[Federal Register: June 1, 2000 (Volume 65, Number 106)] [Rules and Regulations] [Page 35161-35236] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr01jn00-30] [[Page 35161]] ----------------------------------------------------------------------- Part II Department of the Treasury ----------------------------------------------------------------------- Office of the Comptroller of the Currency Office of Thrift Supervision ----------------------------------------------------------------------- Federal Reserve System Federal Deposit Insurance Corporation ----------------------------------------------------------------------- 12 CFR Parts 40, 216, 332, and 573 Privacy of Consumer Financial Information; Final Rule [[Page 35162]] ----------------------------------------------------------------------- DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency 12 CFR Part 40 [Docket No. 00-10] RIN 1557-AB77 FEDERAL RESERVE SYSTEM 12 CFR Part 216 [Docket No. R-1058] FEDERAL DEPOSIT INSURANCE CORPORATION 12 CFR Part 332 RIN 3064-AC32 DEPARTMENT OF THE TREASURY Office of Thrift Supervision 12 CFR Part 573 [Docket No. 2000-45] RIN 1550-AB36 Privacy of Consumer Financial Information AGENCIES: Office of the Comptroller of the Currency (OCC), Treasury; Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision (OTS), Treasury. ACTION: Joint final rule. ----------------------------------------------------------------------- SUMMARY: The Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and the Office of Thrift Supervision, (collectively, the Agencies) are publishing final privacy rules pursuant to section 504 of the Gramm-Leach-Bliley Act (the GLB Act or Act). Section 504 authorizes the Agencies to issue regulations as may be necessary to implement notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Pursuant to section 503 of the GLB Act, a financial institution must provide its customers with a notice of its privacy policies and practices. Section 502 prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties unless the institution satisfies various notice and opt-out requirements and the consumer has not elected to opt out of the disclosure. These final rules implement the requirements outlined above. EFFECTIVE DATE: This joint rule is effective November 13, 2000. However, compliance will be optional until July 1, 2001. FOR FURTHER INFORMATION CONTACT: OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Jeffery Abrahamson, Attorney, Legislative and Regulatory Activities Division, (202) 874-5090, or Mark Tenhundfeld, Assistant Director, Legislative and Regulatory Activities Division, (202) 874-5090; Michael Bylsma, Director, Community and Consumer Law, (202) 874-5750; Steve Van Meter, Senior Attorney, Community and Consumer Law, (202) 874-5750; Karen Furst, Policy Analyst, Economic and Policy Analysis, (202) 874-4509; Paul Utterback, National Bank Examiner, Bank Supervision Policy, (202) 874-5461, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219. Board: Oliver I. Ireland, Associate General Counsel, (202) 452- 3625, Stephanie Martin, Managing Senior Counsel, (202) 452-3198, or Thomas Scanlon, Attorney, (202) 452-3594, Legal Division; or Adrienne D. Hurt, Assistant Director, (202) 452-2412, Jane J. Gell, Managing Counsel, (202) 452-3667, James H. Mann, Attorney, (202) 452-2412, or Minh-Duc T. Le, Attorney, (202) 452-3667, Division of Consumer and Community Affairs. For the hearing impaired only, contact Janice Simms, Telecommunications Device for the Deaf (TDD) (202) 872-4984, Board of Governors of the Federal Reserve System, 20th and C Streets, NW., Washington, DC 20551. FDIC: James K. Baebel, Senior Review Examiner, Division of Compliance and Consumer Affairs, (202) 736-0229; Deanna Caldwell, Community Affairs Officer, Division of Compliance and Consumer Affairs, (202) 736-0141; Robert A. Patrick, Counsel, Regulations and Legislation Section, (202) 898-3757; Marc J. Goldstrom, Counsel, Regulations and Legislation Section, (202) 898-8807; Marilyn E. Anderson, Senior Counsel, Regulations and Legislation Section, (202) 898-3522; Nancy Schucker Recchia, Counsel, Regulations and Legislation Section, (202) 898-8885, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429. OTS: Christine Harrington, Counsel (Banking and Finance), (202) 906-7957, or Paul Robin, Assistant Chief Counsel, (202) 906-6648, Regulations and Legislation Division; or Cindy Baltierra, Program Analyst, Compliance Policy, (202) 906-6540, Office of Thrift Supervision, 1700 G Street, NW., Washington DC 20552. SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in the following outline: I. Background II. Overview of Comments Received III. Section-by-Section Analysis IV. Guidance for Certain Institutions V. Regulatory Analysis A. Paperwork Reduction Act B. Regulatory Flexibility Act C. Executive Order 12866 D. Unfunded Mandates Act of 1995 I. Background On November 12, 1999, President Clinton signed the GLB Act (Pub. L. 106-102) into law. Subtitle A of title V of the Act, captioned Disclosure of Nonpublic Personal Information (codified at 15 U.S.C. 6801 et seq.), limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a financial institution to disclose to all of its customers the institution's privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties. Title V also requires the Agencies, the Secretary of the Treasury, the National Credit Union Administration (NCUA), the Federal Trade Commission (FTC), and the Securities and Exchange Commission (SEC), after consulting with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, to prescribe such regulations as may be necessary to carry out the purposes of the provisions in title V that govern disclosure of nonpublic personal information. The Agencies have prepared final rules to implement subtitle A that are consistent and comparable to the extent possible, as is required by the statute.\1\ The texts of the Agencies' proposed regulations are substantively identical, and differ only with respect to the citations of authority for each Agency's rulemaking and definitions appropriate for institutions within each Agency's primary jurisdiction. --------------------------------------------------------------------------- \1\ The NCUA, FTC, SEC, and the Treasury Department also have participated in the rulemaking process, and the NCUA, FTC, and SEC will separately issue comparable final rules. --------------------------------------------------------------------------- II. Overview of Comments Received On February 22, 2000, the Agencies published a joint notice of proposed rulemaking (the proposal or proposed rule) in the Federal Register (65 FR [[Page 35163]] 8770).\2\ The Agencies collectively received a total of 8,126 comments in response to the proposal, although many commenters sent copies of the same letter to each of the Agencies.\3\ Of these, several thousand were received from individuals, virtually all of whom encouraged the Agencies to provide greater protection of individuals' financial privacy. Many individuals noted their concerns generally about the loss of privacy and the receipt of unwanted solicitations by marketers. A large number of individuals also requested the Agencies to support legislation that the commenters believe would provide additional protections. --------------------------------------------------------------------------- \2\ The NCUA, FTC, and SEC published separate proposed rules on different dates. These proposed rules, which were consistent and comparable with the proposals published by the Agencies, appeared in the Federal Register at 65 FR 10988 (March 1, 2000) (NCUA), 65 FR 11174 (March 1, 2000) (FTC), and 65 FR 12354 (March 8, 2000) (SEC). \3\ The NCUA, FTC, and SEC received 99, 640, and 112 comments, respectively, in response to their proposed rules. --------------------------------------------------------------------------- Several letters were received from members of Congress. In two letters signed by several members of the House of Representatives, the Agencies were encouraged to exercise their rulemaking authority to provide more protections than were proposed. Other Congressmen requested, in separate letters, that the Agencies (a) create an exception under limited circumstances to the prohibition against the sharing of account numbers for marketing purposes, (b) ensure that social security numbers are considered ``nonpublic personal information,'' and (c) refrain from extending the effective date of the rule. The National Association of Insurance Commissioners (NAIC) submitted a comment on behalf of the State insurance authorities that generally supported the Agencies' proposed rule. The NAIC also proposed various measures to provide certain protections for consumers, such as specifying means to exercise the right to opt out of the disclosure of information. The NAIC further advised the Agencies to clarify the boundary of Federal and State jurisdiction over privacy regulations and ensure that the financial privacy rules under the Act are compatible with the privacy rules relating to medical information that are to be issued by the Secretary of the Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act (HIPPA) of 1996.\4\ --------------------------------------------------------------------------- \4\ These proposed regulations were published for comment at 64 FR 59918 (Nov. 3, 1999). --------------------------------------------------------------------------- Other comments were received from consumer groups and others advocating that the Agencies extend privacy protections in a number of ways, such as by requiring (a) financial institutions to provide consumers with access to their information maintained by the institutions and the opportunity to correct errors, (b) more detailed disclosures of the information collected and disclosed, and (c) disclosures of a financial institution's privacy policies and practices earlier in the process of establishing a customer relationship. In a letter signed by 33 State Attorneys General, the Agencies were requested to add certain consumer protections to the disclosure requirements and to the provision permitting financial institutions to enter into joint marketing agreements. The majority of the remainder of comments received by the Agencies were from insured depository institutions or their representatives. These commenters offered a large number of suggested changes, with the most commonly advanced suggestions including: an extension of the effective date of the rule; an amendment to the definition of ``nonpublic personal information'' to focus more clearly on ``financial'' information; a streamlining of information required in the initial and annual disclosures; a clarification of how one or more of the statutory exceptions operate; an exclusion from, or clarification of, the definitions of ``consumer'' and ``customer'' in various contexts; and the addition of flexibility to provide initial notices at some point other than ``prior to'' the time a customer relationship is established. Representatives of a wide variety of other interests, including the health care industry, retail merchants, insurance companies, securities firms, private investigators, and higher education, also suggested changes to the proposed rule. The Agencies have modified the proposed rule in light of the comments received. These comments, and the Agencies' responses thereto, are discussed in the following section-by-section analysis. As was done in the preamble discussion of the proposal, the citations are to sections only, leaving citations to the part numbers used by each Agency blank. Following the section-by-section analysis, the Agencies have provided guidance for certain institutions that is intended to provide additional guidance on how these institutions may comply with the rule in a way that avoids unnecessary burden. III. Section-by-Section Analysis As an initial matter, the Agencies note that the final rule, unlike the proposal, presents the various sections in subparts that consist of related sections. This change was made to group related concepts together and thereby make the rule easier to follow. A derivation table is included following this preamble to assist readers in locating provisions as set out in the proposal. The Agencies also have added an Appendix A to the final rule, setting out sample disclosures for financial institutions to consider. Section __.1 Purpose and Scope Proposed Sec. __.1 identified the purposes and scope of the rules. As stated in the proposal, the rule is intended to require a financial institution to provide notice to customers about its privacy policies and practices; to describe the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and to provide a method for consumers to prevent a financial institution from disclosing that information to certain nonaffiliated third parties by ``opting out'' of that disclosure, subject to various exceptions as stated in the rule. The Agencies invited comment on whether the rules should apply to foreign financial institutions that solicit business in the United States but that do not have an office in the United States. Most of the comments received on this section focused on the scope of the rules. Several commenters suggested that the Agencies clarify how the rule applies to insurance companies. The Agencies note that section 505 of GLB Act, which sets out the enforcement authority of the Agencies, extends this authority to subsidiaries of entities within each Agency's primary jurisdiction. That section then explicitly excludes ``persons providing insurance'' from each Agency's enforcement authority (and, by operation of section 504(a)(1) of GLB Act, from the Agencies' rulemaking authority). The Agencies affected by this provision have concluded that the exclusion of ``persons providing insurance'' is not intended to remove insurance activities conducted directly by an insured depository institution from the scope of the rule. Consistent with this reading of the statute, each Agency's final rule states that the exclusion of persons providing insurance applies only to persons doing so in a subsidiary of an entity within the primary jurisdiction of that Agency. See Sec. 40.1(b) (OCC rule); Sec. 216.3(q) (Board rule); Sec. 332.3(q) (FDIC rule); and Sec. 573.1(b) (OTS rule). The OTS notes that, while it regulates savings and loan holding companies, a different Federal functional regulator, a state insurance authority, or the FTC may enforce privacy rules as to that holding company, under Sec. 505 of the [[Page 35164]] Act, depending on the nature of a savings and loan holding company's activities. Several other commenters asked that the final rule state that certain transactions that are exempt from the coverage of the Truth in Lending Act (TILA; 15 U.S.C. 1601 et seq.) and Regulation Z (Reg. Z, 12 CFR part 226) also be treated as beyond the scope of the privacy rule. TILA and Reg. Z, which impose disclosure requirements on credit extended to consumers under certain circumstances, exempt several transactions, including those involving business, commercial, or agricultural credit. 15 U.S.C. 1603(1); 12 CFR 226.3(a). The Agencies agree that transactions that fit within the exemptions from TILA and Reg. Z for these types of credit also would fall outside the scope of the privacy rule, and have amended Sec. __.1(b) accordingly. Thus, financial institutions may look at how this exemption is applied under Reg. Z for guidance on the scope of covered transactions under the privacy rule. It should be noted, however, that TILA exempts several other types of transactions that would be covered under the privacy rule if they are for the purpose of an individual obtaining a financial product or service as that term is defined in the privacy regulation. See 15 U.S.C. 1603(2) and (3). A few commenters stated that the rule should apply to foreign entities who solicit business from people in the United States. The OCC, FRB, and FDIC each have been given explicit authority to enforce the privacy rule with respect to foreign institutions within their respective jurisdictions that have offices in the U.S. Those commenters who favored applying the regulation to foreign offices of financial institutions that do not have offices within the U.S. suggested that an expanded scope would provide additional protections to consumers and would eliminate what they perceive to be a competitive disadvantage of domestic institutions. While the Agencies support consistent protections for consumers regardless of the entity from whom a financial product or service is obtained, at this stage the Agencies do not believe that it is appropriate to attempt to apply the rule to offshore offices of financial institutions. Several comments suggested that the rule should not apply to entities that must comply with regulations issued by HHS that implement HIPAA. Given the broad definition of ``financial institution'' under the GLB Act, certain entities, such as health insurers, are subject to these privacy rules as well as rules promulgated under HIPAA regarding the appropriate handling of protected health information. Accordingly, financial institutions may be covered both by this privacy rule and by the regulations promulgated by HHS under the authority of sections 262 and 264 of HIPAA once those regulations are finalized. Based on the proposed HIPAA rules, it appears likely that there will be areas of overlap between the HIPAA and financial privacy rules. For instance, under the proposed HIPAA regulations, consumers must provide affirmative authorization before a covered institution may disclose medical information in certain instances whereas under the financial privacy rules, institutions need only provide consumers with the opportunity to opt out of disclosures. In this case, the Agencies anticipate that compliance with the affirmative authorization requirement, consistent with the procedures required under HIPAA, would satisfy the opt out requirement under the financial privacy rules. After HHS publishes its final rules, the Agencies will consult with HHS to avoid the imposition of duplicative or inconsistent requirements. Section __.2 Rule of Construction Proposed Sec. __.2 of the rules set out a rule of construction intended to clarify the effect of the examples used in the rules. As noted in the proposal, these examples are not intended to be exhaustive; rather, they are intended to provide guidance about how the rules would apply in specific situations. Commenters generally agreed that examples are helpful in clarifying how the rule will work in specific circumstances and suggested that the Agencies should include more examples. Many commenters requested the Agencies to provide examples of model disclosures. Commenters also generally agreed that it is useful to state that the list of examples is not intended to be exhaustive, and that compliance with one of the examples would be deemed compliance with the regulation. A few commenters suggested that the regulation state that a financial institution is not obligated to comply with an example but has the latitude to comply with the general rules in other ways. Others stated that the examples ought to be identical in each privacy regulation adopted by the Agencies, the FTC, NCUA, and SEC. The Agencies believe that more examples would be helpful, and have included additional examples in appropriate places throughout the rule. The Agencies also have provided sample clauses in Appendix A to each Agency's rule to aid financial institutions in their drafting of privacy notices. The sample clauses are provided to illustrate the level of detail the Agencies believe is appropriate. The Agencies caution financial institutions against relying on the sample disclosures without determining the relevance or appropriateness of the disclosure for their operations. The Agencies have used statutory terms, such as ``nonpublic personal information'' and ``nonaffiliated third parties,'' in the sample clauses to convey generally the subject of the clauses. However, a financial institution that uses these terms must provide sufficient information to enable consumers to understand what these terms mean in the context of the institution's notices. Moreover, the Agencies note that, in providing the sample disclosures, the Agencies are addressing solely the level of detail required and are not attempting to provide guidance on issues such as type size, margin width, and so on. The Agencies have not added a statement in the final rule regarding a financial institution's ability to comply with the rule in ways other than as suggested in the examples, but instead retain the statement that the examples are not exclusive. The rule also states that compliance with the examples will constitute compliance with the rule. The Agencies believe that, when read together, these provisions give financial institutions sufficient flexibility to comply with the regulation but also sufficient guidance about the use of examples. The Agencies note that an example that mentions a particular activity does not, by itself, authorize a financial institution to engage in that activity. Any such authority must have a different source. Section __.3 Definitions a. Affiliate The proposal adopted the definition of ``affiliate'' that is used in section 509(6) of the GLB Act. An affiliation exists when one company ``controls'' (which is defined in Sec. __.3(g), below), is controlled by, or is under common control with another company. The definition includes both financial institutions and entities that are not financial institutions. The Agencies received comparatively few comments in response to this definition. One commenter requested that the final rule state that a bank service company will be deemed to be an affiliate of every bank that has an interest in it. The Agencies have declined to adopt this suggestion. If the [[Page 35165]] relationship between a financial institution and a bank service company satisfies the test for affiliation set out in the statute and regulation, then an affiliation exists. In light of the comparatively few comments received and the nature of those comments, the Agencies adopt the definition of ``affiliate'' as proposed. b. Clear and Conspicuous Under the proposed rules, various notices must be ``clear and conspicuous.'' The proposed rules defined this term to mean that the notice must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The proposal did not mandate the use of any particular technique for making the notices clear and conspicuous, but provided examples of how a notice may be made clear and conspicuous. As noted in the preamble to the proposed rule, each financial institution retains the flexibility to decide for itself how best to comply with this requirement. The Agencies received a large number of comments on this proposed definition. Several commenters favored adopting the definition as proposed, with some of these advocating that the final rule add a requirement that disclosures be on a separate piece of paper in order to ensure that they will be conspicuous. Others stated that the definition was unnecessary, given the experience financial institutions have in complying with requirements that disclosures mandated by other laws be clear and conspicuous. Several commenters maintained that the rule proposed is inconsistent with requirements in other consumer protection regulations such as Reg. Z and the Truth in Savings regulation (Regulation DD, 12 CFR part 230), which require only that a disclosure be reasonably understandable. Many of these commenters expressed concern that the examples would invite litigation because of ambiguities inherent in terms used in the examples in the proposed rule such as ``ample line spacing,'' ``wide margins,'' and ``explanations * * * subject to different interpretations.'' A few commenters questioned how the requirement would work in a document that contains several disclosures that each must be clearly and conspicuously disclosed, while others raised questions about how a disclosure may be clear and conspicuous on a website. These comments are addressed below. New standard for ``clear and conspicuous.'' The Agencies recognize that the proposed definition develops the concept of ``clear and conspicuous'' beyond what is currently understood by the term. However, the Agencies added the phrase ``designed to call attention to the nature and significance of the information contained'' to provide meaning to the term ``conspicuous.'' The Agencies believe that this standard, when coupled with the existing standard requiring that a disclosure be readily understandable, likely will result in notices to consumers that communicate effectively the information needed by consumers to make an informed choice about the privacy of their information, including whether to transact business with a financial institution. The standard for clear and conspicuous adopted by the Agencies in this rulemaking applies solely to disclosures required under the privacy rules. Disclosures governed by other rules requiring clear and conspicuous disclosures (such as Reg. Z) are beyond the scope of this rulemaking. Examples of ``clear and conspicuous.'' The Agencies recognize that many of the examples are imprecise. The Agencies believe, however, that more prescriptive examples, while perhaps easier to conform to, likely would result in requirements that would be inappropriate in a given circumstance. To avoid this result, the examples provide generally applicable guidance about ways in which a financial institution may make a disclosure clear and conspicuous. The Agencies note that the examples of how to make a disclosure clear and conspicuous are not mandatory. A financial institution must decide for itself how best to comply with the general rule, and may use techniques not listed in the examples. To address concerns about the imprecision of the examples, the Agencies have incorporated several of the commenters' suggestions in the final rule for ways to make the guidance more helpful. Combination of several ``clear and conspicuous'' notices. A document may combine several disclosures that each must be clear and conspicuous. The final rule provides an example, in Sec. __.3(b)(2)(ii)(E), of how a financial institution may make disclosures conspicuous, including disclosures on a combined notice. In order to avoid the potential conflicts envisioned by several commenters between two different rules requiring that different sets of disclosures each be provided clearly and conspicuously, the final rule does not mandate precise specifications for how various disclosures must be presented. Because the Agencies believe that privacy disclosures may be clear and conspicuous when contained in a document containing other disclosures, the rule does not mandate that disclosures be provided on a separate piece of paper. Such a requirement is not necessary and would significantly increase the burden on financial institutions. Disclosures on web pages. Several commenters requested guidance on how they may clearly and conspicuously disclose privacy-related information on their Internet sites. The Agencies recognize that disclosures over the Internet present some issues that will not arise in paper-based disclosures. There may be web pages within a financial institution's website that consumers may view in a different order each time they access the site, aided by hypertext links. Depending on the customer hardware and software used to access the Internet, some web pages may require consumers to scroll down to view the entire page. To address these issues, the Agencies have included a statement in the example in Sec. __.3(b)(2)(iii) concerning Internet disclosures informing financial institutions that they may comply with the rule if they use text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the web site (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice. In addition, a financial institution is to place either a