Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P), 27214-27230 [2014-10713]

Federal Register / Vol. 79, No. 92 / Tuesday, May 13, 2014 / Proposed Rules
BUREAU OF CONSUMER FINANCIAL PROTECTION

12 CFR Part 1016

[Docket No. CFPB–2014–0010]

RIN 3170–AA39

Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P)

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Proposed rule with request for comment.

SUMMARY: The Bureau of Consumer Financial Protection (Bureau) is proposing to amend Regulation P, which among other things requires that financial institutions provide an annual disclosure of their privacy policies to their customers. The amendment would create an alternative delivery method for this annual disclosure, which financial institutions would be able to use under certain circumstances.

DATES: Comments must be received on or before June 12, 2014.

ADDRESSES: You may submit comments, identified by Docket No. CFPB–2014–0010 or RIN 3170–AA39, by any of the following methods:

• Electronic: https://www.regulations.gov. Follow the instructions for submitting comments.

• Mail/Hand Delivery/Courier: Monica Jackson, Office of the Executive Secretary, Consumer Financial Protection Bureau, 1700 G Street NW., Washington, DC 20552.

Instructions: All submissions should include the agency name and docket number or Regulatory Information Number (RIN) for this rulemaking. Because paper mail in the Washington, DC area and at the Bureau is subject to delay, commenters are encouraged to submit comments electronically. In general, all comments received will be posted without change to https://www.regulations.gov. In addition, comments will be available for public inspection and copying at the Bureau’s offices in Washington, DC on official business days between the hours of 10 a.m. and 5 p.m. Eastern Time. You can make an appointment to inspect the documents by telephoning (202) 435–7275. All comments, including attachments and other supporting materials, will become part of the public record and subject to public disclosure. Sensitive personal information, such as account numbers or Social Security numbers, should not be included.

FOR FURTHER INFORMATION CONTACT: Nora Rigby and Joseph Devlin, Counsels; Office of Regulations, at (202) 435–7700.

SUPPLEMENTARY INFORMATION:

I. Summary of the Proposed Rule

The Gramm-Leach-Bliley Act (GLBA)[1] mandates that financial institutions provide their customers with initial and annual notices regarding their privacy policies. If financial institutions share certain customer information with particular types of third parties, the institutions are also required to provide notice to their customers and an opportunity to opt out of the sharing. Many financial institutions currently mail printed copies of the annual GLBA privacy notices to their customers, but have expressed concern that this practice causes information overload for consumers and unnecessary expense. In response to such concerns, the Bureau is proposing to allow financial institutions that do not engage in certain types of information-sharing activities to stop mailing an annual disclosure if they post the annual notices on their Web sites and meet certain other conditions.
Specifically, the proposal would allow financial institutions to use the proposed alternative delivery method for annual privacy notices if: (1) The financial institution does not share the customer’s nonpublic personal information with nonaffiliated third parties in a manner that triggers GLBA opt-out rights; (2) the financial institution does not include on its annual privacy notice an opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA); (3) the financial institution’s annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the FCRA; (4) the information included in the privacy notice has not changed since the customer received the previous notice; and (5) the financial institution uses the model form provided in the GLBA’s implementing Regulation P. A financial institution would still be required to use the currently permitted delivery method if the institution, among other things, has changed its privacy practices or engages in information-sharing activities for which customers have a right to opt out.

In using the proposed alternative method, a financial institution would have to insert a clear and conspicuous statement at least once per year on a notice or disclosure the institution issues under any other provision of law announcing that: the annual privacy notice is available on the financial institution’s Web site; it will be mailed to customers who request it by calling a toll-free telephone number; and it has not changed. The financial institution would have to continuously post the annual privacy notice in a clear and conspicuous manner on a page of its Web site, without requiring a login or similar steps to access the notice. In addition, to assist customers with limited or no access to the internet, financial institutions would have to mail annual notices promptly to customers who request them by phone.

The proposal would apply to various types of financial institutions that provide consumer financial products and services. The Bureau is seeking comment on the proposal through June 12, 2014. The Bureau is also coordinating and consulting with other agencies that have authority to issue rules implementing GLBA with regard to certain other types of financial institutions, such as securities and futures traders, as well as consulting with other agencies that enforce the GLBA.

II. Background

A. The Statute and Regulation

The GLBA was enacted into law in 1999.[2] The GLBA, among other things, is intended to provide a comprehensive framework for regulating the privacy practices of an extremely broad range of entities. “Financial institutions” for purposes of the GLBA include not only depository institutions and nondepository institutions providing consumer financial products or services (such as payday lenders, mortgage brokers, check cashers, debt collectors, and remittance transfer providers), but also many businesses that do not offer or provide consumer financial products or services.

Rulemaking authority to implement the GLBA privacy provisions was initially spread among many agencies. The Federal Reserve Board (Board), the Office of Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS) jointly adopted final rules to implement the notice requirements of GLBA in 2000.[3] The National Credit Union Administration (NCUA), Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and Commodity Futures Trading Commission (CFTC) were part of the same interagency process, but issued their rules separately.[4] In 2009, all these agencies issued a joint final rule with a model form that financial institutions could use, at their option, to provide the required initial and annual privacy disclosures.[5] In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act)[6] transferred GLBA privacy notice rulemaking authority from the Board, NCUA, OCC, OTS, the FDIC, and the FTC (in part) to the Bureau.[7] The Bureau then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011.[8]

The Bureau has the authority to promulgate GLBA privacy rules for depository institutions and many nondepository institutions. However, rulewriting authority with regard to securities and futures-related companies is vested in the SEC and CFTC, respectively, and rulewriting authority with respect to certain motor vehicle dealers is vested in the FTC.[9] The Bureau has consulted and coordinated with these agencies and with the National Association of Insurance Commissioners (NAIC) concerning the proposed alternative delivery method.[10] The Bureau has also consulted with other appropriate federal agencies, as required under Section 1022 of the Dodd-Frank Act.

1. Annual Privacy Notices

The GLBA and its implementing regulation, Regulation P,[11] require that financial institutions[12] provide consumers with certain notices describing their privacy policies. Financial institutions are generally required to first provide an initial notice of these policies, and then an annual notice to customers every year that the relationship continues.[13] (When a financial institution has a continuing relationship with the consumer, an annual privacy notice is required and the consumer is then referred to as a “customer.”)[14] These notices describe whether and how the financial institution shares consumers’ nonpublic personal information,[15] including personally identifiable financial information, with other entities, and in some cases explain how consumers can opt out of certain types of sharing. The notices also briefly describe how financial institutions protect the nonpublic personal information they collect and maintain. Financial institutions typically use U.S. postal mail to send initial and annual privacy notices to consumers.

Implementing GLBA section 503, Regulation P generally requires the initial privacy notice,[16] and also mandates that financial institutions “provide a clear and conspicuous notice to customers that accurately reflects [their] privacy policies and practices not less than annually during the continuation of the customer relationship.”[17] Section 502 of the GLBA and Regulation P at § 1016.6(a)(6) also require that initial and annual notices inform customers of their right to opt out of certain financial institution sharing of nonpublic personal information with some types of nonaffiliated third parties. For example, customers have the right to opt out of a financial institution selling the names and addresses of its mortgage customers to an unaffiliated home insurance company and, therefore, the institution would have to provide an opt-out notice before it sells the information. On the other hand, financial institutions are not required to allow consumers to opt out of the institutions’ sharing involving third-party service providers, joint marketing arrangements, maintaining and servicing accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other activities that are specified in the statute and regulation as exceptions to the opt-out requirement.[18] If a financial institution limits its types of sharing to those which do not trigger opt-out rights, it may provide a “simplified” annual privacy notice to its customers that does not include opt-out information.[19]

In addition to opt-out rights under GLBA, financial institutions also may include in the annual privacy notice information about certain consumer opt-out rights under FCRA. The annual privacy disclosures under the GLBA/Regulation P and affiliate disclosures under the FCRA/Regulation V interact in two ways. First, section 603(d)(2)(A)(iii) of the FCRA excludes from the statute’s definition of a consumer report[20] the sharing of certain information about a consumer among affiliates if the consumer is notified of such sharing and is given an opportunity to opt out.[21] Section 503(c)(4) of the GLBA and Regulation P, in turn, generally require financial institutions providing their customers with initial and annual privacy notices to incorporate into them any notification and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA.[22] Second, section 624 of the FCRA and Regulation V’s Affiliate Marketing Rule provide that an affiliate of a financial institution that receives certain information[23] about a consumer from the financial institution may not use the information to make solicitations for marketing purposes unless the consumer is notified of such use and provided with an opportunity to opt out of that use.[24] Regulation V, in turn, permits (but does not require) financial institutions providing their customers with initial and annual privacy notices under Regulation P to incorporate any opt-out disclosures provided under section 624 of the FCRA and subpart C of Regulation V into those notices.[25]

2. Method of Delivering Annual Privacy Notices

Section 503 of the GLBA sets forth the requirement that financial institutions provide initial and annual privacy disclosures to a consumer. Specifically, it states that “a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, of such financial institution’s policies and practices with respect to” disclosing and protecting consumers’ nonpublic personal information.[26] Although financial institutions provide most annual privacy notices by U.S. postal mail, Regulation P allows financial institutions to provide notices electronically (e.g., by email) to customers with their consent.[27]

B. CFPB Streamlining Initiative

In pursuit of the Bureau’s goal of reducing unnecessary or unduly burdensome regulations, in December 2011, the Bureau issued a Request for Information seeking specific suggestions from the public for streamlining regulations the Bureau had inherited from other Federal agencies (Streamlining RFI). In that RFI, the Bureau specifically identified the annual privacy notice as a potential opportunity for streamlining and solicited comment on possible alternatives to delivering the annual privacy notice.[28]

Numerous industry commenters strongly advocated eliminating or limiting the annual notice requirement. They stated that most customers ignore annual privacy notices. Even if customers do read them, according to industry stakeholders, the content of these disclosures provides little benefit, especially if customers have no right to opt out of information sharing because the financial institution does not share nonpublic personal information in a way that triggers such rights. Financial institutions argued that mailing these notices imposes significant costs and that there are other ways of conveying to customers the information in the written notices just as effectively but at a lower cost. Several industry commenters suggested that if an institution’s privacy notice has not changed, the institution should be allowed to communicate on the consumer’s periodic statement, via email, or by some other cost-effective means that the annual privacy notice is available on its Web site or upon request, by phone.[29] A banking industry trade association and other industry commenters suggested that the Bureau eliminate or ease the annual notice requirement for financial institutions if their privacy policies have not changed and they do not share nonpublic personal information beyond the exceptions allowed by the GLBA (e.g., sharing nonpublic personal information with the servicer of an account). They argued that the GLBA exceptions were crafted to allow what Congress viewed as nonproblematic sharing and, therefore, the law does not permit consumers to opt out of such sharing.

[1] 15 U.S.C. 6801 et seq.

[2] Public Law 106–102.

[3] 65 FR 35162 (June 1, 2000).

[4] 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 40334 (June 29, 2000) (SEC final rule); 66 FR 21252 (Apr. 27, 2001) (CFTC final rule).

[5] 74 FR 62890 (Dec. 1, 2009).

[6] Public Law 111–203, 124 Stat. 1376 (2010).

[7] Public Law 111–203, section 1093. The FTC retained rulewriting authority over any financial institution that is a person described in 12 U.S.C. 5519 (i.e., motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).

[8] 76 FR 79025 (Dec. 21, 2011).

[9] 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b).

[10] In regard to any Regulation P rulemaking, section 504 of GLBA provides that each of the agencies authorized to prescribe GLBA regulations (currently the Bureau, FTC, SEC, and CFTC) “shall consult and coordinate with the other such agencies and, as appropriate, . . . with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, for the purpose of assuring, to the extent possible, that the regulations prescribed by each such agency are consistent and comparable with the regulations prescribed by the other such agencies.” 15 U.S.C. 6804(a)(2).

[11] 12 CFR part 1016.

[12] Regulation P defines “financial institution.” See 12 CFR 1016.3(l).

[13] 12 CFR 1016.4, 1016.5(a)(1).

[14] 12 CFR 1016.3(i).

[15] Regulation P defines “nonpublic personal information.” See 12 CFR 1016.3(p).

[16] 12 CFR 1016.4(a).

[17] 12 CFR 1016.5(a)(1) (emphasis added).

[18] 15 U.S.C. 6802(b)(2), (e); 12 CFR 1016.13, 1016.14, 1016.15.

[19] Section 1016.6(c)(5) allows financial institutions to provide “simplified notices” if they do not disclose, and do not wish to reserve the right to disclose, nonpublic personal information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under §§ 1016.14 and 1016.15. The exceptions at §§ 1016.14 and 1016.15 track statutory exemptions and cover a variety of situations, such as maintaining and servicing the customer’s account, securitization and secondary market sale, and fraud prevention. They directly exempt institutions from the opt-out requirements. The exception that includes service providers and joint marketing arrangements, at § 1016.13, is also statutory, but financial institutions that share according to this exception may not use the simplified notice, even though consumers cannot opt out of this sharing.

[20] The FCRA defines “consumer report” generally as “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for: (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 1681b of this title.” 15 U.S.C. 1681a.

[21] 15 U.S.C. 1681a(d)(2)(A)(iii).

[22] 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).

[23] The type of information to which section 624 applies is information that would be a consumer report, but for the exclusions provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA (i.e., a report solely containing information about transactions or experiences between the consumer and the institution making the report, communication of that information among persons related by common ownership or affiliated by corporate control, or communication of other information as discussed above).

[24] 15 U.S.C. 1681s–3 and 12 CFR pt. 1022, subpart C.

[25] 12 CFR 1022.23(b).

[26] 15 U.S.C. 6803(a) (emphasis added).

[27] 12 CFR 1016.9(a) states that a financial institution may deliver the notice electronically if the consumer agrees. After discussions with industry stakeholders, however, the Bureau believes that most consumers have not agreed to receive electronic disclosures.

[28] 76 FR 75825, 75828 (Dec. 5, 2011).
The need for an annual notice is thus less evident if a financial institution only shares nonpublic personal information pursuant to one of these exceptions. The trade association estimated that 75% of banks do not share beyond these exceptions and do not change their notices from year to year. Consumer advocacy groups generally stated that customers benefit from financial institutions providing them with printed annual privacy notices, which may remind customers of privacy 29 On a related issue, industry commenters stated that the annual notice causes confusion and unnecessary opt-out requests from customers who do not recall that they have already opted out in a previous year. As stated in the Supplementary Information to the Final Model Privacy Form Under the Gramm-Leach-Bliley Act, a financial institution is free to provide additional information in other, supplemental materials to customers if it wishes to do so. See 74 FR 62890, 62908 (Dec. 1, 2009). A financial institution could include supplemental materials advising those customers who previously opted out that they do not need to opt out again. VerDate Mar<15>2010 16:25 May 12, 2014 Jkt 232001 rights that they may not have exercised previously. Consumer representatives argued that these notices make customers aware of their privacy rights in regard to financial institutions, even if they have no opt-out rights. One compliance company commenter agreed with the consumer groups’ view of the importance of the notices. One advocacy group suggested that a narrow easing of annual notice requirements where a financial institution shares information only with affiliates might not be objectionable, although it did not support changing the current requirements. The Bureau did not receive any comment on the annual privacy notice change from privacy advocacy groups. C. 
Understanding the Effects of Certain Deposit Regulations—Study In November of 2013, the Bureau published a study assessing the effects of certain deposit regulations on financial institutions’ operations.30 This study provided operational insights from seven banks about their annual privacy notices.31 Many of these banks use third-party vendors, who design or distribute the notices on their behalf. All seven participants provided the annual notice as a separate mailing, which resulted in higher costs for postage, materials, and labor than if the notice were mailed with other material. Some financial institutions apparently send separate mailings to ensure that their disclosures are ‘‘clear and conspicuous,’’ 32 although 2009 guidance from the eight agencies promulgating the model privacy form explained that a separate mailing is not required.33 This separate mailing practice contrasts with the usual financial institution preference (particularly for smaller study participants) to bundle mailings with monthly statements. Indeed, subsequent Bureau outreach suggests that many financial institutions do mail the annual 30 Consumer Financial Protection Bureau, ‘‘Understanding the Effects of Certain Deposit Regulations on Financial Institutions’ Operations: Findings on Relative Costs for Systems, Personnel, and Processes at Seven Institutions’’ (Nov. 2013), available at https://files.consumerfinance.gov/f/ 201311_cfpb_report_findings-relative-costs.pdf. 31 Information collected for the study may be used to assist the Bureau in its investigations of ‘‘the effects of a potential or existing regulation on the business decisions of providers.’’ OMB Information Request—Control Number: 3170–0032. 32 15 U.S.C. 6803 (‘‘[In the initial and annual privacy notices] a financial institution shall provide a clear and conspicuous disclosure . . 
.’’); 12 CFR 1016.3(b)(1) (defining ‘‘clear and conspicuous’’ as ‘‘reasonably understandable and designed to call attention to the nature and significance of the information in the notice.’’) 33 See 74 FR 62890, 62897–62898. PO 00000 Frm 00006 Fmt 4702 Sfmt 4702 27217 privacy notice with other materials. Finally, while the study participants echoed the sentiment that few customers read privacy notices, participant banks with call centers also reported that after they send annual notices, the number of customers who call about the banks’ privacy policies increases. D. Further Outreach In addition to the consultations with other government agencies discussed above, while preparing this proposed rule the Bureau conducted further outreach to industry and consumer advocate stakeholders. The Bureau held meetings with consumer groups, including groups and participants with a specific interest in privacy issues. The Bureau also held meetings with industry groups that represent institutions that must comply with the annual privacy notice requirement, including banks, credit unions, mortgage servicers, and debt buyers. As with the responses to the Streamlining RFI, the consumer groups generally expressed the view that mailed privacy notices were useful, even when no opt-out rights were present, and that changes were not necessary. Among other comments, they suggested that the Bureau promote the use of the Regulation P model form. The industry participants also generally expressed similar views to those expressed by industry in response to the Streamlining RFI. They supported creation of an alternative delivery method for annual privacy notices.34 E. Privacy Considerations In developing the proposal, the Bureau considered its potential impact on consumer privacy. The proposal would not affect the collection or use of consumers’ nonpublic personal information by financial institutions. 
The proposal would expand the permissible methods by which financial institutions subject to Regulation P may deliver annual privacy notices to their customers in limited circumstances. Among other limitations, it would not expand the permissible delivery methods when financial institutions make various types of changes to their annual privacy notices or when their annual privacy notices afford customers the right to opt out of the sharing of their nonpublic personal information by financial institutions. The proposal is 34 Recently Congress considered proposed legislation that would provide burden relief as to annual privacy notices, though no law has been enacted. See, e.g., H.R. 749, passed by the House and referred to the Senate in March of 2013; and S. 635, introduced in the Senate in late 2013. E:\FR\FM\13MYP1.SGM 13MYP1 27218 Federal Register / Vol. 79, No. 92 / Tuesday, May 13, 2014 / Proposed Rules designed to ensure that when the alternative delivery method is used, customers would continue to have access to clear and conspicuous annual privacy notices. III. Legal Authority The Bureau is issuing this proposed rule pursuant to its authority under section 504 of the GLBA, as amended by section 1093 of the Dodd-Frank Act.35 The Bureau is also issuing this proposed rule pursuant to its authority under sections 1022 and 1061 of the DoddFrank Act.36 Prior to July 21, 2011, rulemaking authority for the privacy provisions of the GLBA was shared by eight federal agencies: the Board, the FDIC, the FTC, the NCUA, the OCC, the OTS, the SEC, and the CFTC. The Dodd-Frank Act amended a number of Federal consumer financial laws, including the GLBA. 
Among other changes, the Dodd-Frank Act transferred rulemaking authority for most of Subtitle A of Title V of the GLBA, with respect to financial institutions described in section 504(a)(1)(A) of the GLBA, from the Board, FDIC, FTC, NCUA, OCC, and OTS (collectively, the transferor agencies) to the Bureau, effective July 21, 2011. IV. Section-by-Section Analysis mstockstill on DSK4VPTVN1PROD with PROPOSALS Section 1016.9—Delivering Privacy and Opt-Out Notices Existing § 1016.9 describes how a financial institution must provide both the initial notice required by § 1016.4 and the annual notice required by § 1016.5. Specifically, § 1016.9(a) requires the notice to be provided so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. Section 1016.9(b) provides examples of delivery that would result in reasonable expectation of actual notice, including hand delivery, delivery by mail, or electronic delivery for consumers who conduct transactions electronically. Section 1016.9(c) provides examples regarding reasonable expectation of actual notice that apply to annual notices only. The Bureau believes that use of the alternative delivery method by financial institutions that meet the requirements discussed below is likely to reduce information overload, specifically by eliminating duplicative paper privacy notices in situations in which the customer generally has no ability to opt out of the financial institution’s 35 15 36 12 U.S.C. 6804. U.S.C. 5512, 5581. VerDate Mar<15>2010 16:25 May 12, 2014 Jkt 232001 information sharing.37 Moreover, the Bureau believes that the proposed rule’s alternative delivery method would be likely to decrease the burden on financial institutions of delivering notices,38 while generally continuing to require delivery of notices pursuant to the existing requirements in situations in which customers can opt out of information sharing. 
[37] The Bureau notes that the proposed alternative delivery method would be available even where a financial institution offers a notice and opt out under the Affiliate Marketing Rule, subpart C of 12 CFR part 1022, which relates to marketing based on information shared by a financial institution, as long as the Affiliate Marketing Rule notice and opt out is also provided separately from the Regulation P privacy notice. See the section-by-section discussion of proposed § 1016.9(c)(2)(i)(C), below.

[38] The Bureau notes that under current Regulation P, financial institutions are not required to deliver the privacy notice separately from other documents, although the Bureau believes that many financial institutions do so.

In response to the Streamlining RFI, a banking industry trade association estimated that 75% of banks do not change their notices from year to year and do not share information in a way that gives rise to customer opt-out rights. Accordingly, the Bureau believes that a large number of banks would be able to use the proposed alternative delivery method. Bureau outreach also suggests that a large majority of credit unions and many non-depository financial institutions would benefit from being able to use the alternative delivery method. In addition, because small financial institutions appear to be less likely to share their customers’ nonpublic personal information in a way that triggers customers’ opt-out rights, it is likely that many of them could decrease their costs through the use of the alternative delivery method.

Under the alternative delivery method, customers would have access via financial institutions’ Web sites (or by postal mail on request) to annual privacy notices that use the model form, that generally do not inform customers of any right to opt out, and that convey the same information as in previous notices. Further, financial institutions would be required to post their privacy notice continuously on their Web sites and thus customers would be able to access the privacy notice throughout the year rather than waiting for an annual mailing.[39] Financial institutions would be required to deliver to customers an annual reminder, on another notice or disclosure, of the availability of the privacy notice on the institution’s Web site. In light of these considerations, the Bureau believes that where the conditions set forth in the proposed rule are satisfied, any incremental benefit in terms of customers’ awareness of privacy issues that might accrue from requiring delivery pursuant to the existing methods of the annual privacy notice could be outweighed by the costs of providing the notice, costs that ultimately may be passed through to customers.

[39] Fostering comparison shopping by consumers among financial institutions was one of the objectives that GLBA model privacy notices, primarily initial privacy notices, were intended to accomplish. See 15 U.S.C. 6803(e). Facilitating comparison shopping based on privacy policies was also mentioned repeatedly in the preamble to the model privacy notice rule. See 74 FR 62890 (Dec. 1, 2009). The Bureau invites empirical data on whether consumers do comparison shop among financial institutions based on privacy notices.
The Bureau has determined that the specific language of section 503(a) of the GLBA grants some latitude in specifying by rule the method of conveying the annual notices, so long as a "clear and conspicuous disclosure" is provided "in writing or in electronic form or other form permitted by the regulations." This statutory interpretation would apply only to the specific type of disclosure involved in the limited circumstances proposed pursuant to the specific language of GLBA section 503.[40]

[40] While the agencies previously charged with GLBA privacy notice rulemaking authority appear to have read the statutory grant of authority more restrictively (see, e.g., 65 FR at 35174 (June 1, 2000)), those agencies did not cite or interpret the statutory language quoted above and were not considering a form of electronic notice. Commenters to the agencies’ proposed rule had suggested that the notice (including opt outs) be available only on request, or that a short-form notice be permitted in certain circumstances, and the agencies interpreted the statute as not allowing such arrangements. The Bureau’s proposed rule’s disclosure strategy is very different, and allows immediate access to the privacy notice for the overwhelming majority of customers. Further, circumstances have changed since the 2000 rulemaking. In 2000, only 41.5% of U.S. households had internet access at home. In contrast, as of 2012, 74.8% of U.S. households had internet access at home and 80% of U.S. adults were using the internet, thus making easy access to electronic notices significantly more widespread. See U.S. Census data, "Households With a Computer and Internet Use: 1984 to 2012," available at https://www.census.gov/hhes/computer/publications/2012.html and Pew Research Internet Project, available at https://www.pewinternet.org/2014/02/27/summary-of-findings-3/.

