"Privacy of Consumer Financial Information"
Final OCC, Fed, FDIC, OTS Rule

The Office of the Comptroller of the Currency, the Federal Reserve Board,
the Federal Deposit Insurance Corporation and the Office of Thrift
Supervision have issued an interagency final regulation (final rule) to
implement provisions of the Gramm-Leach-Bliley Act (GLBA) that protect the
privacy of consumers' nonpublic personal information.  The final rule is
the product of an interagency working group and similar final rules are
being issued by the Federal Trade Commission, Securities and Exchange
Commission, and the NCUA.

A.	Nonpublic personal information

The final rule implements the requirements of the GLBA that banks (and
other types of "financial institutions," including securities firms,
insurance agents and insurance underwriters) notify consumers about their
privacy policies and provide consumers with an opportunity to opt out of
information sharing between the bank and certain nonaffiliated third
parties.

The notice requirement and opt out right pertain to "nonpublic personal
information" about consumers.  Nonpublic personal information is,
generally speaking, "personally identifiable financial information" that
is not "publicly available."

The final rule treats any information as "personally identifiable
financial information" if the information is provided by a consumer in
order to obtain a financial product or service, results from a transaction
with a bank involving a financial product or service, or is otherwise
obtained by the bank in connection with providing a financial product or
service to the consumer.

The final rule excludes from the definition of "nonpublic personal
information" information that is "publicly available."  Information will
be treated as publicly available if a bank has a "reasonable basis" to
believe that the information is lawfully made available to the general
public from government records, widely distributed media, or disclosures
required by law.  A bank may not assume that a consumer's information is
publicly available, but must determine that the information is of the type
that is available to the general public and whether an individual can
direct that the information not be publicly available (for example, an
unlisted telephone number).  If an individual can take steps to prevent
information from being made publicly available, a bank must determine
whether the consumer has done so.

Under the final rule, information obtained over the Internet will be
considered publicly available if it is lawfully made available on a site
that is accessible to the general public on an unrestricted basis.  A Web
site is not restricted merely because an Internet service provider or a
Web site operator requires a fee or a password so long as access is
available to the general public.  A site, such as a "look up" service,
that makes available personal information (that may combine publicly
available and confidential information on a particular individual)
compiled in response to a specific request, is not available to the
general public on an unrestricted basis.

Publicly available information is, however, treated as "nonpublic personal
information" when the information is included on a list, description, or
other grouping of consumers that is derived from personally identifiable
financial information that is not publicly available.  For example, if a
bank provides a list of its depositors, the final rule would cover all the
information on the list (including publicly available information such as
names and addresses) because the list and information would be derived
from account numbers or the existence of the customer relationship, both
of which are personally identifiable financial information that are not
publicly available.

B.	Distinction between "consumer" and "customer"

Under the GLBA, all customers are consumers, but not all consumers are
customers.  A bank must give to a customer, at the time of establishing
the customer relationship and annually thereafter, a notice informing the
customer of the bank's privacy policies and practices.  The bank must also
give the privacy notice to a consumer along with a notice of the right to
opt out of sharing nonpublic personal information with nonaffiliates (opt
out notice), before the bank discloses the information to a nonaffiliated
third party.  In other words, consumers who are not customers get the
privacy and opt out notices only if their bank wants to share their
nonpublic personal information with certain nonaffiliated third parties.

A consumer is anyone who obtains from a bank any financial product or
service that is to be used primarily for personal, family, or household
purposes.  A financial service includes a bank's evaluation of an
application for a financial product or service from the bank.  Thus, an
individual who submits an application will be considered a consumer even
if the application is denied.

