Privacy of Consumer Financial Information Under Title V of the Gramm-Leach-Bliley Act, 76356-76367 [2012-31273]

76356 Federal Register / Vol. 77, No. 249 / Friday, December 28, 2012 / Rules and Regulations

rulemaking, this final rule is not subject to section 202 of the Unfunded Mandates Reform Act.

List of Subjects

12 CFR Part 19

Administrative practice and procedure, Crime, Equal access to justice, Investigations, National banks, Penalties, Securities.

12 CFR Part 109

Administrative practice and procedure, Penalties.

Authority and Issuance

For the reasons set out in the preamble, parts 19 and 109 of chapter I of title 12 of the Code of Federal Regulations are amended as follows:

PART 19—RULES OF PRACTICE AND PROCEDURE

■ 1. The authority citation for part 19 continues to read as follows:

Authority: 5 U.S.C. 504, 554–557; 12 U.S.C. 93(b), 93a, 164, 505, 1817, 1818, 1820, 1831m, 1831o, 1972, 3102, 3108(a), 3909, and 4717; 15 U.S.C. 78(h) and (i), 78o–4(c), 78o–5, 78q–1, 78s, 78u, 78u–2, 78u–3, and 78w; 28 U.S.C. 2461 note; 31 U.S.C. 330 and 5321; and 42 U.S.C. 4012a.

Subpart O—Civil Money Penalty Adjustments

■ 2. The heading to subpart O is revised as set forth above.

■ 3. Section 19.240 is amended by revising the section heading, the introductory text to paragraph (a), (b), and adding paragraph (c) to read as follows:

§ 19.240 Civil Money Penalties.

(a) The maximum amount of each civil money penalty within the OCC’s jurisdiction is set forth as follows:

* * * * *

(b) Except as provided in paragraph (c) of this section, the maximum amount of each civil money penalty, set forth in the chart in paragraph (a) of this section, applies to violations that occurred on or after December 6, 2012.

(c) The maximum amount of the civil money penalty prescribed by 42 U.S.C. 4012a(f)(5), set forth in the chart in paragraph (a) of this section, applies to violations that occurred on or after July 6, 2012.

PART 109—RULES OF PRACTICE AND PROCEDURE IN ADJUDICATORY PROCEEDINGS

■ 4. The authority citation for part 109 continues to read as follows:

Authority: 5 U.S.C. 504, 554–557; 12 U.S.C. 1464, 1467, 1467a, 1468, 1817(j), 1818, 1820(k), 1829(e), 3349, 4717, 5412(b)(2)(B); 15 U.S.C. 78(l), 78o–5, 78u–2; 28 U.S.C. 2461 note; 31 U.S.C. 5321; and 42 U.S.C. 4012a.

■ 5. Section 109.103 is amended by revising the introductory text to paragraph (c), and adding paragraph (d) to read as follows:

§ 109.103 Civil money penalties.

* * * * *

(c) Maximum amount of civil money penalties. Except as provided in paragraph (d) of this section, the maximum amount of each civil money penalty in the chart below applies to violations that occurred on or after December 6, 2012:

* * * * *

(d) Flood insurance penalty. The maximum amount of the civil money penalty prescribed by 42 U.S.C. 4012a(f), set forth in the chart in paragraph (c) of this section, applies to violations that occurred on or after July 6, 2012.

Dated: December 21, 2012.

Daniel P. Stipano,
Acting Chief Counsel.

[FR Doc. 2012–31187 Filed 12–27–12; 8:45 am]

BILLING CODE 4810–33–P

FARM CREDIT ADMINISTRATION

12 CFR Part 630

RIN 3052–AC77

Disclosure to Investors in System-wide and Consolidated Bank Debt Obligations of the Farm Credit System; System Audit Committee; Effective Date

AGENCY: Farm Credit Administration.

ACTION: Notice of effective date.

SUMMARY: The Farm Credit Administration (FCA or Agency), through the FCA Board (Board), issued a final rule under part 630 on September 26, 2012 (77 FR 59050) amending our regulations relating to the Federal Farm Credit Banks Funding Corporation System Audit Committee and the Farm Credit System annual report to investors. In accordance with 12 U.S.C. 2252, the effective date of the final rule is 30 days from the date of publication in the Federal Register during which either or both Houses of Congress are in session. Based on the records of the sessions of Congress, the effective date of the regulations is December 12, 2012.

DATES: Effective Date: Under the authority of 12 U.S.C. 2252, the regulation amending 12 CFR part 630 published on September 26, 2012 (77 FR 59050) is effective December 12, 2012.

FOR FURTHER INFORMATION CONTACT: Deborah Wilson, Senior Accountant, Office of Regulatory Policy, Farm Credit Administration, McLean, Virginia 22102–5090, (703) 883–4498, TTY (703) 883–4434, or Laura McFarland, Senior Counsel, Office of General Counsel, Farm Credit Administration, McLean, Virginia 22102–5090, (703) 883–4020, TTY (703) 883–4020.

Authority: 12 U.S.C. 2252(a)(9) and (10).

Dated: December 20, 2012.

Dale L. Aultman,
Secretary, Farm Credit Administration Board.

[FR Doc. 2012–31103 Filed 12–27–12; 8:45 am]

BILLING CODE 6705–01–P

COMMODITY FUTURES TRADING COMMISSION

17 CFR Part 160

Privacy of Consumer Financial Information Under Title V of the Gramm-Leach-Bliley Act

CFR Correction

In Title 17 of the Code of Federal Regulations, Parts 1 to 199, revised as of April 1, 2012, on page 958, appendices A and B to part 160 are reinstated to read as follows:

Appendix A to Part 160—Model Privacy Form

A. The Model Privacy Form

Version 1: Model Form With No Opt-out.

