privacy disclosures unless it intends to disclose the consumer's
nonpublic personal information to nonaffiliated third parties outside
the exemptions in Secs. __.14 and __.15. A financial institution that
wants to disclose a consumer's nonpublic personal information to
nonaffiliated third parties is not prohibited under the final rule from
doing so, if the requisite notices are delivered and the consumer does
not opt out. Thus, as it applies to consumers who are not customers,
the rule allows a financial institution to avoid all of the rule's
requirements if it chooses to do so. Conversely, if a financial
institution determines that the benefits of disclosing consumers'
nonpublic personal information to nonaffiliated third parties outweighs
the attendant burdens, the financial institution is free to do so,
provided it notifies consumers about the disclosure and affords them a
reasonable opportunity to opt out. In this way, the
[[Page 35168]]
rule attempts to strike a balance between protecting an individual's
nonpublic personal information and minimizing the burden on a financial
institution.
f. Consumer Reporting Agency
The proposal adopted the definition of ``consumer reporting
agency'' that is used in section 603(f) of the Fair Credit Reporting
Act (15 U.S.C. 1681a(f)). This term was used in proposed Secs. __.11
and __.13.
The Agencies received no comments suggesting any changes to this
definition. Accordingly, the definition is adopted as proposed. It is
used in Secs. __.6(f), __.12(a), and __.15(a)(5) of the final rule.
g. Control
The proposal defined ``control'' using the tests applied in section
23A of the Federal Reserve Act (12 U.S.C. 371c). This definition is
used to determine when companies are affiliated (see discussion of
Sec. __.3(a), above), and would result in financial institutions being
considered as affiliates regardless of whether the control is by a
company or individual.
The Agencies received few comments in response to this definition.
The one substantive suggestion received was to adopt a test focused
solely on percent of stock owned in a company so as to avoid the
uncertainties arising from a ``control in fact'' test. The Agencies
believe, however, that any test based only on stock ownership is
unlikely to be flexible enough to address all situations in which
companies are appropriately deemed to be affiliated. Accordingly, the
Agencies adopt the definition of ``control'' as proposed.
h. Customer
The proposal defined ``customer'' as any consumer who has a
``customer relationship'' with a particular financial institution. As
is explained more fully in the discussion of Sec. __.4, below, a
consumer is a customer of a financial institution when the consumer has
a continuing relationship with the institution.
The Agencies received a large number of comments on the definition
of ``customer'' and ``customer relationship.'' Given the
interdependence of the two terms, the following analysis of the
comments received will address both under the heading ``customer
relationship.''
i. Customer Relationship
The proposed rules defined ``customer relationship'' as a
continuing relationship between a consumer and a financial institution
whereby the institution provides a financial product or service that is
to be used by the consumer primarily for personal, family, or household
purposes. \5\ As noted in the proposal, a one-time transaction may be
sufficient to establish a customer relationship, depending on the
nature of the transaction. A consumer would not become a customer
simply by repeatedly engaging in isolated transactions that by
themselves would be insufficient to establish a customer relationship,
such as withdrawing funds at regular intervals from an ATM owned by an
institution at which the consumer has no account. The proposal also
stated that a consumer would have a customer relationship with a
financial institution that makes a loan to the consumer and then sells
the loan but retains the servicing rights. The Agencies received a
large number of comments on this definition, as discussed below.
---------------------------------------------------------------------------
\5\ As noted in the preamble to the proposed rule, ``customer''
may be defined differently for purposes of other regulations. See,
e.g., 12 CFR 7.4002.
---------------------------------------------------------------------------
Point at which one becomes a customer. The Agencies received many
comments in response to the definitions of ``customer'' and ``customer
relationship.'' Commenters criticized what they considered to be the
ill-defined line distinguishing consumers from customers. These
commenters stated that the proposed distinction makes it difficult for
a financial institution to know when the obligations attendant to a
customer relationship arise. Several suggested that the distinction
should be based on when a consumer and financial institution enter into
a written contract for a financial product or service.
The Agencies recognize that the distinction between consumers and
customers will, in some instances, require a financial institution to
make a judgment about whether a customer relationship is established.
In those cases where an individual engages in a transaction for which
it is reasonable to expect no further communication about that
transaction from the financial institution (such as ATM transactions,
purchases of money orders, or cashing of checks), the individual will
not have established a customer relationship as a result of that
transaction. In other situations where a consumer typically would
receive some measure of continued service following, or in connection
with, a transaction (such as would be the case when a consumer opens a
deposit account, borrows money, or obtains investment advice), a
customer relationship will be established. The Agencies believe that
the distinction set out in the proposed rule, as further clarified by
the examples in the final rule of when a customer relationship is, and
is not, established, provides a sufficiently clear line while retaining
flexibility to address less clear-cut situations on a case-by-case
basis.
Customer relationship defined by written contract. The Agencies
agree with those commenters who consider the execution of a written
contract by a consumer and financial institution as clear evidence that
a customer relationship has been established. The proposed rule cited
the execution of a written contract as an example of when a customer
relationship is established, and the final rule retains that example in
Sec. __.4(c)(3)(i)(B). However, a test based solely on whether there is
a written contract could inappropriately exclude situations in which an
individual is a customer of a financial institution as a result of
obtaining, for instance, financial, economic, or investment advisory
services from a financial institution. Accordingly, the final rule does
not define a customer relationship solely by the execution of a written
contract.
Use of ``isolated transaction'' test. The final rule also does not
define the distinction between consumer and customer based solely on
whether the transaction is an isolated event. The Agencies used this
concept in several examples in the proposed rule to illustrate one of
the factors that may go into whether a relationship is of a continuing
nature. Several commenters suggested that this approach was
insufficiently precise to serve as a workable distinction between
consumers and customers. The Agencies agree that the test may not be
useful in all instances, but believe that it will help clarify the
status of relationships in certain situations. Accordingly, the final
rule retains examples in Secs. __.3(i)(2)(ii)(A) and (C) that cite the
isolated nature of a given transaction as an indication that the
transaction in question does not establish a customer relationship.
Purchase of insurance. Other commenters suggested that, in the
context of financial institutions that engage in the sale of insurance
and that are regulated by the Agencies, the customer should be the
policyholder and not the beneficiary. The Agencies agree, and note that
the final rule retains the example Sec. __.3(i)(2)(i)(D) of purchasing
an insurance product as one situation in which a customer relationship
is formed. In this case, the person obtaining a financial product or
service from the financial institution is the person purchasing the
policy.
Sales of loans. As previously noted, several commenters raised
questions in the context of loan sales. Many commenters stated that,
under the final
[[Page 35169]]
rule, a person should not be considered a customer of two financial
institutions when the originating bank sells the servicing rights. A
point consistently made by these commenters was that a borrower would
be equally well protected with less risk of confusion if the borrower
is deemed to be a customer of only one entity in connection with a
loan, with that entity perhaps being the party with whom the borrower
communicates about the loan. The Agencies believe that it is
appropriate to consider a loan transaction as giving rise to only one
customer relationship, with the recognition that this customer
relationship may be transferred in connection with a sale of part or
all of the loan. In this way, the borrower will not be inundated by
privacy notices, many of which might be from secondary market
purchasers that the borrower did not know had any connection to his or
her loan. The Agencies note, however, that a customer will remain a
consumer of the entity that transfers the servicing rights, as well as
a consumer of any other entity that holds an interest in the loan.
