Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P), 64057-64082 [2014-25299]

Rules and Regulations
Federal Register Vol. 79, No. 208 Tuesday, October 28, 2014
This section of the FEDERAL REGISTER contains regulatory documents having general applicability and legal effect, most of which are keyed to and codified in the Code of Federal Regulations, which is published under 50 titles pursuant to 44 U.S.C. 1510. The Code of Federal Regulations is sold by the Superintendent of Documents. Prices of new books are listed in the first FEDERAL REGISTER issue of each week.
BUREAU OF CONSUMER FINANCIAL PROTECTION
12 CFR Part 1016
[Docket No. CFPB–2014–0010]
RIN 3170–AA39
Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P)
AGENCY: Bureau of Consumer Financial Protection.
ACTION: Final rule.
SUMMARY: The Bureau of Consumer Financial Protection (Bureau) is amending Regulation P, which requires, among other things, that financial institutions provide an annual disclosure of their privacy policies to their customers. The amendment creates an alternative delivery method for this annual disclosure, which financial institutions will be able to use under certain circumstances.
DATES: This final rule is effective on October 28, 2014.
FOR FURTHER INFORMATION CONTACT: Nora Rigby and Joseph Devlin, Counsels; Office of Regulations, at (202) 435–7700.
SUPPLEMENTARY INFORMATION:
I. Summary of the Rule
The Gramm-Leach-Bliley Act (GLBA) 1 and Regulation P mandate that financial institutions provide their customers with initial and annual notices regarding their privacy policies. If financial institutions share certain customer information with particular types of third parties, the institutions are also required to provide notice to their customers and an opportunity to opt out of the sharing. The Fair Credit Reporting Act (FCRA) requires similar notices of opt-out rights. Many financial institutions currently mail printed copies of annual GLBA privacy notices to their customers, including notices of GLBA and/or FCRA opt-out rights, where applicable, but some of these institutions have expressed concern that this practice causes information overload for consumers and unnecessary expense.
In response to such concerns, the Bureau proposed and now finalizes this rule to allow financial institutions to use an alternative delivery method to provide annual privacy notices through posting the annual notices on their Web sites if they meet certain conditions. Specifically, financial institutions may use the alternative delivery method for annual privacy notices if: (1) No opt-out rights are triggered by the financial institution’s information sharing practices under GLBA or FCRA section 603, and opt-out notices required by FCRA section 624 have previously been provided, if applicable, or the annual privacy notice is not the only notice provided to satisfy those requirements; (2) the information included in the privacy notice has not changed since the customer received the previous notice; and (3) the financial institution uses the model form provided in Regulation P as its annual privacy notice.
To use the alternative method, the financial institution must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its Web site, without requiring a login or similar steps or agreement to any conditions to access the notice. In addition, to assist customers with limited or no access to the Internet, the institution must mail annual notices to customers who request them by telephone, within ten days of the request.
1 15 U.S.C. 6801 et seq.
To make customers aware that its annual privacy notice is available through these means, the institution must insert a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law. The statement must inform customers that the annual privacy notice is available on the financial institution’s Web site, the institution will mail the notice to customers who request it by calling a specific telephone number, and the notice has not changed.
A financial institution is still required to use one of the permissible delivery methods that predate this rule change (referred to as the standard delivery methods) if the institution, among other things, has changed its privacy practices or engages in information-sharing activities for which customers have a right to opt out.
II. Background
A. The Statute and Regulation
The GLBA was enacted into law in 1999.2 The statute, among other things, is intended to provide a comprehensive framework for regulating the privacy practices of an extremely broad range of entities. “Financial institutions” for purposes of the GLBA include not only depository institutions and nondepository institutions providing consumer financial products or services (such as payday lenders, mortgage brokers, check cashers, debt collectors, and remittance transfer providers), but also many businesses that do not offer or provide consumer financial products or services. Rulemaking authority to implement the GLBA privacy provisions was initially spread among many agencies.
The Federal Reserve Board (Board), the Office of Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS) jointly adopted final rules in 2000 to implement the notice requirements of the GLBA.3 The National Credit Union Administration (NCUA), Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and Commodity Futures Trading Commission (CFTC) were part of the same interagency process, but each of these agencies issued separate rules.4 In 2009, all of the agencies with the authority to issue rules to implement the GLBA privacy provisions issued a joint final rule with a model form that financial institutions could use, at their option, to provide the required initial and annual privacy disclosures.5
In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) 6 transferred GLBA privacy notice rulemaking authority from the Board, NCUA, OCC, OTS, the FDIC, and the FTC (in part) to the Bureau.7 The Bureau then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011.8 The Bureau has the authority to promulgate GLBA privacy rules for depository institutions and many nondepository institutions.
2 Public Law 106–102, 113 Stat. 1338 (1999).
3 65 FR 35162 (June 1, 2000).
4 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 40334 (June 29, 2000) (SEC final rule); 66 FR 21252 (Apr. 27, 2001) (CFTC final rule).
5 74 FR 62890 (Dec. 1, 2009).
However, rulewriting authority with regard to securities and futures-related companies is vested in the SEC and CFTC, respectively, and rulewriting authority with respect to certain motor vehicle dealers is vested in the FTC.9 The Bureau has consulted and coordinated with these agencies and with the National Association of Insurance Commissioners (NAIC) concerning the alternative delivery method.10 The Bureau has also consulted with other appropriate federal agencies, as required under Section 1022 of the Dodd-Frank Act.
1. Annual Privacy Notices
The GLBA and its implementing regulation, Regulation P,11 require that financial institutions 12 provide consumers with certain notices describing their privacy policies. Financial institutions are generally required to first provide an initial notice of these policies, and then an annual notice to customers every year that the relationship continues.13 (When a financial institution has a continuing relationship with the consumer, an annual privacy notice is required and the consumer is then referred to as a “customer.”) 14 These notices describe whether and how the financial institution shares consumers’ nonpublic personal information,15 including personally identifiable financial information, with other entities. In some cases, these notices also explain how consumers can opt out of certain types of sharing. The notices further briefly describe how financial institutions protect the nonpublic personal information they collect and maintain. Financial institutions typically use U.S. postal mail to send initial and annual privacy notices to consumers.
Section 502 of the GLBA and Regulation P at § 1016.6(a)(6) also require that initial and annual notices inform customers of their right to opt out of certain financial institution sharing of nonpublic personal information with some types of nonaffiliated third parties. For example, customers have the right to opt out of a financial institution selling the names and addresses of its mortgage customers to an unaffiliated home insurance company and, therefore, the institution would have to provide an opt-out notice before it sells the information.
6 Public Law 111–203, 124 Stat. 1376 (2010).
7 Public Law 111–203, section 1093. The FTC retained rulewriting authority over any financial institution that is a person described in 12 U.S.C. 5519 (i.e., motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).
8 76 FR 79025 (Dec. 21, 2011).
9 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b).
10 In regard to any Regulation P rulemaking, section 504 of GLBA provides that each of the agencies authorized to prescribe GLBA regulations (currently the Bureau, FTC, SEC, and CFTC) “shall consult and coordinate with the other such agencies and, as appropriate, . . . with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, for the purpose of assuring, to the extent possible, that the regulations prescribed by each such agency are consistent and comparable with the regulations prescribed by the other such agencies.” 15 U.S.C. 6804(a)(2).
11 12 CFR part 1016.
12 Regulation P defines “financial institution.” See 12 CFR 1016.3(l).
13 12 CFR 1016.4, 1016.5(a)(1).
14 12 CFR 1016.3(i).
On the other hand, financial institutions are not required to allow consumers to opt out of the institutions’ sharing involving third-party service providers, joint marketing arrangements, maintaining and servicing accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other activities that are specified in the statute and regulation as exceptions to the opt-out requirement.16 If a financial institution limits its types of sharing to those which do not trigger opt-out rights, it may provide a “simplified” annual privacy notice to its customers that does not include opt-out information.17
In addition to opt-out rights under the GLBA, annual privacy notices also may include information about certain consumer opt-out rights under the FCRA. The annual privacy disclosures under the GLBA/Regulation P and affiliate disclosures under the FCRA/Regulation V interact in two ways. First, the FCRA imposes requirements on financial institutions providing “consumer reports” to others, but section 603(d)(2)(A)(iii) of the FCRA excludes from the statute’s definition of a consumer report 18 the sharing of certain information about a consumer among the institution’s affiliates if the consumer is notified of such sharing and is given an opportunity to opt out.19 Section 503(c)(4) of the GLBA and Regulation P require financial institutions providing their customers with initial and annual privacy notices to incorporate into them any notification and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA.20
Second, section 624 of the FCRA and Regulation V’s Affiliate Marketing Rule provide that an affiliate of a financial institution that receives certain information (e.g., transaction history) 21 from the institution about a consumer may not use the information to make solicitations for marketing purposes unless the consumer is notified of such use and provided with an opportunity to opt out of that use.22 Regulation V also permits (but does not require) financial institutions providing their customers with initial and annual privacy notices under Regulation P to incorporate any opt-out disclosures provided under section 624 of the FCRA and subpart C of Regulation V into those notices.23
2. Method of Delivering Annual Privacy Notices
Section 503 of the GLBA sets forth the requirement that financial institutions provide initial and annual privacy disclosures to consumers. Specifically, it states that “a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, of such financial institution’s policies and practices with respect to” disclosing and protecting consumers’ nonpublic personal information.24 Although financial institutions provide most annual privacy notices by U.S. postal mail, Regulation P allows financial institutions to provide notices electronically (e.g., by email) to customers with their consent.25
B. CFPB Streamlining Initiative
In pursuit of the Bureau’s goal of reducing unnecessary or unduly burdensome regulations, the Bureau in December 2011 issued a Request for Information seeking specific suggestions from the public for streamlining regulations the Bureau had inherited from other Federal agencies (Streamlining RFI). In that RFI, the Bureau specifically identified the annual privacy notice as a potential opportunity for streamlining and solicited comment on possible alternatives to delivering the annual privacy notice.26
Numerous industry commenters strongly advocated eliminating or limiting the annual notice requirement. They stated that most customers ignore annual privacy notices. Even if customers do read them, according to industry stakeholders, the content of these disclosures provides little benefit, especially if customers have no right to opt out of information sharing because the financial institution does not share nonpublic personal information in a way that triggers such rights. Financial institutions argued that mailing these notices imposes significant costs and that there are other ways of conveying to customers the information in the written notices just as effectively but at a lower cost. Several industry commenters suggested that if an institution’s privacy notice has not changed, the institution should be allowed to communicate on the consumer’s periodic statement, via email, or by some other cost-effective means that the annual privacy notice is available on its Web site or upon request, by telephone.27
A banking industry trade association and other industry commenters suggested that the Bureau eliminate or ease the annual notice requirement for financial institutions if their privacy policies have not changed and they do not share nonpublic personal information beyond the exceptions allowed by the GLBA (e.g., the exception that allows sharing nonpublic personal information with the servicer of an account). They argued that the GLBA exceptions were crafted to allow what Congress viewed as nonproblematic sharing and, therefore, the law does not require financial institutions to permit consumers to opt out of such sharing. The need for an annual notice is thus less evident if a financial institution only shares nonpublic personal information pursuant to one of these exceptions. The trade association estimated that 75% of banks do not share beyond these exceptions and do not change their notices from year to year.
Consumer advocacy groups generally stated that customers benefit from financial institutions providing them with printed annual privacy notices, which may remind customers of privacy rights that they may not have exercised previously. Consumer representatives argued that these notices make customers aware of their privacy rights in regard to financial institutions, even if customers have no opt-out rights. One compliance company commenter agreed with the consumer groups’ view of the importance of the notices. One advocacy group suggested that a narrow easing of annual notice requirements where a financial institution shares information only with affiliates might not be objectionable, although it did not support changing the current requirements. The Bureau did not receive any comment on the annual privacy notice change from privacy advocacy groups.
C. Understanding the Effects of Certain Deposit Regulations—Study
In November 2013, the Bureau published a study assessing the effects of certain deposit regulations on financial institutions’ operations.28 This study provided operational insights from seven banks about their annual privacy notices.29 Many of these banks use third-party vendors, who design or distribute the notices on the banks’ behalf. All seven participants provided the annual notice as a separate mailing, which resulted in higher costs for postage, materials, and labor than if the notice were mailed with other material.
15 Regulation P defines “nonpublic personal information.” See 12 CFR 1016.3(p).
16 15 U.S.C. 6802(b)(2), (e); 12 CFR 1016.13, 1016.14, 1016.15.
17 Section 1016.6(c)(5) allows financial institutions to provide “simplified notices” if they do not disclose, and do not wish to reserve the right to disclose, nonpublic personal information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under §§ 1016.14 and 1016.15. The exceptions at §§ 1016.14 and 1016.15 track statutory exemptions and cover a variety of situations, such as maintaining and servicing the customer’s account, securitization and secondary market sale, and fraud prevention. They directly exempt institutions from the opt-out requirements. The exception that includes service providers and joint marketing arrangements, at § 1016.13, is also statutory, but financial institutions that share according to this exception may not use the simplified notice, even though consumers cannot opt out of this sharing.
18 The FCRA defines “consumer report” generally as “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for: (A) Credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 1681b of this title.” 15 U.S.C. 1681a.
19 15 U.S.C. 1681a(d)(2)(A)(iii).
20 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).
21 The type of information to which section 624 applies is information that would be a consumer report, but for the exclusions provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA (i.e., a report solely containing information about transactions or experiences between the consumer and the institution making the report, communication of that information among persons related by common ownership or affiliated by corporate control, or communication of other information as discussed above).
22 15 U.S.C. 1681s–3 and 12 CFR part 1022, subpart C.
23 12 CFR 1022.23(b).
24 15 U.S.C. 6803(a) (emphasis added).
25 12 CFR 1016.9(a) states that a financial institution may deliver the notice electronically if the consumer agrees. After discussions with industry stakeholders, however, the Bureau believes that most consumers do not receive electronic disclosures.
26 76 FR 75825, 75828 (Dec. 5, 2011).
27 On a related issue, industry commenters stated that the annual notice causes confusion and unnecessary opt-out requests from customers who do not recall that they have already opted out in a previous year. As stated in the Supplementary Information to the Final Model Privacy Form Under the Gramm-Leach-Bliley Act, a financial institution is free to provide additional information in other, supplemental materials to customers if it wishes to do so. See 74 FR at 62908. For example, a financial institution that uses the model form could include supplemental materials outside the model form advising those customers who previously opted out that they do not need to opt out again if the institution has not changed its notice to include new opt-out options. See 74 FR at 62905. In the proposed rule, the Bureau requested comment on whether financial institutions would want to include on the privacy notice itself a statement describing the customer’s opt-out status. The response to this request was overwhelmingly negative, with industry commenters stating that indicating opt-out status on the annual notice would add significant costs because the financial institution would have to track customers’ status and send specific, different forms.
Some financial institutions apparently send separate mailings to ensure that their disclosures are “clear and conspicuous,” 30 although 2009 guidance from the eight agencies promulgating the model privacy form explained that a separate mailing is not required.31 This separate mailing practice contrasts with the usual financial institution preference (particularly for smaller study participants) to bundle mailings with monthly statements. Indeed, subsequent Bureau outreach suggests that many financial institutions do mail the annual privacy notice with other materials. Finally, while the study participants echoed the sentiment that few customers read privacy notices, participant banks with call centers also reported that after they send annual notices, the number of customers who call about the banks’ privacy policies increases.
D. Further Outreach
In addition to the consultations with other government agencies discussed above, while preparing the proposed rule the Bureau conducted further outreach to industry and consumer advocate stakeholders. The Bureau held meetings with consumer groups, including groups and individuals with a specific interest in privacy issues. The Bureau also held meetings with industry groups that represent institutions that must comply with the annual privacy notice requirement, including banks, credit unions, mortgage servicers, and debt buyers. As with the responses to the Streamlining RFI, the consumer groups generally expressed the view that mailed privacy notices were useful, even when no opt-out rights were present, and that changes were not necessary. Among other comments, they suggested that the Bureau promote the use of the Regulation P model form. The industry participants also generally expressed similar views to those expressed by industry in response to the Streamlining RFI. They supported creation of an alternative delivery method for annual privacy notices.32
E. Comments on the Proposed Rule
On May 13, 2014, the Bureau published a proposed rule in the Federal Register to amend 12 CFR 1016.9, the Regulation P provision on annual privacy notices.33 The comment period closed on July 14, 2014. In response to the proposal, the Bureau received approximately 130 comments from industry trade associations, consumer groups, public interest groups, individual financial institutions, and others. As discussed in more detail below, the Bureau has considered these comments in adopting this final rule.
Two commenters discussed the proposed rule’s relation to and potential conflicts with the law of certain states. During the preparation of this final rule, the Bureau consulted with the two states that were identified as having laws that might preclude use of the alternative delivery method and explained the nature and benefits of the change being made to Regulation P. The two states are reviewing their laws and considering how to proceed.
F. Effective Date
Numerous industry commenters requested that any final rule adopted be made effective immediately, to make the rule’s benefits available as soon as possible. An agency must allow 30 days before a substantive rule is made effective, unless, among other things, the rule “grants or recognizes an exemption or relieves a restriction” 34 or “as otherwise provided by the agency for good cause found and published with the rule.” 35 This rule recognizes an exemption from or relieves a restriction on providing the Regulation P annual privacy notice according to the standard delivery methods, and does not create any new requirement because a financial institution can choose not to use the new method. Accordingly, the 30 day delay in effective date does not apply and the Bureau finds good cause to make this rule effective immediately on publication in the Federal Register, in order to allow financial institutions and consumers to enjoy the benefits of this rule as soon as possible.
G. Privacy Considerations
In developing the proposed rule and this final rule, the Bureau considered its potential impact on consumer privacy.
28 Consumer Financial Protection Bureau, “Understanding the Effects of Certain Deposit Regulations on Financial Institutions’ Operations: Findings on Relative Costs for Systems, Personnel, and Processes at Seven Institutions” (Nov. 2013), available at https://files.consumerfinance.gov/f/201311_cfpb_report_findings-relative-costs.pdf.
29 Information collected for the study may be used to assist the Bureau in its investigations of “the effects of a potential or existing regulation on the business decisions of providers.” OMB Information Request—Control Number: 3170–0032.
30 15 U.S.C. 6803 (“[In the initial and annual privacy notices] a financial institution shall provide a clear and conspicuous disclosure. . . .”); 12 CFR 1016.3(b)(1) (defining “clear and conspicuous” as “reasonably understandable and designed to call attention to the nature and significance of the information in the notice.”)
31 See 74 FR at 62897–62898.
32 Recently Congress considered proposed legislation that would provide burden relief as to annual privacy notices, though no law has been enacted. See, e.g., H.R. 749, passed by the House and referred to the Senate in March of 2013; and S. 635, introduced in the Senate in late 2013.
33 See 79 FR 27214 (May 13, 2014). The Bureau subsequently extended the comment deadline. 79 FR 30485 (May 28, 2014).
The rule will not affect the collection or use of consumers’ nonpublic personal information by financial institutions. The rule will expand the permissible methods by which financial institutions subject to Regulation P may deliver annual privacy notices to their customers in limited circumstances. Among other limitations, it will not expand the permissible delivery methods if financial institutions make various types of changes to their annual privacy notices or if their annual privacy notices afford customers the right to opt out of financial institutions’ sharing of customers’ nonpublic personal information. The rule is designed to ensure that when the alternative delivery method is used, customers will continue to have access to clear and conspicuous annual privacy notices.
III. Legal Authority
The Bureau is issuing this final rule pursuant to its authority under section 504 of the GLBA, as amended by section 1093 of the Dodd-Frank Act.36 The Bureau is also issuing this rule pursuant to its authority under sections 1022 and 1061 of the Dodd-Frank Act.37
Prior to July 21, 2011, rulemaking authority for the privacy provisions of the GLBA was shared by eight federal agencies: The Board, the FDIC, the FTC, the NCUA, the OCC, the OTS, the SEC, and the CFTC. The Dodd-Frank Act amended a number of Federal consumer financial laws, including the GLBA. Among other changes, the Dodd-Frank Act transferred rulemaking authority for most of Subtitle A of Title V of the GLBA, with respect to financial institutions described in section 504(a)(1)(A) of the GLBA, from the Board, FDIC, FTC, NCUA, OCC, and OTS (collectively, the transferor agencies) to the Bureau, effective July 21, 2011.
IV. Section-by-Section Analysis
Section 1016.1—Purpose and Scope
The Bureau is making technical corrections to two U.S. Code citations in § 1016.1(b)(1).
34 5 U.S.C. 553(d)(1).
35 5 U.S.C. 553(d)(3).
36 15 U.S.C. 6804.
37 12 U.S.C. 5512, 5581.
Section 1016.9—Delivering Privacy and Opt-Out Notices
Section 1016.9 of Regulation P describes how a financial institution must provide both the initial notice required by § 1016.4 and the annual notice required by § 1016.5. Specifically, existing § 1016.9(a) requires the notice to be provided so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. Existing § 1016.9(b) provides examples of delivery that will result in reasonable expectation of actual notice, including hand delivery, delivery by mail, or electronic delivery for consumers who conduct transactions electronically. Existing § 1016.9(c), redesignated by this final rule as § 1016.9(c)(1), provides examples regarding reasonable expectation of actual notice that apply to annual notices only.
In the proposed rule, the Bureau proposed to add § 1016.9(c)(2), which would create an alternative delivery method for annual privacy notices, by which financial institutions that met certain requirements could comply with the annual notice requirement in § 1016.9(a). For the reasons discussed below, the Bureau is adopting § 1016.9(c)(2) substantially as proposed, with certain minor modifications.
Proposed Rule
As stated above, the Bureau proposed to add § 1016.9(c)(2), which would create an alternative delivery method for annual privacy notices, by which financial institutions that met certain requirements could comply with the annual notice requirement in § 1016.9(a).
The Bureau proposed to allow use of the alternative delivery method to reduce information overload, specifically by eliminating duplicative paper privacy notices in situations in which the customer generally has no ability to opt out of the financial institution’s information sharing.38 Moreover, the Bureau proposed to allow use of the alternative delivery method to decrease the burden on financial institutions of delivering notices, while typically continuing to require delivery of notices pursuant to the standard methods in situations in which customers could opt out of information sharing. Under the alternative delivery method as proposed, customers would have access via financial institutions’ Web sites (or by postal mail on request) to annual privacy notices that are conveyed via the model form, that generally do not inform customers of any right to opt out, and that repeat the same information as in previous privacy notices. Further, because financial institutions would be required to post their privacy notices continuously on their Web sites, customers would be able to access privacy notices throughout the year rather than waiting for an annual mailing. Financial institutions would be required to deliver to customers an annual reminder, on another notice or disclosure, of the availability of the privacy notice on the institution’s Web site and by mail upon telephone request. In light of these considerations, the Bureau believed that where the conditions set forth in the proposed rule would be satisfied, any incremental benefit in terms of customers’ awareness of privacy issues that might accrue from requiring delivery of the annual privacy notice pursuant to the standard methods would be outweighed by the costs of providing the notice, costs that ultimately might be passed through to customers. 
38 The Bureau noted in the proposed rule that the alternative delivery method would be available even where a notice and opt out is offered under the Affiliate Marketing Rule, subpart C of 12 CFR part 1022, which relates to marketing based on information shared by a financial institution, as long as the Affiliate Marketing Rule notice and opt out is also provided separately from the Regulation P annual privacy notice. (For example, this separate Affiliate Marketing Rule notice and opt-out can be provided on the initial privacy notice under Regulation P, which cannot be delivered via the alternative delivery method in any case.) The final rule adopts this approach. See the section-by-section discussion of § 1016.9(c)(2)(i)(C), below.

Comments

In the proposed rule, the Bureau sought data and other information concerning the effect on customer privacy rights if financial institutions were to use the alternative delivery method rather than the standard delivery methods. The Bureau further requested comment on whether the proposed alternative delivery method would be effective in reducing the potential for information overload on customers and reducing the burden on financial institutions of mailing hard copy privacy notices. Comments from industry and consumer and public interest groups stated that the alternative delivery method would be beneficial to or have no effect on customers’ awareness and exercise of their privacy rights under Regulation P. Industry commenters indicated that the proposal would reduce information overload. In regard to burden reduction, comments and earlier outreach indicated that a majority of credit unions, a large number of banks, and many other financial institutions would benefit from being able to use the alternative delivery method.
In addition, proposal comments and earlier outreach have indicated that small financial institutions are less likely to share their customers’ nonpublic personal information in a way that triggers customers’ opt-out rights, and so it is likely that many of those small institutions can decrease their costs through the use of the alternative delivery method. Many industry commenters, however, objected to certain aspects and requirements of the alternative delivery method, and stated that eliminating these conditions and requirements would significantly increase the rule’s burden reduction. Consumer and public interest groups, though, supported the inclusion of the conditions and requirements. These comments are discussed below in relation to the specific provisions they address.

In the proposal, the Bureau noted that the alternative delivery method would be available where customers have already consented to receive their privacy notices electronically pursuant to § 1016.9(a) and invited comment regarding how often privacy notices are delivered electronically under existing Regulation P. The Bureau further invited comment on whether the proposed alternative delivery method is appropriate for customers who already receive privacy notices electronically and whether financial institutions that currently provide the notice electronically would be likely to use the proposed alternative delivery method. Only a few commenters addressed this issue. Some financial institutions indicated that most customers do not receive their annual privacy notices by electronic means, but that the institutions may want to use the alternative delivery method for those that do. The institutions also requested clarification of how this should be done.
In the proposed rule, the Bureau also noted that potential comparison shopping by consumers among financial institutions based on privacy policies was one of the objectives that GLBA model privacy notices, primarily initial privacy notices, were intended to accomplish. See 15 U.S.C. 6803(e).39 The Bureau invited empirical data on whether consumers do comparison shop among financial institutions based on privacy notices. The Bureau did not receive any such data.