The Bureau seeks data and other information concerning the effect on customer privacy rights if financial institutions were to use the alternative delivery method rather than their current delivery method. The Bureau further requests comment on whether the proposed alternative delivery method would be effective in reducing the potential for information overload on customers and reducing the burden on financial institutions of mailing hard copy privacy notices.

The Bureau also has been informed by some financial institutions and consumer advocates that financial institutions and customers are unnecessarily burdened by redundant opt-out requests because customers who receive the privacy notice are often unaware that they have previously opted out of information sharing. The Bureau notes that a financial institution may currently include with its privacy notice a separate notice explaining a customer’s opt-out status, though the Bureau does not believe that many financial institutions do so. Although the Bureau is not proposing to change the model form or instructions in Regulation P at this time, the Bureau requests comment on whether financial institutions would want to include on the privacy notice itself a statement describing the customer’s opt-out status.

Lastly, the Bureau notes that the proposed alternative delivery method would be available where customers have already consented to receive their privacy notices electronically pursuant to § 1016.9(a) and invites comment regarding how often privacy notices are delivered electronically under existing Regulation P. The Bureau further invites comment on whether the proposed alternative delivery method is appropriate for customers who already receive privacy notices electronically and whether financial institutions that currently provide the notice electronically would be likely to use the proposed alternative delivery method.
9(c)(2) Alternative Method for Providing Certain Annual Notices

9(c)(2)(i)

Proposed § 1016.9(c)(2) sets forth an alternative to § 1016.9(a) for providing certain annual notices. (Existing § 1016.9(c) would be redesignated as § 1016.9(c)(1) and its subparagraphs redesignated as § 1016.9(c)(1)(i) and (ii), respectively, to accommodate the new addition. The Bureau is also proposing to add a heading to new paragraph (c)(1) for technical reasons.) Specifically, proposed § 1016.9(c)(2)(i) would provide that, notwithstanding the general requirement in § 1016.9(a) that a notice be provided so that each consumer can reasonably be expected to receive actual notice, a financial institution may use the alternative method set forth in proposed § 1016.9(c)(2)(ii) to satisfy the requirement in § 1016.5(a)(1) to provide an annual notice if the institution meets certain conditions as specified in proposed § 1016.9(c)(2)(i)(A) through (E), which are discussed in detail below. The Bureau invites comment generally on the conditions in proposed § 1016.9(c)(2)(i)(A) through (E) and whether any of those conditions should not be required or whether additional conditions should be added. The Bureau notes that the proposed alternative delivery method would not alter the requirement in § 1016.5(a)(1) that the notice be provided annually.

9(c)(2)(i)(A)

Proposed § 1016.9(c)(2)(i)(A) would set forth the first condition for using the alternative delivery method: that the financial institution does not share the customer’s information with nonaffiliated third parties other than through the activities specified under §§ 1016.13, 1016.14 and 1016.15 that do not trigger opt-out rights under the GLBA.
Pursuant to § 1016.10(a), a financial institution generally may not disclose nonpublic personal information about a consumer to a nonaffiliated third party without first providing the consumer with a notice and opportunity to opt out of that sharing. Sections 1016.13, 1016.14, and 1016.15 lay out certain exceptions to the general opt-out requirement.[41] Accordingly, where a financial institution shares with nonaffiliated third parties as permitted by §§ 1016.13, 1016.14, and 1016.15, the financial institution is not required to provide the consumer with an opportunity to opt out of such sharing. The Bureau believes that the alternative delivery method, while reducing burden, might not be as effective in alerting customers to their ability to opt out of certain types of information sharing as the current delivery method where a financial institution shares beyond the exceptions in §§ 1016.13, 1016.14, and 1016.15. The Bureau thus believes that the current delivery method for the annual notice pursuant to existing § 1016.9(a) is likely to be important for customers who have the right to opt out of information sharing. The Bureau believes that limiting the alternative delivery method to circumstances in which customers have no information sharing opt-out rights under Regulation P would generally reduce the burden of compliance while still mandating the use of the current delivery method to ensure that customers have notice of their opt-out rights where they exist. For the foregoing reasons, the Bureau proposes § 1016.9(c)(2)(i)(A).

[41] Specifically, § 1016.13 provides that the opt-out requirement generally does not apply where a financial institution shares nonpublic personal information with nonaffiliated third parties to provide services to the sharing financial institution, including for marketing products or services of the financial institution or those of other financial institutions with which the sharing institution has joint marketing agreements. Section 1016.14 provides that the opt-out requirement generally does not apply where the financial institution shares nonpublic personal information as required to process or service transactions for the consumer’s account. Section 1016.15 provides that the opt-out requirement does not apply to certain specific types of information sharing by the financial institution, including, for example, at the consumer’s request, to protect the confidentiality of the financial institution’s records, to a consumer reporting agency, and to comply with a properly authorized civil, criminal or regulatory investigation.

The Bureau invites comment on the extent to which different financial institutions share beyond the exceptions in §§ 1016.13, 1016.14, and 1016.15 and thus would be precluded from using the proposed alternative delivery method. The Bureau further invites comment on the impact on customers of receiving the annual privacy notice pursuant to the current delivery method, rather than the proposed alternative delivery method, where the notice informs the customer of opt-out rights pursuant to Regulation P.

9(c)(2)(i)(B)

Proposed § 1016.9(c)(2)(i)(B) would set forth the second condition for using the alternative delivery method for the annual privacy notice: that the financial institution not include on its annual notice an opt out under section 603(d)(2)(A)(iii) of the FCRA.[42] As discussed in part II above, FCRA section 603(d)(2)(A)(iii) excludes from the statute’s definition of "consumer report" a financial institution’s sharing of certain information about a consumer with its affiliates if the financial institution provides the consumer with notice and an opportunity to opt out of the information sharing.
Though this notice and opt out is a product of the FCRA rather than the GLBA, section 503(b)(4) of the GLBA and § 1016.6(a)(7) require a financial institution’s privacy notice to include any disclosures the financial institution makes under section 603(d)(2)(A)(iii) of the FCRA. Accordingly, to the extent that a financial institution chooses to provide an opt out pursuant to FCRA section 603(d)(2)(A)(iii), § 1016.6(a)(7) requires the privacy notice to include that opt out.[43] For the same reasons as discussed with respect to proposed § 1016.9(c)(2)(i)(A), the Bureau proposes to allow a financial institution to use the alternative delivery method only if it does not share information in a way that triggers information sharing opt-out rights for the customer, including those under section 603(d)(2)(A)(iii) of the FCRA. Accordingly, the Bureau proposes § 1016.9(c)(2)(i)(B). The Bureau invites comment on the extent to which different financial institutions provide a FCRA section 603(d)(2)(A)(iii) opt out and thus would be precluded from using the proposed alternative delivery method. The Bureau further invites comment on the benefit to customers of receiving the annual privacy notice pursuant to the current delivery method, rather than the proposed alternative delivery method, where the notice informs the customer of opt-out rights pursuant to FCRA section 603(d)(2)(A)(iii).

[42] 15 U.S.C. 1681a(d)(2)(A)(iii).

[43] See 64 FR 35162, 35176 (June 1, 2000).

9(c)(2)(i)(C)

Proposed § 1016.9(c)(2)(i)(C) would contain the third condition for using the alternative delivery method: that the annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the FCRA[44] and subpart C of 12 CFR part 1022 (the "Affiliate Marketing Rule").
The Bureau is proposing to provide flexibility in the manner in which an annual notice which contains disclosures under the Affiliate Marketing Rule is provided since proposed § 1016.9(c)(2)(i)(C) would require the consumer to be provided the Affiliate Marketing notice and opt out separately, as discussed below. FCRA section 624, as implemented by the Affiliate Marketing Rule, provides that a person may not use certain information about a consumer that it receives from an affiliate to make solicitations for marketing purposes unless the consumer receives notice and the opportunity to opt out of this use from an affiliate with whom the consumer has or had a pre-existing business relationship.[45] The Affiliate Marketing Rule further governs the content, scope, and duration of that notice and opt out and the method by which it must be provided to consumers.[46] In contrast to the FCRA section 603(d)(2)(A)(iii) notice and opt-out right, which is generally required to be included on the annual privacy notice by § 1016.6(a)(7) if a financial institution offers that opt out, the Affiliate Marketing Rule notice and opt out is not required to be included on the Regulation P privacy notice. The Affiliate Marketing Rule notice and opt out may be included on the privacy notice, however. Moreover, the model privacy notice includes a notice and opt out under FCRA section 624 and the Affiliate Marketing Rule,[47] and the Affiliate Marketing Rule specifically provides that its opt out may be incorporated into the GLBA privacy notice.[48] The instructions to the GLBA model privacy notice make clear that a financial institution subject to the Affiliate Marketing Rule may omit that notice and opt out from the GLBA model privacy notice, provided the institution separately complies with the Affiliate Marketing Rule.[49] Given that the Affiliate Marketing Rule notice and opt out is not required on the annual privacy notice (and indeed does not have to be provided annually),[50] the Bureau believes that the existence of an opt-out right under the Affiliate Marketing Rule should not preclude a financial institution from using the proposed alternative delivery method. Instead, the Bureau is proposing that the alternative delivery method would be available for a financial institution that must provide a notice and opt out under the Affiliate Marketing Rule as long as the annual privacy notice is not the only notice provided to the customer explaining that opt-out right. In other words, a financial institution that undertakes opt-out obligations under the Affiliate Marketing Rule may use the alternative delivery method provided that it fulfills those notice and opt-out obligations separately from the annual privacy notice. The Bureau notes that certain requirements for the Affiliate Marketing notice and opt out differ, depending on whether it is included as part of the model privacy notice or issued separately.

[44] 15 U.S.C. 1681s–3.

[45] 12 CFR 1022.21(a).

[46] 12 CFR 1022.22, 1022.23, 1022.24, 1022.25, 1022.26, and 1022.27.

[47] Appendix to part 1016 at C.2.d.6.
Where a financial institution includes the Affiliate Marketing notice and opt out on the model privacy notice, Regulation P requires that opt out to be of indefinite duration.[51] In contrast, where a financial institution provides the Affiliate Marketing notice and opt out separately, Regulation V allows the opt out to be offered for as little as five years, subject to renewal, and the disclosure of the duration of the opt out must be included on the notice.[52] Because inclusion of the Affiliate Marketing opt out on the model privacy notice requires a financial institution to honor the opt out indefinitely, a financial institution that also offers the opt out right separately in order to use the alternative delivery method would be able to comply with both Regulations P and V by stating in the separate Affiliate Marketing notice that the opt out is of indefinite duration and by honoring such opt-out requests indefinitely. The Bureau acknowledges that under this proposal some customers will no longer receive their annual privacy notice pursuant to the current delivery requirements even though the notice informs them of a right to opt out that exists pursuant to the Affiliate Marketing Rule.

[48] 12 CFR 1022.23(b).

[49] Appendix to part 1016 at C.2.d.6.

[50] 72 FR 62910, 62930 (Nov. 7, 2007).

[51] Regulation P provides, "Institutions that include this reason [for sharing or using personal information] must provide an opt-out of indefinite duration." Appendix to part 1016 at C.2.d.6.

[52] 12 CFR 1022.22(b). 12 CFR 1022.23(a)(1)(iv).
The Bureau believes, however, that this concern is mitigated by the fact that in such cases, proposed § 1016.9(c)(2)(i)(C) would require that the Affiliate Marketing Rule opt-out notice also be delivered separately from the annual privacy notice.[53] The Bureau considered but decided against proposing to prohibit use of the alternative delivery method where a financial institution provides an opt out under the Affiliate Marketing Rule. The Bureau believes that prohibiting the use of the alternative delivery method in that circumstance could discourage financial institutions from voluntarily providing the Affiliate Marketing notice and opt out through its annual privacy notice and could be at odds with a financial institution’s choice whether to use the annual privacy notice to comply with its opt-out obligations under the Affiliate Marketing Rule. Accordingly, the Bureau is proposing § 1016.9(c)(2)(i)(C) which would permit use of the alternative delivery method for a financial institution that provides a notice and opt out under the Affiliate Marketing Rule, provided that the financial institution does not use the annual privacy notice as the sole means of providing notice to customers of that opt-out right. The Bureau invites comment on the extent to which financial institutions include the Affiliate Marketing Rule opt out on their Regulation P privacy notices and thus would be precluded from using the proposed alternative delivery method unless they separately delivered an Affiliate Marketing Rule opt-out notice. The Bureau further invites comment on the benefit or harm to customers of receiving the annual privacy notice pursuant to the alternative delivery method if the notice informs the customer of opt-out rights pursuant to the Affiliate Marketing Rule and the customer would receive a separate Affiliate Marketing Rule opt-out notice.
[53] Alternatively, the financial institution could continue to use the current delivery method and include the Affiliate Marketing opt out on the annual privacy notice, with no separate notice required.

9(c)(2)(i)(D)

Proposed § 1016.9(c)(2)(i)(D) would present the fourth condition for using the alternative delivery method: that the information a financial institution is required to convey on its annual privacy notice pursuant to § 1016.6(a)(1) through (5), (8) and (9) has not changed since the immediately previous privacy notice, initial or annual, to the customer. The Bureau is proposing to provide more flexibility in the method by which a notice that has not changed may be delivered because it believes that delivery of the annual notice as currently required by § 1016.9(a) is likely less useful if the customer has already received a privacy notice, the financial institution’s sharing practices remain generally unchanged since that previous notice, and the other requirements of proposed § 1016.9(c)(2)(i) are met. Proposed § 1016.9(c)(2)(i)(D) lists the specific disclosures of the privacy notice that must not change in order for a financial institution to take advantage of the alternative delivery method.
They are:

(1) the categories of nonpublic personal information that the financial institution collects (§ 1016.6(a)(1));

(2) the categories of nonpublic personal information that the financial institution discloses (§ 1016.6(a)(2));

(3) the categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information, other than those parties to whom the financial institution discloses information under §§ 1016.14 and 1016.15 (§ 1016.6(a)(3));

(4) the categories of nonpublic personal information about the financial institution’s former customers that the financial institution discloses and the categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information about the financial institution’s former customers, other than those parties to whom the financial institution discloses information under §§ 1016.14 and 1016.15 (§ 1016.6(a)(4));

(5) if the financial institution discloses nonpublic personal information to a nonaffiliated third party under § 1016.13 (and no other exception in § 1016.14 or § 1016.15 applies to that disclosure), a separate statement of the categories of information the financial institution discloses and the categories of third parties with whom the financial institution has contracted (§ 1016.6(a)(5));

(6) the financial institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information (§ 1016.6(a)(8)); and

(7) any description of nonaffiliated third parties subject to exceptions as described in § 1016.6(b) (§ 1016.6(a)(9)).[54]

[54] Note that the information disclosed pursuant to § 1016.6(a)(6) and (7) are not among the provisions in proposed § 1016.9(c)(2)(i)(D) because those disclosures relate to opt-out rights the existence of which would make the alternative delivery method unavailable for a financial institution under proposed § 1016.9(c)(2)(i)(A) and (B), as discussed above. In addition, the omission from proposed § 1016.9(c)(2)(i)(D) of the opt-out disclosures under GLBA and FCRA makes clear that a financial institution may change its privacy policy so as to eliminate information sharing that triggers opt-out rights and may then make use of the alternative delivery method for the next annual privacy notice.

With respect to disclosures required by § 1016.6(a)(1) through (5) and (9) (items 1–5 and 7 in the list above), the Bureau emphasizes that a financial institution would be precluded from using the alternative delivery method only if it made changes in the category of information it collects or discloses so as to require changes to the disclosure on the notice itself. The disclosures required by § 1016.6(a)(1) through (5) and (9) describe categories of nonpublic personal information collected and disclosed and categories of third parties with whom that information is disclosed. Accordingly, only a change in or addition of a category of information collected or shared or in a category of third party with whom the information is shared would prevent a financial institution from satisfying proposed § 1016.9(c)(2)(i)(D). The Bureau further notes that stylistic changes in the wording of the notice that do not change the information conveyed on the notice would not prevent a financial institution from satisfying proposed § 1016.9(c)(2)(i)(D). For example, assume a financial institution begins collecting information regarding potential customers’ assets as part of an application process that the institution had not previously collected. If the institution had previously disclosed on its privacy notice that the nonpublic personal information it collected included information received from customers on applications or other forms, the financial institution would satisfy proposed § 1016.9(c)(2)(i)(D) notwithstanding the fact that the institution had not previously collected asset information. Similarly, a financial institution’s decision to begin sharing its customers’ nonpublic personal information with a mortgage broker, even where it had not previously shared that information with any mortgage brokers, would not prohibit the financial institution from satisfying proposed § 1016.9(c)(2)(i)(D) provided that the financial institution had previously disclosed on its privacy notice that it shared information with financial service providers.

With respect to the disclosure required by § 1016.6(a)(8), the Bureau notes that proposed § 1016.9(c)(2)(i)(D) would disallow the use of the alternative delivery method if a financial institution changes the required description of its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. The Bureau recognizes that this information is distinguishable from the information required by § 1016.6(a)(1) through (5) and (9) in that the information required by § 1016.6(a)(8) does not describe the financial institution’s collecting or sharing of nonpublic personal information but instead describes the financial institution’s overall data security policy. The Bureau believes that changes in the description of a financial institution’s data security policy likely are significant enough that when they occur, the annual privacy notice should continue to be delivered according to the existing methods in § 1016.9. Indeed, in light of recent large-scale data security breaches, the Bureau believes that some customers may be more interested in the data security policies of their financial institutions than they were previously. The Bureau notes that stylistic changes to the description of the data security policy that do not change the information conveyed on the notice would not prevent a financial institution from satisfying proposed § 1016.9(c)(2)(i)(D).
The Bureau further notes that (similar to the information required by § 1016.6(a)(1) through (5) and (9)) changes to the underlying data security policy would preclude financial institutions from using the alternative delivery method only if these policy changes are substantial enough under Regulation P to trigger changes in the description of that policy on the annual notice itself. The Bureau believes, therefore, that financial institutions likely will be able to make improvements to their data security practices without necessarily changing information disclosed pursuant to § 1016.6(a)(8). The Bureau invites comment about the effect on customers of conditioning availability of the alternative delivery method on there being no change from the previous year’s notice without regard to the conditions that would be required by proposed § 1016.9(c)(2)(i)(A) through (C). The Bureau further invites comment on how often financial institutions change their privacy notice such that they would be precluded from using the proposed alternative delivery method. Lastly, the Bureau invites comment on the extent to which a financial institution’s changing its data security policy might preclude it from using the proposed alternative delivery method and whether the information disclosed pursuant to § 1016.6(a)(8) should be included in proposed § 1016.9(c)(2)(i)(D).

9(c)(2)(i)(E)

The last condition for use of the alternative delivery method, which would be set forth in proposed § 1016.9(c)(2)(i)(E), requires that the financial institution use the model privacy form for its annual privacy notice.
Though use of the model form constitutes compliance with the notice content requirements of §§ 1016.6 and 1016.7, Regulation P does not require use of the model notice.[55] However, the Bureau believes that a large majority of financial institutions use the model notice. The model notice was adopted in 2009 as part of an interagency rulemaking because consumer research revealed that the model notice was easier to understand and use than most privacy notices then being used.[56] During outreach, consumer and privacy groups told the Bureau that the model notice is easier for consumers to understand than other privacy notices. The Bureau is proposing to require use of the model notice as a condition of using the alternative delivery method to foster the use of a form of notice that appears to be more effective in conveying privacy policy information to customers than non-standard notices and thus enhance the effectiveness of the notice provided under the alternative method. Accordingly, the Bureau is proposing § 1016.9(c)(2)(i)(E), which would permit use of the alternative delivery method only if a financial institution uses the model privacy form for its annual privacy notice. The Bureau believes that proposed § 1016.9(c)(2)(i)(E) is likely to encourage some financial institutions that are not currently doing so to use the model notice in order to take advantage of the cost savings associated with the alternative delivery method. Moreover, the Bureau does not believe that requiring use of the model notice to be eligible for the alternative delivery method creates a significant compliance burden for the minority of financial institutions that do not currently use it, especially given that financial institutions would not choose to use the alternative delivery method if the one-time cost of adopting the model notice were not more than offset by the ongoing burden reduction of the alternative delivery method for the annual notice.

[55] 12 CFR 1016.2.

[56] 74 FR 62890, 62891 (Dec. 1, 2009).

The Bureau notes that the model form accommodates information that may be required by state or international law, as applicable, in a box called "Other important information."[57] Accordingly, the Bureau expects that a financial institution that has additional privacy disclosure obligations pursuant to state or international law would still be able to use the model form in order to take advantage of the proposed alternative delivery method. The Bureau invites comment on related state or international law requirements and their interaction with the model privacy notice as well as the proposed alternative delivery method in general.

The Bureau does not contemplate that adoption of the model privacy form, which may require changes to the wording and layout of the privacy notice but not to the information conveyed, would constitute a change within the meaning of proposed § 1016.9(c)(2)(i)(D). In a somewhat analogous situation, the agencies that promulgated the model privacy notice explained: "Adoption of the model form, with no change in policies or practices, would not constitute a revised notice [for purposes of the rule section on revised privacy notices], although institutions may elect to consider the format change as revision, at their option."[58] The Bureau solicits comment on whether adoption of the model form instead should be considered a change in the annual notice pursuant to proposed § 1016.9(c)(2)(i)(D) such that an institution adopting the model form in the first instance would be precluded from using the proposed alternative delivery method until the following year’s annual notice.
The Bureau further invites comment on the extent to which financial institutions currently use the model privacy notice and if they do not, whether they would choose to do so to take advantage of the proposed alternative delivery method. Lastly, the Bureau invites comment on the benefit to customers of receiving the model privacy notice rather than a privacy notice in a non-standard format.

57 Appendix to part 1016 at C.3.c.1.
58 74 FR 62890, 62907 n. 196.

9(c)(2)(ii)

In proposed § 1016.9(c)(2)(ii), the Bureau sets forth the alternative delivery method that would be permissible to satisfy the requirement in § 1016.5(a)(1) to provide an annual notice if a financial institution meets the conditions described in proposed § 1016.9(c)(2)(i). For the reasons discussed above, the Bureau believes that delivery of the annual privacy notice pursuant to the existing delivery requirements may be less important for customers if the requirements of proposed § 1016.9(c)(2)(i) are met. The Bureau believes that delivery pursuant to the alternative delivery method proposed, described in detail below, would inform customers of their financial institution’s privacy policies effectively and at a lower cost than the current delivery methods. Although the Bureau believes it is unlikely, the Bureau recognizes the possibility that fewer customers may read the privacy notice when it is delivered pursuant to the alternative method than would have read the notice if it had been delivered to them using the current delivery methods. The Bureau requests comment on how frequently customers read privacy notices delivered pursuant to existing § 1016.9(a) and how frequently the notices would be read if they were provided pursuant to the proposed alternative delivery method.
The Bureau further invites comment generally on the components of the alternative delivery method in proposed § 1016.9(c)(2)(ii)(A) through (C) and whether any of those components should not be required or whether additional components should be added.