In order to satisfy the statutory requirement that a customer
receive an annual notice from a financial institution until that
relationship terminates, the final rule provides that the borrower must
be deemed to have a customer relationship with at least one of the
entities that hold an interest in the loan. In the case of a financial
institution that makes a loan, retains it in its portfolio, and
provides servicing for the loan, the borrower clearly would have a
customer relationship with that institution. Less clear, however, are
situations in which servicing is sold or investors purchase a partial
interest in a loan. The Agencies have adopted an approach designed to
ensure that a customer receives annual notices for the duration of the
customer relationship from the most appropriate financial institution.
Under the final rule as stated in Sec. __.3(i)(2)(i)(B), a customer
relationship will be established as a general rule with the financial
institution that makes a loan to an individual. This customer
relationship then will attach to the entity providing servicing. Thus,
if the originating lender retains the servicing, it will continue to
have a customer relationship with the borrower and will be obligated to
provide annual notices for the duration of the customer relationship.
If the servicing is sold, then the purchaser of the servicing rights
will establish a customer relationship (and the originating lender will
have a consumer relationship with the borrower). See
Sec. __.3(i)(2)(ii)(B). In this way, the borrower will be entitled to
receive an initial notice and annual notices from the loan servicer,
but will not receive initial and annual notices from entities that hold
interests in the loan but are unknown to the consumer.
Mortgage brokers. Several commenters suggested that the use of a
mortgage broker should not create a customer relationship. The Agencies
disagree. A relationship between a mortgage broker and a consumer is
more than an isolated transaction, given that the mortgage broker is
likely to provide many services for a consumer, such as analyzing
financial information, performing credit checks, negotiating with other
financial institutions on the consumer's behalf, and assisting with
loan closings. In light of the similarities between the services
provided by a mortgage broker and those provided by, for instance, an
insured depository institution that makes a mortgage loan, the Agencies
believe it is appropriate to consider a mortgage broker to be a
financial institution that establishes a customer relationship when the
broker enters into an agreement or understanding with a consumer
whereby the broker undertakes to arrange or broker a home mortgage loan
for the consumer. The final rule reflects this in
Sec. __.3(i)(2)(i)(F).
Trusts. The final rule adds an example in Sec. __.3(i)(2)(i)(E) to
clarify that an individual will be deemed to establish a customer
relationship when a bank acts as a custodian for securities or assets
in an IRA. This example is consistent with the explanation set out
above in the discussion of ``consumer'' concerning trusts.
j. Federal Functional Regulator
The proposal sought comment on a definition of ``government
regulator'' that included each of the Agencies participating in this
rulemaking, the Secretary of the Treasury, the NCUA, FTC, SEC, and
State insurance authorities under the circumstances identified in the
definition. This term was used in the exception set out in proposed
Sec. __.11(a)(4) for disclosures to law enforcement agencies,
``including government regulators.''
The few comments that were received on this definition suggested
that it be expanded to include additional governmental entities. The
Agencies note that, for purposes of the privacy rule, this term is
relevant only in the discussion of when a financial institution may
disclose information to a law enforcement agency. The exception as
stated in the statute uses the term ``federal functional regulator''
(see section 502(e)(5)), which term is defined in the statute at
section 509(2) and also includes the Secretary of the Treasury for
purposes of the exception permitting disclosures to law enforcement
agencies. The Agencies have decided that it is appropriate simply to
use the term that is used in the statute and adopt its definition.
k. Financial Institution
The proposal defined ``financial institution'' as any institution
the business of which is engaging in activities that are financial in
nature, or incidental to such financial activities, as described in
section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C.
1843(k)). The proposal exempted from the definition of ``financial
institution'' those entities specifically excluded by the GLB Act.
Commenters suggested that the final rule contain several exclusions
to this definition, including those for securitization trusts, debt
buyers, and credit bureaus. The Agencies have not included these
exceptions in the final rule, in part because the Agencies believe that
it is inappropriate to exclude many of the activities suggested by
commenters and in part because the objective of the suggested
exclusions can be achieved in other ways. Even if an entity is a
financial institution as that term is used in the GLB Act, it will not
have any disclosure responsibilities under the Act or this rule if it
does not provide a financial product or service to a consumer. In most
of the situations posited by the commenters, the entity in question
will not meet that test and, therefore, will fall outside the scope of
the rule with respect to privacy disclosures. \6\
---------------------------------------------------------------------------
\6\ However, these entities will be subject to the limits on
redisclosures under Sec. _.11 with respect to any nonpublic personal
information they receive from a nonaffiliated financial institution
that has disclosure obligations under this rule.
---------------------------------------------------------------------------
For the reasons discussed above, the Agencies adopt the definition
of ``financial institution'' as proposed.
l. Financial Product or Service
The proposal defined ``financial product or service'' as a product
or service that a financial institution could offer as an activity that
is financial in nature, or incidental to such a financial activity,
under section 4(k) of the Bank Holding Company Act of 1956, as amended.
An activity that is complementary to a financial activity, as described
in section 4(k), was not included in the proposed definition of
``financial product or service.'' The proposal's definition included
the financial institution's evaluation of information collected in
connection
[[Page 35170]]
with an application by a consumer for a financial product or service
even if the application ultimately is rejected or withdrawn. It also
included the distribution of information about a consumer for the
purpose of assisting the consumer in obtaining a financial product or
service.
Several commenters in response to this proposed definition
criticized the Agencies' interpretation of the Act and suggested that
the evaluation of application information should not be considered a
financial product or service. For the reasons advanced above in the
discussion of the definition of ``consumer,'' the Agencies continue to
believe that it is appropriate to retain evaluation or brokerage of
information as within the scope of financial products or services
covered by the rule. Accordingly, the final rule adopts the definition
of ``financial product or service'' as proposed.
m. Nonaffiliated Third Party
The proposal defined ``nonaffiliated third party'' as any person
(which includes natural persons as well as corporate entities) except
(1) an affiliate of a financial institution and (2) a joint employee of
a financial institution and a third party. The proposal clarified the
circumstances under which a company that is controlled by a financial
institution pursuant to that institution's merchant banking activities
or insurance company activities would be a ``nonaffiliated third
party'' of that financial institution.
The Agencies received very few comments in response to this
proposed definition. One commenter requested that the final rule state
that a disclosure of information to someone who is serving as a joint
employee of two financial institutions should be deemed to have been
disclosed to both financial institutions. The Agencies disagree with
this result. Instead, the Agencies believe it is appropriate to deem
the information to have been given to the financial institution that is
providing the financial product or service in question. Thus, for
instance, if an employee of an insured depository institution is a dual
employee with a securities firm, information received by that person in
connection with a securities transaction conducted with the securities
firm would be deemed to have been received by the securities firm.
In light of the comments received, the Agencies adopt the
definition of ``nonaffiliated third party'' as proposed.
n. Nonpublic Personal Information
Section 509(4) of the GLB Act defines ``nonpublic personal
information'' to mean ``personally identifiable financial information''
that is provided by a consumer to a financial institution, results from
any transaction with the consumer or any service performed for the
consumer, or is otherwise obtained by the financial institution. It
also includes any ``list, description, or other grouping of consumers
(and publicly available information pertaining to them) that is derived
using any nonpublic personal information other than publicly available
information.'' The statute excludes publicly available information
(unless provided as part of the list, description or other grouping
described above), as well as a list, description, or other grouping of
consumers (and publicly available information pertaining to them) that
is derived without using nonpublic personal information. The statute
does not define either ``personally identifiable financial
information'' or ``publicly available information.''
