[Federal Register: February 22, 2000 (Volume 65, Number 35)]
[Proposed Rules]
[Page 8769-8816]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr22fe00-23]
[[Page 8769]]
-----------------------------------------------------------------------
Part II
Department of the Treasury
-----------------------------------------------------------------------
Office of the Comptroller of the Currency
Office of Thrift Supervision
12 CFR Parts 40 and 573
-----------------------------------------------------------------------
Federal Reserve System
-----------------------------------------------------------------------
12 CFR Part 216
Federal Deposit Insurance Corporation
-----------------------------------------------------------------------
12 CFR Part 332
Privacy of Consumer Financial Information; Proposed Rule
[[Page 8770]]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 40
[Docket No. 00-05]
RIN 1557-AB77
FEDERAL RESERVE SYSTEM
12 CFR Part 216
[Docket No. R-1058]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 332
RIN 3064-AC32
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 573
[Docket No. 2000-13]
RIN 1550-AB36
Privacy of Consumer Financial Information
AGENCIES: Office of the Comptroller of the Currency, Treasury; Board of
Governors of the Federal Reserve System; Federal Deposit Insurance
Corporation; and Office of Thrift Supervision, Treasury.
ACTION: Joint notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The Office of the Comptroller of the Currency, Board of
Governors of the Federal Reserve System, Federal Deposit Insurance
Corporation, and the Office of Thrift Supervision, (collectively, the
Agencies) are requesting comment on proposed privacy rules published
pursuant to section 504 of the Gramm-Leach-Bliley Act (the G-L-B Act or
Act). Section 504 authorizes the Agencies to issue regulations as may
be necessary to implement notice requirements and restrictions on a
financial institution's ability to disclose nonpublic personal
information about consumers to nonaffiliated third parties. Pursuant to
section 503 of the G-L-B Act, a financial institution must provide its
customers with a notice of its privacy policies and practices. Section
502 prohibits a financial institution from disclosing nonpublic
personal information about a consumer to nonaffiliated third parties
unless the institution satisfies various disclosure and opt-out
requirements and the consumer has not elected to opt out of the
disclosure. These proposed rules implement the requirements outlined
above.
DATES: Comments must be received by March 31, 2000.
ADDRESSES: Comments should be directed to: Office of the Comptroller of
the Currency (OCC): Communications Division, Office of the Comptroller
of the Currency, 250 E Street, SW., Washington, DC 20219, Attention:
Docket No. 00-05; FAX number (202) 874-5274 or Internet address:
regs.comments@occ.treas.gov. Comments may be inspected and photocopied
at the same location.
Board of Governors of the Federal Reserve System (Board): Comments,
which should refer to Docket No. R-1058, may be mailed to Ms. Jennifer
J. Johnson, Secretary, Board of Governors of the Federal Reserve
System, 20th and C Streets, NW, Washington, DC 20551 or mailed
electronically to regs.comments@federalreserve.gov. Comments addressed
to Ms. Johnson also may be delivered to the Board's mail room between
8:45 a.m. and 5:15 p.m. and to the security control room outside of
those hours. Both the mail room and the security control room are
accessible from the courtyard entrance on 20th Street between
Constitution Avenue and C Street, NW. Comments may be inspected in Room
MP-500 between 9 a.m. and 5 p.m., pursuant to Sec. 261.12, except as
provided in Sec. 261.14, of the Board's Rules Regarding the
Availability of Information, 12 CFR 261.12 and 261.14.
Federal Deposit Insurance Corporation (FDIC): Send written comments
to Robert E. Feldman, Executive Secretary, Attention: Comments/OES,
Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429. Comments may be hand delivered to the guard
station at the rear of the 17th Street building (located on F Street)
on business days between 7 a.m. and 5 p.m. (Fax number (202) 898-3838).
Comments may be inspected and photocopied in the FDIC Public
Information Center, Room 100, 801 17th Street, NW., Washington, DC
20429, between 9 a.m. and 4:30 p.m. on business days.
Comments may be submitted to the FDIC electronically over the
Internet at www.fdic.gov. Further information concerning this option
may be found below at ``FDIC's New Electronic Public Comment Site.''
Comments also may be mailed electronically to comments@fdic.gov.
Office of Thrift Supervision (OTS): Send comments to Manager,
Dissemination Branch, Information Management & Services Division,
Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552,
Attention Docket No. 2000-13. Hand deliver comments to Public Reference
Room, 1700 G Street, NW., lower level, from 9:00 A.M. to 5:00 P.M. on
business days. Send facsimile transmissions to FAX Number (202) 906-7755 or (202) 906-6956 (if the comment is over 25 pages). Send e-mails
to public.info@ots.treas.gov and include your name and telephone
number. Interested persons may inspect comments at 1700 G Street, NW.,
from 9 a.m. until 4 p.m. on business days.
FOR FURTHER INFORMATION CONTACT:
OCC
Amy Friend, Assistant Chief Counsel (202) 874-5200
Mark Tenhundfeld, Assistant Director, Legislative and Regulatory
Activities Division (202) 874-5090
Michael Bylsma, Director, Community and Consumer Law (202) 874-5750
Steve Van Meter, Senior Attorney, Community and Consumer Law (202) 874-5750
Karen Furst, Policy Analyst, Economic and Policy Analysis (202) 874-4509
Paul Utterback, National Bank Examiner, Bank Supervision Policy (202) 874-5461, or
Jeffery Abrahamson, Attorney, Legislative and Regulatory Activities
Division (202) 874-5090
Board
Oliver I. Ireland, Associate General Counsel (202) 452-3625
Stephanie Martin, Managing Senior Counsel (202) 452-3198, or
Thomas Scanlon, Attorney (202) 452-3594, Legal Division, or
Adrienne D. Hurt, Assistant Director (202) 452-2412
Jane J. Gell, Managing Counsel (202) 452-3667, or
James H. Mann, Attorney (202) 452-2412, Division of Consumer and
Community Affairs.
For the hearing impaired only, contact Diane Jenkins,
Telecommunications Device for the Deaf (TDD) (202) 452-3544, Board of
Governors of the Federal Reserve System, 20th and C Streets, NW,
Washington, DC 20551.
FDIC
Deanna Caldwell, Community Affairs Officer, Division of Compliance and
Consumer Affairs, (202) 736-0141
James K. Baebel, Senior Review Examiner, Division of Compliance and
Consumer Affairs, (202) 736-0229
Robert A. Patrick, Counsel, Regulations and Legislation Section, (202)
898-3757
[[Page 8771]]
Marc J. Goldstrom, Counsel, Regulations and Legislation Section, (202)
898-8807
Marilyn E. Anderson, Senior Counsel, Regulations and Legislation
Section, (202) 898-3522
Nancy Schucker Recchia, Counsel, Regulations and Legislation Section,
(202) 898-8885.
OTS
Christine Harrington, Counsel (Banking and Finance), (202) 906-7957
Paul Robin, Assistant Chief Counsel, (202) 906-6648, Regulations and
Legislation Division; or
Cindy Baltierra, Program Analyst, Compliance Policy (202) 906-6540,
Office of Thrift Supervision, 1700 G Street, NW., Washington DC 20552.
SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in
the following outline:
I. Background
II. Section-by-Section Analysis
III. FDIC's New Electronic Public Comment Site
IV. Regulatory Analysis
A. Paperwork Reduction Act
B. Regulatory Flexibility Act
C. Executive Order 12866
D. Unfunded Mandates Act of 1995
V. Solicitation of Comments on Use of ``Plain Language''
I. Background
On November 12, 1999, President Clinton signed the G-L-B Act (Pub.
L. 106-102, codified at 15 U.S.C. 6801 et seq.) into law. Subtitle A of
Title V of the Act, captioned Disclosure of Nonpublic Personal
Information, limits the instances in which a financial institution may
disclose nonpublic personal information about a consumer to
nonaffiliated third parties, and requires a financial institution to
disclose to all of its customers the institution's privacy policies and
practices with respect to information sharing with both affiliates and
nonaffiliated third parties. Title V also requires the Agencies, the
Secretary of the Treasury, the National Credit Union Administration
(NCUA), the Federal Trade Commission (FTC), and the Securities and
Exchange Commission (SEC), after consulting with representatives of
State insurance authorities designated by the National Association of
Insurance Commissioners, to prescribe such regulations as may be
necessary to carry out the purposes of the provisions in Title V that
govern disclosure of nonpublic personal information.
The Agencies have prepared proposed rules to implement Subtitle A
that are consistent and comparable to the extent possible, as is
required by the statute.\1\ Except where noted in the discussion of the
proposed definitions of ``nonpublic personal information,''
``personally identifiable financial information,'' and ``publicly
available information,'' the texts of the Agencies' proposed
regulations are substantively identical. The Agencies request comment
on all aspects of the proposed rules as well as comment on the specific
provisions and issues highlighted in the section-by-section analysis
below.
---------------------------------------------------------------------------
\1\ The NCUA, FTC, SEC, and the Treasury Department also have
participated in the rulemaking process, and the NCUA, FTC, and SEC
will separately issue comparable proposed rules.
---------------------------------------------------------------------------
II. Section-by-Section Analysis
The discussion that follows applies to each of the Agencies'
proposed rules. Given that each agency will assign a different part to
its privacy rule, the citations are to sections only, leaving citations
to part numbers blank.
Sec. __.1 Purpose and Scope
Proposed paragraph (a) of this section identifies three purposes of
the rules. First, the rules require a financial institution to provide
notice to consumers about the institution's privacy policies and
practices. Second, the rules describe the conditions under which a
financial institution may disclose nonpublic personal information about
a consumer to a nonaffiliated third party. Third, the rules provide a
method for a consumer to ``opt out'' of the disclosure of that
information to nonaffiliated third parties, subject to the exceptions
in proposed Secs. __.9, __.10, and __.11, as discussed below.
Proposed paragraph (b) sets out the scope of the banking agencies'
rules and tracks the scope of enforcement set out in section 505(a) of
the G-L-B Act. This paragraph notes that the rules apply only to
information about individuals who obtain a financial product or service
from a financial institution to be used for personal, family, or
household purposes.
The G-L-B Act and the proposed rules apply to domestic offices of
United States banks and domestic branches and agencies of foreign
banks. The Agencies request comment on whether the rules should apply
to foreign financial institutions that solicit business in the United
States but that do not have an office in the United States.
Sec. __.2 Rule of Construction
Proposed Sec. __.2 of the rules sets out a rule of construction
intended to clarify the effect of the examples used in the rules. Given
the wide variety of transactions that Title V of the G-L-B Act covers,
the Agencies propose to adopt rules of general applicability and
provide examples of conduct that would, and would not, comply with the
rule. While the general rules are consistent among the Agencies'
proposals to the extent possible, the examples used by the Federal
banking agencies differ on occasion from those used by the other
agencies in order to provide guidance that may be most meaningful to
entities within a given agency's jurisdiction.
The examples are provided in furtherance of the Federal banking
agencies' obligation under section 722 of the G-L-B Act to use ``plain
language'' in all proposed and final rules published after January 1,
2000. These examples are not intended to be exhaustive; rather, they
are intended to provide guidance about how the rules would apply in
specific situations. The Agencies invite comment on whether including
examples in the rule is useful and suggestions on additional or
different examples that may be helpful in illustrating compliance with
the rule.
Sec. __.3 Definitions
a. Affiliate. The proposed rules adopt the definition of
``affiliate'' that is used in section 509(6) of the G-L-B Act. An
affiliation will be found when one company ``controls'' (which is
defined in Sec. __.3(g), below), is controlled by, or is under common
control with another company. The definition includes both financial
institutions and entities that are not financial institutions.
b. Clear and conspicuous. Title V of the G-L-B Act and the proposed
rules require that various notices be ``clear and conspicuous.'' The
proposed rules define this term to mean that the notice is reasonably
understandable and designed to call attention to the nature and
significance of the information contained in the notice.