Final Rule

As explained in the proposed rule, the specific language of section 503(a) of the GLBA grants some latitude in specifying by rule the method of conveying the annual notices, as long as a “clear and conspicuous disclosure” is provided “in writing or in electronic form or other form permitted by the regulations.” The Bureau’s statutory interpretation allowing the alternative delivery method provision to satisfy this disclosure requirement applies only to the specific type of disclosure involved in the rule and in the limited circumstances presented here, pursuant to the specific language of GLBA section 503. In relation to the comments regarding notices currently delivered electronically, the Bureau reiterates that the alternative delivery method is available in lieu of the existing standard delivery methods including electronic delivery. In addition, as discussed below, the Bureau now clarifies that the notice of availability required by § 1016.9(c)(2)(ii)(A) may be included on account statements, coupon books, or notices or disclosures an institution is required or expressly and specifically permitted to issue to the customer under any other provision of law and delivered through a means otherwise permitted for that type of account statement, coupon book, or notice or disclosure, including electronic delivery where applicable.
For example, the notice of availability may be included on a mortgage loan’s periodic statement that is delivered electronically if the electronic delivery is in compliance with the Electronic Signatures in Global and National Commerce Act 40 (E-Sign) as required by Regulation Z.41 The Bureau adopts § 1016.9(c)(2) substantially as proposed, with minor modifications. Comments on the specific provisions of § 1016.9(c)(2), and the specific provisions as adopted in this final rule, are discussed more fully below.

39 Facilitating comparison shopping based on privacy policies was also mentioned repeatedly in the preamble to the model privacy notice rule. See generally 74 FR 62890.

Section 1016.9(c)(2) Alternative Method for Providing Certain Annual Notices

Section 1016.9(c)(2)(i)

Proposed § 1016.9(c)(2) would have set forth an alternative to § 1016.9(a) for providing certain annual notices. Proposed § 1016.9(c)(2)(i) would have provided that, notwithstanding the general notice requirement in § 1016.9(a), a financial institution may use the alternative method set forth in proposed § 1016.9(c)(2)(ii) to satisfy the requirement in § 1016.5(a)(1) to provide an annual notice if the institution met certain conditions as specified in proposed § 1016.9(c)(2)(i)(A) through (E). The Bureau is adopting § 1016.9(c)(2)(i) as proposed. The Bureau also proposed certain technical amendments to accommodate the new provision, which are adopted unchanged in the final rule.42

Comments

The Bureau invited comment generally on the conditions in proposed § 1016.9(c)(2)(i)(A) through (E) and whether any of those conditions should not be required or whether additional conditions should be added.
Commenters generally discussed the conditions individually, and those comments are discussed in regard to each of those individual conditions below. No industry commenters suggested additional conditions. A consumer group and an academic commenter suggested unrelated enhancements to the privacy notice regulations that would severely impede the burden reduction achieved by this rule and have not been adopted. An industry trade association suggested that the Bureau remove the required conditions because the alternative delivery method is superior to the standard methods, and all customers and financial institutions should benefit from its use in all circumstances. Other industry commenters suggested that the conditions were unnecessary because customers do not read the notices anyway. Several industry commenters suggested that the Bureau’s rule should not put more restrictions on the web posting of privacy notices than related pending legislation in Congress would if such legislation were enacted.43

40 15 U.S.C. 7001–7031.

41 See 12 CFR 1026.31(b) and 1026.41.

42 Existing § 1016.9(c) is redesignated as § 1016.9(c)(1) and its subparagraphs redesignated as § 1016.9(c)(1)(i) and (ii), respectively, to accommodate the addition of § 1016.9(c)(2). The Bureau is also adding a heading to new paragraph (c)(1) for technical reasons.

Final Rule

The Bureau adopts § 1016.9(c)(2)(i) as proposed. The Bureau believes that the alternative delivery method provides appropriate and sufficient notice if a privacy notice has not changed and is not needed to inform the customer of his or her opt-out rights. The Bureau, however, also believes that generally requiring financial institutions to use the standard delivery methods for notices that have changed or that are required to inform consumers of opt-out rights, is more consistent with the importance to the GLBA statutory scheme of customers’ ability to exercise opt-out rights.
The Bureau also believes that the continued use of standard delivery methods in these circumstances is more consumer-friendly than allowing use of the alternative delivery method where notices have changed or are required to inform customers of opt-out rights. In regard to pending bills in Congress, the Bureau notes that the final rule is promulgated to implement the current GLBA statutory scheme.

43 Certain requirements for use of the alternative delivery method, such as those relating to FCRA opt-outs and use of the model privacy form, are not mentioned in any of the versions of this pending legislation.

Section 1016.9(c)(2)(i)(A)

Proposed § 1016.9(c)(2)(i)(A) would have set forth the first condition for using the alternative delivery method: That the financial institution does not share the customer’s information with nonaffiliated third parties other than through the activities specified under §§ 1016.13, 1016.14 and 1016.15 that do not trigger opt-out rights under the GLBA. For the reasons discussed below, the Bureau is finalizing § 1016.9(c)(2)(i)(A) as proposed, with minor technical revisions.

Proposed Rule

For the reasons stated in the proposal, the Bureau proposed to continue to require standard delivery of the annual notice where customers have opt-out rights. The Bureau further proposed limiting the alternative delivery method to circumstances in which customers have no information sharing opt-out rights under Regulation P as a way to reduce the burden of compliance generally while still mandating the use of the standard delivery methods to ensure that customers have direct notice of any opt-out rights they have.
This approach was also reflected in proposed § 1016.9(c)(2)(i)(B) and (C), discussed in detail below, which would have limited the use of the alternative delivery method where a financial institution shares customer information with affiliates in a way that triggers opt-out rights under FCRA sections 603(d)(2)(A)(iii) and 624.

Comments

Many commenters addressed § 1016.9(c)(2)(i)(A), (B), and (C) (the “opt-out conditions”) collectively without distinguishing among them.44 For example, several consumer and privacy advocacy groups stated that they supported finalizing the opt-out conditions because many customers will not take the additional steps necessary to access or receive a privacy notice under the alternative delivery method and that it is therefore appropriate to permit use of it only if a customer does not have opt-out rights. Similarly, a civil rights public interest group supported the opt-out conditions in part, stating that these limitations would incentivize financial institutions not to share their customers’ information. An organization representing state banking regulators also generally supported the proposed conditions for the alternative delivery method without specifically commenting on the opt-out conditions. Several individual credit unions and community banks either expressly supported the opt-out conditions or supported the proposal generally without addressing the opt-out conditions.
Many financial institution commenters also expressed support for legislation currently pending in Congress that would either eliminate the requirement to provide an annual notice or allow an institution to provide access to an annual notice electronically if a financial institution does not share information in a way that triggers opt-out rights under the GLBA and other conditions are met.45

44 To the extent that commenters distinguished among the opt-out conditions, they focused on the conditions proposed in § 1016.9(c)(2)(i)(B) and (C) which are discussed in detail in the section-by-section analysis below.

45 See, e.g., H.R. 749, passed by the House and referred to the Senate in March of 2013; and S. 635, introduced in the Senate in late 2013.

In contrast, however, other industry commenters, especially those representing larger financial institutions, objected to limiting the alternative delivery method to financial institutions that are not required to provide opt-out rights to their customers, stating that such conditions would prevent them from using the alternative delivery method. These commenters stated that most large financial institutions, including most large non-bank financial institutions, share information in such a way that they are required to offer opt-out rights to their customers under either the GLBA or the FCRA (or both) and thus they would not be able to use the proposed alternative delivery method.46 These commenters asserted that the opt-out conditions would significantly limit the burden reduction from the proposal.
Moreover, commenters objecting to not allowing the use of the alternative delivery method if customers have opt-out rights stated that customers only very infrequently exercise their rights to opt out of information sharing after receiving mailed annual privacy notices and thus the Bureau does not need to require standard delivery of notices even if opt-out rights exist. One national trade association representing business interests stated that the Bureau’s admission in the proposal that it is unlikely that fewer customers would read the privacy notice if financial institutions deliver it pursuant to the alternative method than read it if mailed undercuts the notion that mailed notices are more effective.

46 A national trade association representing business interests stated that banks that hold collectively half of all U.S. deposits would not be able to use the alternative delivery method as proposed.

Final Rule

The Bureau is adopting § 1016.9(c)(2)(i)(A) as proposed except for technical revisions to revise the wording from “share with” to “disclose to” to be consistent with most of the rest of the existing rule text in part 1016 and to clarify that the information that may not be disclosed is the “customer’s nonpublic personal information.” The Bureau is aware that the proposed opt-out conditions in § 1016.9(c)(2)(i)(A), (B), and (C) will preclude some financial institutions from using the alternative delivery method. Nonetheless, the Bureau believes that because of the importance to the statutory scheme of customers’ ability to exercise opt-out rights, financial institutions must continue to satisfy requirements to provide information about these rights through the standard delivery methods. In addition, as shown by the Bureau’s research in connection with the proposal 47 and by comments received on the proposal, the Bureau believes that even with these conditions, many financial institutions will be able to use the alternative method which will relieve burden for them and reduce information overload for their customers.48

47 79 FR at 27227.

With respect to the comment that few customers opt out of information sharing when they receive notices through the standard delivery methods, the Bureau believes that standard delivery of the annual privacy notice is a more consumer-friendly method for conveying the existence of opt-out rights to customers and allowing them to exercise those rights. As to whether fewer customers will read the privacy notice when delivered pursuant to the alternative delivery method, the Bureau notes that there is no reliable evidence bearing on this question. In the absence of such evidence the Bureau opts to continue the standard delivery methods (e.g., mail) that require the least amount of effort from consumers to exercise their opt-out rights.

Section 1016.9(c)(2)(i)(B) and 9(c)(2)(i)(C)

Proposed § 1016.9(c)(2)(i)(B) would have set forth the second condition for using the alternative delivery method for the annual privacy notice: That the financial institution not include on its annual notice an opt out under section 603(d)(2)(A)(iii) of the FCRA.49 Proposed § 1016.9(c)(2)(i)(C) would have presented the third condition for using the alternative delivery method: that the annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the FCRA 50 and subpart C of 12 CFR part 1022 (the “Affiliate Marketing Rule”). For the reasons discussed below, the Bureau is finalizing § 1016.9(c)(2)(i)(B) as proposed and is finalizing § 1016.9(c)(2)(i)(C) as revised.
48 Apart from individual institutions that stated whether they would be able to use the alternative method, few commenters provided data on how many financial institutions would be precluded from using the alternative delivery method because of the opt-out condition. One state association representing banks did provide such data noting that only 11 of 99 banks that responded to the association’s survey would not be eligible to use the proposed alternative delivery method.

49 15 U.S.C. 1681a(d)(2)(A)(iii).

50 15 U.S.C. 1681s–3.

Proposed Rule

As discussed in part II above, FCRA section 603(d)(2)(A)(iii) excludes from the statute’s definition of “consumer report” a financial institution’s sharing of certain information about a consumer with its affiliates if the financial institution provides the consumer with notice and an opportunity to opt out of the information sharing. Section 503(b)(4) of the GLBA expressly requires a financial institution’s privacy notice to include any disclosures the financial institution is required to make under section 603(d)(2)(A)(iii) of the FCRA, if any. Section 1016.6(a)(7), which implements this statutory directive, requires a financial institution’s privacy notice to include any disclosures the institution makes under section 603(d)(2)(A)(iii). As stated in the proposal, because the Bureau proposed the alternative delivery method be available only if notices are not required to inform customers of opt-out rights, proposed § 1016.9(c)(2)(i)(B) provided that annual notices that inform customers of FCRA section 603(d)(2)(A)(iii) opt-out rights, like notices that inform customers of GLBA opt-out rights, would have to continue to be delivered pursuant to the standard delivery methods.
In contrast to the FCRA section 603(d)(2)(A)(iii) notice and opt-out right, the Affiliate Marketing Rule notice and opt out is not required by either the GLBA or Regulation P to be included on the annual privacy notice. The Affiliate Marketing Rule notice and opt out may be included on this notice, however. Given that the Affiliate Marketing Rule notice and opt out is not required on the annual privacy notice (and indeed does not have to be provided annually),51 the Bureau believes, as stated in the proposal, that including the Affiliate Marketing Rule opt-out on the annual notice should not preclude a financial institution from using the alternative delivery method. The Bureau therefore proposed § 1016.9(c)(2)(i)(C), which would have allowed a financial institution to use the alternative delivery method if it provides the customer with an opt-out right under the Affiliate Marketing Rule as long as the Regulation P annual privacy notice was not the only notice provided to satisfy the Affiliate Marketing Rule, if applicable.

As it did in the proposal, the Bureau notes that the required duration of a consumer opt-out under the Affiliate Marketing Rule depends on whether the Affiliate Marketing Rule notice and opt out is included as part of the Regulation P model privacy notice or issued separately. If a financial institution includes the Affiliate Marketing Rule notice and opt out on the model privacy notice, Regulation P requires that opt out to be of indefinite duration.52 In contrast, if a financial institution provides the Affiliate Marketing Rule notice and opt out separately, Regulation V allows the opt out to be offered for as few as five years, subject to renewal, and the disclosure of the duration of the opt out must be included on the separate notice.53 As stated in the proposal, the Bureau believes that prohibiting the use of the alternative delivery method if a financial institution voluntarily includes the Affiliate Marketing Rule notice and opt-out on its annual privacy notice could discourage financial institutions from including it. If so, it could be to the detriment of consumers who otherwise likely would not receive annual notice of their Affiliate Marketing Rule opt-out right.

51 72 FR 62910, 62930 (Nov. 7, 2007).

52 Regulation P provides, “Institutions that include this reason [for sharing or using personal information] must provide an opt-out of indefinite duration.” Appendix to part 1016 at C.2.d.6.

Comments

Comments that addressed the three opt-out conditions in proposed § 1016.9(c)(2)(i)(A), (B), and (C) are discussed collectively above in the section-by-section analysis of § 1016.9(c)(2)(i)(A). Though many commenters generally supported the opt-out conditions, they did not separately discuss § 1016.9(c)(2)(i)(B) or (C). Commenters who specifically addressed § 1016.9(c)(2)(i)(B) and (C) stated that because FCRA-covered information sharing with affiliates is more widespread among financial institutions than information sharing with third-parties not covered by a GLBA exception, these FCRA conditions were likely to prevent many more financial institutions from taking advantage of the alternative delivery method than § 1016.9(c)(2)(i)(A) relating to GLBA opt-out rights. These commenters asserted that the FCRA opt-out conditions in proposed § 1016.9(c)(2)(i)(B) and (C) should not be finalized even if the Bureau continues to require standard delivery methods to customers who have GLBA opt-out rights.
53 12 CFR 1022.22(b), 1022.23(a)(1)(iv).

A national trade association representing the consumer credit industry stated that proposed § 1016.9(c)(2)(i)(B) and (C) would preclude non-depository institutions from using the alternative delivery method more than depository institutions because non-depository institutions tend to share information with affiliates (and thereby trigger FCRA opt-out rights) more often than depository institutions. Several state community bank and credit union associations as well as several individual community banks and credit unions objected to § 1016.9(c)(2)(i)(B) and (C) because they share information with affiliates to offer services to their customers that they otherwise could not offer. A “think tank” focused on data practices also opposed § 1016.9(c)(2)(i)(B) and (C) because it said the FCRA opt-out conditions are too limiting to financial institutions and a mailed notice is not necessary to inform customers of those opt-out rights. A mortgage industry group further opposed § 1016.9(c)(2)(i)(B) and (C) because information sharing governed by the FCRA is different in kind from that governed by the GLBA, and FCRA requirements should not determine the GLBA annual notice delivery requirements.

Many industry commenters argued that the Bureau’s proposal should track proposed legislation in Congress which would either eliminate the annual notice requirement or allow an institution to provide access to an annual notice electronically or in other forms if no GLBA opt-out rights exist (and certain other conditions are met). Such proposed legislation, however, does not address the relationship between an alternative delivery method and FCRA opt-out rights.
Specifically with respect to proposed § 1016.9(c)(2)(i)(C), several financial institutions stated that the requirement to separately provide the Affiliate Marketing Rule opt-out notice to use the alternative delivery method would negate the cost savings of the alternative delivery method.

Final Rule

The Bureau is finalizing § 1016.9(c)(2)(i)(B) as proposed and is finalizing § 1016.9(c)(2)(i)(C) as revised. The Bureau understands that including § 1016.9(c)(2)(i)(B) and (C) as conditions for using the alternative delivery method will limit the availability of the alternative delivery method more than if the Bureau finalized only the GLBA opt-out condition in § 1016.9(c)(2)(i)(A). The Bureau further understands that the FCRA opt-out conditions may affect certain types of financial institutions more than others. The Bureau is nonetheless persuaded, for the same reasons discussed in regard to § 1016.9(c)(2)(i)(A), that it is important for customers to receive standard delivery of the annual notice if that notice includes information concerning the right to opt out of information sharing. The Bureau believes that standard delivery is a more consumer-friendly way of notifying customers of their opt-out rights and allowing them to exercise those rights.

With respect to commenters who stated that FCRA requirements should not govern GLBA annual notice requirements, the Bureau notes that section 503(b)(4) of GLBA expressly requires that disclosures required under section 603(d)(2)(A)(iii) of FCRA be included on the GLBA privacy notice.
Section 603(d)(2)(A)(iii) of the FCRA is silent as to how frequently the notice of opt-out rights must be delivered, but the agencies responsible for implementation of the GLBA interpreted it to require provision of annual notice of the FCRA section 603(d)(2)(A)(iii) opt-out right.54 Accordingly, since it became effective in 2000, § 1016.6(a)(7) has required financial institutions that offer the FCRA section 603(d)(2)(A)(iii) opt-out to include it on their annual privacy notice. The Bureau’s determination that customers should continue to receive annual notices that inform them of opt-out rights pursuant to the standard delivery methods applies equally to those FCRA opt-out rights that are required by § 1016.6(a)(7) to be included on the GLBA annual privacy notice. FCRA opt-out rights conveyed on the annual notice under § 1016.6(a)(7) are as important to customers and to the FCRA statutory scheme as the GLBA opt-out rights and thus should be delivered pursuant to the standard delivery methods.

Regarding § 1016.9(c)(2)(i)(C), the Bureau has substantially revised the provision to clarify how use of the model privacy notice to inform customers of opt-out rights under the Affiliate Marketing Rule interacts with use of the alternative delivery method. The Affiliate Marketing Rule requires that, before a financial institution may make solicitations based on eligibility information about a consumer it receives from an affiliate, the consumer must be provided with notice and an opportunity to opt out of such use. The Affiliate Marketing Rule further requires that a consumer’s opt-out must be effective for a period of at least five years, but if the financial institution chooses to honor the customer’s opt-out indefinitely, the notice need be delivered only once. As discussed above, this notice and opt-out may be included on a Regulation P privacy notice, but is not required to be.
If the Affiliate Marketing Rule opt-out is incorporated in the model privacy notice, initial or annual, a financial institution must honor any customer opt-out request indefinitely.55 Accordingly, if a financial institution chooses to include the Affiliate Marketing Rule opt-out on its model privacy notice, the institution has no further Affiliate Marketing Rule disclosure obligations after the first model privacy notice is delivered and the institution is free to continue including the Affiliate Marketing Rule opt-out on the annual privacy notice without jeopardizing its ability to use the alternative delivery method.56

54 65 FR 35162, 35176 (June 1, 2000).

55 Appendix to part 1016 at C.2.d.6.

The language of § 1016.9(c)(2)(i)(C) has been revised to make this more explicit by stating that the alternative delivery method is available to a financial institution if “the requirements of [the Affiliate Marketing Rule], if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements.” In light of this clarification, the Bureau disagrees with commenters who stated that there would be no cost savings from the alternative delivery method for institutions that are subject to the Affiliate Marketing Rule. If those institutions used the model privacy notice and standard delivery methods to disclose opt-out rights, then they could use the alternative delivery method for subsequent annual notices. If those institutions provided a separate Affiliate Marketing Rule opt-out because they wanted to limit the duration of that opt-out, no additional notices would be required and the alternative delivery method would still be available.
If the customer had not already received the Affiliate Marketing Rule opt-out notice, the financial institution would be required to deliver that notice only once using standard methods to satisfy § 1016.9(c)(2)(i)(C). The Bureau believes that generally a customer would have already received the Affiliate Marketing Rule notice and the one-time delivery still would not negate potential savings for annual notices in subsequent years.

The Bureau acknowledges that some customers will no longer receive their annual privacy notice pursuant to standard delivery methods even though the notice informs them of a right to opt out that exists pursuant to the Affiliate Marketing Rule. The Bureau believes, however, that this concern is mitigated by the fact that if the customer had not already received notice of the Affiliate Marketing Rule opt out pursuant to standard delivery methods, the financial institution would have to provide a separate Affiliate Marketing Rule notice in order to satisfy § 1016.9(c)(2)(i)(C).57 The Bureau considered but decided against prohibiting use of the alternative delivery method where a financial institution provides an opt out under the Affiliate Marketing Rule because neither the GLBA nor Regulation P requires the Affiliate Marketing Rule opt-out to be included on the annual privacy notice.

56 A financial institution could also include the Affiliate Marketing Rule opt-out on a non-model privacy notice and choose to honor opt-outs indefinitely and have no further Affiliate Marketing Rule obligations after the first privacy notice is delivered.

57 Alternatively, the financial institution could continue to use the current delivery method and include the Affiliate Marketing opt out on the annual privacy notice, with no separate notice required.
Section 1016.9(c)(2)(i)(D)

Proposed § 1016.9(c)(2)(i)(D) would have presented the fourth condition for using the alternative delivery method: That the information a financial institution is required to convey on its annual privacy notice pursuant to § 1016.6(a)(1) through (5), (8) and (9) has not changed since the immediately previous privacy notice (whether initial or annual) to the customer. For the reasons discussed below, the Bureau is adopting § 1016.9(c)(2)(i)(D) with some modifications.

Proposed Rule

The Bureau proposed to provide more flexibility in the method of delivering a notice that has not changed because it believed that delivery of the annual notice by the standard delivery methods is likely less useful if the customer has already received a privacy notice, the financial institution’s sharing practices remain generally unchanged since that previous notice, and the other requirements of § 1016.9(c)(2)(i) are met. Proposed § 1016.9(c)(2)(i)(D) would have listed the specific disclosures of the privacy notice that must not change for a financial institution to take advantage of the alternative delivery method: § 1016.9(a)(1) through (5), (8), and (9). The Bureau explained that the disclosures required by § 1016.6(a)(1) through (5) and (9) describe categories of nonpublic personal information collected and disclosed and categories of third parties with whom that information is disclosed. Accordingly, only a change in or addition of a category of information collected or shared or in a category of third party with whom the information is shared would have prevented a financial institution from satisfying proposed § 1016.9(c)(2)(i)(D) based on the disclosures required by § 1016.6(a)(1) through (5) and (9).
The Bureau also explained that the disclosure required by § 1016.6(a)(8) would disallow use of the alternative delivery method if a financial institution changed the required description of its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. The Bureau explained that changes in the description of a financial institution’s data security policy likely are significant enough that when they occur, the annual privacy notice should continue to be delivered according to the standard delivery methods. Indeed, in light of recent large-scale data security breaches, some customers may be more interested in the data security policies of their financial institutions than they were previously. The Bureau further noted in the proposal that stylistic changes in the wording of the notice that do not change the information conveyed on the notice would not prevent a financial institution from satisfying proposed § 1016.9(c)(2)(i)(D).

Comments

Most commenters that addressed § 1016.9(c)(2)(i)(D) supported the proposed requirement. A national association representing student loan servicers stated that proposed § 1016.9(c)(2)(i)(D) is the most important element of the requirements for using the alternative delivery method. Several national associations representing both large and small financial institutions suggested retaining the requirement in § 1016.9(c)(2)(i)(D), even though they advocated alternatives to other components of the proposal. As noted in the section-by-section analyses of § 1016.9(c)(2)(i)(A) and (B), many commenters expressed their support for legislation pending in Congress that is somewhat similar to the proposal and includes the requirement that the financial institution’s privacy notice remain unchanged from the previous notice.
In contrast, a national business coalition relating to online privacy criticized proposed § 1016.9(c)(2)(i)(D) as significantly reducing the opportunity for financial institutions to use the alternative delivery method, in conjunction with the other requirements of proposed § 1016.9(c)(2)(i). Most other commenters suggested technical changes to proposed § 1016.9(c)(2)(i)(D) or requested clarification. A state association representing credit unions and a community bank commented that a revised privacy notice is required by § 1016.8 if a financial institution shares information other than as described in the initial privacy notice. It thus proposed that § 1016.9(c)(2)(i)(D) should allow financial institutions to use the alternative delivery method if the information disclosed on the privacy notice has not changed since the immediately previous privacy notice, initial, annual, or revised. A compliance services company commented that Regulation P requires information to be included on the model privacy notice that, if changed, might be significant for customers but is not included in § 1016.9(c)(2)(i)(D). Such information includes the name of the financial institution providing the notice, changes in the definitions section of the notice which describes the financial institution’s affiliates, nonaffiliates with whom it shares information, and joint marketing practices, and changes in the ‘‘Other Important Information’’ section of the model form, such as those involving state law requirements. The compliance services company further commented that the statement on the notice of availability required by § 1016.9(c)(2)(ii)(A) that ‘‘our privacy policy has not changed’’ could be inaccurate if such information had in fact changed.
Moreover, the compliance services company also explained that the Bureau’s statement in the proposal that a financial institution could change its privacy policy so as to eliminate information sharing that triggers opt-out rights and then make use of the alternative delivery method for the next annual privacy notice 58 conflicts with § 1016.9(c)(2)(i)(D) as proposed. According to the commenter, eliminating a category of affiliates with whom the financial institution shares information would trigger changes to the disclosure required by § 1016.6(a)(2) and thus would prevent a financial institution from complying with proposed § 1016.9(c)(2)(i)(D). Lastly, the compliance services company requested guidance on the sequence of events that would allow a financial institution to use the alternative delivery method after a privacy policy change occurs. For example, the company asked for clarification on when a revised notice should be sent, a time period after the notice of availability was delivered within which the institution would be required to implement the requirements for Web site posting and establishing a telephone number to request the privacy notice, and a time frame after the change for the institution to wait before it starts using the statement that ‘‘our privacy policy has not changed.’’