The proposed rules implemented this provision of the GLB Act by
restating the categories of information described above. The proposed
rules presented two alternative approaches to identifying what
information would be regarded as publicly available (and therefore, as
a general rule, outside the definition of ``nonpublic personal
information''). Alternative A deemed information as publicly available
only if a financial institution actually obtained the information from
a public source while Alternative B treated information as publicly
available if a financial institution could obtain it from such a
source. Both Alternatives A and B included within the definition of
``nonpublic personal information'' publicly available information that
is provided as part of a list, description, or other grouping of
consumers.
Commenters favoring Alternative A noted that it provided the
greatest protection for consumers by treating anything the consumer
gives to a financial institution to obtain a financial product or
service as nonpublic personal information. Under Alternative A, this
protection would be lost only if a financial institution actually
obtained the information from a public source. These commenters also
preferred the bright-line distinction drawn by treating as nonpublic
personal information any information given by a consumer to obtain a
financial product or service or information that results from
transactions between a financial institution and a consumer. However,
the majority of those commenting on this issue favored Alternative B,
noting that this alternative was consistent with the statute and would
be far less burdensome on financial institutions. These commenters
suggested that a requirement that the information actually be obtained
from a public source would impose needless burden on financial
institutions (by requiring, for instance, that a financial institution
``tag'' information they obtained from public records) and is not
required by the statute.
The final rule adopts an approach that the Agencies believe
incorporates the benefits of both alternatives. Under the final rule,
information will be deemed to be ``publicly available'' and therefore
excluded from the definition of ``nonpublic personal information'' if a
financial institution has a reasonable basis to believe that the
information is lawfully made available to the general public from one
of the three categories of sources listed in the rule. See
Sec. __.3(p)(1). The final rule states that a financial institution
will have a ``reasonable basis'' for believing that information is
lawfully made available if it has taken steps to determine that the
information is of the type that is available to the general public and,
if an individual could direct that the information not be made
available to the general public, whether the individual has done so. In
this way, a financial institution will be able to avoid the burden of
having to actually obtain information from a public source, but will
not be free simply to assume that information is publicly available
without some reasonable basis for that belief. The final rule cites, as
an example of information a financial institution might reasonably
believe to be publicly available, the fact that someone has a loan that
is secured by a mortgage in jurisdictions where mortgages are recorded.
See Sec. __.3(p)(3)(iii)(A). The rule also states that a financial
institution will have a reasonable basis to believe that a telephone
number is publicly available if the institution either located the
number in a telephone book or was informed by the consumer that the
number is not unlisted. See Sec. __.3(p)(3)(iii)(B).
This approach is based on the underlying principle that, if a
consumer has some measure of control over the public availability of
his or her information, a financial institution should not
automatically assume that the information is in fact publicly
available. In the case of a mortgage in most jurisdictions, the
borrower has no choice about whether the lender will
[[Page 35171]]
make the mortgage a matter of public record; a lender must do so in
order to protect its security interest. In the case of a telephone
number, a person may request that his or her number be unlisted. Thus,
in evaluating whether it is reasonable to believe that information is
publicly available, a financial institution should consider whether the
information is of a type that a consumer could keep from being a matter
of public record.
To implement the complex definition of ``nonpublic personal
information'' that is provided in the statute, the final rule adopts a
definition that consists, generally speaking, of (1) personally
identifiable financial information, plus (2) a consumer list (and
publicly available information pertaining to the consumers) that is
derived using any personally identifiable financial information that is
not publicly available. From that body of information, the final rule
excludes publicly available information (except as noted above) and any
consumer list that is derived without using personally identifiable
financial information that is not publicly available. See
Secs. __.3(n)(1) and (2). Examples are provided in Sec. __.3(n)(3) to
illustrate how this definition applies in the context of consumer
lists.
o. Personally Identifiable Financial Information
The proposed rules defined ``personally identifiable financial
information'' to include information that a consumer provides a
financial institution in order to obtain a financial product or
service, information resulting from any transaction between the
consumer and the financial institution involving a financial product or
service, and information about a consumer a financial institution
otherwise obtains in connection with providing a financial product or
service to the consumer. The proposed rule also treated the fact that
someone is a customer of a financial institution as personally
identifiable financial information. In essence, the proposed rules
treated any personally identifiable information as financial if it was
obtained by a financial institution in connection with providing a
financial product or service to a consumer. The Agencies noted in the
preamble to the proposed rule that this interpretation may result in
certain information being covered by the rules that may not be
considered intrinsically financial, such as health status.
The Agencies received a large number of comments in response to
this definition, most of which maintained that the definition
inappropriately included certain identifying information that is not
financial, such as name, address, and telephone number. Many others
maintained that ``personally identifiable financial information''
should not include the fact that someone is a customer of a financial
institution. These commenters typically noted that many customer
relationships are matters of public record (such as would be the case,
for instance, anytime a transaction results in the recordation of a
security interest) while other customer relationships are matters of
public knowledge (because consumers frequently disclose the
relationships by writing checks, using credit cards, and so on). Many
commenters stated that aggregate data about a financial institution's
customers that lack personal identifiers should not be considered
personally identifiable financial information.
Treatment of identifying information as financial. The Agencies
continue to believe that it is appropriate to treat any information as
financial information if it is requested by a financial institution for
the purpose of providing a financial product or service. The Agencies
also believe this approach is consistent with the express language of
the statute. Although the statute does not define the term
``financial,'' it does include a broad definition of ``financial
institution'' which encompasses a large number of entities (such as
travel agencies, insurance companies, and data processors) that engage
in activities not traditionally considered financial. As a consequence
of that definition, the range of information that has a bearing on the
terms and availability of a financial product or service or that is
used by a financial institution in connection with providing a
financial product or service is extremely broad and may include, for
instance, medical information and other sorts of information that might
not be thought of as financial. Further, the information that the
agencies have defined as financial is the information that the
institution itself has determined is relevant to providing a financial
product or service, as evidenced by the fact that the institution
requests the information from the consumer, obtains it from a
transaction involving a financial product or service with the consumer,
or otherwise obtains it in connection with providing a financial
product or service to a consumer.
The Agencies are sensitive to the concern expressed by many
commenters, including several hundred private investigators, about the
need for ready access to identifying information to locate people
attempting to evade their financial obligations. These commenters
consistently suggested that names, addresses, and telephone numbers
should not be treated as financial information. However, financial
institutions rely on a broad range of information, including
information such as addresses and telephone numbers, when providing
financial products or services. Location information is used by
financial institutions to provide a wide variety of financial services,
from the sending of checking account statements to the disbursing of
funds to a consumer. Other information, such as the maiden name of a
consumer's mother often will be used by a financial institution to
verify the consumer's identity. The Agencies concluded that it would be
inappropriate to exclude certain items of information from the
definition of personally identifiable financial information simply
because a particular financial institution might not rely on those
items when providing a particular financial product or service.
The Agencies note that names, addresses, and telephone numbers, if
publicly available, will not be subject to the opt out provisions of
the statute unless that information is ``derivative information''
(i.e., information that is part of a list, description, or other
grouping of consumers that is derived from personally identifiable
financial information that is not publicly available). Thus, in
instances involving specific requests about individuals, a financial
institution still may disclose information about the individual that
the institution reasonably believes to be publicly available, provided
that in so doing the institution does not disclose the existence of a
customer relationship that is not a matter of public record. Moreover,
in instances when a consumer does not opt out, a financial institution
may disclose any nonpublic personal information to a nonaffiliated
third party provided that the disclosure is consistent with the
institution's opt out and privacy notices.