notice or a conspicuous link on a page frequently accessed by consumers, such as a page on which transactions are conducted. Given current technology, there are a range of approaches a financial institution could take to comply with the rule. For example, a financial institution could use a dialog box that pops up to provide the disclosure before a consumer provides information to the institution. Another approach would be a simple, clearly labeled graphic located near the top of the page or in close proximity to the financial institution's logo, directing the customer, through a hypertext link or hotlink, to the privacy disclosures on a separate web page. For the reasons advanced above, the Agencies have adopted the definition of ``clear and conspicuous,'' with the changes previously described and with certain other changes intended to make the definition easier to read. c. Collect The statute requires a financial institution to include in its initial and annual notices a disclosure of the categories of nonpublic personal [[Page 35166]] information that the institution collects. The proposal defined ``collect'' to mean obtaining any information that is organized or retrievable on a personally identifiable basis, irrespective of the source of the underlying information. This definition was included to provide guidance about the information that a financial institution must include in its notices and to clarify that the obligations arise regardless of whether the financial institution obtains the information from a consumer or from some other source. Commenters suggested that the final rule treat information that is not organized and retrievable in an automated fashion as not ``collected.'' This approach would exclude separate documents not included in a file. The Agencies disagree that information should not be deemed to be collected simply because it is not retrievable in an automated fashion. The Agencies believe that the method of retrieval is irrelevant to whether information should be protected under the rule. The Agencies agree, however, that the scope of the regulation should be refined, and have changed the definition of ``collect'' by using language taken from the Privacy Act of 1974 (5 U.S.C. 552a). Other commenters requested that the rule clarify that information that is received by a financial institution but then immediately passed along without maintaining a copy of the information is not ``collected'' as this term is used in the final rule. The Agencies believe that merely receiving information without maintaining it would not be ``collecting'' the information. The final rule reflects this by stating that the information must be organized or retrievable by the financial institution. Otherwise, the definition of ``collect'' is adopted as proposed. d. Company The proposal defined ``company,'' which is used in the definition of ``affiliate,'' as any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization. The Agencies received no substantive comments on this proposed definition. Accordingly, the Agencies adopt the definition of ``company'' as proposed. e. Consumer The GLB Act distinguishes ``consumers'' from ``customers'' for purposes of the notice requirements imposed by the Act. A financial institution is required to give a ``consumer'' the notices required under Title V only if the institution intends to disclose nonpublic personal information about the consumer to a nonaffiliated third party for purposes other than as permitted by section 502(e) of the statute (as implemented by Secs. __.14 and __.15 of the final rule). By contrast, a financial institution must give all ``customers'' a notice of the institution's privacy policy at the time of establishing a customer relationship and annually thereafter during the continuation of the customer relationship. The proposal defined ``consumer'' to mean an individual (and his or her legal representative) who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family, or household purposes. Because ``financial product or service'' is defined to include the evaluation by a financial institution of an application to obtain a financial product or service (see further discussion of this point, below) a person becomes a consumer even if the application is denied or withdrawn. An individual also would be deemed to be a consumer for purposes of a financial institution if that institution purchases the individual's account from some other institution. The Agencies received a large number of comments on this proposed definition, raising questions about how the definition would apply in a variety of situations. These comments are addressed below. Distinction between ``consumer'' and ``customer.'' While many agreed with the distinction drawn in the proposal between ``consumer'' and ``customer,'' a few commenters suggested that no distinction between ``consumer'' and ``customer'' should be made, given that, in these commenters'' views, the statute appears to use the terms interchangeably. The Agencies believe, however, that the distinction was deliberate and that the rule should implement it accordingly. A plain reading of the statute supports the conclusion that Congress created one set of protections (i.e., a financial institution's privacy policy and opt out notice, and the right to opt out if a financial institution intends to disclose nonpublic personal information to nonaffiliated third parties) for anyone who obtains a financial product or service and an additional set of protections (i.e., the initial notices at the time of establishing a customer relationship and annual notices thereafter) for anyone who establishes a relationship of a more lasting nature than an isolated transaction with a financial institution. Thus, the statute tailors the notice requirements to the type of relationship an individual has with a financial institution. This distinction is preserved in the final rule. Applicants as consumers. Many of the comments on the proposed definition of ``consumer'' disagreed that someone should be deemed a consumer of a financial institution by virtue of the institution evaluating that individual's application for a financial product or service. These commenters maintained that the individual has not obtained a financial product or service, as is required by the GLB Act. The Agencies remain of the view, however, that it is consistent with both the spirit and the letter of the Act to consider an individual as having obtained a financial product or service when a financial institution evaluates information provided to it from the individual for the purpose of obtaining some other financial product or service. Financial institutions routinely provide several services that are integral to the delivery of a financial product. Frequently among these services is the evaluation by the financial institution of information provided by an individual. In certain instances, such as when an individual is shopping for the best rate on a mortgage loan or the lowest premium for an insurance policy, that evaluation may be the sole financial product or service delivered. In other instances, that evaluation may be one of several services provided in connection with establishing a customer relationship. In some cases financial institutions impose separate charges for considering applications or assessing an individual's credit worthiness, recognizing both the cost to the institution and the value to the individual of this service. In addition to being consistent with the language of the statute, the proposed definition of ``consumer'' is consistent with one of the primary purposes of Title V of GLB Act, namely, to enable an individual to limit the sharing of nonpublic personal information by a financial institution with a nonaffiliated third party. The information provided by a person to a financial institution before a customer relationship is established is likely to contain the types of information that the statute is designed to protect. This information is no less deserving of protection simply because an application is denied or withdrawn. For these reasons, the Agencies have retained within the definition of ``consumer'' individuals whose applications are evaluated by a financial institution. See Sec. __.3(e)(2)(i). Loan sales. Several commenters requested clarification of whether an individual becomes a consumer in various other scenarios involving loans. [[Page 35167]] Commenters posited a wide variety of examples, which, if each were to be addressed specifically in the rule, would require a final rule of enormous complexity and detail. The Agencies believe that a rule setting forth a general principle that is flexible enough to be applied in the array of loan transactions posited by the commenters is more appropriate. Towards this end, the Agencies have stated in the final rule, at Sec. __.3(e)(2)(iv), that a person will be a consumer of any entity that holds ownership or servicing rights to an individual's loan. (The Agencies note that such a person may not be a customer, however; see explanation of how the definition ``customer'' will be applied in the loan context, in the discussion of the definition of ``customer'' below. See also Secs. __.4(c)(2) and__.4(c)(3)(ii) for further discussion concerning when a borrower establishes a customer relationship in the context of a loan sale.) The Agencies believe that financial institutions that own or service a loan are providing a financial product or service to the individual borrower in question. In some cases, the product or service is the funding of the loan, directly or indirectly. In other cases, the product or service is the processing of payments, sending account-related notices, responding to consumer questions and complaints about the handling of the account, and so on. The final rule defines ``consumer'' in a way that covers individuals receiving financial products or services in each of these situations. Agents of financial institutions. Several commenters agreed with the principle set out in the proposed rule that an individual should not be considered to be a consumer of an entity that is acting as agent for a financial institution. These commenters noted that the financial institution that hires the agent is responsible for that agent's conduct in carrying out the agency responsibilities. The Agencies agree and continue to believe that the financial institution is the entity that has a consumer relationship, even if it uses agents to help it deliver its products or services. Accordingly, the proposed rule retains the rule governing agents, with modifications made to improve its clarity. See Sec. __.3(e)(2)(v). Legal representative. The Agencies also agree with the suggestion made by several commenters that the definition of ``consumer'' should clarify that the obligations stemming from a consumer relationship may be satisfied by dealing either with the individual who obtains a financial product or service from a financial institution or that individual's representative. The Agencies do not intend for the rule to require a financial institution to send opt out and initial notices to both the individual and the individual's legal representatives, and have amended the final rule accordingly in Sec. __.3(e)(1). Trusts. The Agencies received several comments concerning whether an individual who obtains financial services in connection with trusts is a consumer or customer of a financial institution. Several commenters urged the Agencies to generally exempt a financial institution from the requirements of the rule when it acts as a fiduciary, or, in the alternative, clarify the categories of individuals that are considered to be customers. Commenters proposed, for example, that individuals who are beneficiaries with current interests should be identified as customers, whereas individuals who are only contingent beneficiaries should not be customers. Other commenters stated that when the financial institution serves as trustee of a trust, neither the grantor nor beneficiary is a consumer or customer under the rule. In these commenters' view, the trust itself is the institution's ``customer,'' and, therefore, the rule should not apply to a financial institution when it acts as trustee. These commenters also stated that when a financial institution is a trustee, it serves as a fiduciary and is subject to other obligations to protect the confidentiality of the beneficiaries' information that are more stringent than those under the provisions in the GLB Act. Similarly, these and other commenters claimed that an individual who is a participant in an employee benefit plan administered or advised by a financial institution does not qualify as a consumer or customer. The commenters opined that the plan sponsor, or the plan itself, is the ``customer'' for the purposes of the proposed rule. These commenters contended that plan participants have no direct relationship with the financial institution and, in any event, the financial institution is authorized to use information that would be covered under the GLB Act only in accordance with the directions of the plan sponsor. The commenters concluded, therefore, that the regulations should specifically exclude individuals who are participants in an employee benefit plan from the definition of customer. The Agencies believe that the definition of ``consumer'' in the GLB Act does not squarely resolve whether the beneficiary of a trust is a consumer of the financial institution that is the trustee. The Agencies agree with the commenters who concluded that, when the financial institution serves as trustee of a trust, neither the grantor nor beneficiary is a consumer or customer under the rule. Instead, the trust itself is the institution's ``customer,'' and therefore, the rule does not apply because the trust is not an individual. The Agencies note that a financial institution that is a trustee assumes obligations as a fiduciary, including the duty to protect the confidentiality of the beneficiaries' information, that are consistent with the purposes of the GLB Act and enforceable under state law. Accordingly, the Agencies have excluded an individual who is a beneficiary of a trust or a plan participant of an employee benefit plan from the definitions of ``consumer'' and ``customer.'' Nevertheless, the Agencies believe that an individual who selects a financial institution to be a custodian of securities or assets in an IRA is a ``consumer'' under the GLB Act. The Agencies have included examples in the rule that appropriately illustrate this interpretation of the GLB Act in Secs. __.3(e)(2)(vi)- (viii) and Sec. __.3(i)(2)(i)(D). Requirements arising from consumer relationship. While the proposed and final rules define ``consumer'' broadly, the Agencies note that this will not result in any additional burden to a financial institution in situations where (a) no customer relationship is established and (b) the institution does not intend to disclose nonpublic personal information about a consumer to nonaffiliated third parties. Under the approach taken in the final rule, a financial institution is under no obligation to provide a consumer with any privacy disclosures unless it intends to disclose the consumer's nonpublic personal information to nonaffiliated third parties outside the exemptions in Secs. __.14 and __.15. A financial institution that wants to disclose a consumer's nonpublic personal information to nonaffiliated third parties is not prohibited under the final rule from doing so, if the requisite notices are delivered and the consumer does not opt out. Thus, as it applies to consumers who are not customers, the rule allows a financial institution to avoid all of the rule's requirements if it chooses to do so. Conversely, if a financial institution determines that the benefits of disclosing consumers' nonpublic personal information to nonaffiliated third parties outweighs the attendant burdens, the financial institution is free to do so, provided it notifies consumers about the disclosure and affords them a reasonable opportunity to opt out. In this way, the [[Page 35168]] rule attempts to strike a balance between protecting an individual's nonpublic personal information and minimizing the burden on a financial institution. f. Consumer Reporting Agency The proposal adopted the definition of ``consumer reporting agency'' that is used in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)). This term was used in proposed Secs. __.11 and __.13. The Agencies received no comments suggesting any changes to this definition. Accordingly, the definition is adopted as proposed. It is used in Secs. __.6(f), __.12(a), and __.15(a)(5) of the final rule. g. Control The proposal defined ``control'' using the tests applied in section 23A of the Federal Reserve Act (12 U.S.C. 371c). This definition is used to determine when companies are affiliated (see discussion of Sec. __.3(a), above), and would result in financial institutions being considered as affiliates regardless of whether the control is by a company or individual. The Agencies received few comments in response to this definition. The one substantive suggestion received was to adopt a test focused solely on percent of stock owned in a company so as to avoid the uncertainties arising from a ``control in fact'' test. The Agencies believe, however, that any test based only on stock ownership is unlikely to be flexible enough to address all situations in which companies are appropriately deemed to be affiliated. Accordingly, the Agencies adopt the definition of ``control'' as proposed. h. Customer The proposal defined ``customer'' as any consumer who has a ``customer relationship'' with a particular financial institution. As is explained more fully in the discussion of Sec. __.4, below, a consumer is a customer of a financial institution when the consumer has a continuing relationship with the institution. The Agencies received a large number of comments on the definition of ``customer'' and ``customer relationship.'' Given the interdependence of the two terms, the following analysis of the comments received will address both under the heading ``customer relationship.'' i. Customer Relationship The proposed rules defined ``customer relationship'' as a continuing relationship between a consumer and a financial institution whereby the institution provides a financial product or service that is to be used by the consumer primarily for personal, family, or household purposes. \5\ As noted in the proposal, a one-time transaction may be sufficient to establish a customer relationship, depending on the nature of the transaction. A consumer would not become a customer simply by repeatedly engaging in isolated transactions that by themselves would be insufficient to establish a customer relationship, such as withdrawing funds at regular intervals from an ATM owned by an institution at which the consumer has no account. The proposal also stated that a consumer would have a customer relationship with a financial institution that makes a loan to the consumer and then sells the loan but retains the servicing rights. The Agencies received a large number of comments on this definition, as discussed below. --------------------------------------------------------------------------- \5\ As noted in the preamble to the proposed rule, ``customer'' may be defined differently for purposes of other regulations. See, e.g., 12 CFR 7.4002. --------------------------------------------------------------------------- Point at which one becomes a customer. The Agencies received many comments in response to the definitions of ``customer'' and ``customer relationship.'' Commenters criticized what they considered to be the ill-defined line distinguishing consumers from customers. These commenters stated that the proposed distinction makes it difficult for a financial institution to know when the obligations attendant to a customer relationship arise. Several suggested that the distinction should be based on when a consumer and financial institution enter into a written contract for a financial product or service. The Agencies recognize that the distinction between consumers and customers will, in some instances, require a financial institution to make a judgment about whether a customer relationship is established. In those cases where an individual engages in a transaction for which it is reasonable to expect no further communication about that transaction from the financial institution (such as ATM transactions, purchases of money orders, or cashing of checks), the individual will not have established a customer relationship as a result of that transaction. In other situations where a consumer typically would receive some measure of continued service following, or in connection with, a transaction (such as would be the case when a consumer opens a deposit account, borrows money, or obtains investment advice), a customer relationship will be established. The Agencies believe that the distinction set out in the proposed rule, as further clarified by the examples in the final rule of when a customer relationship is, and is not, established, provides a sufficiently clear line while retaining flexibility to address less clear-cut situations on a case-by-case basis. Customer relationship defined by written contract. The Agencies agree with those commenters who consider the execution of a written contract by a consumer and financial institution as clear evidence that a customer relationship has been established. The proposed rule cited the execution of a written contract as an example of when a customer relationship is established, and the final rule retains that example in Sec. __.4(c)(3)(i)(B). However, a test based solely on whether there is a written contract could inappropriately exclude situations in which an individual is a customer of a financial institution as a result of obtaining, for instance, financial, economic, or investment advisory services from a financial institution. Accordingly, the final rule does not define a customer relationship solely by the execution of a written contract. Use of ``isolated transaction'' test. The final rule also does not define the distinction between consumer and customer based solely on whether the transaction is an isolated event. The Agencies used this concept in several examples in the proposed rule to illustrate one of the factors that may go into whether a relationship is of a continuing nature. Several commenters suggested that this approach was insufficiently precise to serve as a workable distinction between consumers and customers. The Agencies agree that the test may not be useful in all instances, but believe that it will help clarify the status of relationships in certain situations. Accordingly, the final rule retains examples in Secs. __.3(i)(2)(ii)(A) and (C) that cite the isolated nature of a given transaction as an indication that the transaction in question does not establish a customer relationship. Purchase of insurance. Other commenters suggested that, in the context of financial institutions that engage in the sale of insurance and that are regulated by the Agencies, the customer should be the policyholder and not the beneficiary. The Agencies agree, and note that the final rule retains the example Sec. __.3(i)(2)(i)(D) of purchasing an insurance product as one situation in which a customer relationship is formed. In this case, the person obtaining a financial product or service from the financial institution is the person purchasing the policy. Sales of loans. As previously noted, several commenters raised questions in the context of loan sales. Many commenters stated that, under the final [[Page 35169]] rule, a person should not be considered a customer of two financial institutions when the originating bank sells the servicing rights. A point consistently made by these commenters was that a borrower would be equally well protected with less risk of confusion if the borrower is deemed to be a customer of only one entity in connection with a loan, with that entity perhaps being the party with whom the borrower communicates about the loan. The Agencies believe that it is appropriate to consider a loan transaction as giving rise to only one customer relationship, with the recognition that this customer relationship may be transferred in connection with a sale of part or all of the loan. In this way, the borrower will not be inundated by privacy notices, many of which might be from secondary market purchasers that the borrower did not know had any connection to his or her loan. The Agencies note, however, that a customer will remain a consumer of the entity that transfers the servicing rights, as well as a consumer of any other entity that holds an interest in the loan. In order to satisfy the statutory requirement that a customer receive an annual notice from a financial institution until that relationship terminates, the final rule provides that the borrower must be deemed to have a customer relationship with at least one of the entities that hold an interest in the loan. In the case of a financial institution that makes a loan, retains it in its portfolio, and provides servicing for the loan, the borrower clearly would have a customer relationship with that institution. Less clear, however, are situations in which servicing is sold or investors purchase a partial interest in a loan. The Agencies have adopted an approach designed to ensure that a customer receives annual notices for the duration of the customer relationship from the most appropriate financial institution. Under the final rule as stated in Sec. __.3(i)(2)(i)(B), a customer relationship will be established as a general rule with the financial institution that makes a loan to an individual. This customer relationship then will attach to the entity providing servicing. Thus, if the originating lender retains the servicing, it will continue to have a customer relationship with the borrower and will be obligated to provide annual notices for the duration of the customer relationship. If the servicing is sold, then the purchaser of the servicing rights will establish a customer relationship (and the originating lender will have a consumer relationship with the borrower). See Sec. __.3(i)(2)(ii)(B). In this way, the borrower will be entitled to receive an initial notice and annual notices from the loan servicer, but will not receive initial and annual notices from entities that hold interests in the loan but are unknown to the consumer. Mortgage brokers. Several commenters suggested that the use of a mortgage broker should not create a customer relationship. The Agencies disagree. A relationship between a mortgage broker and a consumer is more than an isolated transaction, given that the mortgage broker is likely to provide many services for a consumer, such as analyzing financial information, performing credit checks, negotiating with other financial institutions on the consumer's behalf, and assisting with loan closings. In light of the similarities between the services provided by a mortgage broker and those provided by, for instance, an insured depository institution that makes a mortgage loan, the Agencies believe it is appropriate to consider a mortgage broker to be a financial institution that establishes a customer relationship when the broker enters into an agreement or understanding with a consumer whereby the broker undertakes to arrange or broker a home mortgage loan for the consumer. The final rule reflects this in Sec. __.3(i)(2)(i)(F). Trusts. The final rule adds an example in Sec. __.3(i)(2)(i)(E) to clarify that an individual will be deemed to establish a customer relationship when a bank acts as a custodian for securities or assets in an IRA. This example is consistent with the explanation set out above in the discussion of ``consumer'' concerning trusts. j. Federal Functional Regulator The proposal sought comment on a definition of ``government regulator'' that