The proposed rules do not mandate the use of any particular
technique for making the notices clear and conspicuous, but instead
allow each financial institution the flexibility to decide for itself
how best to comply with this requirement. Ways in which a notice may
satisfy the clear and conspicuous standard would include, for instance,
using a plain-language caption, in a type set easily seen, that is
designed to call attention to the information contained in the notice.
Other plain language principles are provided in the examples that
follow the general rule.
[[Page 8772]]
c. Collect. The proposed rules define ``collect'' to mean obtaining
any information that is organized or retrievable on a personally
identifiable basis, irrespective of the source of the underlying information.
Several sections of the proposed rule (see, e.g., Secs. __.6 and __.7)
impose obligations that arise when a financial institution collects
information about a consumer. This proposed definition clarifies that
these obligations arise when the information enables the user to
identify a particular consumer. It also clarifies that the obligations
arise regardless of whether the financial institution obtains the
information from a consumer or from some other source.
d. Company. The proposed rules define ``company,'' which is used in
the definition of ``affiliate,'' as any corporation, limited liability
company, business trust, general or limited partnership, association,
or similar organization.
e. Consumer. The proposed rules define ``consumer'' to mean an
individual who obtains, from a financial institution, financial
products or services that are to be used primarily for personal,
family, or household purposes. An individual also will be deemed to be
a consumer for purposes of a financial institution if that institution
purchases the individual's account from some other institution. The
definition also includes the legal representative of an individual.
The G-L-B Act distinguishes ``consumers'' from ``customers'' for
purposes of the notice requirements imposed by the Act. As explained
more fully in the discussion of proposed Sec. __.4, below, a financial
institution is required to give a ``consumer'' the notices required
under Title V only if the institution intends to disclose nonpublic
personal information about the consumer to a nonaffiliated third party
for a purpose that is not authorized by one of several exceptions set
out in proposed Secs. __.10 and __.11. By contrast, a financial
institution must give all ``customers,'' at the time of establishing a
customer relationship and annually thereafter during the continuation
of the customer relationship, a notice of the institution's privacy
policy.
A person is a ``consumer'' under the proposed rules if he or she
obtains a financial product or service from a financial institution.
The definition of ``financial product or service'' in proposed
Sec. __.3(k), below, includes, among other things, the evaluation by a
financial institution of an application that a person submits to obtain
a financial product or service. Thus, a financial institution that
intends to share nonpublic personal information about a consumer with
nonaffiliated third parties outside of the exceptions described in
Secs. __.10 and __.11 will have to give the requisite notices, even if
the consumer does not enter into a customer relationship with the
institution.
The examples that follow the definition of ``consumer'' clarify
when someone is a consumer. They include situations where someone
applies for a loan or provides information for the purpose of
determining whether he or she prequalifies for a loan, a person
providing information in connection with seeking to obtain financial
advisory services, and a person who negotiates a workout of a loan. The
examples also clarify the status of someone whose loan has been sold.
f. Consumer reporting agency. The proposed rules adopt the
definition of ``consumer reporting agency'' that is used in section
603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)). This term
is used in proposed Secs. __.11 and __.13.
g. Control. The proposed rules define ``control'' using the tests
applied in section 23A of the Federal Reserve Act (12 U.S.C. 371c).
This definition is used to determine when companies are affiliated (see
discussion of proposed Sec. __.3(a), above), and would result in
financial institutions being considered as affiliates regardless of
whether the control is by a company or individual.
h. Customer. The proposed rules define ``customer'' as any consumer
who has a ``customer relationship'' with a particular financial
institution. As is explained more fully in the discussion of proposed
Sec. __.4, below, a consumer becomes a customer of a financial
institution at the time of entering into a continuing relationship with
the institution. Thus, for instance, a consumer would become a customer
at the time the consumer executes the documents needed to open a
deposit account or borrow money from a financial institution.
The distinction between consumers and customers determines what
notices a financial institution must provide. If a consumer never
becomes a customer, the institution is not required to provide any
notices to the consumer unless the institution intends to disclose
nonpublic personal information about that consumer to nonaffiliated
third parties outside of the exceptions as set out in Secs. __.10
and __.11. By contrast, if a consumer becomes a customer, the
institution must provide a copy of its privacy policy prior to the time
it establishes the customer relationship and at least annually
thereafter during the continuation of the customer relationship.
i. Customer relationship. The proposed rules define ``customer
relationship'' as a continuing relationship between a consumer and a
financial institution whereby the institution provides a financial
product or service that is to be used by the consumer primarily for
personal, family, or household purposes.\2\ Because the G-L-B Act
requires annual notices of the financial institution's privacy policies
to its customers, the Agencies have interpreted the Act as requiring
more than isolated transactions between a bank and a consumer to
establish a customer relationship, unless it is reasonable to expect
further contact about that transaction between the bank and consumer
afterwards. Thus, the proposed rules define ``customer relationship''
as one that generally is of a continuing nature. As noted in the
examples that follow the definition, this would include, for instance,
maintaining a deposit, loan, trust, or investment account.
---------------------------------------------------------------------------
\2\ A ``customer'' may be defined differently for purposes of
other regulations. See, e.g., 12 CFR 7.4002.
---------------------------------------------------------------------------
A one-time transaction may be sufficient to establish a customer
relationship, depending on the nature of the transaction. The examples
that follow the definition of ``customer relationship'' clarify, for
instance, that a purchase of an insurance policy would be sufficient to
establish a customer relationship because of the continuing nature of
the product, whereas using an automated teller machine (ATM) at a bank
at which a consumer transacts no other business, purchasing traveler's
checks or money orders, or cashing a check would not. While a person
engaging in one of these latter types of transactions would be a
consumer under the regulation (thereby requiring the financial
institution to provide notices if the institution intends to disclose
nonpublic personal information about the consumer to nonaffiliated
third parties outside of the exceptions), the consumer would not be a
customer. A consumer would not necessarily become a customer simply by
repeatedly engaging in isolated transactions, such as withdrawing funds
at regular intervals from an ATM owned by an institution with whom the
consumer has no account.
The examples also clarify that a consumer will have a customer
relationship with a financial institution that makes a loan to the
consumer and then sells the loan but retains the servicing rights. In
that case, the person will be a customer of both the institution that
sold the loan and the institution that bought it.
[[Page 8773]]
j. Financial institution. The proposed rules define ``financial
institution'' as any institution the business of which is engaging in
activities that are financial in nature, or incidental to such
financial activities, as described in section 4(k) of the Bank Holding
Company Act of 1956 (12 U.S.C. 1843(k)). The proposed rules also exempt
from the definition of ``financial institution'' those entities
specifically excluded by the G-L-B Act.
k. Financial product or service. The proposed rules define
``financial product or service'' as a product or service that a
financial institution could offer as an activity that is financial in
nature, or incidental to such a financial activity, under section 4(k)
of the Bank Holding Company Act of 1956, as amended. An activity that
is complementary to a financial activity, as described in section 4(k),
is not included in the definition of ``financial product or service''
under this part. The proposed rules' definition includes the financial
institution's evaluation of information collected in connection with an
application by a consumer for a financial product or service even if
the application ultimately is rejected or withdrawn. It also includes
the distribution of information about a consumer for the purpose of
assisting the consumer to obtain a financial product or service.
l. Government regulator. The proposed rules adopt the definition of
``government regulator'' that includes each of the Agencies
participating in this rulemaking, the Secretary of the Treasury, the
NCUA, FTC, SEC, and State insurance authorities under the circumstances
identified in the definition. This term is used in the exception set
out in proposed Sec. __.11(a)(4) for disclosures to law enforcement
agencies, ``including government regulators.''
m. Nonaffiliated third party. Paragraph (1) of the proposed
definition of ``nonaffiliated third party'' provides that the term
means any person (which includes natural persons as well as corporate
entities such as corporations, partnerships, trusts, and so on) except:
(1) An affiliate of a financial institution, and (2) a joint employee
of a financial institution and a third party. This paragraph is
intended to be substantively the same as the definition used in section
509(5) of the G-L-B Act. Paragraph (2) of the proposed definition
provides that ``nonaffiliated third party'' includes any company that
is an affiliate by virtue of the direct or indirect ownership or
control of the company by the financial institution or one of its
affiliates in conducting merchant banking or investment banking
activities of the type described in section 4(k)(4)(H) or insurance
company activities of the type described in section 4(k)(4)(I) of the
Bank Holding Company Act, whether or not the financial institution is
affiliated with a bank or is relying on the authority of those
sections.
n. Nonpublic personal information. Section 509(4) of the G-L-B Act
defines ``nonpublic personal information'' to mean ``personally
identifiable financial information'' (which term is not defined in the
Act) that is provided by a consumer to a financial institution, results
from any transaction with the consumer or any service performed for the
consumer, or is otherwise obtained by the financial institution. Any
list, description, or other grouping of consumers--and ``publicly
available information'' (which also is undefined in the G-L-B Act)
pertaining to them--that is derived using any nonpublic personal
information other than publicly available information also is included
in the definition of ``nonpublic personal information.''
The proposed rules implement this provision of the G-L-B Act by
restating, in paragraph (1) of proposed Sec. __.3(n), the categories of
information described above. However, the proposed rules present two
alternatives concerning the treatment, for purposes of the definition
of ``nonpublic personal information,'' of information that can be
obtained from sources available to the general public. The alternatives
are based on differences in the definitions of ``personally
identifiable financial information'' and ``publicly available
information'' which, when read together, result in more information
being treated as ``nonpublic personal information'' under Alternative A
than would be the case under Alternative B.
Alternative A excludes publicly available information from the
scope of ``nonpublic personal information'' only in two circumstances.
The first is when the information is part of a list, description, or
other grouping of consumers that is derived without using personally
identifiable financial information. The second is when information, not
provided by a consumer and not resulting from a transaction with the
consumer, is otherwise obtained by a financial institution in
connection with providing a financial product or service to the
consumer. However, in order for the information to be considered
``publicly available'' under Alternative A, the information must be
obtained from government records, widely distributed media, or
government-mandated disclosures. The fact that the information is
available from those sources is immaterial if the financial institution
does not actually obtain the information from one of them.
Alternative B \3\ similarly excludes publicly available information
from the scope of ``nonpublic personal information'' when the
information is part of a list, description, or other grouping of
consumers that is derived without using personally identifiable
financial information. However, Alternative B also excludes any other
publicly available information, unless the information is part of a
list, description, or other grouping of consumers that is derived using
personally identifiable financial information. Under Alternative B,
information need only be available from a public source for it to be
considered ``publicly available.'' If the information is lawfully
available to the general public, then it will be publicly available and
excluded from the scope of ``nonpublic personal information''
regardless of whether the institution obtains it from a publicly
available source (unless, as previously noted, it is part of a list of
consumers that is derived using personally identifiable information).
As a result of this approach, the fact that information has been given
to a financial institution by a consumer does not automatically extend
to that information the protections afforded to nonpublic personal
information.
---------------------------------------------------------------------------
\3\ The Board's proposed rule sets out Alternative B only.
---------------------------------------------------------------------------
The two alternatives will produce the same results in many
instances. Under Alternative A, a person's name, address, and other
information that typically is thought of as publicly available is
treated as nonpublic if that information is provided by the person to a
bank in connection with obtaining a financial product or service. Thus,
a bank would be unable to disclose such information under Alternative A
to a nonaffiliated third party unless the bank complies with the notice
and opt out requirements discussed below. Under Alternative B, if the
person's name and address were available from public sources, they
would be publicly available information. However, even under
Alternative B, the bank would have to comply with the notice and opt
out requirements before sharing that information with nonaffiliated
third parties if the information was included on a customer list.
[[Page 8774]]
The two alternatives will produce different results, however, in
the situation where a bank wants to disclose the name, address, or
other information available to the general public about an individual. In that situation,
Alternative A would require compliance with the notice and opt out
requirements. Alternative B would not, because the information would
not be part of a list, description, or other grouping of consumers. The
Agencies invite comment on both alternatives.