Customer relationship as ``personally identifiable financial
information.'' The Agencies disagree with those commenters who maintain
that customer relationships should not be considered to be personally
identifiable financial information. Clearly, information that a
particular person has a customer relationship identifies that person,
and thus is personally identifiable. The Agencies believe that this
information also is financial under the express terms of the statute,
because it communicates that the person in question has a transaction
involving a financial product or service with a
[[Page 35172]]
financial institution. While this information could in certain cases be
a matter of public record, that does not change the analysis of whether
the information is personally identifiable financial information.
Changes made to the definition. The final rule makes various
stylistic changes to the definition that are intended to make it easier
to read and understand. In addition, the final rule adds to the
examples of information covered by the rule any information that the
institution collects through an information collecting device from a
web server, often referred to as a ``cookie.'' See Sec. __.3(o)(2)(F).
This illustrates one of the various means by which a financial
institution may ``otherwise obtain'' information about a consumer in
connection with providing a financial product or service to that
consumer.
The final rule also includes, as a negative example in
Sec. __.3(o)(2)(ii)(B), a statement that aggregate information or blind
data lacking personal identifiers is not covered by the definition of
``personally identifiable financial information.'' The Agencies agree
with those commenters who opined that such data, by definition, do not
identify any individual.
p. Publicly Available Information
The proposal defined ``publicly available information'' to include
information that is lawfully available to the general public from
official public records (such as real estate recordations or security
interest filings), information from widely distributed media (such as a
telephone book, television or radio program, or newspaper), and
information that is required to be disclosed to the general public by
Federal, State, or local law (such as securities disclosure documents).
The proposed rules stated that publicly available information from
widely distributed media would include information from an Internet
site that is available to the general public without requiring a
password or similar restriction.
As previously explained in the discussion of ``nonpublic personal
information,'' the proposed rules invited comment on two versions of
the definition of ``publicly available information.'' The Agencies have
adopted an approach in the final rule that they believe closely tracks
the statute while providing much of the benefit provided under
Alternative A.
Several commenters questioned the appropriateness of excluding
information from the definition of ``publicly available information''
if a person who seeks to obtain the information over the Internet must
have a password or comply with a similar restriction. These commenters
made the point that many Internet sites are available to a large number
of people, each of whom need a user name and identification number to
access the sites. Several of these commenters suggested that it is more
appropriate to focus on whether the information was lawfully placed on
the Internet.
The Agencies agree with these comments, and have amended the final
rule to remove the reference to passwords or similar restrictions from
the example of the Internet as a ``widely distributed'' medium of
communication. In its place, the Agencies have substituted a standard
that requires the information, whether from the Internet or otherwise,
to be available on an unrestricted basis. Information that an
individual specifically requests be compiled, such as information that
a locator or ``look up'' service provides with respect to a particular
individual that may combine confidential information in addition to
publicly available information, will not be considered available to the
general public on an unrestricted basis, regardless of whether the
information is provided over the Internet or otherwise.
On the other hand, the rule states that an Internet site is not
restricted merely because an Internet service provider or a site
operator requires a fee or password as long as access is otherwise
available to the general public. The traditional use of passwords is to
confine the access of individual customers to specific, individual
information. However, website operators, in particular, may require
user identifications and passwords as a method of tracking access
rather than restricting access to the information available through the
website. Fees may be levied to obtain access to the Internet or to
particular sites rather than restrict access to particular information.
For example, Internet service providers may charge a fee for accessing
the Internet. Other sites available to the general public, such as
daily newspapers, also may charge a fee to access archived information.
Therefore, the Agencies believe that the definition of ``widely
distributed media'' should properly focus on whether the information is
lawfully available to the general public, rather than on the type of
medium from which information is obtained.
The Agencies note that the concept of information being lawfully
obtained was included in the proposal, and is retained in the final
rule. Thus, information unlawfully obtained will not be deemed to be
publicly available notwithstanding that it may be available to the
general public through widely distributed media.
To help understand how ``nonpublic personal information,''
``personally identifiable financial information,'' and ``publicly
available information'' will work under the final rule, the following
example is offered. Assume that Mary provides her bank with various
information in order to obtain a mortgage loan and to open a deposit
account. Under the final rule, all of this information would be
personally identifiable financial information. Once Mary establishes
the customer relationships she seeks, the fact that Mary is a mortgage
loan customer and a deposit accountholder at the bank also would be
personally identifiable financial information.
It may be that certain information provided by Mary, such as her
name and address, is publicly available. If the bank has a reasonable
basis to believe that this information is publicly available, and if
the information was included on a list of the bank's mortgage loan
customers that was derived using only publicly available information,
then her name and address would fall outside the definition of
``nonpublic personal information'' in those jurisdictions where
mortgages are a matter of public record. However, Mary's name and
address would be protected as nonpublic personal information if the
bank wanted to include those items on a list of its deposit
accountholders. The difference in treatment stems from the distinction
drawn in the statute between lists prepared using publicly available
information (as would be the case in the mortgage loan hypothetical)
and lists prepared using information that is not publicly available (as
would be the case in the deposit account hypothetical).
The Agencies recognize the complexity of this approach, but believe
that it is mandated by the way the statute defines ``nonpublic personal
information.'' It also is consistent with the fact that certain
relationships are matters of public record, and, therefore, arguably
deserving of less protection from disclosure.
q. You
Several Agencies used the pronoun ``you'' to refer to entities
within their primary jurisdiction in the proposal and defined ``you''
to mean those entities. \7\
---------------------------------------------------------------------------
\7\ The OCC used the term ``bank'' instead of ``you'' in its
regulation.
---------------------------------------------------------------------------
The Agencies received very few comments in response to this
definition.
[[Page 35173]]
While one commenter preferred the term ``bank'' to ``you,'' those
Agencies using the term ``you'' believe that it makes the rule easier
to read and have, therefore, adopted the definition substantially as
proposed. The Board has revised its definition of ``you'' to clarify
that insurance, broker dealer, investment adviser, and investment
company subsidiaries of the financial institutions within its primary
jurisdiction are not covered.
Section __.4 Initial Privacy Notice to Consumers Required
The GLB Act requires a financial institution to provide an initial
notice of its privacy policies and practices in two circumstances. For
customers, the notice must be provided at the time of establishing a
customer relationship. For consumers who are not customers, the notice
must be provided prior to disclosing nonpublic personal information
about the consumer to a nonaffiliated third party.
The proposed rule implemented these requirements by mandating that
a financial institution provide the initial notice to an individual
prior to the time a customer relationship is established and the opt
out notice prior to disclosing nonpublic personal information to
nonaffiliated third parties. These disclosures were required under the
rule to be clear and conspicuous and to accurately reflect the
institution's privacy policies and practices. The proposal also set out
rules governing when a customer relationship is established and how a
financial institution is to provide notice.
The Agencies received many comments raising concerns about a large
number of issues arising under proposed Sec. __.4. Most of the comments
raised questions about the time by which initial notices must be
provided, whether new notices are required for each new financial
product or service obtained by a customer, the point at which a
customer relationship is established, and how initial notices may be
provided.