Final Rule

The Bureau is adopting § 1016.9(c)(2)(i)(D) with some modifications. Regarding the comment that proposed § 1016.9(c)(2)(i)(D) renders the alternative delivery method of limited availability to financial institutions, the Bureau believes that requiring notices that have changed to be delivered pursuant to standard delivery methods is a more consumer-friendly way of notifying customers of changes than requiring consumers to affirmatively seek out information about the changed policy.

58 79 FR at 27221 n.54.
As to revised privacy notices, the Bureau agrees that a financial institution that has used standard delivery methods to provide customers with a revised privacy notice under § 1016.8 should be able to use the alternative delivery method for its next annual notice. Accordingly, the Bureau is revising proposed § 1016.9(c)(2)(i)(D) to permit a financial institution to use the alternative delivery method if the information contained on its privacy notice has not changed since it provided the immediately previous privacy notice (whether initial, annual, or revised). Regarding the comment that some pertinent information on the privacy notice could change and proposed § 1016.9(c)(2)(i)(D) would still permit the financial institution to use the alternative delivery method, the Bureau is permitting use of the alternative delivery method following such changes to provide greater flexibility. For example, although information about the name of the financial institution or its affiliates is useful to customers, the Bureau does not believe that information is as important in the context of the privacy notice as changes to the categories of nonpublic personal information collected and disclosed by the financial institution, the categories of third parties with whom the institution discloses that information, and changes to the institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. Moreover, where a financial institution changes its name, that name change would likely be conveyed to the institutions’ customers through means beyond the annual privacy notice. Indeed, including changes to the financial institution’s name, the names of its affiliates, or its joint marketing practices in § 1016.9(c)(2)(i)(D) likely would limit the availability of the alternative method without much benefit to customers. 
Lastly, the Bureau believes that the statement required by § 1016.9(c)(2)(ii)(A) that ‘‘our privacy policy has not changed’’ is accurate even when information such as the financial institution’s name or its affiliates have changed, as long as the policy the financial institution is required to describe on its annual privacy notice pursuant to § 1016.6(a)(1) through (5), (8), and (9) has not changed. As to a financial institution that changes its privacy policy to eliminate information sharing that triggers opt-out rights, the Bureau determines that such an institution would be able to use the alternative delivery method for its next annual notice and agrees that this should be clarified in the rule text. Under the final rule, if an institution chooses to stop sharing certain categories of information or to stop sharing information with certain categories of third parties, the financial institution will be able to use the alternative delivery method for its next annual privacy notice without first sending out a privacy notice pursuant to standard delivery methods (provided it meets the requirements of § 1016.9(c)(2)). The Bureau is modifying § 1016.9(c)(2)(i)(D) to permit financial institutions to use the alternative delivery method if the information the institution is required to convey has not changed other than to eliminate categories of information it discloses or categories of third parties to whom it discloses information. Lastly, as to the request for clarification about the process for using the alternative delivery method after a financial institution changes its sharing practices, the alternative delivery method does not alter either the requirements for providing a revised privacy notice in § 1016.8 or any of the timing requirements in existing § 1016.5.
Accordingly, to the extent that § 1016.8 requires a financial institution to deliver a revised privacy notice if a financial institution changes its information sharing, the institution is still required to deliver that notice pursuant to § 1016.9.59 Similarly, the adoption of § 1016.9(c)(2) does not change the timing requirements for delivering the annual notice. Accordingly, if a financial institution makes a change to its information sharing practices that would prevent it from meeting the condition in § 1016.9(c)(2)(i)(D), i.e., a change other than to eliminate categories of information it discloses or categories of third parties to whom it discloses, the financial institution could use the alternative delivery method to meet its next annual privacy notice requirement if it first sent a revised privacy notice pursuant to the standard delivery methods (provided it meets the requirements of § 1016.9(c)(2)). If the change is to its policies and practices regarding protecting the confidentiality and security of nonpublic personal information, no revised privacy notice would be required under § 1016.8 but a financial institution could opt to provide one anyway so that it could use the alternative delivery method and the statement that its privacy policy has not changed to meet its next annual notice requirement.

59 The Bureau notes that a revised privacy notice may not be delivered using the alternative delivery method because the alternative method only may be used to satisfy the requirement to provide an annual notice in § 1016.5(a)(1).
Alternatively, a financial institution that makes a change to its information sharing practices or its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information that would prevent the institution from meeting the condition in § 1016.9(c)(2)(i)(D) could send its next annual privacy notice using standard delivery methods and resume using the alternative delivery method thereafter. To the extent that a financial institution chooses to provide the notice of availability of its privacy policies more often than annually, it could include the statement that its privacy policy has not changed whenever the intervening change is not a change covered by § 1016.9(c)(2)(i)(D); where the intervening change is one covered by § 1016.9(c)(2)(i)(D), the financial institution could include the statement that its privacy policy has not changed once it delivers a revised privacy notice pursuant to the standard delivery methods. Regarding when a financial institution must implement the Web site posting of the privacy notice and the telephone number for requesting the notice, a financial institution may choose to adopt the alternative delivery method at any time. However, it would need to meet all of the requirements for using the alternative delivery method by the due date of the first annual privacy notice that the institution does not deliver using one of the standard delivery methods. This would include sending the notice of availability that informs customers of the existence of the Web site and the telephone number and providing customers access to the privacy notice by Web site and through telephone request by that due date.

Section 1016.9(c)(2)(i)(E)

The last condition for use of the alternative delivery method included in the Bureau’s proposed rule, which was set forth in proposed § 1016.9(c)(2)(i)(E), would have required that a financial institution use the Regulation P model privacy form for its annual privacy notice.
The Bureau now adopts the provision as proposed.

Proposed Rule

The model form was adopted in 2009 as part of an interagency rulemaking mandated by Congress.60 The form was developed using consumer research to ensure that the model notice was easier to understand and use than most privacy notices then being used.61 During outreach prior to the Bureau’s issuance of its May 13, 2014, proposed rule, consumer and privacy groups told the Bureau that the model form is easier for consumers to understand than other privacy notices. The Bureau’s research on the impacts of its proposed rule 62 determined that some non-model form privacy notices were not easily understood. This research also determined that a significant percentage of financial institutions already use the model privacy form. Accordingly, the Bureau proposed § 1016.9(c)(2)(i)(E), which would permit use of the alternative delivery method only if a financial institution uses the model privacy form for its annual privacy notice.

Comments

The Bureau invited comment on the extent to which financial institutions currently use the model privacy form and, if they do not, whether they would choose to do so to take advantage of the proposed alternative delivery method. In addition, the Bureau invited comment on the benefit to customers of receiving a privacy notice in the model form rather than a privacy notice in a non-standardized format. The comments indicated that a significant number of industry participants are using the model form already. The Bureau did not receive much comment on whether the model form requirement would incentivize its use so that financial institutions could use the alternative delivery method. However, one industry commenter stated it would do so.
On the other hand, some other industry commenters asserted that conditioning the use of the alternative delivery method on the use of the model form would significantly affect how many financial institutions could use the alternative delivery method and experience reduced burden. Consumer and public interest group commenters explicitly and strongly supported the model form requirement, explaining that the model form is easier for consumers to understand than other notices that individual financial institutions use because it does not have the legal jargon and complex vocabulary found in those other notices. An academic commenter described a project where notices are collected and compared, and stressed the importance of online standardized notices, such as those using the model form. Some credit union associations supported the model form requirement but requested that the Bureau clarify whether changes to the form would be acceptable and, if so, what types of changes would be acceptable. Many comments from industry members and groups supported the rule as proposed or only objected to requirements other than the model form, and so they did not appear to view the model form requirement as problematic. However, several industry trade associations and many individual institutions objected to the model form requirement. One trade association stated that many financial institutions currently use forms that they believe are more informative than the model form and that their customers are more familiar with. A student loan servicing trade association made a similar comment, stating that some servicers do not want to use the model form because their version provides customers with more information.

60 15 U.S.C. 6803(e).
61 74 FR at 62891.
62 See below, parts V and VI.
Many trade association and individual industry commenters also were concerned that if they made changes to the model form to be clearer and more informative, it would preclude them from using the alternative delivery method. These commenters suggested that the Bureau state clearly that changes in wording and layout in the model form would be acceptable. Several commenters requested that the form used only have to comply with Regulation P, rather than having to follow the model form instructions. Two trade associations stated that the model form is one-size-fits-all and does not work for nontraditional financial institutions such as companies that offer long-term installment plans. Other commenters objected to the requirement that the Web page containing the model form have no other information and suggested that other privacy information should be allowed. The Bureau also invited comment on related state or international law requirements and their interaction with the model privacy notice. Although the Bureau did receive comments, as discussed above, on the proposed rule’s relation to state law, those comments did not address the model form requirement. In addition, the Bureau solicited comment on whether adoption of the model form itself should be considered a change in the annual notice pursuant to proposed § 1016.9(c)(2)(i)(D) such that an institution using the model form for the first time would be precluded from using the proposed alternative delivery method until the following year’s annual notice. Consumer and public interest group commenters did not address this issue, but some industry commenters stated that adoption of the model form should not be considered a change under § 1016.9(c)(2)(i)(D).

Final Rule

The Bureau adopts § 1016.9(c)(2)(i)(E) as proposed.
Based on the Bureau’s impact analyses and the research that went into the development and testing of the model form,63 the Bureau continues to believe that requiring use of the model form as a condition of using the alternative delivery method will foster the use of a notice that is, in general, more consumer-friendly and effective in conveying privacy policy information to customers than nonstandardized notices. The Bureau also continues to believe that § 1016.9(c)(2)(i)(E) is likely to encourage some financial institutions that are not currently doing so to use the model form to take advantage of the cost savings associated with the alternative delivery method. Moreover, the Bureau does not believe that adopting the model form will entail significant costs for the minority of financial institutions that do not currently use it, and notes that there is an Online Form Builder that allows financial institutions to readily create customized privacy notices using the model form template.64 In addition, the Bureau believes that in a large majority of instances the one-time cost of adopting the model form will be offset quickly by the reduced cost of printing and mailing forms, which will then continue year after year. While some financial institution commenters asserted that conditioning the use of the alternative delivery method on the use of the model form would significantly affect how many financial institutions could use the alternative delivery method and experience reduced regulatory burden, they did not submit data or substantive analysis on this point.

63 The research that went into the development and testing of the model form was detailed in four reports: (1) Financial Privacy Notice: A Report on Validation Testing Results (Kleimann Validation Report), February 12, 2009, available at https://www.ftc.gov/system/files/documents/reports/financial-privacy-notice-report-validation-testingresults-kleimann-validationreport/financial_privacy_notice_a_report_on_validation_testing_results_kleimann_validation_report.pdf; (2) Consumer Comprehension of Financial Privacy Notices: A Report on the Results of the Quantitative Testing (Levy-Hastak Report), December 15, 2008, available at https://www.ftc.gov/system/files/documents/reports/quantitative-research-levyhastak-report/quantitative_research_-_levy-hastak_report.pdf; (3) Mall Intercept Study of Consumer Understanding of Financial Privacy Notices: Methodological Report (Macro International Report), September 18, 2008, available at https://www.ftc.gov/system/files/documents/reports/quantitative-research-macro-international-report/quantitative_research_-_macro_international_report.pdf; and (4) Evolution of a Prototype Financial Privacy Notice: A Report on the Form Development Project, March 31, 2006, available at https://kleimann.com/ftcprivacy.pdf. The development and testing of the model privacy notice is also discussed in L. Garrison, M. Hastak, J.M. Hogarth, S. Kleimann, A.S. Levy, Designing Evidence-based Disclosures: A Case Study of Financial Privacy Notices. The Journal of Consumer Affairs, Summer 2012: 204–234.
64 This Online Form Builder is available at https://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.
In regard to comments about forms that comply with Regulation P but may not comply exactly with the model form instructions, potentially giving rise to violations when the alternative delivery method is used, the Bureau notes that financial institutions may consult counsel on how to comply so as to limit the risk of government enforcement.65 In regard to types of financial institutions that do not prefer to use the model form for whatever reason, the Bureau notes that the model form was carefully crafted to be usable by a wide variety of financial institutions,66 but any institutions that choose not to use it may continue to send annual privacy notices in the standard manner. The Bureau notes that the model form accommodates information that may be required by state or international law, as applicable, in a box called ‘‘Other important information.’’ 67 Accordingly, the Bureau expects that a financial institution that has additional privacy disclosure obligations pursuant to state or international law will still be able to use the model form to take advantage of the proposed alternative delivery method. In regard to supplemental privacy information a financial institution wishes to convey, the discussion of § 1016.9(c)(2)(ii)(B) below makes clear that a link to such information elsewhere on the financial institution’s Web site may be included as part of the navigational materials on the Web page containing the model privacy form. In addition, the Bureau has determined that a financial institution’s adoption of the model privacy form, which may require changes to the wording and layout of the privacy notice but not to the substance of the information conveyed under § 1016.6(a)(1) through (5), (8) and (9), will not constitute a change within the meaning of § 1016.9(c)(2)(i)(D).

65 The Bureau also notes that there is no private right of action under Regulation P.
66 See 74 FR at 62901.
67 Appendix to part 1016 at C.3.c.1.
A financial institution thus may adopt the model form and use the alternative delivery method with that model form immediately to satisfy its annual notice requirement under Regulation P. This interpretation is consistent with the interpretation by the agencies that promulgated the model notice at the time it was first issued with regard to whether adoption of the form required provision of a revised privacy notice under § 1016.8.68

Section 1016.9(c)(2)(ii)

In proposed § 1016.9(c)(2)(ii), the Bureau would have set forth the alternative delivery method that would be permissible to satisfy the requirement in § 1016.5(a)(1) to provide an annual notice if a financial institution met the conditions described in proposed § 1016.9(c)(2)(i). The Bureau proposed an alternative delivery method for financial institutions that met the conditions in proposed § 1016.9(c)(2)(i) where delivery of the annual privacy notice pursuant to the standard delivery requirements may be less important for customers. As stated in the proposal, the alternative delivery method would still inform customers of their financial institution’s privacy policies effectively, but at a lower cost than the standard delivery methods. The Bureau received comments supporting the general framework of the alternative delivery method proposed in § 1016.9(c)(2)(ii) from financial institutions, consumer groups, and privacy groups alike. For example, a national association representing business interests and a national association representing the consumer credit industry stated that the proposed alternative delivery method would be an effective mechanism for ensuring that all customers are aware of the institution’s privacy policy and their opt-out rights. A national association representing credit unions, a public interest group representing consumers, and an organization of state banking supervisors all supported the framework of the alternative delivery method.
The Bureau received many comments criticizing or supporting specific components of the alternative delivery method. These comments are discussed in detail below. The Bureau is adopting § 1016.9(c)(2)(ii) largely as proposed, for the reasons stated above and in the proposal. Changes to the individual paragraphs of § 1016.9(c)(2)(ii) will be discussed in detail below.

68 See 74 FR at 62907 n. 196.

Section 1016.9(c)(2)(ii)(A)

Proposed § 1016.9(c)(2)(ii)(A) would have set forth the first component of the alternative delivery method: That a financial institution inform the customer of the availability of the annual privacy notice. For the reasons discussed below, the Bureau is adopting § 1016.9(c)(2)(ii)(A) substantially as proposed but with some modifications.

Proposed Rule

To satisfy proposed § 1016.9(c)(2)(ii)(A), a financial institution would have been required to convey in a clear and conspicuous manner not less than annually on a notice or disclosure the institution is required or expressly and specifically permitted to issue under any other provision of law that its privacy notice has not changed, that the notice is available on its Web site, and that a hard copy of the notice will be mailed to customers if they call a toll-free telephone number to request one.

General Comments

Several financial institution commenters objected to proposed § 1016.9(c)(2)(ii)(A) because there are some financial products for which financial institutions send no documents to customers and thus including a notice of availability on some other statement or notice currently used would not be possible. For example, national associations representing debt buyers and automobile dealers stated that those financial institutions do not send or may not send documents to their customers at all during the course of a year.
Several individual depository institutions commented that they do not send statements or notices to certain types of customers, such as customers with certificates of deposit, passbook savings accounts, safe deposit vaults, and mortgage or installment loans with coupon books. National associations representing banks, community banks, and financial service providers as well as many individual banks and credit unions commented that the proposed notice of availability would be burdensome, even for financial institutions that do send statements or notices to some customers. First, these commenters stated that it would be difficult and expensive for financial institutions to determine which customers and accounts receive suitable documents on which to include the notice of availability and which ones do not. Second, some financial institution commenters stated that space was limited on their periodic statements and that it would be unworkable to include the notice of availability on them.

Final Rule

The Bureau is adopting § 1016.9(c)(2)(ii)(A) substantially as proposed but with modifications as discussed below. It is important that customers receive actual notice that the annual privacy notice is available on the financial institution’s Web site through some statement or notice that they are likely to read. Although posting the privacy notice on a Web site will make the privacy notice widely available, customers likely would not be aware of its existence or its importance without the notice of availability, especially customers that do not use the financial institution’s Web site. The Bureau understands that there are costs associated with sending an annual notice of availability and that doing so could negate the cost savings of the alternative delivery method for some financial institutions that do not already send statements or notices to their customers.
However, the Bureau expects that most financial institutions will be able to incorporate the notice of availability in a mailing that the institution conducts in the normal course of business. In any event, the Bureau believes that financial institutions that choose to use the alternative delivery method must provide the notice of availability because it is an integral component of the alternative delivery method given that it informs customers that the privacy notice is available.