included each of the Agencies participating in this rulemaking, the Secretary of the Treasury, the NCUA, FTC, SEC, and State insurance authorities under the circumstances identified in the definition. This term was used in the exception set out in proposed Sec. __.11(a)(4) for disclosures to law enforcement agencies, ``including government regulators.'' The few comments that were received on this definition suggested that it be expanded to include additional governmental entities. The Agencies note that, for purposes of the privacy rule, this term is relevant only in the discussion of when a financial institution may disclose information to a law enforcement agency. The exception as stated in the statute uses the term ``federal functional regulator'' (see section 502(e)(5)), which term is defined in the statute at section 509(2) and also includes the Secretary of the Treasury for purposes of the exception permitting disclosures to law enforcement agencies. The Agencies have decided that it is appropriate simply to use the term that is used in the statute and adopt its definition. k. Financial Institution The proposal defined ``financial institution'' as any institution the business of which is engaging in activities that are financial in nature, or incidental to such financial activities, as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). The proposal exempted from the definition of ``financial institution'' those entities specifically excluded by the GLB Act. Commenters suggested that the final rule contain several exclusions to this definition, including those for securitization trusts, debt buyers, and credit bureaus. The Agencies have not included these exceptions in the final rule, in part because the Agencies believe that it is inappropriate to exclude many of the activities suggested by commenters and in part because the objective of the suggested exclusions can be achieved in other ways. Even if an entity is a financial institution as that term is used in the GLB Act, it will not have any disclosure responsibilities under the Act or this rule if it does not provide a financial product or service to a consumer. In most of the situations posited by the commenters, the entity in question will not meet that test and, therefore, will fall outside the scope of the rule with respect to privacy disclosures. \6\ --------------------------------------------------------------------------- \6\ However, these entities will be subject to the limits on redisclosures under Sec. _.11 with respect to any nonpublic personal information they receive from a nonaffiliated financial institution that has disclosure obligations under this rule. --------------------------------------------------------------------------- For the reasons discussed above, the Agencies adopt the definition of ``financial institution'' as proposed. l. Financial Product or Service The proposal defined ``financial product or service'' as a product or service that a financial institution could offer as an activity that is financial in nature, or incidental to such a financial activity, under section 4(k) of the Bank Holding Company Act of 1956, as amended. An activity that is complementary to a financial activity, as described in section 4(k), was not included in the proposed definition of ``financial product or service.'' The proposal's definition included the financial institution's evaluation of information collected in connection [[Page 35170]] with an application by a consumer for a financial product or service even if the application ultimately is rejected or withdrawn. It also included the distribution of information about a consumer for the purpose of assisting the consumer in obtaining a financial product or service. Several commenters in response to this proposed definition criticized the Agencies' interpretation of the Act and suggested that the evaluation of application information should not be considered a financial product or service. For the reasons advanced above in the discussion of the definition of ``consumer,'' the Agencies continue to believe that it is appropriate to retain evaluation or brokerage of information as within the scope of financial products or services covered by the rule. Accordingly, the final rule adopts the definition of ``financial product or service'' as proposed. m. Nonaffiliated Third Party The proposal defined ``nonaffiliated third party'' as any person (which includes natural persons as well as corporate entities) except (1) an affiliate of a financial institution and (2) a joint employee of a financial institution and a third party. The proposal clarified the circumstances under which a company that is controlled by a financial institution pursuant to that institution's merchant banking activities or insurance company activities would be a ``nonaffiliated third party'' of that financial institution. The Agencies received very few comments in response to this proposed definition. One commenter requested that the final rule state that a disclosure of information to someone who is serving as a joint employee of two financial institutions should be deemed to have been disclosed to both financial institutions. The Agencies disagree with this result. Instead, the Agencies believe it is appropriate to deem the information to have been given to the financial institution that is providing the financial product or service in question. Thus, for instance, if an employee of an insured depository institution is a dual employee with a securities firm, information received by that person in connection with a securities transaction conducted with the securities firm would be deemed to have been received by the securities firm. In light of the comments received, the Agencies adopt the definition of ``nonaffiliated third party'' as proposed. n. Nonpublic Personal Information Section 509(4) of the GLB Act defines ``nonpublic personal information'' to mean ``personally identifiable financial information'' that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer, or is otherwise obtained by the financial institution. It also includes any ``list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information.'' The statute excludes publicly available information (unless provided as part of the list, description or other grouping described above), as well as a list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using nonpublic personal information. The statute does not define either ``personally identifiable financial information'' or ``publicly available information.'' The proposed rules implemented this provision of the GLB Act by restating the categories of information described above. The proposed rules presented two alternative approaches to identifying what information would be regarded as publicly available (and therefore, as a general rule, outside the definition of ``nonpublic personal information''). Alternative A deemed information as publicly available only if a financial institution actually obtained the information from a public source while Alternative B treated information as publicly available if a financial institution could obtain it from such a source. Both Alternatives A and B included within the definition of ``nonpublic personal information'' publicly available information that is provided as part of a list, description, or other grouping of consumers. Commenters favoring Alternative A noted that it provided the greatest protection for consumers by treating anything the consumer gives to a financial institution to obtain a financial product or service as nonpublic personal information. Under Alternative A, this protection would be lost only if a financial institution actually obtained the information from a public source. These commenters also preferred the bright-line distinction drawn by treating as nonpublic personal information any information given by a consumer to obtain a financial product or service or information that results from transactions between a financial institution and a consumer. However, the majority of those commenting on this issue favored Alternative B, noting that this alternative was consistent with the statute and would be far less burdensome on financial institutions. These commenters suggested that a requirement that the information actually be obtained from a public source would impose needless burden on financial institutions (by requiring, for instance, that a financial institution ``tag'' information they obtained from public records) and is not required by the statute. The final rule adopts an approach that the Agencies believe incorporates the benefits of both alternatives. Under the final rule, information will be deemed to be ``publicly available'' and therefore excluded from the definition of ``nonpublic personal information'' if a financial institution has a reasonable basis to believe that the information is lawfully made available to the general public from one of the three categories of sources listed in the rule. See Sec. __.3(p)(1). The final rule states that a financial institution will have a ``reasonable basis'' for believing that information is lawfully made available if it has taken steps to determine that the information is of the type that is available to the general public and, if an individual could direct that the information not be made available to the general public, whether the individual has done so. In this way, a financial institution will be able to avoid the burden of having to actually obtain information from a public source, but will not be free simply to assume that information is publicly available without some reasonable basis for that belief. The final rule cites, as an example of information a financial institution might reasonably believe to be publicly available, the fact that someone has a loan that is secured by a mortgage in jurisdictions where mortgages are recorded. See Sec. __.3(p)(3)(iii)(A). The rule also states that a financial institution will have a reasonable basis to believe that a telephone number is publicly available if the institution either located the number in a telephone book or was informed by the consumer that the number is not unlisted. See Sec. __.3(p)(3)(iii)(B). This approach is based on the underlying principle that, if a consumer has some measure of control over the public availability of his or her information, a financial institution should not automatically assume that the information is in fact publicly available. In the case of a mortgage in most jurisdictions, the borrower has no choice about whether the lender will [[Page 35171]] make the mortgage a matter of public record; a lender must do so in order to protect its security interest. In the case of a telephone number, a person may request that his or her number be unlisted. Thus, in evaluating whether it is reasonable to believe that information is publicly available, a financial institution should consider whether the information is of a type that a consumer could keep from being a matter of public record. To implement the complex definition of ``nonpublic personal information'' that is provided in the statute, the final rule adopts a definition that consists, generally speaking, of (1) personally identifiable financial information, plus (2) a consumer list (and publicly available information pertaining to the consumers) that is derived using any personally identifiable financial information that is not publicly available. From that body of information, the final rule excludes publicly available information (except as noted above) and any consumer list that is derived without using personally identifiable financial information that is not publicly available. See Secs. __.3(n)(1) and (2). Examples are provided in Sec. __.3(n)(3) to illustrate how this definition applies in the context of consumer lists. o. Personally Identifiable Financial Information The proposed rules defined ``personally identifiable financial information'' to include information that a consumer provides a financial institution in order to obtain a financial product or service, information resulting from any transaction between the consumer and the financial institution involving a financial product or service, and information about a consumer a financial institution otherwise obtains in connection with providing a financial product or service to the consumer. The proposed rule also treated the fact that someone is a customer of a financial institution as personally identifiable financial information. In essence, the proposed rules treated any personally identifiable information as financial if it was obtained by a financial institution in connection with providing a financial product or service to a consumer. The Agencies noted in the preamble to the proposed rule that this interpretation may result in certain information being covered by the rules that may not be considered intrinsically financial, such as health status. The Agencies received a large number of comments in response to this definition, most of which maintained that the definition inappropriately included certain identifying information that is not financial, such as name, address, and telephone number. Many others maintained that ``personally identifiable financial information'' should not include the fact that someone is a customer of a financial institution. These commenters typically noted that many customer relationships are matters of public record (such as would be the case, for instance, anytime a transaction results in the recordation of a security interest) while other customer relationships are matters of public knowledge (because consumers frequently disclose the relationships by writing checks, using credit cards, and so on). Many commenters stated that aggregate data about a financial institution's customers that lack personal identifiers should not be considered personally identifiable financial information. Treatment of identifying information as financial. The Agencies continue to believe that it is appropriate to treat any information as financial information if it is requested by a financial institution for the purpose of providing a financial product or service. The Agencies also believe this approach is consistent with the express language of the statute. Although the statute does not define the term ``financial,'' it does include a broad definition of ``financial institution'' which encompasses a large number of entities (such as travel agencies, insurance companies, and data processors) that engage in activities not traditionally considered financial. As a consequence of that definition, the range of information that has a bearing on the terms and availability of a financial product or service or that is used by a financial institution in connection with providing a financial product or service is extremely broad and may include, for instance, medical information and other sorts of information that might not be thought of as financial. Further, the information that the agencies have defined as financial is the information that the institution itself has determined is relevant to providing a financial product or service, as evidenced by the fact that the institution requests the information from the consumer, obtains it from a transaction involving a financial product or service with the consumer, or otherwise obtains it in connection with providing a financial product or service to a consumer. The Agencies are sensitive to the concern expressed by many commenters, including several hundred private investigators, about the need for ready access to identifying information to locate people attempting to evade their financial obligations. These commenters consistently suggested that names, addresses, and telephone numbers should not be treated as financial information. However, financial institutions rely on a broad range of information, including information such as addresses and telephone numbers, when providing financial products or services. Location information is used by financial institutions to provide a wide variety of financial services, from the sending of checking account statements to the disbursing of funds to a consumer. Other information, such as the maiden name of a consumer's mother often will be used by a financial institution to verify the consumer's identity. The Agencies concluded that it would be inappropriate to exclude certain items of information from the definition of personally identifiable financial information simply because a particular financial institution might not rely on those items when providing a particular financial product or service. The Agencies note that names, addresses, and telephone numbers, if publicly available, will not be subject to the opt out provisions of the statute unless that information is ``derivative information'' (i.e., information that is part of a list, description, or other grouping of consumers that is derived from personally identifiable financial information that is not publicly available). Thus, in instances involving specific requests about individuals, a financial institution still may disclose information about the individual that the institution reasonably believes to be publicly available, provided that in so doing the institution does not disclose the existence of a customer relationship that is not a matter of public record. Moreover, in instances when a consumer does not opt out, a financial institution may disclose any nonpublic personal information to a nonaffiliated third party provided that the disclosure is consistent with the institution's opt out and privacy notices. Customer relationship as ``personally identifiable financial information.'' The Agencies disagree with those commenters who maintain that customer relationships should not be considered to be personally identifiable financial information. Clearly, information that a particular person has a customer relationship identifies that person, and thus is personally identifiable. The Agencies believe that this information also is financial under the express terms of the statute, because it communicates that the person in question has a transaction involving a financial product or service with a [[Page 35172]] financial institution. While this information could in certain cases be a matter of public record, that does not change the analysis of whether the information is personally identifiable financial information. Changes made to the definition. The final rule makes various stylistic changes to the definition that are intended to make it easier to read and understand. In addition, the final rule adds to the examples of information covered by the rule any information that the institution collects through an information collecting device from a web server, often referred to as a ``cookie.'' See Sec. __.3(o)(2)(F). This illustrates one of the various means by which a financial institution may ``otherwise obtain'' information about a consumer in connection with providing a financial product or service to that consumer. The final rule also includes, as a negative example in Sec. __.3(o)(2)(ii)(B), a statement that aggregate information or blind data lacking personal identifiers is not covered by the definition of ``personally identifiable financial information.'' The Agencies agree with those commenters who opined that such data, by definition, do not identify any individual. p. Publicly Available Information The proposal defined ``publicly available information'' to include information that is lawfully available to the general public from official public records (such as real estate recordations or security interest filings), information from widely distributed media (such as a telephone book, television or radio program, or newspaper), and information that is required to be disclosed to the general public by Federal, State, or local law (such as securities disclosure documents). The proposed rules stated that publicly available information from widely distributed media would include information from an Internet site that is available to the general public without requiring a password or similar restriction. As previously explained in the discussion of ``nonpublic personal information,'' the proposed rules invited comment on two versions of the definition of ``publicly available information.'' The Agencies have adopted an approach in the final rule that they believe closely tracks the statute while providing much of the benefit provided under Alternative A. Several commenters questioned the appropriateness of excluding information from the definition of ``publicly available information'' if a person who seeks to obtain the information over the Internet must have a password or comply with a similar restriction. These commenters made the point that many Internet sites are available to a large number of people, each of whom need a user name and identification number to access the sites. Several of these commenters suggested that it is more appropriate to focus on whether the information was lawfully placed on the Internet. The Agencies agree with these comments, and have amended the final rule to remove the reference to passwords or similar restrictions from the example of the Internet as a ``widely distributed'' medium of communication. In its place, the Agencies have substituted a standard that requires the information, whether from the Internet or otherwise, to be available on an unrestricted basis. Information that an individual specifically requests be compiled, such as information that a locator or ``look up'' service provides with respect to a particular individual that may combine confidential information in addition to publicly available information, will not be considered available to the general public on an unrestricted basis, regardless of whether the information is provided over the Internet or otherwise. On the other hand, the rule states that an Internet site is not restricted merely because an Internet service provider or a site operator requires a fee or password as long as access is otherwise available to the general public. The traditional use of passwords is to confine the access of individual customers to specific, individual information. However, website operators, in particular, may require user identifications and passwords as a method of tracking access rather than restricting access to the information available through the website. Fees may be levied to obtain access to the Internet or to particular sites rather than restrict access to particular information. For example, Internet service providers may charge a fee for accessing the Internet. Other sites available to the general public, such as daily newspapers, also may charge a fee to access archived information. Therefore, the Agencies believe that the definition of ``widely distributed media'' should properly focus on whether the information is lawfully available to the general public, rather than on the type of medium from which information is obtained. The Agencies note that the concept of information being lawfully obtained was included in the proposal, and is retained in the final rule. Thus, information unlawfully obtained will not be deemed to be publicly available notwithstanding that it may be available to the general public through widely distributed media. To help understand how ``nonpublic personal information,'' ``personally identifiable financial information,'' and ``publicly available information'' will work under the final rule, the following example is offered. Assume that Mary provides her bank with various information in order to obtain a mortgage loan and to open a deposit account. Under the final rule, all of this information would be personally identifiable financial information. Once Mary establishes the customer relationships she seeks, the fact that Mary is a mortgage loan customer and a deposit accountholder at the bank also would be personally identifiable financial information. It may be that certain information provided by Mary, such as her name and address, is publicly available. If the bank has a reasonable basis to believe that this information is publicly available, and if the information was included on a list of the bank's mortgage loan customers that was derived using only publicly available information, then her name and address would fall outside the definition of ``nonpublic personal information'' in those jurisdictions where mortgages are a matter of public record. However, Mary's name and address would be protected as nonpublic personal information if the bank wanted to include those items on a list of its deposit accountholders. The difference in treatment stems from the distinction drawn in the statute between lists prepared using publicly available information (as would be the case in the mortgage loan hypothetical) and lists prepared using information that is not publicly available (as would be the case in the deposit account hypothetical). The Agencies recognize the complexity of this approach, but believe that it is mandated by the way the statute defines ``nonpublic personal information.'' It also is consistent with the fact that certain relationships are matters of public record, and, therefore, arguably deserving of less protection from disclosure. q. You Several Agencies used the pronoun ``you'' to refer to entities within their primary jurisdiction in the proposal and defined ``you'' to mean those entities. \7\ --------------------------------------------------------------------------- \7\ The OCC used the term ``bank'' instead of ``you'' in its regulation. --------------------------------------------------------------------------- The Agencies received very few comments in response to this definition. [[Page 35173]] While one commenter preferred the term ``bank'' to ``you,'' those Agencies using the term ``you'' believe that it makes the rule easier to read and have, therefore, adopted the definition substantially as proposed. The Board has revised its definition of ``you'' to clarify that insurance, broker dealer, investment adviser, and investment company subsidiaries of the financial institutions within its primary jurisdiction are not covered. Section __.4 Initial Privacy Notice to Consumers Required The GLB Act requires a financial institution to provide an initial notice of its privacy policies and practices in two circumstances. For customers, the notice must be provided at the time of establishing a customer relationship. For consumers who are not customers, the notice must be provided prior to disclosing nonpublic personal information about the consumer to a nonaffiliated third party. The proposed rule implemented these requirements by mandating that a financial institution provide the initial notice to an individual prior to the time a customer relationship is established and the opt out notice prior to disclosing nonpublic personal information to nonaffiliated third parties. These disclosures were required under the rule to be clear and conspicuous and to accurately reflect the institution's privacy policies and practices. The proposal also set out rules governing when a customer relationship is established and how a financial institution is to provide notice. The Agencies received many comments raising concerns about a large number of issues arising under proposed Sec. __.4. Most of the comments raised questions about the time by which initial notices must be provided, whether new notices are required for each new financial product or service obtained by a customer, the point at which a customer relationship is established, and how initial notices may be provided. Providing Initial Notices ``Prior To'' Time Customer Relationship Is Established Many commenters stated that, because the statute requires only that the initial notice be provided ``at the time of establishing a customer relationship,'' the regulation should not require that the notice be provided ``prior to'' the point at which a customer relationship is established. These commenters