Providing Initial Notices ``Prior To'' Time Customer Relationship Is
Established
Many commenters stated that, because the statute requires only that
the initial notice be provided ``at the time of establishing a customer
relationship,'' the regulation should not require that the notice be
provided ``prior to'' the point at which a customer relationship is
established. These commenters were concerned that the rule could be
interpreted as requiring a financial institution to provide disclosures
at a point different from when they must provide other federally
mandated consumer disclosures during the process of establishing a
customer relationship.
In response to these comments, the Agencies have clarified the
timing for providing initial notices. The final rule states that, as a
general rule, the initial notice must be given not later than the time
when a financial institution establishes a customer relationship. See
Sec. __.4(a)(1). As stated in the preamble to the proposed rule, the
initial notices may be provided at the same time a financial
institution is required to give other notices, such as those required
by the Board's regulations implementing the TILA. This approach, like
the approach taken in the proposed rule, strikes a balance between (1)
ensuring that consumers will receive privacy notices at a meaningful
point along the continuum of ``establishing a customer relationship''
and (2) minimizing unnecessary burden on financial institutions that
may otherwise result if the final rule were to require financial
institutions to provide consumers with a series of notices at different
times in a transaction.
Providing Notices After Customer Relationship Is Established
Several commenters stated that the rule should provide financial
institutions with the flexibility to deliver the initial notice after
the customer relationship is established under certain circumstances.
These commenters posited several situations in which a customer
relationship is established without face-to-face contact between the
consumer and financial institution. The commenters stated that delivery
of the initial notice before the customer relationship is established
in these situations would be impractical, and a requirement along those
lines would have a significant adverse effect on the ability to provide
a financial product or service to a consumer as quickly as the consumer
desires.
The Agencies believe that it is appropriate for financial
institutions to have flexibility in certain circumstances to provide
the initial notice at a point after the customer relationship is
established. To accommodate the wider range of situations presented by
the commenters, the Agencies have modified the examples set out in the
proposal of when a subsequent delivery of the initial notice is
appropriate so that they now are more broadly applicable. As stated in
the final rule in Sec. __.4(e), a financial institution may provide the
initial notice within a reasonable time after establishing a customer
relationship in two instances. First, notice may be provided after the
fact if the establishment of the customer relationship is not at the
customer's election. See Sec. __.4(e)(1)(i). This might occur, for
instance, when a deposit account is sold. Second, a notice may be sent
after establishing a customer relationship when to do otherwise would
substantially delay the consumer's transaction and the consumer agrees
to receive the notice at a later time. See Sec. __.4(e)(1)(ii). An
example of this would be when a transaction is conducted over the
telephone and the customer desires prompt delivery of the item
purchased. Another example of when this might occur is when a bank
establishes a customer relationship with an individual under a student
loan program as described in the final rule where loan proceeds are
disbursed promptly without prior communication between the bank and the
customer.
The Agencies note that in most situations, and particularly in
situations involving the establishment of a customer relationship in
person, a financial institution should give the initial notice at a
point when the consumer still has a meaningful choice about whether to
enter into the customer relationship. The exceptions listed in the
examples, while not exhaustive, are intended to illustrate the less
frequent situations when delivery either would pose a significant
impediment to the conduct of a routine business practice or the
consumer agrees to receive the notice later in order to obtain a
financial product or service immediately.
In circumstances when it is appropriate to deliver an initial
notice after the customer relationship is established, a financial
institution should deliver the notice within a reasonable time
thereafter. Several commenters requested that the final rule specify
precisely how many days a financial institution has in which to deliver
the notice under these circumstances. However, the Agencies believe
that a rule prescribing the maximum number of days would be
inappropriate because (a) the circumstances of when an after-the-fact
notice is appropriate are likely to vary significantly, and (b) a rule
that attempts to accommodate every circumstance is likely to provide
more time than is appropriate in many instances. Thus, rather than
establish a rule that the Agencies believe may be viewed as applicable
in all circumstances, the Agencies have elected to retain the more
general rule as set out in the proposal in Sec. __.4(e)(1).
[[Page 35174]]
As the Agencies noted in the preamble to the proposed rule, nothing
in the rule is intended to discourage a financial institution from
providing an individual with a privacy notice at an earlier point in
the relationship if the institution wishes to do so in order to make it
easier for the individual to compare its privacy policies and practices
with those of other institutions in advance of conducting transactions.
New Notices Not Required for Each New Financial Product or Service
Several commenters asked whether a new initial notice is required
every time a consumer obtains a financial product or service from that
financial institution. These commenters suggested that a consumer would
not materially benefit from repeated disclosures of the same
information, and that requiring additional initial notices to be
provided to the same consumer would be burdensome on financial
institutions.
The Agencies agree that it would be burdensome with little
corresponding benefit to the consumer to require a financial
institution to provide the same consumer with additional copies of its
initial notice every time the consumer obtains a financial product or
service. Accordingly, the final rule states, in Sec. __.4(d), that a
financial institution will satisfy the notice requirements when an
existing customer obtains a new financial product or service if the
institution's initial, revised, or annual notice (as appropriate) is
accurate with respect to the new financial product or service.
Joint Accountholders
The majority of comments on how to provide notice suggested that
the final rule state that a financial institution is not obligated to
provide more than one notice to joint accountholders. Several of these
commenters noted that disclosure obligations arising from joint
accounts are well settled under other rules, such as the regulations
implementing the Equal Credit Opportunity Act (Regulation B, 12 CFR
part 202, ) and TILA. Commenters noted that under both Reg. B and Reg.
Z, a financial institution is permitted to give only one notice. The
authorities cited include requirements that the financial institution
give disclosures, as appropriate, to the ``primary applicant'' if this
is readily apparent (in the case of Reg. B; see 12 CFR 202.9(f)) or to
a person ``primarily liable on the account'' (in the case of Reg. Z;
see 12 CFR 226.5(b)).
The Agencies agree that a financial institution should be allowed
to provide initial notices in a manner consistent with other disclosure
obligations. Accordingly, the final rule clarifies, in Sec. __.9(g),
that only one notice is required to be sent in connection with a joint
account. A financial institution may, in its discretion, provide
notices to each party to the account. This situation might arise, for
instance, when a financial institution does not want one opt out
election to apply automatically to all joint accountholders (see
discussion of how to provide opt out notices, below).
Mergers
A few commenters requested guidance on what notices are required in
the event of a merger of two financial institutions or an acquisition
of one financial institution by another. In such a situation, the need
to provide new initial (and opt out) notices to the customers of the
entity that ceases to exist will depend on whether the notices
previously given to those customers accurately reflect the policies and
practices of the surviving entity. If they do, the surviving entity
will not be required under the rule to provide new notices.
As was stated in the preamble to the proposed rule, a financial
institution may not fail to maintain the protections that it represents
in the notice that it will provide. The Agencies expect that financial
institutions will take appropriate measures to adhere to their stated
policies and practices.
Section __.5 Annual Privacy Notice to Customers Required
Section 503 of the GLB Act requires a financial institution to
provide notices of its privacy policies and practices at least annually
to its customers ``during the continuation'' of a customer
relationship. The proposed rules implemented this requirement by
requiring a clear and conspicuous notice that accurately reflects the
privacy policies and practices then in effect to be provided at least
once during any period of twelve consecutive months. The proposed rules
noted that rules governing how to provide an initial notice also would
apply to annual notices, and stated that a financial institution would
not be required to provide annual notices to a customer with whom it no
longer has a continuing relationship.