Not Less Than Annually

The proposed rule would have required that financial institutions convey the notice of availability to customers not less than annually. Proposed § 1016.9(c)(2)(ii)(A) also would have permitted it to be included more often than annually (e.g., quarterly or monthly) and invited comment on the advantages and disadvantages of it being provided on a more frequent basis. Several commenters, including a university privacy think tank and individual credit unions and community banks, commented that an annual notice of availability is sufficient to inform customers of the online availability of the institution’s annual privacy notice. However, a national organization representing consumer and privacy rights stated that the notice of availability should be required at least quarterly. The Bureau continues to believe that an annual reminder is sufficient to inform customers of the availability of the privacy notice.
Indeed, the GLBA requires that the privacy notice itself be delivered “not less than annually” after the initial customer relationship is established, and the Bureau believes that requiring the notice of availability not less than annually is consistent with the statute.69 To the extent that financial institutions would prefer for administrative or other reasons to include the notice of availability on statements or notices that are delivered to customers more often than annually, the Bureau notes that more frequent delivery is permissible under § 1016.9(c)(2)(ii)(A).
Type of Statement Used To Convey the Notice of Availability
With respect to the type of statement that may be used to convey the notice of availability, proposed § 1016.9(c)(2)(ii)(A) would have permitted it to be conveyed on a notice or disclosure the institution is required or expressly and specifically permitted to issue under any other provision of law. The Bureau noted in the proposal that a notice of availability could be included on a periodic statement which is permitted but not required by Regulation DD 70 to satisfy proposed § 1016.9(c)(2)(ii)(A) but that including it on advertising materials that were neither required nor specifically permitted by law would not satisfy proposed § 1016.9(c)(2)(ii)(A). As stated in the proposal, § 1016.9(c)(2)(ii)(A) would not have specified in more detail the type of statements on which the notice of availability must be conveyed because the Bureau intended the alternative delivery method to be flexible enough to be used by financial institutions whose business practices vary widely. Many financial institution commenters advocated that the Bureau expand the types of documents that financial institutions could use to provide the notice of availability.
A national association representing student loan servicers suggested that the Bureau should add periodic statements to the types of documents that could include the notice, because the periodic notices for student loans are not required or expressly and specifically permitted under any other provision of law. An automotive finance company identified the same concern with its billing statements. Several individual financial institutions requested that they be allowed to include the notice of availability on coupon books. A national association representing credit unions, two state credit union associations, and several individual credit unions suggested that they be allowed to use customer newsletters, branch posting, or advertisements to provide the notice of availability.
69 See generally GLBA section 503(a).
70 12 CFR 1030.6.
The Bureau is persuaded by the comments that it should broaden the type of statement on which the notice of availability could be included to satisfy § 1016.9(c)(2)(ii)(A) in the final rule. The Bureau proposed to require that the notice of availability be included on a statement or notice required or otherwise permitted by law to ensure that customers were likely to read the underlying document on which the notice of availability is included. The Bureau believes that customers also have compelling reasons to read account statements and coupon books that directly concern the status of their existing accounts even if they are not required or otherwise permitted by law. Accordingly, under the final rule, the Bureau is allowing a notice of availability included on an “account statement” or “coupon book” also to satisfy § 1016.9(c)(2)(ii)(A). An account statement would include periodic statements or billing statements not required or expressly and specifically permitted by law.
The Bureau intends the term “account statement” to be flexible enough to cover documents provided to customers by a diverse array of financial institutions. In contrast, the Bureau is concerned that customers may not read advertisements or newsletters on the assumption that they do not specifically concern the customer’s existing account. The Bureau believes it would not be consumer-friendly to require customers to seek out and examine advertisements and newsletters to find the notice of availability. The Bureau therefore declines to revise proposed § 1016.9(c)(2)(ii)(A) to be satisfied by a notice of availability included in such materials. Further, since nothing in § 1016.9(c)(2)(ii)(A) alters laws or regulations governing account statements, coupon books, or other notices or disclosures, institutions should not include the notice of availability on such materials in a way that would cause the materials to fail to comply with applicable laws or regulations governing those materials. Regarding the request that the Bureau permit physical posting of the notice of availability in a financial institution’s lobby to satisfy § 1016.9(c)(2)(ii)(A), the Bureau notes that the GLBA contemplates providing individual notice to customers of opt-out rights and privacy practices. For example, section 502(b)(1)(A) of the GLBA requires opt outs to be disclosed “to the consumer” and section 503(a) of the GLBA requires the privacy notice to be delivered “to such consumer.” While the Bureau believes that providing a notice of availability individually directing customers to a notice on a Web site is sufficient to inform them of the availability of the privacy notice under the parameters of this rule, posting a general notice of availability in the financial institution’s lobby or elsewhere generally directing customers to the privacy notice is not.
Similarly, the Bureau does not believe that publishing a general notice of availability in newspapers is sufficient. Indeed, some customers do not go to the institution’s lobby or office and may not see published announcements. The Bureau believes it would not be consumer-friendly to require customers to seek out and examine postings in an institution’s offices or announcements in certain newspapers to find the notice of availability. While the Bureau recognizes that there are other statutes and regulations that require notice to customers for other purposes by such public posting or publishing, the Bureau believes such public notices are not sufficient given the GLBA’s framework that requires individualized notice. Indeed, Regulation P already provides with respect to privacy notices that an institution may not reasonably expect that a consumer will receive actual notice of its privacy policies and practices if it only posts a sign in a branch or office or generally publishes advertisements of its privacy policies and practices.71 The Bureau’s approach as to notices of availability is consistent in this respect. The Bureau is therefore revising § 1016.9(c)(2)(ii)(A) to include that delivery of the notice of availability must be “to the customer” to clarify that § 1016.9(c)(2)(ii)(A) is not satisfied by including the notice of availability on other disclosures or notices required or expressly permitted by law to be publicly posted or published.
71 12 CFR 1016.9(b)(2)(i). The Bureau’s rule on delivery of Affiliate Marketing Rule notices under Regulation V similarly provides that a consumer may not reasonably be expected to receive actual notice if the affiliate providing the notice only posts the notice on a sign in a branch or office or generally publishes the notice in a newspaper. 12 CFR 1022.26(c)(1).
Clear and Conspicuous
Proposed § 1016.9(c)(2)(ii)(A) would have used the term “clear and conspicuous,” which is defined in existing § 1016.3(b)(1) as meaning “reasonably understandable” and “designed to call attention to the nature and significance of the information.” As stated in the proposal, the Bureau believed that the existing examples in § 1016.3(b)(2)(i) and (ii) for reasonably understandable and designed to call attention, respectively, likely would provide sufficient guidance on ways to make the notice of availability in proposed § 1016.9(c)(2)(ii)(A) clear and conspicuous. Some commenters, including a state and a national association representing credit unions, supported the proposed clear and conspicuous requirement as sufficient given existing § 1016.3(b)(2)(i) which provides guidance on type size, style, and graphic devices, such as shading and side bars. A few commenters, including several national associations representing large banks, community banks, and other financial service providers, as well as a few individual community banks stated that clear and conspicuous should be further defined. As stated in the proposal, the Bureau believes that the existing definition of clear and conspicuous and examples in § 1016.3(b) are sufficient for the notice of availability. Given the variety of statements on which the notice of availability may be included and the numerous ways in which they may be designed, the Bureau does not believe that it is feasible or practical to provide guidance as to what would be clear and conspicuous in all of these circumstances. The Bureau believes that financial institutions should be able to use the existing definition of clear and conspicuous and examples in § 1016.3(b) to design notices of availability that consumers will be likely to read and therefore the Bureau adopts this aspect of § 1016.9(c)(2)(ii)(A) without change.
Toll-Free Telephone Number
Proposed § 1016.9(c)(2)(ii)(A) also would have required that the notice of availability include a toll-free number a customer can call to request that the annual privacy notice be mailed. The Bureau explained in the proposal that this requirement was intended to assist customers who do not have internet access or would prefer to receive a hard copy of the privacy notice and that it expected that most institutions would already have a toll-free number. The majority of commenters on this provision, typically those from credit unions, community banks, and other small financial institutions, disagreed with this aspect of the proposal. These commenters objected to the toll-free number requirement because many smaller institutions do not currently have toll-free numbers and they stated that obtaining a toll-free number would offset the intended burden reduction of the proposal. Commenters further noted that most credit unions and community banks operate in limited geographical areas such that customers are typically in the same area code as their financial institution and thus a toll-free telephone number is unnecessary. Lastly, many of these commenters stated that a toll-free number is unnecessary given that most customers have cellular telephone or home telephone plans under which they would incur no charges for calling their financial institution to request the annual privacy notice. A few commenters, including a national association representing student loan servicers and some individual community banks and credit unions, stated that they did not object to the toll-free number requirement because their institution or member institutions already have toll-free numbers or can obtain one without significant expense. No commenters expressly supported requiring a toll-free telephone number.
The proposal also solicited comment on whether the final rule should require financial institutions to provide a dedicated telephone line for privacy notice requests to use the alternative delivery method. Commenters who addressed the issue included several national trade associations representing large and small banks, a national trade association representing student loan servicers and several individual community banks and credit unions. All commenters who addressed this issue stated that requiring a dedicated toll-free number to request an annual privacy notice was unnecessary. Some commenters also suggested that requiring a dedicated telephone number was so expensive as to offset the potential cost savings of the proposal for small entities. These commenters noted that customers rarely call their financial institutions to opt out of sharing when mailed an annual privacy notice and that customers are even less likely to call their financial institution to request a copy of the annual notice. Given the expected low call volume, these commenters believe that a dedicated telephone line is unnecessary and unduly expensive. The Bureau is persuaded that requiring a toll-free telephone number or a dedicated telephone line to request the privacy notice be mailed would offset the intended burden reduction of the proposal for many financial institutions without providing much benefit to customers. The Bureau believes that the cost to financial institutions of requiring a toll-free telephone number or a dedicated telephone line is not warranted given that customers likely will call infrequently to request a mailed copy of the annual privacy notice, especially because the privacy notices would be readily available on the institutions’ Web sites.
The Bureau also considered allowing institutions to choose between providing a toll-free number or a telephone number a customer could call and reverse the charge, i.e., a telephone number that would accept collect calls, an alternative available under several other Bureau regulations.72 The Bureau decided against this alternative because it believes, as stated by commenters, that financial institutions that do not already maintain toll-free telephone numbers typically have customers who live in the same area code as the institution and such customers likely would request a copy of the privacy notice using a free local call, rather than a collect call. In addition, a requirement that a financial institution without a toll-free number accept collect calls for privacy notice requests could effectively require the institution to accept collect calls as a general practice, assuming that it did not pay for a dedicated line for the privacy notice calls, thereby adding to its costs. For the reasons described, the Bureau is adopting § 1016.9(c)(2)(ii)(A) as revised to require the notice of availability to include a telephone number. The Bureau encourages financial institutions that already maintain a toll-free telephone number to use that number in the statement required by § 1016.9(c)(2)(ii)(A), to simplify the process for a customer to call and request a mailed copy of the privacy notice.
Other Issues
Proposed § 1016.9(c)(2)(ii)(A) also would have required the institution to state on the notice of availability that its privacy policy has not changed. The Bureau intended this proposed requirement to help customers assess whether they are interested in reading and accessing the policy. This statement would always be accurate if the alternative delivery method is used correctly, because a financial institution could not use the alternative delivery method if its annual privacy notice had changed under § 1016.9(c)(2)(i)(D).
A compliance company commented that the statement that the privacy policy had not changed might not be accurate in certain situations where a financial institution eliminates categories of information it discloses or categories of third parties to whom it discloses information. That comment is addressed above in the section-by-section analysis of § 1016.9(c)(2)(i)(D).
72 See, e.g., 12 CFR 1024.33(b)(4)(ii), 1026.16(e), 1026.24(g)(2).
Proposed § 1016.9(c)(2)(ii)(A) further would have required that the statement include a specific web address that takes customers directly to the Web page where the privacy notice is available. Proposed § 1016.9(c)(2)(ii)(A) would have required a web address that the customer can type into a web browser to directly access the page that contains the privacy notice so that the customer need not click on any links after typing in the web address. The Bureau proposed this requirement because a direct link may make it easier and more convenient for customers to access the privacy notice, particularly for notices of availability delivered electronically that provide a hyperlink. While the Bureau recognizes that the length and complexity of the web address would affect how easy and convenient it is for customers to manually type in the address, the Bureau does not anticipate that institutions will provide addresses that are needlessly lengthy or complex. If this does not prove to be the case, the Bureau may consider measures in the future to ensure that the Web site addresses used are consumer-friendly. The Bureau did not receive any comments on this aspect of the proposal and adopts this element of § 1016.9(c)(2)(ii)(A) as proposed.
The Bureau further noted in the proposal that if two or more financial institutions provide a joint privacy notice pursuant to § 1016.9(f), proposed § 1016.9(c)(2)(ii)(A) would require each financial institution to separately provide the notice of availability on a notice or disclosure that it is required or permitted to issue. The Bureau invited comment on how often financial institutions jointly provide privacy notices and whether the proposed alternative delivery method would be feasible for such jointly issued notices, but the Bureau received no comments on that issue. Section 1016.9(c)(2)(ii)(A) as finalized would require each institution providing a joint notice to send a notice of availability on an account statement, coupon book, or other notice or disclosure it is required or expressly and specifically permitted to issue to the customer. Financial institutions that jointly provide account statements, coupon books, or other notices or disclosures could also satisfy § 1016.9(c)(2)(ii)(A) by including the notice of availability on such jointly provided materials. A national organization representing consumer and privacy interests suggested that the notice of availability include the fact that privacy notices may be delivered by email upon the customers’ request and provide instructions for how customers could exercise that option. The Bureau declines to require notification of email availability to be included in the notice because some financial institutions may not have the capability to provide privacy notices by email. The Bureau notes, however, that a financial institution could include such a statement in the notice of availability required by § 1016.9(c)(2)(ii)(A) as long as the required content of the notice of availability is clear and conspicuous.
For the reasons discussed, the Bureau is adopting § 1016.9(c)(2)(ii)(A) with the modifications described above.
Section 1016.9(c)(2)(ii)(B)
Proposed § 1016.9(c)(2)(ii)(B) would have set forth the second component of the alternative delivery method: That the financial institution post its current privacy notice continuously and in a clear and conspicuous manner on a page of the institution’s Web site that contains only the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page. The Bureau is adopting § 1016.9(c)(2)(ii)(B) as revised, for the reasons discussed below.
Proposed Rule
The Bureau believes and comments on the proposal support the conclusion that many financial institutions already maintain Web sites where they could post the annual privacy notice. Moreover, encouraging financial institutions to post the notices would benefit consumers by making the notices more widely available. Proposed § 1016.9(c)(2)(ii)(B) would have required that the annual notice be posted on a page of the Web site that contains only the privacy notice.
Comments
A state-chartered bank and a credit union opposed the requirement that the Web page contain only the privacy notice. These commenters stated that they include the privacy notice with other relevant privacy policies for their institution and thus customers could miss valuable privacy-related information if no other information were permitted to be included with the privacy notice. National associations representing large banks, community banks, and the financial services industry as well as a coalition of financial institutions focusing on ecommerce and privacy objected to the proposed requirement that the Web site not require a login name or password or that the customer agree to any terms to access it.
These commenters argued that financial institutions often require customers to accept terms to initially access a Web site, particularly where customer account information accessed through the Web site may need to be protected for security reasons. Few other commenters addressed this issue, however. Other commenters raised a variety of concerns about the posting of the privacy notice. National associations representing large banks, community banks, the financial services industry, and credit unions and several individual banks and credit unions suggested that the Bureau remove the word “continuously” so that a financial institution would not be in violation of § 1016.9(c)(2)(ii)(B) in the event its Web site malfunctioned. An organization representing state banking supervisors suggested that § 1016.9(c)(2)(ii)(B) require financial institutions to include a link to the privacy policy on their home page. Lastly, one credit union commenter requested that the Bureau allow the privacy notice to be posted physically in the lobby of the financial institution for financial institutions that do not maintain Web sites.
Final Rule
The Bureau is adopting § 1016.9(c)(2)(ii)(B) as revised. As to the commenters who stated that the requirement that the Web page contain only the privacy notice could prevent consumers from seeing supplemental privacy information, as stated in the proposal, the Bureau is concerned that permitting information other than the privacy notice to be included on the Web page could detract from the prominence of the notice and make it less likely that a customer would actually read it. The Bureau believes that the risk of such distracting information being included with the privacy notice outweighs any potential benefit to allowing additional content to be included on the page with the privacy notice. The Bureau is revising § 1016.9(c)(2)(ii)(B) to clarify that the privacy notice must be the only content on the Web page.
Information that is not content, however, such as navigational menus that link to other pages on the financial institution’s Web site, could appear on the same page as the privacy notice pursuant to § 1016.9(c)(2)(ii)(B). Indeed, such navigational materials could include a link to another portion of the financial institution’s Web site that contains supplemental information concerning other privacy or information management practices.73 With respect to the requirement that the Web page not require a login name or password or that the customer agree to any conditions to access it, the Bureau declines to revise this requirement. The Bureau intends for the alternative delivery method to serve customers who may not already use the financial institution’s Web site to manage their accounts and thus may not have agreed to terms or created login credentials. Indeed, as stated in the proposal, the Bureau is concerned that if customers were required to register for a login name or sign in to the financial institution’s Web site simply to access the privacy notice, it could discourage some customers from accessing and reading the notice. The Bureau notes that financial institutions could still require customers to have login credentials or agree to terms and conditions to access other portions of the Web site, such as those containing sensitive account information or used to conduct transactions, including exercising the Affiliate Marketing Rule opt-out. Given that the alternative delivery method will require customers to seek out the annual privacy notice in a way that they have not previously been required to do, § 1016.9(c)(2)(ii)(B) is meant to make accessing the privacy notice on an institution’s Web site as simple and straightforward as possible.
As to the proposal’s requirement that the privacy notice be posted continuously, the Bureau does not regard “continuously” to suggest that financial institutions would violate § 1016.9(c)(2)(ii)(B) if their Web site temporarily malfunctioned. This language requiring “continuously” posting on a Web site is used in existing § 1016.9(c)(1) (which is being recodified in this final rule as § 1016.9(c)(1)(i)). The Bureau understands from the comments that financial institutions would be unlikely to post standardized information, such as the privacy notice, on a non-continuous basis. Nevertheless, the Bureau emphasizes that § 1016.9(c)(2)(ii)(B) assumes that financial institutions will post the privacy notice on their Web sites so that the notice is available but for occasional or unavoidable interruptions, such as routine maintenance or unexpected malfunctions.
73 See generally 74 FR at 62908 (noting, in response to industry requests for the flexibility to add other information to the model privacy form, that the agencies were not precluding an institution from providing such information on other, supplemental materials).
Regarding requiring a link to the privacy notice from a financial institution’s homepage, during outreach before the proposal, many financial institutions stated to the Bureau that space on their Web site’s home page is extremely valuable and that requiring a link on the home page would limit their ability to use that space for other important communications with customers. Although the Bureau encourages financial institutions to include a link to the privacy policy on other pages of their Web sites, including the home page, the Bureau declines to require such a link.
Because § 1016.9(c)(2)(ii)(A) requires the notice of availability to include a web address for the page containing the privacy notice, the Bureau expects that customers can easily locate the page. The Bureau further notes, as stated in the proposal, that other pages on the financial institution’s Web site could link to the page containing the privacy notice. Nevertheless, a financial institution would still have to provide the customer a specific web address that takes the customer directly to the page where the privacy notice is available to satisfy the requirement to post the notice on the financial institution’s Web site in § 1016.9(c)(2)(ii)(B).74 As to the suggestion that the privacy notice be posted in the institution’s lobby, rather than on a Web site, the Bureau understands that there may be some institutions that do not maintain Web sites. The Bureau believes, however, that Web site posting is an integral component of the alternative delivery method and ensures that the privacy notice be widely available when it is not sent to individual customers according to standard delivery methods. The Bureau does not believe that lobby posting of the privacy notice makes it sufficiently available to customers given the individualized notice contemplated by the GLBA and discussed more fully in the section-by-section analysis of § 1016.9(c)(2)(i)(A) above. Accordingly, the Bureau declines to revise § 1016.9(c)(2)(ii)(B) to permit posting of the notice in a lobby to satisfy the requirement. For the reasons discussed, the Bureau is adopting § 1016.9(c)(2)(ii)(B) as revised.
74 With regard to the proposed requirement that the notice be posted in a “clear and conspicuous” manner, the Bureau notes that existing § 1016.3(b)(2)(iii) gives examples of what clear and conspicuous means for a privacy notice posted on a Web site. One example provides that a financial institution designs its notice to call attention to the nature and significance of the information in the notice if it uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensures that other elements on the Web site (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice. Section 1016.3(b)(2)(iii)(A) and (B) also provides examples of clear and conspicuous placement of the notice within the financial institution’s Web site but these examples do not seem relevant to the posting of the notice for the alternative delivery method because customers will be typing into their web browser the web address of the specific page that contains the annual notice, rather than navigating to the annual notice from the financial institution’s home page. To the extent that a financial institution is satisfying existing § 1016.9(a) and not the alternative delivery method in § 1016.9(c)(2) by posting the privacy notice on its Web site, the clear and conspicuous examples in § 1016.3(b)(2)(iii)(A) and (B) still apply.
Section 1016.9(c)(2)(ii)(C)
Proposed § 1016.9(c)(2)(ii)(C) would have set forth the third component of the alternative delivery method: That the financial institution mail promptly its current privacy notice to those customers who request it by telephone. For the reasons discussed below, the Bureau adopts § 1016.9(c)(2)(ii)(C) as revised.
Proposed Rule
As stated in the proposal, the Bureau proposed this requirement to assist customers without internet access and customers with internet access who would prefer to receive a hard copy of the notice.
The Bureau invited comment in the proposal on whether requiring prompt mailing is sufficient to ensure that customers receive privacy notices in a timely manner or whether “promptly” should be more specifically defined, such as by a certain number of days.
Comments
A few bank commenters stated that it was not necessary to define “promptly” further, but most financial institutions that commented on this issue stated that a specific number of days would be helpful. Suggestions included five days, ten business days, 15 days, and 30 days. A trade association representing mortgage lenders requested that the Bureau revise § 1016.9(c)(2)(ii)(C) to require the financial institution send the privacy notice, rather than mail it, to clarify that the financial institution could comply with the requirement by emailing the privacy notice. An organization representing consumers and privacy rights suggested that the Bureau expressly prohibit a financial institution from including other information, such as sales solicitations, in the mailing containing the annual privacy notice so as to avoid distracting customers with irrelevant information.
Final Rule
In response to the commenters’ requests for clarity on how long financial institutions have to mail privacy notices upon request, the Bureau is adopting § 1016.9(c)(2)(ii)(C) as revised to require notices to be mailed within ten days of the customer’s request. The Bureau notes that existing provisions of Regulation P define periods in terms of a number of days, meaning calendar days.75 The Bureau believes that financial institutions should be able to provide a privacy notice within ten calendar days of a customer’s request, even accounting for weekends and holidays during which the financial institution may be closed.
As stated in the proposal, the Bureau notes that consistent with privacy notices currently provided under Regulation P, it expects that financial institutions will not charge the customer for delivering the annual notice, given that delivery of the annual notice is required by statute and regulation. Regarding email delivery of the privacy notice upon request, as stated in the proposal, § 1016.9(c)(2)(ii)(C) is intended primarily for customers without internet access to be able to receive a paper copy of the privacy notice through the U.S. mail. The Bureau expects that customers with internet access who receive the notice of availability are much more likely to go to the financial institution’s Web site to access the privacy notice than to telephone the financial institution to request a privacy notice be sent to them. With respect to prohibiting the mailing containing the privacy notice from containing other information, such as solicitations, the Bureau declines to impose a blanket prohibition on the inclusion of such material. As discussed above, the Supplementary Information to the Final Model Privacy Form Under the Gramm-Leach-Bliley Act explained that financial institutions that use the model privacy form are not precluded from providing additional information in other, supplemental materials to customers if they wish to do so.76 Further, the existing requirement at § 1016.5(a) that the annual notice be “clear and conspicuous” would apply to the mailing of this privacy notice as it does to the standard delivery methods for annual notices.77 This requirement precludes the inclusion of other material in a manner that would render the privacy notice not reasonably understandable and designed to call attention to the nature and significance of the information in the notice. In light of this existing requirement and the fact that customers who have requested the privacy notice be mailed will be expecting it, the Bureau does not believe that it is necessary at this time to impose a blanket prohibition on the inclusion of other material with the mailing of the privacy notice.
75 E.g., 12 CFR 1016.10(a)(3).
76 See 74 FR at 62908.
77 Cf. 74 FR at 62898 (“[T]he Agencies agree that institutions may incorporate the model form into another document but they must do so in a way that meets all the requirements of the privacy rule and the model form instructions, including that: The model form must be presented in a way that is clear and conspicuous; it must be intact so that the customer can retain the content of the model form; and it must retain the same page orientation, content, format, and order as provided for in this Rule.”) (footnotes omitted).
Section 1016.9(c)(2)(iii)
Proposed § 1016.9(c)(2)(iii) would have provided an example of a notice of availability that satisfies § 1016.9(c)(2)(ii)(A). The Bureau is adopting § 1016.9(c)(2)(iii) substantially as proposed with minor technical revisions.
Proposed Rule
The Bureau intended the example in proposed § 1016.9(c)(2)(iii) to provide clear guidance on permissible content for the notice of availability to facilitate compliance. The proposed example would have included the heading “Privacy Notice” in boldface on the notice of availability. The proposed example further would have stated that Federal law requires the financial institution to tell customers how it collects, shares, and protects their personal information; this language mirrors the “Why” box on the model privacy notices.
Comments

One commenter requested that other forms of emphasis be permitted rather than boldface because they could not use boldface in their software system. A national and a state association representing credit unions requested that the Bureau create a model notice of availability with graphics and shading that would be a safe harbor for compliance with proposed § 1016.9(c)(2)(ii)(A).

Final Rule

The Bureau is adopting § 1016.9(c)(2)(ii) as revised. With respect to the comment that some financial institutions’ software programs do not allow for boldface, the Bureau notes that § 1016.9(c)(2)(iii) is an example of how to comply with § 1016.9(c)(2)(ii)(A) but other language and formatting techniques could also satisfy that section. Nevertheless, the Bureau is revising § 1016.9(c)(2)(iii) to state that the heading ‘‘Privacy Notice’’ could be in boldface or otherwise emphasized. ‘‘Otherwise emphasized’’ could include using all capital letters or underlining. As to the requests to create a model notice of availability with shading and graphics, the Bureau declines to do so at this time because it believes that the example notice of availability in § 1016.9(c)(2)(iii) provides sufficient guidance to financial institutions on how to comply with § 1016.9(c)(2)(ii)(A). The Bureau is also modifying § 1016.9(c)(2)(iii) to reflect that the telephone number provided need not be a toll-free number, to be consistent with § 1016.9(c)(2)(ii)(A) as finalized.

V. Section 1022(b)(2) of the Dodd-Frank Act

A. Overview

In developing the final rule, the Bureau has considered its potential benefits, costs, and impacts.78 In addition, the Bureau has consulted and coordinated with the SEC, CFTC, FTC, and NAIC, and consulted with or offered to consult with the OCC, the Board, FDIC, NCUA, and HUD, including regarding consistency with any prudential, market, or systemic objectives administered by such agencies.

This final rule amends § 1016.9(c) of Regulation P to provide an alternative method for delivering annual privacy notices. The primary purpose of the rule is to reduce unnecessary or unduly burdensome regulations, and the alternative delivery method will reduce the burden of providing these annual privacy notices. A financial institution may use the alternative delivery method if:

(1) It does not disclose the customer’s nonpublic personal information to nonaffiliated third parties in a manner that triggers GLBA opt-out rights;
(2) It does not include on its annual privacy notice an opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA);
(3) The requirements of section 624 of the FCRA and the Affiliate Marketing Rule, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements;
(4) The information included in the privacy notice has not changed since the customer received the previous notice (subject to an exception); and
(5) It uses the model form provided in the GLBA’s implementing Regulation P.

78 Specifically, section 1022(b)(2)(A) of the Dodd-Frank Act calls for the Bureau to consider the potential benefits and costs of a regulation to consumers and covered persons, including the potential reduction of access by consumers to consumer financial products or services; the impact on depository institutions and credit unions with $10 billion or less in total assets as described in section 1026 of the Dodd-Frank Act; and the impact on consumers in rural areas.
Under the alternative delivery method, the financial institution would have to:

(1) Convey in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law that its privacy notice is available on its Web site, it will be mailed to customers who request it by telephone, and it has not changed;
(2) Post its current privacy notice in a continuous and clear and conspicuous manner on a page of its Web site on which the only content is the privacy notice, without requiring a login name or similar steps or agreeing to any conditions to access the page; and
(3) Mail its current privacy notice to customers who request it by telephone within ten days of the request.

B. Potential Benefits and Costs to Consumers and Covered Persons

The requirements in § 1016.9(c)(2) provide certain benefits to consumers relative to the baseline established by the current provisions of Regulation P. These requirements provide an incentive for financial institutions to adopt the model privacy form and to post it on their Web sites, particularly when these changes are the only ones that would be needed to use the alternative delivery method. Recent research establishes that large numbers of banks, credit unions and other financial institutions do not post the model privacy form on their Web sites and presumably many have not adopted it.79 Given the consumer testing that went into the development of the model form and the public input that went into its design, the Bureau believes that the model form is generally clearer and easier to understand than most privacy notices that deviate from the model.80 While the Bureau does not know how many more financial institutions would adopt the model privacy form and post it on their Web sites in order to use the alternative delivery method, at least some additional consumers likely would be able to learn about the information sharing policies of financial institutions through the model privacy form as a result of § 1016.9(c)(2). It also may be more convenient for some consumers to learn about information sharing policies from a privacy policy on a Web site rather than a mailed copy, especially since financial institutions using the alternative delivery method must limit their information sharing to practices that do not give consumers opt-out rights. Thus, § 1016.9(c)(2) likely would make it easier for some consumers to review and understand privacy policies and to make comparisons across financial institutions with regard to privacy policies and opt outs.

79 See L. F. Cranor, K. Idouchi, P. G. Leon, M. Sleeper, B. Ur, Are They Actually Any Different? Comparing Thousands of Financial Institutions’ Privacy Practices. The Twelfth Workshop on the Economics of Information Security (WEIS 2013), June 11–12, 2013, Washington, DC, available at https://weis2013.econinfosec.org/papers/CranorWEIS2013.pdf. They find that only about 51% of FDIC insured depositories for which a Web site domain name is listed in the FDIC directory of financial institutions (3,422 out of 6,701) post the model privacy form on their Web sites. A Web site was not listed for an additional 371 institutions, and these institutions were excluded from the analysis. Some of these authors recently replicated and extended this work; see L. F. Cranor, P. G. Leon, B. Ur, A Large-Scale Evaluation of U.S. Financial Institutions’ Standardized Privacy Notices, undated, available at https://www.andrew.cmu.edu/user/pgl/financialnotices.pdf. These authors find that 56% of FDIC insured depositories for which a Web site domain name is listed in the FDIC directory of financial institutions (3,594 out of 6,409) post the model privacy form on their Web sites. They also analyzed a much larger group of insured depositories, credit unions and credit card companies, first searching for an institution’s Web site (when the Web site URL was not on lists of financial institutions they obtained from the FDIC, NCUA and the Federal Reserve) and then searching for the institution’s model privacy form. With this methodology, the authors find that only about 32% (6,191 of 19,329) of this larger group of financial institutions posts the model privacy form on Web sites.