9(c)(2)(ii)(A)

Proposed § 1016.9(c)(2)(ii)(A) would set forth the first component of the alternative delivery method: that a financial institution inform the customer of the availability of the annual privacy notice. To satisfy proposed § 1016.9(c)(2)(ii)(A), a financial institution would be required to convey in a clear and conspicuous manner not less than annually on a notice or disclosure the institution is required or expressly and specifically permitted to use under any other provision of law that its privacy notice has not changed, that the notice is available on its Web site and that a hard copy of the notice will be mailed to customers if they call a toll-free number to request one. Proposed § 1016.9(c)(2)(ii)(A) would use the term “clear and conspicuous,” which is defined in existing § 1016.3(b)(1) as meaning “reasonably understandable” and “designed to call attention to the nature and significance of the information.” The Bureau believes that the existing examples in § 1016.3(b)(2)(i) and (ii) for reasonably understandable and designed to call attention, respectively, likely would provide sufficient guidance on ways to make the notice of availability in proposed § 1016.9(c)(2)(ii)(A) clear and conspicuous.
Specifically, because the notice of availability would be combined with another notice or disclosure sent to the customer, the Bureau points to existing § 1016.3(b)(2)(ii)(E), which states that on a form that combines a notice with other information, a notice containing distinctive type size, style, and graphic devices, such as shading or sidebars, is designed to call attention to the nature and significance of the information, as required under the clear and conspicuous definition. With respect to the notice of availability being conveyed not less than annually, the Bureau notes that the proposed rule would permit it being included more often than annually (e.g., quarterly or monthly). Although the Bureau is proposing to require the notice of availability annually, the Bureau invites comment on the advantages and disadvantages of it being provided on a more frequent basis. With respect to the type of statement that may be used to convey the notice of availability, proposed § 1016.9(c)(2)(ii)(A) would permit it to be conveyed on a notice or disclosure the institution is required or expressly and specifically permitted to issue under any other provision of law. This language is similar to that used in Regulation V, which provides that “a notice required by this subpart may be coordinated and consolidated with any other notice or disclosure required to be issued under any other provision of law. . . .” 59 Proposed § 1016.9(c)(2)(ii)(A) would add to that language in order to ensure that the notice of availability could be included on disclosures that are expressly and specifically permitted by law, even if not required. The Bureau notes that a notice of availability would satisfy proposed § 1016.9(c)(2)(ii)(A) if it were included on a periodic statement which is permitted but not required by Regulation DD 60 but would not satisfy proposed § 1016.9(c)(2)(ii)(A) if included on advertising materials that were neither required nor specifically permitted by law.
Proposed § 1016.9(c)(2)(ii)(A) does not specify in more detail the type of statement on which the notice of availability must be conveyed because the Bureau intends the alternative delivery method to be flexible enough to be used by financial institutions whose business practices vary widely. The Bureau invites comment on the benefits and costs of requiring the notice of availability to be included on a document required or expressly and specifically permitted under any other provision of law. The Bureau further notes that where two or more financial institutions provide a joint privacy notice pursuant to § 1016.9(f), proposed § 1016.9(c)(2)(ii)(A) would require each financial institution to separately provide the notice of availability on a notice or disclosure that it is required or permitted to issue. The Bureau invites comment on how often financial institutions jointly provide privacy notices and whether the proposed alternative delivery method would be feasible for such jointly issued notices. Proposed § 1016.9(c)(2)(ii)(A) also would require the institution to state on the notice that its privacy policy has not changed. The Bureau intends this proposed requirement to help customers assess whether they are interested in reading the policy. This statement would always be accurate if the alternative delivery method is used correctly, since a financial institution could not use the alternative delivery method if its annual privacy notice had changed. Proposed § 1016.9(c)(2)(ii)(A) would further require that the statement include a specific web address that takes customers directly to the page where the privacy notice is available and a toll-free telephone number for customers to call and request that a hard copy of the annual notice be mailed to them.

59 12 CFR 1022.23(b).
60 12 CFR 1030.6.
With respect to the specific web address, the Bureau notes that the language of proposed § 1016.9(c)(2)(ii)(A) is somewhat similar to an option used on the model privacy notice to provide an online opt out of information sharing.61 Proposed § 1016.9(c)(2)(ii)(A) requires a web address that the customer can type into a web browser to directly access the page that contains the privacy notice so that the customer need not click on any links after typing in the web address. The Bureau believes that a direct link may make it easier and more convenient for customers to access the privacy notice. Proposed § 1016.9(c)(2)(ii)(A) would also require that the notice of availability include a toll-free number a customer can call to request a hard copy of the annual privacy notice. This requirement is intended to assist customers who do not have internet access or would prefer to receive a hard copy of the privacy notice. The Bureau notes that Regulation P currently contains provisions on the use of a toll-free number. For example, existing § 1016.6(d)(4)(i) lists a financial institution providing a toll-free number that the consumer may call to request a notice as an example of reasonable means by which a consumer who is not a customer may obtain a copy of an institution’s privacy notice. The Bureau expects that most financial institutions will already have a toll-free number for their customers to contact them and thus providing a toll-free number for this purpose would not be a significant burden. Further, the Bureau is concerned that requiring a customer to pay for a call to the financial institution to request a copy of the privacy notice could impose a new cost on the customer that could deter customers from calling to request a hard copy of the notice.

61 Appendix to 12 CFR part 1016, at C.2.e.
The Bureau invites comment about the advantages and disadvantages of requiring financial institutions to provide a toll-free number and whether there would be other appropriate ways to balance customers’ interests and to distinguish between small and large financial institutions. The Bureau further invites comment on the relative need that the telephone number for customers to request a copy of the privacy notice be toll-free, given recent technological and billing practice changes to the telephone industry. Lastly, the Bureau invites comment on the advantages and disadvantages of requiring financial institutions to provide a dedicated telephone number for privacy notice requests so that customers can easily request a hard copy of the notice without navigating a complicated automated telephone menu.

9(c)(2)(ii)(B)

Proposed § 1016.9(c)(2)(ii)(B) would set forth the second component of the alternative delivery method: That the financial institution post its current privacy notice continuously and in a clear and conspicuous manner on a page of the institution’s Web site that contains only the privacy notice. The Bureau believes, based on its outreach, that this provision of the alternative delivery method is feasible for most financial institutions. Even for a financial institution that does not currently post its annual notice on its Web site, creating a specific page for this purpose is a one-time process that the Bureau believes most financial institutions could implement without significant cost. Further, the Bureau believes that encouraging financial institutions that do not already do so to post the privacy notice on their Web sites may benefit consumers by making the notices more widely available.
Proposed § 1016.9(c)(2)(ii)(B) would require that the annual notice be posted on a page of the Web site that contains only the privacy notice because the Bureau believes that were the notice included on a page with other content, such as other disclosures or promotions for products, that content could detract from the prominence of the notice and make it less likely that a customer would actually read it. However, information that is not content, such as navigational menus to other pages on the Web site, could appear on the same page as the privacy notice. The Bureau notes that other pages on the financial institution’s Web site could link to the page containing the privacy notice but the customer would still have to be provided a specific web address that takes the customer directly to the page where the privacy notice is available to satisfy the requirement to post the notice on the financial institution’s Web site in proposed § 1016.9(c)(2)(ii)(B).62 Proposed § 1016.9(c)(2)(ii)(B) would further require that the Web page that contains the privacy notice be accessible to the customer without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page. The Bureau is concerned that if customers were required to register for a login name or sign in to the financial institution’s Web site simply to access the privacy notice, it could discourage some customers from accessing and reading the notice. Given that the alternative delivery method will require customers to seek out the annual notice in a way that they have not previously been required to do, proposed § 1016.9(c)(2)(ii)(B) intends to make accessing the privacy notice on an institution’s Web site as simple and straightforward as possible. For the reasons described above, the Bureau proposes § 1016.9(c)(2)(ii)(B). The Bureau invites comment regarding the prevalence of financial institutions that currently maintain Web sites, whether they currently post the Regulation P privacy notice on those Web sites, and if they do not currently do these things, how costly it would be to do so.

62 With regard to the proposed requirement that the notice be posted in a “clear and conspicuous” manner, the Bureau notes that existing § 1016.3(b)(2)(iii) gives examples of what clear and conspicuous means for a privacy notice posted on a Web site. One example provides that a financial institution designs its notice to call attention to the nature and significance of the information in the notice if it uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensures that other elements on the Web site (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice. Section 1016.3(b)(2)(iii)(A) and (B) also provides examples of clear and conspicuous placement of the notice within the financial institution’s Web site but these examples do not seem relevant to the posting of the notice for the alternative delivery method because consumers will be typing into their web browser the web address of the specific page that contains the annual notice, rather than navigating to the annual notice from the financial institution’s home page. To the extent that a financial institution is satisfying existing § 1016.9(a) and not the alternative delivery method proposed in § 1016.9(c)(2) by posting the privacy notice on its Web site, the clear and conspicuous examples in § 1016.3(b)(2)(iii)(A) and (B) still apply.
The Bureau additionally seeks comment on whether financial institutions provide different privacy notices for different groups of customers, depending on the type of account the customer has with the financial institution, such that posting multiple privacy notices on the financial institution’s Web site may create confusion as to which is the relevant privacy notice for any particular customer. Lastly, the Bureau seeks comment on the relative benefit or harm to customers of accessing the privacy notice on a financial institution’s Web site as proposed.

9(c)(2)(ii)(C)

Proposed § 1016.9(c)(2)(ii)(C) would set forth the third component of the alternative delivery method: That the financial institution promptly mail its current privacy notice to those customers who request it by telephone. The Bureau proposes this requirement to assist customers without internet access and customers with internet access who would prefer to receive a hard copy of the notice. Proposed § 1016.9(c)(2)(ii)(C) would include a requirement that the notice be mailed promptly to indicate that a financial institution may not, for example, wait to mail the privacy notice until another notice or disclosure is sent to the customer, but would instead be required to mail the privacy notice shortly after receiving the customer’s request to do so. The Bureau notes that consistent with privacy notices currently provided under Regulation P, financial institutions will not charge the customer for delivering the annual notice, given that delivery of the annual notice is required by statute and regulation. For these reasons, the Bureau proposes § 1016.9(c)(2)(ii)(C). The Bureau invites comment on whether prompt mailing of the privacy notice upon request is feasible for financial institutions and on the relative cost associated with mailing privacy notices on request.
The Bureau further invites comment on whether requiring prompt mailing is sufficient to ensure that customers receive privacy notices in a timely manner or whether “promptly” should be more specifically defined, such as by a certain number of days.

9(c)(2)(iii)

Proposed § 1016.9(c)(2)(iii) would provide an example of a notice of availability that satisfies § 1016.9(c)(2)(ii)(A). The Bureau intends this example to provide clear guidance on permissible content for the notice of availability to facilitate compliance. The content of the example notice of availability in proposed § 1016.9(c)(2)(iii) draws from language in the existing model privacy notice, which was previously subject to consumer testing.63 The proposed example would include the heading “Privacy Notice” in boldface on the notice of availability. The proposed example further would state that Federal law requires the financial institution to tell customers how it collects, shares, and protects their personal information; this language mirrors the “Why” box on the model privacy notices.64 The remaining portion of the proposed example would inform customers that the financial institution’s privacy notice has not changed, the address of the Web site at which customers can access the privacy notice, and the toll-free phone number to call to request a free copy of the notice. Because the Bureau believes that this language would provide a compliant and effective notice of availability, the Bureau proposes § 1016.9(c)(2)(iii). The Bureau notes that the proposed example contains certain illustrative elements that would satisfy proposed § 1016.9(c)(2) but are not specifically required by the proposed rule text.
These include entitling the notice of availability “Privacy Notice,” including a statement that “Federal law requires the financial institution to tell customers how it collects, shares, and protects their personal information,” and stating that getting a copy of the notice is “free” to the consumer. The Bureau invites comment on whether the proposed example notice of availability would be feasible for financial institutions to implement, whether the illustrative elements not specifically required by the rule should be so required, and whether the proposed language would be effective in informing customers of the availability of the privacy notice.

63 See Appendix to 12 CFR part 1016, at A.
64 Id.

V. Section 1022(b)(2) of the Dodd-Frank Act

A. Overview

In developing the proposed rule, the Bureau has considered the potential benefits, costs, and impacts.65 The Bureau requests comment on the preliminary analysis presented below as well as the submission of additional data that could inform the Bureau’s analysis of the benefits, costs, and impacts of the rule. The Bureau has consulted and coordinated with the SEC, CFTC, FTC, and NAIC, and consulted with or offered to consult with, the OCC, Federal Reserve Board, FDIC, NCUA, and HUD, including regarding consistency with any prudential, market, or systemic objectives administered by such agencies. The proposal would amend § 1016.9(c) of Regulation P to provide an alternative method for delivering annual privacy notices.
A financial institution would be able to use the alternative delivery method if:
(1) It does not share information with nonaffiliated third parties other than for purposes under the exclusions allowed under Regulation P;
(2) It does not include on its annual privacy notice an opt out under section 603(d)(2)(A)(iii) of the FCRA;
(3) The annual privacy notice is not the only method used to satisfy the requirements of section 624 of the FCRA and subpart C of part 1022, if applicable;
(4) Certain information it is required to convey on its annual privacy notice has not changed since it provided the immediately previous privacy notice; and
(5) It uses the Regulation P model privacy form for its annual privacy notice.

Under the proposed alternative delivery method, the financial institution would have to:
(1) Convey at least annually on another notice or disclosure that its privacy notice is available on its Web site and will be mailed upon request to a toll-free number. Among other things, the institution would have to include a specific web address that takes the customer directly to the privacy notice;
(2) Post its current privacy notice continuously on a page of its Web site that contains only the privacy notice, without requiring a login or any conditions to access the page; and
(3) Promptly mail its current privacy notice to customers who request it by telephone.

65 Specifically, section 1022(b)(2)(A) of the Dodd-Frank Act calls for the Bureau to consider the potential benefits and costs of a regulation to consumers and covered persons, including the potential reduction of access by consumers to consumer financial products or services; the impact on depository institutions and credit unions with $10 billion or less in total assets as described in section 1026 of the Dodd-Frank Act; and the impact on consumers in rural areas.

B. Potential Benefits and Costs to Consumers and Covered Persons

Proposed § 1016.9(c)(2) provides certain benefits to consumers relative to the baseline established by the current provisions of Regulation P. The proposal provides an incentive for financial institutions to adopt the model privacy form and to post it on their Web sites; or, if already adopted, to post the model privacy form on their Web sites; as long as there are no other reasons that the financial institutions would not be able to use the alternative delivery method. Recent research establishes that, at least for banks, a large number do not post the model privacy form on their Web sites. While the Bureau does not know how many of these financial institutions would need to make this change in order to use the alternative delivery method, at least some additional consumers would learn about the information sharing policies of financial institutions through the model privacy form as a result of proposed § 1016.9(c)(2).66 Given the consumer testing that went into the development of the model form and the public input that went into its design, the Bureau believes that the model form is generally clearer and easier to understand than most privacy notices that deviate from the model.67 Thus, proposed § 1016.9(c)(2) would likely make it easier for some consumers to review privacy policies and opt outs and to make comparisons across the privacy policies and opt outs of financial institutions. Proposed § 1016.9(c)(2) may also benefit certain consumers by disclosing that a financial institution’s privacy policy has not changed and by reducing the number of full, unchanged privacy policies certain consumers receive every year. Under the proposal, consumers who transact with financial institutions that adopt the alternative delivery method would be informed through a notice or disclosure they are already receiving that the privacy policy has not changed but is available for their review, and these consumers would only receive the full privacy policy as a matter of course when it has changed or other requirements for use of the alternative delivery method are not met. While there is no data available on the number of consumers who are indifferent to (or dislike) receiving full, unchanged privacy notices every year, the limited use of opt outs and anecdotal evidence suggest that there are such consumers.68 Some consumers who want to review privacy policies may prefer reading the privacy form on a Web site to being mailed one, especially since financial institutions using the alternative delivery method must limit their information sharing to practices that do not give consumers opt-out rights. The Bureau believes that few consumers would experience any costs from proposed § 1016.9(c)(2). There is a risk that some consumers may be less informed about a financial institution’s information sharing practices if the financial institution adopts the proposed alternative delivery method.

66 See L.F. Cranor, K. Idouchi, P.G. Leon, M. Sleeper, B. Ur, Are They Actually Any Different? Comparing Thousands of Financial Institutions’ Privacy Practices. The Twelfth Workshop on the Economics of Information Security (WEIS 2013), June 11–12, 2013, Washington, DC. They find that only about half of FDIC insured depositories (3,422 out of 6,701) post the model privacy form on their Web sites.
67 The development and testing of the model privacy notice is discussed in L. Garrison, M. Hastak, J.M. Hogarth, S. Kleimann, A.S. Levy, Designing Evidence-based Disclosures: A Case Study of Financial Privacy Notices. The Journal of Consumer Affairs, Summer 2012: 204–234. See also the model privacy form final rule, 74 FR 62890 (December 1, 2009).
However, proposed § 1016.9(c)(2)(ii)(A) mitigates this risk by requiring annually a clear and conspicuous statement that the privacy notice is available on the Web site, and proposed § 1016.9(c)(2)(ii)(B) ensures that the model privacy form is posted continuously in a clear and conspicuous manner on the Web site. Consumers may print the privacy policy at their own expense, while under current § 1016.9(c)(2) the notice is delivered to them, which represents a transfer of costs from industry to consumers. However, proposed § 1016.9(c)(2)(ii)(A) would provide consumers with a toll-free telephone number to request that the privacy notice be mailed to the consumer, which gives consumers the option of obtaining the notice without incurring the cost of printing it. Further, the Bureau believes that a printed form is mostly valuable to consumers who would exercise opt-out rights. However, the only opt outs that could be available to the consumer under proposed § 1016.9(c)(2) would be voluntary opt outs, i.e., opt outs from modes of sharing information that are covered by exceptions, or (at the institution’s discretion) an Affiliate Marketing opt-out beyond those the institution has previously provided elsewhere. Voluntary opt outs do not appear to be common.69 Regarding benefits and costs to covered persons, the primary effect of the proposal would be burden reduction by lowering the costs to industry of providing annual privacy notices. Proposed § 1016.9(c)(2) would impose no new compliance requirements on any financial institution.

68 One early analysis of the use of the opt outs reported at most 5% of consumers make use of them in any year, and likely fewer. See J.M. Lacker, The Economics of Financial Privacy: To Opt Out or Opt In? Federal Reserve Bank of Richmond Economic Quarterly, Volume 88/3, Summer 2002.
All methods of compliance under current law would remain available to a financial institution if the proposal were adopted, and a financial institution that is in compliance with current law would not be required to take any different or additional action. The Bureau believes that a financial institution would adopt the proposed alternative delivery method only if it expected the costs of complying with the proposed alternative delivery method would be lower than the costs of complying with current Regulation P. By definition, the expected cost savings to financial institutions from the proposed revisions to § 1016.9(c) is the expected number of annual privacy notices that would be provided through the proposed alternative delivery method multiplied by the expected reduction in the cost per-notice from using the alternative delivery method. As explained below, many financial institutions would not be able to use the proposed alternative delivery method without changing their information sharing practices. For example, the Bureau believes that few financial institutions would find it in their interest to change information sharing practices just to reduce the costs of providing the annual privacy notice. Thus, the first step in estimating the expected cost savings to financial institutions from proposed § 1016.9(c)(2) would be to identify the financial institutions whose current information sharing practices would allow them to use the proposed alternative method. The Bureau would then need to determine their current costs for providing the annual privacy notices and the expected costs of providing these notices under proposed § 1016.9(c)(2).70

69 See Cranor et al. (2013). Their findings (Table 2) imply that at most 15% of the 3,422 FDIC insured depositories that post the model privacy form on their Web sites offer at least one voluntary opt out.
The Bureau does not have sufficient data to perform every step of this analysis, but it performed a number of analyses and outreach activities to approximate the expected cost savings. Regarding banks, the Bureau examined the privacy policies of the 19 banks with assets over $100 billion as well as the privacy policies of 106 additional banks selected through random sampling.71 The Bureau found that the overall average rate at which banks’ information sharing practices would make them eligible for using the alternative delivery method if other conditions were met is 80%. However, only 18% of sampled banks with assets over $10 billion could clearly use the proposed alternative delivery method, while 81% of sampled banks with assets of $10 billion or less and 88% of sampled banks with assets of $500 million or less could clearly use the proposed alternative delivery method. These results indicate that a large majority of smaller banks would likely be able to use the proposed alternative delivery method but most of the largest banks would not.72 One caveat regarding these estimates and the ones that follow concerns the use of consolidated privacy notices by entities regulated by different agencies. Entities that could comply with Regulation P by adopting the alternative delivery method are not likely to do so unless they have large numbers of readily identified customers with whom compliance with GLBA does not further require compliance with the GLBA regulations of other agencies. While the Bureau does not have data on the frequency with which entities that use consolidated privacy notices also meet these additional conditions, the Bureau believes that many entities that use consolidated privacy notices are larger financial institutions with information sharing practices that would not allow them to use the alternative delivery method for compliance with Regulation P. The Bureau’s estimates regarding the adoption of the alternative delivery method are accurate, notwithstanding the use of consolidated privacy notices, if the use of consolidated privacy notices is highly correlated with information sharing practices that alone would prevent the adoption of the alternative delivery mechanism. The Bureau requests data and other factual information regarding this correlation and more generally regarding the extent to which the use of consolidated privacy notices may prevent the adoption of the alternative delivery method.