The Agencies also specifically invite comment on whether either
definition of ``nonpublic personal information'' would cover
information about a consumer that contains no indicators of a
consumer's identity. For instance, if a mortgage lender provided
information about its mortgage loans (such as loan-to-value ratios,
interest rates, census tracts of mortgaged property, payment history,
credit scores, and income) to a nonaffiliated third party for the
purpose of preparing market studies, would the lender, without notice
or opt out to the consumer, be permitted to do so if the information
contains no personal identifiers?
o. Personally identifiable financial information. As discussed
above, the G-L-B Act defines ``nonpublic personal information'' to
include, among other things, ``personally identifiable financial
information'' but does not define the latter term.
As a general matter, the proposed rules treat any personally
identifiable information as financial if it is obtained by a financial
institution in connection with providing a financial product or service
to a consumer. The Agencies believe that this approach reasonably
interprets the word ``financial'' and creates a workable and clear
standard for distinguishing information that is financial from other
personal information. The Agencies recognize that this interpretation
may result in certain information being covered by the rules that may
not be considered intrinsically financial, such as health status, and
specifically invite comment on the proposed definition of ``personally
identifiable financial information.''
The proposed rules define ``personally identifiable financial
information'' to include three categories of information. While these
three categories are for the most part identical in both alternatives
(see discussion of category 3, below, concerning a difference between
the categories), the differences in how Alternatives A and B treat
publicly available information result in different applications of what
personally identifiable financial information is included within the
definition of ``nonpublic personal information.''
The first category of information considered to be ``personally
identifiable financial information'' is any information that a consumer
provides a financial institution in order to obtain a financial product
or service. As noted in the examples that follow the definition, this
would include information provided on an application to obtain a loan,
credit card, or other financial product or service. If, for instance,
medical information is provided on an application to obtain a financial
product or service (such as would be the case if a consumer applies for
a life insurance policy), that information would be considered
``personally identifiable financial information'' for purposes of the
proposed rules.
The second category of information covered by the proposed
definition of ``personally identifiable financial information''
includes any information resulting from any transaction between the
consumer and the financial institution involving a financial product or
service. This would include, as noted in the examples following the
definition, account balance information, payment or overdraft history,
and credit or debit card purchase information.
The third category includes any financial information about a
consumer otherwise obtained by the financial institution in connection
with providing a financial product or service to the consumer. This
would include, for example, information obtained from a consumer report
or from an outside source to verify information a consumer provides on
an application to obtain a financial product or service. There is a
difference in the statement of the third category between Alternatives
A and B. Alternative A expressly excludes from this category publicly
available information, while Alternative B does not. However, given the
definitions of ``nonpublic personal information'' and ``publicly
available information'' in Alternative B, the result is that any of the
three categories of personally identifiable information in Alternative
B will exclude publicly available information from the personally
identifiable financial information that is considered ``nonpublic
personal information.''
The examples clarify that the definition of ``personally
identifiable financial information'' does not include a list of names
and addresses of people who are customers of an entity that is not a
financial institution. Thus, the names and addresses of people who
subscribe, for instance, to a particular magazine fall outside the
definition. If, however, a financial institution includes those names
and addresses as part of a list of the institution's customers, then
the names and addresses become nonpublic personal information.
The Agencies note that there are other laws that may impose
limitations on disclosures of nonpublic personal information in
addition to those imposed by the G-L-B Act and these proposed rules.
For instance, the Fair Credit Reporting Act imposes conditions on the
sharing of application information between affiliates and nonaffiliated
third parties. The recently proposed Department of Health and Human
Services regulations \4\ that implement the Health Insurance
Portability and Accountability Act of 1996 would, if adopted in final
form, limit the circumstances under which medical information may be
disclosed. There may be State laws that affect a financial
institution's ability to disclose information. Thus, financial
institutions will need to monitor and comply with applicable
legislative and regulatory developments that affect the disclosure of
consumer information.
---------------------------------------------------------------------------
\4\ 64 FR 59918 (Nov. 3, 1999).
---------------------------------------------------------------------------
The Agencies seek comment on whether further definition of
``personally identifiable financial information'' would be helpful.
p. Publicly available information. The proposed rules contain two
versions of the definition of ``publicly available information.'' For
the most part, the definitions are identical, and differ only in that
Alternative A does not treat information as publicly available unless
it is obtained from one of the public sources listed in the proposed
rules. Alternative B, by contrast, treats information as publicly
available if it could be obtained from one of the public sources listed
in the rules, even if it was obtained from a source not listed in the
definition. The Agencies invite comments on which alternative is more
appropriate.
The remaining parts of the two alternative versions are identical.
Thus, under either alternative, the definition of ``publicly available
information'' includes information from official public records, such
as real estate recordations or security interest filings. It also
includes information from widely distributed media (such as a telephone
book, television or radio program, or newspaper) and information that
is required to be disclosed to the general public by Federal, State, or
local law (such as securities disclosure documents). The proposed rules
state that information obtained over the Internet will be considered
publicly available information if the information
is obtainable from a site available to the general public without
requiring a password or similar restriction. The Agencies invite
comment on what information is appropriately considered publicly
available, particularly in the context of information available over
the Internet.
q. You. For those Agencies that use the pronoun ``you'' to refer to
entities within their primary jurisdiction,\5\ the definition of this
term will vary with each of the Agencies' regulations based upon the
financial institutions under their jurisdictions.
---------------------------------------------------------------------------
\5\ The OCC has used the term ``bank'' instead of ``you'' in its
regulation.
---------------------------------------------------------------------------
Sec. __.4 Initial Notice to Consumers of Privacy Policies and
Practices Required
Initial notice required. The G-L-B Act requires a financial
institution to provide an initial notice of its privacy policies and
practices in two circumstances. For customers, the notice must be
provided at the time of establishing a customer relationship. For
consumers who do not become customers, the notice must be provided
prior to disclosing nonpublic personal information about the consumer
to a nonaffiliated third party.
Paragraph (a) of proposed Sec. __.4 states the general rule
regarding these notices. Pursuant to that paragraph, a financial
institution must provide a clear and conspicuous notice (i.e., a notice
that is reasonably understandable and designed to call attention to the
nature and significance of the information it provides) that accurately
reflects the institution's privacy policies and practices. Thus, a
financial institution must actually maintain the protections that its
notice represents it will provide. The Agencies expect that
financial institutions will take appropriate measures to adhere to
their stated privacy policies and practices.
The proposed rules do not prohibit affiliated institutions from
using a common initial, annual, or opt out notice, so long as the
notice is delivered in accordance with the rule and is accurate for all
recipients. Similarly, the rules do not prohibit an institution from
establishing different privacy policies and practices for different
categories of consumers, customers, or products, so long as each
particular consumer or customer receives a notice that is accurate with
respect to him or her.
Notice to customers. The proposed rules require that a financial
institution provide an individual a privacy notice prior to the time
that it establishes a customer relationship. Thus, the notices may be
provided at the same time a financial institution is required to give
other notices, such as those required by the Board's regulations
implementing the Truth in Lending Act (12 CFR 226.6). This approach is
intended to strike a balance between: (1) Ensuring that consumers will
receive privacy notices at a meaningful point along the continuum of
``establishing a customer relationship''; and (2) minimizing
unnecessary burdens on financial institutions that may result if a
financial institution is required to provide a consumer with a series
of notices at different times in a transaction. Nothing in the proposed
rules is intended to discourage a financial institution from providing
an individual with a privacy notice at an earlier point in the
relationship if the institution wishes to do so in order to make it
easier for the individual to compare its privacy policies and practices
with those of other institutions in advance of conducting transactions.
Paragraph (c) of proposed Sec. __.4 identifies the time a customer
relationship is established as the point at which a financial
institution and a consumer enter into a continuing relationship. The
examples that are provided after the statement of the general rule
inform the reader that, for customer relationships that are contractual
in nature (including, for instance, deposit accounts, loans, or
purchases of a nondeposit product), a customer relationship is
established upon the execution by the consumer of the contract that is
necessary to conduct the transaction in question. In the case of a
credit card account, the customer relationship is established when the
consumer opens the account. A consumer opens a credit card account when
he or she becomes obligated on the account, such as when he or she
makes the first purchase, receives the first advance, or becomes
obligated for any fee or charges under the account other than an
application fee or refundable membership fee. For transactions that may
not involve a contract (including, for instance, providing investment
advisory services), a customer relationship will be established if the
consumer pays or agrees to pay a fee or commission for the service.
Notice to consumers. For consumers who do not establish a customer
relationship, the initial notice may be provided at any point before
the financial institution discloses nonpublic personal information to
nonaffiliated third parties. As provided in paragraph (b) of the
proposed rule, if the institution does not intend to disclose the
information in question or intends to make only those disclosures that
are authorized by one of the exceptions set out in Secs. __.10 and
__.11 of the proposed rule, it is not required to provide the initial
notice.
How to provide notice. Paragraph (d) of proposed Sec. __.4 sets out
the rules governing how financial institutions must provide the initial
notices. The general rule requires that the initial notice be provided
so that each recipient can reasonably be expected to receive actual
notice. The Agencies invite comment on who should receive a notice in
situations where there is more than one party to an account.
The notice may be delivered in writing or, if the consumer agrees,
electronically. Oral notices alone are insufficient. In the case of
customers, the notice must be given in a way so that the customer may
either retain it or access it at a later time. This requirement that
the notice be given in a manner permitting access at a later time does
not preclude a financial institution from changing its privacy policy.
See proposed Sec. __.8(c), below. Rather, the rules are intended only
to require that a customer be able to access the most recently adopted
privacy policy.
Examples of acceptable ways the notice may be delivered include
hand-delivering a copy of the notice, mailing a copy to the consumer's
last known address, or sending it via electronic mail to a consumer who
obtains a financial product or service from the institution
electronically. It would not be sufficient to provide only a posted
copy of the notice in a lobby. Similarly, it would not be sufficient to
provide the initial notice only on a Web page, unless the consumer is
required to access that page to obtain the product or service in
question. Electronic delivery generally should be in the form of
electronic mail so as to ensure that a consumer actually receives the
notice. In those circumstances where a consumer is in the process of
conducting a transaction over the Internet, electronic delivery also
may include posting the notice on a Web page as described above. If a
financial institution and consumer orally agree to enter into a
contract for a financial product or service over the telephone, the
institution may provide the consumer with the option of receiving the
initial notice after providing the product or service so as not to
delay the transaction. The Agencies invite comment on the regulatory
burden of providing the initial notices and on the methods financial
institutions anticipate using to provide the notices.
The Agencies recognize that in some circumstances a customer does
not have a choice as to the institution with which he or she has a
customer relationship, such as when an institution purchases the
customer's loan in the secondary market. In these situations, it may
not be practicable for the institution to provide a notice prior to
establishing the customer relationship. The proposed rules provide that
if a financial institution purchases a loan or assumes a deposit
liability from another financial institution or in the secondary market
and the customer does not have a choice about the purchase or
assumption, the acquiring financial institution may provide the initial
notice within a reasonable time thereafter. The Agencies invite comment
on whether there are other similar situations for which an exception is
necessary.
The Agencies also recognize that certain consumers may have
requested that a financial institution not send statements, notices, or
other communications to them, such as in certain private banking
relationships. The Agencies request comment on whether and how the
rules should address these situations with respect to the notices
required by these rules. The Agencies also request comment on whether
there are other situations where providing notice by mail is
impracticable.
Sec. __.5 Annual Notice to Customers Required
Section 503 of the G-L-B Act requires a financial institution to
provide notices of its privacy policies and practices at least annually
to its customers. The proposed rules implement this requirement by
requiring a clear and conspicuous notice that accurately reflects the
privacy policies and practices then in effect to be provided at least
once during any period of twelve consecutive months. The rules
governing how to provide an initial notice also apply to annual
notices.
Section 503(a) of the G-L-B Act requires that the annual notices be
provided ``during the continuation'' of a customer relationship. To
implement this requirement, the proposed rules state that a financial
institution is not required to provide annual notices to a customer
with whom it no longer has a continuing relationship. The examples that
follow this general rule provide guidance on when there no longer is a
continuing relationship for purposes of the rules. These include, for
instance, deposit accounts that are treated as dormant by a financial
institution, loans that are paid in full or charged off, or assets sold
without retaining servicing rights.