80 The research that went into the development and testing of the model form was detailed in four reports: (1) Financial Privacy Notice: A Report on Validation Testing Results (Kleimann Validation Report), February 12, 2009, available at https://www.ftc.gov/system/files/documents/reports/financial-privacy-notice-report-validation-testingresults-kleimann-validationreport/financial_privacy_notice_a_report_on_validation_testing_results_kleimann_validation_report.pdf; (2) Consumer Comprehension of Financial Privacy Notices: A Report on the Results of the Quantitative Testing (Levy-Hastak Report), December 15, 2008, available at https://www.ftc.gov/system/files/documents/reports/quantitative-research-levyhastak-report/quantitative_research_-_levy-hastak_report.pdf; (3) Mall Intercept Study of Consumer Understanding of Financial Privacy Notices: Methodological Report (Macro International Report), September 18, 2008, available at https://www.ftc.gov/system/files/documents/reports/quantitative-research-macro-international-report/quantitative_research_-_macro_international_report.pdf; and (4) Evolution of a Prototype Financial Privacy Notice: A Report on the Form Development Project, March 31, 2006, available at https://kleimann.com/ftcprivacy.pdf. The development and testing of the model privacy notice is also discussed in L. Garrison, M. Hastak, J.M. Hogarth, S. Kleimann, A.S. Levy, Designing Evidence-based Disclosures: A Case Study of Financial Privacy Notices. The Journal of Consumer Affairs, Summer 2012: 204–234.

The requirements in § 1016.9(c)(2) also may benefit consumers who transact with financial institutions that adopt the alternative delivery method by disclosing that a financial institution’s privacy policy has not changed. These consumers would not receive a notice presenting the full privacy policy unless the privacy policy has changed or when other requirements for use of the alternative delivery method are not met. There is no representative, administrative data available on the number of consumers who are indifferent to or dislike receiving full, unchanged privacy notices every year. The limited use of opt outs and anecdotal evidence suggest that there are such consumers. In addition, one national trade association surveyed its members and found that 76% of respondents were more likely to read a privacy notice when there were changes to it. The commenter concluded that notification of a change to a privacy policy was more important to its members than routinely sending privacy notices in the mail.

The Bureau believes that few consumers would experience any costs from § 1016.9(c)(2). There is a risk that some consumers may be less informed about a financial institution’s information sharing practices if the financial institution adopts the alternative delivery method. However, § 1016.9(c)(2)(ii)(A) mitigates this risk by requiring the inclusion annually on another notice or disclosure of a clear and conspicuous statement that the privacy notice is available on the Web site, and § 1016.9(c)(2)(ii)(B) ensures that the model privacy form is posted in a continuous and clear and conspicuous manner on the Web site.
Consumers may print the privacy notice at their own expense, while under current § 1016.9(c)(2) the notice is delivered to them, which represents a transfer of costs from industry to consumers. However, § 1016.9(c)(2)(ii)(A) provides consumers with a specific telephone number to request that the privacy notice be mailed to the consumer, which gives consumers the option of obtaining the notice without incurring the cost of printing it. Further, the Bureau believes that a printed form is mostly valuable to consumers who would exercise opt-out rights. The only opt outs that could be available to the consumer under § 1016.9(c)(2) would be voluntary opt outs, i.e., opt outs from modes of sharing information that are not required by Regulation P, or (at the institution’s discretion) an Affiliate Marketing Rule opt-out beyond those the institution has previously provided elsewhere. Voluntary opt outs do not appear to be common.81

81 See Cranor et al. (2013). Their findings (Table 2) imply that at most 15% of the 3,422 FDIC insured depositories that post the model privacy form on their Web sites offer at least one voluntary opt out. Data from a much larger group of financial institutions analyzed by Cranor et al. (undated) imply (Table 2) that at most 27% of the 6,191 financial institutions that post the model privacy form on their Web sites offer at least one voluntary opt out.

A number of commenters claimed that few consumers derive any benefit from the annual privacy notice, most do not read the notice, and some consumers may dislike receiving it. A national trade association surveyed its members and found that 25% of the respondents who recalled receiving an annual privacy notice either disposed of the notice without opening it or opened it without reading it. The remaining 75% would skim or read the notice. One state banking association asked its members if the bank ever received a complaint or comment about the bank’s privacy notice from a customer. The commenter did not provide quantitative information but offered examples of responses. Among the responses were statements that customers would call after receiving the annual privacy notice to complain or to ask not to receive the notice in the future. These commenters generally conclude that there would be no cost to consumers and perhaps additional benefits from alternatives to the rule that allowed for more widespread adoption of the alternative delivery method.

As explained at length above, the Bureau believes that requiring notices that have changed or that include required consumer opt-outs to be physically delivered, unless the consumer has agreed to receive them electronically, is more consistent with the importance to the statutory scheme of customers’ ability to exercise opt-out rights and more consumer-friendly than allowing use of the alternative delivery method where notices have changed or include required opt-outs. That discussion is incorporated here. Further, the Bureau believes that while some consumers may prefer not to receive annual privacy notices even when those notices include required opt-outs, others may feel differently, and consumers who would fail to exercise an opt out if the alternative delivery method were available incur a cost. Finally, the Bureau notes that the data from one commenter described above at least suggests that consumers may benefit from physical delivery when the notice has changed.

Regarding benefits and costs to covered persons, the primary effect of the final rule is to reduce burden by lowering the costs to industry of providing annual privacy notices. The requirements in § 1016.9(c)(2) impose no new compliance requirements on any financial institution. All methods of compliance under current law remain available to a financial institution, and a financial institution that is in compliance with current law is not required to take any different or additional action.

The Bureau believes that a financial institution would adopt the alternative delivery method only if it expected the costs of complying with the alternative delivery method would be lower than the costs of complying with existing Regulation P. By definition, the expected cost savings to financial institutions from the adoption of § 1016.9(c)(2) is the expected number of annual privacy notices that would be provided through the alternative delivery method multiplied by the expected reduction in the cost per-notice from using the alternative delivery method. As explained below, many financial institutions would not be able to use the alternative delivery method without changing their information sharing practices, and the Bureau believes that few financial institutions would find it in their interest to change information sharing practices just to reduce the costs of providing the annual privacy notice. Thus, the first step in estimating the expected cost savings to financial institutions from § 1016.9(c)(2) would be to identify the financial institutions whose current information sharing practices would allow them to use the alternative delivery method. The Bureau would then need to determine their current costs for providing the annual privacy notices and the expected costs of providing these notices under § 1016.9(c)(2).82 The Bureau does not have sufficient data to perform every step of this analysis, but it performed a number of analyses and outreach activities to approximate the expected cost savings.
82 The analysis that follows makes certain additional assumptions about adjustments that financial institutions are not likely to undertake just to be able to adopt the alternative delivery method. For example, a small institution without a Web site might not find it worthwhile to establish one given the relatively small savings in costs that might result. These assumptions are discussed further below.

Regarding banks, the Bureau examined the privacy policies of the 19 banks with assets over $100 billion as well as the privacy policies of 106 additional banks selected through random sampling.83 The Bureau found that the overall average rate at which banks’ information sharing practices would make them eligible for using the alternative delivery method if other conditions were met is 80%.84 However, only 21% of sampled banks with assets over $10 billion could clearly use the alternative delivery method, while 81% of sampled banks with assets of $10 billion or less and 88% of sampled banks with assets of $500 million or less could clearly use the alternative delivery method. These results indicate that a large majority of smaller banks would likely be able to use the alternative delivery method but most of the largest banks would not.85

One state banking association surveyed its members and provided data that is generally consistent with the finding that the vast majority of smaller banks would likely be able to use the alternative delivery method. Ninety-nine institutions responded to at least one of six questions. Fifty-three provided their bank’s total assets; of these, 50 reported assets under $500 million. However, only 12 respondents stated that they would not be eligible to use the alternative delivery method. If these 12 respondents were among the 53 that provided their bank’s total assets and all 53 responded to the question about eligibility, between 76% and 82% of this association’s members with assets under $500 million believed they would be eligible to use the alternative delivery method.86

83 The Bureau defined five strata for banks under $100 billion and three strata for credit unions under $10 billion and drew random samples from each of the strata. We obtained privacy policies from the Web sites of financial institutions.

84 In these and subsequent calculations, entities that stated that they shared information so their affiliates could market to the consumer were considered eligible for the alternative delivery method since they could use the alternative delivery method as long as the annual privacy notice is not the only notice on which they provide the opt-out; see § 1016.9(c)(2)(i)(C).

85 As discussed in the section-by-section analysis, a banking trade association commenting on the Streamlining RFI estimated that 75% of banks do not change their notices from year to year and do not share information in a way that gives rise to customer opt-out rights. The Bureau’s estimate is consistent with this comment.

86 Unfortunately, more precise calculations are not possible without more information about responses conditional on asset size and the response rate to each question.

The Bureau also examined the privacy policies of the four credit unions with assets over $10 billion as well as the privacy policies of 50 additional credit unions selected through random sampling. The Bureau found that three of the four credit unions with assets over $10 billion clearly could use the alternative delivery method without changing their information sharing policies. Further, 67% of sampled credit unions with assets over $500 million could clearly use the alternative delivery method. However, the Bureau also found that only 13 of the 25 sampled credit unions with assets of $500 million or less either posted the model privacy form on their Web sites or provided enough information about their sharing practices to permit a clear determination regarding whether the alternative delivery method would be available to them (2 of the 25 did not have Web sites). The Bureau found that 11 of the 13 (85%) for which a determination could be made would be able to use the alternative delivery method, and the Bureau believes that a significant majority of the sample of 25 would be able to use the alternative delivery method (perhaps after adopting the model form). For purposes of this analysis, the Bureau conservatively assumes that only 11 of the 25 sampled credit unions with assets of $500 million or less would be able to use the alternative delivery method, although the actual figure is likely much higher. The Bureau requested comment on how to improve this estimate of the number of small credit unions that would be able to use the alternative delivery method. The Bureau did not receive comments on this specific issue. Comments that relate to the general accuracy of these estimates are discussed below.

Although these estimates provide some insight into the numbers of banks and credit unions that could use the alternative delivery method, the Bureau does not have precise data on the number of annual privacy notices these institutions currently provide. Thus, it is not possible to directly compute the total number of annual privacy notices that would no longer be sent. The Bureau does, however, have information about the burden on banks, credit unions and non-depository financial institutions from providing the annual privacy notices from the Paperwork Reduction Act Supporting Statements for Regulation P on file with the Office of Management and Budget.
This information can be used to obtain an estimate of the ongoing savings from the alternative delivery method.87 In estimating this savings for banks and credit unions, the analysis above establishes that it is essential to take into account the variation by size of banks and credit unions in relation to the likelihood they could use the alternative delivery method. To ensure that these differences inform the estimates, the Bureau allocated the total burden of providing the annual privacy notices to asset classes in proportion to the share of assets in the class. The Bureau then estimated an amount of burden reduction specific to each asset class using the results from the sampling described above. The total burden reduction is then the sum of the burden reductions in each asset class. For banks and credit unions combined, the estimated reduction in burden using this methodology is approximately $6.9 million annually.

87 It is worth noting at the outset that, with this methodology, the total cost of providing the annual privacy notice and opt-out notice under Regulation P is approximately $30 million per year.

Regarding non-depository financial institutions, the proposed analysis stated that based on initial outreach, a majority were likely to be able to use the alternative delivery method. The proposed analysis stated that the prohibition on disclosing information to third parties in the Fair Debt Collection Practices Act (FDCPA) suggested that financial institutions subject to those limits likely would be able to use the alternative delivery method when GLBA notice requirements apply.88 The proposed analysis then used the overall average rate at which banks could utilize the alternative delivery method in its calculations of burden reduction for non-depository financial institutions.
88 FDCPA section 805(b) generally prohibits communication with third parties in connection with the collection of a debt.

The Bureau stated that it would continue to refine its knowledge of the information sharing practices of non-depository financial institutions and requested comment and the submission of information relevant to this issue. The Bureau received comment letters from a debt buyer, a trade association for debt buyers and one student loan servicer that identified proposed requirements that would have limited the ability of these non-depository financial institutions to use the alternative delivery method. All three commenters stated that restrictions on how financial institutions could provide the proposed notice of availability would limit use of the alternative delivery method. All three also stated that the requirement to use the model form would limit use of the alternative delivery method. These issues are discussed below.89

89 The Bureau requested comment on, but did not propose, requiring a dedicated telephone number for privacy notice requests. The student loan servicer commented that this requirement would not be a good use of resources for small lenders. The Bureau is not requiring a dedicated telephone number for these requests in the final rule; further, the Bureau is not finalizing the proposed requirement that the telephone number for these requests be toll-free.

The two debt-buying entities commented that restrictions on how the proposed notice of availability could be provided would eliminate any savings from the alternative delivery method. Specifically, proposed § 1016.9(c)(2)(ii)(A) required the notice of availability to be provided on a notice or disclosure the financial institution was required or expressly and specifically permitted to issue under any other provision of law.
One of these commenters stated that debt buyers are not required or specifically permitted to issue notices to consumers on a regular or annual basis. Thus, the alternative delivery method would simply exchange one annual privacy notice requirement for another. The other debt-buyer commenter stated that consumers whose accounts were not in active collections may not receive any correspondence from the commenter in the course of a year other than the annual privacy notice. Thus, the notice of availability would eliminate the savings intended by the alternative delivery method. In contrast, the student loan servicer commented that lenders and servicers of private education loans send periodic statements, but since no law requires them, proposed § 1016.9(c)(2)(ii)(A) would not allow its members to use periodic statements to provide the notice of availability.

As discussed above, the Bureau is revising proposed § 1016.9(c)(2)(ii)(A) to permit the notice of availability to be included on an account statement which would include periodic statements or billing statements not required or expressly permitted by law. The Bureau believes that this would permit student loan servicers and other non-depository financial institutions to use the alternative delivery method, as was assumed in the proposed analysis. This change from the proposed rule may also permit additional debt buyers to reduce costs by adopting the alternative delivery method.90 The Bureau recognizes, however, that final § 1016.9(c)(2)(ii)(A) may still deter many debt buyers from adopting the alternative delivery method.

90 One of the debt-buyer commenters recommended that the Bureau allow the statement of availability to be provided on ‘‘any legally permissible’’ mailed materials. The Bureau intends the term account statement to be flexible and it might include some of the legally permissible materials mentioned by this debt buyer. However, it would not include materials such as advertisements or newsletters.

All three commenters also stated that the requirement to use the model form would limit use of the alternative delivery method. The two debt-buying entities cited requirements in the FDCPA that they stated made it difficult for them to adopt the model form. In contrast, the student loan servicer stated that some of its members that do not currently use the model form might not adopt it because they believed that the information they provide is more comprehensive. As discussed above, while the Bureau is requiring use of the model form, the Bureau is modifying proposed § 1016.9(c)(2)(ii)(B) to clarify that information that is not content, such as navigational menus that link to other pages on the financial institution’s Web site, could appear on the same page as the privacy notice and link to another portion of the financial institution’s Web site that contains information supplemental to the privacy notice. The Bureau believes that this would encourage student loan servicers as well as other non-depository financial institutions to adopt the model form and use the alternative delivery method.

There is necessarily considerable uncertainty around any estimate of the number of non-depository financial institutions that could use the alternative delivery method. However, the Bureau did not receive any comments directly on the assumption that non-depository financial institutions will be able to utilize the alternative delivery method at the same overall average rate as banks. Further, partly in response to comments from non-depository financial institutions, the Bureau is adopting § 1016.9(c)(2)(ii)(A) with changes from the proposal so that it is less of a barrier to adoption of the alternative delivery method.
Finally, while the Bureau recognizes that many debt buyers may not be able to use the alternative delivery method, debt buyers are one group in the extremely large and heterogeneous group of non-depository financial institutions subject to Regulation P. The Bureau therefore continues to estimate the reduction in burden on non-depository financial institutions as approximately $10 million annually.91 Thus, the Bureau believes that the total reduction in burden is approximately $17 million annually. This represents about 58% of the total $30 million annual cost of providing the annual privacy notice and opt-out notice under Regulation P.92

91 Note that this figure excludes auto dealers. Auto dealers are regulated by the FTC and would not be directly impacted by this amendment to Regulation P.

92 The Bureau recognizes that this analysis does not take into account the possibility that, as with banks and credit unions, the largest non-depository financial institutions may be least likely to be able to use the alternative delivery method. Assuming the size distribution and utilization rate are the same as for credit unions, the reduction in burden on non-depository financial institutions would be approximately $7.5 million annually instead of $10 million annually.

The Bureau did not receive comments directly on this estimate or the methodology. The Bureau did receive quantitative information from individual financial institutions and state associations about the costs of providing annual privacy notices and in some cases the expected savings from the alternative delivery method. It is not possible to use this information to precisely estimate market-wide totals for the baseline cost and expected savings. The data is, however, informative regarding the Bureau’s estimates.
Regarding banks, a state banking association that surveyed its members provided data in which the average cost of providing the notices was about $1,700. All but one of the respondents had assets under $500 million. A bank with $367 million in assets reported spending $1,800 on printing. A bank with $442 million in assets reported spending $1,900 on printing and mailing. A bank with $1.1 billion in assets reported spending $3,800 on printing and stated it delivers the annual privacy notice with an account statement. A bank with $3 billion in assets reported spending $20,000 on notice distribution. It is not possible to extrapolate precisely from this data to the entire market without additional information regarding the representativeness of this data, the relationship between assets and costs, the proportion of banks that incur mailing costs when distributing the notice, and the costs for banks above $3 billion in assets. However, applying these figures to the roughly 7,000 banks in the United States suggests costs of well over $40 million to the banking sector alone. The Bureau received similar information from credit unions. A credit union with $12 million in assets and 3,000 members reported that it would save $150 per year with the alternative delivery method. A credit union with approximately $1 billion in assets reported spending $4,200 on printing and $36,800 on mailing. A credit union with $5 billion in assets reported spending $10,000 on printing and delivers the annual notice with an account statement. In addition, one trade association for debt-buyers reported that debt buyers alone spend approximately $28 million on mailing annual privacy notices.93 The data provided by commenters suggests that the total cost of providing annual privacy notices by financial institutions subject to Regulation P may currently be larger than the $30 million reported above. To improve this estimate would require extensive data collection from a wide range of financial institutions and is not reasonably available to the Bureau. The previous analysis does not, however, indicate any significant error in the estimate that the alternative delivery method may relieve about 58% of the total annual cost of providing the annual privacy notice and opt-out notice under Regulation P. The Bureau has a continuing interest in improving its estimates of regulatory burden and burden reduction and welcomes comments on these estimates at any time.

93 A financial corporation with $2 billion in assets reported sending approximately 37,000 annual privacy notices and needing 100 hours for this work.

The Bureau notes that these estimates of ongoing savings are gross figures and do not take into account any one-time or ongoing costs associated with the alternative delivery method. The Bureau believes that one-time costs associated with using the alternative delivery method would be minimal and would not prevent adoption of the alternative delivery method, as long as the institution already has a Web site and currently annually provides an account statement, coupon book, or notice or disclosure as described in § 1016.9(c)(2)(ii)(A). In the analysis above, the Bureau found that all but two financial institutions had Web sites and assumed that these two institutions would not adopt the alternative delivery method. However, the Bureau recognizes that it sampled very few of the smallest financial institutions and that these are the ones most likely not to have Web sites. Comments on the proposed rule were generally consistent with the Bureau’s analysis. One state banking association commented that approximately 5% of its members do not have a Web site. Another state banking association reported that 5 respondents to a survey that received 99 responses stated that they do not have a Web site.
One state banking association reported that, when asked to estimate the cost of putting the annual privacy notice on a Web page that only contains the privacy notice, 15 responded that the cost would be “minimal,” one responded it would cost $500, and one that it would cost $3000. One bank with approximately $3 billion in assets commented that the cost of adding a Web page would be “insignificant.” A bank with under $500 million in assets commented that it had paid $700 to its vendor to make an electronic version of its privacy notice available on its Web site. These results are consistent with the Bureau’s own research and analysis. The Bureau requested information regarding the use of Web sites by non-depository financial institutions but did not receive any data on this subject. The Bureau believes that the one-time costs associated with providing the notice of availability annually on an account statement, coupon book, or notice or disclosure as described in § 1016.9(c)(2)(ii)(A) would be small. One state banking association commented that, given the range of customer relationship types, a bank may need to adjust a number of different notices in order to provide the notice of availability to all of its customers. The Bureau believes that the cost of each adjustment would be small. These costs would also be recouped over time through the savings achieved from no longer delivering the annual privacy notice through the mail or even through some of the other delivery methods that the existing rule permits.94 Similarly, the Bureau believes that the requirements for using the alternative delivery method would provide few sources of additional ongoing costs relative to the baseline to financial institutions that adopt it.
These costs would consist of additional text on an account statement, coupon book, notice or disclosure the institution already provides, maintaining a Web page dedicated to the annual privacy notice if one does not already exist, additional telephone calls from consumers requesting that the model form be mailed, and the costs of mailing the forms prompted by these calls. The Bureau currently believes that few consumers will request that the form be mailed in order to read it or to exercise any voluntary or FCRA Affiliate Marketing Rule opt-out right. A number of commenters stated that the proposed requirement to maintain a toll-free telephone number for requesting annual privacy notices (and the alternative considered of a dedicated toll-free number) would impose an unnecessary expense. Final § 1016.9(c)(2)(ii)(A) does not require the telephone number to be toll-free.

94 The Bureau believes that banks and credit unions have relatively few customers to whom they do not send at least once per year, an account statement, coupon book, or other notice or disclosure that meets the conditions in final § 1016.9(c)(2)(ii)(A). Some banks and credit unions and their associations commented that § 1016.9(c)(2)(ii)(A) was too restrictive in this regard and might limit adoption of the alternative delivery method. As discussed above, final § 1016.9(c)(2)(ii)(A) is less restrictive.

One caveat regarding these estimates concerns the use of consolidated privacy notices by entities regulated by different agencies. For example, entities that could comply with Regulation P by adopting the alternative delivery method would not do so if they still needed to send these customers an additional disclosure in order to comply with the GLBA regulations of other agencies.
The Bureau believes that among the entities that will continue to use a standard delivery method, few will do so solely because of the need to comply with the GLBA regulations of multiple agencies. Rather, most such entities will also be large financial institutions and will not satisfy the requirements on information sharing in § 1016.9(c)(2)(i)(A)–(C). Thus, the Bureau believes that its estimates regarding the adoption of the alternative delivery method are accurate, notwithstanding the use of consolidated privacy notices, since the use of consolidated privacy notices is likely highly correlated with information sharing practices that alone prevent the adoption of the alternative delivery method. The Bureau requested data and other factual information regarding the extent to which the use of consolidated privacy notices may prevent the adoption of the alternative delivery method. The Bureau did not receive any comments on this issue. In developing the rule, the Bureau considered alternatives to the requirements it is adopting. As discussed at length above, the Bureau believes that the alternative delivery method might not adequately alert customers to their ability to opt out of certain types of information sharing were it available where a financial institution shares a customer’s nonpublic personal information beyond the exceptions in §§ 1016.13, 1016.14, and 1016.15. Thus, the Bureau considered but is not adopting an option in which the alternative delivery method could be used where a financial institution shares beyond one or more of these exceptions. For the same reason, the Bureau considered but is not adopting an option in which the alternative delivery method could be used where a financial institution shares information in a way that triggers information sharing opt-out rights under section 603(d)(2)(A)(iii) of the FCRA. 
On the other hand, the Bureau considered an option in which the alternative delivery method could never be used where a customer has an opt-out right under the Affiliate Marketing Rule. A financial institution may use the alternative delivery method if the requirements under section 624 of the FCRA and the Affiliate Marketing Rule have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements. This case is distinguishable from the other two in that the Affiliate Marketing Rule opt-out notice is not required to be included on the annual privacy notice and may be sent separately. As explained above, a financial institution could send the separate Affiliate Marketing Rule opt-out only once (as long as it honored that opt-out indefinitely) and use the alternative delivery method to meet its yearly annual notice requirement, with or without including the Affiliate Marketing Rule opt-out notice on the model form. The Bureau also considered alternatives to the requirements regarding the types of information that cannot have changed since the previous annual notice to be able to use the alternative delivery method. The Bureau discussed these alternatives at length above and incorporates that discussion here.

C. Potential Specific Impacts of the Rule

The Bureau currently understands that 81% of banks with $10 billion or less in assets would be able to utilize the alternative delivery method, with a greater opportunity for utilization among the smaller banks. Thus, the rule may have differential impacts on insured depository institutions with $10 billion or less in assets as described in section 1026 of the Dodd-Frank Act.
The Bureau also currently understands that at least 46% of credit unions with $10 billion or less in assets, and perhaps substantially more, would be able to utilize the alternative delivery method, with a greater opportunity for utilization among credit unions in the middle of this group. The uncertainty reflects the relatively large number of very small credit unions that do not post the model form on their Web sites and which therefore could not clearly use the alternative delivery method. The Bureau does not believe that the rule would reduce consumers’ access to consumer financial products or services. The rule may, however, benefit consumers in rural areas less than consumers in non-rural areas. Rural consumers in most states have far less access to broadband and the alternative delivery method may displace delivery of paper notices with notices posted on Web sites.95 Rural consumers likely still would benefit overall, however, given the general availability of the disclosure through slower internet access or on request by telephone and the potentially greater use of the model form.

95 For a comparison of access to broadband by rural and non-rural consumers, see Bringing Broadband to Rural America: Update to Report on a Rural Broadband Strategy, June 17, 2011, pages 22–24, available at https://apps.fcc.gov/edocs_public/attachmatch/DOC-320924A1.pdf.