[Model form image, titled ‘‘WHAT DOES [NAME OF FINANCIAL INSTITUTION] DO WITH YOUR PERSONAL INFORMATION?’’; the text of the form is not recoverable from the extracted page.]

Version 2: Model Form with Opt-Out by Telephone and/or Online.

[Model form image, same title; the text of the form is not recoverable from the extracted page.]

Version 3: Model Form with Mail-in Opt-out Form.

[Model form image, same title; the text of the form is not recoverable from the extracted page.]
B. General Instructions

1. How the Model Privacy Form Is Used

(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 160.6 and 160.7 of this part.

(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.

(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681–1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.

(d) The word ‘‘customer’’ may be replaced by the word ‘‘member’’ whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.

(a) Page One. The first page consists of the following components:

(1) Date last revised (upper right-hand corner).

(2) Title.

(3) Key frame (Why?, What?, How?).

(4) Disclosure table (‘‘Reasons we can share your personal information’’).

(5) ‘‘To limit our sharing’’ box, as needed, for the financial institution’s opt-out information.

(6) ‘‘Questions’’ box, for customer service contact information.

(7) Mail-in opt-out form, as needed.

(b) Page Two. The second page consists of the following components:

(1) Heading (Page 2).

(2) Frequently Asked Questions (‘‘Who we are’’ and ‘‘What we do’’).

(3) Definitions.

(4) ‘‘Other important information’’ box, as needed.

3. The Format of the Model Privacy Form

The format of the model form may be modified only as described below.

(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.

(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.

(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.

(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.

(e) Languages. The model form may be translated into languages other than English.

C. Information Required in the Model Privacy Form

The information in the model form may be modified only as described below:

1. Name of the Institution or Group of Affiliated Institutions Providing the Notice

Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.

2. Page One

(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’ using either the name or number of the month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/09’’.

(b) General instructions for the ‘‘What?’’ box.

(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘‘Social Security number’’ in the first bullet.

(2) Institutions must use five (5) of the following terms to complete the bulleted list: Income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.

(c) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction.
In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: ‘‘Yes’’ if it is required to or voluntarily provides an opt-out; ‘‘No’’ if it does not provide an opt-out; or ‘‘We don’t share’’ if it answers ‘‘No’’ in the middle column. Only the sixth row (‘‘For our affiliates to market to you’’) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.

(d) Specific disclosures and corresponding legal provisions.

(1) For our everyday business purposes. This reason incorporates sharing information under §§ 160.14 and 160.15 and with service providers pursuant to § 160.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.

(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 160.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 160.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.
(5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.

(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.

Note: The CFTC’s Regulations do not address the affiliate marketing rule.

(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 160.7 and 160.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.

(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words ‘‘toll-free’’ before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page.
The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the ‘‘Yes’’ responses in the third column of the disclosure table. In the part titled ‘‘Please note’’ institutions may insert a number that is 30 or greater in the space marked ‘‘[30].’’ Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.

(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words ‘‘toll-free’’ before the telephone number, as appropriate.

(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the ‘‘To limit our sharing’’ box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the ‘‘Yes’’ responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as ‘‘[account #].’’ Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the ‘‘[account #]’’ reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.

(1) Joint accountholder.
Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: ‘‘If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. Apply my choice(s) only to me.’’ The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.

(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: ‘‘Do not share information about my creditworthiness with your affiliates for their everyday business purposes.’’

(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: ‘‘Do not allow your affiliates to use my personal information to market to me.’’

(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 160.10(a) of this part, it must include in the mail-in opt-out form the following statement: ‘‘Do not share my personal information with nonaffiliates to market their products and services to me.’’

(5) Additional opt-outs.
Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: ‘‘Do not share my personal information to market to me.’’ or ‘‘Do not use my personal information to market to me.’’ A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: ‘‘Do not share my personal information with other financial institutions to jointly market to me.’’

(h) Barcodes. A financial institution may elect to include a barcode and/or ‘‘tagline’’ (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.

3. Page Two

(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:

(1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 160.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the ‘‘Other important information’’ box, or, if that box is not included in the institution’s form, directly following the ‘‘Definitions.’’ The list may appear in a multi-column format.
(2) ‘‘How does [name of financial institution] protect my personal information?’’ The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.

(3) ‘‘How does [name of financial institution] collect my personal information?’’ Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade.
Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: ‘‘We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.

(4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’ box must use the bracketed sentence: ‘‘See below for more on your rights under state law.’’ Other institutions must omit this sentence.

(5) ‘‘What happens when I limit sharing for an account I hold jointly with someone else?’’ Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: ‘‘Your choices will apply to everyone on your account.’’ or ‘‘Your choices will apply to everyone on your account—unless you tell us otherwise.’’ Financial institutions that provide insurance products or services and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in these statements.

(b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.

(1) Affiliates.
As required by § 160.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:
    (i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates’’;
    (ii) If it has affiliates but does not share personal information, state: ‘‘[name of financial institution] does not share with our affiliates’’; or
    (iii) If it shares with its affiliates, state, as applicable: ‘‘Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].’’
    (2) Nonaffiliates. As required by § 160.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
    (i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you’’; or
    (ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’
    (3) Joint Marketing. As required by § 160.13 of this part, where [joint marketing] appears, the financial institution must:
    (i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market’’; or
    (ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’
    (c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information in this box is not limited.
Only the following types of information can appear in this box.
    (1) State and/or international privacy law information; and/or
    (2) Acknowledgment of receipt form.