A customer, by contrast, is defined as any consumer who has a "customer
relationship" with the bank.  A "customer relationship," in turn, is
defined as a continuing relationship between a bank and a consumer for the
purpose of providing a financial product or service to the consumer.  This
would include a deposit, credit, or investment account.  A one-time
transaction may come within the definition, such as the purchase of an
insurance policy, because of the ongoing nature of the product.  On the
other hand, use (including repeated use) of an automated teller machine of
a bank at which a consumer has no account would not create a "customer
relationship." C.	Time of establishing a customer relationship

The final rule provides that a customer relationship is established at the
time a bank and a consumer enter into a continuing relationship.  This
allows a bank to provide the privacy notice at the same time it is
required to give other notices, such as those required under the
Truth-in-Lending Act.

In general, for customer relationships that are contractual in nature, a
customer relationship is established when a consumer executes the contract
that is necessary to conduct the transaction in question.  For
transactions that do not involve contracts, a customer relationship is
established when the consumer pays or agrees to pay a fee or commission
for the product or service.

D.	Time by which the privacy notices must be provided

1.	Initial privacy notice

The GLBA provides that the initial privacy notice must be provided "at the
time of establishing a customer relationship."  The final rule requires a
bank to provide the initial privacy notice not later than when the bank
and a consumer establish a customer relationship, e.g., before a consumer
enters into a binding contract.  In the case of a mortgage loan, for
instance, the relationship would be established at the time a consumer
executes the loan documents.  For credit card accounts, the relationship
is established at the time the consumer opens the account.

The final rule also requires a bank to provide the initial privacy notice
to a consumer prior to sharing nonpublic information about the consumer
with nonaffiliated third parties.  For example, if a bank wants to
disclose information it collects about an individual who uses the bank's
ATM, but otherwise has no relationship with the bank, the bank would have
to provide the initial privacy notice as part of the ATM transaction.

2.	Annual notices

The final rule requires a bank to provide its customers with a copy of the
privacy notice at least once during any twelve-month period.  The
obligation ceases when a customer no longer has a continuing relationship
with the bank.  The final rule provides several examples of how a customer
relationship may terminate, such as when there has been no communication
between the bank and the customer for twelve months.

3.	Opt out notices

A bank must provide an opt out notice to a consumer before sharing
nonpublic personal information about the consumer with nonaffiliated third
parties.  The notice must inform the consumer that the bank may disclose
this information and that the consumer has the right to direct that the
information not be shared with nonaffiliated third parties.  The notice
must either provide a reasonable means of opting out (such as a detachable
reply form or a toll-free telephone number), or inform the consumer of
some other reasonable means of opting out (such as designating an
electronic mail address if the consumer agrees to electronic delivery of
the notice).  It would not be a reasonable means of opting out, on the
other hand, if the customer must write his or her own letter to opt out,
or if the only means of opting out is a check-off box that was only
provided with the initial privacy notice received by the customer.

The bank need not provide opt out notices if the bank does not intend to
share nonpublic personal information with nonaffiliated third parties.

E.	Content of disclosures

1.	Initial and annual privacy notices

The final rule requires the following specific types of information to be
set out in a bank's initial and annual privacy notices.  However, a bank
may provide to consumers who are not customers a "short form" initial
notice together with an opt out notice stating that the bank's privacy
notice is available upon request and explaining a reasonable means for the
consumer to obtain it.

Categories of information a bank may collect.  A bank's notice must
disclose the categories of nonpublic personal information that it
collects.  This requirement may be satisfied if the bank categorizes the
information according to the sources of the information, such as
information from consumers, transaction information, and credit report
information.

Categories of information a bank may disclose.  The bank's notice also
must identify the categories of nonpublic personal information that a bank
may disclose -- either to affiliates or nonaffiliated third parties.  A
bank may categorize this information according to its source and provide
illustrative examples of the content of the information.  For example, a
bank's notice may state that it discloses application information (such as
name, address, social security number, assets and income), transaction
information (such as account balance, payment history, parties to
transactions, and credit card usage), and information from a consumer
reporting agency (such as creditworthiness and credit history).  If the
bank does not intend to make any disclosures, or only disclosures that are
exempt, it may simply state that.