70 The analysis that follows makes certain additional assumptions about adjustments that financial institutions are not likely to make just to be able to adopt the alternative delivery method. For example, small institutions might not find it worthwhile to establish Web sites or toll-free numbers given the relatively small savings in costs that might result. These assumptions are discussed further below.
71 The Bureau defined five strata for banks under $100 billion and three strata for credit unions under $10 billion and drew random samples from each of the strata. We obtained privacy policies from the Web sites of financial institutions.
72 As discussed in the Section-by-Section Analysis, a banking trade association commenting on the Streamlining RFI estimated that 75% of banks do not change their notices from year to year and do not share information in a way that gives rise to customer opt-out rights. The Bureau’s estimate is consistent with this comment.
The Bureau also examined the privacy policies of the four credit unions with assets over $10 billion as well as the privacy policies of 50 additional credit unions selected through random sampling. The Bureau found that two of the four credit unions with assets over $10 billion could clearly use the proposed alternative delivery method without changing their information sharing policies. Further, 62% of sampled credit unions with assets over $500 million could clearly use the alternative delivery method. However, the Bureau also found that only 13 of the 25 sampled credit unions with assets of $500 million or less either posted the model privacy form on their Web sites or provided enough information about their sharing practices to permit a clear determination regarding whether the alternative delivery method would be available to them (2 of the 25 did not have Web sites). The Bureau found that 11 of the 13 (85%) for which a determination could be made would be able to use the proposed alternative delivery method, and the Bureau believes that a significant majority of the sample of 25 would be able to use the proposed alternative delivery method (perhaps after adopting the model form). For purposes of this analysis, the Bureau conservatively assumes that 11 of the 25 sampled credit unions with assets of $500 million or less would be able to use the proposed alternative delivery method and requests comment on how to improve this estimate. Regarding non-depository financial institutions, the Bureau believes based on initial outreach that a majority are likely to be able to use the alternative delivery method. 
For instance, the prohibition on disclosing information to third parties in the Fair Debt Collection Practices Act (FDCPA) leads the Bureau to believe that financial institutions subject to those limits likely would be able to use the alternative delivery method when GLBA notice requirements apply.73 The Bureau will continue to refine its knowledge of the information sharing practices of nondepository financial institutions and the extent to which they may be able to use the proposed alternative delivery method. The Bureau requests comment and the submission of information relevant to this issue. Although these initial estimates provide some insight into the numbers of banks and credit unions that could use the alternative delivery method, the Bureau does not have precise data on the number of annual privacy notices these institutions currently provide. Thus, it is not possible to directly compute the total number of annual privacy notices that would no longer be sent. The Bureau does, however, have information on the burden of providing the annual privacy notices from the Paperwork Reduction Act Supporting Statements for Regulation P that are on file with the Office of Management and Budget. This information can be used to obtain an initial estimate of the ongoing savings from the alternative delivery method.74 In estimating this savings for banks and credit unions, the analysis above establishes that it is essential to take into account the variation by the size of banks and credit unions in the likelihood they could use the alternative delivery method.
73 FDCPA section 805(b) prohibits communication with third parties in connection with the collection of a debt.
To ensure that these differences inform the estimates, the Bureau allocated the total burden of providing the annual privacy notices to asset classes in proportion to the share of assets in the class. The Bureau then estimated an amount of burden reduction specific to each asset class using the results from the sampling described above. The total burden reduction is then the sum of the burden reductions in each asset class. For banks and credit unions combined, the estimated reduction in burden using this methodology is approximately $6 million annually. Regarding nondepositories, the Bureau believes that a large fraction of non-depositories of all sizes would be able to use the alternative delivery method and therefore used the overall average rate at which banks could utilize the alternative delivery method. The estimated reduction in burden is approximately $10 million annually.75 Thus, the Bureau believes that the total reduction in burden is approximately $16 million annually. This represents about 56% of the total $28.5 million annual cost of providing the annual privacy notice and opt-out notices under Regulation P.76 The Bureau requests comment on this preliminary analysis as well as the submission of additional data that could inform the Bureau’s consideration of the cost savings to financial institutions. The Bureau notes that these estimates of ongoing savings are gross figures and do not take into account any ongoing costs associated with the alternative delivery method. The Bureau believes that such ongoing costs would be minimal.
74 It is worth noting at the outset that, with this methodology, the total cost of providing the annual privacy notice is approximately $28.5 million per year.
75 Note that this figure excludes auto dealers. Auto dealers are regulated by the FTC and would not be directly impacted by this amendment to Regulation P.
They would consist of additional text on a notice or disclosure the institution already provides, additional phone calls from consumers requesting that the model form be mailed, and the costs of mailing the forms prompted by these calls. The Bureau currently believes that few consumers will request that the form be mailed in order to read it or to exercise any voluntary opt-out right. There would be minimal ongoing costs associated with the alternative delivery method from maintaining a Web page if a financial institution already has a Web site and none whatsoever if the financial institution already has a Web page dedicated to the annual privacy policy. The Bureau’s research indicates that all but the smallest banks and credit unions have Web sites, and the estimates of cost savings assume that those smallest institutions without Web sites would not adopt the alternative delivery method. The Bureau is not aware of information regarding the use of Web sites by nondepository financial institutions and welcomes information relevant to understanding the costs to these institutions of adopting the alternative delivery method. In developing the proposed rule, the Bureau considered alternatives to the requirements it is proposing. As discussed at length above, the Bureau believes that the alternative delivery method might not adequately alert customers to their ability to opt out of certain types of information sharing were it available where a financial institution shares beyond the exceptions in §§ 1016.13, 1016.14, and 1016.15. Thus, the Bureau considered but is not proposing an option in which the alternative delivery method could be used where a financial institution shares beyond one or more of these exceptions. For the same reason, the Bureau considered but is not proposing an option in which the alternative delivery method could be used where a financial institution shares information in a way that triggers information sharing opt-out rights under section 603(d)(2)(A)(iii) of the FCRA. On the other hand, the Bureau considered but is not proposing an option in which the alternative delivery method could never be used where a financial institution provides an opt-out right under the Affiliate Marketing Rule. A financial institution may use the alternative delivery method if it fulfills its opt-out obligations under the Affiliate Marketing Rule separately from the annual privacy notice. This case is distinguishable from the other two in that the customer is not dependent on the alternative delivery method to be made aware of the opt-out right under the Affiliate Marketing Rule. The Bureau also considered alternatives to the requirements regarding the types of information that cannot have changed since the previous annual notice to be able to use the alternative delivery method. The Bureau discussed these alternatives at length above and incorporates that discussion here.
76 The total reduction is approximately $17 million annually if 85% of credit unions with assets of $500 million or less use the proposed alternative delivery method. This represents about 60% of the total annual cost of providing these notices.
C. Potential Specific Impacts of the Rule
The Bureau currently understands that 81% of banks with $10 billion or less in assets would be able to utilize the alternative delivery method, with a greater opportunity for utilization among the smaller banks. Thus, the proposed rule may have differential impacts on insured depository institutions with $10 billion or less in assets as described in section 1026 of the Dodd-Frank Act. The Bureau also currently understands that at least 45% of credit unions with $10 billion or less in assets, and perhaps substantially more, would be able to utilize the alternative delivery method, with a greater opportunity for utilization among credit unions in the middle of this group.
The uncertainty reflects the relatively large number of very small credit unions that do not post the model form on their Web sites and which therefore could not clearly use the alternative delivery method. The Bureau does not believe that the proposed rule would reduce consumers’ access to consumer financial products or services or have a unique impact on rural consumers.
VI. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires each agency to consider the potential impact of its regulations on small entities, including small businesses, small governmental units, and small not-for-profit organizations. The RFA generally requires an agency to conduct an initial regulatory flexibility analysis (IRFA) and a final regulatory flexibility analysis (FRFA) of any rule subject to notice-and-comment rulemaking requirements, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities.77 The Bureau also is subject to certain additional procedures under the RFA involving the convening of a panel to consult with small business representatives prior to proposing a rule for which an IRFA is required.78 An IRFA is not required here because the proposal, if adopted, would not have a significant economic impact on a substantial number of small entities. The Bureau does not expect the proposal to impose costs on small entities. All methods of compliance under current law will remain available to small entities if the proposal is adopted. Thus, a small entity that is in compliance with current law need not take any different or additional action if the proposal is adopted. In addition, as discussed above, the Bureau believes that the proposed alternative method would allow many institutions to reduce their costs, and that small financial institutions may be more likely to qualify for using the alternative delivery method than large institutions based on the complexity of large institutions’ information sharing practices. Accordingly, the undersigned certifies that this proposal, if adopted, would not have a significant economic impact on a substantial number of small entities.
77 5 U.S.C. 603–605.
78 5 U.S.C. 609.
VII. Paperwork Reduction Act
Under the Paperwork Reduction Act of 1995 (PRA),79 Federal agencies are generally required to seek Office of Management and Budget (OMB) approval for information collection requirements prior to implementation. This proposal would amend Regulation P, 12 CFR part 1016. The collections of information related to Regulation P have been previously reviewed and approved by OMB in accordance with the PRA and assigned OMB Control Number 3170–0010. Under the PRA, the Bureau may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB. As explained below, the Bureau has determined that this proposed rule does not contain any new or substantively revised information collection requirements other than those previously approved by OMB.
79 44 U.S.C. 3501 et seq.
Under this proposal, a financial institution will be permitted, but not required, to use an alternative delivery method for the annual privacy notice if: (1) It does not share information with nonaffiliated third parties other than for purposes covered by the exclusions allowed under Regulation P; (2) It does not include on its annual privacy notice an opt out under section 603(d)(2)(A)(iii) of the FCRA; (3) The annual privacy notice is not the only method used to satisfy the requirements of section 624 of the FCRA and subpart C of part 1022, if applicable; (4) Certain information it is required to convey on its annual privacy notice has not changed since it provided the immediately previous privacy notice; and (5) It uses the Regulation P model privacy form for its annual privacy notice. Under the proposed alternative delivery method, the financial institution would have to: (1) Convey at least annually on another notice or disclosure that its privacy notice is available on its Web site and will be mailed upon request to a toll-free number. Among other things, the institution would have to include a specific web address that takes the customer directly to the privacy notice; (2) Post its current privacy notice continuously on a page of its Web site that contains only the privacy notice, without requiring a login or any conditions to access the page; and (3) Promptly mail its current privacy notice to customers who request it by telephone. Under Regulation P, the Bureau generally accounts for the paperwork burden for the following respondents pursuant to its enforcement/supervisory authority: Insured depository institutions with more than $10 billion in total assets, their depository institution affiliates, and certain nondepository institutions. The Bureau and the FTC generally both have enforcement authority over nondepository institutions subject to Regulation P. 
Accordingly, the Bureau has allocated to itself half of the final rule’s estimated burden to nondepository institutions subject to Regulation P. Other Federal agencies, including the FTC, are responsible for estimating and reporting to OMB the paperwork burden for the institutions for which they have enforcement and/or supervision authority. They may use the Bureau’s burden estimation methodology, but need not do so. The Bureau does not believe that this proposed rule would impose any new or substantively revised collections of information as defined by the PRA, and instead believes that it would have the overall effect of reducing the previously approved estimated burden on industry for the information collections associated with the Regulation P annual privacy notice. Using the Bureau’s burden estimation methodology, the reduction in the estimated ongoing burden would be approximately 567,000 hours annually for the roughly 13,500 banks and credit unions subject to the proposed rule, including Bureau respondents, and the roughly 29,400 entities regulated by the Federal Trade Commission also subject to the proposed rule. The reduction in estimated ongoing costs from the reduction in ongoing burden would be approximately $16 million annually. The Bureau believes that the one-time cost of adopting the alternative delivery method for financial institutions that would adopt it is de minimis. Financial institutions that already use the model form and would adopt the alternative delivery method would incur minor one-time legal, programming and training costs. These institutions would have to communicate on a notice or disclosure they are already issuing under any other provision of law that the privacy notice is available. The expense of adding this notice would be minor. Staff may need some additional training in storing copies of the model form and sending it to customers on request.
Institutions that do not use the model form would incur a one-time cost for creating one. However, since the promulgation of the model privacy form in 2009, an Online Form Builder has existed which any institution can use to readily create a unique, customized privacy notice using the model form template.80 The Bureau assumes that financial institutions that do not currently have Web sites or provide a toll-free number to their customers would not choose to comply with these requirements in order to use the alternative delivery method. The Bureau’s methodology for estimating the reduction in ongoing burden was discussed at length above. The Bureau defined five strata for banks under $100 billion and three strata for credit unions under $10 billion, drew random samples from each of the strata (separately for banks and credit unions) and examined the GLBA privacy notices available on the financial institutions’ Web sites, if any. The Bureau separately examined the Web sites of all banks over $100 billion (one additional bank stratum) and all credit unions over $10 billion (one additional credit union stratum). This process provided an estimate of the fraction of institutions within each bank or credit union stratum which would likely be able to use the alternative delivery method. In order to compute the reduction in ongoing burden (by stratum and overall) for these financial institutions, the Bureau apportioned the existing ongoing burden to each stratum according to the share of overall assets held by the financial institutions within the stratum. This was done separately for banks and credit unions.
Note that this procedure ensures that the largest financial institutions, while few in number, are apportioned most of the existing burden. The Bureau then multiplied the estimate of the fraction of institutions within each stratum that would likely be able to use the alternative delivery method by the estimate of the existing ongoing burden within each stratum, separately for banks and credit unions. As discussed above, the largest bank and credit union strata tended to have the lowest share of financial institutions that could use the alternative delivery method. For the non-depository institutions subject to the FTC’s enforcement authority that are subject to the Bureau’s Regulation P, the Bureau estimated the reduction in ongoing burden by applying the overall share of banks that would likely be able to use the alternative delivery method (80%) to the current ongoing burden on nondepository financial institutions (exclusive of auto dealers) from providing the annual privacy notices and opt outs. The Bureau takes all of the reduction in ongoing burden from banks and credit unions with assets $10 billion and above and half the reduction in ongoing burden from the non-depository institutions subject to the FTC enforcement authority that are subject to the Bureau’s Regulation P. The total reduction in ongoing burden taken by the Bureau is 256,000 hours or $6.2 million annually. The Bureau has determined that the proposed rule does not contain any new or substantively revised information collection requirements as defined by the PRA and that the burden estimate for the previously-approved information collections should be revised as explained above. The Bureau welcomes comments on these determinations or any other aspect of the proposal for purposes of the PRA. Comments should be submitted as outlined in the ADDRESSES section above. All comments will become a matter of public record.
80 This Online Form Builder is available at https://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.
List of Subjects in 12 CFR Part 1016
Banks, banking, Consumer protection, Credit, Credit unions, Foreign banking, Holding companies, National banks, Privacy, Reporting and recordkeeping requirements, Savings associations, Trade practices.
Authority and Issuance
For the reasons set forth in the preamble, the Bureau proposes to amend Regulation P, 12 CFR part 1016, as set forth below:
PART 1016—PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)
■ 1. The authority citation for part 1016 continues to read as follows:
Authority: 12 U.S.C. 5512, 5581; 15 U.S.C. 6804.
Subpart A—Privacy and Opt-Out Notices
■ 2. Section 1016.9(c) is revised to read as follows:
§ 1016.9 Delivering privacy and opt out notices.
* * * * *
(c) Annual notices only. (1) Reasonable expectation. You may reasonably expect that a customer will receive actual notice of your annual privacy notice if:
(i) The customer uses your Web site to access financial products and services electronically and agrees to receive notices at the Web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the Web site; or
(ii) The customer has requested that you refrain from sending any information regarding the customer relationship, and your current privacy notice remains available to the customer upon request.
(2) Alternative method for providing certain annual notices. (i) Notwithstanding paragraph (a) of this section, you may use the alternative method described in paragraph (c)(2)(ii) of this section to satisfy the requirement in § 1016.5(a)(1) to provide a notice if:
(A) You do not share information with nonaffiliated third parties other than for purposes under §§ 1016.13, 1016.14, and 1016.15;
(B) You do not include on your annual privacy notice pursuant to § 1016.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii));
(C) The annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the Fair Credit Reporting Act (15 U.S.C. 1681s–3) and subpart C of part 1022 of this chapter, if applicable;
(D) The information you are required to convey on your annual privacy notice pursuant to § 1016.6(a)(1) through (5), (8), and (9) has not changed since you provided the immediately previous privacy notice, initial or annual, to the customer; and
(E) You use the model privacy form in the appendix to this part for your annual privacy notice.
(ii) For an annual privacy notice that meets the requirements in paragraph (c)(2)(i) of this section, you satisfy the requirement in § 1016.5(a)(1) to provide a notice if you:
(A) Convey in a clear and conspicuous manner not less than annually on a notice or disclosure you are required or expressly and specifically permitted to issue under any other provision of law that your privacy notice is available on your Web site and will be mailed to the customer upon request by telephone to a toll-free number. The statement must state that your privacy notice has not changed and must include a specific Web address that takes the customer directly to the page where the privacy notice is posted and a toll-free telephone number for the customer to request that it be mailed;
(B) Post your current privacy notice continuously in a clear and conspicuous manner on a page of your Web site that contains only the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page; and
(C) Mail promptly your current privacy notice to those customers who request it by telephone.
(iii) An example of a statement that satisfies paragraph (c)(2)(ii)(A) of this section is: Privacy Notice [in boldface]—Federal law requires us to tell you how we collect, share, and protect your personal information.
Our privacy policy has not changed and you may review our policy and practices with respect to your personal information at [Web address] or we will mail you a free copy upon request if you call us toll-free at [toll-free telephone number].
* * * * *
Dated: May 6, 2014.
Richard Cordray, Director, Bureau of Consumer Financial Protection.
[FR Doc. 2014–10713 Filed 5–12–14; 8:45 am]
BILLING CODE 4810–AM–P
DEPARTMENT OF THE TREASURY
Internal Revenue Service
26 CFR Parts 1
[REG–140974–11]
RIN 1545–BK66
Definitions and Reporting Requirements for Shareholders of Passive Foreign Investment Companies; Correction
AGENCY: Internal Revenue Service (IRS), Treasury.
ACTION: Correction to a notice of proposed rulemaking by cross reference to temporary regulations.
SUMMARY: This document contains corrections to a notice of proposed rulemaking by cross-reference to temporary regulations (REG–140974–11) that was published in the Federal Register on Tuesday, December 31, 2013 (78 FR 79650). The proposed regulations provide guidance on determining the ownership of a passive foreign investment company (PFIC), the annual filing requirements for shareholders of PFICs, and an exclusion from certain filing requirements for shareholders that constructively own interests in certain foreign corporations.
DATES: The comment period for written or electronic comments and requests for a public hearing for the notice of proposed rulemaking by cross-reference to temporary regulations published at 78 FR 79650, December 31, 2013, ended on March 31, 2014.
FOR FURTHER INFORMATION CONTACT: Susan E. Massey at (202) 317–6934 (not a toll free number).
SUPPLEMENTARY INFORMATION:
Background
The notice of proposed rulemaking by cross-reference to temporary regulations (REG–140974–11) that is the subject of this document is under sections 1297, 1298, 6038, and 6046 of the Internal Revenue Code.
Need for Correction
As published, the notice of proposed rulemaking by cross-reference to temporary regulations (REG–140974–11) contains errors that may prove to be misleading and are in need of clarification.
Correction of Publication
Accordingly, the notice of proposed rulemaking (REG–140974–11), that was the subject of FR Doc. 2013–30845, is corrected as follows:
■ 1. The authority citation for part 1 is amended by correcting the sectional authority for § 1.1298–1 to read in part as follows:
Authority: 26 U.S.C. 7805 * * *
Section 1.1298–1 also issued under 26 U.S.C. 1298(f) and (g) * * *
§ 1.1298–1 [Corrected]
■ 2. On Page 79652, column 1, the seventh line from the top of the page, the language ‘‘as the text of § 1.1298–1T(h) published’’ is corrected to read ‘‘as the text of § 1.1298–1T published’’.
Martin V. Franks, Chief, Publications and Regulations Branch, Legal Processing Division, Associate Chief Counsel (Procedure and Administration).
[FR Doc. 2014–10858 Filed 5–12–14; 8:45 am]
BILLING CODE 4830–01–P
DEPARTMENT OF EDUCATION
34 CFR Chapter III
[Docket ID ED–2014–OSERS–0027]
Proposed Priority—Assistive Technology: Alternative Financing Program
[CFDA Number: 84.224D.]
AGENCY: Office of Special Education and Rehabilitative Services, Department of Education.
ACTION: Proposed priority.
SUMMARY: The Assistant Secretary for Special Education and Rehabilitative Services proposes a priority under the Assistive Technology Alternative Financing Program. The Assistant Secretary may use this priority for competitions in fiscal year (FY) 2014 and later years. This priority is designed to ensure that the Department funds high-quality assistive technology alternative financing programs that meet rigorous standards in order to enable individuals with disabilities to access and acquire assistive technology devices and services necessary to achieve education, community living, and employment goals.
DATES: We must receive your comments on or before June 12, 2014.
ADDRESSES: Submit your comments through the Federal eRulemaking Portal or via postal mail, commercial delivery, or hand delivery. We will not accept comments submitted by fax or by email or those submitted after the comment period. To ensure that we do not receive duplicate copies, please submit your comments only once. In addition, please include the Docket ID at the top of your comments.
• Federal eRulemaking Portal: Go to www.regulations.gov to submit your comments electronically. Information on using Regulations.gov, including instructions for accessing agency documents, submitting comments, and viewing the docket, is available on the site under ‘‘Are you new to the site?’’
• Postal Mail, Commercial Delivery, or Hand Delivery: If you mail or deliver your comments about this notice, address them to Brian Bard, U.S. Department of Education, 400 Maryland Avenue SW., Room 5021, Potomac Center Plaza (PCP), Washington, DC 20202–2800.
Privacy Note: The Department’s policy is to make all comments received from members of the public available for public viewing in their entirety on the Federal eRulemaking Portal at www.regulations.gov. Therefore, commenters should be careful to include in their comments only information that they wish to make publicly available.
FOR FURTHER INFORMATION CONTACT: Brian Bard. Telephone: (202) 245–7345. If you use a telecommunications device for the deaf (TDD) or a text telephone (TTY), call the Federal Relay Service (FRS), toll free, at 1–800–877–8339.
SUPPLEMENTARY INFORMATION:
Invitation to Comment: We invite you to submit comments regarding this notice. To ensure that your comments have maximum effect in developing the final priority, we urge you to identify clearly the specific topic that each comment addresses. We invite you to assist us in complying with the specific requirements of Executive Orders 12866 and 13563 and their overall requirement of reducing regulatory burden that might result from this proposed priority. Please let us know of any further ways we could reduce potential costs or increase potential benefits while preserving the effective and efficient administration of the program. During and after the comment period, you may inspect all public comments about this notice in Room 5025, 550 12th Street SW., PCP, Washington, DC, between the hours of 8:30 a.m. and 4:00 p.m., Washington, DC time, Monday through Friday of each week except Federal holidays.

Agencies

[Federal Register Volume 79, Number 92 (Tuesday, May 13, 2014)]
[Proposed Rules]
[Pages 27214-27230]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-10713]


=======================================================================
-----------------------------------------------------------------------

BUREAU OF CONSUMER FINANCIAL PROTECTION

12 CFR Part 1016

[Docket No. CFPB-2014-0010]
RIN 3170-AA39


Amendment to the Annual Privacy Notice Requirement Under the 
Gramm-Leach-Bliley Act (Regulation P)

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Proposed rule with request for comment.

-----------------------------------------------------------------------

SUMMARY: The Bureau of Consumer Financial Protection (Bureau) is 
proposing to amend Regulation P, which among other things requires that 
financial institutions provide an annual disclosure of their privacy 
policies to their customers. The amendment would create an alternative 
delivery method for this annual disclosure, which financial 
institutions would be able to use under certain circumstances.

DATES: Comments must be received on or before June 12, 2014.

ADDRESSES: You may submit comments, identified by Docket No. 
CFPB-2014-0010 or RIN 3170-AA39, by any of the following methods:
     Electronic: https://www.regulations.gov. Follow the 
instructions for submitting comments.
     Mail/Hand Delivery/Courier: Monica Jackson, Office of the 
Executive Secretary, Consumer Financial Protection Bureau, 1700 G 
Street NW., Washington, DC 20552.
    Instructions: All submissions should include the agency name and 
docket number or Regulatory Information Number (RIN) for this 
rulemaking. Because paper mail in the Washington, DC area and at the 
Bureau is subject to delay, commenters are encouraged to submit 
comments electronically. In general, all comments received will be 
posted without change to https://www.regulations.gov. In addition, 
comments will be available for public inspection and copying at the 
Bureau's offices in Washington, DC on official business days between 
the hours of 10 a.m. and 5 p.m. Eastern Time. You can make an 
appointment to inspect the documents by telephoning (202) 435-7275.
    All comments, including attachments and other supporting materials, 
will become part of the public record and subject to public disclosure. 
Sensitive personal information, such as account numbers or Social 
Security numbers, should not be included.

[[Page 27215]]


FOR FURTHER INFORMATION CONTACT: Nora Rigby and Joseph Devlin, 
Counsels; Office of Regulations, at (202) 435-7700.

SUPPLEMENTARY INFORMATION:

I. Summary of the Proposed Rule

    The Gramm-Leach-Bliley Act (GLBA) \1\ mandates that financial 
institutions provide their customers with initial and annual notices 
regarding their privacy policies. If financial institutions share 
certain customer information with particular types of third parties, 
the institutions are also required to provide notice to their customers 
and an opportunity to opt out of the sharing. Many financial 
institutions currently mail printed copies of the annual GLBA privacy 
notices to their customers, but have expressed concern that this 
practice causes information overload for consumers and unnecessary 
expense.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 6801 et seq.
---------------------------------------------------------------------------

    In response to such concerns, the Bureau is proposing to allow 
financial institutions that do not engage in certain types of 
information-sharing activities to stop mailing an annual disclosure if 
they post the annual notices on their Web sites and meet certain other 
conditions. Specifically, the proposal would allow financial 
institutions to use the proposed alternative delivery method for annual 
privacy notices if: (1) The financial institution does not share the 
customer's nonpublic personal information with nonaffiliated third 
parties in a manner that triggers GLBA opt-out rights; (2) the 
financial institution does not include on its annual privacy notice an 
opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit 
Reporting Act (FCRA); (3) the financial institution's annual privacy 
notice is not the only notice provided to satisfy the requirements of 
section 624 of the FCRA; (4) the information included in the privacy 
notice has not changed since the customer received the previous notice; 
and (5) the financial institution uses the model form provided in the 
GLBA's implementing Regulation P. A financial institution would still 
be required to use the currently permitted delivery method if the 
institution, among other things, has changed its privacy practices or 
engages in information-sharing activities for which customers have a 
right to opt out.
    In using the proposed alternative method, a financial institution 
would have to insert a clear and conspicuous statement at least once 
per year on a notice or disclosure the institution issues under any 
other provision of law announcing that: the annual privacy notice is 
available on the financial institution's Web site; it will be mailed to 
customers who request it by calling a toll-free telephone number; and 
it has not changed. The financial institution would have to 
continuously post the annual privacy notice in a clear and conspicuous 
manner on a page of its Web site, without requiring a login or similar 
steps to access the notice. In addition, to assist customers with 
limited or no access to the internet, financial institutions would have 
to mail annual notices promptly to customers who request them by phone.
    The proposal would apply to various types of financial institutions 
that provide consumer financial products and services. The Bureau is 
seeking comment on the proposal through June 12, 2014. The Bureau is 
also coordinating and consulting with other agencies that have 
authority to issue rules implementing GLBA with regard to certain other 
types of financial institutions, such as securities and futures 
traders, as well as consulting with other agencies that enforce the 
GLBA.