There will be certain customer relationships (such as obtaining
investment advice from a stock broker) that do not present a clear
event after which there is no longer a customer relationship. The
proposed rules contain an example intended to cover these situations,
stating that a relationship will no longer be deemed continuing for
purposes of the proposed rules if the financial institution has not
communicated with a customer, other than providing an annual privacy
policy notice, for a period of 12 consecutive months.
The Agencies invite comment generally on whether the examples
provided in proposed Sec. __.5 are adequate and on whether the proposed
standard deeming an account relationship to have terminated after 12
months of no communication is appropriate. The Agencies specifically
request comment on whether, in the example of dormant accounts, the
applicable standard should be the institution's policies or applicable
State law. The Agencies also invite comment on the regulatory burden of
providing the annual notices and on the methods financial institutions
anticipate using to provide the notices.
Sec. __.6 Information To Be Included in Initial and Annual Notices of
Privacy Policies and Practices
Section 503 of the G-L-B Act identifies the items of information
that must be included in a financial institution's initial and annual
notices. Section 503(a) of the G-L-B Act sets out the general
requirement that a financial institution must provide customers with a
notice describing the institution's policies and practices with respect
to, among other things, disclosing nonpublic personal information to
affiliates and nonaffiliated third parties. Section 503(b) of the Act
identifies certain elements that must be addressed in that notice.
The required content is the same for both the initial and annual
notices of privacy policies and practices. While the information
contained in the notices must be accurate as of the time the notices
are provided, a financial institution may prepare its notices based on
current and anticipated policies and practices.
The information to be included is as follows:
1. Categories of Nonpublic Personal Information That a Financial
Institution May Collect
Section 503(b)(2) requires a financial institution to inform its
customers about the categories of nonpublic personal information that
the institution collects. The proposed rules implement this requirement
in Sec. __.6(a)(1) and provide an example of how to comply with this
requirement that focuses the notice on the source of the information
collected. As noted in the example, a financial institution will
satisfy this requirement if it categorizes the information according to
the sources, such as application information, transaction information,
and consumer report information. Financial institutions may provide
more detail about the categories of information collected but are not
required to do so by the proposed rules.
2. Categories of Nonpublic Personal Information That a Financial
Institution May Disclose
Section 503(a)(1) of the G-L-B Act requires the financial
institution's initial and annual notice to provide information about
the categories of nonpublic personal information that may be disclosed
either to affiliates or nonaffiliated third parties.
The proposed rules implement this requirement in proposed
Sec. __.6(a)(2). The examples of how to comply with this rule focus on
the content of information to be disclosed. As stated in the relevant
examples, a financial institution may satisfy this requirement by
categorizing information according to source and providing illustrative
examples of the content of the information. These categories might
include application information (such as assets and income),
identifying information (such as name, address, and social security
number), transaction information (such as information about account
activity, account balances, and purchases), and information from
consumer reports (such as credit history).
Financial institutions are free to provide more detailed
information in the initial and annual notices if they choose to do so.
Conversely, if a financial institution does not disclose, and does not
intend to disclose, nonpublic personal information to affiliates or
nonaffiliated third parties, its initial and annual notices may simply
state this fact without further elaboration about categories of
information disclosed.
3. Categories of Affiliates and Nonaffiliated Third Parties to Whom a
Financial Institution Discloses Nonpublic Personal Information
As previously noted, section 503(a) includes a general requirement
that a financial institution provide a notice to its customers of the
institution's policies and practices with respect to disclosing
nonpublic personal information to affiliates and nonaffiliated third
parties. Section 503(b) states that the notice required by section
503(a) shall include certain specified items. Among those is the
requirement, set out in section 503(b)(1), that a financial institution
inform its customers about its policies and practices with respect to
disclosing nonpublic personal information to nonaffiliated third
parties. The Agencies believe that, when read together, sections 503(a)
and 503(b) of the G-L-B Act require a financial institution's notice to
address disclosures of nonpublic personal information to both
affiliates and nonaffiliated third parties.
The proposed rules implement this requirement in Sec. __.6(a)(3).
The example illustrating how a financial institution may comply with
the rules states that a financial institution will adequately
categorize the affiliates and nonaffiliated third parties to whom it
discloses nonpublic personal information about consumers if it
identifies the types of businesses in which they engage. Types of
businesses may be described by general terms, such as financial
products or services, if the financial institution provides
illustrative examples of the significant lines of businesses of the
recipient, such as retail banking, mortgage lending, life insurance, or
securities brokerage.
The G-L-B Act does not require a financial institution to list the
categories of persons to whom information may be disclosed pursuant to
one of the exceptions set out in proposed Secs. __.10 and __.11. The
proposed rules state that a financial institution is required only to
inform consumers that it makes disclosures as permitted by law to
nonaffiliated third parties in addition to those described in the
notice. The Agencies invite comment on whether such a notice would be
adequate.
If a financial institution does not disclose, and does not intend
to disclose, nonpublic personal information to affiliates or
nonaffiliated third parties, its initial and annual notices may simply
state this fact without further elaboration about categories of third
parties.
4. Information About Former Customers
Section 503(a)(2) of the Act requires the financial institution's
initial and annual privacy notices to include the institution's
policies and practices with respect to disclosing nonpublic personal
information of persons who have ceased to be customers of the
institution. Section 503(b)(1)(B) requires that this information be
provided with respect to information disclosed to nonaffiliated third
parties.
The Agencies have concluded that, when read together, sections
503(a)(2) and 503(b)(1)(B) require a financial institution to include
in the initial and annual notices the institution's policies and
practices with respect to sharing information about former customers
with all affiliates and nonaffiliated third parties. This requirement
is set out in the proposed rules at Sec. __.6(a)(4). This requirement
does not require a financial institution to provide a notice and
opportunity to opt out to a former customer before sharing nonpublic
personal information about that former customer with an affiliate.
5. Information Disclosed to Service Providers
Section 502(b)(2) of the G-L-B Act permits a financial institution
to disclose nonpublic personal information about a consumer to a
nonaffiliated third party for the purpose of the third party performing
services for the institution, including marketing financial products or
services under a joint agreement between the financial institution and
at least one other financial institution. In this case, a consumer has
no right to opt out, but the financial institution must inform the
consumer that it will be disclosing the information in question unless
the service falls within one of the exceptions listed in section 502(e)
of the Act.
The proposed rules implement these provisions, in Sec. __.6(a)(5),
by requiring that, if a financial institution discloses nonpublic
personal information to a nonaffiliated third party pursuant to the
exception for service providers and joint marketing, the institution is
to include in the initial and annual notices a separate description of
the categories of information that are disclosed and the categories of
third parties providing the services. A financial institution may
comply with these requirements by providing the same level of detail in
the notice as is required to satisfy the requirements in proposed
Secs. __.6(a)(2) and (3).
6. Right to Opt Out
As previously noted, sections 503(a)(1) and 503(b)(1) of the G-L-B
Act require a financial institution to provide customers with a notice
of its privacy policies and practices concerning, among other things,
disclosing nonpublic personal information consistent with section 502
of the Act.
The proposed rules implement this requirement, in proposed
Sec. __.6(a)(6), by requiring the initial and annual notices to explain
the right to opt out of disclosures of nonpublic personal information
to nonaffiliated third parties, including the methods available to
exercise that right.
7. Disclosures Made Under the Fair Credit Reporting Act (FCRA)
Section 503(b)(4) of the G-L-B Act requires a financial
institution's initial and annual notice to include the disclosures
required, if any, under section 603(d)(2)(A)(iii) of the FCRA. Section
603(d)(2)(A)(iii) excludes from the definition of ``consumer report''
the communication of certain consumer information among affiliated
entities if the consumer is notified about the disclosure of such
information and given an opportunity to opt out of that information
sharing. The information that can be shared among affiliates under this
provision includes, for instance, information from consumer reports and
applications for financial products or services. In general, this
information represents personal information provided directly by the
consumer to the institution, such as income and social security number,
in addition to information contained within credit bureau reports.
The proposed rules implement section 503(b)(4) of the G-L-B Act by
including the requirement that a financial institution's initial and
annual notice include any disclosures a financial institution makes
under section 603(d)(2)(A)(iii) of the FCRA.
8. Confidentiality, Security, and Integrity
Section 503(a)(3) of the G-L-B Act requires the initial and annual
notices to provide information about a financial institution's policies
and practices with respect to protecting the nonpublic personal
information of consumers. Section 503(b)(3) of the Act requires the
notices to include the policies that the institution maintains to
protect the confidentiality and security of nonpublic personal
information, in accordance with section 501 (which requires the
Agencies to establish standards governing the administrative,
technical, and physical safeguards of customer information).
The proposed rules implement these provisions by requiring a
financial institution to include in the initial and annual notices the
institution's policies and practices with respect to protecting the
confidentiality, security, and integrity of nonpublic personal
information. The relevant example in the proposed rules states that a
financial institution may comply with the requirement as it concerns
confidentiality and security if the institution explains matters such
as who has access to the information and the circumstances under which
the information may be accessed. The information about integrity should
focus on the measures the institution takes to protect against
reasonably anticipated threats or hazards. The proposed rules do not
require a financial institution to provide technical or proprietary
information about how it safeguards consumer information.
The Agencies are in the process of preparing the section 501
standards relating to administrative, technical, and physical
safeguards, and anticipate having those standards in place at the time
of the issuance of the final privacy rules. This will enable financial
institutions to develop the initial and annual notices in light of
those standards.
Sec. __.7 Limitation on disclosure of nonpublic personal information
about consumers to nonaffiliated third parties.
Section 502(a) of the G-L-B Act generally prohibits a financial
institution from sharing nonpublic personal information about a
consumer with a nonaffiliated third party unless the institution
provides the consumer with a notice of the institution's privacy
policies and practices. Section 502(b) further requires that the
financial institution provide the consumer with a clear and conspicuous
notice that the consumer's nonpublic personal information may be
disclosed to nonaffiliated third parties, that the consumer be given an
opportunity to opt out of that disclosure, and that the consumer be
informed of how to opt out.
Section __.7 of the proposed rules implements these provisions.
Paragraph (a)(1) of Sec. __.7 sets out the criteria that a financial
institution must satisfy before disclosing nonpublic personal
information to nonaffiliated third parties. As stated in the text of
the proposed rules, these criteria apply to direct and indirect
disclosures through an affiliate. The Agencies invite comment on how
the right to opt out should apply in the case of joint accounts.
Should, for instance, a financial institution require all parties to an
account to opt out before the opt out becomes effective? If not and
only one of the parties opts out, should the opt out apply only to
information about the party opting out or should it apply to
information about all parties to the account? The Agencies also request
comment on how the opt out right should apply to commingled trust
accounts, where a trustee manages a single account on behalf of
multiple beneficiaries.
Paragraph (a)(2) defines ``opt out'' in a way that incorporates the
exceptions to the right to opt out stated in proposed Secs. __.9,
__.10, and __.11.
The proposed rules implement the requirement that a consumer be
given an opportunity to opt out before information is disclosed by
requiring that the opportunity be reasonable. The examples that follow
the general rule provide guidance in situations involving notices that
are mailed and notices that are provided in connection with isolated
transactions. In the former case, a consumer will have a reasonable
opportunity to opt out if the financial institution provides 30 days in
which to opt out. In the latter case, an opportunity will be reasonable
if the consumer must decide as part of the transaction whether to opt
out before completing the transaction. The Agencies invite comment on
whether 30 days is a reasonable opportunity to opt out in the case of
notices sent by mail, and on whether an example in the context of
transactions conducted using an electronic medium would be helpful.
The requirement that a consumer have a reasonable opportunity to
opt out does not mean that a consumer forfeits that right once the
opportunity lapses. The consumer always has the right to opt out (as
discussed further in proposed Sec. __.8, below). However, if an
individual does not exercise that opt out right when first presented
with an opportunity, the financial institution would be permitted to
disclose nonpublic personal information to nonaffiliated third parties
for the period of time necessary to implement the consumer's opt out
direction.