Several commenters requested that the final rule permit annual
notices to be given each calendar year, instead of every twelve months.
A variation suggested by a few commenters was to state that notices
must be provided during each calendar year, with no more than 15 months
elapsing between mailings. To clarify the extent of financial
institutions' flexibility, the final rule retains the general rule
requiring annual notices but then provides an example, in
Sec. __.5(a)(2)(ii), stating that a financial institution may select a
calendar year as the 12-month period within which notices will be
provided and provide the first annual notice at any point in the
calendar year following the year in which the customer relationship was
established. The final rule also requires that a financial institution
apply the 12-month cycle to its consumers on a consistent basis.
Several commenters suggested that a financial institution be
permitted to make the annual notice available upon request only,
particularly if there have been no material changes to the notice since
it was last delivered. These commenters maintained that little value is
added by providing customers with additional copies each year of the
same information. Some suggested that financial institutions be
permitted to provide a ``short-form'' annual notice, in which the
institution informs its customers that there has been no change to its
privacy policies and practices and that the customers may obtain a copy
upon request.
The Agencies have not amended the final rule to permit this
approach, for two reasons. First, the Agencies view the statute as
contemplating complete disclosures annually to all customers during the
duration of the customer relationship. Section 503 of the GLB Act
states that ``not less than annually during the continuation of [a
customer] relationship, a financial institution shall provide a clear
and conspicuous disclosure to such consumer [i.e., one with whom a
customer relationship has been formed], * * * of such financial
institution's policies and practices with respect to'' the information
enumerated in the statute. The Agencies believe that this provision
contemplates a full set of disclosures to each customer once a year.
Second, the clarifications made in the final rule to the disclosure
provisions make it clear that a financial institution is not required
to provide a lengthy and detailed privacy notice to comply with the
rule. Small institutions that do not share information with third
parties beyond the statutory exceptions should be able to provide a
short, streamlined notice. The rule also permits a financial
institution to provide annual notices to customers over the
institution's web site if the customer conducts transactions
electronically and agrees to such disclosures (see additional
discussion of this flexibility, below, in Sec. __.9). As a
[[Page 35175]]
result, the final rule achieves much of the burden reduction sought by
those requesting a short-form annual notice option.
Most of the remaining comments received in response to proposed
Sec. __.5 addressed the rules governing when a customer relationship is
terminated. Several focused on whether ``dormancy'' of a deposit
account, which was presented as an example in the proposed rule of when
a customer relationship is terminated, should be determined according
to state law or a financial institution's internal policies. These
commenters were unanimous in their view that ``dormancy'' should be
determined according to an institution's own policies, without reliance
on state laws that may produce conflicting results and unnecessary
burden for institutions operating in more than one state. A few
commenters suggested that the final rule use ``inactive'' instead of
``dormant'' in order to avoid unintended consequences of classifying an
account as dormant. In light of these comments, the final rule retains
in the examples of when a customer relationship will be terminated the
situation where there is no activity in a deposit account according to
a financial institution's policies. The Agencies also have used the
term ``inactive'' rather than ``dormant'' in Sec. __.5(b)(2)(i) to
avoid the unintended consequences posited by the comments.
A few commenters stated that the example of no communication with a
customer for twelve months should be amended to clarify that
promotional materials would not be considered a communication about the
relationship sufficient to extend the duration of the customer
relationship. These commenters generally suggested that the rule be
tied to communications initiated by the customer. The Agencies agree
that a communication that merely informs a person about, or seeks to
encourage use of, a financial institution's products or services is not
the type of communication that signifies an ongoing relationship. The
final rule has been amended in Sec. __.5(b)(2)(iv) to reflect that the
distribution of promotional materials will not prolong a customer
relationship under the rule. The Agencies disagree, however, that the
test should focus on whether there has been any customer-initiated
contact, because there will be instances in which the customer will not
initiate a contact with a financial institution within the relevant
time period but nonetheless has an ongoing relationship.
Section __.6 Information To Be Included in Initial and Annual Privacy
Notices
Section 503 of the GLB Act identifies the items of information that
must be included in a financial institution's initial and annual
notices. Section 503(a) of the GLB Act sets out the general requirement
that a financial institution must provide customers with a notice
describing the institution's policies and practices with respect to,
among other things, disclosing nonpublic personal information to
affiliates and nonaffiliated third parties. Section 503(b) of the Act
identifies certain elements that must be addressed in that notice.
The proposed rule implemented section 503 by requiring a financial
institution to provide information concerning:
<bullet> The categories of nonpublic personal information that a
financial institution may collect;
<bullet> The categories of nonpublic personal information that a
financial institution may disclose;
<bullet> The categories of affiliates and nonaffiliated third
parties to whom a financial institution discloses nonpublic personal
information, other than those to whom information is disclosed pursuant
to an exception in section 502(e) of the GLB Act;
<bullet> The financial institution's policies with respect to
sharing information about former customers;
<bullet> The categories of information that are disclosed pursuant
to agreements with third party service providers and joint marketers
and the categories of third parties providing the services;
<bullet> A consumer's right to opt out of the disclosure of
nonpublic personal information to nonaffiliated third parties;
<bullet> Any disclosures regarding affiliate information sharing
opt outs a financial institution is providing under the FCRA; and
<bullet> The bank's policies and practices with respect to
protecting the confidentiality, security, and integrity of nonpublic
personal information.
The Agencies received a large number of comments concerning these
requirements, with the majority of comments making the points
summarized below.
Level of Detail Required
Many commenters offered the general observation that the level of
detail that would be required under the proposed rule would result in
lengthy, complicated, and ultimately confusing disclosures. These
comments have led the Agencies to conclude that additional
clarification is required concerning the level of detail that the
Agencies expect a financial institution's initial and annual
disclosures to contain.
The Agencies do not believe that the statute requires--nor do the
Agencies intend to require--a financial institution to publish lengthy
disclosures that identify with precision every type of information
collected or disclosed, the name of every entity with whom the
financial institution shares information, and a complete description of
the technical specifications of how the institution protects its
customers' records or the identity of each employee who has access to
such records. Instead, the Agencies have concluded that the statute, by
focusing on ``categories'' of information and recipients of
information, is intended to require notices that provide consumers with
a general description of the third parties to whom a financial
institution discloses nonpublic personal information, the types of
information it discloses, and the other information about the
institution's privacy policies and practices listed above. The final
rule, like the proposal, permits a financial institution to comply with
these notice requirements by providing a description that is
representative of its privacy policies and practices. The Agencies
believe that in most cases the initial and annual disclosure
requirements can be satisfied by disclosures contained in a tri-fold
brochure.
To address commenters' concerns about the likelihood that consumers
will not read long, detailed disclosures, the Agencies have revised the
examples of the disclosures set out in proposed Sec. __.6(c) to clarify
the level of detail that the Agencies think is appropriate under the
statute. Sample clauses have been provided in Appendix A to the rules,
and guidance for certain institutions has been set out later in this
preamble. Because the examples are not exclusive, the final rule
permits a financial institution to use different categories than those
provided in the examples, thereby providing additional flexibility for
financial institutions in complying with the disclosure requirements.
In addition, the language in Sec. __.6(a) that precedes the items of
information to be addressed in the initial notice has been amended to
clarify that a financial institution is required only to address those
items that apply to the institution. Thus, for instance, if a financial
institution does not disclose nonpublic personal information to third
parties, it may simply omit any reference to the categories of
affiliates and nonaffiliated third parties to whom the institution
[[Page 35176]]
discloses nonpublic personal information.