II. Background

A. The Statute and Regulation

    The GLBA was enacted into law in 1999.\2\ The GLBA, among other 
things, is intended to provide a comprehensive framework for regulating 
the privacy practices of an extremely broad range of entities. 
``Financial institutions'' for purposes of the GLBA include not only 
depository institutions and non-depository institutions providing 
consumer financial products or services (such as payday lenders, 
mortgage brokers, check cashers, debt collectors, and remittance 
transfer providers), but also many businesses that do not offer or 
provide consumer financial products or services.
---------------------------------------------------------------------------

    \2\ Public Law 106-102.
---------------------------------------------------------------------------

    Rulemaking authority to implement the GLBA privacy provisions was 
initially spread among many agencies. The Federal Reserve Board 
(Board), the Office of Comptroller of the Currency (OCC), the Federal 
Deposit Insurance Corporation (FDIC), and the Office of Thrift 
Supervision (OTS) jointly adopted final rules to implement the notice 
requirements of GLBA in 2000.\3\ The National Credit Union 
Administration (NCUA), Federal Trade Commission (FTC), Securities and 
Exchange Commission (SEC), and Commodity Futures Trading Commission 
(CFTC) were part of the same interagency process, but issued their 
rules separately.\4\ In 2009, all these agencies issued a joint final 
rule with a model form that financial institutions could use, at their 
option, to provide the required initial and annual privacy 
disclosures.\5\
---------------------------------------------------------------------------

    \3\ 65 FR 35162 (June 1, 2000).
    \4\ 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 33646 
(May 24, 2000) (FTC final rule); 65 FR 40334 (June 29, 2000) (SEC 
final rule); 66 FR 21252 (Apr. 27, 2001) (CFTC final rule).
    \5\ 74 FR 62890 (Dec. 1, 2009).
---------------------------------------------------------------------------

    In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection 
Act (Dodd-Frank Act) \6\ transferred GLBA privacy notice rulemaking 
authority from the Board, NCUA, OCC, OTS, the FDIC, and the FTC (in 
part) to the Bureau.\7\ The Bureau then restated the implementing 
regulations in Regulation P, 12 CFR part 1016, in late 2011.\8\
---------------------------------------------------------------------------

    \6\ Public Law 111-203, 124 Stat. 1376 (2010).
    \7\ Public Law 111-203, section 1093. The FTC retained 
rulewriting authority over any financial institution that is a 
person described in 12 U.S.C. 5519 (i.e., motor vehicle dealers 
predominantly engaged in the sale and servicing of motor vehicles, 
the leasing and servicing of motor vehicles, or both).
    \8\ 76 FR 79025 (Dec. 21, 2011).
---------------------------------------------------------------------------

    The Bureau has the authority to promulgate GLBA privacy rules for 
depository institutions and many non-depository institutions. However, 
rulewriting authority with regard to securities and futures-related 
companies is vested in the SEC and CFTC, respectively, and rulewriting 
authority with respect to certain motor vehicle dealers is vested in 
the FTC.\9\ The Bureau has consulted and coordinated with these 
agencies and with the National Association of Insurance Commissioners 
(NAIC) concerning the proposed alternative delivery method.\10\ The 
Bureau has also consulted with other appropriate federal agencies, as 
required under Section 1022 of the Dodd-Frank Act.
---------------------------------------------------------------------------

    \9\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b).
    \10\ In regard to any Regulation P rulemaking, section 504 of 
GLBA provides that each of the agencies authorized to prescribe GLBA 
regulations (currently the Bureau, FTC, SEC, and CFTC) ``shall 
consult and coordinate with the other such agencies and, as 
appropriate, . . . with representatives of State insurance 
authorities designated by the National Association of Insurance 
Commissioners, for the purpose of assuring, to the extent possible, 
that the regulations prescribed by each such agency are consistent 
and comparable with the regulations prescribed by the other such 
agencies.'' 15 U.S.C. 6804(a)(2).
---------------------------------------------------------------------------

1. Annual Privacy Notices
    The GLBA and its implementing regulation, Regulation P,\11\ require 
that financial institutions \12\ provide consumers with certain notices

[[Page 27216]]

describing their privacy policies. Financial institutions are generally 
required to first provide an initial notice of these policies, and then 
an annual notice to customers every year that the relationship 
continues.\13\ (When a financial institution has a continuing 
relationship with the consumer, an annual privacy notice is required 
and the consumer is then referred to as a ``customer.'') \14\ These 
notices describe whether and how the financial institution shares 
consumers' nonpublic personal information,\15\ including personally 
identifiable financial information, with other entities, and in some 
cases explain how consumers can opt out of certain types of sharing. 
The notices also briefly describe how financial institutions protect 
the nonpublic personal information they collect and maintain. Financial 
institutions typically use U.S. postal mail to send initial and annual 
privacy notices to consumers.
---------------------------------------------------------------------------

    \11\ 12 CFR part 1016.
    \12\ Regulation P defines ``financial institution.'' See 12 CFR 
1016.3(l).
    \13\ 12 CFR 1016.4, 1016.5(a)(1).
    \14\ 12 CFR 1016.3(i).
    \15\ Regulation P defines ``nonpublic personal information.'' 
See 12 CFR 1016.3(p).
---------------------------------------------------------------------------

    Implementing GLBA section 503, Regulation P generally requires the 
initial privacy notice,\16\ and also mandates that financial 
institutions ``provide a clear and conspicuous notice to customers that 
accurately reflects [their] privacy policies and practices not less 
than annually during the continuation of the customer relationship.'' 
\17\
---------------------------------------------------------------------------

    \16\ 12 CFR 1016.4(a).
    \17\ 12 CFR 1016.5(a)(1) (emphasis added).
---------------------------------------------------------------------------

    Section 502 of the GLBA and Regulation P at Sec.  1016.6(a)(6) also 
require that initial and annual notices inform customers of their right 
to opt out of certain financial institution sharing of nonpublic 
personal information with some types of nonaffiliated third parties. 
For example, customers have the right to opt out of a financial 
institution selling the names and addresses of its mortgage customers 
to an unaffiliated home insurance company and, therefore, the 
institution would have to provide an opt-out notice before it sells the 
information. On the other hand, financial institutions are not required 
to allow consumers to opt out of the institutions' sharing involving 
third-party service providers, joint marketing arrangements, 
maintaining and servicing accounts, securitization, law enforcement and 
compliance, reporting to consumer reporting agencies, and certain other 
activities that are specified in the statute and regulation as 
exceptions to the opt-out requirement.\18\ If a financial institution 
limits its types of sharing to those which do not trigger opt-out 
rights, it may provide a ``simplified'' annual privacy notice to its 
customers that does not include opt-out information.\19\
---------------------------------------------------------------------------

    \18\ 15 U.S.C. 6802(b)(2), (e); 12 CFR 1016.13, 1016.14, 
1016.15.
    \19\ Section 1016.6(c)(5) allows financial institutions to 
provide ``simplified notices'' if they do not disclose, and do not 
wish to reserve the right to disclose, nonpublic personal 
information about customers or former customers to affiliates or 
nonaffiliated third parties except as authorized under Sec. Sec.  
1016.14 and 1016.15. The exceptions at Sec. Sec.  1016.14 and 
1016.15 track statutory exemptions and cover a variety of 
situations, such as maintaining and servicing the customer's 
account, securitization and secondary market sale, and fraud 
prevention. They directly exempt institutions from the opt-out 
requirements. The exception that includes service providers and 
joint marketing arrangements, at Sec.  1016.13, is also statutory, 
but financial institutions that share according to this exception 
may not use the simplified notice, even though consumers cannot opt 
out of this sharing.
---------------------------------------------------------------------------

    In addition to opt-out rights under GLBA, financial institutions 
also may include in the annual privacy notice information about certain 
consumer opt-out rights under FCRA. The annual privacy disclosures 
under the GLBA/Regulation P and affiliate disclosures under the FCRA/
Regulation V interact in two ways. First, section 603(d)(2)(A)(iii) of 
the FCRA excludes from the statute's definition of a consumer report 
\20\ the sharing of certain information about a consumer among 
affiliates if the consumer is notified of such sharing and is given an 
opportunity to opt out.\21\ Section 503(c)(4) of the GLBA and 
Regulation P, in turn, generally require financial institutions 
providing their customers with initial and annual privacy notices to 
incorporate into them any notification and opt-out disclosures provided 
pursuant to section 603(d)(2)(A)(iii) of the FCRA.\22\
---------------------------------------------------------------------------

    \20\ The FCRA defines ``consumer report'' generally as ``any 
written, oral, or other communication of any information by a 
consumer reporting agency bearing on a consumer's credit worthiness, 
credit standing, credit capacity, character, general reputation, 
personal characteristics, or mode of living which is used or 
expected to be used or collected in whole or in part for the purpose 
of serving as a factor in establishing the consumer's eligibility 
for: (A) credit or insurance to be used primarily for personal, 
family, or household purposes; (B) employment purposes; or (C) any 
other purpose authorized under section 1681b of this title.'' 15 
U.S.C. 1681a.
    \21\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \22\ 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).
---------------------------------------------------------------------------

    Second, section 624 of the FCRA and Regulation V's Affiliate 
Marketing Rule provide that an affiliate of a financial institution 
that receives certain information \23\ about a consumer from the 
financial institution may not use the information to make solicitations 
for marketing purposes unless the consumer is notified of such use and 
provided with an opportunity to opt out of that use.\24\ Regulation V, 
in turn, permits (but does not require) financial institutions 
providing their customers with initial and annual privacy notices under 
Regulation P to incorporate any opt-out disclosures provided under 
section 624 of the FCRA and subpart C of Regulation V into those 
notices.\25\
---------------------------------------------------------------------------

    \23\ The type of information to which section 624 applies is 
information that would be a consumer report, but for the exclusions 
provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA 
(i.e., a report solely containing information about transactions or 
experiences between the consumer and the institution making the 
report, communication of that information among persons related by 
common ownership or affiliated by corporate control, or 
communication of other information as discussed above).
    \24\ 15 U.S.C. 1681s-3 and 12 CFR pt. 1022, subpart C.
    \25\ 12 CFR 1022.23(b).
---------------------------------------------------------------------------

2. Method of Delivering Annual Privacy Notices
    Section 503 of the GLBA sets forth the requirement that financial 
institutions provide initial and annual privacy disclosures to a 
consumer. Specifically, it states that ``a financial institution shall 
provide a clear and conspicuous disclosure to such consumer, in writing 
or in electronic form or other form permitted by the regulations 
prescribed under section 6804 of this title, of such financial 
institution's policies and practices with respect to'' disclosing and 
protecting consumers' nonpublic personal information.\26\ Although 
financial institutions provide most annual privacy notices by U.S. 
postal mail, Regulation P allows financial institutions to provide 
notices electronically (e.g., by email) to customers with their 
consent.\27\
---------------------------------------------------------------------------

    \26\ 15 U.S.C. 6803(a) (emphasis added).
    \27\ 12 CFR 1016.9(a) states that a financial institution may 
deliver the notice electronically if the consumer agrees. After 
discussions with industry stakeholders, however, the Bureau believes 
that most consumers have not agreed to receive electronic 
disclosures.
---------------------------------------------------------------------------

B. CFPB Streamlining Initiative

    In pursuit of the Bureau's goal of reducing unnecessary or unduly 
burdensome regulations, in December 2011, the Bureau issued a Request 
for Information seeking specific suggestions from the public for 
streamlining regulations the Bureau had inherited from other Federal 
agencies (Streamlining RFI). In that RFI, the Bureau specifically 
identified the annual privacy notice as a potential opportunity for 
streamlining and solicited comment on possible alternatives to 
delivering the annual privacy notice.\28\
---------------------------------------------------------------------------

    \28\ 76 FR 75825, 75828 (Dec. 5, 2011).
---------------------------------------------------------------------------

[[Page 27217]]

    Numerous industry commenters strongly advocated eliminating or 
limiting the annual notice requirement. They stated that most customers 
ignore annual privacy notices. Even if customers do read them, 
according to industry stakeholders, the content of these disclosures 
provides little benefit, especially if customers have no right to opt 
out of information sharing because the financial institution does not 
share nonpublic personal information in a way that triggers such 
rights. Financial institutions argued that mailing these notices 
imposes significant costs and that there are other ways of conveying to 
customers the information in the written notices just as effectively 
but at a lower cost. Several industry commenters suggested that if an 
institution's privacy notice has not changed, the institution should be 
allowed to communicate on the consumer's periodic statement, via email, 
or by some other cost-effective means that the annual privacy notice is 
available on its Web site or upon request, by phone.\29\
---------------------------------------------------------------------------

    \29\ On a related issue, industry commenters stated that the 
annual notice causes confusion and unnecessary opt-out requests from 
customers who do not recall that they have already opted out in a 
previous year. As stated in the Supplementary Information to the 
Final Model Privacy Form Under the Gramm-Leach-Bliley Act, a 
financial institution is free to provide additional information in 
other, supplemental materials to customers if it wishes to do so. 
See 74 FR 62890, 62908 (Dec. 1, 2009). A financial institution could 
include supplemental materials advising those customers who 
previously opted out that they do not need to opt out again.
---------------------------------------------------------------------------

    A banking industry trade association and other industry commenters 
suggested that the Bureau eliminate or ease the annual notice 
requirement for financial institutions if their privacy policies have 
not changed and they do not share nonpublic personal information beyond 
the exceptions allowed by the GLBA (e.g., sharing nonpublic personal 
information with the servicer of an account). They argued that the GLBA 
exceptions were crafted to allow what Congress viewed as non-
problematic sharing and, therefore, the law does not permit consumers 
to opt out of such sharing. The need for an annual notice is thus less 
evident if a financial institution only shares nonpublic personal 
information pursuant to one of these exceptions. The trade association 
estimated that 75% of banks do not share beyond these exceptions and do 
not change their notices from year to year.
    Consumer advocacy groups generally stated that customers benefit 
from financial institutions providing them with printed annual privacy 
notices, which may remind customers of privacy rights that they may not 
have exercised previously. Consumer representatives argued that these 
notices make customers aware of their privacy rights in regard to 
financial institutions, even if they have no opt-out rights. One 
compliance company commenter agreed with the consumer groups' view of 
the importance of the notices. One advocacy group suggested that a 
narrow easing of annual notice requirements where a financial 
institution shares information only with affiliates might not be 
objectionable, although it did not support changing the current 
requirements. The Bureau did not receive any comment on the annual 
privacy notice change from privacy advocacy groups.

C. Understanding the Effects of Certain Deposit Regulations--Study

    In November of 2013, the Bureau published a study assessing the 
effects of certain deposit regulations on financial institutions' 
operations.\30\ This study provided operational insights from seven 
banks about their annual privacy notices.\31\ Many of these banks use 
third-party vendors, who design or distribute the notices on their 
behalf. All seven participants provided the annual notice as a separate 
mailing, which resulted in higher costs for postage, materials, and 
labor than if the notice were mailed with other material. Some 
financial institutions apparently send separate mailings to ensure that 
their disclosures are ``clear and conspicuous,'' \32\ although 2009 
guidance from the eight agencies promulgating the model privacy form 
explained that a separate mailing is not required.\33\ This separate 
mailing practice contrasts with the usual financial institution 
preference (particularly for smaller study participants) to bundle 
mailings with monthly statements. Indeed, subsequent Bureau outreach 
suggests that many financial institutions do mail the annual privacy 
notice with other materials. Finally, while the study participants 
echoed the sentiment that few customers read privacy notices, 
participant banks with call centers also reported that after they send 
annual notices, the number of customers who call about the banks' 
privacy policies increases.
---------------------------------------------------------------------------

    \30\ Consumer Financial Protection Bureau, ``Understanding the 
Effects of Certain Deposit Regulations on Financial Institutions' 
Operations: Findings on Relative Costs for Systems, Personnel, and 
Processes at Seven Institutions'' (Nov. 2013), available at https://files.consumerfinance.gov/f/201311_cfpb_report_findings-relative-costs.pdf.
    \31\ Information collected for the study may be used to assist 
the Bureau in its investigations of ``the effects of a potential or 
existing regulation on the business decisions of providers.'' OMB 
Information Request--Control Number: 3170-0032.
    \32\ 15 U.S.C. 6803 (``[In the initial and annual privacy 
notices] a financial institution shall provide a clear and 
conspicuous disclosure . . .''); 12 CFR 1016.3(b)(1) (defining 
``clear and conspicuous'' as ``reasonably understandable and 
designed to call attention to the nature and significance of the 
information in the notice.'')
    \33\ See 74 FR 62890, 62897-62898.
---------------------------------------------------------------------------

D. Further Outreach

    In addition to the consultations with other government agencies 
discussed above, while preparing this proposed rule the Bureau 
conducted further outreach to industry and consumer advocate 
stakeholders. The Bureau held meetings with consumer groups, including 
groups and participants with a specific interest in privacy issues. The 
Bureau also held meetings with industry groups that represent 
institutions that must comply with the annual privacy notice 
requirement, including banks, credit unions, mortgage servicers, and 
debt buyers.
    As with the responses to the Streamlining RFI, the consumer groups 
generally expressed the view that mailed privacy notices were useful, 
even when no opt-out rights were present, and that changes were not 
necessary. Among other comments, they suggested that the Bureau promote 
the use of the Regulation P model form. The industry participants also 
generally expressed similar views to those expressed by industry in 
response to the Streamlining RFI. They supported creation of an 
alternative delivery method for annual privacy notices.\34\
---------------------------------------------------------------------------

    \34\ Recently Congress considered proposed legislation that 
would provide burden relief as to annual privacy notices, though no 
law has been enacted. See, e.g., H.R. 749, passed by the House and 
referred to the Senate in March of 2013; and S. 635, introduced in 
the Senate in late 2013.
---------------------------------------------------------------------------

E. Privacy Considerations

    In developing the proposal, the Bureau considered its potential 
impact on consumer privacy. The proposal would not affect the 
collection or use of consumers' nonpublic personal information by 
financial institutions. The proposal would expand the permissible 
methods by which financial institutions subject to Regulation P may 
deliver annual privacy notices to their customers in limited 
circumstances. Among other limitations, it would not expand the 
permissible delivery methods when financial institutions make various 
types of changes to their annual privacy notices or when their annual 
privacy notices afford customers the right to opt out of the sharing of 
their nonpublic personal information by financial institutions. The 
proposal is

[[Page 27218]]

designed to ensure that when the alternative delivery method is used, 
customers would continue to have access to clear and conspicuous annual 
privacy notices.

III. Legal Authority

    The Bureau is issuing this proposed rule pursuant to its authority 
under section 504 of the GLBA, as amended by section 1093 of the Dodd-
Frank Act.\35\ The Bureau is also issuing this proposed rule pursuant 
to its authority under sections 1022 and 1061 of the Dodd-Frank 
Act.\36\
---------------------------------------------------------------------------

    \35\ 15 U.S.C. 6804.
    \36\ 12 U.S.C. 5512, 5581.
---------------------------------------------------------------------------

    Prior to July 21, 2011, rulemaking authority for the privacy 
provisions of the GLBA was shared by eight federal agencies: the Board, 
the FDIC, the FTC, the NCUA, the OCC, the OTS, the SEC, and the CFTC. 
The Dodd-Frank Act amended a number of Federal consumer financial laws, 
including the GLBA. Among other changes, the Dodd-Frank Act transferred 
rulemaking authority for most of Subtitle A of Title V of the GLBA, 
with respect to financial institutions described in section 
504(a)(1)(A) of the GLBA, from the Board, FDIC, FTC, NCUA, OCC, and OTS 
(collectively, the transferor agencies) to the Bureau, effective July 
21, 2011.

IV. Section-by-Section Analysis

Section 1016.9--Delivering Privacy and Opt-Out Notices

    Existing Sec.  1016.9 describes how a financial institution must 
provide both the initial notice required by Sec.  1016.4 and the annual 
notice required by Sec.  1016.5. Specifically, Sec.  1016.9(a) requires 
the notice to be provided so that each consumer can reasonably be 
expected to receive actual notice in writing or, if the consumer 
agrees, electronically. Section 1016.9(b) provides examples of delivery 
that would result in reasonable expectation of actual notice, including 
hand delivery, delivery by mail, or electronic delivery for consumers 
who conduct transactions electronically. Section 1016.9(c) provides 
examples regarding reasonable expectation of actual notice that apply 
to annual notices only.
    The Bureau believes that use of the alternative delivery method by 
financial institutions that meet the requirements discussed below is 
likely to reduce information overload, specifically by eliminating 
duplicative paper privacy notices in situations in which the customer 
generally has no ability to opt out of the financial institution's 
information sharing.\37\ Moreover, the Bureau believes that the 
proposed rule's alternative delivery method would be likely to decrease 
the burden on financial institutions of delivering notices,\38\ while 
generally continuing to require delivery of notices pursuant to the 
existing requirements in situations in which customers can opt out of 
information sharing. In response to the Streamlining RFI, a banking 
industry trade association estimated that 75% of banks do not change 
their notices from year to year and do not share information in a way 
that gives rise to customer opt-out rights. Accordingly, the Bureau 
believes that a large number of banks would be able to use the proposed 
alternative delivery method. Bureau outreach also suggests that a large 
majority of credit unions and many non-depository financial 
institutions would benefit from being able to use the alternative 
delivery method. In addition, because small financial institutions 
appear to be less likely to share their customers' nonpublic personal 
information in a way that triggers customers' opt-out rights, it is 
likely that many of them could decrease their costs through the use of 
the alternative delivery method.
---------------------------------------------------------------------------

    \37\ The Bureau notes that the proposed alternative delivery 
method would be available even where a financial institution offers 
a notice and opt out under the Affiliate Marketing Rule, subpart C 
of 12 CFR part 1022, which relates to marketing based on information 
shared by a financial institution, as long as the Affiliate 
Marketing Rule notice and opt out is also provided separately from 
the Regulation P privacy notice. See the section-by-section 
discussion of proposed Sec.  1016.9(c)(2)(i)(C), below.
    \38\ The Bureau notes that under current Regulation P, financial 
institutions are not required to deliver the privacy notice 
separately from other documents, although the Bureau believes that 
many financial institutions do so.
---------------------------------------------------------------------------

    Under the alternative delivery method, customers would have access 
via financial institutions' Web sites (or by postal mail on request) to 
annual privacy notices that use the model form, that generally do not 
inform customers of any right to opt out, and that convey the same 
information as in previous notices. Further, financial institutions 
would be required to post their privacy notice continuously on their 
Web sites and thus customers would be able to access the privacy notice 
throughout the year rather than waiting for an annual mailing.\39\ 
Financial institutions would be required to deliver to customers an 
annual reminder, on another notice or disclosure, of the availability 
of the privacy notice on the institution's Web site. In light of these 
considerations, the Bureau believes that where the conditions set forth 
in the proposed rule are satisfied, any incremental benefit in terms of 
customers' awareness of privacy issues that might accrue from requiring 
delivery pursuant to the existing methods of the annual privacy notice 
could be outweighed by the costs of providing the notice, costs that 
ultimately may be passed through to customers. The Bureau has 
determined that the specific language of section 503(a) of the GLBA 
grants some latitude in specifying by rule the method of conveying the 
annual notices, so long as a ``clear and conspicuous disclosure'' is 
provided ``in writing or in electronic form or other form permitted by 
the regulations.'' This statutory interpretation would apply only to 
the specific type of disclosure involved in the limited circumstances 
proposed pursuant to the specific language of GLBA section 503.\40\
---------------------------------------------------------------------------

    \39\ Fostering comparison shopping by consumers among financial 
institutions was one of the objectives that GLBA model privacy 
notices, primarily initial privacy notices, were intended to 
accomplish. See 15 U.S.C. 6803(e). Facilitating comparison shopping 
based on privacy policies was also mentioned repeatedly in the 
preamble to the model privacy notice rule. See 74 FR 62890 (Dec. 1, 
2009). The Bureau invites empirical data on whether consumers do 
comparison shop among financial institutions based on privacy 
notices.
    \40\ While the agencies previously charged with GLBA privacy 
notice rulemaking authority appear to have read the statutory grant 
of authority more restrictively (See, e.g., 65 FR at 35174 (June 1, 
2000)), those agencies did not cite or interpret the statutory 
language quoted above and were not considering a form of electronic 
notice. Commenters to the agencies' proposed rule had suggested that 
the notice (including opt outs) be available only on request, or 
that a short-form notice be permitted in certain circumstances, and 
the agencies interpreted the statute as not allowing such 
arrangements. The Bureau's proposed rule's disclosure strategy is 
very different, and allows immediate access to the privacy notice 
for the overwhelming majority of customers.
    Further, circumstances have changed since the 2000 rulemaking. 
In 2000, only 41.5% of U.S. households had internet access at home. 
In contrast, as of 2012, 74.8% of U.S. households had internet 
access at home and 80% of U.S. adults were using the internet, thus 
making easy access to electronic notices significantly more 
widespread. See U.S. Census data, ``Households With a Computer and 
Internet Use: 1984 to 2012,'' available at https://www.census.gov/hhes/computer/publications/2012.html and Pew Research Internet 
Project, available at https://www.pewinternet.org/2014/02/27/summary-of-findings-3/.
---------------------------------------------------------------------------

    The Bureau seeks data and other information concerning the effect 
on customer privacy rights if financial institutions were to use the 
alternative delivery method rather than their current delivery method. 
The Bureau further requests comment on whether the proposed alternative 
delivery method would be effective in reducing the potential for 
information overload on customers and reducing the burden on financial 
institutions of mailing hard copy privacy notices. The Bureau also has 
been informed by some financial institutions and consumer advocates 
that financial institutions and customers are unnecessarily burdened by 
redundant opt-out requests because customers who receive the privacy 
notice are often unaware that they have previously opted out of 
information sharing. The Bureau notes that a financial institution may 
currently include with its privacy notice a separate notice explaining 
a customer's opt-out status, though the Bureau does not believe that 
many financial institutions do so. Although the Bureau is not proposing 
to change the model form or instructions in Regulation P at this time, 
the Bureau requests comment on whether financial institutions would 
want to include on the privacy notice itself a statement describing the 
customer's opt-out status.
    Lastly, the Bureau notes that the proposed alternative delivery 
method would be available where customers have already consented to 
receive their privacy notices electronically pursuant to Sec.  
1016.9(a) and invites comment regarding how often privacy notices are 
delivered electronically under existing Regulation P. The Bureau 
further invites comment on whether the proposed alternative delivery 
method is appropriate for customers who already receive privacy notices 
electronically and whether financial institutions that currently 
provide the notice electronically would be likely to use the proposed 
alternative delivery method.