Paragraph (b) of proposed Sec. __.7 clarifies that the right to opt
out applies regardless of whether a consumer has established a customer
relationship with a financial institution. As noted above, all
customers are consumers under the proposed rules. Thus, the fact that a
consumer establishes a customer relationship with a financial
institution does not change the institution's obligations to comply
with the requirements of proposed Sec. __.7(a) before sharing nonpublic
personal information about that consumer with nonaffiliated third
parties. This also applies in the context of a consumer who had a
customer relationship with a financial institution but then terminated
that relationship. Paragraph (b) also clarifies that the consumer
protections afforded by paragraph (a) of proposed Sec. __.7 apply to
all nonpublic personal information collected by a financial
institution, regardless of when collected. Thus, if a consumer elects
to opt out of information sharing with nonaffiliated third parties,
that election applies to all nonpublic personal information about that
consumer in the financial institution's possession, regardless of when
the information is obtained.
Paragraph (c) of proposed Sec. __.7 states that a financial
institution may, but is not required to, provide consumers with the
option of a partial opt out in addition to the opt out required by this
section. This could enable a consumer to limit, for instance, the types
of information disclosed to nonaffiliated third parties or the types of
recipients of the nonpublic personal information about that consumer.
If the partial opt out option is provided, a financial institution must
state this option in a way that clearly informs the consumer about the
choices available and consequences thereof.
Sec. __.8 Form and Method of Providing Opt Out Notice to Consumers
Paragraph (a) of proposed Sec. __.8 requires that any opt out
notice provided by a financial institution pursuant to proposed
Sec. __.7 be clear and conspicuous and accurately explain the right to
opt out. The notice must inform the consumer that the institution may
disclose nonpublic personal information to nonaffiliated third parties,
state that the consumer has a right to opt out, and provide the
consumer with a reasonable means by which to opt out.
The examples that follow the general rule state that a financial
institution will adequately provide notice of the right to opt out if
it identifies the categories of information that may be disclosed and
the categories of nonaffiliated third parties to whom the information
may be disclosed and that the consumer may opt out of those
disclosures. A financial institution that plans to disclose only
limited types of information or to only a specific type of
nonaffiliated third party may provide a correspondingly narrow notice
to consumers. However, to minimize the number of opt out notices a
financial institution must provide, the institution may wish to
[[Page 8779]]
base its notices on current and anticipated information sharing plans.
A new opt out notice is not required for disclosures to different types
of nonaffiliated third parties or of different types of information,
provided that the most recent opt out notice is sufficiently broad to
cover the entities or information in question. Nor is a financial
institution required to provide subsequent opt out notices when a
consumer establishes a new type of customer relationship with that
financial institution, unless the institution's opt out policies differ
depending on the type of customer relationship.
The examples also suggest several ways in which a financial
institution may provide reasonable means to opt out, including check-
off boxes, reply forms, and electronic mail addresses. A financial
institution does not provide a reasonable means to opt out if the only
means provided is for a consumer to write his or her own letter to the
institution to exercise the right, although an institution may honor
such a letter if received.
Paragraph (b) applies the same rules to delivery of the opt out
notice that apply to delivery of the initial and annual notices. In
addition, paragraph (b) clarifies that the opt out notice may be
provided together with, or on the same form as, the initial and annual
notices. However, if the opt out notice is provided after the initial
notice, a financial institution must provide a copy of the initial
notice along with the opt out notice. If a financial institution and
consumer orally agree to enter into a customer relationship, the
institution may provide the opt out notice within a reasonable time
thereafter if the consumer agrees. The Agencies invite comment on
whether a more specific time by which the notice must be given would be
appropriate.
Paragraph (c) sets out the rules governing a financial
institution's obligations in the event the institution changes its
disclosure policies. As stated in that paragraph, a financial
institution may not disclose nonpublic personal information to a
nonaffiliated third party unless the institution first provides a
revised notice and new opportunity to opt out. The institution must
wait a reasonable period of time before disclosing information
according to the terms of the revised notice in order to afford the
consumer a reasonable opportunity to opt out. A financial institution
must provide the revised notice of its policies and practices and opt
out notice to a consumer using the means permitted for providing the
initial notice and opt out notice to that consumer under Sec. __.4(c)
and Sec. __.8(b), respectively, which require that the notices be given
in a manner so that each consumer can reasonably be expected to receive
actual notice in writing or, if the consumer agrees, in electronic
form.
Paragraph (d) states that a consumer has the right to opt out at
any time. The Agencies considered whether to include a time limit by
which financial institutions must effectuate a consumer's opt out
election, but decided that the wide variety of practices of financial
institutions made one limit inappropriate. Instead, the Agencies' rules
require that disclosures stop as soon as reasonably practicable.
Paragraph (e) states that an opt out will continue until a consumer
revokes it. The rules require that such revocation be in writing, or,
if the consumer has agreed, electronically.
The Agencies invite comment on the likely burden of complying with
the requirement to provide opt out notices, the methods financial
institutions anticipate using to deliver the opt out notices, and the
approximate number of opt out notices they expect to deliver and
process.
Sec. __.9 Exception to Opt Out Requirements for Service Providers and
Joint Marketing
Section 502(b) of the G-L-B Act creates an exception to the opt out
rules for the disclosure of information to a nonaffiliated third party
for use by the third party to perform services for, or functions on
behalf of, the financial institution, including the marketing of the
financial institution's own products or services or financial products
or services offered pursuant to a joint agreement between two or more
financial institutions. A consumer will not have the right to opt out
of disclosing nonpublic personal information about the consumer to
nonaffiliated third parties under these circumstances, if the financial
institution satisfies certain requirements.
First, the institution must, as stated in section 502(b), ``fully
disclose'' to the consumer that it will provide this information to the
nonaffiliated third party before the information is shared. This
disclosure should be provided as part of the initial notice that is
required by Sec. __.4. The Agencies invite comment on whether the
proposed rules appropriately implement the ``fully disclose''
requirement in section 502(b)(2).
Second, the financial institution must enter into a contract with
the third party that requires the third party to maintain the
confidentiality of the information. This contract should be designed to
ensure that the third party: (a) Will maintain the confidentiality of
the information at least to the same extent as is required for the
financial institution that discloses it; and (b) will use the
information solely for the purposes for which the information is
disclosed or as otherwise permitted by Secs. __.10 and __.11 of the
proposed rules. The Agencies invite comment on the application of
proposed Sec. __.9(a)(2)(ii) in the context of financial institutions
that contract with credit scoring vendors to evaluate borrower
creditworthiness. Specifically, would that section prohibit the vendor
from also using the consumers' information without the indicators of
personal identity to help improve its scoring models?
The G-L-B Act allows the Agencies to impose requirements on the
disclosure of information pursuant to the exception for service
providers beyond those imposed in the statute. The Agencies have not
done so in the proposed rules, but invite comment on whether additional
requirements should be imposed, and, if so, what those requirements
should address. The Agencies note, for instance, that joint agreements
have the potential to create reputation risk and legal risk for a
financial institution entering into such an agreement. The Agencies
seek comment on whether the rules should require a financial
institution to take steps to assure itself that the product being
jointly marketed and the other participants in the joint marketing
agreement do not present undue risks for the institution. These steps
might include, for instance, ensuring that the financial institution's
sponsorship of the product or service in question is evident from the
marketing of that product or service. The Agencies also invite comments
on any other requirements that would be appropriate to protect a
consumer's financial privacy, and on whether the rules should provide
examples of the types of joint agreements that are covered.
Sec. __.10 Exceptions to Notice and Opt Out Requirements for
Processing and Servicing Transactions
Section 502(e) of the G-L-B Act creates exceptions to the
requirements that apply to the disclosure of nonpublic personal
information to nonaffiliated third parties. Paragraph (1) of that
section sets out certain exceptions for disclosures made, generally
speaking, in connection with the administration, processing, servicing,
and sale of a consumer's account.
[[Page 8780]]
Paragraph (a) of proposed Sec. __.10 sets out those exceptions,
making only stylistic changes to the statutory text that are intended
to make the exceptions easier to read. Paragraph (b) sets out the
definition of ``necessary to effect, administer, or enforce'' that is
contained in section 509(7) of the G-L-B Act, making only stylistic
changes intended to clarify the definition.
The exceptions set out in proposed Sec. __.10, and the exceptions
discussed in proposed Sec. __.11, below, do not affect a financial
institution's obligation to provide initial notices of its privacy
policies and practices prior to the time it establishes a customer
relationship and annual notices thereafter. Those notices must be
provided to all customers, even if the institution intends to disclose
the nonpublic personal information only pursuant to the exceptions in
proposed Sec. __.10.
Sec. __.11 Other Exceptions to Notice and Opt Out Requirements
As noted above, section 502(e) contains several exceptions to the
requirements that otherwise would apply to the disclosures of nonpublic
personal information to nonaffiliated third parties. Proposed
Sec. __.11 sets out those exceptions that are not made in connection
with the administration, processing, servicing, and sale of a
consumer's account, and makes stylistic changes intended to clarify the
exceptions.
One of the exceptions stated in proposed Sec. __.11 is for
disclosures made with the consent or at the direction of the consumer,
provided the consumer has not revoked the consent. Following the list
of exceptions is an example of consent in which a financial institution
that has received an application from a consumer for a mortgage loan
informs a nonaffiliated insurance company that the consumer has applied
for a loan so that the insurance company can contact the person about
homeowner's insurance. Consent in such a situation would enable the
financial institution to make the disclosure to the third party without
first providing the initial notice required by Sec. __.4 or the opt out
notice required by Sec. __.7, but the disclosure must not exceed the
purposes for which consent was given. The example also states that
consent may be revoked by a consumer at any time by the consumer
exercising the right to opt out of future disclosures. The Agencies
invite comment on whether safeguards should be added to the exception
for consent in order to minimize the potential for consumer confusion.
Such safeguards might include, for instance, a requirement that consent
be written, that it be indicated on a separate signature line in a
relevant document or on a distinct Web page, or that it may be
effective for only a limited period of time.
Sec. __.12 Limits on Redisclosure and Reuse of Information
Section __.12 of the proposed rules implements the Act's
limitations on redisclosure and reuse of nonpublic personal information
about consumers. Section 502(c) of the Act provides that a
nonaffiliated third party that receives nonpublic personal information
from a financial institution shall not, directly or indirectly through
an affiliate, disclose the information to any person that is not
affiliated with either the financial institution or the third party,
unless the disclosure would be lawful if made directly by the financial
institution. Paragraph (a)(1) sets out the Act's redisclosure
limitation as it applies to a financial institution that receives
information from another nonaffiliated financial institution. Paragraph
(b)(1) mirrors the provisions of paragraph (a)(1), but applies the
redisclosure limits to any nonaffiliated third party that receives
nonpublic personal information from a financial institution.
The Act appears to place the institution that receives the
information into the shoes of the institution that disclosed the
information for purposes of determining whether redisclosures by the
receiving institution are ``lawful.'' Thus, the Act appears to permit
the receiving institution to redisclose the information to: (1) An
entity to whom the original transferring institution could disclose the
information pursuant to one of the exceptions in Secs. __.9, __.10, or
__.11, or (2) an entity to whom the original transferring institution
could have disclosed the information as described under its notice of
privacy policies and practices, unless the consumer has exercised the
right to opt out of that disclosure. Because a consumer can exercise
the right to opt out of a disclosure at any time, the Act may
effectively preclude third parties that receive information to which
the opt out right applies from redisclosing the information, except
pursuant to one of the exceptions in Secs. __.9, __.10, or __.11. The
Agencies invite comment on whether the rules should require a financial
institution that discloses nonpublic personal information to a
nonaffiliated third party to develop policies and procedures to ensure
that the third party complies with the limits on redisclosure of that
information.