were concerned that the rule could be interpreted as requiring a financial institution to provide disclosures at a point different from when they must provide other federally mandated consumer disclosures during the process of establishing a customer relationship. In response to these comments, the Agencies have clarified the timing for providing initial notices. The final rule states that, as a general rule, the initial notice must be given not later than the time when a financial institution establishes a customer relationship. See Sec. __.4(a)(1). As stated in the preamble to the proposed rule, the initial notices may be provided at the same time a financial institution is required to give other notices, such as those required by the Board's regulations implementing the TILA. This approach, like the approach taken in the proposed rule, strikes a balance between (1) ensuring that consumers will receive privacy notices at a meaningful point along the continuum of ``establishing a customer relationship'' and (2) minimizing unnecessary burden on financial institutions that may otherwise result if the final rule were to require financial institutions to provide consumers with a series of notices at different times in a transaction. Providing Notices After Customer Relationship Is Established Several commenters stated that the rule should provide financial institutions with the flexibility to deliver the initial notice after the customer relationship is established under certain circumstances. These commenters posited several situations in which a customer relationship is established without face-to-face contact between the consumer and financial institution. The commenters stated that delivery of the initial notice before the customer relationship is established in these situations would be impractical, and a requirement along those lines would have a significant adverse effect on the ability to provide a financial product or service to a consumer as quickly as the consumer desires. The Agencies believe that it is appropriate for financial institutions to have flexibility in certain circumstances to provide the initial notice at a point after the customer relationship is established. To accommodate the wider range of situations presented by the commenters, the Agencies have modified the examples set out in the proposal of when a subsequent delivery of the initial notice is appropriate so that they now are more broadly applicable. As stated in the final rule in Sec. __.4(e), a financial institution may provide the initial notice within a reasonable time after establishing a customer relationship in two instances. First, notice may be provided after the fact if the establishment of the customer relationship is not at the customer's election. See Sec. __.4(e)(1)(i). This might occur, for instance, when a deposit account is sold. Second, a notice may be sent after establishing a customer relationship when to do otherwise would substantially delay the consumer's transaction and the consumer agrees to receive the notice at a later time. See Sec. __.4(e)(1)(ii). An example of this would be when a transaction is conducted over the telephone and the customer desires prompt delivery of the item purchased. Another example of when this might occur is when a bank establishes a customer relationship with an individual under a student loan program as described in the final rule where loan proceeds are disbursed promptly without prior communication between the bank and the customer. The Agencies note that in most situations, and particularly in situations involving the establishment of a customer relationship in person, a financial institution should give the initial notice at a point when the consumer still has a meaningful choice about whether to enter into the customer relationship. The exceptions listed in the examples, while not exhaustive, are intended to illustrate the less frequent situations when delivery either would pose a significant impediment to the conduct of a routine business practice or the consumer agrees to receive the notice later in order to obtain a financial product or service immediately. In circumstances when it is appropriate to deliver an initial notice after the customer relationship is established, a financial institution should deliver the notice within a reasonable time thereafter. Several commenters requested that the final rule specify precisely how many days a financial institution has in which to deliver the notice under these circumstances. However, the Agencies believe that a rule prescribing the maximum number of days would be inappropriate because (a) the circumstances of when an after-the-fact notice is appropriate are likely to vary significantly, and (b) a rule that attempts to accommodate every circumstance is likely to provide more time than is appropriate in many instances. Thus, rather than establish a rule that the Agencies believe may be viewed as applicable in all circumstances, the Agencies have elected to retain the more general rule as set out in the proposal in Sec. __.4(e)(1). [[Page 35174]] As the Agencies noted in the preamble to the proposed rule, nothing in the rule is intended to discourage a financial institution from providing an individual with a privacy notice at an earlier point in the relationship if the institution wishes to do so in order to make it easier for the individual to compare its privacy policies and practices with those of other institutions in advance of conducting transactions. New Notices Not Required for Each New Financial Product or Service Several commenters asked whether a new initial notice is required every time a consumer obtains a financial product or service from that financial institution. These commenters suggested that a consumer would not materially benefit from repeated disclosures of the same information, and that requiring additional initial notices to be provided to the same consumer would be burdensome on financial institutions. The Agencies agree that it would be burdensome with little corresponding benefit to the consumer to require a financial institution to provide the same consumer with additional copies of its initial notice every time the consumer obtains a financial product or service. Accordingly, the final rule states, in Sec. __.4(d), that a financial institution will satisfy the notice requirements when an existing customer obtains a new financial product or service if the institution's initial, revised, or annual notice (as appropriate) is accurate with respect to the new financial product or service. Joint Accountholders The majority of comments on how to provide notice suggested that the final rule state that a financial institution is not obligated to provide more than one notice to joint accountholders. Several of these commenters noted that disclosure obligations arising from joint accounts are well settled under other rules, such as the regulations implementing the Equal Credit Opportunity Act (Regulation B, 12 CFR part 202, ) and TILA. Commenters noted that under both Reg. B and Reg. Z, a financial institution is permitted to give only one notice. The authorities cited include requirements that the financial institution give disclosures, as appropriate, to the ``primary applicant'' if this is readily apparent (in the case of Reg. B; see 12 CFR 202.9(f)) or to a person ``primarily liable on the account'' (in the case of Reg. Z; see 12 CFR 226.5(b)). The Agencies agree that a financial institution should be allowed to provide initial notices in a manner consistent with other disclosure obligations. Accordingly, the final rule clarifies, in Sec. __.9(g), that only one notice is required to be sent in connection with a joint account. A financial institution may, in its discretion, provide notices to each party to the account. This situation might arise, for instance, when a financial institution does not want one opt out election to apply automatically to all joint accountholders (see discussion of how to provide opt out notices, below). Mergers A few commenters requested guidance on what notices are required in the event of a merger of two financial institutions or an acquisition of one financial institution by another. In such a situation, the need to provide new initial (and opt out) notices to the customers of the entity that ceases to exist will depend on whether the notices previously given to those customers accurately reflect the policies and practices of the surviving entity. If they do, the surviving entity will not be required under the rule to provide new notices. As was stated in the preamble to the proposed rule, a financial institution may not fail to maintain the protections that it represents in the notice that it will provide. The Agencies expect that financial institutions will take appropriate measures to adhere to their stated policies and practices. Section __.5 Annual Privacy Notice to Customers Required Section 503 of the GLB Act requires a financial institution to provide notices of its privacy policies and practices at least annually to its customers ``during the continuation'' of a customer relationship. The proposed rules implemented this requirement by requiring a clear and conspicuous notice that accurately reflects the privacy policies and practices then in effect to be provided at least once during any period of twelve consecutive months. The proposed rules noted that rules governing how to provide an initial notice also would apply to annual notices, and stated that a financial institution would not be required to provide annual notices to a customer with whom it no longer has a continuing relationship. Several commenters requested that the final rule permit annual notices to be given each calendar year, instead of every twelve months. A variation suggested by a few commenters was to state that notices must be provided during each calendar year, with no more than 15 months elapsing between mailings. To clarify the extent of financial institutions' flexibility, the final rule retains the general rule requiring annual notices but then provides an example, in Sec. __.5(a)(2)(ii), stating that a financial institution may select a calendar year as the 12-month period within which notices will be provided and provide the first annual notice at any point in the calendar year following the year in which the customer relationship was established. The final rule also requires that a financial institution apply the 12-month cycle to its consumers on a consistent basis. Several commenters suggested that a financial institution be permitted to make the annual notice available upon request only, particularly if there have been no material changes to the notice since it was last delivered. These commenters maintained that little value is added by providing customers with additional copies each year of the same information. Some suggested that financial institutions be permitted to provide a ``short-form'' annual notice, in which the institution informs its customers that there has been no change to its privacy policies and practices and that the customers may obtain a copy upon request. The Agencies have not amended the final rule to permit this approach, for two reasons. First, the Agencies view the statute as contemplating complete disclosures annually to all customers during the duration of the customer relationship. Section 503 of the GLB Act states that ``not less than annually during the continuation of [a customer] relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer [i.e., one with whom a customer relationship has been formed], * * * of such financial institution's policies and practices with respect to'' the information enumerated in the statute. The Agencies believe that this provision contemplates a full set of disclosures to each customer once a year. Second, the clarifications made in the final rule to the disclosure provisions make it clear that a financial institution is not required to provide a lengthy and detailed privacy notice to comply with the rule. Small institutions that do not share information with third parties beyond the statutory exceptions should be able to provide a short, streamlined notice. The rule also permits a financial institution to provide annual notices to customers over the institution's web site if the customer conducts transactions electronically and agrees to such disclosures (see additional discussion of this flexibility, below, in Sec. __.9). As a [[Page 35175]] result, the final rule achieves much of the burden reduction sought by those requesting a short-form annual notice option. Most of the remaining comments received in response to proposed Sec. __.5 addressed the rules governing when a customer relationship is terminated. Several focused on whether ``dormancy'' of a deposit account, which was presented as an example in the proposed rule of when a customer relationship is terminated, should be determined according to state law or a financial institution's internal policies. These commenters were unanimous in their view that ``dormancy'' should be determined according to an institution's own policies, without reliance on state laws that may produce conflicting results and unnecessary burden for institutions operating in more than one state. A few commenters suggested that the final rule use ``inactive'' instead of ``dormant'' in order to avoid unintended consequences of classifying an account as dormant. In light of these comments, the final rule retains in the examples of when a customer relationship will be terminated the situation where there is no activity in a deposit account according to a financial institution's policies. The Agencies also have used the term ``inactive'' rather than ``dormant'' in Sec. __.5(b)(2)(i) to avoid the unintended consequences posited by the comments. A few commenters stated that the example of no communication with a customer for twelve months should be amended to clarify that promotional materials would not be considered a communication about the relationship sufficient to extend the duration of the customer relationship. These commenters generally suggested that the rule be tied to communications initiated by the customer. The Agencies agree that a communication that merely informs a person about, or seeks to encourage use of, a financial institution's products or services is not the type of communication that signifies an ongoing relationship. The final rule has been amended in Sec. __.5(b)(2)(iv) to reflect that the distribution of promotional materials will not prolong a customer relationship under the rule. The Agencies disagree, however, that the test should focus on whether there has been any customer-initiated contact, because there will be instances in which the customer will not initiate a contact with a financial institution within the relevant time period but nonetheless has an ongoing relationship. Section __.6 Information To Be Included in Initial and Annual Privacy Notices Section 503 of the GLB Act identifies the items of information that must be included in a financial institution's initial and annual notices. Section 503(a) of the GLB Act sets out the general requirement that a financial institution must provide customers with a notice describing the institution's policies and practices with respect to, among other things, disclosing nonpublic personal information to affiliates and nonaffiliated third parties. Section 503(b) of the Act identifies certain elements that must be addressed in that notice. The proposed rule implemented section 503 by requiring a financial institution to provide information concerning: The categories of nonpublic personal information that a financial institution may collect; The categories of nonpublic personal information that a financial institution may disclose; The categories of affiliates and nonaffiliated third parties to whom a financial institution discloses nonpublic personal information, other than those to whom information is disclosed pursuant to an exception in section 502(e) of the GLB Act; The financial institution's policies with respect to sharing information about former customers; The categories of information that are disclosed pursuant to agreements with third party service providers and joint marketers and the categories of third parties providing the services; A consumer's right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties; Any disclosures regarding affiliate information sharing opt outs a financial institution is providing under the FCRA; and The bank's policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information. The Agencies received a large number of comments concerning these requirements, with the majority of comments making the points summarized below. Level of Detail Required Many commenters offered the general observation that the level of detail that would be required under the proposed rule would result in lengthy, complicated, and ultimately confusing disclosures. These comments have led the Agencies to conclude that additional clarification is required concerning the level of detail that the Agencies expect a financial institution's initial and annual disclosures to contain. The Agencies do not believe that the statute requires--nor do the Agencies intend to require--a financial institution to publish lengthy disclosures that identify with precision every type of information collected or disclosed, the name of every entity with whom the financial institution shares information, and a complete description of the technical specifications of how the institution protects its customers' records or the identity of each employee who has access to such records. Instead, the Agencies have concluded that the statute, by focusing on ``categories'' of information and recipients of information, is intended to require notices that provide consumers with a general description of the third parties to whom a financial institution discloses nonpublic personal information, the types of information it discloses, and the other information about the institution's privacy policies and practices listed above. The final rule, like the proposal, permits a financial institution to comply with these notice requirements by providing a description that is representative of its privacy policies and practices. The Agencies believe that in most cases the initial and annual disclosure requirements can be satisfied by disclosures contained in a tri-fold brochure. To address commenters' concerns about the likelihood that consumers will not read long, detailed disclosures, the Agencies have revised the examples of the disclosures set out in proposed Sec. __.6(c) to clarify the level of detail that the Agencies think is appropriate under the statute. Sample clauses have been provided in Appendix A to the rules, and guidance for certain institutions has been set out later in this preamble. Because the examples are not exclusive, the final rule permits a financial institution to use different categories than those provided in the examples, thereby providing additional flexibility for financial institutions in complying with the disclosure requirements. In addition, the language in Sec. __.6(a) that precedes the items of information to be addressed in the initial notice has been amended to clarify that a financial institution is required only to address those items that apply to the institution. Thus, for instance, if a financial institution does not disclose nonpublic personal information to third parties, it may simply omit any reference to the categories of affiliates and nonaffiliated third parties to whom the institution [[Page 35176]] discloses nonpublic personal information. As was noted in the preamble to the proposed rule, the required content is the same for both the initial and annual notices of privacy policies and practices. While the information contained in the notices must be accurate as of the time the notices are provided, a financial institution may prepare its notices based on current and anticipated policies and practices. Short-Form Initial Notice The Agencies have reconsidered the need to give consumers a copy of a financial institution's complete initial notice when there is no customer relationship. In these circumstances, the Agencies believe that the objectives of the statute can be accomplished in a less burdensome way than was proposed. Accordingly, the Agencies have exercised their exemptive authority as provided in section 504(b) to create an exception to the general rule that otherwise requires a financial institution to provide both the initial and opt out notices to a consumer before disclosing nonpublic personal information about that consumer to nonaffiliated third parties. This exception is set out in Sec. __.6(d) of the final rule, which states that a financial institution may provide a ``short-form'' initial privacy policy notice along with the opt out notice to a consumer with whom the institution does not have a customer relationship. The short-form notice must clearly and conspicuously state that the disclosure containing information about the institution's privacy policies and practices is available upon request and provide one or more reasonable means by which the consumer may obtain a copy of the notice. This approach reflects the Agencies' belief that a consumer who does not become a customer of a financial institution generally may have less interest in certain elements of the institution's privacy policies. Relative to other aspects of the transaction, the consumer may receive greater benefit from obtaining a concise, but meaningful, opt out notice that informs the consumer about the categories of his or her information the institution may disclose and the categories of nonaffiliated third parties that may receive the information. The rule also requires a financial institution to provide a consumer who is interested in the more complete privacy disclosures with a reasonable means to obtain them. Information About Affiliate Sharing Another point made by several commenters in response to proposed Sec. __.6 was that the rule should not include a requirement that categories of affiliates with whom a financial institution shares information be included in the initial and annual notices. These commenters pointed out that the statute specifically requires disclosures of categories of nonaffiliated third parties only, and that the only statutorily mandated disclosures concerning affiliate sharing are disclosures required, if any, concerning affiliate sharing pursuant to section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA) (15 U.S.C. 1681a(d)(2)(A)(iii)). \8\ These commenters concluded that the Agencies, by expanding the disclosure requirements in the manner prescribed in the proposed rule, would be exceeding their rulemaking authority and imposing unnecessary burden on financial institutions. --------------------------------------------------------------------------- \8\ Section 603(d)(2)(A)(iii) excludes from the definition of ``consumer report'' the communication of certain consumer information among affiliated entities if the consumer is notified about the disclosure of such information and given an opportunity to opt out of the disclosure of that information. The information that can be disclosed to affiliates under this provision includes, for instance, information from consumer reports and applications for financial products or services. In general, this information represents personal information provided directly by the consumer to the institution, such as income and assets, in addition to information contained within consumer reports. --------------------------------------------------------------------------- The Agencies believe that the language and legislative history of section 503 support requiring disclosures of affiliate sharing beyond what may be required by the FCRA. First, section 503(b) does not state that the items listed therein are to be the only items set out in a financial institution's initial and annual disclosures. Instead, it uses the nonrestrictive phrase ``shall include'' when discussing the contents of the disclosures, thereby preserving flexibility for the Agencies (which were expressly granted authority under section 503(a) to prescribe rules governing these notices) to require that additional items be addressed in the disclosures consistent with those specifically enumerated. Second, section 503(a) states that the financial institution shall provide in its initial and annual notices ``a clear and conspicuous disclosure * * * of such financial institution's policies and practices with respect to--(1) disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 502, including the categories of information that may be disclosed; * * *'' While the FCRA disclosures would be a subset of the disclosures required by section 503(a)(1), they may not be sufficient to fully satisfy that requirement. Third, the legislative history of the GLB Act suggests that Congress intended for the disclosures to provide more information about affiliate sharing than what may be required under the FCRA.