9(c)(2) Alternative Method for Providing Certain Annual Notices

9(c)(2)(i)
    Proposed Sec.  1016.9(c)(2) sets forth an alternative to Sec.  
1016.9(a) for providing certain annual notices. (Existing Sec.  
1016.9(c) would be redesignated as Sec.  1016.9(c)(1) and its 
subparagraphs redesignated as Sec.  1016.9(c)(1)(i) and (ii), 
respectively, to accommodate the new addition. The Bureau is also 
proposing to add a heading to new paragraph (c)(1) for technical 
reasons.) Specifically, proposed Sec.  1016.9(c)(2)(i) would provide 
that, notwithstanding the general requirement in Sec.  1016.9(a) that a 
notice be provided so that each consumer can reasonably be expected to 
receive actual notice, a financial institution may use the alternative 
method set forth in proposed Sec.  1016.9(c)(2)(ii) to satisfy the 
requirement in Sec.  1016.5(a)(1) to provide an annual notice if the 
institution meets certain conditions as specified in proposed Sec.  
1016.9(c)(2)(i)(A) through (E), which are discussed in detail below. 
The Bureau invites comment generally on the conditions in proposed 
Sec.  1016.9(c)(2)(i)(A) through (E) and whether any of those 
conditions should not be required or whether additional conditions 
should be added. The Bureau notes that the proposed alternative 
delivery method would not alter the requirement in Sec.  1016.5(a)(1) 
that the notice be provided annually.
9(c)(2)(i)(A)
    Proposed Sec.  1016.9(c)(2)(i)(A) would set forth the first 
condition for using the alternative delivery method: that the financial 
institution does not share the customer's information with 
nonaffiliated third parties other than through the activities specified 
under Sec. Sec.  1016.13, 1016.14, and 1016.15 that do not trigger opt-
out rights under the GLBA. Pursuant to Sec.  1016.10(a), a financial 
institution generally may not disclose nonpublic personal information 
about a consumer to a nonaffiliated third party without first providing 
the consumer with a notice and opportunity to opt out of that sharing. 
Sections 1016.13, 1016.14, and 1016.15 lay out certain exceptions to 
the general opt-out requirement.\41\ Accordingly, where a financial 
institution shares with nonaffiliated third parties as permitted by 
Sec. Sec.  1016.13, 1016.14, and 1016.15, the financial institution is 
not required to provide the consumer with an opportunity to opt out of 
such sharing.
---------------------------------------------------------------------------

    \41\ Specifically, Sec.  1016.13 provides that the opt-out 
requirement generally does not apply where a financial institution 
shares nonpublic personal information with nonaffiliated third 
parties to provide services to the sharing financial institution, 
including for marketing products or services of the financial 
institution or those of other financial institutions with which the 
sharing institution has joint marketing agreements. Section 1016.14 
provides that the opt-out requirement generally does not apply where 
the financial institution shares nonpublic personal information as 
required to process or service transactions for the consumer's 
account. Section 1016.15 provides that the opt-out requirement does 
not apply to certain specific types of information sharing by the 
financial institution, including, for example, at the consumer's 
request, to protect the confidentiality of the financial 
institution's records, to a consumer reporting agency, and to comply 
with a properly authorized civil, criminal or regulatory 
investigation.
---------------------------------------------------------------------------

    The Bureau believes that the alternative delivery method, while 
reducing burden, might not be as effective in alerting customers to 
their ability to opt out of certain types of information sharing as the 
current delivery method where a financial institution shares beyond the 
exceptions in Sec. Sec.  1016.13, 1016.14, and 1016.15. The Bureau thus 
believes that the current delivery method for the annual notice 
pursuant to existing Sec.  1016.9(a) is likely to be important for 
customers who have the right to opt out of information sharing. The 
Bureau believes that limiting the alternative delivery method to 
circumstances in which customers have no information sharing opt-out 
rights under Regulation P would generally reduce the burden of 
compliance while still mandating the use of the current delivery method 
to ensure that customers have notice of their opt-out rights where they 
exist. For the foregoing reasons, the Bureau proposes Sec.  
1016.9(c)(2)(i)(A).
    The Bureau invites comment on the extent to which different 
financial institutions share beyond the exceptions in Sec. Sec.  
1016.13, 1016.14, and 1016.15 and thus would be precluded from using 
the proposed alternative delivery method. The Bureau further invites 
comment on the impact on customers of receiving the annual privacy 
notice pursuant to the current delivery method, rather than the 
proposed alternative delivery method, where the notice informs the 
customer of opt-out rights pursuant to Regulation P.
9(c)(2)(i)(B)
    Proposed Sec.  1016.9(c)(2)(i)(B) would set forth the second 
condition for using the alternative delivery method for the annual 
privacy notice: that the financial institution not include on its 
annual notice an opt out under section 603(d)(2)(A)(iii) of the 
FCRA.\42\ As discussed in part II above, FCRA section 603(d)(2)(A)(iii) 
excludes from the statute's definition of ``consumer report'' a 
financial institution's sharing of certain information about a consumer 
with its affiliates if the financial institution provides the consumer 
with notice and an opportunity to opt out of the information sharing. 
Though this notice and opt out is a product of the FCRA rather than the 
GLBA, section 503(b)(4) of the GLBA and Sec.  1016.6(a)(7) require a 
financial institution's privacy notice to include any disclosures the 
financial institution makes under section 603(d)(2)(A)(iii) of the 
FCRA. Accordingly, to the extent that a financial institution chooses 
to provide an opt out pursuant to FCRA section 603(d)(2)(A)(iii), Sec.  
1016.6(a)(7) requires the privacy notice to include that opt out.\43\ 
For the same reasons as discussed with respect to proposed Sec.  
1016.9(c)(2)(i)(A), the Bureau proposes to allow a financial 
institution to use the alternative delivery method only if it does not 
share information in a way that triggers information sharing opt-out 
rights for the customer, including those under section 
603(d)(2)(A)(iii) of the FCRA. Accordingly, the Bureau proposes Sec.  
1016.9(c)(2)(i)(B).
---------------------------------------------------------------------------

    \42\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \43\ See 64 FR 35162, 35176 (June 1, 2000).
---------------------------------------------------------------------------

    The Bureau invites comment on the extent to which different 
financial 
institutions provide a FCRA section 603(d)(2)(A)(iii) opt out and thus 
would be precluded from using the proposed alternative delivery method. 
The Bureau further invites comment on the benefit to customers of 
receiving the annual privacy notice pursuant to the current delivery 
method, rather than the proposed alternative delivery method, where the 
notice informs the customer of opt-out rights pursuant to FCRA section 
603(d)(2)(A)(iii).
9(c)(2)(i)(C)
    Proposed Sec.  1016.9(c)(2)(i)(C) would contain the third condition 
for using the alternative delivery method: that the annual privacy 
notice is not the only notice provided to satisfy the requirements of 
section 624 of the FCRA \44\ and subpart C of 12 CFR part 1022 (the 
``Affiliate Marketing Rule''). The Bureau is proposing to provide 
flexibility in the manner in which an annual notice which contains 
disclosures under the Affiliate Marketing Rule is provided since 
proposed Sec.  1016.9(c)(2)(i)(C) would require the consumer to be 
provided the Affiliate Marketing notice and opt out separately, as 
discussed below. FCRA section 624, as implemented by the Affiliate 
Marketing Rule, provides that a person may not use certain information 
about a consumer that it receives from an affiliate to make 
solicitations for marketing purposes unless the consumer receives 
notice and the opportunity to opt out of this use from an affiliate 
with whom the consumer has or had a pre-existing business 
relationship.\45\ The Affiliate Marketing Rule further governs the 
content, scope, and duration of that notice and opt out and the method 
by which it must be provided to consumers.\46\
---------------------------------------------------------------------------

    \44\ 15 U.S.C. 1681s-3.
    \45\ 12 CFR 1022.21(a).
    \46\ 12 CFR 1022.22, 1022.23, 1022.24, 1022.25, 1022.26, and 
1022.27.
---------------------------------------------------------------------------

    In contrast to the FCRA section 603(d)(2)(A)(iii) notice and opt-
out right, which is generally required to be included on the annual 
privacy notice by Sec.  1016.6(a)(7) if a financial institution offers 
that opt out, the Affiliate Marketing Rule notice and opt out is not 
required to be included on the Regulation P privacy notice. The 
Affiliate Marketing Rule notice and opt out may be included on the 
privacy notice, however. Moreover, the model privacy notice includes a 
notice and opt out under FCRA section 624 and the Affiliate Marketing 
Rule,\47\ and the Affiliate Marketing Rule specifically provides that 
its opt out may be incorporated into the GLBA privacy notice.\48\ The 
instructions to the GLBA model privacy notice make clear that a 
financial institution subject to the Affiliate Marketing Rule may omit 
that notice and opt out from the GLBA model privacy notice, provided 
the institution separately complies with the Affiliate Marketing 
Rule.\49\
---------------------------------------------------------------------------

    \47\ Appendix to part 1016 at C.2.d.6.
    \48\ 12 CFR 1022.23(b).
    \49\ Appendix to part 1016 at C.2.d.6.
---------------------------------------------------------------------------

    Given that the Affiliate Marketing Rule notice and opt out is not 
required on the annual privacy notice (and indeed does not have to be 
provided annually),\50\ the Bureau believes that the existence of an 
opt-out right under the Affiliate Marketing Rule should not preclude a 
financial institution from using the proposed alternative delivery 
method. Instead, the Bureau is proposing that the alternative delivery 
method would be available for a financial institution that must provide 
a notice and opt out under the Affiliate Marketing Rule as long as the 
annual privacy notice is not the only notice provided to the customer 
explaining that opt-out right. In other words, a financial institution 
that undertakes opt-out obligations under the Affiliate Marketing Rule 
may use the alternative delivery method provided that it fulfills those 
notice and opt-out obligations separately from the annual privacy 
notice.
---------------------------------------------------------------------------

    \50\ 72 FR 62910, 62930 (Nov. 7, 2007).
---------------------------------------------------------------------------

    The Bureau notes that certain requirements for the Affiliate 
Marketing notice and opt out differ, depending on whether it is 
included as part of the model privacy notice or issued separately. 
Where a financial institution includes the Affiliate Marketing notice 
and opt out on the model privacy notice, Regulation P requires that opt 
out to be of indefinite duration.\51\ In contrast, where a financial 
institution provides the Affiliate Marketing notice and opt out 
separately, Regulation V allows the opt out to be offered for as little 
as five years, subject to renewal, and the disclosure of the duration 
of the opt out must be included on the notice.\52\ Because inclusion of 
the Affiliate Marketing opt out on the model privacy notice requires a 
financial institution to honor the opt out indefinitely, a financial 
institution that also offers the opt-out right separately in order to 
use the alternative delivery method would be able to comply with both 
Regulations P and V by stating in the separate Affiliate Marketing 
notice that the opt out is of indefinite duration and by honoring such 
opt-out requests indefinitely.
---------------------------------------------------------------------------

    \51\ Regulation P provides, ``Institutions that include this 
reason [for sharing or using personal information] must provide an 
opt-out of indefinite duration.'' Appendix to part 1016 at C.2.d.6.
    \52\ 12 CFR 1022.22(b). 12 CFR 1022.23(a)(1)(iv).
---------------------------------------------------------------------------

    The Bureau acknowledges that under this proposal some customers 
will no longer receive their annual privacy notice pursuant to the 
current delivery requirements even though the notice informs them of a 
right to opt out that exists pursuant to the Affiliate Marketing Rule. 
The Bureau believes, however, that this concern is mitigated by the 
fact that in such cases, proposed Sec.  1016.9(c)(2)(i)(C) would 
require that the Affiliate Marketing Rule opt-out notice also be 
delivered separately from the annual privacy notice.\53\ The Bureau 
considered but decided against proposing to prohibit use of the 
alternative delivery method where a financial institution provides an 
opt out under the Affiliate Marketing Rule. The Bureau believes that 
prohibiting the use of the alternative delivery method in that 
circumstance could discourage financial institutions from voluntarily 
providing the Affiliate Marketing notice and opt out through their 
annual privacy notices and could be at odds with a financial institution's 
choice whether to use the annual privacy notice to comply with its opt-
out obligations under the Affiliate Marketing Rule. Accordingly, the 
Bureau is proposing Sec.  1016.9(c)(2)(i)(C) which would permit use of 
the alternative delivery method for a financial institution that 
provides a notice and opt out under the Affiliate Marketing Rule, 
provided that the financial institution does not use the annual privacy 
notice as the sole means of providing notice to customers of that opt-
out right.
---------------------------------------------------------------------------

    \53\ Alternatively, the financial institution could continue to 
use the current delivery method and include the Affiliate Marketing 
opt out on the annual privacy notice, with no separate notice 
required.
---------------------------------------------------------------------------

    The Bureau invites comment on the extent to which financial 
institutions include the Affiliate Marketing Rule opt out on their 
Regulation P privacy notices and thus would be precluded from using the 
proposed alternative delivery method unless they separately delivered 
an Affiliate Marketing Rule opt-out notice. The Bureau further invites 
comment on the benefit or harm to customers of receiving the annual 
privacy notice pursuant to the alternative delivery method if the 
notice informs the customer of opt-out rights pursuant to the Affiliate 
Marketing Rule and the customer would receive a separate Affiliate 
Marketing Rule opt-out notice.
9(c)(2)(i)(D)
    Proposed Sec.  1016.9(c)(2)(i)(D) would present the fourth 
condition for using the alternative delivery method: that the 
information a financial institution is required to convey on its annual 
privacy notice pursuant to Sec.  1016.6(a)(1) through (5), (8) and (9) 
has not changed since the immediately previous privacy notice, initial 
or annual, to the customer. The Bureau is proposing to provide more 
flexibility in the method by which a notice that has not changed may be 
delivered because it believes that delivery of the annual notice as 
currently required by Sec.  1016.9(a) is likely less useful if the 
customer has already received a privacy notice, the financial 
institution's sharing practices remain generally unchanged since that 
previous notice, and the other requirements of proposed Sec.  
1016.9(c)(2)(i) are met. Proposed Sec.  1016.9(c)(2)(i)(D) lists the 
specific disclosures of the privacy notice that must not change in 
order for a financial institution to take advantage of the alternative 
delivery method. They are:
    (1) the categories of nonpublic personal information that the 
financial institution collects (Sec.  1016.6(a)(1));
    (2) the categories of nonpublic personal information that the 
financial institution discloses (Sec.  1016.6(a)(2));
    (3) the categories of affiliates and nonaffiliated third parties to 
whom the financial institution discloses nonpublic personal 
information, other than those parties to whom the financial institution 
discloses information under Sec. Sec.  1016.14 and 1016.15 (Sec.  
1016.6(a)(3));
    (4) the categories of nonpublic personal information about the 
financial institution's former customers that the financial institution 
discloses and the categories of affiliates and nonaffiliated third 
parties to whom the financial institution discloses nonpublic personal 
information about the financial institution's former customers, other 
than those parties to whom the financial institution discloses 
information under Sec. Sec.  1016.14 and 1016.15 (Sec.  1016.6(a)(4));
    (5) if the financial institution discloses nonpublic personal 
information to a nonaffiliated third party under Sec.  1016.13 (and no 
other exception in Sec.  1016.14 or Sec.  1016.15 applies to that 
disclosure), a separate statement of the categories of information the 
financial institution discloses and the categories of third parties 
with whom the financial institution has contracted (Sec.  
1016.6(a)(5));
    (6) the financial institution's policies and practices with respect 
to protecting the confidentiality and security of nonpublic personal 
information (Sec.  1016.6(a)(8)); and
    (7) any description of nonaffiliated third parties subject to 
exceptions as described in Sec.  1016.6(b) (Sec.  1016.6(a)(9)).\54\
---------------------------------------------------------------------------

    \54\ Note that the information disclosed pursuant to Sec.  
1016.6(a)(6) and (7) is not among the provisions in proposed Sec.  
1016.9(c)(2)(i)(D) because those disclosures relate to opt-out 
rights the existence of which would make the alternative delivery 
method unavailable for a financial institution under proposed Sec.  
1016.9(c)(2)(i)(A) and (B), as discussed above. In addition, the 
omission from proposed Sec.  1016.9(c)(2)(i)(D) of the opt-out 
disclosures under GLBA and FCRA makes clear that a financial 
institution may change its privacy policy so as to eliminate 
information sharing that triggers opt-out rights and may then make 
use of the alternative delivery method for the next annual privacy 
notice.
---------------------------------------------------------------------------

    With respect to disclosures required by Sec.  1016.6(a)(1) through 
(5) and (9) (items 1-5 and 7 in the list above), the Bureau emphasizes 
that a financial institution would be precluded from using the 
alternative delivery method only if it made changes in the category of 
information it collects or discloses so as to require changes to the 
disclosure on the notice itself. The disclosures required by Sec.  
1016.6(a)(1) through (5) and (9) describe categories of nonpublic 
personal information collected and disclosed and categories of third 
parties with whom that information is disclosed. Accordingly, only a 
change in or addition of a category of information collected or shared 
or in a category of third party with whom the information is shared 
would prevent a financial institution from satisfying proposed Sec.  
1016.9(c)(2)(i)(D). The Bureau further notes that stylistic changes in 
the wording of the notice that do not change the information conveyed 
on the notice would not prevent a financial institution from satisfying 
proposed Sec.  1016.9(c)(2)(i)(D).
    For example, assume a financial institution begins collecting 
information regarding potential customers' assets as part of an 
application process that the institution had not previously collected. 
If the institution had previously disclosed on its privacy notice that 
the nonpublic personal information it collected included information 
received from customers on applications or other forms, the financial 
institution would satisfy proposed Sec.  1016.9(c)(2)(i)(D) 
notwithstanding the fact that the institution had not previously 
collected asset information. Similarly, a financial institution's 
decision to begin sharing its customers' nonpublic personal information 
with a mortgage broker, even where it had not previously shared that 
information with any mortgage brokers, would not prohibit the financial 
institution from satisfying proposed Sec.  1016.9(c)(2)(i)(D) provided 
that the financial institution had previously disclosed on its privacy 
notice that it shared information with financial service providers.
    With respect to the disclosure required by Sec.  1016.6(a)(8), the 
Bureau notes that proposed Sec.  1016.9(c)(2)(i)(D) would disallow the 
use of the alternative delivery method if a financial institution 
changes the required description of its policies and practices with 
respect to protecting the confidentiality and security of nonpublic 
personal information. The Bureau recognizes that this information is 
distinguishable from the information required by Sec.  1016.6(a)(1) 
through (5) and (9) in that the information required by Sec.  
1016.6(a)(8) does not describe the financial institution's collecting 
or sharing of nonpublic personal information but instead describes the 
financial institution's overall data security policy. The Bureau 
believes that changes in the description of a financial institution's 
data security policy likely are significant enough that when they 
occur, the annual privacy notice should continue to be delivered 
according to the existing methods in Sec.  1016.9. Indeed, in light of 
recent large-scale data security breaches, the Bureau believes that 
some customers may be more interested in the data security policies of 
their financial institutions than they were previously.
    The Bureau notes that stylistic changes to the description of the 
data security policy that do not change the information conveyed on the 
notice would not prevent a financial institution from satisfying 
proposed Sec.  1016.9(c)(2)(i)(D). The Bureau further notes that 
(similar to the information required by Sec.  1016.6(a)(1) through (5) 
and (9)) changes to the underlying data security policy would preclude 
financial institutions from using the alternative delivery method only 
if these policy changes are substantial enough under Regulation P to 
trigger changes in the description of that policy on the annual notice 
itself. The Bureau believes, therefore, that financial institutions 
likely will be able to make improvements to their data security 
practices without necessarily changing information disclosed pursuant 
to Sec.  1016.6(a)(8).
    The Bureau invites comment about the effect on customers of 
conditioning availability of the alternative delivery method on there 
being no change from the previous year's notice without regard to the 
conditions that would be required by proposed Sec.  1016.9(c)(2)(i)(A) 
through (C). The Bureau further invites comment on how 
often financial institutions change their privacy notice such that they 
would be precluded from using the proposed alternative delivery method. 
Lastly, the Bureau invites comment on the extent to which a financial 
institution's changing its data security policy might preclude it from 
using the proposed alternative delivery method and whether the 
information disclosed pursuant to Sec.  1016.6(a)(8) should be included 
in proposed Sec.  1016.9(c)(2)(i)(D).
9(c)(2)(i)(E)
    The last condition for use of the alternative delivery method, 
which would be set forth in proposed Sec.  1016.9(c)(2)(i)(E), requires 
that the financial institution use the model privacy form for its 
annual privacy notice. Though use of the model form constitutes 
compliance with the notice content requirements of Sec. Sec.  1016.6 
and 1016.7, Regulation P does not require use of the model notice.\55\ 
However, the Bureau believes that a large majority of financial 
institutions use the model notice. The model notice was adopted in 2009 
as part of an interagency rulemaking because consumer research revealed 
that the model notice was easier to understand and use than most 
privacy notices then being used.\56\ During outreach, consumer and 
privacy groups told the Bureau that the model notice is easier for 
consumers to understand than other privacy notices. The Bureau is 
proposing to require use of the model notice as a condition of using 
the alternative delivery method to foster the use of a form of notice 
that appears to be more effective in conveying privacy policy 
information to customers than non-standard notices and thus enhance the 
effectiveness of the notice provided under the alternative method.
---------------------------------------------------------------------------

    \55\ 12 CFR 1016.2.
    \56\ 74 FR 62890, 62891 (Dec. 1, 2009).
---------------------------------------------------------------------------