Sections 502(b)(2) and 502(e) (as implemented by Secs. __.9, __.10,
and __.11 of the proposed rules) describe when a financial institution
may disclose nonpublic personal information without providing the
consumer with the initial privacy notice and an opportunity to opt out,
but those exceptions apply only when the information is used for the
specific purposes set out in those sections. Paragraph (a)(2) of
proposed Sec. __.12 clarifies this limitation on reuse as it applies to
financial institutions. Paragraph (a)(2) provides that a financial
institution may use nonpublic personal information about a consumer
that it receives from a nonaffiliated financial institution in
accordance with an exception under Secs. __.9, __.10, or __.11 only for
the purpose of that exception. Paragraph (b)(2) applies the same limits
on reuse to any nonaffiliated third party that receives nonpublic
personal information from a financial institution. The Agencies request
comment on whether proposed Secs. __.12(a)(2) and __.12(b)(2) would
restrict a nonaffiliated third party from using information obtained in
accordance with the exceptions in Secs. __.9, __.10, and __.11 for
purposes beyond the scope of those exceptions if the information is not
used in a personally identifiable form. This might occur, for example,
in the case of a credit scoring vendor using information to improve its
scoring models.
The Agencies invite comments on the meaning of the word ``lawful''
as that term is used in section 502(c). The Agencies specifically
solicit comment on whether it would be lawful for a nonaffiliated third
party to disclose information pursuant to the exception provided in
proposed Sec. __.9 of the rules. Under that exception, a financial
institution must comply with certain requirements before disclosing
information to a nonaffiliated third party. Given that the statute and
proposed rules impose those requirements on the financial institution
making the initial disclosure, the Agencies invite comment on whether
subsequent disclosures by the third party could satisfy the requirement
that those disclosures be lawful when the financial institution is not
party to the subsequent disclosure.
Sec. __.13 Limits on Sharing of Account Number Information for
Marketing Purposes
Section 502(d) of the G-L-B Act prohibits a financial institution
from disclosing, other than to a consumer reporting agency, account
numbers or similar form of access number or access code for a credit
card account, deposit account, or transaction account of a
[[Page 8781]]
consumer to any nonaffiliated third party for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
the consumer. Proposed Sec. __.13 applies this statutory prohibition to
disclosures made directly or indirectly by a financial institution.
The Agencies note that there is no exception in Title V to the flat
prohibition established by section 502(d). The Statement of Managers
contained in the Conference Report to S. 900 encourages the Agencies to
adopt an exception to section 502(d) to permit disclosures of account
numbers in limited instances. It states:
In exercising their authority under section 504(b) [which vests
the Agencies with authority to grant exceptions to section 502(a)-
(d) beyond those set out in the statute], the agencies and
authorities described in section 504(a)(1) may consider it
consistent with the purposes of this subtitle to permit the
disclosure of customer account numbers or similar forms of access
numbers or access codes in an encrypted, scrambled, or similarly
coded form, where the disclosure is expressly authorized by the
customer and is necessary to service or process a transaction
expressly requested or authorized by the customer.
Managers' Statement at 18. The Agencies have not proposed an exception
to the prohibition of section 502(d) because of the risks associated
with third parties' direct access to a consumer's account. The Agencies
seek comment on whether an exception to the section 502(d) prohibition
that permits third parties access to account numbers is appropriate,
the circumstances under which an exception would be appropriate, and
how such an exception should be formulated to provide consumers with
adequate protection. The Agencies also seek comment on whether a flat
prohibition as set out in section 502(d) might unintentionally disrupt
certain routine practices, such as the disclosure of account numbers to
a service provider who handles the preparation and distribution of
monthly checking account statements for a financial institution coupled
with a request by the institution that the service provider include
literature with the statement about a product. In addition, the
Agencies invite comment on whether a consumer ought to be able to
consent to the disclosure of his or her account number, notwithstanding
the general prohibition in section 502(d) and, if so, what standards
should apply. The Agencies also seek comment on whether section 502(d)
prohibits the disclosure by a financial institution to a marketing firm
of encrypted account numbers if the financial institution does not
provide the marketer the key to decrypt the number.
Sec. __.14 Protection of Fair Credit Reporting Act
Section 506 makes several amendments to the FCRA to vest rulemaking
authority in various agencies and to restore the Agencies' regular
examination authority. Paragraph (c) of section 506 states that, except
for the amendments noted regarding rulemaking authority, nothing in
Title V is to be construed to modify, limit, or supersede the operation
of the FCRA, and no inference is to be drawn on the basis of the
provisions of Title V whether information is transaction or experience
information under section 603 of the FCRA.
Proposed Sec. __.14 implements section 506(c) of the G-L-B Act by
restating the statute, making only minor stylistic changes intended to
make the rule clearer.
Sec. __.15 Relation to State Laws
Section 507 of the G-L-B Act states, in essence, that Title V does
not preempt any State law that provides greater protections than are
provided by Title V. Determinations of whether a State law or Title V
provides greater protections are to be made by the Federal Trade
Commission (FTC) after consultation with the agency that regulates
either the party filing a complaint or the financial institution about
whom the complaint was filed. Determinations of whether State or
Federal law afford greater protections may be initiated by any
interested party or on the FTC's own motion.
Proposed Sec. __.15 is substantively identical to section 507,
noting that the proposed rules (as opposed to the statute) do not
preempt State laws that provide greater protection for consumers than
do the rules.
Sec. __.16 Effective Date; Transition Rule
Section 510 of the G-L-B Act states that, as a general rule, the
relevant provisions of Title V take effect 6 months after the date on
which rules are required to be prescribed. However, section 510(1)
authorizes the Agencies to prescribe a later date in the rules enacted
pursuant to section 504.
Proposed Sec. __.16 states, in paragraph (a), an effective date of
November 13, 2000. This assumes that a final rule will be adopted
within the time frame prescribed by section 504(a)(3). The Agencies
intend to provide at least six months following the adoption of a final
rule for financial institutions to bring their policies and procedures
into compliance with the requirements of the final rule. The Agencies
invite comment on whether six months following adoption of final rules
is sufficient to enable financial institutions to comply with the
rules.
Paragraph (b) of proposed Sec. __.16 provides a transition rule for
consumers who were customers as of the effective date of the rules.
Since those customer relationships already will have been established
as of the rules' effective date (thereby making it inappropriate to
require a financial institution to provide those customers with a copy
of the institution's initial notice at the time of establishing a
customer relationship), the rules require instead that the initial
notice be provided within 30 days of the effective date. The Agencies
invite comment on whether 30 days is enough time to permit a financial
institution to deliver the required notices, bearing in mind that the
G-L-B Act contemplates at least a six-month delayed effective date from
the date the rules are adopted.
If a financial institution intends to disclose nonpublic personal
information about someone who was a consumer before the effective date,
the institution must provide the notices required by Secs. __.4 and
__.7 and provide a reasonable opportunity to opt out before the
effective date. If, in this instance, the institution already is
disclosing information about such a consumer, it may continue to do so
without interruption until the consumer opts out, in which case the
institution must stop disclosing nonpublic personal information about
that consumer to nonaffiliated third parties as soon as reasonably
practicable.
III. FDIC's New Electronic Public Comment Site
The FDIC has developed a new page on its web site to facilitate the
submission of electronic comments in response to this general
solicitation (the EPC site). The EPC site provides an alternative to
the written letter and may be a more convenient way for you to submit
your comments. Commenting through the EPC site will assist the FDIC to
more accurately and efficiently analyze comments submitted
electronically. If you submit your comments through the EPC site your
comments will receive the same consideration that they would receive if
submitted in hard copy to the FDIC's street address. Information
provided through the EPC site will be used by the FDIC only to assist
in its analysis of the proposed regulation. The FDIC will not use an
individual's name or any other personal identifier of an individual to
retrieve records or information
[[Page 8782]]
submitted through the EPC site. Like comments submitted in hard copy to
the FDIC's street address, EPC site comments will be made available in
their entirety (including the commenter's name and address if the
commenter chooses to provide them) for public inspection.
The EPC site will be available on the FDIC's home page at http://www.fdic.gov.
You will be able to provide general comments or comments
on any specific sections of, or questions on, the proposed rule. You
will also be able to view the regulation and Supplementary Information
sections that relate to your comments directly on the site. Once you
have finished commenting on the sections of interest to you, you may
indicate your general approval or disapproval of the proposed
regulation by answering the following question: Does the proposed
regulation appropriately implement the G-L-B Act to provide the full
extent of privacy protections intended by the Act? [Yes/No].
If you choose to answer this question, your response will be used
in the FDIC's analysis of public comment on the regulation. The FDIC
encourages you to provide written comments in the spaces provided in
addition to responding to this specific question. Written comments
enable the FDIC to thoughtfully consider possible changes to the
proposed regulation.
The FDIC is also interested in your feedback on the EPC site. We
have provided a space for you to comment on the site itself. Answers to
this question will help the FDIC evaluate the EPC site for use in
future rulemaking.
At the conclusion of the EPC site you will have an opportunity to
provide us with your name, indicate whether you are an individual,
bank, trade association, or government agency, and provide the name of
the organization you represent, if applicable. Whether you choose to
respond to these questions is entirely up to you. Any responses
received may help the FDIC to better understand the public comments it
receives.
IV. Regulatory Analysis
A. Paperwork Reduction Act
The Agencies invite comment on:
(1) Whether the collections of information contained in this notice
of proposed rulemaking are necessary for the proper performance of each
Agency's functions, including whether the information has practical
utility;
(2) The accuracy of each Agency's estimate of the burden of the
proposed information collections;
(3) Ways to enhance the quality, utility, and clarity of the
information to be collected;
(4) Ways to minimize the burden of the information collections on
respondents, including the use of automated collection techniques or
other forms of information technology; and
(5) Estimates of capital or start-up costs and costs of operation,
maintenance, and purchases of services to provide information.
Recordkeepers are not required to respond to these collections of
information unless they display a currently valid Office of Management
and Budget (OMB) control number. The agencies are currently requesting
their respective control numbers for these information collections from
OMB.
This proposed regulation contains several disclosure requirements.
The respondents must prepare and provide the initial notice to all
current customers and all new customers at the time of establishing a
customer relationship (proposed Sec. __.4(a)). Subsequently, an annual
notice must be provided to all customers at least once during a twelve-
month period during the continuation of the customer relationship
(proposed Sec. __.5(a)). The opt out notice (and partial opt out
notice, if applicable; see proposed Sec. __.7(a)(1)(iii)) must be
provided prior to disclosing nonpublic personal information to certain
nonaffiliated third parties. If a financial institution wishes to
disclose information in a way that is inconsistent with the notices
previously given to a consumer, the institution must provide consumers
with revised notices (proposed Sec. __.8(c)).
The proposed regulation also contains consumer reporting
requirements. In order for consumers to opt out, they must respond to
the institution's opt out notice (proposed Secs. __.7(a)(2), (a)(3)(i),
and (c)). At any time during their continued relationship with the
institution, consumers have the right to change or update their opt out
status with the institution (proposed Secs. __.8(d) and (e)). The
Agencies request public comment on all aspects of the collections of
information contained in this proposed rule, including consumer
responses to the opt-out notice and consumer changes to their opt-out
status with an institution. In light of the uncertainty regarding what
institutions will do to comply with the opt-out requirements and how
consumers will react, the Agencies estimate a nominal burden stemming
from consumer responses of one hour per institution, and will revisit
this estimate in light of the comments received.
OCC: The collection of information requirements contained in this
notice of proposed rulemaking have been submitted to the Office of
Management and Budget for review in accordance with the Paperwork
Reduction Act of 1995 (44 U.S.C. 3507(d)). Comments on the collections
of information should be sent to the Office of Management and Budget,
Paperwork Reduction Project (1557--to be assigned), Washington, DC
20503, with copies to the Legislative and Regulatory Activities
Division (1557--to be assigned), Office of the Comptroller of the
Currency, 250 E Street, SW, Washington, DC 20219.
The likely respondents are national banks, District of Columbia
banks, and Federal branches and agencies of foreign banks.
Estimated average annual burden hours per bank respondent: 45.
Estimated number of bank respondents: 2,400.
Estimated total annual reporting burden: 108,000 hours.