[74 FR 62975, Dec. 1, 2009]

Appendix B to Part 160—Sample Clauses

    This appendix only applies to privacy notices provided before January 1, 2011. Financial institutions, including a group of financial holding company affiliates that use a common privacy notice, may use the following sample clauses, if the clause is accurate for each institution that uses the notice. Note that disclosure of certain information, such as assets, income and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act, such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.

A–1—Categories of Information You Collect (All Institutions)

    You may use this clause, as applicable, to meet the requirement of § 160.6(a)(1) to describe the categories of nonpublic personal information you collect.

Sample Clause A–1

    We collect nonpublic personal information about you from the following sources:
    • Information we receive from you on applications or other forms;
    • Information about your transactions with us, our affiliates or others; and
    • Information we receive from a consumer reporting agency.

A–2—Categories of Information You Disclose (Institutions That Disclose Outside of the Exceptions)

    You may use one of these clauses, as applicable, to meet the requirement of § 160.6(a)(2) to describe the categories of nonpublic personal information you disclose. You may use these clauses if you disclose nonpublic personal information other than as permitted by the exceptions in §§ 160.13, 160.14 and 160.15.

Sample Clause A–2, Alternative 1

    We may disclose the following kinds of nonpublic personal information about you:
    • Information we receive from you on applications or other forms, such as [provide illustrative examples, such as ‘‘your name, address, Social Security number, assets and income’’];
    • Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as ‘‘your account balance, payment history, parties to transactions and credit card usage’’]; and
    • Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as ‘‘your creditworthiness and credit history’’].

Sample Clause A–2, Alternative 2

    We may disclose all of the information that we collect, as described [describe location in the notice, such as ‘‘above’’ or ‘‘below’’].

A–3—Categories of Information You Disclose and Parties To Whom You Disclose (Institutions That Do Not Disclose Outside of the Exceptions)

    You may use this clause, as applicable, to meet the requirements of §§ 160.6(a)(2), (3) and (4) to describe the categories of nonpublic personal information about customers and former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose. You may use this clause if you do not disclose nonpublic personal information to any party, other than as is permitted by the exceptions in §§ 160.14 and 160.15.

Sample Clause A–3

    We do not disclose any nonpublic personal information about our customers or former customers to anyone, except as permitted by law.

A–4—Categories of Parties To Whom You Disclose (Institutions That Disclose Outside of the Exceptions)

    You may use this clause, as applicable, to meet the requirement of § 160.6(a)(3) to describe the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information.
You may use this clause if you disclose nonpublic personal information other than as permitted by the exceptions in §§ 160.13, 160.14 and 160.15, as well as when permitted by the exceptions in §§ 160.14 and 160.15.

Sample Clause A–4

    We may disclose nonpublic personal information about you to the following types of third parties:
    • Financial service providers, such as [provide illustrative examples, such as ‘‘mortgage bankers’’];
    • Non-financial companies, such as [provide illustrative examples, such as ‘‘retailers, direct marketers, airlines and publishers’’]; and
    • Others, such as [provide illustrative examples, such as ‘‘non-profit organizations’’].
    We may also disclose nonpublic personal information about you to nonaffiliated third parties as permitted by law.

A–5—Service Provider/Joint Marketing Exception

    You may use one of these clauses, as applicable, to meet the requirements of § 160.6(a)(5) related to the exception for service providers and joint marketers in § 160.13. If you disclose nonpublic personal information under this exception, you must describe the categories of nonpublic personal information you disclose and the categories of third parties with whom you have contracted.

Sample Clause A–5, Alternative 1

    We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements:
    • Information we receive from you on applications or other forms, such as [provide illustrative examples, such as ‘‘your name, address, Social Security number, assets and income’’];
    • Information about your transactions with us, our affiliates, or others, such as [provide illustrative examples, such as ‘‘your account balance, payment history, parties to transactions and credit card usage’’]; and
    • Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as ‘‘your creditworthiness and credit history’’].

Sample Clause A–5, Alternative 2

    We may disclose all of the information we collect, as described [describe location in the notice, such as ‘‘above’’ or ‘‘below’’] to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements.

A–6—Explanation of Opt Out Right (Institutions That Disclose Outside of the Exceptions)

    You may use this clause, as applicable, to meet the requirement of § 160.6(a)(6) to provide an explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right. You may use this clause if you disclose nonpublic personal information other than as permitted by the exceptions in §§ 160.13, 160.14 and 160.15.

Sample Clause A–6

    If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties you may opt out of those disclosures; that is, you may direct us not to make those disclosures (other than disclosures permitted or required by law).
If you wish to opt out of disclosures to nonaffiliated third parties, you may [describe a reasonable means of opting out, such as ‘‘call the following toll-free number: (insert number)’’].

A–7—Confidentiality and Security (All Institutions)

    You may use this clause, as applicable, to meet the requirement of § 160.6(a)(8) to describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.

Sample Clause A–7

    We restrict access to nonpublic personal information about you to [provide an appropriate description, such as ‘‘those employees who need to know that information to provide products or services to you’’]. We maintain physical, electronic and procedural safeguards that comply with federal standards to safeguard your nonpublic personal information.