    Accordingly, the Bureau is proposing Sec.  1016.9(c)(2)(i)(E), 
which would permit use of the alternative delivery method only if a 
financial institution uses the model privacy form for its annual 
privacy notice. The Bureau believes that proposed Sec.  
1016.9(c)(2)(i)(E) is likely to encourage some financial institutions 
that are not currently doing so to use the model notice in order to 
take advantage of the cost savings associated with the alternative 
delivery method. Moreover, the Bureau does not believe that requiring 
use of the model notice to be eligible for the alternative delivery 
method creates a significant compliance burden for the minority of 
financial institutions that do not currently use it, especially given 
that financial institutions would not choose to use the alternative 
delivery method if the one-time cost of adopting the model notice were 
not more than offset by the ongoing burden reduction of the alternative 
delivery method for the annual notice.
    The Bureau notes that the model form accommodates information that 
may be required by state or international law, as applicable, in a box 
called ``Other important information.'' \57\ Accordingly, the Bureau 
expects that a financial institution that has additional privacy 
disclosure obligations pursuant to state or international law would 
still be able to use the model form in order to take advantage of the 
proposed alternative delivery method. The Bureau invites comment on 
related state or international law requirements and their interaction 
with the model privacy notice as well as the proposed alternative 
delivery method in general.
---------------------------------------------------------------------------

    \57\ Appendix to part 1016 at C.3.c.1.
---------------------------------------------------------------------------

    The Bureau does not contemplate that adoption of the model privacy 
form, which may require changes to the wording and layout of the 
privacy notice but not to the information conveyed, would constitute a 
change within the meaning of proposed Sec.  1016.9(c)(2)(i)(D). In a 
somewhat analogous situation, the agencies that promulgated the model 
privacy notice explained: ``Adoption of the model form, with no change 
in policies or practices, would not constitute a revised notice [for 
purposes of the rule section on revised privacy notices], although 
institutions may elect to consider the format change as revision, at 
their option.'' \58\ The Bureau solicits comment on whether adoption of 
the model form instead should be considered a change in the annual 
notice pursuant to proposed Sec.  1016.9(c)(2)(i)(D) such that an 
institution adopting the model form in the first instance would be 
precluded from using the proposed alternative delivery method until the 
following year's annual notice. The Bureau further invites comment on 
the extent to which financial institutions currently use the model 
privacy notice and if they do not, whether they would choose to do so 
to take advantage of the proposed alternative delivery method. Lastly, 
the Bureau invites comment on the benefit to customers of receiving the 
model privacy notice rather than a privacy notice in a non-standard 
format.
---------------------------------------------------------------------------

    \58\ 74 FR 62890, 62907 n. 196.
---------------------------------------------------------------------------

9(c)(2)(ii)
    In proposed Sec.  1016.9(c)(2)(ii), the Bureau sets forth the 
alternative delivery method that would be permissible to satisfy the 
requirement in Sec.  1016.5(a)(1) to provide an annual notice if a 
financial institution meets the conditions described in proposed Sec.  
1016.9(c)(2)(i). For the reasons discussed above, the Bureau believes 
that delivery of the annual privacy notice pursuant to the existing 
delivery requirements may be less important for customers if the 
requirements of proposed Sec.  1016.9(c)(2)(i) are met. The Bureau 
believes that delivery pursuant to the alternative delivery method 
proposed, described in detail below, would inform customers of their 
financial institution's privacy policies effectively and at a lower 
cost than the current delivery methods. Although the Bureau believes it 
is unlikely, the Bureau recognizes the possibility that fewer customers 
may read the privacy notice when it is delivered pursuant to the 
alternative method than would have read the notice if it had been 
delivered to them using the current delivery methods. The Bureau 
requests comment on how frequently customers read privacy notices 
delivered pursuant to existing Sec.  1016.9(a) and how frequently the 
notices would be read if they were provided pursuant to the proposed 
alternative delivery method. The Bureau further invites comment 
generally on the components of the alternative delivery method in 
proposed Sec.  1016.9(c)(2)(ii)(A) through (C) and whether any of those 
components should not be required or whether additional components 
should be added.
9(c)(2)(ii)(A)
    Proposed Sec.  1016.9(c)(2)(ii)(A) would set forth the first 
component of the alternative delivery method: that a financial 
institution inform the customer of the availability of the annual 
privacy notice. To satisfy proposed Sec.  1016.9(c)(2)(ii)(A), a 
financial institution would be required to convey in a clear and 
conspicuous manner not less than annually on a notice or disclosure the 
institution is required or expressly and specifically permitted to use 
under any other provision of law that its privacy notice has not 
changed, that the notice is available on its Web site and that a hard 
copy of the notice will be mailed to customers if they call a toll-free 
number to request one.
    Proposed Sec.  1016.9(c)(2)(ii)(A) would use the term ``clear and 
conspicuous,'' which is defined in existing Sec.  1016.3(b)(1) as 
meaning ``reasonably understandable'' and ``designed to call attention 
to the nature and significance of the information.'' The Bureau 
believes that the existing examples in

[[Page 27223]]

Sec.  1016.3(b)(2)(i) and (ii) for reasonably understandable and 
designed to call attention, respectively, likely would provide 
sufficient guidance on ways to make the notice of availability in 
proposed Sec.  1016.9(c)(2)(ii)(A) clear and conspicuous. Specifically, 
because the notice of availability would be combined with another 
notice or disclosure sent to the customer, the Bureau points to 
existing Sec.  1016.3(b)(2)(ii)(E), which states that on a form that 
combines a notice with other information, a notice containing 
distinctive type size, style, and graphic devices, such as shading or 
sidebars, is designed to call attention to the nature and significance 
of the information, as required under the clear and conspicuous 
definition.
    With respect to the notice of availability being conveyed not less 
than annually, the Bureau notes that the proposed rule would permit it 
being included more often than annually (e.g., quarterly or monthly). 
Although the Bureau is proposing to require the notice of availability 
annually, the Bureau invites comment on the advantages and 
disadvantages of it being provided on a more frequent basis.
    With respect to the type of statement that may be used to convey 
the notice of availability, proposed Sec.  1016.9(c)(2)(ii)(A) would 
permit it to be conveyed on a notice or disclosure the institution is 
required or expressly and specifically permitted to issue under any 
other provision of law. This language is similar to that used in 
Regulation V, which provides that ``a notice required by this subpart 
may be coordinated and consolidated with any other notice or disclosure 
required to be issued under any other provision of law. . . .'' \59\ 
Proposed Sec.  1016.9(c)(2)(ii)(A) would add to that language in order 
to ensure that the notice of availability could be included on 
disclosures that are expressly and specifically permitted by law, even 
if not required. The Bureau notes that a notice of availability would 
satisfy proposed Sec.  1016.9(c)(2)(ii)(A) if it were included on a 
periodic statement, which is permitted but not required by Regulation 
DD,\60\ but would not satisfy proposed Sec.  1016.9(c)(2)(ii)(A) if 
included on advertising materials that were neither required nor 
specifically permitted by law. Proposed Sec.  1016.9(c)(2)(ii)(A) does 
not specify in more detail the type of statement on which the notice of 
availability must be conveyed because the Bureau intends the 
alternative delivery method to be flexible enough to be used by 
financial institutions whose business practices vary widely. The Bureau 
invites comment on the benefits and costs of requiring the notice of 
availability to be included on a document required or expressly and 
specifically permitted under any other provision of law.
---------------------------------------------------------------------------

    \59\ 12 CFR 1022.23(b).
    \60\ 12 CFR 1030.6.
---------------------------------------------------------------------------

    The Bureau further notes that where two or more financial 
institutions provide a joint privacy notice pursuant to Sec.  
1016.9(f), proposed Sec.  1016.9(c)(2)(ii)(A) would require each 
financial institution to separately provide the notice of availability 
on a notice or disclosure that it is required or permitted to issue. 
The Bureau invites comment on how often financial institutions jointly 
provide privacy notices and whether the proposed alternative delivery 
method would be feasible for such jointly issued notices.
    Proposed Sec.  1016.9(c)(2)(ii)(A) also would require the 
institution to state on the notice that its privacy policy has not 
changed. The Bureau intends this proposed requirement to help customers 
assess whether they are interested in reading the policy. This 
statement would always be accurate if the alternative delivery method 
is used correctly, since a financial institution could not use the 
alternative delivery method if its annual privacy notice had changed.
    Proposed Sec.  1016.9(c)(2)(ii)(A) would further require that the 
statement include a specific web address that takes customers directly 
to the page where the privacy notice is available and a toll-free 
telephone number for customers to call and request that a hard copy of 
the annual notice be mailed to them. With respect to the specific web 
address, the Bureau notes that the language of proposed Sec.  
1016.9(c)(2)(ii)(A) is somewhat similar to an option used on the model 
privacy notice to provide an online opt out of information sharing.\61\ 
Proposed Sec.  1016.9(c)(2)(ii)(A) requires a web address that the 
customer can type into a web browser to directly access the page that 
contains the privacy notice so that the customer need not click on any 
links after typing in the web address. The Bureau believes that a 
direct link may make it easier and more convenient for customers to 
access the privacy notice.
---------------------------------------------------------------------------

    \61\ Appendix to 12 CFR part 1016, at C.2.e.
---------------------------------------------------------------------------

    Proposed Sec.  1016.9(c)(2)(ii)(A) would also require that the 
notice of availability include a toll-free number a customer can call 
to request a hard copy of the annual privacy notice. This requirement 
is intended to assist customers who do not have internet access or 
would prefer to receive a hard copy of the privacy notice. The Bureau 
notes that Regulation P currently contains provisions on the use of a 
toll-free number. For example, existing Sec.  1016.6(d)(4)(i) lists a 
financial institution providing a toll-free number that the consumer 
may call to request a notice as an example of reasonable means by which 
a consumer who is not a customer may obtain a copy of an institution's 
privacy notice. The Bureau expects that most financial institutions 
will already have a toll-free number for their customers to contact 
them and thus providing a toll-free number for this purpose would not 
be a significant burden. Further, the Bureau is concerned that 
requiring a customer to pay for a call to the financial institution to 
request a copy of the privacy notice could impose a new cost on the 
customer that could deter customers from calling to request a hard copy 
of the notice.
    The Bureau invites comment about the advantages and disadvantages 
of requiring financial institutions to provide a toll-free number and 
whether there would be other appropriate ways to balance customers' 
interests and to distinguish between small and large financial 
institutions. The Bureau further invites comment on the relative need 
that the telephone number for customers to request a copy of the 
privacy notice be toll-free, given recent technological and billing 
practice changes to the telephone industry. Lastly, the Bureau invites 
comment on the advantages and disadvantages of requiring financial 
institutions to provide a dedicated telephone number for privacy notice 
requests so that customers can easily request a hard copy of the notice 
without navigating a complicated automated telephone menu.
9(c)(2)(ii)(B)
    Proposed Sec.  1016.9(c)(2)(ii)(B) would set forth the second 
component of the alternative delivery method: That the financial 
institution post its current privacy notice continuously and in a clear 
and conspicuous manner on a page of the institution's Web site that 
contains only the privacy notice. The Bureau believes, based on its 
outreach, that this provision of the alternative delivery method is 
feasible for most financial institutions. Even for a financial 
institution that does not currently post its annual notice on its Web 
site, creating a specific page for this purpose is a one-time process 
that the Bureau believes most financial institutions could implement 
without significant cost. Further, the Bureau

[[Page 27224]]

believes that encouraging financial institutions that do not already do 
so to post the privacy notice on their Web sites may benefit consumers 
by making the notices more widely available.
    Proposed Sec.  1016.9(c)(2)(ii)(B) would require that the annual 
notice be posted on a page of the Web site that contains only the 
privacy notice because the Bureau believes that were the notice 
included on a page with other content, such as other disclosures or 
promotions for products, that content could detract from the prominence 
of the notice and make it less likely that a customer would actually 
read it. However, information that is not content, such as navigational 
menus to other pages on the Web site, could appear on the same page as 
the privacy notice. The Bureau notes that other pages on the financial 
institution's Web site could link to the page containing the privacy 
notice but the customer would still have to be provided a specific web 
address that takes the customer directly to the page where the privacy 
notice is available to satisfy the requirement to post the notice on 
the financial institution's Web site in proposed Sec.  
1016.9(c)(2)(ii)(B).\62\
---------------------------------------------------------------------------

    \62\ With regard to the proposed requirement that the notice be 
posted in a ``clear and conspicuous'' manner, the Bureau notes that 
existing Sec.  1016.3(b)(2)(iii) gives examples of what clear and 
conspicuous means for a privacy notice posted on a Web site. One 
example provides that a financial institution designs its notice to 
call attention to the nature and significance of the information in 
the notice if it uses text or visual cues to encourage scrolling 
down the page if necessary to view the entire notice and ensures 
that other elements on the Web site (such as text, graphics, 
hyperlinks, or sound) do not distract attention from the notice. 
Section 1016.3(b)(2)(iii)(A) and (B) also provides examples of clear 
and conspicuous placement of the notice within the financial 
institution's Web site but these examples do not seem relevant to 
the posting of the notice for the alternative delivery method 
because consumers will be typing into their web browser the web 
address of the specific page that contains the annual notice, rather 
than navigating to the annual notice from the financial 
institution's home page. To the extent that a financial institution 
is satisfying existing Sec.  1016.9(a) and not the alternative 
delivery method proposed in Sec.  1016.9(c)(2) by posting the 
privacy notice on its Web site, the clear and conspicuous examples 
in Sec.  1016.3(b)(2)(iii)(A) and (B) still apply.
---------------------------------------------------------------------------

    Proposed Sec.  1016.9(c)(2)(ii)(B) would further require that the 
Web page that contains the privacy notice be accessible to the customer 
without requiring the customer to provide any information such as a 
login name or password or agree to any conditions to access the page. 
The Bureau is concerned that if customers were required to register for 
a login name or sign in to the financial institution's Web site simply 
to access the privacy notice, it could discourage some customers from 
accessing and reading the notice. Given that the alternative delivery 
method will require customers to seek out the annual notice in a way 
that they have not previously been required to do, proposed Sec.  
1016.9(c)(2)(ii)(B) intends to make accessing the privacy notice on an 
institution's Web site as simple and straightforward as possible. For 
the reasons described above, the Bureau proposes Sec.  
1016.9(c)(2)(ii)(B).
    The Bureau invites comment regarding the prevalence of financial 
institutions that currently maintain Web sites, whether they currently 
post the Regulation P privacy notice on those Web sites, and if they do 
not currently do these things, how costly it would be to do so. The 
Bureau additionally seeks comment on whether financial institutions 
provide different privacy notices for different groups of customers, 
depending on the type of account the customer has with the financial 
institution, such that posting multiple privacy notices on the 
financial institution's Web site may create confusion as to which is 
the relevant privacy notice for any particular customer. Lastly, the 
Bureau seeks comment on the relative benefit or harm to customers of 
accessing the privacy notice on a financial institution's Web site as 
proposed.
9(c)(2)(ii)(C)
    Proposed Sec.  1016.9(c)(2)(ii)(C) would set forth the third 
component of the alternative delivery method: That the financial 
institution promptly mail its current privacy notice to those customers 
who request it by telephone. The Bureau proposes this requirement to 
assist customers without internet access and customers with internet 
access who would prefer to receive a hard copy of the notice. Proposed 
Sec.  1016.9(c)(2)(ii)(C) would include a requirement that the notice 
be mailed promptly to indicate that a financial institution may not, 
for example, wait to mail the privacy notice until another notice or 
disclosure is sent to the customer, but would instead be required to 
mail the privacy notice shortly after receiving the customer's request 
to do so. The Bureau notes that consistent with privacy notices 
currently provided under Regulation P, financial institutions will not 
charge the customer for delivering the annual notice, given that 
delivery of the annual notice is required by statute and regulation. 
For these reasons, the Bureau proposes Sec.  1016.9(c)(2)(ii)(C). The 
Bureau invites comment on whether prompt mailing of the privacy notice 
upon request is feasible for financial institutions and on the relative 
cost associated with mailing privacy notices on request. The Bureau 
further invites comment on whether requiring prompt mailing is 
sufficient to ensure that customers receive privacy notices in a timely 
manner or whether ``promptly'' should be more specifically defined, 
such as by a certain number of days.
9(c)(2)(iii)
    Proposed Sec.  1016.9(c)(2)(iii) would provide an example of a 
notice of availability that satisfies Sec.  1016.9(c)(2)(ii)(A). The 
Bureau intends this example to provide clear guidance on permissible 
content for the notice of availability to facilitate compliance. The 
content of the example notice of availability in proposed Sec.  
1016.9(c)(2)(iii) draws from language in the existing model privacy 
notice, which was previously subject to consumer testing.\63\ The 
proposed example would include the heading ``Privacy Notice'' in 
boldface on the notice of availability. The proposed example further 
would state that Federal law requires the financial institution to tell 
customers how it collects, shares, and protects their personal 
information; this language mirrors the ``Why'' box on the model privacy 
notices.\64\ The remaining portion of the proposed example would inform 
customers that the financial institution's privacy notice has not 
changed, the address of the Web site at which customers can access the 
privacy notice, and the toll-free phone number to call to request a 
free copy of the notice. Because the Bureau believes that this language 
would provide a compliant and effective notice of availability, the 
Bureau proposes Sec.  1016.9(c)(2)(iii).
---------------------------------------------------------------------------

    \63\ See Appendix to 12 CFR part 1016, at A.
    \64\ Id.
---------------------------------------------------------------------------

    The Bureau notes that the proposed example contains certain 
illustrative elements that would satisfy proposed Sec.  1016.9(c)(2) 
but are not specifically required by the proposed rule text. These 
include entitling the notice of availability ``Privacy Notice,'' 
including a statement that ``Federal law requires the financial 
institution to tell customers how it collects, shares, and protects 
their personal information,'' and stating that getting a copy of the 
notice is ``free'' to the consumer. The Bureau invites comment on 
whether the proposed example notice of availability would be feasible 
for financial institutions to implement, whether the illustrative 
elements not specifically required by the rule should be so required, 
and whether the proposed language would be effective in informing 
customers of the availability of the privacy notice.

[[Page 27225]]

V. Section 1022(b)(2) of the Dodd-Frank Act

A. Overview

    In developing the proposed rule, the Bureau has considered the 
potential benefits, costs, and impacts.\65\ The Bureau requests comment 
on the preliminary analysis presented below as well as the submission 
of additional data that could inform the Bureau's analysis of the 
benefits, costs, and impacts of the rule. The Bureau has consulted and 
coordinated with the SEC, CFTC, FTC, and NAIC, and consulted with or 
offered to consult with, the OCC, Federal Reserve Board, FDIC, NCUA, 
and HUD, including regarding consistency with any prudential, market, 
or systemic objectives administered by such agencies.
---------------------------------------------------------------------------

    \65\ Specifically, section 1022(b)(2)(A) of the Dodd-Frank Act 
calls for the Bureau to consider the potential benefits and costs of 
a regulation to consumers and covered persons, including the 
potential reduction of access by consumers to consumer financial 
products or services; the impact on depository institutions and 
credit unions with $10 billion or less in total assets as described 
in section 1026 of the Dodd-Frank Act; and the impact on consumers 
in rural areas.
---------------------------------------------------------------------------

    The proposal would amend Sec.  1016.9(c) of Regulation P to provide 
an alternative method for delivering annual privacy notices. A 
financial institution would be able to use the alternative delivery 
method if:
    (1) It does not share information with nonaffiliated third parties 
other than for purposes under the exclusions allowed under Regulation 
P;
    (2) It does not include on its annual privacy notice an opt out 
under section 603(d)(2)(A)(iii) of the FCRA;
    (3) The annual privacy notice is not the only method used to 
satisfy the requirements of section 624 of the FCRA and subpart C of 
part 1022, if applicable;
    (4) Certain information it is required to convey on its annual 
privacy notice has not changed since it provided the immediately 
previous privacy notice; and
    (5) It uses the Regulation P model privacy form for its annual 
privacy notice.
    Under the proposed alternative delivery method, the financial 
institution would have to:
    (1) Convey at least annually on another notice or disclosure that 
its privacy notice is available on its Web site and will be mailed upon 
request to a toll-free number. Among other things, the institution 
would have to include a specific web address that takes the customer 
directly to the privacy notice;
    (2) Post its current privacy notice continuously on a page of its 
Web site that contains only the privacy notice, without requiring a 
login or any conditions to access the page; and
    (3) Promptly mail its current privacy notice to customers who 
request it by telephone.

B. Potential Benefits and Costs to Consumers and Covered Persons

    Proposed Sec.  1016.9(c)(2) provides certain benefits to consumers 
relative to the baseline established by the current provisions of 
Regulation P. The proposal provides an incentive for financial 
institutions to adopt the model privacy form and to post it on their 
Web sites; or, if already adopted, to post the model privacy form on 
their Web sites; as long as there are no other reasons that the 
financial institutions would not be able to use the alternative 
delivery method. Recent research establishes that, at least for banks, 
a large number do not post the model privacy form on their Web sites. 
While the Bureau does not know how many of these financial institutions 
would need to make this change in order to use the alternative delivery 
method, at least some additional consumers would learn about the 
information sharing policies of financial institutions through the 
model privacy form as a result of proposed Sec.  1016.9(c)(2).\66\ 
Given the consumer testing that went into the development of the model 
form and the public input that went into its design, the Bureau 
believes that the model form is generally clearer and easier to 
understand than most privacy notices that deviate from the model.\67\ 
Thus, proposed Sec.  1016.9(c)(2) would likely make it easier for some 
consumers to review privacy policies and opt outs and to make 
comparisons across the privacy policies and opt outs of financial 
institutions.
---------------------------------------------------------------------------

    \66\ See L.F. Cranor, K. Idouchi, P.G. Leon, M. Sleeper, B. Ur, 
Are They Actually Any Different? Comparing Thousands of Financial 
Institutions' Privacy Practices. The Twelfth Workshop on the 
Economics of Information Security (WEIS 2013), June 11-12, 2013, 
Washington, DC. They find that only about half of FDIC insured 
depositories (3,422 out of 6,701) post the model privacy form on 
their Web sites.
    \67\ The development and testing of the model privacy notice is 
discussed in L. Garrison, M. Hastak, J.M. Hogarth, S. Kleimann, A.S. 
Levy, Designing Evidence-based Disclosures: A Case Study of 
Financial Privacy Notices. The Journal of Consumer Affairs, Summer 
2012: 204-234. See also the model privacy form final rule, 74 FR 
62890 (December 1, 2009).
---------------------------------------------------------------------------

    Proposed Sec.  1016.9(c)(2) may also benefit certain consumers by 
disclosing that a financial institution's privacy policy has not 
changed and by reducing the number of full, unchanged privacy policies 
certain consumers receive every year. Under the proposal, consumers who 
transact with financial institutions that adopt the alternative 
delivery method would be informed through a notice or disclosure they 
are already receiving that the privacy policy has not changed but is 
available for their review, and these consumers would only receive the 
full privacy policy as a matter of course when it has changed or other 
requirements for use of the alternative delivery method are not met. 
While there is no data available on the number of consumers who are 
indifferent to (or dislike) receiving full, unchanged privacy notices 
every year, the limited use of opt outs and anecdotal evidence suggest 
that there are such consumers.\68\ Some consumers who want to review 
privacy policies may prefer reading the privacy form on a Web site to 
being mailed one, especially since financial institutions using the 
alternative delivery method must limit their information sharing to 
practices that do not give consumers opt-out rights.
---------------------------------------------------------------------------

    \68\ One early analysis of the use of the opt outs reported at 
most 5% of consumers make use of them in any year, and likely fewer. 
See J.M. Lacker, The Economics of Financial Privacy: To Opt Out or 
Opt In? Federal Reserve Bank of Richmond Economic Quarterly, Volume 
88/3, Summer 2002.
---------------------------------------------------------------------------

    The Bureau believes that few consumers would experience any costs 
from proposed Sec.  1016.9(c)(2). There is a risk that some consumers 
may be less informed about a financial institution's information 
sharing practices if the financial institution adopts the proposed 
alternative delivery method. However, proposed Sec.  
1016.9(c)(2)(ii)(A) mitigates this risk by requiring annually a clear 
and conspicuous statement that the privacy notice is available on the 
Web site, and proposed Sec.  1016.9(c)(2)(ii)(B) ensures that the model 
privacy form is posted continuously in a clear and conspicuous manner 
on the Web site. Consumers may print the privacy policy at their own 
expense, while under current Sec.  1016.9(c)(2) the notice is delivered 
to them, which represents a transfer of costs from industry to 
consumers. However, proposed Sec.  1016.9(c)(2)(ii)(A) would provide 
consumers with a toll-free telephone number to request that the privacy 
notice be mailed to the consumer, which gives consumers the option of 
obtaining the notice without incurring the cost of printing it. 
Further, the Bureau believes that a printed form is mostly valuable to 
consumers who would exercise opt-out rights. However, the only opt outs 
that could be available to the consumer under proposed Sec.  
1016.9(c)(2) would be voluntary opt outs, i.e., opt outs from modes of 
sharing information that are covered 
by exceptions, or (at the institution's discretion) an Affiliate 
Marketing opt-out beyond those the institution has previously provided 
elsewhere. Voluntary opt outs do not appear to be common.\69\
---------------------------------------------------------------------------