Board: In accordance with section 3506 of the Paperwork Reduction
Act of 1995 (44 U.S.C. Ch. 35; 5 CFR 1320, appendix A.1), the Board
reviewed the notice of proposed rulemaking under the authority
delegated to the Board by the OMB. Comments on the collections of
information should be sent to Mary M. West, Chief, Financial Reports
Section, Division of Research and Statistics, Mail Stop 97, Board of
Governors of the Federal Reserve System, Washington, DC 20551, with a
copy to the Office of Management and Budget, Paperwork Reduction
Project (7100--to be assigned), Washington, DC 20503.
The likely respondents are state member banks, bank holding
companies, affiliates and certain non-bank subsidiaries of bank holding
companies, uninsured state agencies and branches of foreign banks,
commercial lending companies owned or controlled by foreign banks, and
Edge and agreement corporations.
Estimated number of respondents: 9,500.
Estimated average annual burden hours per respondent: 45 hours.
Estimated total annual reporting and disclosure burden: 427,500.
FDIC: The collections of information contained in the notice of
proposed rulemaking will be submitted to the OMB in accordance with the
Paperwork Reduction Act of 1995. 44 U.S.C. 3507. The FDIC will use any
comments received to develop its new burden estimates. Comments on the
collections of information should be sent to Steven F. Hanft, Office of the
Executive Secretary, Federal Deposit Insurance Corporation, 550 17th
Street, NW, Washington, DC 20429, with a copy to the Office of
Management and Budget, Paperwork Reduction Project (3064--to be
assigned), Washington, DC 20503.
The likely respondents are insured nonmember banks.
Estimated number of respondents: 5,764.
Estimated average annual burden hours per respondent: 45 hours.
Estimated total annual reporting and disclosure burden: 259,380
hours.
OTS: The collection of information requirements contained in the
notice of proposed rulemaking will be submitted to the OMB in
accordance with the Paperwork Reduction Act of 1995. 44 U.S.C. 3507.
The OTS will use any comments received to develop its new burden
estimates. Comments on the collection of information should be sent to
the Dissemination Branch (1550-AB36), Office of Thrift Supervision,
1700 G Street, NW, Washington, DC 20552, with a copy to the Office of
Management and Budget, Paperwork Reduction Project (1550-AB36),
Washington, DC 20503.
The likely respondents are savings associations.
Estimated number of respondents: 1,104.
Estimated average annual burden hours per respondent: 45 hours.
Estimated total annual disclosure and recordkeeping burden: 49,680
hours.
B. Regulatory Flexibility Act
OCC: Under the Regulatory Flexibility Act (RFA), the OCC must
either provide an Initial Regulatory Flexibility Analysis (IRFA) with a
proposed rule or certify that the proposed rule would not have a
significant economic impact on a substantial number of small entities.
The OCC has decided to publish the following analysis and invites the
public's comments on the proposed rule's impact on small entities (i.e.,
for purposes of RFA, small entities include banks with less than $100
million in assets).
A. Reasons for and Objectives of the Proposed Rule; Legal Basis for
Rule
The proposed rule implements provisions of Title V, Subtitle A of
the G-L-B Act addressing consumer privacy. In general, these statutory
provisions require banks to provide notice to consumers about an
institution's privacy policies and practices, restrict the ability of a
bank to share nonpublic personal information about consumers to
nonaffiliated third parties, and permit consumers to prevent the
institution from disclosing nonpublic personal information about them
to certain non-affiliated third parties by ``opting out'' of that
disclosure.
The notice and opt out requirements are imposed by Title V,
Subtitle A of the G-L-B Act, and are to become effective within one
year from the date the Act was signed into law. Section 504 of the
G-L-B Act authorizes the OCC to prescribe ``such regulations as may be
necessary'' to carry out the purposes of Title V, Subtitle A. The OCC
believes that a regulatory promulgation gives the private sector
greater certainty on how to comply with the statute and clearer
guidance regarding how it will be enforced.
B. Requirements of the Proposed Rule; Description of Small Entities to
Whom Rule Would Apply
Subject to certain exceptions explained below, the proposed rule
generally requires that a bank provide all of its customers the
following notices: (1) An initial privacy notice (prior to the time the
customer relationship is established or, for existing customers, within
30 days of the rule's effective date); (2) an opt out notice (prior to
the disclosing of the individual's nonpublic personal information to
nonaffiliated third parties); and (3) an annual privacy notice for the
duration of the customer relationship. A bank's ``customer'' is a
consumer with whom the bank has a ``continuing relationship'' (e.g., an
ongoing deposit or loan relationship--but does not include a transient
relationship, such as the mere purchase of traveler's checks from the
bank).
The proposed rule also requires a bank to provide its consumers an
initial privacy notice and an opt out notice prior to disclosing the
individual's nonpublic personal information to nonaffiliated third
parties. If the bank does not intend to share such information about
its consumers, then no privacy or opt out notice need be given. A
bank's ``consumer,'' which is a broader concept than ``customer,''
includes: (1) Individuals who have applied to the bank for a financial
service or product; and (2) individuals who have purchased a product or
service that results in a transient (as opposed to continuing)
relationship (e.g., mere purchase of traveler's checks from a bank).
There are a host of exceptions to the general rules stated above. A
bank may share a consumer's nonpublic personal information with
nonaffiliated third parties without having to give a privacy and opt
out notice if, for example, such sharing is necessary: (1) To effect,
administer, or enforce a transaction requested or authorized by the
consumer; (2) to protect the security of records pertaining to the
consumer, service, product, or transaction; (3) to protect against or
prevent actual or potential fraud, unauthorized transactions, claims or
other liability; or (4) to provide information to rating agencies or
the bank's attorneys, auditors, and accountants. Also, in cases where a
bank enters into a contract with a nonaffiliated third party to
undertake joint marketing or to have the third party perform certain
functions on behalf of the bank, no opt out notice must be given. In
such an instance, the bank must disclose to the consumer that it is
providing the information and enter into a contract with the third
party that restricts the third party's use of the information and
requires the third party to maintain confidentiality of the
information.
Because the relevant statute did not provide a general exception
for small banks, the proposed rule would apply to all banks, regardless
of size, including those with assets of $100 million or less. As of
September 30, 1999, 1213 (of 2,383 total) national banks had assets of
$100 million or less.
Compliance requirements will vary depending, for example, upon a
bank's information sharing practices, whether the bank already has or
discloses a privacy policy, and whether the bank already has an opt-out
mechanism in place pursuant to the Fair Credit Reporting Act.
As part of the requirement to provide a privacy notice, a bank's
practices regarding its collection, sharing, and safeguarding of
certain nonpublic personal information must be summarized in writing in
a form that is required or permitted by the proposed regulation.
However, if the bank does not share such information (or shares only to
the extent permitted under the exceptions), its privacy notice may be
streamlined. Various surveys suggest that a majority of banks already
have privacy policies in place as part of usual and customary business
practices. For these institutions, the costs for translating that
policy into a notice format should be minimal.
Further, to minimize the burden and costs of distributing privacy
policies, the proposed regulation allows each bank to choose the method
by which it will distribute required notices. For example, banks may
include an annual privacy notice with periodic account statements that
the bank already sends to the customer. Also, the initial privacy
notice may be provided with other already-required disclosure
statements, such as those required under the Truth in Lending Act.
The OCC believes that the burden imposed by the opt out requirement
will be minimized to the extent that a bank must give opt out notices
under the FCRA. Under the FCRA, a bank must have an opt out mechanism
in place if the bank: (1) Shares certain consumer information (i.e.,
application or credit report information) with its affiliates, and (2)
does not want to be treated as a consumer reporting agency (as will
usually be the case). For a bank that gives FCRA notices and that wants
to share nonpublic personal information with nonaffiliated third
parties, the bank should be able to adapt its existing opt out
mechanism to accommodate the requirements of the proposed rule. Of
course, a bank need not provide any opt-out notices or set up any opt-
out mechanism if it will only be sharing nonpublic information with
nonaffiliated third parties to the extent permitted by one of the many
exceptions permitted in the proposed rule.
Professional skills needed to comply with the proposed rule may
include clerical, computer systems, personnel training, as well as
legal drafting and advice. The information collection requirements
imposed by the G-L-B Act and the proposed rule are further addressed in
the section titled, ``Paperwork Reduction Act.''
C. Relevant Federal Rules Which May Duplicate, Overlap or Conflict With
the Proposed Rule
While the scope of the proposed regulation (pursuant to the G-L-B
Act) is unique, there may be some overlap in certain circumstances with
the following: As noted above, the Fair Credit Reporting Act requires a
bank that: (1) Does not want to be treated as a consumer reporting
agency; and (2) desires to share certain consumer information (i.e.,
application or credit report information) with its affiliates, to
provide the consumer with a clear and conspicuous notice and an
opportunity to opt out of such information sharing. Also, at the time a
consumer contracts for an electronic fund transfer service, the
Electronic Funds Transfer Act requires the terms and conditions of such
transfer to be disclosed, including under what circumstances the bank
will in the ordinary course of business disclose information concerning
the consumer's account to third persons. The recently proposed
Department of Health and Human Services regulations \6\ that implement
the Health Insurance Portability and Accountability Act of 1996 would,
if adopted in final form, limit the circumstances under which medical
information may be disclosed. Finally, the Children's Online Privacy
Protection Act (under which the Federal banking agencies are charged
with enforcement of implementing regulations promulgated by the Federal
Trade Commission) generally requires online service operators
collecting personal information from a child to obtain parental consent
and post a privacy notice on the web site. The OCC seeks comment on
additional Federal rules that may duplicate, overlap, or conflict with
the proposal.
---------------------------------------------------------------------------
\6\ 64 FR 59918 (Nov. 3, 1999).
---------------------------------------------------------------------------
D. Significant Alternatives to the Proposed Rule That Minimize the
Impact on Small Entities
As previously noted, the proposed rule's requirements are expressly
mandated by the G-L-B Act. The proposed rule attempts to clarify,
consolidate, and simplify the statutory requirements for all covered
entities, including small entities. The proposed rule also provides
substantial flexibility so that any bank, regardless of size, may
tailor its practices to its individual needs. While the OCC may grant
exceptions to the opt out requirements set out in sections 502(a)
through (d), section 504(b) of the G-L-B Act requires such exceptions
to be ``consistent with the purposes of this subtitle [i.e., Subtitle A
of Title V].'' As stated in section 501(a) of the Act, ``It is the
policy of the Congress that each financial institution has an
affirmative and continuing obligation to respect the privacy of its
customers and to protect the security and confidentiality of those
customers' nonpublic personal information.'' (Emphasis added.) The OCC
believes that an exception that would create different levels of
protections for consumers based on the size of the institution with
whom they conduct business would not be consistent with the purposes of
Subtitle A. The OCC welcomes comment on any significant alternatives,
consistent with the G-L-B Act, that would minimize the impact on small
entities.
Board: The Regulatory Flexibility Act (5 U.S.C. 603) requires an
agency to publish an initial regulatory flexibility analysis with any
notice of proposed rulemaking. A description of the reasons why action
by the agency is being considered and a statement of the objectives of,
and legal basis for, the proposed rule, are contained in the
supplementary material above. The Board's proposed rule will apply to
the following institutions (numbers approximate):
------------------------------------------------------------------------
Type of institution                                          Approx. No.
------------------------------------------------------------------------
State member banks..........................................       1,000
Bank holding companies......................................       5,900
Bank holding company subsidiaries...........................       2,100
U.S. branches and agencies of foreign banks.................         400
Edge/Agreement corporations, commercial lending companies...         100
                                                             -----------
    Total...................................................       9,500
------------------------------------------------------------------------
The Board estimates that over 4,500 of the respondents could be
considered small institutions with assets less than $100 million.
Overlap with other Federal rules. While the scope of the proposed
regulation (pursuant to the G-L-B Act) is unique, it may, in certain
circumstances, overlap with the following statutes and regulations:
1. The Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)) requires a
bank that: (1) Does not want to be treated as a consumer reporting
agency; and (2) desires to share certain consumer information (that is,
application or credit report information) with its affiliates, to
provide the consumer with a clear and conspicuous notice and an
opportunity to opt out of such information sharing.