[66 FR 21252, Apr. 27, 2001, as amended at 74 FR 62984, Dec. 1, 2009]

[FR Doc. 2012–31273 Filed 12–27–12; 8:45 am]
BILLING CODE 1505–01–D

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 366

[Docket No. RM11–12–000; Order No. 771]

Availability of E-Tag Information to Commission Staff

AGENCY: Federal Energy Regulatory Commission, DOE.

ACTION: Final rule.

SUMMARY: In this Final Rule, the Federal Energy Regulatory Commission (the Commission) is amending its regulations, pursuant to sections 222 and 307(a) of the Federal Power Act (FPA), to grant Commission access, on a non-public and ongoing basis, to the complete electronic tags (e-Tags) used to schedule the transmission of electric power interchange transactions in wholesale markets. This Final Rule will require e-Tag Authors (through their Agent Service) and Balancing Authorities (through their Authority Service) to take appropriate steps to ensure Commission access to the e-Tags covered by this Final Rule by designating the Commission as an addressee on the e-Tags. After the Commission is designated as an addressee, the Commission will access the e-Tags by contracting with a commercial vendor. The commercial vendor will provide data management services and receive e-Tags addressed to the Commission. The information made available under this Final Rule will bolster the Commission’s market surveillance and analysis efforts by helping the Commission to detect and prevent market manipulation and anticompetitive behavior. This information will also help the Commission monitor the efficiency of markets and better inform Commission policies and decision-making, thereby helping to ensure just and reasonable rates. In addition, this Final Rule will require that e-Tag information be made available to regional transmission organizations and independent system operators and their Market Monitoring Units, upon request to e-Tag Authors and Authority Services, subject to appropriate confidentiality restrictions.

DATES: Effective Date: This Final Rule will become effective February 26, 2013.

FOR FURTHER INFORMATION CONTACT:
    Maria Vouras (Technical Information), Office of Enforcement, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, Telephone: (202) 502–8062, Email: maria.vouras@ferc.gov.
    William Sauer (Technical Information), Office of Energy Policy and Innovation, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, Telephone: (202) 502–6639, Email: william.sauer@ferc.gov.
    Gary D. Cohen (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, Telephone: (202) 502–8321, Email: gary.cohen@ferc.gov.

SUPPLEMENTARY INFORMATION:

Order No. 771

Final Rule

Table of Contents (entry: Paragraph No.)

I. Background: 3
II. Discussion: 10
    A. Legal Authority to Require E-Tag Access: 10
        1. E-Tag NOPR: 10
        2. Comments: 11
        3. Commission Determination: 14
    B. Need for Commission Access to E-Tag Information: 22
        1. E-Tag NOPR: 22
        2. Comments: 23
        3. Commission Determination: 28
    C. Implementing the Commission’s E-Tag Access: 34
        1. E-Tag NOPR: 34
        2. Comments: 35
        3. Commission Determination: 40
    D. Providing E-Tag Access to MMUs, RTOs and ISOs: 43
        1. E-Tag NOPR: 43
        2. Comments: 44
        3. Commission Determination: 53
    E. Confidentiality of Data: 56
        1. E-Tag NOPR: 56
        2. Comments: 57
        3. Commission Determination: 59
III. Information Collection Statement: 61
IV. Regulatory Flexibility Act: 69
V. Document Availability: 71
VI. Effective Date and Congressional Notification: 74

Before Commissioners: Jon Wellinghoff, Chairman; Philip D. Moeller, John R. Norris, Cheryl A. LaFleur, and Tony T. Clark.

Issued December 20, 2012.

    1. In this Final Rule, the Federal Energy Regulatory Commission (Commission) is amending its regulations, pursuant to sections 222 and 307(a) of the Federal Power Act


[Federal Register Volume 77, Number 249 (Friday, December 28, 2012)]
[Rules and Regulations]
[Pages 76356-76367]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2012-31273]


=======================================================================
-----------------------------------------------------------------------

COMMODITY FUTURES TRADING COMMISSION

17 CFR Part 160


Privacy of Consumer Financial Information Under Title V of the 
Gramm-Leach-Bliley Act

CFR Correction

    In Title 17 of the Code of Federal Regulations, Parts 1 to 199, 
revised as of April 1, 2012, on page 958, appendices A and B to part 
160 are reinstated to read as follows:

Appendix A to Part 160--Model Privacy Form

    A. The Model Privacy Form

[GRAPHIC] [TIFF OMITTED] TR28DE12.003 through TR28DE12.009 (the Model Privacy Form, printed on pages 76357-76363)