    \69\ See Cranor et al. (2013). Their findings (Table 2) imply 
that at most 15% of the 3,422 FDIC insured depositories that post 
the model privacy form on their Web sites offer at least one 
voluntary opt out.
---------------------------------------------------------------------------

    Regarding benefits and costs to covered persons, the primary effect 
of the proposal would be burden reduction by lowering the costs to 
industry of providing annual privacy notices. Proposed Sec.  
1016.9(c)(2) would impose no new compliance requirements on any 
financial institution. All methods of compliance under current law 
would remain available to a financial institution if the proposal were 
adopted, and a financial institution that is in compliance with current 
law would not be required to take any different or additional action. 
The Bureau believes that a financial institution would adopt the 
proposed alternative delivery method only if it expected the costs of 
complying with the proposed alternative delivery method would be lower 
than the costs of complying with current Regulation P.
    By definition, the expected cost savings to financial institutions 
from the proposed revisions to Sec.  1016.9(c) is the expected number 
of annual privacy notices that would be provided through the proposed 
alternative delivery method multiplied by the expected reduction in the 
cost per notice from using the alternative delivery method. As 
explained below, many financial institutions would not be able to use 
the proposed alternative delivery method without changing their 
information sharing practices. For example, the Bureau believes that 
few financial institutions would find it in their interest to change 
information sharing practices just to reduce the costs of providing the 
annual privacy notice. Thus, the first step in estimating the expected 
cost savings to financial institutions from proposed Sec.  1016.9(c)(2) 
would be to identify the financial institutions whose current 
information sharing practices would allow them to use the proposed 
alternative method. The Bureau would then need to determine their 
current costs for providing the annual privacy notices and the 
expected costs of providing these notices under proposed Sec.  
1016.9(c)(2).\70\
---------------------------------------------------------------------------

    \70\ The analysis that follows makes certain additional 
assumptions about adjustments that financial institutions are not 
likely to make just to be able to adopt the alternative delivery 
method. For example, small institutions might not find it worthwhile 
to establish Web sites or toll-free numbers given the relatively 
small savings in costs that might result. These assumptions are 
discussed further below.
---------------------------------------------------------------------------

    The Bureau does not have sufficient data to perform every step of 
this analysis, but it performed a number of analyses and outreach 
activities to approximate the expected cost savings. Regarding banks, 
the Bureau examined the privacy policies of the 19 banks with assets 
over $100 billion as well as the privacy policies of 106 additional 
banks selected through random sampling.\71\ The Bureau found that the 
overall average rate at which banks' information sharing practices 
would make them eligible for using the alternative delivery method if 
other conditions were met is 80%. However, only 18% of sampled banks 
with assets over $10 billion could clearly use the proposed alternative 
delivery method, while 81% of sampled banks with assets of $10 billion 
or less and 88% of sampled banks with assets of $500 million or less 
could clearly use the proposed alternative delivery method. These 
results indicate that a large majority of smaller banks would likely be 
able to use the proposed alternative delivery method but most of the 
largest banks would not.\72\
---------------------------------------------------------------------------

    \71\ The Bureau defined five strata for banks under $100 billion 
and three strata for credit unions under $10 billion and drew random 
samples from each of the strata. We obtained privacy policies from 
the Web sites of financial institutions.
    \72\ As discussed in the Section-by-Section Analysis, a banking 
trade association commenting on the Streamlining RFI estimated that 
75% of banks do not change their notices from year to year and do 
not share information in a way that gives rise to customer opt-out 
rights. The Bureau's estimate is consistent with this comment.
---------------------------------------------------------------------------

    One caveat regarding these estimates and the ones that follow 
concerns the use of consolidated privacy notices by entities regulated 
by different agencies. Entities that could comply with Regulation P by 
adopting the alternative delivery method are not likely to do so unless 
they have large numbers of readily identified customers with whom 
compliance with GLBA does not further require compliance with the GLBA 
regulations of other agencies. While the Bureau does not have data on 
the frequency with which entities that use consolidated privacy notices 
also meet these additional conditions, the Bureau believes that many 
entities that use consolidated privacy notices are larger financial 
institutions with information sharing practices that would not allow 
them to use the alternative delivery method for compliance with 
Regulation P. The Bureau's estimates regarding the adoption of the 
alternative delivery method are accurate, notwithstanding the use of 
consolidated privacy notices, if the use of consolidated privacy 
notices is highly correlated with information sharing practices that 
alone would prevent the adoption of the alternative delivery mechanism. 
The Bureau requests data and other factual information regarding this 
correlation and more generally regarding the extent to which the use of 
consolidated privacy notices may prevent the adoption of the 
alternative delivery method.
    The Bureau also examined the privacy policies of the four credit 
unions with assets over $10 billion as well as the privacy policies of 
50 additional credit unions selected through random sampling. The 
Bureau found that two of the four credit unions with assets over $10 
billion could clearly use the proposed alternative delivery method 
without changing their information sharing policies. Further, 62% of 
sampled credit unions with assets over $500 million could clearly use 
the alternative delivery method. However, the Bureau also found that 
only 13 of the 25 sampled credit unions with assets of $500 million or 
less either posted the model privacy form on their Web sites or 
provided enough information about their sharing practices to permit a 
clear determination regarding whether the alternative delivery method 
would be available to them (2 of the 25 did not have Web sites). The 
Bureau found that 11 of the 13 (85%) for which a determination could be 
made would be able to use the proposed alternative delivery method, and 
the Bureau believes that a significant majority of the sample of 25 
would be able to use the proposed alternative delivery method (perhaps 
after adopting the model form). For purposes of this analysis, the 
Bureau conservatively assumes that 11 of the 25 sampled credit unions 
with assets of $500 million or less would be able to use the proposed 
alternative delivery method and requests comment on how to improve this 
estimate.
    Regarding non-depository financial institutions, the Bureau 
believes based on initial outreach that a majority are likely to be 
able to use the alternative delivery method. For instance, the 
prohibition on disclosing information to third parties in the Fair Debt 
Collection Practices Act (FDCPA) leads the Bureau to believe that 
financial institutions subject to those limits likely would be able to 
use the alternative delivery method when GLBA notice requirements 
apply.\73\ The Bureau will continue to refine its knowledge of the 
information sharing practices 
of non-depository financial institutions and the extent to which they 
may be able to use the proposed alternative delivery method. The Bureau 
requests comment and the submission of information relevant to this 
issue.
---------------------------------------------------------------------------

    \73\ FDCPA section 805(b) prohibits communication with third 
parties in connection with the collection of a debt.
---------------------------------------------------------------------------

    Although these initial estimates provide some insight into the 
numbers of banks and credit unions that could use the alternative 
delivery method, the Bureau does not have precise data on the number of 
annual privacy notices these institutions currently provide. Thus, it 
is not possible to directly compute the total number of annual privacy 
notices that would no longer be sent. The Bureau does, however, have 
information on the burden of providing the annual privacy notices from 
the Paperwork Reduction Act Supporting Statements for Regulation P that 
are on file with the Office of Management and Budget. This information 
can be used to obtain an initial estimate of the ongoing savings from 
the alternative delivery method.\74\
---------------------------------------------------------------------------

    \74\ It is worth noting at the outset that, with this 
methodology, the total cost of providing the annual privacy notice 
is approximately $28.5 million per year.
---------------------------------------------------------------------------

    In estimating this savings for banks and credit unions, the 
analysis above establishes that it is essential to take into account 
the variation by the size of banks and credit unions in the likelihood 
they could use the alternative delivery method. To ensure that these 
differences inform the estimates, the Bureau allocated the total burden 
of providing the annual privacy notices to asset classes in proportion 
to the share of assets in the class. The Bureau then estimated an 
amount of burden reduction specific to each asset class using the 
results from the sampling described above. The total burden reduction 
is then the sum of the burden reductions in each asset class. For banks 
and credit unions combined, the estimated reduction in burden using 
this methodology is approximately $6 million annually. Regarding non-
depositories, the Bureau believes that a large fraction of non-
depositories of all sizes would be able to use the alternative delivery 
method and used the overall average rate at which banks could utilize 
the alternative delivery method. The estimated reduction in burden is 
approximately $10 million annually.\75\ Thus, the Bureau believes that 
the total reduction in burden is approximately $16 million 
annually. This represents about 56% of the total $28.5 million annual 
cost of providing the annual privacy notice and opt-out notices under 
Regulation P.\76\ The Bureau requests comment on this preliminary 
analysis as well as the submission of additional data that could inform 
the Bureau's consideration of the cost savings to financial 
institutions.
---------------------------------------------------------------------------

    \75\ Note that this figure excludes auto dealers. Auto dealers 
are regulated by the FTC and would not be directly impacted by this 
amendment to Regulation P.
    \76\ The total reduction is approximately $17 million annually 
if 85% of credit unions with assets of $500 million or less use the 
proposed alternative delivery method. This represents about 60% of 
the total annual cost of providing these notices.
---------------------------------------------------------------------------

    The Bureau notes that these estimates of ongoing savings are gross 
figures and do not take into account any ongoing costs associated with 
the alternative delivery method. The Bureau believes that such ongoing 
costs would be minimal. They would consist of additional text on a 
notice or disclosure the institution already provides, additional phone 
calls from consumers requesting that the model form be mailed, and the 
costs of mailing the forms prompted by these calls. The Bureau 
currently believes that few consumers will request that the form be 
mailed in order to read it or to exercise any voluntary opt-out right. 
There would be minimal ongoing costs associated with the alternative 
delivery method from maintaining a Web page if a financial institution 
already has a Web site and none whatsoever if the financial institution 
already has a Web page dedicated to the annual privacy policy. The 
Bureau's research indicates that all but the smallest banks and credit 
unions have Web sites and the estimates of cost savings assume that 
they would not adopt the alternative delivery method. The Bureau is not 
aware of information regarding the use of Web sites by non-depository 
financial institutions and welcomes information relevant to 
understanding the costs to these institutions of adopting the 
alternative delivery method.
    In developing the proposed rule, the Bureau considered alternatives 
to the requirements it is proposing. As discussed at length above, the 
Bureau believes that the alternative delivery method might not 
adequately alert customers to their ability to opt out of certain types 
of information sharing were it available where a financial institution 
shares beyond the exceptions in Sec. Sec.  1016.13, 1016.14, and 
1016.15. Thus, the Bureau considered but is not proposing an option in 
which the alternative delivery method could be used where a financial 
institution shares beyond one or more of these exceptions. For the same 
reason, the Bureau considered but is not proposing an option in which 
the alternative delivery method could be used where a financial 
institution shares information in a way that triggers information 
sharing opt-out rights under section 603(d)(2)(A)(iii) of the FCRA. On 
the other hand, the Bureau considered but is not proposing an option in 
which the alternative delivery method could never be used where a 
financial institution provides an opt-out right under the Affiliate 
Marketing Rule. A financial institution may use the alternative 
delivery method if it fulfills its opt-out obligations under the 
Affiliate Marketing Rule separately from the annual privacy notice. 
This case is distinguishable from the other two in that the customer is 
not dependent on the alternative delivery method to be made aware of 
the opt-out right under the Affiliate Marketing Rule.
    The Bureau also considered alternatives to the requirements 
regarding the types of information that cannot have changed since the 
previous annual notice to be able to use the alternative delivery 
method. The Bureau discussed these alternatives at length above and 
incorporates that discussion here.

C. Potential Specific Impacts of the Rule

    The Bureau currently understands that 81% of banks with $10 billion 
or less in assets would be able to utilize the alternative delivery 
method, with a greater opportunity for utilization among the smaller 
banks. Thus, the proposed rule may have differential impacts on insured 
depository institutions with $10 billion or less in assets as described 
in section 1026 of the Dodd-Frank Act. The Bureau also currently 
understands that at least 45% of credit unions with $10 billion or less 
in assets, and perhaps substantially more, would be able to utilize the 
alternative delivery method, with a greater opportunity for utilization 
among banks in the middle of this group. The uncertainty reflects the 
relatively large number of very small credit unions that do not post 
the model form on their Web sites and which therefore could not clearly 
use the alternative delivery method.
    The Bureau does not believe that the proposed rule would reduce 
consumers' access to consumer financial products or services or have a 
unique impact on rural consumers.

VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires each 
agency to consider the potential impact of its regulations on small 
entities, including small businesses, small governmental units, and 
small not-for-profit organizations. The RFA generally requires an 
agency to conduct an initial regulatory flexibility analysis (IRFA) and 
a final regulatory flexibility analysis (FRFA) of any rule subject to 
notice-and-comment rulemaking requirements, unless the agency certifies 
that the rule will not have a significant economic impact on a 
substantial number of small entities.\77\ The Bureau also is subject to 
certain additional procedures under the RFA involving the convening of 
a panel to consult with small business representatives prior to 
proposing a rule for which an IRFA is required.\78\
---------------------------------------------------------------------------

    \77\ 5 U.S.C. 603-605.
    \78\ 5 U.S.C. 609.
---------------------------------------------------------------------------

    An IRFA is not required here because the proposal, if adopted, 
would not have a significant economic impact on a substantial number of 
small entities. The Bureau does not expect the proposal to impose costs 
on small entities. All methods of compliance under current law will 
remain available to small entities if the proposal is adopted. Thus, a 
small entity that is in compliance with current law need not take any 
different or additional action if the proposal is adopted. In addition, 
as discussed above, the Bureau believes that the proposed alternative 
method would allow many institutions to reduce their costs, and that 
small financial institutions may be more likely to qualify for using 
the alternative delivery method than large institutions based on the 
complexity of large institutions' information sharing practices.
    Accordingly, the undersigned certifies that this proposal, if 
adopted, would not have a significant economic impact on a substantial 
number of small entities.

VII. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA),\79\ Federal 
agencies are generally required to seek Office of Management and Budget 
(OMB) approval for information collection requirements prior to 
implementation. This proposal would amend Regulation P, 12 CFR part 
1016. The collections of information related to Regulation P have been 
previously reviewed and approved by OMB in accordance with the PRA and 
assigned OMB Control Number 3170-0010. Under the PRA, the Bureau may 
not conduct or sponsor, and, notwithstanding any other provision of 
law, a person is not required to respond to an information collection, 
unless the information collection displays a valid control number 
assigned by OMB.
---------------------------------------------------------------------------

    \79\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    As explained below, the Bureau has determined that this proposed 
rule does not contain any new or substantively revised information 
collection requirements other than those previously approved by OMB. 
Under this proposal, a financial institution will be permitted, but not 
required, to use an alternative delivery method for the annual privacy 
notice if:
    (1) It does not share information with nonaffiliated third parties 
other than for purposes covered by the exclusions allowed under 
Regulation P;
    (2) It does not include on its annual privacy notice an opt out 
under section 603(d)(2)(A)(iii) of the FCRA;
    (3) The annual privacy notice is not the only method used to 
satisfy the requirements of section 624 of the FCRA and subpart C of 
part 1022, if applicable;
    (4) Certain information it is required to convey on its annual 
privacy notice has not changed since it provided the immediately 
previous privacy notice; and
    (5) It uses the Regulation P model privacy form for its annual 
privacy notice.
    Under the proposed alternative delivery method, the financial 
institution would have to:
    (1) Convey at least annually on another notice or disclosure that 
its privacy notice is available on its Web site and will be mailed upon 
request to a toll-free number. Among other things, the institution 
would have to include a specific web address that takes the customer 
directly to the privacy notice;
    (2) Post its current privacy notice continuously on a page of its 
Web site that contains only the privacy notice, without requiring a 
login or any conditions to access the page; and
    (3) Promptly mail its current privacy notice to customers who 
request it by telephone.
    Under Regulation P, the Bureau generally accounts for the paperwork 
burden for the following respondents pursuant to its enforcement/
supervisory authority: Insured depository institutions with more than 
$10 billion in total assets, their depository institution affiliates, 
and certain non-depository institutions. The Bureau and the FTC 
generally both have enforcement authority over non-depository 
institutions subject to Regulation P. Accordingly, the Bureau has 
allocated to itself half of the final rule's estimated burden to non-
depository institutions subject to Regulation P. Other Federal 
agencies, including the FTC, are responsible for estimating and 
reporting to OMB the paperwork burden for the institutions for which 
they have enforcement and/or supervision authority. They may use the 
Bureau's burden estimation methodology, but need not do so.
    The Bureau does not believe that this proposed rule would impose 
any new or substantively revised collections of information as defined 
by the PRA, and instead believes that it would have the overall effect 
of reducing the previously approved estimated burden on industry for 
the information collections associated with the Regulation P annual 
privacy notice. Using the Bureau's burden estimation methodology, the 
reduction in the estimated ongoing burden would be approximately 
567,000 hours annually for the roughly 13,500 banks and credit unions 
subject to the proposed rule, including Bureau respondents, and the 
roughly 29,400 entities regulated by the Federal Trade Commission also 
subject to the proposed rule. The reduction in estimated ongoing costs 
from the reduction in ongoing burden would be approximately $16 million 
annually.
    The Bureau believes that the one-time cost of adopting the 
alternative delivery method for financial institutions that would adopt 
it is de minimis. Financial institutions that already use the model 
form and would adopt the alternative delivery method would incur minor 
one-time legal, programming and training costs. These institutions 
would have to communicate on a notice or disclosure they are already 
issuing under any other provision of law that the privacy notice is 
available. The expense of adding this notice would be minor. Staff may 
need some additional training in storing copies of the model form and 
sending it to customers on request. Institutions that do not use the 
model form would incur a one-time cost for creating one. However, since 
the promulgation of the model privacy form in 2009, an Online Form 
Builder has existed which any institution can use to readily create a 
unique, customized privacy notice using the model form template.\80\ 
The Bureau assumes that financial institutions that do not currently 
have Web sites or provide a toll-free number to their customers would 
not choose to comply with these requirements in order to use the 
alternative delivery method.
---------------------------------------------------------------------------

    \80\ This Online Form Builder is available at https://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.
---------------------------------------------------------------------------

    The Bureau's methodology for estimating the reduction in ongoing 
burden was discussed at length above. The Bureau defined five strata 
for banks under $100 billion and three strata for credit unions under 
$10 billion, drew random samples from each of the strata (separately 
for banks and credit 
unions) and examined the GLBA privacy notices available on the 
financial institutions' Web sites, if any. The Bureau separately 
examined the Web sites of all banks over $100 billion (one additional 
bank stratum) and all credit unions over $10 billion (one additional 
credit union stratum). This process provided an estimate of the 
fraction of institutions within each bank or credit union stratum which 
would likely be able to use the alternative delivery method. In order 
to compute the reduction in ongoing burden (by stratum and overall) for 
these financial institutions, the Bureau apportioned the existing 
ongoing burden to each stratum according to the share of overall assets 
held by the financial institutions within the stratum. This was done 
separately for banks and credit unions. Note that this procedure 
ensures that the largest financial institutions, while few in number, 
are apportioned most of the existing burden. The Bureau then multiplied 
the estimate of the fraction of institutions within each stratum that 
would likely be able to use the alternative delivery method by the 
estimate of the existing ongoing burden within each stratum, separately 
for banks and credit unions. As discussed above, the largest bank and 
credit union strata tended to have the lowest share of financial 
institutions that could use the alternative delivery method.
    For the non-depository institutions subject to the FTC's 
enforcement authority that are subject to the Bureau's Regulation P, 
the Bureau estimated the reduction in ongoing burden by applying the 
overall share of banks that would likely be able to use the alternative 
delivery method (80%) to the current ongoing burden on non-depository 
financial institutions (exclusive of auto dealers) from providing the 
annual privacy notices and opt outs.
    The Bureau takes all of the reduction in ongoing burden from banks 
and credit unions with assets $10 billion and above and half the 
reduction in ongoing burden from the non-depository institutions 
subject to the FTC enforcement authority that are subject to the 
Bureau's Regulation P. The total reduction in ongoing burden taken by 
the Bureau is 256,000 hours or $6.2 million annually.
    The Bureau has determined that the proposed rule does not contain 
any new or substantively revised information collection requirements as 
defined by the PRA and that the burden estimate for the previously-
approved information collections should be revised as explained above. 
The Bureau welcomes comments on these determinations or any other 
aspect of the proposal for purposes of the PRA. Comments should be 
submitted as outlined in the ADDRESSES section above. All comments will 
become a matter of public record.

List of Subjects in 12 CFR Part 1016

    Banks, banking, Consumer protection, Credit, Credit unions, Foreign 
banking, Holding companies, National banks, Privacy, Reporting and 
recordkeeping requirements, Savings associations, Trade practices.

Authority and Issuance

    For the reasons set forth in the preamble, the Bureau proposes to 
amend Regulation P, 12 CFR part 1016, as set forth below:

PART 1016--PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)

■ 1. The authority citation for part 1016 continues to read as follows:

    Authority:  12 U.S.C. 5512, 5581; 15 U.S.C. 6804.

Subpart A--Privacy and Opt-Out Notices

■ 2. Section 1016.9(c) is revised to read as follows:


Sec.  1016.9  Delivering privacy and opt out notices.

* * * * *
    (c) Annual notices only. (1) Reasonable expectation. You may 
reasonably expect that a customer will receive actual notice of your 
annual privacy notice if:
    (i) The customer uses your Web site to access financial products 
and services electronically and agrees to receive notices at the Web 
site, and you post your current privacy notice continuously in a clear 
and conspicuous manner on the Web site; or
    (ii) The customer has requested that you refrain from sending any 
information regarding the customer relationship, and your current 
privacy notice remains available to the customer upon request.
    (2) Alternative method for providing certain annual notices. (i) 
Notwithstanding paragraph (a) of this section, you may use the 
alternative method described in paragraph (c)(2)(ii) of this section to 
satisfy the requirement in Sec.  1016.5(a)(1) to provide a notice if:
    (A) You do not share information with nonaffiliated third parties 
other than for purposes under Sec. Sec.  1016.13, 1016.14, and 1016.15;
    (B) You do not include on your annual privacy notice pursuant to 
Sec.  1016.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the 
Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii));
    (C) The annual privacy notice is not the only notice provided to 
satisfy the requirements of section 624 of the Fair Credit Reporting 
Act (15 U.S.C. 1681s-3) and subpart C of part 1022 of this chapter, if 
applicable;
    (D) The information you are required to convey on your annual 
privacy notice pursuant to Sec.  1016.6(a)(1) through (5), (8), and (9) 
has not changed since you provided the immediately previous privacy 
notice, initial or annual, to the customer; and
    (E) You use the model privacy form in the appendix to this part for 
your annual privacy notice.
    (ii) For an annual privacy notice that meets the requirements in 
paragraph (c)(2)(i) of this section, you satisfy the requirement in 
Sec.  1016.5(a)(1) to provide a notice if you:
    (A) Convey in a clear and conspicuous manner not less than annually 
on a notice or disclosure you are required or expressly and 
specifically permitted to issue under any other provision of law that 
your privacy notice is available on your Web site and will be mailed to 
the customer upon request by telephone to a toll-free number. The 
statement must state that your privacy notice has not changed and must 
include a specific Web address that takes the customer directly to the 
page where the privacy notice is posted and a toll-free telephone 
number for the customer to request that it be mailed;
    (B) Post your current privacy notice continuously in a clear and 
conspicuous manner on a page of your Web site that contains only the 
privacy notice, without requiring the customer to provide any 
information such as a login name or password or agree to any conditions 
to access the page; and
    (C) Mail promptly your current privacy notice to those customers 
who request it by telephone.
    (iii) An example of a statement that satisfies paragraph 
(c)(2)(ii)(A) of this section is: Privacy Notice [in boldface]--Federal 
law requires us to tell you how we collect, share, and protect your 
personal information. Our privacy policy has not changed and you may 
review our policy and practices with respect to your personal 
information at [Web address] or we will mail you a free copy upon 
request if you call us toll-free at [toll-free telephone number].
* * * * *


    Dated: May 6, 2014.
Richard Cordray,
Director, Bureau of Consumer Financial Protection.
[FR Doc. 2014-10713 Filed 5-12-14; 8:45 am]
BILLING CODE 4810-AM-P