\9\ That history underscores the Congressional intent of ensuring that individuals are given the opportunity to make informed decisions about the privacy policies and practices of financial institutions. The Agencies believe that limiting the disclosures about affiliate sharing just to those disclosures that may be required under the FCRA would frustrate that purpose. --------------------------------------------------------------------------- \9\ See, e.g., remarks of Sen. Gramm (noting that the privacy bill contains ``for the first time a full disclosure requirement. It requires every bank in America, when you open your account to tell you precisely what their policy is: Do they share personal financial information within the bank? Do they share it outside the bank?''), 145 Cong. Rec. S13786 (daily ed. Nov. 3, 1999); remarks of Sen. Hagel, id. at S13876 (``Financial institutions would be required to disclose their privacy policies to their customers on a timely basis. If customers do not believe adequate protections exist at their institution, they can take their business elsewhere.''). --------------------------------------------------------------------------- Disclosures of the FCRA Opt Out Right Another commonly advanced argument was that a financial institution should not be required to include FCRA disclosures in its annual notices. As previously discussed, section 503(b)(4) of the GLB Act requires a financial institution's initial and annual notice to include the disclosures required, if any, under section 603(d)(2)(A)(iii) of the FCRA. The proposed rules implemented section 503(b)(4) of the GLB Act by including the requirement that a financial institution's initial and annual notice include any disclosures a financial institution makes under section 603(d)(2)(A)(iii) of the FCRA. Several commenters pointed out that the FCRA requires disclosures of a consumer's right to opt out of affiliate sharing only once. They noted that the GLB Act states, in section 506(c), that nothing in the GLB Act is to be construed to modify, limit, or supersede the operation of the FCRA. These commenters maintain that the ``if any'' language of section 503(b)(4), read in the context of section 506, suggests that, since at most only one notice must be provided under the FCRA, section 503 should require only one FCRA disclosure under the privacy rule. The commenters concluded that, by requiring more notices than are required [[Page 35177]] under the FCRA, the Agencies would be violating this express preservation of the FCRA. As discussed above, the Agencies believe that a financial institution, in order to comply with the requirement that it disclose its policies and practices with respect to sharing information with affiliated and nonaffiliated third parties, must describe the circumstances under which it will be sharing information with affiliates. Clearly, the ability of consumers to opt out of affiliate information sharing under the FCRA affects a financial institution's policies and practices with respect to disclosing information to its affiliates. Failing to include this information and an explanation of how the opt out right may be exercised would, in the view of the Agencies, make the disclosures incomplete. Thus, a financial institution will need to include this information in its initial and annual notices. The Agencies note, moreover, that they disagree with the commenters' reading of sections 503 and 506. Section 503 does not distinguish between the disclosures to be provided in the initial notice from those to be provided in the annual notice. Thus, a plain reading of section 503 suggests that any disclosures that are required under the FCRA must be included in both the initial and annual notices. The Agencies interpret the ``if any'' language as a recognition that not all institutions provide FCRA notices because not all institutions engage in the type of affiliate sharing covered by the FCRA. By requiring the FCRA notice to appear as part of the annual notice under the privacy rule, the Agencies believe that they are not modifying, limiting, or superseding the operation of the FCRA; financial institutions will have exactly the same FCRA obligations following the effective date of the privacy rule as they had before. The only difference will be that, as is required by the GLB Act, a financial institution's initial and annual disclosures about its privacy policy and practices will need to reflect how the financial institution complies with the affiliate sharing provisions of the FCRA. Disclosures of the Right to Opt Out Other commenters suggested that the final rule eliminate the requirement that the initial and annual notices contain disclosures about a consumer's right to opt out. These commenters pointed out that the statute does not specifically require these disclosures. As previously discussed, section 503(a) of the statute requires a financial institution to disclose its policies and practices with respect to sharing information, both with affiliated and nonaffiliated third parties. Given that a financial institution's practices with respect to sharing nonpublic personal information with nonaffiliated third parties will be affected by the opt out rights created by the statute, an institution will need to describe these opt out rights in order to provide a complete disclosure that satisfies the statute. Other Comments The Agencies received many comments expressing support for a number of the provisions in proposed Sec. __.6. For instance, several commenters noted their agreement with the approach of permitting a financial institution to state generally that it makes disclosures to nonaffiliated third parties ``as permitted by law'' to describe disclosures made pursuant to one of the exceptions. Others agreed with the proposed flexibility to allow a disclosure to be based on current and contemplated information sharing. In light of these comments, the Agencies have adopted proposed Sec. __.6 with changes as discussed above. The final rule makes several other stylistic changes to the material in Sec. __.6 that are intended to make the rule easier to read. \10\ --------------------------------------------------------------------------- \10\ The Agencies expect to publish proposed standards in the near future relating to administrative, technical, and physical safeguards as required by section 501(b) of the GLB Act. --------------------------------------------------------------------------- Section __.7 Form of Opt Out Notice to Consumers; Opt Out Methods Paragraph (a) of proposed Sec. __.8 required that any opt out notice provided by a financial institution be clear and conspicuous and accurately explain the right to opt out. The proposed rule also required a financial institution to provide the consumer with a reasonable means by which to opt out, required a financial institution to honor an opt out election as soon as reasonably practicable, and stated that an opt out election survived until revoked by the consumer. The Agencies received a large number of comments in response to each of these provisions, addressing the application of these rules to joint accounts, the means by which an opt out right may be exercised, duration of an opt out, the level of detail required in the opt out notice, and the time by which an opt out election must be honored. These points are addressed below. Joint Accounts Most of the commenters on this issue stated that a financial institution should have the option of providing one notice per account, regardless of the number of persons on the account. The Agencies agree that this is appropriate, and have added a new Sec. __.7(d) to address this issue. Under the final rule, a financial institution has the option of providing only one initial, annual, and opt out notice per account. However, any of the accountholders must have the right to opt out. The final rule requires a financial institution to state in the opt out notice provided to a joint accountholder whether the institution will consider an opt out by a joint accountholder as an opt out by all of the associated accountholders or whether each accountholder is permitted to opt out separately. Means of Opting Out Another issue addressed by many commenters concerned the means by which consumers may opt out. Several suggested that a financial institution, after having provided reasonable means of opting out, should be able to require consumers to use those means exclusively. The Agencies agree with this suggestion, recognizing that a financial institution may not have trained personnel or systems in place to handle opt out elections at each point of contact between a consumer and financial institution. Assuming a financial institution offers one or more of the opt out means provided in the examples in the final rule or a means of opting out that is comparably convenient for a consumer, the institution may require consumers to opt out in accordance with those means and choose not to honor opt out elections communicated to the institution through alternative means. A new paragraph (iv) has been added to Sec. __.7(a)(2)(iv) to reflect this. The final rule adds an example of a toll-free telephone number in Sec. __.7(a)(2)(ii)(D) as another way by which financial institutions may allow consumers to opt out. As stated in Sec. __.7(a)(2)(iii)(A), a financial institution may not require a consumer to write his or her own letter in order to opt out. Duration of Opt Out Several commenters requested that the rule concerning duration of an opt out, as provided in Sec. __.8(e) of the proposal, be changed to require a more workable approach. These commenters noted that, under the proposal, a financial institution would be required to keep track of opt out elections forever. To illustrate their point, the commenters posited the example of a person who opts out during the course of establishing a customer relationship with a financial institution, terminates that relationship, and then establishes [[Page 35178]] another customer relationship several years later, perhaps under a different name or with someone on a joint account. The commenters suggested that it would be more appropriate in these circumstances to treat the opt out election made in connection with the first relationship as applying solely to that relationship. The Agencies agree with the commenters' suggestions. Thus, under the final rule, a financial institution is to treat an opt out election made by a customer in connection with a prior customer relationship as applying solely to the nonpublic personal information that the financial institution collected during, or related to, that relationship. That opt out will continue until the customer revokes it. However, if the customer relationship terminates and a new one is established at a later point, the financial institution must then provide a new opt out notice to the customer in connection with the new relationship and any prior opt out election does not apply to the new relationship. Level of Detail Required in Opt Out Notice A few commenters expressed concern about the level of detail they perceived the proposed rule to require in an opt out notice. These commenters interpreted the statement in proposed Sec. __.8(a)(2) that a financial institution ``provides adequate notice * * * if [the institution] identifies all of the categories of nonpublic personal information that [the institution] discloses or reserves the right to disclose to nonaffiliated third parties as described in [Sec. __.6]'' as requiring a more detailed disclosure of categories of nonpublic personal information and nonaffiliated third parties than is required in the initial and annual notices. The Agencies did not intend this result, and specifically referred to Sec. __.6 in the proposed opt out provision to address precisely the concern raised by these commenters. The disclosures in the initial and annual notices of the categories of nonpublic personal information being disclosed and the categories of nonaffiliated third parties to whom the information is disclosed will suffice for purposes of the opt out notices as well. If the opt out notice is a part of the same document that contains the disclosures that must be included in the initial notice, then the financial institution is not required to restate the same information in the opt out notice. In this instance, the rule requires only that the categories of nonpublic personal information the institution intends to share and the categories of nonaffiliated third parties with whom it will share are clearly disclosed to the consumer when the opt out and privacy notices are read together. One commenter suggested that, while a financial institution should have the option of providing an opt out notice that is sufficiently broad to cover anticipated disclosures, the financial institution also should be permitted to provide a customer who already has opted out with a new opt out notice in connection with a new financial product or service and, if the consumer does not opt out a second time, be free to disclose nonpublic personal information obtained in connection with that financial product or service to nonaffiliated third parties. The Agencies believe that a financial institution should be permitted the flexibility to provide opt out notices that are either narrowly tailored to specific types of nonpublic personal information and types of nonaffiliated third parties or that are more broadly worded to anticipate future disclosure plans. However, if a consumer opts out after receiving an opt out notice from a financial institution that is broad enough to cover the new type of information sharing desired by that institution, the failure of the consumer to opt out again does not revoke the earlier opt out election. Time by Which Opt Out Must Be Honored Under the proposal, a financial institution is directed to comply with an opt out election ``as soon as reasonably practicable.'' A large number of comments asked the Agencies to clarify in the final rule how long a financial institution has after receiving an opt out election to cease disclosing nonpublic personal information to nonaffiliated third parties. Suggestions for a more precise standard ranged from mandating that a financial institution stop disclosing information immediately to a mandatory cessation within several months of receiving the opt out. As was the case with other suggestions for bright-line standards in different contexts, the Agencies believe that it is appropriate to retain a more general rule in light of the wide range of practices throughout the financial institutions industry. A potential drawback of a more prescriptive rule is that an institution might use the standard as a safe harbor in all instances and thus fail to honor an opt out election as early as it is otherwise capable of doing. Another drawback is that a standard that is set in light of current industry practices and capabilities is likely to become outmoded quickly as advances in technology increase efficiency. The Agencies therefore decline to adopt a more rigid standard, and instead retain the rule as set out in Sec. __.7(e) of the final rule. For the reasons stated above, the Agencies adopt, in Sec. __.7, the rule governing the form of opt out notices and methods of opting out as discussed above. This section contains other stylistic changes to what was proposed in order to make the final rule easier to read. Section __.8 Revised Privacy Notices The proposed rule, in Sec. __.8(c), prohibited a financial institution, directly or through its affiliates, from disclosing nonpublic personal information about its consumers to nonaffiliated third parties unless the institution first provided a copy of its privacy notice and opt out notice. The proposal also required that these notices be accurate when given. Thus, if an institution wants to disclose nonpublic personal information in a way that is not accurately described in its notices, the institution would be required under the proposed rule to provide new notices before making the disclosure in question. The Agencies received no comments raising questions about these requirements. Accordingly, the final rule adopts them, but sets them out in a separate section (Sec. __.8) in the final rule for emphasis. The final rule sets out examples in Sec. __.8(b) of when a new notice would, and would not, be required. Section __.9 Delivering Privacy and Opt Out Notices The proposed rules governing delivery of initial, annual, and opt out notices were set out in proposed Secs. __.4(d), __.5(b), and __.8(b), respectively. Given the substantial similarities between the three sets of rules, the Agencies have decided to combine the rules in one section in order to make it easier for the reader. Accordingly, the final rule states these rules in Sec. __.9. The general rule requires that notices be provided in a manner so that each consumer can reasonably be expected to receive actual notice in writing, or, if the consumer agrees, electronically. The Agencies received a number of comments on the various provisions governing delivery, as discussed below. Posting Initial Notices on a Web Site A few commenters suggested that a financial institution be allowed to [[Page 35179]] deliver initial notices simply by posting its notice on the institution's web site. The Agencies recognize that there will be instances when a notice on a web site may be delivered in a way that will enable the financial institution to reasonably expect that the consumer will receive it. The final rule retains, as an example of one way to comply with the rule, the posting of a notice on a web site and requiring a consumer to acknowledge receipt of the notice as a step in the process of obtaining a financial product or service. See Sec. __.9(b)(1)(iii). However, the Agencies believe that the mere posting of a notice on a web site would not be sufficient in all cases for the financial institution to reasonably expect its consumers to receive the notice. Accordingly, the Agencies have declined to expand the rule beyond the circumstance described in the example provided. Posting Annual Notices on a Web Site Several commenters requested that a privacy notice posted by a financial institution on its web site be deemed to satisfy the annual notice requirement, at least for customers who agree to receive notices on the institution's web site. The Agencies believe that it is appropriate to provide annual notices in this way for customers who conduct transactions electronically and agree to accept notices on a web site. Accordingly, the Agencies have amended the rule by adding a new Sec. __.9(c)(1) to clarify that a financial institution may reasonably expect a customer who uses the institution's web site to access financial products or services will receive actual notice if the customer has agreed to accept notices at the institution's web site and the financial institution posts a current notice of its privacy policies and practices continuously and in a clear and conspicuous manner on the web site. The Agencies believe that this will reduce burden on financial institutions while ensuring that customers who transact business electronically will have continuous access to institutions' privacy policies and practices. Disclosures to Customers Requesting No Communication Several commenters suggested the Agencies clarify in the final rule how the disclosure obligations may be met in the case of a customer who requests that the institution refrain from sending information about the customer's relationship. These commenters stated that, in this case, the customer's request should be honored. The Agencies agree. When a customer provides explicit instructions for a financial institution not to communicate with that customer, the Agencies believe that the request should be honored. The final rule clarifies, in Sec. __.9(c), that financial institutions need not send notices to a customer who requests no communication, provided that a notice is available upon request. Reaccessing a Notice A few commenters stated that the requirement that a privacy policy be provided in a way that enables a customer to either retain or reaccess the notice should clarify that the rule obligates a financial institution to make available only the privacy policy currently in effect. These commenters were concerned about the potential for confusion and the burden stemming from a rule that would require a financial institution to make available every version of its privacy policies. The Agencies agree that it is appropriate to require only that the current privacy policy be made available to someone seeking to obtain it after having received the initial notice, and have amended the rule accordingly in Sec. __.9(e)(2)(iii). Joint Notices Other commenters requested that the rule clarify that the privacy policies and practices of several different affiliated financial institutions may be described on a single notice. Related to this point, commenters requested that the final rule address whether affiliated financial institutions, each of whom has a customer relationship with the same consumer, may elect to send only one notice to the consumer on behalf of all of the affiliates covered by the notice and have that one notice satisfy the disclosure obligations under Sec. __.4 of each affiliate. The Agencies believe that financial institutions should be able to combine initial disclosures in one document. The Agencies also believe that it is appropriate to permit financial institutions that prepare a combined initial, annual, or revised notice to give, on a collective basis, a consumer only one copy of the notice. The final rule reflects this flexibility, in Sec. __.9(f). The Agencies emphasize that the notice must be accurate for all financial institutions using the notice and must identify by name each of the institutions. Section __.10 Limits on Disclosure of Nonpublic Personal Information to Nonaffiliated Third Parties Section 502(a) of the GLB Act generally prohibits a financial institution, directly or through its affiliates, from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless the institution provides the consumer with a notice of the institution's privacy policies and practices. Section 502(b) further requires that the financial institution provide the consumer with a clear and conspicuous notice that the consumer's nonpublic personal information may be disclosed to nonaffiliated third parties, that the consumer be given an opportunity to opt out of that disclosure, and that the consumer be informed of how to opt out. Section __.7 of the proposed rules implemented these provisions by requiring a financial institution to give the consumer the initial notice required by Sec. __.4, the opt out notice required by Sec. __.8, and a reasonable opportunity to opt out. Most of the comments on this section focused on the question of what is a reasonable opportunity to opt out. Suggestions ranged from a financial institution having the right to begin sharing information immediately (when the opt out and initial notices are provided as part of a transaction being conducted electronically, such as might be the case in an ATM transaction) up to a mandatory delay of 120 days from the time the notices are provided. The Agencies believe that the wide variety of suggestions underscores the appropriateness of a more general test that avoids setting a mandatory waiting period applicable in all cases. For isolated transactions where a financial institution intends to disclose nonpublic personal information that it obtains through an electronic transaction and the consumer is provided a convenient means of opting out as part of the transaction, it would be reasonable not to force the financial institution to wait a set period of time before sharing the information. An example of this is provided at Sec. __.10(a)(3)(iii). For notices that are provided by mail, the Agencies believe it is appropriate to allow the consumer additional time. In these latter instances, the Agencies consider it reasonable to permit the consumer to opt out by mailing back a form, by calling a toll-free number, or by any other reasonable means within 30 days from the date the opt out notice was mailed. See Sec. __.10(a)(3)(i). The final rule also provides an example of a reasonable opportunity for opting out in connection with accounts opened on-line. See Sec. __.10(a)(3)(ii). However, rather than try to anticipate every scenario and establish a time frame that would accommodate each, the Agencies think it is appropriate simply to state that the consumer must be given a reasonable opportunity to opt out and then provide a few illustrative examples [[Page 35180]] of what would be reasonable in different contexts. Other comments pointed out that proposed Sec. __.7(a)(3)(i) (Sec. __.10(a)(3)(i) of the final rule) inappropriately implied that the opportunity to opt out by mail is available only when a consumer has a customer relationship with the financial institution. The final rule deletes the reference to a customer relationship in that section to avoid creating that implication. Section __.11 Limits on Redisclosure and Reuse of Information Section 502(c) of the GLB Act provides that a nonaffiliated third party that receives nonpublic personal information from a financial institution shall not, directly or indirectly through an affiliate, disclose the information to any person that is not affiliated with both the financial institution and the third party, unless the disclosure would be lawful if made directly by the financial institution. A financial institution may generally disclose nonpublic personal information to a nonaffiliated third party for any purpose subject to notice and opt out, for certain service and joint marketing arrangements under section 502(b), and in accordance with specific enumerated exceptions under section 502(e). The limits on redisclosure and reuse that were set out in the proposal reflected the Agencies' belief that implicit in the joint marketing and the enumerated exceptions is the idea that information may only be used for the purposes for which the third party received it.\11\ The proposed rule implemented section 502(c) by imposing limits on redisclosure that apply both to a financial institution that receives information from a nonaffiliated financial institution and to any nonaffiliated third party that receives nonpublic personal information from a financial institution. The proposed rule implemented the implicit limitations on use by imposing limits on the ability of financial institutions and nonaffiliated third parties to reuse nonpublic personal information they receive. The Agencies sought comment on whether the final rule should limit the ability of an entity that receives nonpublic personal information pursuant to an exception to use that information only for the purpose of that exception. The Agencies also sought comment on what the term ``lawful'' means in the context of section 502(c), and whether a recipient of nonpublic personal information could ``lawfully'' disclose information if the disclosure complied with a notice provided by the institution that made the disclosure initially. Finally, the Agencies invited comment on whether the rules should require a financial institution that discloses nonpublic personal information to a nonaffiliated third party to develop policies and procedures to ensure that the third party complies with the limits on redisclosure of that information. --------------------------------------------------------------------------- \11\ For example, as discussed further below, permitted use for an enumerated exception would not include use for marketing purposes. --------------------------------------------------------------------------- The Agencies received a large number of comments in response to this proposed section. A few maintained that the Agencies would exceed their rulemaking authority if the final rule were to retain the limits on reuse of information, given that section 502(c) expressly addresses only redisclosures and not reuse. Most comments concerning proposed Sec. __.12 stated that financial institutions should not have to monitor compliance with the redisclosure and reuse provisions of the rule, although these commenters said that financial institutions typically will contractually limit the recipient's ability to reuse information for purposes other than those for which the information was disclosed. These issues are addressed below. Limits on Reuse and Redisclosure The position advanced by those critical of imposing limits on reuse is premised on the conclusion that Congress, by addressing limits on redisclosures in section 502(c), provided the only limits that may be imposed on what a recipient of nonpublic personal information can do with that information. The Agencies disagree with this premise. Although section 502(c) does not expressly address reuse, reuse limitations are, as indicated, implicit in the provisions authorizing or permitting disclosures. For example, it would be inconsistent with the purposes of the Act to permit information disclosed in accordance with section 502(e)(1) (which permits disclosures as necessary to effect, administer, or enforce a transaction with a consumer or in connection with certain routine activities related to such a transaction) to be used for the third party recipient's marketing purposes. Moreover, permitting reuse without limits would undermine the protections afforded to a consumer who does not establish a customer relationship. Such a person is not put on notice that the disclosures under section 502(e) are even made because these disclosures do not entitle the consumer to any privacy or opt out notice. Thus, the limits on reuse are the only protection the individual has arising under the statute. Accordingly, the Agencies have concluded that it is appropriate to exercise their rulemaking authority under section 504(a)(1) (which authorizes the Agencies to write regulations necessary to carry out the purposes of Subtitle A of Title V) to impose limits on reuse when information is received under an exception in section 502(e) of the GLB Act. By contrast, when a consumer decides not to opt out after being given adequate notices and the opportunity to do so, that consumer has made a decision to permit the sharing of his or her nonpublic personal information with the categories of entities identified in the financial institution's notices. The consumer's primary protection in the case of a disclosure falling outside the section 502(e) exceptions comes from receiving the mandatory disclosures and the right to opt out. The statute provides only the additional protection in section 502(c), restricting a recipient's ability to redisclose information to entities that are not affiliated with either the