B. General Instructions

1. How the Model Privacy Form Is Used
    (a) The model form may be used, at the option of a financial 
institution, including a group of financial institutions that use a 
common privacy notice, to meet the content requirements of the privacy 
notice and opt-out notice set forth in Sec. Sec.  160.6 and 160.7 of 
this part.
    (b) The model form is a standardized form, including page layout, 
content, format, style, pagination, and shading. Institutions seeking 
to obtain the safe harbor through use of the model form may modify it 
only as described in these Instructions.
    (c) Note that disclosure of certain information, such as assets, 
income, and information from a consumer reporting agency, may give rise 
to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681-
1681x] (FCRA), such as a requirement to permit a consumer to opt out of 
disclosures to affiliates or designation as a consumer reporting agency 
if disclosures are made to nonaffiliated third parties.
    (d) The word ``customer'' may be replaced by the word ``member'' 
whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
    The model form consists of two pages, which may be printed on both 
sides of a single sheet of paper, or may appear on two separate pages. 
Where an institution provides a long list of institutions at the end of 
the model form in accordance with Instruction C.3(a)(1), or provides 
additional information in accordance with Instruction C.3(c), and such 
list or additional information exceeds the space available on page two 
of the model form, such list or additional information may extend to a 
third page.
    (a) Page One. The first page consists of the following components:
    (1) Date last revised (upper right-hand corner).
    (2) Title.
    (3) Key frame (Why?, What?, How?).
    (4) Disclosure table (``Reasons we can share your personal 
information'').
    (5) ``To limit our sharing'' box, as needed, for the financial 
institution's opt-out information.
    (6) ``Questions'' box, for customer service contact information.
    (7) Mail-in opt-out form, as needed.
    (b) Page Two. The second page consists of the following components:
    (1) Heading (Page 2).
    (2) Frequently Asked Questions (``Who we are'' and ``What we do'').
    (3) Definitions.
    (4) ``Other important information'' box, as needed.
3. The Format of the Model Privacy Form
    The format of the model form may be modified only as described 
below.
    (a) Easily readable type font. Financial institutions that use the 
model form must use an easily readable type font. While a number of 
factors together produce easily readable type font, institutions are 
required to use a minimum of 10-point font (unless otherwise expressly 
permitted in these Instructions) and sufficient spacing between the 
lines of type.
    (b) Logo. A financial institution may include a corporate logo on 
any page of the notice, so long as it does not interfere with the 
readability of the model form or the space constraints of each page.
    (c) Page size and orientation. Each page of the model form must be 
printed on paper in portrait orientation, the size of which must be 
sufficient to meet the layout and minimum font size requirements, with 
sufficient white space on the top, bottom, and sides of the content.
    (d) Color. The model form must be printed on white or light color 
paper (such as cream) with black or other contrasting ink color. Spot 
color may be used to achieve visual interest, so long as the color 
contrast is distinctive and the color does not detract from the 
readability of the model form. Logos may also be printed in color.
    (e) Languages. The model form may be translated into languages 
other than English.

C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as described 
below:
1. Name of the Institution or Group of Affiliated Institutions 
Providing the Notice
    Insert the name of the financial institution providing the notice 
or a common identity of affiliated institutions jointly providing the 
notice on the form wherever [name of financial institution] appears.
2. Page One
    (a) Last revised date. The financial institution must insert in the 
upper right-hand corner the date on which the notice was last revised. 
The information shall appear in minimum 8-point font as ``rev. [month/year]'' using 
either the name or number of the month, such as ``rev. July 2009'' or 
``rev. 7/09''.
    (b) General instructions for the ``What?'' box.
    (1) The bulleted list identifies the types of personal information 
that the institution collects and shares. All institutions must use the 
term ``Social Security number'' in the first bullet.
    (2) Institutions must use five (5) of the following terms to 
complete the bulleted list: Income; account balances; payment history; 
transaction history; transaction or loss history; credit history; 
credit scores; assets; investment experience; credit-based insurance 
scores; insurance claim history; medical information; overdraft 
history; purchase history; account transactions; risk tolerance; 
medical-related debts; credit card or other debt; mortgage rates and 
payments; retirement assets; checking account information; employment 
information; wire transfer instructions.
    (c) General instructions for the disclosure table. The left column 
lists reasons for sharing or using personal information. Each reason 
correlates to a specific legal provision described in paragraph C.2(d) 
of this Instruction. In the middle column, each institution must 
provide a ``Yes'' or ``No'' response that accurately reflects its 
information sharing policies and practices with respect to the reason 
listed on the left. In the right column, each institution must provide 
in each box one of the following three (3) responses, as applicable, 
that reflects whether a consumer can limit such sharing: ``Yes'' if it 
is required to or voluntarily provides an opt-out; ``No'' if it does 
not provide an opt-out; or ``We don't share'' if it answers ``No'' in 