As was noted in the preamble to the proposed rule, the required
content is the same for both the initial and annual notices of privacy
policies and practices. While the information contained in the notices
must be accurate as of the time the notices are provided, a financial
institution may prepare its notices based on current and anticipated
policies and practices.
Short-Form Initial Notice
The Agencies have reconsidered the need to give consumers a copy of
a financial institution's complete initial notice when there is no
customer relationship. In these circumstances, the Agencies believe
that the objectives of the statute can be accomplished in a less
burdensome way than was proposed. Accordingly, the Agencies have
exercised their exemptive authority as provided in section 504(b) to
create an exception to the general rule that otherwise requires a
financial institution to provide both the initial and opt out notices
to a consumer before disclosing nonpublic personal information about
that consumer to nonaffiliated third parties.
This exception is set out in Sec. __.6(d) of the final rule, which
states that a financial institution may provide a ``short-form''
initial privacy policy notice along with the opt out notice to a
consumer with whom the institution does not have a customer
relationship. The short-form notice must clearly and conspicuously
state that the disclosure containing information about the
institution's privacy policies and practices is available upon request
and provide one or more reasonable means by which the consumer may
obtain a copy of the notice. This approach reflects the Agencies'
belief that a consumer who does not become a customer of a financial
institution generally may have less interest in certain elements of the
institution's privacy policies. Relative to other aspects of the
transaction, the consumer may receive greater benefit from obtaining a
concise, but meaningful, opt out notice that informs the consumer about
the categories of his or her information the institution may disclose
and the categories of nonaffiliated third parties that may receive the
information. The rule also requires a financial institution to provide
a consumer who is interested in the more complete privacy disclosures
with a reasonable means to obtain them.
Information About Affiliate Sharing
Another point made by several commenters in response to proposed
Sec. __.6 was that the rule should not include a requirement that
categories of affiliates with whom a financial institution shares
information be included in the initial and annual notices. These
commenters pointed out that the statute specifically requires
disclosures of categories of nonaffiliated third parties only, and that
the only statutorily mandated disclosures concerning affiliate sharing
are disclosures required, if any, concerning affiliate sharing pursuant
to section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA)
(15 U.S.C. 1681a(d)(2)(A)(iii)). \8\ These commenters concluded that
the Agencies, by expanding the disclosure requirements in the manner
prescribed in the proposed rule, would be exceeding their rulemaking
authority and imposing unnecessary burden on financial institutions.
---------------------------------------------------------------------------
\8\ Section 603(d)(2)(A)(iii) excludes from the definition of
``consumer report'' the communication of certain consumer
information among affiliated entities if the consumer is notified
about the disclosure of such information and given an opportunity to
opt out of the disclosure of that information. The information that
can be disclosed to affiliates under this provision includes, for
instance, information from consumer reports and applications for
financial products or services. In general, this information
represents personal information provided directly by the consumer to
the institution, such as income and assets, in addition to
information contained within consumer reports.
---------------------------------------------------------------------------
The Agencies believe that the language and legislative history of
section 503 support requiring disclosures of affiliate sharing beyond
what may be required by the FCRA. First, section 503(b) does not state
that the items listed therein are to be the only items set out in a
financial institution's initial and annual disclosures. Instead, it
uses the nonrestrictive phrase ``shall include'' when discussing the
contents of the disclosures, thereby preserving flexibility for the
Agencies (which were expressly granted authority under section 503(a)
to prescribe rules governing these notices) to require that additional
items be addressed in the disclosures consistent with those
specifically enumerated.
Second, section 503(a) states that the financial institution shall
provide in its initial and annual notices ``a clear and conspicuous
disclosure * * * of such financial institution's policies and practices
with respect to--(1) disclosing nonpublic personal information to
affiliates and nonaffiliated third parties, consistent with section
502, including the categories of information that may be disclosed; * *
*'' While the FCRA disclosures would be a subset of the disclosures
required by section 503(a)(1), they may not be sufficient to fully
satisfy that requirement.
Third, the legislative history of the GLB Act suggests that
Congress intended for the disclosures to provide more information about
affiliate sharing than what may be required under the FCRA.\9\ That
history underscores the Congressional intent of ensuring that
individuals are given the opportunity to make informed decisions about
the privacy policies and practices of financial institutions. The
Agencies believe that limiting the disclosures about affiliate sharing
just to those disclosures that may be required under the FCRA would
frustrate that purpose.
---------------------------------------------------------------------------
\9\ See, e.g., remarks of Sen. Gramm (noting that the privacy
bill contains ``for the first time a full disclosure requirement. It
requires every bank in America, when you open your account to tell
you precisely what their policy is: Do they share personal financial
information within the bank? Do they share it outside the bank?''),
145 Cong. Rec. S13786 (daily ed. Nov. 3, 1999); remarks of Sen.
Hagel, id. at S13876 (``Financial institutions would be required to
disclose their privacy policies to their customers on a timely
basis. If customers do not believe adequate protections exist at
their institution, they can take their business elsewhere.'').
---------------------------------------------------------------------------
Disclosures of the FCRA Opt Out Right
Another commonly advanced argument was that a financial institution
should not be required to include FCRA disclosures in its annual
notices. As previously discussed, section 503(b)(4) of the GLB Act
requires a financial institution's initial and annual notice to include
the disclosures required, if any, under section 603(d)(2)(A)(iii) of
the FCRA. The proposed rules implemented section 503(b)(4) of the GLB
Act by including the requirement that a financial institution's initial
and annual notice include any disclosures a financial institution makes
under section 603(d)(2)(A)(iii) of the FCRA. Several commenters pointed
out that the FCRA requires disclosures of a consumer's right to opt out
of affiliate sharing only once. They noted that the GLB Act states, in
section 506(c), that nothing in the GLB Act is to be construed to
modify, limit, or supersede the operation of the FCRA. These commenters
maintain that the ``if any'' language of section 503(b)(4), read in the
context of section 506, suggests that, since at most only one notice
must be provided under the FCRA, section 503 should require only one
FCRA disclosure under the privacy rule. The commenters concluded that,
by requiring more notices than are required
[[Page 35177]]
under the FCRA, the Agencies would be violating this express
preservation of the FCRA.
As discussed above, the Agencies believe that a financial
institution, in order to comply with the requirement that it disclose
its policies and practices with respect to sharing information with
affiliated and nonaffiliated third parties, must describe the
circumstances under which it will be sharing information with
affiliates. Clearly, the ability of consumers to opt out of affiliate
information sharing under the FCRA affects a financial institution's
policies and practices with respect to disclosing information to its
affiliates. Failing to include this information and an explanation of
how the opt out right may be exercised would, in the view of the
Agencies, make the disclosures incomplete. Thus, a financial
institution will need to include this information in its initial and
annual notices.
The Agencies note, moreover, that they disagree with the
commenters' reading of sections 503 and 506. Section 503 does not
distinguish between the disclosures to be provided in the initial
notice from those to be provided in the annual notice. Thus, a plain
reading of section 503 suggests that any disclosures that are required
under the FCRA must be included in both the initial and annual notices.
The Agencies interpret the ``if any'' language as a recognition
that not all institutions provide FCRA notices because not all
institutions engage in the type of affiliate sharing covered by the
FCRA. By requiring the FCRA notice to appear as part of the annual
notice under the privacy rule, the Agencies believe that they are not
modifying, limiting, or superseding the operation of the FCRA;
financial institutions will have exactly the same FCRA obligations
following the effective date of the privacy rule as they had before.