VI. Regulatory Flexibility Act

The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires each agency to consider the potential impact of its regulations on small entities, including small businesses, small governmental units, and small not-for-profit organizations.
The RFA generally requires an agency to conduct an initial regulatory flexibility analysis (IRFA) and a final regulatory flexibility analysis (FRFA) of any rule subject to notice-and-comment rulemaking requirements, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities.96 The Bureau also is subject to certain additional procedures under the RFA involving the convening of a panel to consult with small business representatives prior to proposing a rule for which an IRFA is required.97 The Bureau now certifies that a FRFA is not required for this final rule because it will not have a significant economic impact on a substantial number of small entities. The Bureau does not expect the final rule to impose costs on small entities. All methods of compliance under current law will remain available to small entities under the final rule. Thus, a small entity that is in compliance with current law need not take any different or additional action. In addition, the Bureau believes that the alternative delivery method would allow some small institutions to reduce costs, but by a small amount relative to overall costs given that this rulemaking addresses a single disclosure. Accordingly, the undersigned certifies that this rule will not have a significant economic impact on a substantial number of small entities.

96 5 U.S.C. 603–605.

97 5 U.S.C. 609.

VII. Paperwork Reduction Act

Under the Paperwork Reduction Act of 1995 (PRA),98 Federal agencies are generally required to seek Office of Management and Budget (OMB) approval for information collection requirements prior to implementation. This final rule will amend Regulation P, 12 CFR part 1016. The collections of information related to Regulation P have been previously reviewed and approved by OMB in accordance with the PRA and assigned OMB Control Number 3170–0010. Under the PRA, the Bureau may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB. As explained below, the Bureau has determined that this rule does not contain any new or substantively revised information collection requirements other than those previously approved by OMB.

98 44 U.S.C. 3501 et seq.

Under this rule, a financial institution will be permitted, but not required, to use an alternative delivery method for the annual privacy notice if: (1) It does not disclose the customer’s nonpublic personal information to nonaffiliated third parties in a manner that triggers GLBA opt-out rights; (2) It does not include on its annual privacy notice an opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA); (3) The requirements of section 624 of the FCRA and the Affiliate Marketing Rule, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements; (4) The information included in the privacy notice has not changed since the customer received the previous notice (subject to an exception); and (5) It uses the model form provided in the GLBA’s implementing Regulation P.
Under the alternative delivery method, the financial institution would have to: (1) Convey in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law that its privacy notice is available on its Web site, it will be mailed to customers who request it by telephone, and it has not changed; (2) Post its current privacy notice continuously and in a clear and conspicuous manner on a page of its Web site on which the only content is the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page; and (3) Mail its current privacy notice to customers who request it by telephone within ten days of the request.

Under Regulation P, the Bureau generally accounts for the paperwork burden for the following respondents pursuant to its enforcement/supervisory authority: Insured depository institutions with more than $10 billion in total assets, their depository institution affiliates, and certain nondepository financial institutions. The Bureau and the FTC generally both have enforcement authority over nondepository financial institutions subject to Regulation P. Accordingly, the Bureau has allocated to itself half of the final rule’s estimated burden on nondepository institutions subject to Regulation P. Other Federal agencies, including the FTC, are responsible for estimating and reporting to OMB the paperwork burden for the institutions for which they have enforcement and/or supervision authority. They may use the Bureau’s burden estimation methodology, but need not do so.
The Bureau does not believe that this rule would impose any new or substantively revised collections of information as defined by the PRA, and instead believes that it would have the overall effect of reducing the previously approved estimated burden on industry for the information collections associated with the Regulation P annual privacy notice. Using the Bureau’s burden estimation methodology, the reduction in the estimated ongoing burden would be approximately 584,000 hours annually for the roughly 13,500 banks and credit unions subject to the rule, including Bureau respondents, and the roughly 29,400 entities subject to the Federal Trade Commission’s enforcement authority also subject to the rule. The reduction in estimated ongoing costs from the reduction in ongoing burden would be approximately $17 million annually. The Bureau believes that the one-time cost of adopting the alternative delivery method for financial institutions that would adopt it is de minimis. Financial institutions that already use the model form and would adopt the alternative delivery method would incur minor one-time legal, programming, and training costs. These institutions would have to communicate on an account statement, coupon book, or notice or disclosure that the privacy notice is available. The expense of adding this notice would be minor, particularly where the institution would be issuing the account statement, coupon book, or notice or disclosure anyway. Staff may need some additional training in storing copies of the model form and sending it to customers on request. Institutions that do not use the model form would incur a one-time cost for creating one. 
However, since the promulgation of the model privacy form in 2009, an Online Form Builder has existed which any institution can use to readily create customized privacy notices using the model form template.99 The Bureau assumes that financial institutions that do not currently have Web sites would not choose to comply with these requirements in order to use the alternative delivery method.

99 This Online Form Builder is available at https://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.

The Bureau’s methodology for estimating the reduction in ongoing burden was discussed at length above. The Bureau defined five strata for banks under $100 billion and three strata for credit unions under $10 billion, drew random samples from each of the strata (separately for banks and credit unions) and examined the GLBA privacy notices available on the financial institutions’ Web sites, if any. The Bureau separately examined the Web sites of all banks over $100 billion (one additional bank stratum) and all credit unions over $10 billion (one additional credit union stratum). This process provided an estimate of the fraction of institutions within each bank or credit union stratum which would likely be able to use the alternative delivery method. In order to compute the reduction in ongoing burden (by stratum and overall) for these financial institutions, the Bureau apportioned the existing ongoing burden to each stratum according to the share of overall assets held by the financial institutions within the stratum. This was done separately for banks and credit unions. Note that this procedure ensures that the largest financial institutions, while few in number, are apportioned most of the existing burden.
The Bureau then multiplied the estimate of the fraction of institutions within each stratum that would likely be able to use the alternative delivery method by the estimate of the existing ongoing burden within each stratum, separately for banks and credit unions. As discussed above, the largest bank and credit union strata tended to have the lowest share of financial institutions that could use the alternative delivery method. For the non-depository institutions subject to the FTC’s enforcement authority that are subject to the Bureau’s Regulation P, the Bureau estimated the reduction in ongoing burden by applying the overall share of banks that would likely be able to use the alternative delivery method (80%) to the current ongoing burden on nondepository financial institutions (exclusive of auto dealers) from providing the annual privacy notices and opt outs. The Bureau takes all of the reduction in ongoing burden from banks and credit unions with assets $10 billion and above and half the reduction in ongoing burden from the non-depository institutions subject to the FTC enforcement authority that are subject to the Bureau’s Regulation P. The current Bureau burden for all information collections in Regulation P is 516,000 hours. The total reduction in ongoing burden taken by 14,844 Bureau respondents is 261,904 hours. The remaining Bureau burden for all information collections in Regulation P is 254,096 hours.

SUMMARY OF BURDEN CHANGES
Information collections | Previously approved total burden hours | Net change in burden hours | New total burden hours
Notices and disclosures | 516,000 | −261,904 | 254,096

The Bureau has determined that the rule does not contain any new or substantively revised information collection requirements as defined by the PRA and that the burden estimate for the previously-approved information collections should be revised as explained above.

List of Subjects in 12 CFR Part 1016

Banks, Banking, Consumer protection, Credit, Credit unions, Foreign banking, Holding companies, National banks, Privacy, Reporting and recordkeeping requirements, Savings associations, Trade practices.

Authority and Issuance

For the reasons set forth in the preamble, the Bureau amends Regulation P, 12 CFR part 1016, as set forth below:

PART 1016—PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)

■ 1. The authority citation for part 1016 continues to read as follows:

Authority: 12 U.S.C. 5512, 5581; 15 U.S.C. 6804.

■ 2. Section 1016.1(b)(1) is revised to read as follows:

§ 1016.1 Purpose and scope.

* * * * *

(b) Scope. (1) This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to those financial institutions and other persons for which the Bureau of Consumer Financial Protection (Bureau) has rulemaking authority pursuant to section 504(a)(1)(A) of the Gramm-Leach-Bliley Act (GLB Act) (15 U.S.C. 6804(a)(1)(A)). Specifically, this part applies to any financial institution and other covered person or service provider that is subject to Subtitle A of Title V of the GLB Act, including third parties that are not financial institutions but that receive nonpublic personal information from financial institutions with whom they are not affiliated. This part does not apply to certain motor vehicle dealers described in 12 U.S.C. 5519 or to entities for which the Securities and Exchange Commission or the Commodity Futures Trading Commission has rulemaking authority pursuant to sections 504(a)(1)(A)–(B) of the GLB Act (15 U.S.C. 6804(a)(1)(A)–(B)). Except as otherwise specifically provided herein, entities to which this part applies are referred to in this part as “you.”

Subpart A—Privacy and Opt-Out Notices

■ 3. Section 1016.9(c) is revised to read as follows:

§ 1016.9 Delivering privacy and opt out notices.

* * * * *

(c) Annual notices only—(1) Reasonable expectation. You may reasonably expect that a customer will receive actual notice of your annual privacy notice if:
(i) The customer uses your Web site to access financial products and services electronically and agrees to receive notices at the Web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the Web site; or
(ii) The customer has requested that you refrain from sending any information regarding the customer relationship, and your current privacy notice remains available to the customer upon request.
(2) Alternative method for providing certain annual notices. (i) Notwithstanding paragraph (a) of this section, you may use the alternative method described in paragraph (c)(2)(ii) of this section to satisfy the requirement in § 1016.5(a)(1) to provide a notice if:
(A) You do not disclose the customer’s nonpublic personal information to nonaffiliated third parties other than for purposes under §§ 1016.13, 1016.14, and 1016.15;
(B) You do not include on your annual privacy notice pursuant to § 1016.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C.
1681a(d)(2)(A)(iii));
(C) The requirements of section 624 of the Fair Credit Reporting Act (15 U.S.C. 1681s–3) and subpart C of part 1022 of this chapter, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements;
(D) The information you are required to convey on your annual privacy notice pursuant to § 1016.6(a)(1) through (5), (8), and (9) has not changed since you provided the immediately previous privacy notice (whether initial, annual, or revised) to the customer, other than to eliminate categories of information you disclose or categories of third parties to whom you disclose information; and
(E) You use the model privacy form in the appendix to this part for your annual privacy notice.
(ii) For an annual privacy notice that meets the requirements in paragraph (c)(2)(i) of this section, you satisfy the requirement in § 1016.5(a)(1) to provide a notice if you:
(A) Convey in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure you are required or expressly and specifically permitted to issue to the customer under any other provision of law that your privacy notice is available on your Web site and will be mailed to the customer upon request by telephone. The statement must state that your privacy notice has not changed and must include a specific Web address that takes the customer directly to the page where the privacy notice is posted and a telephone number for the customer to request that it be mailed;
(B) Post your current privacy notice continuously and in a clear and conspicuous manner on a page of your Web site on which the only content is the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page; and
(C) Mail your current privacy notice to those customers who request it by telephone within ten days of the request.
(iii) An example of a statement that satisfies paragraph (c)(2)(ii)(A) of this section is as follows with the words “Privacy Notice” in boldface or otherwise emphasized: Privacy Notice— Federal law requires us to tell you how we collect, share, and protect your personal information. Our privacy policy has not changed and you may review our policy and practices with respect to your personal information at [Web address] or we will mail you a free copy upon request if you call us at [telephone number].

* * * * *

Dated: October 17, 2014.
Richard Cordray, Director, Bureau of Consumer Financial Protection.
[FR Doc. 2014–25299 Filed 10–27–14; 8:45 am]
BILLING CODE 4810–AM–P

DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 39
[Docket No. FAA–2014–0423; Directorate Identifier 2013–NM–233–AD; Amendment 39–17997; AD 2014–21–05]
RIN 2120–AA64
Airworthiness Directives; the Boeing Company Airplanes

AGENCY: Federal Aviation Administration (FAA), DOT.
ACTION: Final rule.
SUMMARY: We are adopting a new airworthiness directive (AD) for certain The Boeing Company Model DC–10–10, DC–10–10F, DC–10–30, DC–10–30F (KC–10A and KDC–10), DC–10–40, MD–10–10F, and MD–10–30F airplanes. This AD was prompted by an evaluation by the design approval holder (DAH) indicating that the forward cargo compartment frames are subject to widespread fatigue damage (WFD). This AD requires an inspection of the attachment holes at the forward cargo compartment frames and the cargo liner for cracking, and repair if necessary. This AD would also require installing new oversized fasteners in the forward cargo compartment frames.
We are issuing this AD to prevent fatigue cracking of the forward cargo compartment frames, which could result in loss of the fail-safe structural integrity of the airplane.

DATES: This AD is effective December 2, 2014. The Director of the Federal Register approved the incorporation by reference of a certain publication listed in this AD as of December 2, 2014.

ADDRESSES: For service information identified in this AD, contact Boeing Commercial Airplanes, Attention: Data & Services Management, 3855 Lakewood Boulevard, MC D800–0019, Long Beach, CA 90846–0001; telephone 206–544–5000, extension 2; fax 206–766–5683; Internet https://www.myboeingfleet.com. You may view this referenced service information at the FAA, Transport Airplane Directorate, 1601 Lind Avenue SW., Renton, WA 98057–3356. For information on the availability of this material at the FAA, call 425–227–1221.

Examining the AD Docket

You may examine the AD docket on the Internet at https://www.regulations.gov by searching for and locating Docket No. FAA–2014–0423; or in person at the Docket Management Facility between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. The AD docket contains this AD, the regulatory evaluation, any comments received, and other information. The address for the Docket Office (phone: 800–647–5527) is Docket Management Facility, U.S. Department of Transportation, Docket Operations, M–30, West Building Ground Floor, Room W12–140, 1200 New Jersey Avenue SE., Washington, DC 20590.

FOR FURTHER INFORMATION CONTACT: Nenita Odesa, Aerospace Engineer, Airframe Branch, ANM 120L, Los Angeles Aircraft Certification Office (ACO), FAA, 3960 Paramount Boulevard, Lakewood, CA 90712–4137; phone: 562–627–5234; fax: 562–627–5210; email: nenita.odesa@faa.gov.
SUPPLEMENTARY INFORMATION:

Discussion

We issued a notice of proposed rulemaking (NPRM) to amend 14 CFR part 39 by adding an AD that would apply to certain The Boeing Company Model DC–10–10, DC–10–10F, DC–10–30, DC–10–30F (KC–10A and KDC–10), DC–10–40, MD–10–10F, and MD–10–30F airplanes. The NPRM published in the Federal Register on June 30, 2014 (79 FR 36669). The NPRM was prompted by an evaluation by the DAH indicating that the forward cargo compartment frames are subject to WFD. The NPRM proposed to require an inspection of the attachment holes at the forward cargo compartment frames and the cargo liner for cracking, and repair if necessary. The NPRM also proposed to require installing new oversized fasteners in the forward cargo compartment frames. We are issuing this AD to prevent fatigue cracking of the forward cargo compartment frames, which could result in loss of the fail-safe structural integrity of the airplane.

Comments

We gave the public the opportunity to participate in developing this AD. We have considered the comment received. Boeing supported the NPRM (79 FR 36669, June 30, 2014).

Conclusion

We reviewed the relevant data, considered the comment received, and determined that air safety and the public interest require adopting this AD as proposed except for minor editorial changes. We have determined that these minor changes:

• Are consistent with the intent that was proposed in the NPRM (79 FR 36669, June 30, 2014) for correcting the unsafe condition; and

• Do not add any additional burden upon the public than was already proposed in the NPRM (79 FR 36669, June 30, 2014).

Costs of Compliance

We estimate that this AD affects 25 airplanes of U.S. registry. We estimate the following costs to comply with this AD:

ESTIMATED COSTS

Action       | Labor cost                                    | Parts cost | Cost per product | Cost on U.S. operators
-------------|-----------------------------------------------|------------|------------------|-----------------------
Inspection   | Up to 19 work-hours × $85 per hour = $1,615   | $0         | Up to $1,615     | Up to $40,375.
Modification | Up to 6 work-hours × $85 per hour = $510      | Up to $801 | Up to $1,311     | Up to $32,775.


[Federal Register Volume 79, Number 208 (Tuesday, October 28, 2014)]
[Rules and Regulations]
[Pages 64057-64082]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-25299]








BUREAU OF CONSUMER FINANCIAL PROTECTION

12 CFR Part 1016

[Docket No. CFPB-2014-0010]
RIN 3170-AA39


Amendment to the Annual Privacy Notice Requirement Under the 
Gramm-Leach-Bliley Act (Regulation P)

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Bureau of Consumer Financial Protection (Bureau) is 
amending Regulation P, which requires, among other things, that 
financial institutions provide an annual disclosure of their privacy 
policies to their customers. The amendment creates an alternative 
delivery method for this annual disclosure, which financial 
institutions will be able to use under certain circumstances.

DATES: This final rule is effective on October 28, 2014.

FOR FURTHER INFORMATION CONTACT: Nora Rigby and Joseph Devlin, 
Counsels; Office of Regulations, at (202) 435-7700.

SUPPLEMENTARY INFORMATION: 

I. Summary of the Rule

    The Gramm-Leach-Bliley Act (GLBA) \1\ and Regulation P mandate that 
financial institutions provide their customers with initial and annual 
notices regarding their privacy policies. If financial institutions 
share certain customer information with particular types of third 
parties, the institutions are also required to provide notice to their 
customers and an opportunity to opt out of the sharing. The Fair Credit 
Reporting Act (FCRA) requires similar notices of opt-out rights. Many 
financial institutions currently mail printed copies of annual GLBA 
privacy notices to their customers, including notices of GLBA and/or 
FCRA opt-out rights, where applicable, but some of these institutions 
have expressed concern that this practice causes information overload 
for consumers and unnecessary expense.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 6801 et seq.
---------------------------------------------------------------------------

    In response to such concerns, the Bureau proposed and now finalizes 
this rule to allow financial institutions to use an alternative 
delivery method to provide annual privacy notices through posting the 
annual notices on their Web sites if they meet certain conditions. 
Specifically, financial institutions may use the alternative delivery 
method for annual privacy notices if: (1) No opt-out rights are 
triggered by the financial institution's information sharing practices 
under GLBA or FCRA section 603, and opt-out notices required by FCRA 
section 624 have previously been provided, if applicable, or the annual 
privacy notice is not the only notice provided to satisfy those 
requirements; (2) the information included in the privacy notice has 
not changed since the customer received the previous notice; and (3) 
the financial institution uses the model form provided in Regulation P 
as its annual privacy notice.
    To use the alternative method, the financial institution must 
continuously post the annual privacy notice in a clear and conspicuous 
manner on a page of its Web site, without requiring a login or similar 
steps or agreement to any conditions to access the notice. In addition, 
to assist customers with limited or no access to the Internet, the 
institution must mail annual notices to customers who request them by 
telephone, within ten days of the request.
    To make customers aware that its annual privacy notice is available 
through these means, the institution must insert a clear and 
conspicuous statement at least once per year on an account statement, 
coupon book, or a notice or disclosure the institution issues under any 
provision of law. The statement must inform customers that the annual 
privacy notice is available on the financial institution's Web site, 
the institution will mail the notice to customers who request it by 
calling a specific telephone number, and the notice has not changed.
    A financial institution is still required to use one of the 
permissible delivery methods that predate this rule change (referred to 
as the standard delivery methods) if the institution, among other 
things, has changed its privacy practices or engages in information-
sharing activities for which customers have a right to opt out.

II. Background

A. The Statute and Regulation

    The GLBA was enacted into law in 1999.\2\ The statute, among other 
things, is intended to provide a comprehensive framework for regulating 
the privacy practices of an extremely broad range of entities. 
``Financial institutions'' for purposes of the GLBA include not only 
depository institutions and non-depository institutions providing 
consumer financial products or services (such as payday lenders, 
mortgage brokers, check cashers, debt collectors, and remittance 
transfer providers), but also many businesses that do not offer or 
provide consumer financial products or services.
---------------------------------------------------------------------------

    \2\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------

    Rulemaking authority to implement the GLBA privacy provisions was 
initially spread among many agencies. The Federal Reserve Board 
(Board), the Office of Comptroller of the Currency (OCC), the Federal 
Deposit Insurance Corporation (FDIC), and the Office of Thrift 
Supervision (OTS) jointly adopted final rules in 2000 to implement the 
notice requirements of the GLBA.\3\ The National Credit Union 
Administration (NCUA), Federal Trade Commission (FTC), Securities and 
Exchange Commission (SEC), and Commodity Futures Trading Commission 
(CFTC) were part of the same interagency process, but each of these 
agencies issued separate rules.\4\ In 2009, all of the agencies with 
the authority to issue rules to implement the GLBA privacy provisions 
issued a joint final rule with a model form that financial institutions 
could use, at their option, to provide the required initial and annual 
privacy disclosures.\5\
---------------------------------------------------------------------------

    \3\ 65 FR 35162 (June 1, 2000).
    \4\ 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 33646 
(May 24, 2000) (FTC final rule); 65 FR 40334 (June 29, 2000) (SEC 
final rule); 66 FR 21252 (Apr. 27, 2001) (CFTC final rule).
    \5\ 74 FR 62890 (Dec. 1, 2009).
---------------------------------------------------------------------------

    In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection 
Act (Dodd-Frank Act) \6\ transferred GLBA privacy notice rulemaking 
authority from the Board, NCUA, OCC, OTS, the FDIC, and the FTC (in 
part) to the Bureau.\7\ The Bureau then restated the implementing 
regulations in Regulation P, 12 CFR part 1016, in late 2011.\8\
---------------------------------------------------------------------------

    \6\ Public Law 111-203, 124 Stat. 1376 (2010).
    \7\ Public Law 111-203, section 1093. The FTC retained 
rulewriting authority over any financial institution that is a 
person described in 12 U.S.C. 5519 (i.e., motor vehicle dealers 
predominantly engaged in the sale and servicing of motor vehicles, 
the leasing and servicing of motor vehicles, or both).
    \8\ 76 FR 79025 (Dec. 21, 2011).
---------------------------------------------------------------------------

    The Bureau has the authority to promulgate GLBA privacy rules for 
depository institutions and many non-depository institutions. However, 
rulewriting authority with regard to securities and futures-related 
companies is vested in the SEC and CFTC, respectively, and rulewriting 
authority with respect to certain motor vehicle dealers is vested in 
the FTC.\9\ The Bureau has consulted and coordinated with these 
agencies and with the National Association of Insurance Commissioners 
(NAIC) concerning the alternative delivery method.\10\ The Bureau has 
also consulted with other appropriate federal agencies, as required 
under Section 1022 of the Dodd-Frank Act.
---------------------------------------------------------------------------

    \9\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b).
    \10\ In regard to any Regulation P rulemaking, section 504 of 
GLBA provides that each of the agencies authorized to prescribe GLBA 
regulations (currently the Bureau, FTC, SEC, and CFTC) ``shall 
consult and coordinate with the other such agencies and, as 
appropriate, . . . with representatives of State insurance 
authorities designated by the National Association of Insurance 
Commissioners, for the purpose of assuring, to the extent possible, 
that the regulations prescribed by each such agency are consistent 
and comparable with the regulations prescribed by the other such 
agencies.'' 15 U.S.C. 6804(a)(2).
---------------------------------------------------------------------------

1. Annual Privacy Notices
    The GLBA and its implementing regulation, Regulation P,\11\ require 
that financial institutions \12\ provide consumers with certain notices 
describing their privacy policies. Financial institutions are generally 
required to first provide an initial notice of these policies, and then 
an annual notice to customers every year that the relationship 
continues.\13\ (When a financial institution has a continuing 
relationship with the consumer, an annual privacy notice is required 
and the consumer is then referred to as a ``customer.'') \14\ These 
notices describe whether and how the financial institution shares 
consumers' nonpublic personal information,\15\ including personally 
identifiable financial information, with other entities. In some cases, 
these notices also explain how consumers can opt out of certain types 
of sharing. The notices further briefly describe how financial 
institutions protect the nonpublic personal information they collect 
and maintain. Financial institutions typically use U.S. postal mail to 
send initial and annual privacy notices to consumers.
---------------------------------------------------------------------------

    \11\ 12 CFR part 1016.
    \12\ Regulation P defines ``financial institution.'' See 12 CFR 
1016.3(l).
    \13\ 12 CFR 1016.4, 1016.5(a)(1).
    \14\ 12 CFR 1016.3(i).
    \15\ Regulation P defines ``nonpublic personal information.'' 
See 12 CFR 1016.3(p).
---------------------------------------------------------------------------

    Section 502 of the GLBA and Regulation P at Sec.  1016.6(a)(6) also 
require that initial and annual notices inform customers of their right 
to opt out of certain financial institution sharing of nonpublic 
personal information with some types of nonaffiliated third parties. 
For example, customers have the right to opt out of a financial 
institution selling the names and addresses of its mortgage customers 
to an unaffiliated home insurance company and, therefore, the 
institution would have to provide an opt-out notice before it sells the 
information. On the other hand, financial institutions are not required 
to allow consumers to opt out of the institutions' sharing involving 
third-party service providers, joint marketing arrangements, 
maintaining and servicing accounts, securitization, law enforcement and 
compliance, reporting to consumer reporting agencies, and certain other 
activities that are specified in the statute and regulation as 
exceptions to the opt-out requirement.\16\ If a financial institution 
limits its types of sharing to those which do not trigger opt-out 
rights, it may provide a ``simplified'' annual privacy notice to its 
customers that does not include opt-out information.\17\
---------------------------------------------------------------------------

    \16\ 15 U.S.C. 6802(b)(2), (e); 12 CFR 1016.13, 1016.14, 
1016.15.
    \17\ Section 1016.6(c)(5) allows financial institutions to 
provide ``simplified notices'' if they do not disclose, and do not 
wish to reserve the right to disclose, nonpublic personal 
information about customers or former customers to affiliates or 
nonaffiliated third parties except as authorized under Sec. Sec.  
1016.14 and 1016.15. The exceptions at Sec. Sec.  1016.14 and 
1016.15 track statutory exemptions and cover a variety of 
situations, such as maintaining and servicing the customer's 
account, securitization and secondary market sale, and fraud 
prevention. They directly exempt institutions from the opt-out 
requirements. The exception that includes service providers and 
joint marketing arrangements, at Sec.  1016.13, is also statutory, 
but financial institutions that share according to this exception 
may not use the simplified notice, even though consumers cannot opt 
out of this sharing.
---------------------------------------------------------------------------

    In addition to opt-out rights under the GLBA, annual privacy 
notices also may include information about certain consumer opt-out 
rights under the FCRA. The annual privacy disclosures under the GLBA/
Regulation P and affiliate disclosures under the FCRA/Regulation V 
interact in two ways. First, the FCRA imposes requirements on financial 
institutions providing ``consumer reports'' to others, but section 
603(d)(2)(A)(iii) of the FCRA excludes from the statute's definition of 
a consumer report \18\ the sharing of certain information about a 
consumer among the institution's affiliates if the consumer is notified 
of such sharing and is given an opportunity to opt out.\19\ Section 
503(c)(4) of the GLBA and Regulation P require financial institutions 
providing their customers with initial and annual privacy notices to 
incorporate into them any notification and opt-out disclosures provided 
pursuant to section 603(d)(2)(A)(iii) of the FCRA.\20\
---------------------------------------------------------------------------

    \18\ The FCRA defines ``consumer report'' generally as ``any 
written, oral, or other communication of any information by a 
consumer reporting agency bearing on a consumer's credit worthiness, 
credit standing, credit capacity, character, general reputation, 
personal characteristics, or mode of living which is used or 
expected to be used or collected in whole or in part for the purpose 
of serving as a factor in establishing the consumer's eligibility 
for: (A) Credit or insurance to be used primarily for personal, 
family, or household purposes; (B) employment purposes; or (C) any 
other purpose authorized under section 1681b of this title.'' 15 
U.S.C. 1681a.
    \19\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \20\ 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).
---------------------------------------------------------------------------

    Second, section 624 of the FCRA and Regulation V's Affiliate 
Marketing Rule provide that an affiliate of a financial institution 
that receives certain information (e.g., transaction history) \21\ from 
the institution about a consumer may not use the information to make 
solicitations for marketing purposes unless the consumer is notified of 
such use and provided with an opportunity to opt out of that use.\22\ 
Regulation V also permits (but does not require) financial institutions 
providing their customers with initial and annual privacy notices under 
Regulation P to incorporate any opt-out disclosures provided under 
section 624 of the FCRA and subpart C of Regulation V into those 
notices.\23\
---------------------------------------------------------------------------

    \21\ The type of information to which section 624 applies is 
information that would be a consumer report, but for the exclusions 
provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA 
(i.e., a report solely containing information about transactions or 
experiences between the consumer and the institution making the 
report, communication of that information among persons related by 
common ownership or affiliated by corporate control, or 
communication of other information as discussed above).
    \22\ 15 U.S.C. 1681s-3 and 12 CFR part 1022, subpart C.
    \23\ 12 CFR 1022.23(b).