the middle column. Only the sixth row (``For our affiliates to market 
to you'') may be omitted at the option of the institution. See 
paragraph C.2(d)(6) of this Instruction.
    (d) Specific disclosures and corresponding legal provisions.
    (1) For our everyday business purposes. This reason incorporates 
sharing information under Sec. Sec.  160.14 and 160.15 and with service 
providers pursuant to Sec.  160.13 of this part other than the purposes 
specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.
    (2) For our marketing purposes. This reason incorporates sharing 
information with service providers by an institution for its own 
marketing pursuant to Sec.  160.13 of this part. An institution that 
shares for this reason may choose to provide an opt-out.
    (3) For joint marketing with other financial companies. This reason 
incorporates sharing information under joint marketing agreements 
between two or more financial institutions and with any service 
provider used in connection with such agreements pursuant to Sec.  
160.13 of this part. An institution that shares for this reason may 
choose to provide an opt-out.
    (4) For our affiliates' everyday business purposes--information 
about transactions and experiences. This reason incorporates sharing 
information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. 
An institution that shares for this reason may choose to provide an 
opt-out.
    (5) For our affiliates' everyday business purposes--information 
about creditworthiness. This reason incorporates sharing information 
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that 
shares for this reason must provide an opt-out.
    (6) For our affiliates to market to you. This reason incorporates 
sharing information specified in section 624 of the FCRA. This reason 
may be omitted from the disclosure table when: the institution does not 
have affiliates (or does not disclose personal information to its 
affiliates); the institution's affiliates do not use personal 
information in a manner that requires an opt-out; or the institution 
provides the affiliate marketing notice separately. Institutions that 
include this reason must provide an opt-out of indefinite duration. An 
institution not required to provide an opt-out under this subparagraph 
may elect to include this reason in the model form. Note: The CFTC's 
Regulations do not address the affiliate marketing rule.
    (7) For nonaffiliates to market to you. This reason incorporates 
sharing described in Sec. Sec.  160.7 and 160.10(a) of this part. An 
institution that shares personal information for this reason must 
provide an opt-out.
    (e) To limit our sharing: A financial institution must include this 
section of the model form only if it provides an opt-out. The word 
``choice'' may be written in either the singular or plural, as 
appropriate. Institutions must select one or more of the applicable 
opt-out methods described: telephone, such as by a toll-free number; a 
Web site; or use of a mail-in opt-out form. Institutions may include 
the words ``toll-free'' before telephone, as appropriate. An 
institution that allows consumers to opt out online must provide either 
a specific Web address that takes consumers directly to the opt-out 
page or a general Web address that provides a clear and conspicuous 
direct link to the opt-out page. The opt-out choices made available to 
the consumer who contacts the institution through these methods must 
correspond accurately to the ``Yes'' responses in the third column of 
the disclosure table. In the part titled ``Please note'' institutions 
may insert a number that is 30 or greater in the space marked ``[30].'' 
Instructions on voluntary or state privacy law opt-out information are 
in paragraph C.2(g)(5) of these Instructions.
    (f) Questions box. Customer service contact information must be 
inserted as appropriate, where [phone number] or [Web site] appear. 
Institutions may elect to provide either a phone number, such as a 
toll-free number, or a Web address, or both. Institutions may include 
the words ``toll-free'' before the telephone number, as appropriate.
    (g) Mail-in opt-out form. Financial institutions must include this 
mail-in form only if they state in the ``To limit our sharing'' box 
that consumers can opt out by mail. The mail-in form must provide opt-
out options that correspond accurately to the ``Yes'' responses in the 
third column in the disclosure table. Institutions that require 
customers to provide only name and address may omit the section 
identified as ``[account #].'' Institutions that require 
additional or different information, such as a random opt-out number or 
a truncated account number, to implement an opt-out election should 
modify the ``[account #]'' reference accordingly. This includes 
institutions that require customers with multiple accounts to identify 
each account to which the opt-out should apply. An institution must 
enter its opt-out mailing address: in the far right of this form (see 
version 3); or below the form (see version 4). The reverse side of the 
mail-in opt-out form must not include any content of the model form.
    (1) Joint accountholder. Only institutions that provide their joint 
accountholders the choice to opt out for only one accountholder, in 
accordance with paragraph C.3(a)(5) of these Instructions, must include 
in the far left column of the mail-in form the following statement: 
``If you have a joint account, your choice(s) will apply to everyone on 
your account unless you mark below. Apply my choice(s) only to me.'' 
The word ``choice'' may be written in either the singular or plural, as 
appropriate. Financial institutions that provide insurance products or 
services, provide this option, and elect to use the model form may 
substitute the word ``policy'' for ``account'' in this statement. 
Institutions that do not provide this option may eliminate this left 
column from the mail-in form.