The only difference will be that, as is required by the GLB Act, a
financial institution's initial and annual disclosures about its
privacy policy and practices will need to reflect how the financial
institution complies with the affiliate sharing provisions of the FCRA.
Disclosures of the Right to Opt Out
Other commenters suggested that the final rule eliminate the
requirement that the initial and annual notices contain disclosures
about a consumer's right to opt out. These commenters pointed out that
the statute does not specifically require these disclosures.
As previously discussed, section 503(a) of the statute requires a
financial institution to disclose its policies and practices with
respect to sharing information, both with affiliated and nonaffiliated
third parties. Given that a financial institution's practices with
respect to sharing nonpublic personal information with nonaffiliated
third parties will be affected by the opt out rights created by the
statute, an institution will need to describe these opt out rights in
order to provide a complete disclosure that satisfies the statute.
Other Comments
The Agencies received many comments expressing support for a number
of the provisions in proposed Sec. __.6. For instance, several
commenters noted their agreement with the approach of permitting a
financial institution to state generally that it makes disclosures to
nonaffiliated third parties ``as permitted by law'' to describe
disclosures made pursuant to one of the exceptions. Others agreed with
the proposed flexibility to allow a disclosure to be based on current
and contemplated information sharing. In light of these comments, the
Agencies have adopted proposed Sec. __.6 with changes as discussed
above. The final rule makes several other stylistic changes to the
material in Sec. __.6 that are intended to make the rule easier to
read. \10\
---------------------------------------------------------------------------
\10\ The Agencies expect to publish proposed standards in the
near future relating to administrative, technical, and physical
safeguards as required by section 501(b) of the GLB Act.
---------------------------------------------------------------------------
Section __.7 Form of Opt Out Notice to Consumers; Opt Out Methods
Paragraph (a) of proposed Sec. __.8 required that any opt out
notice provided by a financial institution be clear and conspicuous and
accurately explain the right to opt out. The proposed rule also
required a financial institution to provide the consumer with a
reasonable means by which to opt out, required a financial institution
to honor an opt out election as soon as reasonably practicable, and
stated that an opt out election survived until revoked by the consumer.
The Agencies received a large number of comments in response to each of
these provisions, addressing the application of these rules to joint
accounts, the means by which an opt out right may be exercised,
duration of an opt out, the level of detail required in the opt out
notice, and the time by which an opt out election must be honored.
These points are addressed below.
Joint Accounts
Most of the commenters on this issue stated that a financial
institution should have the option of providing one notice per account,
regardless of the number of persons on the account. The Agencies agree
that this is appropriate, and have added a new Sec. __.7(d) to address
this issue. Under the final rule, a financial institution has the
option of providing only one initial, annual, and opt out notice per
account. However, any of the accountholders must have the right to opt
out. The final rule requires a financial institution to state in the
opt out notice provided to a joint accountholder whether the
institution will consider an opt out by a joint accountholder as an opt
out by all of the associated accountholders or whether each
accountholder is permitted to opt out separately.
Means of Opting Out
Another issue addressed by many commenters concerned the means by
which consumers may opt out. Several suggested that a financial
institution, after having provided reasonable means of opting out,
should be able to require consumers to use those means exclusively. The
Agencies agree with this suggestion, recognizing that a financial
institution may not have trained personnel or systems in place to
handle opt out elections at each point of contact between a consumer
and financial institution. Assuming a financial institution offers one
or more of the opt out means provided in the examples in the final rule
or a means of opting out that is comparably convenient for a consumer,
the institution may require consumers to opt out in accordance with
those means and choose not to honor opt out elections communicated to
the institution through alternative means. A new paragraph (iv) has
been added to Sec. __.7(a)(2)(iv) to reflect this.
The final rule adds an example of a toll-free telephone number in
Sec. __.7(a)(2)(ii)(D) as another way by which financial institutions
may allow consumers to opt out. As stated in Sec. __.7(a)(2)(iii)(A), a
financial institution may not require a consumer to write his or her
own letter in order to opt out.
Duration of Opt Out
Several commenters requested that the rule concerning duration of
an opt out, as provided in Sec. __.8(e) of the proposal, be changed to
require a more workable approach. These commenters noted that, under
the proposal, a financial institution would be required to keep track
of opt out elections forever. To illustrate their point, the commenters
posited the example of a person who opts out during the course of
establishing a customer relationship with a financial institution,
terminates that relationship, and then establishes
[[Page 35178]]
another customer relationship several years later, perhaps under a
different name or with someone on a joint account. The commenters
suggested that it would be more appropriate in these circumstances to
treat the opt out election made in connection with the first
relationship as applying solely to that relationship.
The Agencies agree with the commenters' suggestions. Thus, under
the final rule, a financial institution is to treat an opt out election
made by a customer in connection with a prior customer relationship as
applying solely to the nonpublic personal information that the
financial institution collected during, or related to, that
relationship. That opt out will continue until the customer revokes it.
However, if the customer relationship terminates and a new one is
established at a later point, the financial institution must then
provide a new opt out notice to the customer in connection with the new
relationship and any prior opt out election does not apply to the new
relationship.
Level of Detail Required in Opt Out Notice
A few commenters expressed concern about the level of detail they
perceived the proposed rule to require in an opt out notice. These
commenters interpreted the statement in proposed Sec. __.8(a)(2) that a
financial institution ``provides adequate notice * * * if [the
institution] identifies all of the categories of nonpublic personal
information that [the institution] discloses or reserves the right to
disclose to nonaffiliated third parties as described in [Sec. __.6]''
as requiring a more detailed disclosure of categories of nonpublic
personal information and nonaffiliated third parties than is required
in the initial and annual notices.
The Agencies did not intend this result, and specifically referred
to Sec. __.6 in the proposed opt out provision to address precisely the
concern raised by these commenters. The disclosures in the initial and
annual notices of the categories of nonpublic personal information
being disclosed and the categories of nonaffiliated third parties to
whom the information is disclosed will suffice for purposes of the opt
out notices as well. If the opt out notice is a part of the same
document that contains the disclosures that must be included in the
initial notice, then the financial institution is not required to
restate the same information in the opt out notice. In this instance,
the rule requires only that the categories of nonpublic personal
information the institution intends to share and the categories of
nonaffiliated third parties with whom it will share are clearly
disclosed to the consumer when the opt out and privacy notices are read
together.
One commenter suggested that, while a financial institution should
have the option of providing an opt out notice that is sufficiently
broad to cover anticipated disclosures, the financial institution also
should be permitted to provide a customer who already has opted out
with a new opt out notice in connection with a new financial product or
service and, if the consumer does not opt out a second time, be free to
disclose nonpublic personal information obtained in connection with
that financial product or service to nonaffiliated third parties. The
Agencies believe that a financial institution should be permitted the
flexibility to provide opt out notices that are either narrowly
tailored to specific types of nonpublic personal information and types
of nonaffiliated third parties or that are more broadly worded to
anticipate future disclosure plans. However, if a consumer opts out
after receiving an opt out notice from a financial institution that is
broad enough to cover the new type of information sharing desired by
that institution, the failure of the consumer to opt out again does not
revoke the earlier opt out election.
Time by Which Opt Out Must Be Honored
Under the proposal, a financial institution is directed to comply
wit