---------------------------------------------------------------------------


2. Method of Delivering Annual Privacy Notices
    Section 503 of the GLBA sets forth the requirement that financial 
institutions provide initial and annual privacy disclosures to 
consumers. Specifically, it states that ``a financial institution shall 
provide a clear and conspicuous disclosure to such consumer, in writing 
or in electronic form or other form permitted by the regulations 
prescribed under section 6804 of this title, of such financial 
institution's policies and practices with respect to'' disclosing and 
protecting consumers' nonpublic personal information.\24\ Although 
financial institutions provide most annual privacy notices by U.S. 
postal mail, Regulation P allows financial institutions to provide 
notices electronically (e.g., by email) to customers with their 
consent.\25\
---------------------------------------------------------------------------

    \24\ 15 U.S.C. 6803(a) (emphasis added).
    \25\ 12 CFR 1016.9(a) states that a financial institution may 
deliver the notice electronically if the consumer agrees. After 
discussions with industry stakeholders, however, the Bureau believes 
that most consumers do not receive electronic disclosures.
---------------------------------------------------------------------------

B. CFPB Streamlining Initiative

    In pursuit of the Bureau's goal of reducing unnecessary or unduly 
burdensome regulations, the Bureau in December 2011 issued a Request 
for Information seeking specific suggestions from the public for 
streamlining regulations the Bureau had inherited from other Federal 
agencies (Streamlining RFI). In that RFI, the Bureau specifically 
identified the annual privacy notice as a potential opportunity for 
streamlining and solicited comment on possible alternatives to 
delivering the annual privacy notice.\26\
---------------------------------------------------------------------------

    \26\ 76 FR 75825, 75828 (Dec. 5, 2011).
---------------------------------------------------------------------------

    Numerous industry commenters strongly advocated eliminating or 
limiting the annual notice requirement. They stated that most customers 
ignore annual privacy notices. Even if customers do read them, 
according to industry stakeholders, the content of these disclosures 
provides little benefit, especially if customers have no right to opt 
out of information sharing because the financial institution does not 
share nonpublic personal information in a way that triggers such 
rights. Financial institutions argued that mailing these notices 
imposes significant costs and that there are other ways of conveying to 
customers the information in the written notices just as effectively 
but at a lower cost. Several industry commenters suggested that if an 
institution's privacy notice has not changed, the institution should be 
allowed to communicate on the consumer's periodic statement, via email, 
or by some other cost-effective means that the annual privacy notice is 
available on its Web site or upon request, by telephone.\27\
---------------------------------------------------------------------------

    \27\ On a related issue, industry commenters stated that the 
annual notice causes confusion and unnecessary opt-out requests from 
customers who do not recall that they have already opted out in a 
previous year. As stated in the Supplementary Information to the 
Final Model Privacy Form Under the Gramm-Leach-Bliley Act, a 
financial institution is free to provide additional information in 
other, supplemental materials to customers if it wishes to do so. 
See 74 FR at 62908. For example, a financial institution that uses 
the model form could include supplemental materials outside the 
model form advising those customers who previously opted out that 
they do not need to opt out again if the institution has not changed 
its notice to include new opt-out options. See 74 FR at 62905. In 
the proposed rule, the Bureau requested comment on whether financial 
institutions would want to include on the privacy notice itself a 
statement describing the customer's opt-out status. The response to 
this request was overwhelmingly negative, with industry commenters 
stating that indicating opt-out status on the annual notice would 
add significant costs because the financial institution would have 
to track customers' status and send specific, different forms.
---------------------------------------------------------------------------

    A banking industry trade association and other industry commenters 
suggested that the Bureau eliminate or ease the annual notice 
requirement for financial institutions if their privacy policies have 
not changed and they do not share nonpublic personal information beyond 
the exceptions allowed by the GLBA (e.g., the exception that allows 
sharing nonpublic personal information with the servicer of an 
account). They argued that the GLBA exceptions were crafted to allow 
what Congress viewed as non-problematic sharing and, therefore, the law 
does not require financial institutions to permit consumers to opt out 
of such sharing. The need for an annual notice is thus less evident if 
a financial institution only shares nonpublic personal information 
pursuant to one of these exceptions. The trade association estimated 
that 75% of banks do not share beyond these exceptions and do not 
change their notices from year to year.
    Consumer advocacy groups generally stated that customers benefit 
from financial institutions providing them with printed annual privacy 
notices, which may remind customers of privacy rights that they may not 
have exercised previously. Consumer representatives argued that these 
notices make customers aware of their privacy rights in regard to 
financial institutions, even if customers have no opt-out rights. One 
compliance company commenter agreed with the consumer groups' view of 
the importance of the notices. One advocacy group suggested that a 
narrow easing of annual notice requirements where a financial 
institution shares information only with affiliates might not be 
objectionable, although it did not support changing the current 
requirements. The Bureau did not receive any comment on the annual 
privacy notice change from privacy advocacy groups.

C. Understanding the Effects of Certain Deposit Regulations--Study

    In November 2013, the Bureau published a study assessing the 
effects of certain deposit regulations on financial institutions' 
operations.\28\ This study provided operational insights from seven 
banks about their annual privacy notices.\29\ Many of these banks use 
third-party vendors, who design or distribute the notices on the banks' 
behalf. All seven participants provided the annual notice as a separate 
mailing, which resulted in higher costs for postage, materials, and 
labor than if the notice were mailed with other material. Some 
financial institutions apparently send separate mailings to ensure that 
their disclosures are ``clear and conspicuous,'' \30\ although 2009 
guidance from the eight agencies promulgating the model privacy form 
explained that a separate mailing is not required.\31\ This separate 
mailing practice contrasts with the usual financial institution 
preference (particularly for smaller study participants) to bundle 
mailings with monthly statements. Indeed, subsequent Bureau outreach 
suggests that many financial institutions do mail the annual privacy 
notice with other materials. Finally, while the study participants 
echoed the sentiment that few customers read privacy notices, 
participant banks with call centers also reported that after they send 
annual notices, the number of customers who call about the banks' 
privacy policies increases.
---------------------------------------------------------------------------

    \28\ Consumer Financial Protection Bureau, ``Understanding the 
Effects of Certain Deposit Regulations on Financial Institutions' 
Operations: Findings on Relative Costs for Systems, Personnel, and 
Processes at Seven Institutions'' (Nov. 2013), available at https://files.consumerfinance.gov/f/201311_cfpb_report_findings-relative-costs.pdf.
    \29\ Information collected for the study may be used to assist 
the Bureau in its investigations of ``the effects of a potential or 
existing regulation on the business decisions of providers.'' OMB 
Information Request--Control Number: 3170-0032.
    \30\ 15 U.S.C. 6803 (``[In the initial and annual privacy 
notices] a financial institution shall provide a clear and 
conspicuous disclosure. . . .''); 12 CFR 1016.3(b)(1) (defining 
``clear and conspicuous'' as ``reasonably understandable and 
designed to call attention to the nature and significance of the 
information in the notice.'')
    \31\ See 74 FR at 62897-62898.

---------------------------------------------------------------------------


D. Further Outreach

    In addition to the consultations with other government agencies 
discussed above, while preparing the proposed rule the Bureau conducted 
further outreach to industry and consumer advocate stakeholders. The 
Bureau held meetings with consumer groups, including groups and 
individuals with a specific interest in privacy issues. The Bureau also 
held meetings with industry groups that represent institutions that 
must comply with the annual privacy notice requirement, including 
banks, credit unions, mortgage servicers, and debt buyers.
    As with the responses to the Streamlining RFI, the consumer groups 
generally expressed the view that mailed privacy notices were useful, 
even when no opt-out rights were present, and that changes were not 
necessary. Among other comments, they suggested that the Bureau promote 
the use of the Regulation P model form. The industry participants also 
generally expressed similar views to those expressed by industry in 
response to the Streamlining RFI. They supported creation of an 
alternative delivery method for annual privacy notices.\32\
---------------------------------------------------------------------------

    \32\ Recently Congress considered proposed legislation that 
would provide burden relief as to annual privacy notices, though no 
law has been enacted. See, e.g., H.R. 749, passed by the House and 
referred to the Senate in March of 2013; and S. 635, introduced in 
the Senate in late 2013.
---------------------------------------------------------------------------

E. Comments on the Proposed Rule

    On May 13, 2014, the Bureau published a proposed rule in the 
Federal Register to amend 12 CFR 1016.9, the Regulation P provision on 
annual privacy notices.\33\ The comment period closed on July 14, 2014. 
In response to the proposal, the Bureau received approximately 130 
comments from industry trade associations, consumer groups, public 
interest groups, individual financial institutions, and others. As 
discussed in more detail below, the Bureau has considered these 
comments in adopting this final rule.
---------------------------------------------------------------------------

    \33\ See 79 FR 27214 (May 13, 2014). The Bureau subsequently 
extended the comment deadline. 79 FR 30485 (May 28, 2014).
---------------------------------------------------------------------------

    Two commenters discussed the proposed rule's relation to and 
potential conflicts with the law of certain states. During the 
preparation of this final rule, the Bureau consulted with the two 
states that were identified as having laws that might preclude use of 
the alternative delivery method and explained the nature and benefits 
of the change being made to Regulation P. The two states are reviewing 
their laws and considering how to proceed.

F. Effective Date

    Numerous industry commenters requested that any final rule adopted 
be made effective immediately, to make the rule's benefits available as 
soon as possible. An agency must allow 30 days before a substantive 
rule is made effective, unless, among other things, the rule ``grants 
or recognizes an exemption or relieves a restriction'' \34\ or ``as 
otherwise provided by the agency for good cause found and published 
with the rule.'' \35\ This rule recognizes an exemption from or 
relieves a restriction on providing the Regulation P annual privacy 
notice according to the standard delivery methods, and does not create 
any new requirement because a financial institution can choose not to 
use the new method. Accordingly, the 30 day delay in effective date 
does not apply and the Bureau finds good cause to make this rule 
effective immediately on publication in the Federal Register, in order 
to allow financial institutions and consumers to enjoy the benefits of 
this rule as soon as possible.
---------------------------------------------------------------------------

    \34\ 5 U.S.C. 553(d)(1).
    \35\ 5 U.S.C. 553(d)(3).
---------------------------------------------------------------------------

G. Privacy Considerations

    In developing the proposed rule and this final rule, the Bureau 
considered its potential impact on consumer privacy. The rule will not 
affect the collection or use of consumers' nonpublic personal 
information by financial institutions. The rule will expand the 
permissible methods by which financial institutions subject to 
Regulation P may deliver annual privacy notices to their customers in 
limited circumstances. Among other limitations, it will not expand the 
permissible delivery methods if financial institutions make various 
types of changes to their annual privacy notices or if their annual 
privacy notices afford customers the right to opt out of financial 
institutions' sharing of customers' nonpublic personal information. The 
rule is designed to ensure that when the alternative delivery method is 
used, customers will continue to have access to clear and conspicuous 
annual privacy notices.

III. Legal Authority

    The Bureau is issuing this final rule pursuant to its authority 
under section 504 of the GLBA, as amended by section 1093 of the 
Dodd-Frank Act.\36\ The Bureau is also issuing this rule pursuant to its 
authority under sections 1022 and 1061 of the Dodd-Frank Act.\37\
---------------------------------------------------------------------------

    \36\ 15 U.S.C. 6804.
    \37\ 12 U.S.C. 5512, 5581.
---------------------------------------------------------------------------

    Prior to July 21, 2011, rulemaking authority for the privacy 
provisions of the GLBA was shared by eight federal agencies: The Board, 
the FDIC, the FTC, the NCUA, the OCC, the OTS, the SEC, and the CFTC. 
The Dodd-Frank Act amended a number of Federal consumer financial laws, 
including the GLBA. Among other changes, the Dodd-Frank Act transferred 
rulemaking authority for most of Subtitle A of Title V of the GLBA, 
with respect to financial institutions described in section 
504(a)(1)(A) of the GLBA, from the Board, FDIC, FTC, NCUA, OCC, and OTS 
(collectively, the transferor agencies) to the Bureau, effective July 
21, 2011.

IV. Section-by-Section Analysis

Section 1016.1--Purpose and Scope

    The Bureau is making technical corrections to two U.S. Code 
citations in Sec.  1016.1(b)(1).

Section 1016.9--Delivering Privacy and Opt-Out Notices

    Section 1016.9 of Regulation P describes how a financial 
institution must provide both the initial notice required by Sec.  
1016.4 and the annual notice required by Sec.  1016.5. Specifically, 
existing Sec.  1016.9(a) requires the notice to be provided so that 
each consumer can reasonably be expected to receive actual notice in 
writing or, if the consumer agrees, electronically. Existing Sec.  
1016.9(b) provides examples of delivery that will result in reasonable 
expectation of actual notice, including hand delivery, delivery by 
mail, or electronic delivery for consumers who conduct transactions 
electronically. Existing Sec.  1016.9(c), redesignated by this final 
rule as Sec.  1016.9(c)(1), provides examples regarding reasonable 
expectation of actual notice that apply to annual notices only.
    In the proposed rule, the Bureau proposed to add Sec.  
1016.9(c)(2), which would create an alternative delivery method for 
annual privacy notices, by which financial institutions that met 
certain requirements could comply with the annual notice requirement in 
Sec.  1016.9(a). For the reasons discussed below, the Bureau is 
adopting Sec.  1016.9(c)(2) substantially as proposed, with certain 
minor modifications.
Proposed Rule
    As stated above, the Bureau proposed to add Sec.  1016.9(c)(2), 
which would create an alternative delivery method for annual privacy 
notices, by which financial institutions that met certain requirements 
could comply with the 
annual notice requirement in Sec.  1016.9(a). The Bureau proposed to 
allow use of the alternative delivery method to reduce information 
overload, specifically by eliminating duplicative paper privacy notices 
in situations in which the customer generally has no ability to opt out 
of the financial institution's information sharing.\38\ Moreover, the 
Bureau proposed to allow use of the alternative delivery method to 
decrease the burden on financial institutions of delivering notices, 
while typically continuing to require delivery of notices pursuant to 
the standard methods in situations in which customers could opt out of 
information sharing.
---------------------------------------------------------------------------

    \38\ The Bureau noted in the proposed rule that the alternative 
delivery method would be available even where a notice and opt out 
is offered under the Affiliate Marketing Rule, subpart C of 12 CFR 
part 1022, which relates to marketing based on information shared by 
a financial institution, as long as the Affiliate Marketing Rule 
notice and opt out is also provided separately from the Regulation P 
annual privacy notice. (For example, this separate Affiliate 
Marketing Rule notice and opt-out can be provided on the initial 
privacy notice under Regulation P, which cannot be delivered via the 
alternative delivery method in any case.) The final rule adopts this 
approach. See the section-by-section discussion of Sec.  
1016.9(c)(2)(i)(C), below.
---------------------------------------------------------------------------

    Under the alternative delivery method as proposed, customers would 
have access via financial institutions' Web sites (or by postal mail on 
request) to annual privacy notices that are conveyed via the model 
form, that generally do not inform customers of any right to opt out, 
and that repeat the same information as in previous privacy notices. 
Further, because financial institutions would be required to post their 
privacy notices continuously on their Web sites, customers would be 
able to access privacy notices throughout the year rather than waiting 
for an annual mailing. Financial institutions would be required to 
deliver to customers an annual reminder, on another notice or 
disclosure, of the availability of the privacy notice on the 
institution's Web site and by mail upon telephone request. In light of 
these considerations, the Bureau believed that where the conditions set 
forth in the proposed rule would be satisfied, any incremental benefit 
in terms of customers' awareness of privacy issues that might accrue 
from requiring delivery of the annual privacy notice pursuant to the 
standard methods would be outweighed by the costs of providing the 
notice, costs that ultimately might be passed through to customers.
Comments
    In the proposed rule, the Bureau sought data and other information 
concerning the effect on customer privacy rights if financial 
institutions were to use the alternative delivery method rather than 
the standard delivery methods. The Bureau further requested comment on 
whether the proposed alternative delivery method would be effective in 
reducing the potential for information overload on customers and 
reducing the burden on financial institutions of mailing hard copy 
privacy notices.
    Comments from industry and consumer and public interest groups 
stated that the alternative delivery method would be beneficial to or 
have no effect on customers' awareness and exercise of their privacy 
rights under Regulation P. Industry commenters indicated that the 
proposal would reduce information overload. In regard to burden 
reduction, comments and earlier outreach indicated that a majority of 
credit unions, a large number of banks, and many other financial 
institutions would benefit from being able to use the alternative 
delivery method. In addition, proposal comments and earlier outreach 
have indicated that small financial institutions are less likely to 
share their customers' nonpublic personal information in a way that 
triggers customers' opt-out rights, and so it is likely that many of 
those small institutions can decrease their costs through the use of 
the alternative delivery method.
    Many industry commenters, however, objected to certain aspects and 
requirements of the alternative delivery method, and stated that 
eliminating these conditions and requirements would significantly 
increase the rule's burden reduction. Consumer and public interest 
groups, though, supported the inclusion of the conditions and 
requirements. These comments are discussed below in relation to the 
specific provisions they address.
    In the proposal, the Bureau noted that the alternative delivery 
method would be available where customers have already consented to 
receive their privacy notices electronically pursuant to Sec.  
1016.9(a) and invited comment regarding how often privacy notices are 
delivered electronically under existing Regulation P. The Bureau 
further invited comment on whether the proposed alternative delivery 
method is appropriate for customers who already receive privacy notices 
electronically and whether financial institutions that currently 
provide the notice electronically would be likely to use the proposed 
alternative delivery method. Only a few commenters addressed this 
issue. Some financial institutions indicated that most customers do not 
receive their annual privacy notices by electronic means, but that the 
institutions may want to use the alternative delivery method for those 
that do. The institutions also requested clarification of how this 
should be done.
    In the proposed rule, the Bureau also noted that potential 
comparison shopping by consumers among financial institutions based on 
privacy policies was one of the objectives that GLBA model privacy 
notices, primarily initial privacy notices, were intended to 
accomplish. See 15 U.S.C. 6803(e).\39\ The Bureau invited empirical 
data on whether consumers do comparison shop among financial 
institutions based on privacy notices. The Bureau did not receive any 
such data.
---------------------------------------------------------------------------

    \39\ Facilitating comparison shopping based on privacy policies 
was also mentioned repeatedly in the preamble to the model privacy 
notice rule. See generally 74 FR 62890.
---------------------------------------------------------------------------

Final Rule
    As explained in the proposed rule, the specific language of section 
503(a) of the GLBA grants some latitude in specifying by rule the 
method of conveying the annual notices, as long as a ``clear and 
conspicuous disclosure'' is provided ``in writing or in electronic form 
or other form permitted by the regulations.'' The Bureau's statutory 
interpretation allowing the alternative delivery method provision to 
satisfy this disclosure requirement applies only to the specific type 
of disclosure involved in the rule and in the limited circumstances 
presented here, pursuant to the specific language of GLBA section 503.
    In relation to the comments regarding notices currently delivered 
electronically, the Bureau reiterates that the alternative delivery 
method is available in lieu of the existing standard delivery methods 
including electronic delivery. In addition, as discussed below, the 
Bureau now clarifies that the notice of availability required by Sec.  
1016.9(c)(2)(ii)(A) may be included on account statements, coupon 
books, or notices or disclosures an institution is required or 
expressly and specifically permitted to issue to the customer under any 
other provision of law and delivered through a means otherwise 
permitted for that type of account statement, coupon book, or notice or 
disclosure, including electronic delivery where applicable. For 
example, the notice of availability may be included on a mortgage 
loan's periodic statement that is delivered electronically if the 
electronic delivery is in compliance with the Electronic Signatures in 
Global 
and National Commerce Act \40\ (E-Sign) as required by Regulation 
Z.\41\
---------------------------------------------------------------------------

    \40\ 15 U.S.C. 7001-7031.
    \41\ See 12 CFR 1026.31(b) and 1026.41.
---------------------------------------------------------------------------

    The Bureau adopts Sec.  1016.9(c)(2) substantially as proposed, 
with minor modifications. Comments on the specific provisions of Sec.  
1016.9(c)(2), and the specific provisions as adopted in this final 
rule, are discussed more fully below.

Section 1016.9(c)(2) Alternative Method for Providing Certain Annual 
Notices

Section 1016.9(c)(2)(i)

    Proposed Sec.  1016.9(c)(2) would have set forth an alternative to 
Sec.  1016.9(a) for providing certain annual notices. Proposed Sec.  
1016.9(c)(2)(i) would have provided that, notwithstanding the general 
notice requirement in Sec.  1016.9(a), a financial institution may use 
the alternative method set forth in proposed Sec.  1016.9(c)(2)(ii) to 
satisfy the requirement in Sec.  1016.5(a)(1) to provide an annual 
notice if the institution met certain conditions as specified in 
proposed Sec.  1016.9(c)(2)(i)(A) through (E). The Bureau is adopting 
Sec.  1016.9(c)(2)(i) as proposed. The Bureau also proposed certain 
technical amendments to accommodate the new provision, which are 
adopted unchanged in the final rule.\42\
---------------------------------------------------------------------------

    \42\ Existing Sec.  1016.9(c) is redesignated as Sec.  
1016.9(c)(1) and its subparagraphs redesignated as Sec.  
1016.9(c)(1)(i) and (ii), respectively, to accommodate the addition 
of Sec.  1016.9(c)(2). The Bureau is also adding a heading to new 
paragraph (c)(1) for technical reasons.
---------------------------------------------------------------------------

Comments
    The Bureau invited comment generally on the conditions in proposed 
Sec.  1016.9(c)(2)(i)(A) through (E) and whether any of those 
conditions should not be required or whether additional conditions 
should be added. Commenters generally discussed the conditions 
individually, and those comments are discussed in regard to each of 
those individual conditions below. No industry commenters suggested 
additional conditions. A consumer group and an academic commenter 
suggested unrelated enhancements to the privacy notice regulations that 
would severely impede the burden reduction achieved by this rule and 
have not been adopted. An industry trade association suggested that the 
Bureau remove the required conditions because the alternative delivery 
method is superior to the standard methods, and all customers and 
financial institutions should benefit from its use in all 
circumstances. Other industry commenters suggested that the conditions 
were unnecessary because customers do not read the notices anyway. 
Several industry commenters suggested that the Bureau's rule should not 
put more restrictions on the web posting of privacy notices than 
related pending legislation in Congress would if such legislation were 
enacted.\43\
---------------------------------------------------------------------------

    \43\ Certain requirements for use of the alternative delivery 
method, such as those relating to FCRA opt-outs and use of the model 
privacy form, are not mentioned in any of the versions of this 
pending legislation.
---------------------------------------------------------------------------

Final Rule
    The Bureau adopts Sec.  1016.9(c)(2)(i) as proposed. The Bureau 
believes that the alternative delivery method provides appropriate and 
sufficient notice if a privacy notice has not changed and is not needed 
to inform the customer of his or her opt-out rights. The Bureau, 
however, also believes that generally requiring financial institutions 
to use the standard delivery methods for notices that have changed or 
that are required to inform consumers of opt-out rights, is more 
consistent with the importance to the GLBA statutory scheme of 
customers' ability to exercise opt-out rights. The Bureau also believes 
that the continued use of standard delivery methods in these 
circumstances is more consumer-friendly than allowing use of the 
alternative delivery method where notices have changed or are required 
to inform customers of opt-out rights. In regard to pending bills in 
Congress, the Bureau notes that the final rule is promulgated to 
implement the current GLBA statutory scheme.