    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution 
shares personal information pursuant to section 603(d)(2)(A)(iii) of 
the FCRA, it must include in the mail-in opt-out form the following 
statement: ``Do not share information about my creditworthiness with 
your affiliates for their everyday business purposes.''
    (3) FCRA Section 624 opt-out. If the institution incorporates 
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these 
Instructions, it must include in the mail-in opt-out form the following 
statement: ``Do not allow your affiliates to use my personal 
information to market to me.''
    (4) Nonaffiliate opt-out. If the financial institution shares 
personal information pursuant to Sec.  160.10(a) of this part, it must 
include in the mail-in opt-out form the following statement: ``Do not 
share my personal information with nonaffiliates to market their 
products and services to me.''
    (5) Additional opt-outs. Financial institutions that use the 
disclosure table to provide opt-out options beyond those required by 
Federal law must provide those opt-outs in this section of the model 
form. A financial institution that chooses to offer an opt-out for its 
own marketing in the mail-in opt-out form must include one of the two 
following statements: ``Do not share my personal information to market 
to me.'' or ``Do not use my personal information to market to me.'' A 
financial institution that chooses to offer an opt-out for joint 
marketing must include the following statement: ``Do not share my 
personal information with other financial institutions to jointly 
market to me.''
    (h) Barcodes. A financial institution may elect to include a 
barcode and/or ``tagline'' (an internal identifier) in 6-point font at 
the bottom of page one, as needed for information internal to the 
institution, so long as these do not interfere with the clarity or text 
of the form.
3. Page Two
    (a) General Instructions for the Questions. Certain of the 
Questions may be customized as follows:
    (1) ``Who is providing this notice?'' This question may be omitted 
where only one financial institution provides the model form and that 
institution is clearly identified in the title on page one. Two or more 
financial institutions that jointly provide the model form must use 
this question to identify themselves as required by Sec.  160.9(f) of 
this part. Where the list of institutions exceeds four (4) lines, the 
institution must describe in the response to this question the general 
types of institutions jointly providing the notice and must separately 
identify those institutions, in minimum 8-point font, directly 
following the ``Other important information'' box, or, if that box is 
not included in the institution's form, directly following the 
``Definitions.'' The list may appear in a multi-column format.
    (2) ``How does [name of financial institution] protect my personal 
information?'' The financial institution may only provide additional 
information pertaining to its safeguards practices following the 
designated response to this question. Such information may include 
information about the institution's use of cookies or other measures it 
uses to safeguard personal information. Institutions are limited to a 
maximum of 30 additional words.
    (3) ``How does [name of financial institution] collect my personal 
information?'' Institutions must use five (5) of the following terms to 
complete the bulleted list for this question: Open an account; deposit 
money; pay your bills; apply for a loan; use your credit or debit card; 
seek financial or tax advice; apply for insurance; pay insurance 
premiums; file an insurance claim; seek advice about your investments; 
buy securities from us; sell securities to us; direct us to buy 
securities; direct us to sell your securities; make deposits or 
withdrawals from your account; enter into an investment advisory 
contract; give us your income information; provide employment 
information; give us your employment history; tell us about your 
investment or retirement portfolio; tell us about your investment or 
retirement earnings; apply for financing; apply for a lease; provide 
account information; give us your contact information; pay us by check; 
give us your wage statements; provide your mortgage information; make a 
wire transfer; tell us who receives the money; tell us where to send 
the money; show your government-issued ID; show your driver's license; 
order a commodity futures or option trade. Institutions that collect 
personal information from their affiliates and/or credit bureaus must 
include after the bulleted list the following statement: ``We also 
collect your personal information from others, such as credit bureaus, 
affiliates, or other companies.'' Institutions that do not collect 
personal information from their affiliates or credit bureaus but do 
collect information from other companies must include the following 
statement instead: ``We also collect your personal information from 
other companies.'' Only institutions that do not collect any personal 
information from affiliates, credit bureaus, or other companies can 
omit both statements.
    (4) ``Why can't I limit all sharing?'' Institutions that describe 
state privacy law provisions in the ``Other important information'' box 
must use the bracketed sentence: ``See below for more on your rights 
under state law.'' Other institutions must omit this sentence.
    (5) ``What happens when I limit sharing for an account I hold 
jointly with someone else?'' Only financial institutions that provide 
opt-out options must use this question. Other institutions must omit 
this question. Institutions must choose one of the following two 
statements to respond to this question: ``Your choices will apply to 
everyone on your account.'' or ``Your choices will apply to everyone on 
your account--unless you tell us otherwise.'' Financial institutions 
that provide insurance products or services and elect to use the model 
form may substitute the word ``policy'' for ``account'' in these 
statements.
    (b) General Instructions for the Definitions.
    The financial institution must customize the space below the 
responses to the three definitions in this section. This specific 
information must be in italicized lettering to set off the information 
from the standardized definitions.
    (1) Affiliates. As required by Sec.  160.6(a)(3) of this part, 
where [affiliate information] appears, the financial institution must:
    (i) If it has no affiliates, state: ``[name of financial 
institution] has no affiliates'';
    (ii) If it has affiliates but does not share personal information, 
state: ``[name of financial institution] does not share with our 
affiliates''; or
    (iii) If it shares with its affiliates, state, as applicable: ``Our 
affiliates include companies with a [common corporate identity of 
financial institution] name; financial companies such as [insert 
illustrative list of companies]; nonfinancial companies, such as 
[insert illustrative list of companies]; and others, such as [insert 
illustrative list].''
    (2) Nonaffiliates. As required by Sec.  160.6(c)(3) of this part, 
where [nonaffiliate information] appears, the financial institution 
must:
    (i) If it does not share with nonaffiliated third parties, state: 
``[name of financial institution] does not share with nonaffiliates so 
they can market to you''; or
    (ii) If it shares with nonaffiliated third parties, state, as 
applicable: ``Nonaffiliates we share with can include [list categories 
of companies such as mortgage companies, insurance companies, direct marketing 
companies, and nonprofit organizations].''
    (3) Joint Marketing. As required by Sec.  160.13 of this part, 
where [joint marketing] appears, the financial institution must:
    (i) If it does not engage in joint marketing, state: ``[name of 
financial institution] doesn't jointly market''; or
    (ii) If it shares personal information for joint marketing, state, 
as applicable: ``Our joint marketing partners include [list categories 
of companies such as credit card companies].''
    (c) General instructions for the ``Other important information'' 
box. This box is optional. The space provided for information in this 
box is not limited. Only the following types of information can appear 
in this box.
    (1) State and/or international privacy law information; and/or
    (2) Acknowledgment of receipt form.