Categories of parties to whom a bank may disclose.  The notice also must
disclose the categories of parties -- both affiliated and nonaffiliated --
to whom the bank discloses or intends to disclose nonpublic personal
information about consumers.  The bank may satisfy this requirement if it
identifies the types of businesses in which those affiliates and
nonaffiliates engage.  For example, a bank could state that it discloses
information to a company offering financial products or services and then
provide illustrative examples of the types of business of those companies.

Information about former customers.  The bank's initial and annual privacy
notices must indicate the bank's policies with respect to disclosing
nonpublic personal information about persons who have ceased to be
customers of the bank.

Information disclosed to service providers and joint marketers.  The GLBA
permits a bank to disclose nonpublic personal information about a consumer
to a nonaffiliated third party for the purpose of the third party
performing services for the bank, including marketing the bank's own
products or those offered jointly by the bank and another financial
institution.  The consumer has no right to opt out of this type of
disclosure, but the bank must inform consumers that it will be disclosing
this type of information.  The rule requires that if a bank discloses
nonpublic personal information to a nonaffiliated third party pursuant to
this exception, the bank must include in its privacy notices a separate
description of the categories of information that are disclosed and the
categories of third parties providing the services.

Right to opt out.  The bank's initial and annual privacy notices must
inform the bank's customers of their right to opt out and explain the
methods by which they can opt out.  The notices may either provide the
full set of opt out disclosures, or refer the customer to the bank's opt
out notice.

Disclosures required under the Fair Credit Reporting Act.  A bank's
initial and annual notices also must include the opt out disclosures
required under the Fair Credit Reporting Act, with respect to certain
information proposed to be shared with affiliates of the bank.

Disclosures regarding confidentiality and security of information.  The
bank's privacy notices also must disclose its policies with respect to
protecting the confidentiality and security of nonpublic personal
information.  The information need not be technical in nature, but should
address who has access to the information, and whether the bank has
security practices and procedures in place to maintain the confidentiality
of consumer information.

2.	Opt out notices

A bank must inform a consumer if the bank intends to disclose nonpublic
personal information about the consumer to certain nonaffiliated third
parties.  The final rule provides that an opt out notice would be adequate
if it identifies all of the categories of nonpublic personal information
that the bank discloses to nonaffiliated third parties as described in the
bank's initial and annual privacy notices, and states that the consumer
can opt out of the disclosure of the information.

F.	Standards governing delivery and clarity of notices

The final rule requires privacy and opt out notices to be reasonably
understandable and designed to call attention to the nature and
significance of the information contained in the notice.  The final rule
also requires that the notices accurately reflect the bank's privacy
practices.  This requirement that disclosures be accurate enables the
banking agencies to evaluate whether a bank is actually complying with its
stated privacy policies, and take appropriate action if it is not.

Notices must be provided so that each recipient can reasonably be expected
to receive actual notice.  Notices may be delivered in writing, or if the
consumer agrees, electronically.  A consumer must have the ability to
retain an electronic notice or access it at a later time.  Examples of
acceptable delivery include mailing a copy to the consumer's last known
address, or sending it via electronic mail to a consumer who obtains a
financial product or service from the bank electronically.  It is not
sufficient for a bank to post a copy of its privacy notices in a lobby,
nor is it sufficient to provide an initial privacy notice only on a Web
page unless the consumer is required to acknowledge receipt of the notice
as a necessary step to obtaining the product or service in question.  A
bank may satisfy the annual notice requirement by posting the privacy
notice on a transaction page on its Web site for customers who use the
bank's Web site to access financial products or services and who agree to
receive notices at the site.