recipient or the financial institution making the disclosure initially. Thus, if a consumer permits a financial institution to disclose nonpublic personal information to the categories of nonaffiliated third parties that are described in the institution's notices, recipients of that nonpublic personal information appear authorized under the statute to make disclosures that comply with those notices. To implement this statutory scheme, the Agencies have imposed the following limits on redisclosure and reuse, which will vary depending on whether the information was provided pursuant to one of the 502(e) exceptions or otherwise. Limits on redisclosure and reuse when information is received pursuant to section 502(e). For nonpublic personal information provided pursuant to section 502(e), a financial institution receiving the information may disclose the information to its affiliates or to affiliates of the financial institution from which the information was received. It may also disclose and use the information pursuant to an exception in Secs. __.14 or __.15 in the ordinary course of business to carry out the activity covered by the exception under which the institution received the information. The financial institution's affiliates may disclose and use the information, but only to the extent permissible for the financial institution. These same general rules apply to a non-financial institution third party that receives nonpublic personal information from a financial institution under [[Page 35181]] section 502(e). Thus, the third party receiving the information pursuant to one of the section 502(e) exceptions may disclose the information to its affiliates or to the affiliates of the financial institution that made the disclosure. The third party also may disclose and use the information pursuant to one of the section 502(e) exceptions as noted in the rule. The affiliates of the third party may disclose and use the information only to the extent permissible for the third party. Limits on redisclosure when information is not received pursuant to section 502(e). For nonpublic personal information provided outside one of the section 502(e) exceptions, the financial institution receiving the information may disclose the information to its affiliates or to the affiliates of the financial institution that made the initial disclosure. It may also disclose the information to any other person, if the disclosure would be lawful if made directly by the financial institution from which the information was received. This would enable the receiving institution to disclose pursuant to one of the section 502(e) exceptions. It also would permit the receiving institution to redisclose information in accordance with the opt out and privacy notices given by the institution making the initial disclosures, as limited by any opt out elections received by that institution. The affiliates of a financial institution that receives nonpublic personal information may disclose only to the extent that the financial institution may disclose the information. If a third party receives information from a financial institution outside one of the section 502(e) exceptions, the third party may disclose to its affiliates or to the affiliates of the financial institution. It may also disclose to any other person if the disclosure would be lawful if made by the financial institution. The third party's affiliates may disclose and use the information to the same extent permissible for the third party. In cases where an entity receives information outside of one of the section 502(e) exceptions, that entity will in essence ``step into the shoes'' of the financial institution that made the initial disclosures. Thus, if the financial institution made the initial disclosures after representing to its consumers that it had carefully screened the entities to whom it intended to disclose the information, the receiving entity must comply with those representations. Otherwise, the subsequent disclosure by the receiving entity would not be in accordance with the notices given to consumers and would not, therefore, be lawful. Even if such representations do not prevent the recipient from redisclosing the information, the recipient's ability to redisclose will be limited by whatever opt out instructions were given to the institution making the initial disclosures and by whatever new opt out instructions that are given after the initial disclosure. The receiving entity, therefore, must have procedures in place to continually monitor the status of who opts out and to what extent. Given these practical limitations on the ability of a recipient to disclose pursuant to another institution's privacy and opt out notices, redisclosure of information is most likely to arise under one of the section 502(e) exceptions (as implemented by Secs. __.14 and __.15 of the final rule). Monitoring Third Parties The Agencies have decided not to amend their respective rules to impose a specific duty on financial institutions to monitor third parties' use of nonpublic personal information provided by the institutions. This does not address whether obligations to do so may arise in other contexts. The Agencies note, for instance, that most of the commenters who requested that the Agencies not impose such a duty stated that they have contracts in place that limit what the recipient may do with the information. The Agencies also note that the limits on reuse as stated in the final rule provide a basis for an action to be brought against an entity that violates those limits. Section __.12 Limits on Sharing Account Number Information for Marketing Purposes Section 502(d) of the GLB Act prohibits a financial institution from disclosing, ``other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.'' Proposed Sec. __.13 applied this statutory prohibition to disclosures made directly or indirectly by a financial institution, and sought comment on whether one or more exceptions to the flat prohibition should be created. The Agencies received comments from people who suggested that various exceptions be created as well as from people who believe that a flat prohibition is necessary to protect consumers from unscrupulous practices. After considering the suggestions from all of the commenters addressing this issue, the Agencies have decided to amend proposed Sec. __.13 by (a) adding two exceptions that the Agencies believe are necessary for financial institutions to engage in legitimate, routine business practices and that are unlikely to pose a significant potential for abuse and (b) clarifying that the prohibition does not apply in two circumstances frequently mentioned in the comments. These exceptions and clarifications are discussed below. Disclosures to a Financial Institution's Agent or Service Provider Many financial institutions noted that they use agents or service providers to conduct marketing on the institution's behalf. This might occur, for instance, when an insured depository institution instructs a service provider that assists in the delivery of monthly statements to include a ``statement stuffer'' with the statement informing consumers about a financial product or service offered by the institution. The Agencies recognize the need to disclose account numbers in this instance, and believe that there is little risk to the consumer presented by such disclosure. Similarly, the Agencies recognize that a financial institution may use agents to market the institution's own financial products and services. Commenters advocating that the final rule exclude disclosures to agents stated that the agents effectively act as the financial institution in the marketing of the institution's financial products and services. These commenters suggested that there was no more reason to preclude sharing the account numbers with an agent hired to market the institution's financial products and services than there would be to preclude sharing between two departments of the same institution. The Agencies are concerned, however, about the possibility of transactions being consummated by a financial institution's agent who may be engaging in practices contrary to the institution's instructions. While the Agencies recognize that a financial institution frequently will use agents to assist it in marketing its products, the Agencies believe that a consumer's protections are potentially eroded by allowing agents to have access to a consumer's account. Accordingly, the Agencies have added an exception in Sec. __.12(b)(1) that would permit disclosures of account numbers by a financial institution to an agent for the purpose of marketing the financial institution's financial product or services, but have qualified that exception by requiring [[Page 35182]] that the agent have no authority to initiate charges to the account. Private Label Credit Cards and Affinity Programs Many commenters stated that the final rule should not prevent the disclosure of account numbers in the situation where a consumer chooses to participate in a private label credit card program or other affinity program. Under these programs, a consumer typically will be offered certain benefits, often by a retail merchant, in return for using a credit card that is issued by a particular financial institution. The commenters suggested that, in the example of an affinity program, the consumer understands the need for the merchant and financial institution to share the consumer's account number. The Agencies agree that this type of disclosure is appropriate and does not create a significant risk to the consumer. Accordingly, Sec. __.12(b)(2) has been added to the final rule to exclude the sharing of account numbers where the participants are identified to the consumer at the time the consumer enters into the program. Encrypted Numbers Many commenters urged the Agencies to exercise their exemptive authority to permit the transmission of account numbers in encrypted form. Several commenters noted that encrypted account numbers and other internal identifiers of an account are frequently used to ensure that a consumer's instructions are properly executed, and that the inability to continue using these internal identifiers would increase the likelihood of errors in processing a consumer's instructions. These commenters also point out that if internal identifiers may not be used, a consumer would need to provide an account number in order to ensure proper handling of a request, which would expose the consumer to a greater risk than would the use of an internal tracking system that preserves the confidentiality of a number that may be used to access the account. The Agencies believe an encrypted account number without the key is something different from the number itself and thus falls outside the prohibition in section 502(d). In essence, it operates as an identifier attached to an account for internal tracking purposes only. The statute, by contrast, focuses on numbers that provide access to an account. Without the key to decrypt an account number, an encrypted number does not permit someone to access an account. In light of the statutory focus on access numbers, and given the demonstrated need to be able to identify which account a financial institution should debit or credit in connection with a transaction, the Agencies have included a clarification in Sec. __.12(c)(1) of the final rule stating that an account number, or similar form of access number or access code, does not include a number or code in an encrypted number form, as long as the financial institution does not provide the recipient with the means to decrypt the number. The Agencies believe that consumers will be adequately protected by disclosures of encrypted account numbers that do not enable the recipient to access the consumer's account. Definition of ``Transaction Account'' Several commenters suggested that the final rule clarify that accounts to which no charge may be posted are not covered by the prohibition against disclosing account numbers. These commenters frequently cited mortgage loan accounts as typical of those that should fall outside the scope of the prohibition. The Agencies agree with the principle behind these suggestions. However, the Agencies note that there have been instances in which a borrower's monthly payments on a mortgage loan have been increased in connection with the marketing of a financial product or service without the borrower's knowledge or permission. Accordingly, the final rule clarifies, in Sec. __.12(c)(2), that a transaction account is an account other than a deposit account or a credit card account, and does not include an account to which third parties cannot initiate charges. If it would be possible, for instance, for a third party marketer to initiate a charge to a mortgage loan account, then the final rule would prohibit the disclosure of that account number to the marketer. Section __.13 Exception to Opt Out Requirements for Service Providers and Joint Marketing Section 502(b) of the GLB Act creates an exception to the opt out rules for the disclosure of information to a nonaffiliated third party for use by the third party to perform services for, or functions on behalf of, the financial institution, including the marketing of the financial institution's own products or services or financial products or services offered pursuant to a joint agreement between two or more financial institutions. A consumer will not have the right to opt out of disclosing nonpublic personal information about the consumer to nonaffiliated third parties under these circumstances, if the financial institution ``fully discloses'' to the consumer that it will provide this information to the nonaffiliated third party before the information is shared and enters into a contract with the third party that requires the third party to maintain the confidentiality of the information. As noted in the proposed rule, this contract should be designed to ensure that the third party (a) will maintain the confidentiality of the information at least to the same extent as is required for the financial institution that discloses it, and (b) will use the information solely for the purposes for which the information is disclosed or as otherwise permitted by Secs. __.10 and __.11 of the proposed rules. The majority of the comments on this exception expressed concern that routine servicing agreements between a financial institution and, for instance, a loan servicer would be subject to the requirements of proposed Sec. __.9 (Sec. __.13 in the final rule). These commenters consistently pointed out that section 502(e) of the GLB Act contains several exceptions for the sharing of information by a financial institution that is necessary to permit a third party to perform services for a financial institution. The commenters requested clarification that disclosures made pursuant to one of the section 502(e) exceptions are not subject to the requirements imposed on disclosures made pursuant to section 502(b)(2) of the GLB Act. The Agencies agree that when a disclosure may be made under section 502(e), the statute permits that disclosure without the financial institution first complying with the requirements imposed by section 502(b)(2). A related issue is whether a financial institution must satisfy the disclosure obligations of section 502(b)(2) and have a confidentiality agreement in the case of a service provider that is performing an activity governed by section 502(b)(2) (i.e., those that are not covered by one of the section 502(e) exceptions). Several commenters maintained that it is illogical to impose a set of requirements on disclosures to the section 502(b)(2) service providers when no such requirements are imposed on the section 502(e) service providers. The Agencies believe, however, that a plain reading of section 502(b)(2) leads to that result.\12\ The Agencies read the phrase [[Page 35183]] ``if the financial institution fully discloses * * *'' as used in section 502(b)(2) as modifying the phrase ``This subsection shall not prevent a financial institution from providing nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution, * * *'' The Agencies thus have concluded that any disclosure to a service provider not covered by section 502(e) must satisfy the disclosure and written contract requirements of section 502(b)(2). --------------------------------------------------------------------------- \12\ The statute states, in relevant part, that section 502(b) ``* * shall not prevent a financial institution from providing nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution, including the marketing of the financial institution's own products or services, or financial products or services offered pursuant to joint agreements between two or more financial institutions that comply with the requirements imposed by the regulations prescribed under section 504, if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information.'' --------------------------------------------------------------------------- Several other commenters addressed the question of whether the rule should include safeguards beyond those provided by the statute to protect a financial institution from the risks that can arise from agreements with third parties. Most suggested that safety and soundness concerns were more appropriately addressed in a forum other than a rule designed to protect consumers' financial privacy. Others opined that financial institutions did not need the rule to mandate certain protections on their behalf. The Agencies have concluded that the protections set out in the statute, as implemented by Sec. __.13(a)(1), are adequate for purposes of the privacy rule. Those protections require a financial institution to provide the initial notice required by Sec. __.4 of the final rule as well as enter into a contractual agreement with a third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the bank disclosed the information, including use under an exception in Secs. __.14 or __.15 in the ordinary course of business to carry out those purposes. These limitations will preclude recipients from sharing a consumer's nonpublic personal information pursuant to a chain of third party joint marketing agreements. Several commenters asked whether a financial institution would have to modify existing contracts with third parties to comply with the rule. The Agencies believe that a balance must be struck that minimizes interference with existing contracts while preventing evasions of the regulation. To achieve these goals, the final rule states, in Sec. __.18(c), that contracts entered into on or before July 1, 2000 must be brought into compliance with the provisions of Sec. __.13 by July 1, 2002. For the reasons expressed above, the Agencies have adopted, in Sec. __.13 of the final rule, the provisions that were set out in Sec. __.9 of the proposal with the changes noted above. The Agencies note that financial institutions should remain vigilant in their efforts to ensure that agreements they enter into with third parties do not expose the institutions to undue risks. These risks are particularly prevalent in arrangements whereby a financial institution endorses or sponsors a financial product or service offered by the third party. Section __.14 Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions As previously discussed, section 502(e) of the GLB Act creates exceptions to the requirements that apply to the disclosure of nonpublic personal information to nonaffiliated third parties. Paragraph (1) of that section sets out certain exceptions for disclosures made, generally speaking, in connection with the administration, processing, servicing, and sale of a consumer's account. Proposed Sec. __.10 implemented those exceptions by restating them with only stylistic changes that were intended to make the exceptions easier to read. The preamble to that proposed section noted that the exceptions set out in proposed Sec. __.10 (as well as the exceptions set out in Sec. __.11 of the proposal) do not affect a financial institution's obligation to provide initial notices of its privacy policies and practices prior to the time it establishes a customer relationship and annual notices thereafter. The Agencies received several comments from institutions pointing out that, by deleting the statutory phrase ``in connection with'' from the exceptions for information shared (a) to service or process a financial product or service requested by the consumer or (b) to maintain or service a customer account, the Agencies narrowed the application of the exception. The Agencies did not intend this result, and have changed the final rule accordingly. See Sec. __.14(a). Several other commenters requested that the final rule specifically state that certain services, such as those provided by attorneys, appraisers, and debt collectors (as appropriate), are ``necessary'' to effect, administer, or enforce a transaction, as that term is used in paragraph (a) and defined in paragraph (b) of proposed Sec. __.10. Others cited examples of entities seeking to verify funds availability or obtain loan payoff information as instances where a disclosure would fall within the exceptions described in proposed Sec. __.10. The Agencies believe that disclosures to these types of professionals and under the circumstances posited by the commenters may be necessary to effect, administer, or enforce a transaction in a given situation. However, the Agencies have not listed specific types of disclosures in the regulation as necessarily falling within the scope of the exception because they are concerned that a general statement could be applied inappropriately to shelter disclosures that, in fact, are not necessary to effect, administer, or enforce a transaction. Other commenters suggested that the final rule clarify, in situations where a financial institution uses an agent to provide services to a consumer, that the consumer need not have directly requested or authorized the service provider to provide the financial product or service but may request it from the principal instead. The Agencies agree that the communication may be between the consumer and the service provider, and note that the rule governing agents as set out in the definition of ``consumer,'' above, provides the flexibility sought by the commenters. Briefly stated, an individual will not be a consumer of an entity that is acting as agent for another financial institution in connection with that financial institution's providing a financial product or service to the consumer. Section __.15 Other Exceptions to Notice and Opt Out Requirements As noted above, section 502(e) contains several exceptions to the requirements that otherwise would apply to the disclosures of nonpublic personal information to nonaffiliated third parties. Proposed Sec. __.11 set out those exceptions for disclosures that are not made in connection with the administration, processing, servicing, and sale of a consumer's account, and made stylistic changes to the statutory language intended to clarify the exceptions. The proposal also provided an example of the consent exception in the context of a financial institution that has received an application from a consumer for a mortgage loan informing a nonaffiliated insurance company that the consumer has applied for a loan. The Agencies invited comment on whether safeguards should be added to the exception for consent in order to minimize the potential for consumer confusion. Several commenters responded to the request for comment on whether the consent exception should include [[Page 35184]] safeguards, such as a requirement that the consent be written, be indicated by a signature on a separate line, or automatically terminate after a certain period of time. Of these, some favored the additional safeguards discussed in the proposal, while others maintained that safeguards are unnecessary. Several suggested that the consent exception include a provision noting that participation in a program where a consumer receives ``bundled'' products and services (such as would be the case, for instance, in an affinity program) necessarily implies consent to the disclosure of information between the entities that provide the bundled products or services. Others suggested that certain terms and conditions be imposed on any consent agreement, such as a time by which the financial institution must stop disclosing nonpublic personal information once a consent is revoked. The Agencies have declined to elaborate on the requirements for obtaining consent or the consumer safeguards that should be in place when a consumer consents. The Agencies believe that the resolution of this issue is appropriately left to the particular circumstances of a given transaction. The Agencies note that any financial institution that obtains the consent of a consumer to disclose nonpublic personal information should take steps to ensure that the limits of the consent are well understood by both the financial institution and the consumer. If misunderstandings arise, consumers may have means of redress, such as in situations when a financial institution obtains consent through a deceptive or fraudulent practice. Moreover, a consumer may always revoke his or her consent. In light of the safeguards already in place, the Agencies have decided not to add safeguards to the consent exception. Many commenters offered specific suggestions for additional exceptions or amendments to the proposed exceptions. In many cases, the suggestions are accommodated elsewhere in the regulation (such as is the case, for instance, for exceptions to permit (a) verification of available funds or (b) disclosures to or by appraisers, flood insurers, attorneys, insurance agents, or mortgage brokers to effect a transaction). In other cases, the suggestions are inconsistent with the statute (as is the case, for instance, with one commenter's suggestion that the Agencies completely exempt a financial institution from all of the statute's requirements if the institution makes no disclosures other than what is permitted by section 502(e)). While the Agencies recognize the merits of many of the remaining suggestions, they believe that the volume and complexity of these suggestions exceed what is appropriate in a regulation. Accordingly, the Agencies have retained, in Sec. __.15, the statement of the exceptions as proposed and invite interested parties to pursue with the Agencies clarifications as necessary in their particular circumstance. Section __.16 Protection of Fair Credit Reporting Act Section 506 of the GLB Act makes several amendments to the FCRA to vest rulemaking authority in various agencies and to restore the Agencies' regular examination authority. Paragraph (c) of section 506 states that, except for the amendments noted regarding rulemaking authority, nothing in Title V of the GLB Act is to be construed to modify, limit, or supersede the operation of the FCRA, and no inference is to be drawn on the basis of the provisions of Title V whether information is transaction or experience information under section 603 of the FCRA. Proposed Sec. __.14 implemented section 506(c) of the GLB Act by restating the statute, making only minor stylistic changes intended to make the rule clearer. Comments about this provision focused on whether the Agencies, by requiring annual notice of a consumer's right to opt out under the FCRA, were modifying, limiting, or superseding the operation of the FCRA. For the reasons explained in the discussion of Sec. __.6, above, the Agencies do not believe that the annual disclosure mandated by the GLB Act affects in any way the obligations imposed by the FCRA. The Agencies received no other comment on this section, and, therefore, adopt the text set out in Sec. __.14 of the proposal. See Sec. __.16. Section __.17 Relation to State Laws Section 507 of the GLB Act states, in essence, that Title V does not preempt any State law that provides greater