[74 FR 62975, Dec. 1, 2009]

Appendix B to Part 160--Sample Clauses

    This appendix only applies to privacy notices provided before 
January 1, 2011. Financial institutions, including a group of 
financial holding company affiliates that use a common privacy 
notice, may use the following sample clauses, if the clause is 
accurate for each institution that uses the notice. Note that 
disclosure of certain information, such as assets, income and 
information from a consumer reporting agency, may give rise to 
obligations under the Fair Credit Reporting Act, such as a 
requirement to permit a consumer to opt out of disclosures to 
affiliates or designation as a consumer reporting agency if 
disclosures are made to nonaffiliated third parties.

A-1--Categories of Information You Collect (All Institutions)

    You may use this clause, as applicable, to meet the requirement 
of Sec.  160.6(a)(1) to describe the categories of nonpublic 
personal information you collect.

Sample Clause A-1

    We collect nonpublic personal information about you from the 
following sources:
    - Information we receive from you on applications or 
other forms;
    - Information about your transactions with us, our 
affiliates or others; and
    - Information we receive from a consumer reporting 
agency.

A-2--Categories of Information You Disclose (Institutions That Disclose 
Outside of the Exceptions)

    You may use one of these clauses, as applicable, to meet the 
requirement of Sec.  160.6(a)(2) to describe the categories of 
nonpublic personal information you disclose. You may use these 
clauses if you disclose nonpublic personal information other than as 
permitted by the exceptions in Sec. Sec.  160.13, 160.14 and 160.15.

Sample Clause A-2, Alternative 1

    We may disclose the following kinds of nonpublic personal 
information about you:
    - Information we receive from you on applications or 
other forms, such as [provide illustrative examples, such as ``your 
name, address, Social Security number, assets and income''];
    - Information about your transactions with us, our 
affiliates or others, such as [provide illustrative examples, such 
as ``your account balance, payment history, parties to transactions 
and credit card usage'']; and
    - Information we receive from a consumer reporting 
agency, such as [provide illustrative examples, such as ``your 
creditworthiness and credit history''].

Sample Clause A-2, Alternative 2

    We may disclose all of the information that we collect, as 
described [describe location in the notice, such as ``above'' or 
``below''].

A-3--Categories of Information You Disclose and Parties To Whom You 
Disclose (Institutions That Do Not Disclose Outside of the Exceptions)

    You may use this clause, as applicable, to meet the requirements 
of Sec. Sec.  160.6(a)(2), (3) and (4) to describe the categories of 
nonpublic personal information about customers and former customers 
that you disclose and the categories of affiliates and nonaffiliated 
third parties to whom you disclose. You may use this clause if you 
do not disclose nonpublic personal information to any party, other 
than as is permitted by the exceptions in Sec. Sec.  160.14 and 
160.15.

Sample Clause A-3

    We do not disclose any nonpublic personal information about our 
customers or former customers to anyone, except as permitted by law.

A-4--Categories of Parties To Whom You Disclose (Institutions That 
Disclose Outside of the Exceptions)

    You may use this clause, as applicable, to meet the requirement 
of Sec.  160.6(a)(3) to describe the categories of affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information. You may use this clause if you disclose nonpublic 
personal information other than as permitted by the exceptions in 
Sec. Sec.  160.13, 160.14 and 160.15, as well as when permitted by 
the exceptions in Sec. Sec.  160.14 and 160.15.

Sample Clause A-4

    We may disclose nonpublic personal information about you to the 
following types of third parties:
    - Financial service providers, such as [provide 
illustrative examples, such as ``mortgage bankers''];
    - Non-financial companies, such as [provide illustrative 
examples, such as ``retailers, direct marketers, airlines and 
publishers'']; and
    - Others, such as [provide illustrative examples, such as 
``non-profit organizations''].
    We may also disclose nonpublic personal information about you to 
nonaffiliated third parties as permitted by law.

A-5--Service Provider/Joint Marketing Exception

    You may use one of these clauses, as applicable, to meet the 
requirements of Sec.  160.6(a)(5) related to the exception for 
service providers and joint marketers in Sec.  160.13. If you 
disclose nonpublic personal information under this exception, you 
must describe the categories of nonpublic personal information you 
disclose and the categories of third parties with whom you have 
contracted.

Sample Clause A-5, Alternative 1

    We may disclose the following information to companies that 
perform marketing services on our behalf or to other financial 
institutions with which we have joint marketing agreements:
    - Information we receive from you on applications or 
other forms, such as [provide illustrative examples, such as ``your 
name, address, Social Security number, assets and income''];
    - Information about your transactions with us, our 
affiliates, or others, such as [provide illustrative examples, such 
as ``your account balance, payment history, parties to transactions 
and credit card usage'']; and
    - Information we receive from a consumer reporting 
agency, such as [provide illustrative examples, such as ``your 
creditworthiness and credit history''].

Sample Clause A-5, Alternative 2

    We may disclose all of the information we collect, as described 
[describe location in the notice, such as ``above'' or ``below''] to 
companies that perform marketing services on our behalf or to other 
financial institutions with which we have joint marketing 
agreements.

A-6--Explanation of Opt Out Right (Institutions That Disclose Outside 
of the Exceptions)

    You may use this clause, as applicable, to meet the requirement 
of Sec.  160.6(a)(6) to provide an explanation of the consumer's 
right to opt out of the disclosure of nonpublic personal information 
to nonaffiliated third parties, including the method(s) by which the 
consumer may exercise that right. You may use this clause if you 
disclose nonpublic personal information other than as permitted by 
the exceptions in Sec. Sec.  160.13, 160.14 and 160.15.

Sample Clause A-6

    If you prefer that we not disclose nonpublic personal 
information about you to nonaffiliated third parties you may opt out 
of those disclosures; that is, you may direct us not to make those 
disclosures (other than disclosures permitted or required by law). 
If you wish to opt out of disclosures to nonaffiliated third 
parties, you may [describe a reasonable means of opting out, such as 
``call the following toll-free number: (insert number)''].

A-7--Confidentiality and Security (All Institutions)

    You may use this clause, as applicable, to meet the requirement 
of Sec.  160.6(a)(8) to describe your policies and practices with 
respect to protecting the confidentiality and security of nonpublic 
personal information.

Sample Clause A-7

    We restrict access to nonpublic personal information about you 
to [provide an appropriate description, such as ``those employees 
who need to know that information to provide products or services to 
you'']. We maintain physical, electronic and procedural safeguards 
that comply with federal standards to safeguard your nonpublic 
personal information.

[66 FR 21252, Apr. 27, 2001, as amended at 74 FR 62984, Dec. 1, 
2009]

[FR Doc. 2012-31273 Filed 12-27-12; 8:45 am]