G.	Reasonable opportunity to opt out

The final rule requires that a consumer have a reasonable opportunity to
opt out before a bank discloses nonpublic personal information to
nonaffiliated third parties.  An example of a reasonable opportunity to
opt out is 30 days from the date a notice is mailed to a consumer.  The
final rule does not, however, mandate a specific waiting period before a
bank may disclose nonpublic personal information to third parties.
Instead, the examples in the rule indicate that "reasonableness" depends
on the circumstances.  Regardless of the length of time a bank waits
before sharing that information, a consumer may always opt out of the
information sharing at any time.

H.	Limits on redisclosure and reuse of information

The final rule limits a nonaffiliated third party's use and disclosure of
the nonpublic personal information it receives from a financial
institution.  When a nonaffiliated third party receives information under
an exception (discussed below under the heading "Section 502(e)
exceptions"), the third party may only use the information and disclose it
to carry out the activity for which it received the information under the
exception.  When the third party receives information that was subject to
notice and opt out, the third party may disclose the information
consistent with the privacy policy of the financial institution that
provided it (subject to a consumer's opt out election) and may also
disclose the information in accordance with an exception.

I.	Exceptions

1.	Service providers and joint marketers

As previously noted, the GLBA permits a bank to disclose nonpublic
personal information about a consumer to a nonaffiliated third party for
the purpose of the third party performing services for the bank, including
marketing products offered jointly by the bank and another financial
institution.  A consumer has no right to opt out of this disclosure, but
the bank must satisfy certain requirements in order to qualify for this
exception.  First, before the information is shared, the bank must
disclose to the consumer that it will provide this information to the
nonaffiliated third party.  Second, the bank must enter into a contract
with the third party that requires the third party to maintain the
confidentiality of the information.

The final rule requires that the contract generally prohibit the third
party from disclosing or using the information other than to carry out the
purposes for which the information was disclosed.  The final rule does not
impose additional conditions for the availability of this exception beyond
those indicated in the statute.

2.	"Section 502(e) exceptions"

Section 502(e) of GLBA lists several exceptions to the requirements that
would otherwise apply in connection with disclosure of nonpublic personal
information to nonaffiliated third parties.  These exceptions are
generally intended to permit a bank to continue sharing information as
needed to conduct routine business transactions, such as disclosures made
in connection with administration, processing, servicing, or sale of a
consumer's account.  When a bank shares information under any of these
"502(e) exceptions," it need not provide a consumer a privacy notice or
opportunity to opt out of the information sharing.

3.	Disclosures of account numbers for marketing purposes

The final rule restates the statutory prohibition against a bank
disclosing, other than to a consumer reporting agency, an account number
or similar form of access number or access code for a credit card account,
deposit account, or transaction account of a consumer, to any
nonaffiliated party for use in telemarketing, direct mail marketing, or
other marketing to the consumer through electronic mail.

The final rule provides two exceptions to this prohibition and further
clarifies its scope.  A bank may provide an account number to an agent or
service provider to market solely the bank's own products or services,
provided the bank does not authorize the agent or service provider to
initiate charges to a consumer's account.  A bank may also disclose a
consumer's account number to a participant in a private label credit card
program or an affinity program where the participants are identified to
the consumer.

An account number that is encrypted, where the bank does not provide the
key to decode the number, is not considered an account number for purposes
of the prohibition.  The final rule also provides that a transaction
account does not include an account to which third parties cannot initiate
charges.

J.	Effective date and transition rule

The final rule provides for an effective date of November 13, 2000, and
states that the time for compliance is extended until July 1, 2001.  Thus,
by July 1, 2001, banks must have provided an initial privacy notice to
existing customers as well as an opportunity for them to opt out, and must
have established a system for providing initial notices to new customers.

K.	Effect of State laws

Consistent with the GLBA, the final rule provides that the regulation does
not preempt State laws that provide greater consumer protection than is
provided under the GLBA privacy provisions.  Determinations whether a
particular State law provides greater protection are made by the Federal
Trade Commission.  (It should be noted, however, that the Fair Credit
Reporting Act preempts State laws pertaining to information sharing among
affiliated parties, until 2004.)