protections than are provided by Title V. Determinations of whether a State law or Title V provides greater protections are to be made by the Federal Trade Commission (FTC) after consultation with the agency that regulates either the party filing a complaint or the financial institution about whom the complaint was filed, and may be initiated by any interested party or on the FTC's own motion. Proposed Sec. __.15 essentially restated section 507, noting that the proposed rules (as opposed to the statute) do not preempt State laws that provide greater protection for consumers than do the rules. Comments on this section ranged from those who suggested that federal law should preempt state law in every case where there is a conflict to those who encouraged the Agencies to support the rights of states to enact greater protections. Some requested clarification of whether a particular state law would be considered more restrictive, while others suggested that the Agencies establish in the final rule a choice of law principle for financial institutions operating in more than one state. The Agencies believe that these and other suggestions made by the commenters exceed the scope of this rulemaking and are better addressed, to the extent the Agencies have authority to address them, in other forums. Accordingly, the Agencies have adopted the text set out in proposed Sec. __.15. See Sec. __.17 of the final rule. Section __.18 Effective Date; Transition Rule Section 510 of the GLB Act states that, as a general rule, the relevant provisions of Title V take effect 6 months after the date on which rules are required to be prescribed, i.e., November 12, 2000. However, section 510(1) authorizes the Agencies to prescribe a later date in the rules enacted pursuant to section 504. The proposed rule sought comment on the effective date prescribed by the statute. It also would have required that financial institutions provide initial notices, within 30 days of the effective date of the final rule, to people who were customers as of the effective date. The preamble to the proposed rule noted that a financial institution would have to provide opt out notices before the rule's effective date if the institution wanted to continue sharing nonpublic personal information with nonaffiliated third parties without interruption. The overwhelming majority of commenters addressing this provision requested additional time to comply with the final rule. Commenters stated that six months would not be sufficient to take the steps needed to comply with the regulation, including preparing new disclosure forms, developing software needed to track opt outs, training employees, creating management oversight systems, and undergoing internal examination and auditing to ensure compliance. Several commenters suggested that it would be less effective and potentially more confusing for consumers to receive several notices all around the end of the year 2000 than it would be for the notices to be delivered during a rolling phase-in. Others noted that the proposed effective date would [[Page 35185]] place a severe strain on financial institutions at a time when other year-end notices need to be prepared and delivered. Several commenters noted that financial institutions have not budgeted for the expenses in the current year that likely will be incurred. They also noted that the disclosures regarding the standards to be followed to protect customers' records have not been proposed for comment, thereby making it impossible for financial institutions to know how to prepare at least that part of the initial privacy notices. Requests for extensions of the effective date typically ranged from 12 months to 24 months from the date the final rules are published. Many commenters also stated that a 30-day phase-in for initial notices to existing customers is not feasible, given the large number of notices, the short period of time allowed, and the competing demands on financial institutions at the time when the initial notices must be sent. A few suggested that the rule require initial notices to be sent only to people who establish customer relationships after the effective date of the rule, and allow a financial institution to send annual notices to existing customers at some point during the next 12 months and annually thereafter. The Agencies agree that six months may be insufficient in certain instances for a financial institution to have ensured that its forms, systems, and procedures comply with the rule. In order to accommodate situations requiring additional time, the Agencies have retained the effective date of November 13, but, consistent with their authority under section 510(1) of the GLB Act to extend the effective date, the Agencies will give financial institutions until July 1, 2001 to be in full compliance with the regulation. Financial institutions are expected, however, to begin compliance efforts promptly, to use the period prior to June 30, 2001, to implement and test their systems, and to be in full compliance by July 1, 2001. Given that this provides financial institutions with slightly over 13 months in which to comply with the rule, the Agencies have determined that there no longer is any need for a separate phase-in for providing initial notices. Thus, a financial institution will need to deliver all required opt out notices and initial notices before July 1, 2001. Financial institutions are encouraged to provide disclosures as soon as practicable. Institutions that do not disclose nonpublic personal information to third parties have fewer burdens under the regulation (both in terms of the notice requirements and opt out mechanism) and should therefore be able to provide privacy notices to their consumers more expeditiously. Depending on the readiness of an institution to process opt out elections, institutions might wish to consider including the privacy and opt out notices in the same mailing as is used to provide tax information to consumers in the first quarter of 2001 to increase the likelihood that a consumer will not mistake the notices for an unwanted solicitation. The Agencies believe that this extension represents a fair balance between those seeking prompt implementation of the protections afforded by the statute and those concerned about the reliability of the systems that are put in place. The Agencies have concluded that the extension of the date by which financial institutions must be in full compliance provides much of the relief sought by those who suggested that initial notices should not be required for existing customers. By allowing financial institutions to deliver notices over a significantly longer period of time than was proposed, the concentrated burden that would have been imposed by the proposed rule is avoided. Accordingly, the Agencies have decided not to adopt the suggestion that initial notices be required only for new customers after the effective date of the rule. Initial notices need not be given to customers whose relationships have terminated prior to the date by which institutions must be in compliance with the rule. Thus, if an account is inactive according to a financial institution's policies before July 1, 2001, then no initial notice would be required in connection with that account. However, because these former customers would remain consumers, a financial institution would have to provide a privacy and opt out notice to them if the financial institution intended to disclose their nonpublic personal information to nonaffiliated third parties beyond the exceptions in Secs. __.14 and __.15. The Agencies note that full compliance with the rule's restrictions on disclosures is required on July 1, 2001. To be in full compliance, institutions must have provided their existing customers with a privacy notice, an opt out notice, and a reasonable amount of time to opt out prior to that date. If these have not been provided, the disclosure restrictions will apply. This means that an institution would have to cease sharing customers' nonpublic personal information with nonaffiliated third parties on that date, unless it may share the information pursuant to an exception under Secs. __.14 or __.15. Financial institutions that both provide the required notices and allow a reasonable period of time to opt out before July 1, 2001, may continue to share nonpublic personal information after that date for customers who do not opt out. Appendix A--Sample Clauses In order to provide additional guidance to financial institutions concerning the level of detail the Agencies believe is appropriate under the statute, the Agencies have prepared a variety of sample clauses for financial institutions to consider. The Agencies urge financial institutions to carefully review whether these clauses accurately reflect a given institution's policies and practices before using the clauses. Financial institutions are free to use different language and to include additional detail as they think is appropriate in their notices. Derivation Chart Below is a chart showing the derivation of the sections in the final privacy rule from the proposal. Only changes are noted. ---------------------------------------------------------------------------------------------------------------- Proposal Content of provision Final rule ---------------------------------------------------------------------------------------------------------------- 4(d).............................................. How to provide initial notice 9(a) N/A............................................... New product for existing 4(d) customer. 4(d)(3)........................................... Oral delivery................ 9(d) 4(d)(4)........................................... Retainable notice............ 9(e) N/A............................................... Joint relationships (privacy 9(g) notice). 5(b).............................................. How to provide annual notice. 9(a) 5(b).............................................. Actual notice of annual 9(c) notice. 5(c).............................................. Terminated customer 5(b) relationships. N/A............................................... Delivering short-form initial 6(d) notices. 7................................................. Main operative provision..... 10 [[Page 35186]] 8(a).............................................. Opt out methods and opt out 7(a) notice content. 8(b)(1)........................................... How to deliver opt out 9(a) notices. 8(b)(2)........................................... Oral delivery................ 9(d) 8(b)(3)........................................... Same form as initial notice.. 7(b) 8(b)(4)........................................... Initial notice must accompany 7(c) opt out notice. N/A............................................... Joint relationships (opt out 7(d) notice). 8(d).............................................. Time to comply with opt out; 7(e) & (f) continuing right to opt out. 8(e).............................................. Duration of opt out.......... 7(g) 8(c)(1)........................................... Revised notices.............. 8(a) 8(c)(2)........................................... How to deliver revised notice 8(c) 8(c)(3)........................................... Examples of when revised 8(b) notice is required. 9................................................. Exception for service 13 providers and joint marketers. 10................................................ Exceptions for processing and 14 servicing transactions. 11................................................ Other exceptions............. 15 12................................................ Redisclosure and reuse....... 11 13................................................ Sharing account number 12 information. 14................................................ FCRA......................... 16 15................................................ State law.................... 17 16................................................ Effective date............... 18 ---------------------------------------------------------------------------------------------------------------- IV. Guidance for Certain Institutions To minimize the burden and costs to a financial institution (``you'') and generally clarify the operation of the final rule, the Agencies have included this guidance that you may use in conjunction with the sample clauses in Appendix A. This guidance specifically applies to you if you: (1) Do not have any affiliates; (2) Only disclose nonpublic personal information to nonaffiliated third parties in accordance with an exception under Secs. __.14 or __.15, such as in connection with servicing or processing a financial product or service that a consumer requests or authorizes; and (3) Do not reserve the right to disclose nonpublic personal information to nonaffiliated third parties, except under Secs. __.14 and __.15.\13\ --------------------------------------------------------------------------- \13\ If you disclose or reserve the right to disclose nonpublic personal information to a nonaffiliated third party under other circumstances, you must comply with other provisions in the rule, notably Secs. __.7, __.8, and __.13, if applicable. If you disclose or reserve the right to disclose nonpublic personal information to an affiliate you must comply with other provisions in the rule, notably Sec. __.6(a)(7), as applicable. --------------------------------------------------------------------------- In addition, if you disclose nonpublic personal information in accordance with the exception in Sec. __.13, for service providers and joint marketers, you also must include an accurate description of that information, as illustrated by the sample clause in section (K) below. In general, if you disclose nonpublic personal information to nonaffiliated third parties only as authorized under an exception, then your only responsibilities under the regulation are to provide initial and annual notices to each of your customers. You do not need to provide an opt out notice or opt out rights to your customers. A. Initial Notice to Customers You must provide an initial notice to each of your customers. A customer is a natural person who has a continuing relationship with you, as described in Sec. __.4(c). For instance, an individual who opens a credit card or checking account with you is your customer. By contrast, an individual who uses your ATM to withdraw funds from a checking account at another financial institution is not your customer. Even if an individual repeatedly uses your ATM that individual is not your customer. In other words, you must provide initial and annual notices to each of your customers, but not to others. B. Time to Provide Initial Notice You must provide an initial privacy notice to each of your customers not later than when you establish a customer relationship (Sec. __.4(a)(1)). For instance, you must provide a privacy notice to an individual not later than when that individual executes the contract to open a checking account. Thus, you can provide the notice to a checking account customer together with the account agreement and signature card. Similarly, in the case of a loan, you must provide a privacy notice to an individual not later than when that individual executes the loan contract. For example, you can provide the notice to an individual together with the documents (or other forms) that constitute the loan contract. You may always deliver your privacy notices earlier than required. If one of your existing customers obtains a new financial product or service from you, then you need not provide another initial notice to that customer (Sec. __.4(d)) if that earlier notice covered the subsequent product. For instance, if Alison Individual walks into Bank for the first time on July 2, 2001, to open a checking account, then Bank complies with Sec. __.4(a)(1) of the rule if it provides an initial notice to Alison together with the deposit contract. When Alison opens her checking account, she becomes a customer of Bank. Alison maintains her checking account and, six months later, returns to Bank to obtain a loan. If the initial notice that Bank provided to Alison was accurate with respect to that loan, then Bank need not provide another initial notice to her when she obtains the loan because it has provided a notice to Alison that covered the loan when she opened her checking account. C. Method of Providing the Initial Notice You must provide your initial notice so that each customer can reasonably be expected to receive actual notice of it, in writing (Sec. __.9(a)). For example, you may provide the initial notice by mailing a printed copy of it together with a loan contract. Similarly, you may provide the initial notice by hand-delivering a printed copy of it to the customer together with a deposit account agreement. D. Compliance With Initial Notice Requirement for Existing Customers by Effective Date You must provide an initial notice to each of your current customers not later than July 1, 2001 (Sec. __.18(b)). You may do so by mailing a printed copy of the notice to the customer's last known address. E. Annual Notice During the continuation of the customer relationship, you must provide an annual notice to the customer, as described in Sec. __.5(a). You [[Page 35187]] must provide an annual notice to each customer at least once in any period of 12 consecutive months during which the customer relationship exists. You may define the 12-consecutive-month period, but must consistently apply that period to the customer. You may define the 12- consecutive-month period as a calendar year and provide the annual notice to the customer once in each calendar year following the calendar year in which you provided the initial notice. For example, assume that Bank defines the 12-consecutive-month period as a calendar year and provides annual notices to all of its customers on October 1 of each year. If Alison Individual opens a checking account with a Bank on July 2, 2001, thereby becoming a customer, then Bank must provide an initial notice to Alison together with the deposit agreement or earlier. Bank must provide an annual notice to Alison by December 31, 2002. If Bank provides an annual notice to Alison on October 1, 2002, as it does for other customers, then it must provide the next annual notice to Alison not later than October 1, 2003. F. Method of Providing the Annual Notice Like the initial notice, you must provide the annual notice so that each customer can reasonably be expected to receive actual notice of it, in writing (Sec. __.9(a)). You may do so by mailing a printed copy of the notice to the customer's last known address. G. Joint Accounts If two or more customers jointly obtain a financial product or service, then you may provide one initial notice to those customers jointly. Similarly, you may provide one annual notice to those customers jointly (Sec. __.9(g)). H. Information Described in the Initial and Annual Notices The initial and annual notices must include an accurate description of the following four items of information: 1. The categories of nonpublic personal information that you collect (Sec. __.6(a)(1)); 2. The fact that you do not disclose nonpublic personal information about your current and former customers to affiliates or nonaffiliated third parties, except as authorized by Secs. __.14 and __.15 (Sec. __.6(a)(2)-(4)). When describing the categories with respect to those parties, you are required to state only that you make disclosures to other nonaffiliated third parties as permitted by law (Sec. __.6(c)); 3. Your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information (Sec. __.6(a)(8)). For each of these items of information above, you may use a sample clause from Appendix A. The Agencies emphasize that you may use a sample clause only if that clause accurately describes your actual policies and practices. I. Example of Notice A financial institution (``Bank'') that (i) does not have any affiliates and (ii) only discloses nonpublic personal information to nonaffiliated third parties as authorized under Secs. __.14 and __.15, may comply with the requirements of Sec. __.6 of the rule by using the following notice, if applicable. Bank collects nonpublic personal information about you from the following sources: Information we receive from you on applications or other forms; Information about your transactions with us or others; and Information we receive from a consumer reporting agency.\14\ --------------------------------------------------------------------------- \14\ You need to describe only those general categories that apply to your policies and practices. Accordingly, if you do not collect information from ``a consumer reporting agency,'' for instance, then you need not describe that category in your notices. --------------------------------------------------------------------------- We do not disclose any nonpublic personal information about you to anyone, except as permitted by law. If you decide to close your account(s) or become an inactive customer, we will adhere to the privacy policies and practices as described in this notice. Bank restricts access to your personal and account information to those employees who need to know that information to provide products or services to you. Bank maintains physical, electronic, and procedural safeguards that comply with federal standards to guard your nonpublic personal information. J. Initial and Annual Notices Must Be Clear and Conspicuous The Agencies emphasize that you must ensure that both the initial and annual notices are clear and conspicuous, as defined in Sec. __.3(b). K. Example of Notice for Disclosure to Service Providers and Joint Marketers If you disclose nonpublic personal information in accordance with the exception in Sec. __.13, for service providers and joint marketers, you also must include an accurate description of that information. You may comply with the requirements of __.13 of the rule by including the following sample clause, if applicable, in the example of notice described in section (I) above: We may disclose all of the information we collect, as described [describe location in the notice, such as ``above'' or ``below''] to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements. V. Regulatory Analysis A. Paperwork Reduction Act The Agencies may not conduct or sponsor, and an organization is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The OMB control numbers are listed below. OCC: 1557-0216. Board: 7100-0294. FDIC: 3064-0136. OTS: 1550-0103. The Agencies sought comment on the burden estimates for the information collections listed below. Many commenters suggested, in response to specific proposed sections, that the rule would impose significant burden on them. Most of those suggestions concerned requirements that are imposed by the statute (such as the need to provide annual notices if an institution's previous notice remains accurate or the need to provide any notices at all in situations where an institution does not disclose nonpublic personal information to nonaffiliated third parties). The Agencies have attempted to address other concerns by amending several provisions as discussed above and by clarifying the Agencies' expectations as far as disclosures are concerned. Below is a brief summary of the remaining paperwork burdens implemented by this final rule. The final rule contains several disclosure requirements. The respondents must prepare and provide the initial notice to all current customers and all new customers not later than when a respondent establishes a customer relationship (Sec. __.4(a)). Subsequently, an annual notice must be provided to all customers at least once during a twelve-month period during the continuation of the customer relationship (Sec. __.5(a)). The opt out notice (and partial opt out notice, if applicable; see Sec. __.10(c)) must be provided prior to disclosing nonpublic personal information to certain nonaffiliated third parties. If a financial institution wishes to disclose information in a way that is inconsistent with the notices previously given to a [[Page 35188]] consumer, the institution must provide consumers with revised notices (Sec. __.8(a)). The final regulation also contains affirmative actions that consumers must take to exercise their rights. In order for consumers to prevent financial institutions from sharing their information with nonaffiliated third parties, they must opt out (Secs. __.7(a)(2)(ii)), __.10(a)(2) and __.10(c)). At any time during their continued relationship with the institution, consumers have the right to change or update their opt out status with the institution (Secs. __.7(f) and (g)). OCC: The rule requires the collection of certain information from national banks, District of Columbia banks, and Federal branches and agencies of foreign banks. OMB has reviewed and approved the collections of information contained in the final rule under control number 1557-0216, in accordance with the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.). OMB clearance will expire on March 31, 2003. There are 2,400 respondents with a total annual burden of 108,000 hours. Board: The rule requires the collection of certain information from state member banks, bank holding companies, affiliates and certain non- bank subsidiaries of bank holding companies, uninsured state agencies and branches of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and agreement corporations. In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3506; 5 CFR 1320 Appendix A.1), the Board approved the rule under the authority delegated to the Board by OMB. The OMB control number is 7100-0294. There are 9,500 respondents with a total annual burden of 427,500 hours. FDIC: The rule requires the collection of certain information from insured nonmember banks, insured state branches of foreign banks, and certain subsidiaries of these entities. The Office of Management and Budget (OMB) has reviewed and approved the collections of information contained in the final rule under control number 3064-0136, in accordance with the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.). OMB clearance will expire on April 30, 2003. There are 5,764 respondents with a total annual burden of 259,380 hours. OTS: The rule requires the collection of certain information from savings associations and certain of their subsidiaries. OMB has reviewed and approved the collections of information contained in the final rule under control number 1550-0103, in accordance with the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.). OMB clearance will expire on April 30, 2003. There are 1,104 respondents with a total annual burden of 49,680 hours. The Agencies have a continuing interest in the public's opinion regarding collections of information. Members of the public may submit comments, at any time, regarding any aspect of these collections of information. Comments may be sent to: OCC: Communications Division, Attention: 1557-0216, Office of the Comptroller of the Currency, 250 E Street, SW, Third Floor, Washington, DC 20219. Board: Mary M. West, Federal Reserve Board Clearance Officer, Mail Stop 97, Division of Research and Statistics, Board of Governors of the Federal Reserve System, Washington, D.C. 20551. FDIC: Steven F. Hanft, Assistant Executive Secretary (Regulatory Analysis), Federal Deposit Insurance Corporation, Room F-4080, 550 17th Street NW., Washington, DC 20429. OTS: Dissemination Branch (1550-0103), Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552. A copy of all comments should also be sent to Office of Management and Budget, Paperwork Reduction Project (include OMB control number), Washington, D.C. 20503. B. Regulatory Flexibility Act OCC: Under the Regulatory Flexibility Act (RFA), the OCC must either provide a Final Regulatory Flexibility Analysis (FRFA) with a final rule or certify that the final rule ``will not, if promulgated,'' have a significant economic impact on a substantial number of small entities.