2. At the time a consumer contracts for an electronic fund transfer
service, the Electronic Funds Transfer Act (15 U.S.C. 1693c(a)(9))
requires the terms and conditions of such transfer to be disclosed,
including under what circumstances the bank will in the ordinary course
of business disclose information concerning the consumer's account to
third persons.
3. The recently proposed Department of Health and Human Services
regulations \7\ that implement the Health Insurance Portability and
Accountability Act of 1996 (42 U.S.C. 3120d-1 et seq.) would, if
adopted in final form, limit the circumstances under which medical
information may be disclosed.
---------------------------------------------------------------------------
\7\ 64 FR 59918 (Nov. 3, 1999).
---------------------------------------------------------------------------
4. The Children's Online Privacy Protection Act of 1998 (15 U.S.C.
6502) (under which the Federal banking agencies are charged with
enforcement of implementing regulations promulgated by the Federal
Trade Commission) generally requires online service operators
collecting personal information from a child to obtain
parental consent and post a privacy notice on the web site.
New compliance requirements. The proposed rule contains new
compliance requirements for all covered institutions, most of which are
required by the G-L-B Act. The institutions will be required to prepare
notices of their privacy policies and practices and provide those
notices to consumers as specified in the rule. Institutions that
disclose nonpublic personal information about consumers to
nonaffiliated third parties will be required to provide opt out notices
to consumers as well as a reasonable opportunity to opt out of certain
disclosures. These institutions will have to develop systems for
keeping track of consumers' opt out directions. Some institutions,
particularly those that disclose nonpublic information about consumers
to nonaffiliated third parties, will likely need the advice of legal
counsel to ensure that they comply with the rule, and may also require
computer programming changes and additional staff training. The Board
does not have a practicable or reliable basis for quantifying the costs
of the proposed rule or any alternatives, but seeks comment on the
potential costs.
Exemptions for small institutions. The Board believes the
requirements of the Act and this rule will create additional burden for
covered institutions, particularly those that disclose nonpublic
personal information about consumers to nonaffiliated third parties.
The rule applies to all covered institutions, regardless of size. The
Act does not provide the Board with the authority to exempt a small
institution from the requirement to provide a notice of its privacy
policies and practices to a consumer with whom it establishes a
customer relationship. Although the Board could exempt small
institutions from providing a notice and opportunity for consumers to
opt out of certain information disclosures, the Board does not believe
that such an exemption would be appropriate, given the purpose of the
Act to protect the confidentiality and security of nonpublic personal
information about consumers. The Board believes that the burden is
relatively small for institutions that do not disclose nonpublic
personal information about consumers to nonaffiliated third parties.
These institutions may provide relatively simple initial and annual
notices to consumers with whom they establish customer relationships.
The Board recognizes that the Congressional Conferees on the Act
wished to ensure that smaller financial institutions are not placed at
a competitive disadvantage by a statutory regime that permits certain
information to be shared freely within an affiliate structure while
limiting the ability to share that same information with nonaffiliated
third parties. The Conferees stated that, in prescribing regulations,
the federal regulatory agencies should take into consideration any
adverse competitive effects upon small commercial banks, thrifts, and
credit unions.\8\ At this time, it is not clear to what extent
small institutions will be placed at a disadvantage by information-
sharing among affiliates in large institutional families. The Board
believes that further experience under the regulation would be
appropriate before considering any exemptions in this area for small
institutions.
---------------------------------------------------------------------------
\8\ H. R. Conf. Rep. No. 106-434, at 173 (1999).
---------------------------------------------------------------------------
The Board requests comment on the burdens associated with the
proposed rule and whether any exemptions for small institutions would
be appropriate.
FDIC: The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA)
requires an agency to publish an initial regulatory flexibility
analysis with this proposed rule, except to the extent provided in the
RFA, whenever the agency is required to publish a general notice of
proposed rulemaking for a proposed rule. The FDIC cannot at this time
determine whether the proposed rule would have a significant economic
impact on a substantial number of small entities as defined by the
RFA.\9\ Therefore, pursuant to subsections 603 (b) and (c) of the RFA,
the FDIC provides the following initial regulatory flexibility
analysis.
---------------------------------------------------------------------------
\9\ The RFA defines the term ``small entity'' in 5 U.S.C. 601 by
reference to definitions published by the Small Business
Administration (SBA). The SBA has defined a ``small entity for
banking purposes as a national or commercial bank, savings
institution or credit union with less than $100 million in assets.''
See 13 CFR 121.201.
---------------------------------------------------------------------------
Reasons for Proposed Rule
The FDIC is requesting comment on proposed privacy rules published
pursuant to section 504 of the G-L-B Act. Section 504 requires the
Agencies in consultation with representatives of State insurance
authorities to issue regulations implementing notice requirements and
restrictions on a financial institution's ability to disclose nonpublic
personal information about consumers to nonaffiliated third parties.
These requirements are expressly mandated by the G-L-B Act. It is the
view of the FDIC that the G-L-B Act's requirements account for most, if
not all, of the economic impact of the proposed rule.
Statement of Objectives and Legal Basis
The Supplementary Information section above contains this
information. The legal basis for the proposed rule is the G-L-B Act.
Description/Estimate of the Small Entities to Which the Rule Applies
The proposed rule would apply to all FDIC-insured State nonmember
banks, approximately 3,700 of which are small entities as defined by
the RFA.
Projected Reporting, Recordkeeping and Other Compliance Requirements
The information collection requirements imposed by G-L-B Act and
the proposed rule are discussed above in the section titled,
``Paperwork Reduction Act.''
General Requirements
Pursuant to section 503 of the G-L-B Act and Secs. 332.4-332.6 of
the regulation, a financial institution must provide its customers with
a notice of its privacy policies and practices. Section 502 of the
G-L-B Act and Secs. 332.7-332.12 of the regulation prohibit a financial
institution from disclosing nonpublic personal information about a
consumer to nonaffiliated third parties unless the institution
satisfies various disclosure requirements and the consumer has elected
not to opt out of the disclosure.
The statute and proposed rule require a financial institution to
disclose to all of its customers the institution's privacy policies and
practices with respect to information sharing with both affiliates and
non-affiliated third parties. Institutions are required to provide this
notice at the time of establishing a customer relationship and annually
thereafter. Recent experience has shown that having a privacy policy is a
usual and customary business practice of financial institutions. KPMG
reported in
a recent industry survey of large and small banks that 71% of bankers
said their institutions already had privacy policies in place either
company-wide or in some selected units.\10\ Another recent survey of
Internet banking sites conducted by federal banking regulators
concluded that over 62% of financial institutions that collected
personal information online provided a privacy policy or information
practice statement.\11\ Furthermore, a number of industry groups have
developed model privacy policies that are available as part of their
self-regulatory efforts in the privacy area.\12\ The FDIC believes the
establishment of a privacy policy is a usual and customary business
practice and the costs for translating that policy into a disclosure
format should be minimal. The FDIC seeks any information or comment on
the costs for creating privacy policy disclosures.
---------------------------------------------------------------------------
\10\ ``KPMG Analysis Consumer Privacy Policies: Write Now.''
Online Reuters 19 Jan. 2000.
\11\ ``Interagency Financial Institution Web Site Privacy Survey
Report.'' FDIC Press Release 9 November 1999.
\12\ ``Banks Should Tell Customers of Policies to Protect
Privacy, Banking Groups Say.'' Online BNA Electronic Commerce & Law
16 September 1998.
---------------------------------------------------------------------------
To minimize the burden and costs to financial institutions of
distributing privacy policies, the proposed regulation allows each bank
to choose the method by which it will distribute required disclosure
statements. Institutions may provide customers with a privacy
disclosure statement with periodic statements, with other required
disclosure statements, via electronic mail to consumers who obtain a
financial product or service electronically, and other acceptable means
described in the proposed regulation. The FDIC believes that the cost
of distributing privacy disclosure statements will be minimal and seeks
any information or comment on the costs for distributing privacy policy
disclosures.
The statute and proposed rule describe the conditions under which a
financial institution may disclose nonpublic personal information about
a consumer to a nonaffiliated third party. A number of exceptions are
provided for nonaffiliated third parties performing services for the
institution. The rules require institutions to develop a method to
allow customers to opt out of non-affiliated third party information
sharing. Only those institutions that intend to share nonpublic
personal information with third parties outside of the exemptions
provided are required to establish ``opt out'' disclosure and
processing procedures. Furthermore, only those institutions that share
nonpublic personal information with third parties outside of the
exemptions provided could be expected to encounter any reduction in
revenue as a result of the diminished value of information sales. The
FDIC informally surveyed its regional offices to determine the costs of
implementing the opt out provisions of the proposed regulation. Based
on the observations by FDIC examiners, the FDIC believes that the costs
to implement opt out provisions of the regulation for small insured
nonmember banks will be minimal. Few nonaffiliated third party
information sharing arrangements could be identified that would fall
outside the exceptions provided in the regulation. Congress recognized
the lack of information available on affiliate information sharing
practices by requiring the regulators to conduct a ``Study of
Information Sharing Among Financial Affiliates'' that focuses on the
practice of institutions sharing confidential customer information with
affiliates and non-affiliated third parties. This study is due
subsequent to release of this regulation. The FDIC seeks further
comment on the information sharing practices and actual costs of
implementing the opt out disclosure and processing requirements of the
proposed regulation.
Identification of Duplicative, Overlapping, or Conflicting Federal
Rules
While the scope of the proposed regulation (pursuant to the G-L-B
Act) is unique, there may be some overlap in certain circumstances with
the following: As noted above, the FCRA requires a bank that: (1) Does
not want to be treated as a consumer reporting agency; and (2) desires
to share certain consumer information (i.e., application or credit
report information) with its affiliates, to provide the consumer with a
clear and conspicuous notice and an opportunity to opt out of such
information sharing. Also, at the time a consumer contracts for an
electronic fund transfer service, the Electronic Funds Transfer Act
requires the terms and conditions of such transfer to be disclosed,
including under what circumstances the bank will in the ordinary course
of business disclose information concerning the consumer's account to
third persons. Finally, the Children's Online Privacy Protection Act
(under which the Federal banking agencies are charged with enforcement
of implementing regulations promulgated by the Federal Trade
Commission) generally requires online service operators collecting
personal information from a child to obtain parental consent and post a
privacy notice on the web site. The FDIC seeks comments and information
about any such rules, as well as any other state, local, or industry
rules or policies that require financial institutions to implement
business practices that would comply with the requirements of the
proposed rule.
Discussion of Significant Alternatives
As previously noted, the proposed rule's requirements are expressly
mandated by the G-L-B Act. The proposed rule attempts to clarify,
consolidate, and simplify the statutory requirements for all covered
entities, including small entities. The proposed rule also provides
substantial flexibility so that any bank, regardless of size, may
tailor its practices to its individual needs. While the FDIC may grant
exceptions to the opt out requirements set out in sections 502(a)
through (d), section 504(b) of the G-L-B Act requires such exceptions
to be ``consistent with the purposes of this subtitle [i.e., Subtitle A
of Title V].'' As stated in section 501(a) of the Act, ``It is the
policy of the Congress that each financial institution has an
affirmative and continuing obligation to respect the privacy of its
customers and to protect the security and confidentiality of those
customers' nonpublic personal information.'' (Emphasis added.) The FDIC
believes that an exception that would create different levels of
protections for consumers based on the size of the institution with
whom they conduct business would not be consistent with the purposes of
Subtitle A. The FDIC welcomes comment on any significant alternatives,
consistent with the G-L-B Act, that would minimize the impact on small
entities.
OTS: The Regulatory Flexibility Act requires federal agencies to
either prepare an initial regulatory flexibility analysis (IRFA) with
this proposed rule or certify that the proposed rule would not have a
significant economic impact on a substantial number of small entities.
\13\ The OTS cannot, at this time, determine whether the proposed rule
would have a significant economic impact on a substantial number of
small institutions. Therefore, OTS includes the following IRFA.
---------------------------------------------------------------------------
\13\ 5 U.S.C. 605(b)