\15\ Given that the burden imposed on small institutions stems in large part from the statute, and in light of the significant number of changes described previously that reduce the rule's burden on financial institutions of all sizes, the OCC does not expect that the rule will have a significant economic impact on a substantial number of small entities. However, because the statute creates a set of requirements that are new both to the OCC and to financial institutions in general, the OCC has prepared the following FRFA and intends to publish a compliance guide for small entities. --------------------------------------------------------------------------- \15\ The RFA defines the term ``small entity'' in 5 U.S.C. 601 by reference to definitions published by the Small Business Administration (SBA). The SBA has defined a ``small entity'' for banking purposes as a national or commercial bank, savings institution or credit union with less than $100 million in assets. See 13 CFR 121.201. --------------------------------------------------------------------------- Need for and Objectives of the Final Rule; Legal Basis for the Rule The final rule implements the provisions of Title V, Subtitle A of the GLB Act addressing consumer privacy. In general, these statutory provisions require banks to provide notice to consumers about a bank's privacy policies and practices, restricts institutions from sharing nonpublic personal information about consumers to nonaffiliated third parties, and permits consumers to prevent institutions from disclosing nonpublic personal information about them to certain non-affiliated third parties by ``opting out'' of that disclosure. Section 504 of the GLB Act authorizes the OCC to prescribe ``such regulations as may be necessary'' to carry out the purposes of Title V, Subtitle A. If no regulations were promulgated, substantive burdens imposed by the Act (e.g., the notice, information sharing restrictions, and opt out requirements) would have become effective and binding on banks one year from the date the Act was signed into law. The OCC believes that a regulatory promulgation gives the private sector greater certainty about how to comply with the statute and clearer guidance regarding how it will be enforced. Small Entities to Which the Rule Will Apply The proposed rule would apply to all banks, regardless of size, including those with assets of under $100 million. As of December 1999, 1203 (of 2365 total) national banks had assets of under $100 million. As explained below, Title V, Subtitle A of the GLB Act did not provide a general exception for small banks, nor did it appear that such an exception would be consistent with the purposes of the Act. Compliance Requirements and Effects of the Final Rule on Small Entities A detailed description of the final rule's requirements is set forth above in the section-by-section analysis (Supplementary Information, part III). Among other things, a bank will generally be required to prepare a notice of its privacy policies and practices and provide that notice to consumers under conditions as specified in the rule (e.g., a privacy notice must be provided no later than the time that a customer relationship is established and then once annually for the duration of that customer relationship). Banks that disclose nonpublic personal information about consumers to nonaffiliated third parties will be subject to additional mandates, including a requirement to [[Page 35189]] provide an opt out notice to consumers along with a reasonable opportunity to opt out of certain disclosures. There are a host of exceptions to the general rules stated above. For example, a bank may share a consumer's nonpublic personal information with nonaffiliated third parties without having to give an opt out notice if such sharing is necessary to effect, administer, or enforce a transaction requested or authorized by the consumer. These exceptions have the effect of minimizing the burden on institutions of all sizes. To comply with the final rule, banks will need to, among other things, prepare disclosure forms, make various operational changes, and train staff. Professional skills needed to comply with the final rule may include clerical, computer systems, personnel training, as well as legal drafting and advice. The compliance requirements and costs are likely to vary considerably among institutions, depending upon a number of factors, such as: --Whether a bank intends to disclose covered information. A bank that does not disclose nonpublic personal information about consumers to third parties (or shares only to the extent permitted under the exceptions) (i) could have a streamlined privacy notice, (ii) will not need to provide an opt out notice to consumers, and (iii) will not need to implement procedures to honor the wishes of consumers that choose to opt out of certain information sharing. --Whether the bank already has a notice describing its privacy policy. Various surveys suggest that a majority of banks already have privacy policies in place as part of usual and customary business practices. For these institutions, the costs for revising that policy to comply with the regulation are likely to be significantly less than would be the costs for those institutions having to develop a new policy. --Whether the bank already has an opt-out mechanism in place pursuant to the Fair Credit Reporting Act (FCRA). Under the FCRA, a bank must provide opt out notices and have an opt out mechanism in place if the bank (i) shares certain consumer information (i.e., application or credit report information) with its affiliates, and (ii) does not want to be treated as a consumer reporting agency under the Act. A bank that already gives FCRA notices and wants to share nonpublic personal information with nonaffiliated third parties should be able to adapt its existing opt out mechanism to accommodate the requirements of the final rule. Summary of Significant Issues Raised by the Public Comments; Description of Steps the Agency Has Taken To Minimize Burden One approach to minimizing the burden on small entities would be to provide a specific exemption for such institutions. The OCC has no authority under the statute to grant an exception that would remove small institutions from the entire scope of the rule. The OCC does have exemptive authority under section 504(b) to grant such exceptions to the opt out provisions ``as are deemed consistent with the purposes of'' the statute. The OCC believes that a wholesale exemption for small banks from the opt out provisions would be inconsistent with the purposes of the Act. As stated in section 501(a) of the Act, ``It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.'' (Emphasis added.) The OCC believes the privacy of someone's nonpublic personal information is no less deserving of protection simply because the information is obtained by a small bank. The final rule does, however, provide substantial flexibility so that any bank, regardless of size, may tailor its practices to its individual needs. For example, to minimize the burden and costs of distributing privacy policies, the final rule (i) allows each bank to choose the method by which it will distribute required notices (e.g., banks may include an annual privacy notice with periodic account statements that the bank already sends to the customer) and (ii) allows for the initial privacy notice to be provided with other Federally mandated consumer disclosures, such as those required under the Truth- in-Lending Act. In addition, the OCC carefully considered comments that suggested a variety of other alternatives to reduce burden. In response to these comments, the agency attempted to minimize the burden on all businesses, including small entities, in a manner consistent with providing the privacy protections mandated by the Act. The discussion below reviews some of the changes adopted in the final rule to accomplish this purpose. For a more complete discussion of significant issues raised by public comments and the changes adopted in the final rule, see the section-by-section analysis above, which is incorporated herein by reference (Supplementary Information, part III). Content of disclosures. Many commenters interpreted the rule as requiring long, detailed privacy disclosures that, in these commenters' view, would be of little benefit to consumers. To address these comments, the final rule clarifies the level of detail that the OCC believes is appropriate under the statute. In particular, the final rule substantially revises the examples of disclosures that would satisfy the rule; Appendix A includes sample clauses that might be used; and the preamble states that the Agencies believe disclosures required by the rule could fit on a typical tri-fold brochure. Also, the Agencies have provided additional guidance under the caption Guidance for Certain Financial Institutions (Guidance) (Supplementary Information, Part IV). This Guidance, as well as the sample clauses in Appendix A, are intended to minimize the burden and costs for all banks, particularly small banks that will not generally be sharing nonpublic personal information with nonaffiliated third parties (except pursuant to the exceptions). In addition, the final rule permits a bank to provide a short-form privacy notice to a consumer that does not become a customer, provided the bank gives the consumer an opt out notice and notifies the consumer of a reasonably convenient method by which to obtain a copy of the full privacy notice. Definition of nonpublic personal information. A bank that wants to share nonpublic personal information about a consumer with a nonaffiliated third party generally must comply with the opt out restrictions in the rule. However, information that is considered ``publicly available information'' is excluded from the definition of nonpublic personal information. The proposed rule offered two alternatives. Under Alternative A, information that is generally available from a public source would not be considered ``publicly available information'' unless a bank actually obtains the information from a public source. Under Alternative B, the fact that the information could be obtained from a public source is sufficient for the information to be considered publicly available. For the reasons stated earlier in the preamble, the OCC adopted a slightly revised version of Alternative B, the less burdensome option. Effective date. By operation of section 510 of the statute, the relevant provisions of Title V take effective November 12, 2000. However, the statute authorizes the agencies to [[Page 35190]] prescribe a later date if implementing regulations are adopted. The proposed rule used the effective date prescribed by the statute. The OCC received a large number of comments from banks, including many from small entities, that requested more time to comply. Many such comments suggested that overall compliance costs could be reduced by delaying the effective date. For the reasons stated earlier in the preamble, the OCC believes it would be appropriate to give banks until July 1, 2001, to comply with the rule. New notices not required for each new financial product or service. Some banks, including small entities, expressed concern that the proposed rule may require a new initial notice each time a consumer obtains a new financial product or service. This would be especially burdensome for banks that adopt a universal privacy policy that covers multiple products and services. To address these concerns and minimize economic burden, the final rule clarifies that a new initial notice is not required if the bank has given the customer the bank's initial notice, and that the bank's initial notice remains accurate with respect to the new product or service. Annual notice requirement. Many banks, including small entities, suggested alternative, less burdensome methods for complying with the requirement that banks provide their customers with an annual privacy notice. As discussed earlier in the preamble, the OCC responded to these comments with a provision in the final rule that permits a bank to comply with the annual privacy notice requirements for customers under certain circumstances by continually posting the notice on the bank's web site in a clear and conspicuous manner. Notice to joint account holders. As noted earlier in the preamble, the final rule allows banks to provide one notice to joint account holders, with the understanding being that a decision to opt out made by one of the account holders will, absent a provision in the opt out notice to the contrary, prevent the bank from disclosing any nonpublic personal information about any of the account holders. This is particularly advantageous for banks, including small entities, that do not intend to share nonpublic personal information with nonaffiliated third parties (except as permitted under the exceptions). The OCC, along with the other Agencies, intends to publish a small entity compliance guide--separate from and in addition to the guidance for certain financial institutions included as part of this Federal Register notice--that will clarify the operation of and compliance with the rule. Board: The Regulatory Flexibility Act (5 U.S.C. 604) requires an agency to publish a final regulatory flexibility analysis when promulgating a final rule that was subject to notice and comment. Need for and Objectives of Rule As discussed above, this rule implements the privacy provisions in sections 502-510 of the GLB Act. The rule's objectives are to protect nonpublic personal information about consumers collected by financial institutions by: (1) Requiring a financial institution to provide notice to customers about its privacy policies and practices; (2) Describing the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and (3) Providing a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by ``opting out'' of that disclosure, subject to certain exceptions. Comments on the Initial Regulatory Flexibility Analysis Although few commenters addressed the initial regulatory flexibility analysis specifically, many commenters addressed the regulatory burdens that were discussed in that analysis. Commenters provided a wide range of estimates of the costs of compliance, demonstrating the difficulty of precisely measuring the implementation costs for GLB Act privacy provisions. For example, one commenter representing a $4 billion dollar multi-bank holding company with ten financial institutions, estimated compliance costs at $160,000/year (an average of $16,000 per institution), contrasted with a $500 million institution that estimated compliance costs at $40,000/year. Another commenter representing an $18 billion dollar bank holding company estimated compliance costs at $2.1 million, while one of the nation's largest financial institutions estimated compliance costs between $2.5- $18 million. In another comment, a public policy group estimated that the costs of the rule ``may likely exceed $223 million annually'' based on a sample of deposit accounts and estimated loan accounts at 54 ``major institutions'' around the United States. Many commenters principally discussed the burdens that would be imposed by the proposed rule due to the effective date and the amount of detail that financial institutions would have to describe in their initial and annual notices. Many commenters urged the Board to extend the proposed November 13, 2000, effective date, for periods ranging from six months to two years. Most of these commenters argued that complying with the rule by November 13, 2000, would place an extraordinary burden on their businesses, particularly because the notices required by the rule would mandate changes to computer software, employee training, and compliance systems. To address these concerns, compliance with the final rule will be deferred until July 1, 2001. Many commenters urged the Board to reduce the level of detail that they perceived would be required in the notices under the proposed rule. Commenters argued, for instance, that requiring a detailed description of all of the sources of information that they use to collect information about their customers would make the notices too lengthy and complicated. In a similar vein, many commenters proposed that the Board should issue model forms to demonstrate the kinds of notices that would be permitted by the rule. The Board believes that the intent of the original proposal on the level of detail expected under the proposed rule was widely misinterpreted. The notices section has been redrafted in an effort to clarify the requirements. This should lead to modular provisions based on examples in the regulations that could be used by most institutions. The Board and the other Agencies have included, in an appendix to the final rule, sample clauses illustrating elements of the notice requirements for a small institution that does not sell information for marketing purposes and a large holding company with multiple affiliates that distributes information broadly. To further assist institutions in complying with the rule, the Board and the other Agencies have included in this Federal Register notice guidance for certain institutions that do not disclose nonpublic personal information to nonaffiliated third parties outside of the statutory exceptions. Nevertheless, some institutions may have to craft notice provisions to cover unique aspects of their privacy practices. This is necessary because it is impossible for the Board to anticipate all disclosure practices. In the absence of knowledge of these practices, any attempt to craft ``model notices'' that could be used by all institutions runs a substantial risk of being misleading. The Board also modified the final rule to clarify that a financial institution need not provide another initial notice to an existing customer who obtains a [[Page 35191]] new financial product or service so long as the previous notice provided to that customer was accurate with respect to the new financial product or service. The Board believes that this provision will enable a financial institution to adopt a single, comprehensive privacy policy for its financial products and services, and at the same time, reduce the costs to ensure that it delivers an accurate copy of its policy to each customer. The Board also clarified the final rule to permit a financial institution to provide one copy of the initial, annual, and revised notices, respectively, to consumers who jointly obtain a financial product or service. Correspondingly, the Board clarified that a financial institution may provide one opt out notice, if applicable, to consumers who jointly obtain a financial product or service. Institutions Covered The Board's final rule will apply to approximately 9,500 institutions, including state member banks, bank holding companies and certain of their nonbank subsidiaries or affiliates, state uninsured branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and Agreement corporations. The Board estimates that over 4,500 of the institutions are small institutions with assets less than $100 million. New Compliance Requirements The final rule contains new compliance requirements for all covered institutions, most of which are required by the GLB Act. The institutions will be required to prepare notices of their privacy policies and practices and provide those notices to consumers as specified in the rule. Institutions that disclose nonpublic personal information about consumers to nonaffiliated third parties will be required to provide opt out notices to consumers as well as a reasonable opportunity to opt out of certain disclosures. These institutions will have to develop systems for keeping track of consumers' opt out directions. Some institutions, particularly those that disclose nonpublic information about consumers to nonaffiliated third parties, will likely need the advice of legal counsel to ensure that they comply with the rule, and may also require computer programming changes and additional staff training. Minimizing Impact on Small Institutions The Board believes the requirements of the Act and this rule will create additional burden for covered institutions, particularly those that disclose nonpublic personal information about consumers to nonaffiliated third parties. The rule applies to all covered institutions, regardless of size. The Act does not provide the Board with the authority to exempt a small institution from the requirement to provide a notice of its privacy policies and practices to its customers. Although the Board could exempt small institutions from providing a notice and opportunity for consumers to opt out of certain information disclosures, the Board does not believe that such an exemption would be appropriate, given that one of the purposes of the Act is to provide notice to consumers about the disclosure of nonpublic personal information. The Board believes that the burden is significantly lower for institutions that do not disclose nonpublic personal information about consumers to nonaffiliated third parties. These institutions may provide relatively simple initial and annual notices to consumers with whom they establish customer relationships. Also, the Board intends to publish a small entity compliance guide--separate from and in addition to the guidance for certain financial institutions included as part of this Federal Register notice--aimed to generally clarify the operation of and compliance with the rule. FDIC: The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA) requires, subject to certain exceptions, that federal agencies prepare an initial regulatory flexibility analysis (IRFA) with a proposed rule and a final regulatory flexibility analysis (FRFA) with a final rule, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. \16\ At the time of issuance of the proposed rule, the FDIC could not make such a determination for certification, therefore the FDIC issued an IRFA pursuant to section 603 of the RFA. After considering the comments submitted in response to the proposed rule, the FDIC believes that it does not have sufficient information to determine whether the final rule would have a significant economic impact on a substantial number of small entities. Therefore, pursuant to section 604 of the RFA, the FDIC provides the following FRFA. --------------------------------------------------------------------------- \16\ The RFA defines the term ``small entity'' in 5 U.S.C. 601 by reference to definitions published by the Small Business Administration (SBA). The SBA has defined a ``small entity for banking purposes as a national or commercial bank, savings institution or credit union with less than $100 million in assets. See 13 CFR 121.201. --------------------------------------------------------------------------- This FRFA incorporates the FDIC's initial findings, as set forth in the IRFA; addressees the comments submitted in response to the IRFA; and describes the steps the FDIC has taken in the final rule to minimize the impact on small entities, consistent with the objectives of the GLB Act. Also, in accordance with Section 212 of the Small Business Regulatory Enforcement Fairness Act of 1996 (Public Law 104- 121), the FDIC will in the near future issue a Small Entity Compliance Guide to assist small entities in complying with this rule. Statement of the Need/Objectives of the Rule The final rule implements the provisions of Title V, Subtitle A of the GLB Act addressing consumer privacy. In general, these statutory provisions require banks to provide notice to consumers about an institution's privacy policies and practices, restrict institutions from sharing nonpublic personal information about consumers with nonaffiliated third parties, and permit consumers to prevent institutions from disclosing nonpublic personal information about them to certain non-affiliated third parties by ``opting out'' of that disclosure. Section 504 of the GLB Act requires the FDIC, in consultation with representatives of State insurance authorities, to prescribe ``such regulations as may be necessary'' to carry out the purposes of Title V, Subtitle A. If no regulations were promulgated, substantive burdens imposed by the Act (e.g., the notice, information sharing restrictions, and opt out requirements) would have become effective and binding on banks one year from the date the Act was signed into law. The FDIC believes that the final rule gives the private sector greater certainty on how to comply with the statute and clearer guidance regarding how it will be enforced. Summary of Significant Issues Raised in Public Comments In the IRFA, the FDIC specifically requested information on the costs of creating privacy policy disclosures, distributing privacy policy disclosures, implementing ``opt out'' disclosure and processing requirements, and complying with the proposed rule in its entirety. The FDIC received few comments responsive to the issue of implementation costs. While the majority of commenters representing the financial services industry indicated that compliance with the regulation [[Page 35192]] would require significant effort, these comments most often requested additional time to comply with the final rule, and did not address estimated costs to comply with the regulation. The few comments that the FDIC did receive quantifying the economic costs of compliance reflected a wide range of estimates, demonstrating the difficulty of precisely measuring the implementation costs for GLB Act privacy provisions. For example, one commenter representing a $4 billion dollar multi-bank holding company with ten financial institutions, estimated compliance costs at $160,000/year (an average of $16,000 per institution), contrasted with a $500 million dollar institution that estimated compliance costs at $40,000/year. Another commenter representing an $18 billion dollar bank holding company estimated compliance costs at $2.1 million, while one of the nation's largest financial institutions estimated compliance costs between $2.5- $18 million. In another comment, a public policy group estimated that the costs of the rule ``may likely exceed $223 million annually'' based on a sample of deposit accounts and estimated loan accounts at 54 ``major institutions'' around the United States \17\. --------------------------------------------------------------------------- \17\ This estimate was not limited to FDIC-supervised institutions, but rather was based on all financial institutions subject to the GLB Act. --------------------------------------------------------------------------- Summary of the Agency Assessment of Issues Raised in Public Comments Both the limited numbers of comments received that discussed compliance costs and the wide range of estimates provided, reflect the uncertainty of estimating the costs of implementing the GLB Act requirements. The new compliance requirements will indeed create additional economic costs for institutions, especially those that disclose information to nonaffiliated third parties. These costs include, but are not limited to (1) reviewing current information sharing practices; (2) determining operational changes necessary; (3) identifying sources/uses of customer information; (4) preparing disclosure forms; and (5) training staff. Most, if not, all of these costs result from requirements expressly mandated by the GLB Act. After a careful review of the comments received, the FDIC does not have a practicable or reliable basis for quantifying the costs of implementing the requirements of the GLB Act. We expect that compliance costs will vary significantly between institutions depending on information sharing practices. The FDIC continues to believe that the costs of implementing the opt out provisions of the final rule will be insubstantial for financial institutions that do not disclose nonpublic personal information to nonaffiliat