Section 1016.9(c)(2)(i)(A)

    Proposed Sec.  1016.9(c)(2)(i)(A) would have set forth the first 
condition for using the alternative delivery method: That the financial 
institution does not share the customer's information with 
nonaffiliated third parties other than through the activities specified 
under Sec. Sec.  1016.13, 1016.14 and 1016.15 that do not trigger 
opt-out rights under the GLBA. For the reasons discussed below, the Bureau 
is finalizing Sec.  1016.9(c)(2)(i)(A) as proposed, with minor 
technical revisions.
Proposed Rule
    For the reasons stated in the proposal, the Bureau proposed to 
continue to require standard delivery of the annual notice where 
customers have opt-out rights. The Bureau further proposed limiting the 
alternative delivery method to circumstances in which customers have no 
information sharing opt-out rights under Regulation P as a way to 
reduce the burden of compliance generally while still mandating the use 
of the standard delivery methods to ensure that customers have direct 
notice of any opt-out rights they have. This approach was also 
reflected in proposed Sec.  1016.9(c)(2)(i)(B) and (C), discussed in 
detail below, which would have limited the use of the alternative 
delivery method where a financial institution shares customer 
information with affiliates in a way that triggers opt-out rights under 
FCRA sections 603(d)(2)(A)(iii) and 624.
Comments
    Many commenters addressed Sec.  1016.9(c)(2)(i)(A), (B), and (C) 
(the ``opt-out conditions'') collectively without distinguishing among 
them.\44\ For example, several consumer and privacy advocacy groups 
stated that they supported finalizing the opt-out conditions because 
many customers will not take the additional steps necessary to access 
or receive a privacy notice under the alternative delivery method and 
that it is therefore appropriate to permit use of it only if a customer 
does not have opt-out rights. Similarly, a civil rights public interest 
group supported the opt-out conditions in part, stating that these 
limitations would incentivize financial institutions not to share their 
customers' information. An organization representing state banking 
regulators also generally supported the proposed conditions for the 
alternative delivery method without specifically commenting on the 
opt-out conditions. Several individual credit unions and community banks 
either expressly supported the opt-out conditions or supported the 
proposal generally without addressing the opt-out conditions. Many 
financial institution commenters also expressed support for legislation 
currently pending in Congress that would either eliminate the 
requirement to provide an annual notice or allow an institution to 
provide access to an annual notice electronically if a financial 
institution does not share information in a way that triggers opt-out 
rights under the GLBA and other conditions are met.\45\
---------------------------------------------------------------------------

    \44\ To the extent that commenters distinguished among the 
opt-out conditions, they focused on the conditions proposed in Sec.  
1016.9(c)(2)(i)(B) and (C) which are discussed in detail in the 
section-by-section analysis below.
    \45\ See, e.g., H.R. 749, passed by the House and referred to 
the Senate in March of 2013; and S. 635, introduced in the Senate in 
late 2013.
---------------------------------------------------------------------------

    In contrast, however, other industry commenters, especially those 
representing larger financial institutions, objected to limiting the 
alternative delivery method to financial institutions that are not 
required to provide opt-out rights to their 
customers, stating that such conditions would prevent them from using 
the alternative delivery method. These commenters stated that most 
large financial institutions, including most large non-bank financial 
institutions, share information in such a way that they are required to 
offer opt-out rights to their customers under either the GLBA or the 
FCRA (or both) and thus they would not be able to use the proposed 
alternative delivery method.\46\ These commenters asserted that the 
opt-out conditions would significantly limit the burden reduction from 
the proposal.
---------------------------------------------------------------------------

    \46\ A national trade association representing business 
interests stated that banks that hold collectively half of all U.S. 
deposits would not be able to use the alternative delivery method as 
proposed.
---------------------------------------------------------------------------

    Moreover, commenters objecting to not allowing the use of the 
alternative delivery method if customers have opt-out rights stated 
that customers only very infrequently exercise their rights to opt out 
of information sharing after receiving mailed annual privacy notices 
and thus the Bureau does not need to require standard delivery of 
notices even if opt-out rights exist. One national trade association 
representing business interests stated that the Bureau's admission in 
the proposal that it is unlikely that fewer customers would read the 
privacy notice if financial institutions deliver it pursuant to the 
alternative method than read it if mailed undercuts the notion that 
mailed notices are more effective.
Final Rule
    The Bureau is adopting Sec.  1016.9(c)(2)(i)(A) as proposed except 
for technical revisions to revise the wording from ``share with'' to 
``disclose to'' to be consistent with most of the rest of the existing 
rule text in part 1016 and to clarify that the information that may not 
be disclosed is the ``customer's nonpublic personal information.'' The 
Bureau is aware that the proposed opt-out conditions in Sec.  
1016.9(c)(2)(i)(A), (B), and (C) will preclude some financial 
institutions from using the alternative delivery method. Nonetheless, 
the Bureau believes that because of the importance to the statutory 
scheme of customers' ability to exercise opt-out rights, financial 
institutions must continue to satisfy requirements to provide 
information about these rights through the standard delivery methods. 
In addition, as shown by the Bureau's research in connection with the 
proposal \47\ and by comments received on the proposal, the Bureau 
believes that even with these conditions, many financial institutions 
will be able to use the alternative method which will relieve burden 
for them and reduce information overload for their customers.\48\ With 
respect to the comment that few customers opt out of information 
sharing when they receive notices through the standard delivery 
methods, the Bureau believes that standard delivery of the annual 
privacy notice is a more consumer-friendly method for conveying the 
existence of opt-out rights to customers and allowing them to exercise 
those rights. As to whether fewer customers will read the privacy 
notice when delivered pursuant to the alternative delivery method, the 
Bureau notes that there is no reliable evidence bearing on this 
question. In the absence of such evidence the Bureau opts to continue 
the standard delivery methods (e.g., mail) that require the least 
amount of effort from consumers to exercise their opt-out rights.
---------------------------------------------------------------------------

    \47\ 79 FR at 27227.
    \48\ Apart from individual institutions that stated whether they 
would be able to use the alternative method, few commenters provided 
data on how many financial institutions would be precluded from 
using the alternative delivery method because of the opt-out 
condition. One state association representing banks did provide such 
data noting that only 11 of 99 banks that responded to the 
association's survey would not be eligible to use the proposed 
alternative delivery method.
---------------------------------------------------------------------------

Section 1016.9(c)(2)(i)(B) and 9(c)(2)(i)(C)

    Proposed Sec.  1016.9(c)(2)(i)(B) would have set forth the second 
condition for using the alternative delivery method for the annual 
privacy notice: That the financial institution not include on its 
annual notice an opt out under section 603(d)(2)(A)(iii) of the 
FCRA.\49\ Proposed Sec.  1016.9(c)(2)(i)(C) would have presented the 
third condition for using the alternative delivery method: that the 
annual privacy notice is not the only notice provided to satisfy the 
requirements of section 624 of the FCRA \50\ and subpart C of 12 CFR 
part 1022 (the ``Affiliate Marketing Rule''). For the reasons discussed 
below, the Bureau is finalizing Sec.  1016.9(c)(2)(i)(B) as proposed 
and is finalizing Sec.  1016.9(c)(2)(i)(C) as revised.
---------------------------------------------------------------------------

    \49\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \50\ 15 U.S.C. 1681s-3.
---------------------------------------------------------------------------

Proposed Rule
    As discussed in part II above, FCRA section 603(d)(2)(A)(iii) 
excludes from the statute's definition of ``consumer report'' a 
financial institution's sharing of certain information about a consumer 
with its affiliates if the financial institution provides the consumer 
with notice and an opportunity to opt out of the information sharing. 
Section 503(b)(4) of the GLBA expressly requires a financial 
institution's privacy notice to include any disclosures the financial 
institution is required to make under section 603(d)(2)(A)(iii) of the 
FCRA, if any. Section 1016.6(a)(7), which implements this statutory 
directive, requires a financial institution's privacy notice to include 
any disclosures the institution makes under section 603(d)(2)(A)(iii). 
As stated in the proposal, because the Bureau proposed the alternative 
delivery method be available only if notices are not required to inform 
customers of opt-out rights, proposed Sec.  1016.9(c)(2)(i)(B) provided 
that annual notices that inform customers of FCRA section 
603(d)(2)(A)(iii) opt-out rights, like notices that inform customers of 
GLBA opt-out rights, would have to continue to be delivered pursuant to 
the standard delivery methods.
    In contrast to the FCRA section 603(d)(2)(A)(iii) notice and 
opt-out right, the Affiliate Marketing Rule notice and opt out is not 
required by either the GLBA or Regulation P to be included on the 
annual privacy notice. The Affiliate Marketing Rule notice and opt out 
may be included on this notice, however. Given that the Affiliate 
Marketing Rule notice and opt out is not required on the annual privacy 
notice (and indeed does not have to be provided annually),\51\ the 
Bureau believes, as stated in the proposal, that including the 
Affiliate Marketing Rule opt-out on the annual notice should not 
preclude a financial institution from using the alternative delivery 
method. The Bureau therefore proposed Sec.  1016.9(c)(2)(i)(C), which 
would have allowed a financial institution to use the alternative 
delivery method if it provides the customer with an opt-out right under 
the Affiliate Marketing Rule as long as the Regulation P annual privacy 
notice was not the only notice provided to satisfy the Affiliate 
Marketing Rule, if applicable.
---------------------------------------------------------------------------

    \51\ 72 FR 62910, 62930 (Nov. 7, 2007).
---------------------------------------------------------------------------

    As it did in the proposal, the Bureau notes that the required 
duration of a consumer opt-out under the Affiliate Marketing Rule 
depends on whether the Affiliate Marketing Rule notice and opt out is 
included as part of the Regulation P model privacy notice or issued 
separately. If a financial institution includes the Affiliate Marketing 
Rule notice and opt out on the model privacy notice, Regulation P 
requires that opt out to be of indefinite duration.\52\ In contrast, if 
a financial institution provides the Affiliate Marketing Rule 
notice and opt out separately, Regulation V allows the opt out to be 
offered for as few as five years, subject to renewal, and the 
disclosure of the duration of the opt out must be included on the 
separate notice.\53\ As stated in the proposal, the Bureau believes 
that prohibiting the use of the alternative delivery method if a 
financial institution voluntarily includes the Affiliate Marketing Rule 
notice and opt-out on its annual privacy notice could discourage 
financial institutions from including it. If so, it could be to the 
detriment of consumers who otherwise likely would not receive annual 
notice of their Affiliate Marketing Rule opt-out right.
---------------------------------------------------------------------------

    \52\ Regulation P provides, ``Institutions that include this 
reason [for sharing or using personal information] must provide an 
opt-out of indefinite duration.'' Appendix to part 1016 at C.2.d.6.
    \53\ 12 CFR 1022.22(b), 1022.23(a)(1)(iv).
---------------------------------------------------------------------------

Comments
    Comments that addressed the three opt-out conditions in proposed 
Sec.  1016.9(c)(2)(i)(A), (B), and (C) are discussed collectively above 
in the section-by-section analysis of Sec.  1016.9(c)(2)(i)(A). Though 
many commenters generally supported the opt-out conditions, they did 
not separately discuss Sec.  1016.9(c)(2)(i)(B) or (C). Commenters who 
specifically addressed Sec.  1016.9(c)(2)(i)(B) and (C) stated that 
because FCRA-covered information sharing with affiliates is more 
widespread among financial institutions than information sharing with 
third-parties not covered by a GLBA exception, these FCRA conditions 
were likely to prevent many more financial institutions from taking 
advantage of the alternative delivery method than Sec.  
1016.9(c)(2)(i)(A) relating to GLBA opt-out rights. These commenters 
asserted that the FCRA opt-out conditions in proposed Sec.  
1016.9(c)(2)(i)(B) and (C) should not be finalized even if the Bureau 
continues to require standard delivery methods to customers who have 
GLBA opt-out rights.
    A national trade association representing the consumer credit 
industry stated that proposed Sec.  1016.9(c)(2)(i)(B) and (C) would 
preclude non-depository institutions from using the alternative 
delivery method more than depository institutions because 
non-depository institutions tend to share information with affiliates (and 
thereby trigger FCRA opt-out rights) more often than depository 
institutions. Several state community bank and credit union 
associations as well as several individual community banks and credit 
unions objected to Sec.  1016.9(c)(2)(i)(B) and (C) because they share 
information with affiliates to offer services to their customers that 
they otherwise could not offer. A ``think tank'' focused on data 
practices also opposed Sec.  1016.9(c)(2)(i)(B) and (C) because it said 
the FCRA opt-out conditions are too limiting to financial institutions 
and a mailed notice is not necessary to inform customers of those 
opt-out rights. A mortgage industry group further opposed Sec.  
1016.9(c)(2)(i)(B) and (C) because information sharing governed by the 
FCRA is different in kind from that governed by the GLBA, and FCRA 
requirements should not determine the GLBA annual notice delivery 
requirements. Many industry commenters argued that the Bureau's 
proposal should track proposed legislation in Congress which would 
either eliminate the annual notice requirement or allow an institution 
to provide access to an annual notice electronically or in other forms 
if no GLBA opt-out rights exist (and certain other conditions are met). 
Such proposed legislation, however, does not address the relationship 
between an alternative delivery method and FCRA opt-out rights.
    Specifically with respect to proposed Sec.  1016.9(c)(2)(i)(C), 
several financial institutions stated that the requirement to 
separately provide the Affiliate Marketing Rule opt-out notice to use 
the alternative delivery method would negate the cost savings of the 
alternative delivery method.
Final Rule
    The Bureau is finalizing Sec.  1016.9(c)(2)(i)(B) as proposed and 
is finalizing Sec.  1016.9(c)(2)(i)(C) as revised. The Bureau 
understands that including Sec.  1016.9(c)(2)(i)(B) and (C) as 
conditions for using the alternative delivery method will limit the 
availability of the alternative delivery method more than if the Bureau 
finalized only the GLBA opt-out condition in Sec.  1016.9(c)(2)(i)(A). 
The Bureau further understands that the FCRA opt-out conditions may 
affect certain types of financial institutions more than others. The 
Bureau is nonetheless persuaded, for the same reasons discussed in 
regard to Sec.  1016.9(c)(2)(i)(A), that it is important for customers 
to receive standard delivery of the annual notice if that notice 
includes information concerning the right to opt out of information 
sharing. The Bureau believes that standard delivery is a more 
consumer-friendly way of notifying customers of their opt-out rights and 
allowing them to exercise those rights.
    With respect to commenters who stated that FCRA requirements should 
not govern GLBA annual notice requirements, the Bureau notes that 
section 503(b)(4) of GLBA expressly requires that disclosures required 
under section 603(d)(2)(A)(iii) of FCRA be included on the GLBA privacy 
notice. Section 603(d)(2)(A)(iii) of the FCRA is silent as to how 
frequently the notice of opt-out rights must be delivered, but the 
agencies responsible for implementation of the GLBA interpreted it to 
require provision of annual notice of the FCRA section 
603(d)(2)(A)(iii) opt-out right.\54\ Accordingly, since it became 
effective in 2000, Sec.  1016.6(a)(7) has required financial 
institutions that offer the FCRA section 603(d)(2)(A)(iii) opt-out to 
include it on their annual privacy notice. The Bureau's determination 
that customers should continue to receive annual notices that inform 
them of opt-out rights pursuant to the standard delivery methods 
applies equally to those FCRA opt-out rights that are required by Sec.  
1016.6(a)(7) to be included on the GLBA annual privacy notice. FCRA 
opt-out rights conveyed on the annual notice under Sec.  1016.6(a)(7) 
are as important to customers and to the FCRA statutory scheme as the 
GLBA opt-out rights and thus should be delivered pursuant to the 
standard delivery methods.
---------------------------------------------------------------------------

    \54\ 65 FR 35162, 35176 (June 1, 2000).
---------------------------------------------------------------------------

    Regarding Sec.  1016.9(c)(2)(i)(C), the Bureau has substantially 
revised the provision to clarify how use of the model privacy notice to 
inform customers of opt-out rights under the Affiliate Marketing Rule 
interacts with use of the alternative delivery method. The Affiliate 
Marketing Rule requires that, before a financial institution may make 
solicitations based on eligibility information about a consumer it 
receives from an affiliate, the consumer must be provided with notice 
and an opportunity to opt out of such use. The Affiliate Marketing Rule 
further requires that a consumer's opt-out must be effective for a 
period of at least five years, but if the financial institution chooses 
to honor the customer's opt-out indefinitely, the notice need be 
delivered only once. As discussed above, this notice and opt-out may be 
included on a Regulation P privacy notice, but is not required to be. 
If the Affiliate Marketing Rule opt-out is incorporated in the model 
privacy notice, initial or annual, a financial institution must honor 
any customer opt-out request indefinitely.\55\ Accordingly, if a 
financial institution chooses to include the Affiliate Marketing Rule 
opt-out on its model privacy notice, the institution has no further 
Affiliate Marketing Rule disclosure obligations after the first
model privacy notice is delivered and the institution is free to 
continue including the Affiliate Marketing Rule opt-out on the annual 
privacy notice without jeopardizing its ability to use the alternative 
delivery method.\56\
---------------------------------------------------------------------------

    \55\ Appendix to part 1016 at C.2.d.6.
    \56\ A financial institution could also include the Affiliate 
Marketing Rule opt-out on a non-model privacy notice and choose to 
honor opt-outs indefinitely and have no further Affiliate Marketing 
Rule obligations after the first privacy notice is delivered.
---------------------------------------------------------------------------

    The language of Sec.  1016.9(c)(2)(i)(C) has been revised to make 
this more explicit by stating that the alternative delivery method is 
available to a financial institution if ``the requirements of [the 
Affiliate Marketing Rule], if applicable, have been satisfied 
previously or the annual privacy notice is not the only notice provided 
to satisfy such requirements.'' In light of this clarification, the 
Bureau disagrees with commenters who stated that there would be no cost 
savings from the alternative delivery method for institutions that are 
subject to the Affiliate Marketing Rule. If those institutions used the 
model privacy notice and standard delivery methods to disclose opt-out 
rights, then they could use the alternative delivery method for 
subsequent annual notices. If those institutions provided a separate 
Affiliate Marketing Rule opt-out because they wanted to limit the 
duration of that opt-out, no additional notices would be required and 
the alternative delivery method would still be available. If the 
customer had not already received the Affiliate Marketing Rule opt-out 
notice, the financial institution would be required to deliver that 
notice only once using standard methods to satisfy Sec.  
1016.9(c)(2)(i)(C). The Bureau believes that generally a customer would 
have already received the Affiliate Marketing Rule notice and the 
one-time delivery still would not negate potential savings for annual 
notices in subsequent years.
    The Bureau acknowledges that some customers will no longer receive 
their annual privacy notice pursuant to standard delivery methods even 
though the notice informs them of a right to opt out that exists 
pursuant to the Affiliate Marketing Rule. The Bureau believes, however, 
that this concern is mitigated by the fact that if the customer had not 
already received notice of the Affiliate Marketing Rule opt out 
pursuant to standard delivery methods, the financial institution would 
have to provide a separate Affiliate Marketing Rule notice in order to 
satisfy Sec.  1016.9(c)(2)(i)(C).\57\ The Bureau considered but decided 
against prohibiting use of the alternative delivery method where a 
financial institution provides an opt out under the Affiliate Marketing 
Rule because neither the GLBA nor Regulation P requires the Affiliate 
Marketing Rule opt-out to be included on the annual privacy notice.
---------------------------------------------------------------------------

    \57\ Alternatively, the financial institution could continue to 
use the current delivery method and include the Affiliate Marketing 
opt out on the annual privacy notice, with no separate notice 
required.
---------------------------------------------------------------------------

Section 1016.9(c)(2)(i)(D)

    Proposed Sec.  1016.9(c)(2)(i)(D) would have presented the fourth 
condition for using the alternative delivery method: That the 
information a financial institution is required to convey on its annual 
privacy notice pursuant to Sec.  1016.6(a)(1) through (5), (8) and (9) 
has not changed since the immediately previous privacy notice (whether 
initial or annual) to the customer. For the reasons discussed below, 
the Bureau is adopting Sec.  1016.9(c)(2)(i)(D) with some 
modifications.
Proposed Rule
    The Bureau proposed to provide more flexibility in the method of 
delivering a notice that has not changed because it believed that 
delivery of the annual notice by the standard delivery methods is 
likely less useful if the customer has already received a privacy 
notice, the financial institution's sharing practices remain generally 
unchanged since that previous notice, and the other requirements of 
Sec.  1016.9(c)(2)(i) are met. Proposed Sec.  1016.9(c)(2)(i)(D) would 
have listed the specific disclosures of the privacy notice that must 
not change for a financial institution to take advantage of the 
alternative delivery method: Sec.  1016.9(a)(1) through (5), (8), and 
(9).
    The Bureau explained that the disclosures required by Sec.  
1016.6(a)(1) through (5) and (9) describe categories of nonpublic 
personal information collected and disclosed and categories of third 
parties with whom that information is disclosed. Accordingly, only a 
change in or addition of a category of information collected or shared 
or in a category of third party with whom the information is shared 
would have prevented a financial institution from satisfying proposed 
Sec.  1016.9(c)(2)(i)(D) based on the disclosures required by Sec.  
1016.6(a)(1) through (5) and (9). The Bureau also explained that the 
disclosure required by Sec.  1016.6(a)(8) would disallow use of the 
alternative delivery method if a financial institution changed the 
required description of its policies and practices with respect to 
protecting the confidentiality and security of nonpublic personal 
information. The Bureau explained that changes in the description of a 
financial institution's data security policy likely are significant 
enough that when they occur, the annual privacy notice should continue 
to be delivered according to the standard delivery methods. Indeed, in 
light of recent large-scale data security breaches, some customers may 
be more interested in the data security policies of their financial 
institutions than they were previously. The Bureau further noted in the 
proposal that stylistic changes in the wording of the notice that do 
not change the information conveyed on the notice would not prevent a 
financial institution from satisfying proposed Sec.  
1016.9(c)(2)(i)(D).
Comments
    Most commenters that addressed Sec.  1016.9(c)(2)(i)(D) supported 
the proposed requirement. A national association representing student 
loan servicers stated that proposed Sec.  1016.9(c)(2)(i)(D) is the 
most important element of the requirements for using the alternative 
delivery method. Several national associations representing both large 
and small financial institutions suggested retaining the requirement in 
Sec.  1016.9(c)(2)(i)(D), even though they advocated alternatives to 
other components of the proposal. As noted in the section-by-section 
analyses of Sec.  1016.9(c)(2)(i)(A) and (B), many commenters expressed 
their support for legislation pending in Congress that is somewhat 
similar to the proposal and includes the requirement that the financial 
institution's privacy notice remain unchanged from the previous notice. 
In contrast, a national business coalition relating to online privacy 
criticized proposed Sec.  1016.9(c)(2)(i)(D) as significantly reducing 
the opportunity for financial institutions to use the alternative 
delivery method, in conjunction with the other requirements of proposed 
Sec.  1016.9(c)(2)(i).
    Most other commenters suggested technical changes to proposed Sec.  
1016.9(c)(2)(i)(D) or requested clarification. A state association 
representing credit unions and a community bank commented that a 
revised privacy notice is required by Sec.  1016.8 if a financial 
institution shares information other than as described in the initial 
privacy notice. It thus proposed that Sec.  1016.9(c)(2)(i)(D) should 
allow financial institutions to use the alternative delivery method if 
the information disclosed on the privacy notice has not changed since 
the immediately previous privacy notice, initial, annual, or revised.
    A compliance services company commented that Regulation P requires
information to be included on the model privacy notice that, if 
changed, might be significant for customers but is not included in 
Sec.  1016.9(c)(2)(i)(D). Such information includes the name of the 
financial institution providing the notice, changes in the definitions 
section of the notice which describes the financial institution's 
affiliates, nonaffiliates with whom it shares information, and joint 
marketing practices, and changes in the ``Other Important Information'' 
section of the model form, such as those involving state law 
requirements. The compliance services company further commented that 
the statement on the notice of availability required by Sec.  
1016.9(c)(2)(ii)(A) that ``our privacy policy has not changed'' could 
be inaccurate if such information had in fact changed. Moreover, the 
compliance services company also explained that the Bureau's statement 
in the proposal that a financial institution could change its privacy 
policy so as to eliminate information sharing that triggers opt-out 
rights and then make use of the alternative delivery method for the 
next annual privacy notice \58\ conflicts with Sec.  1016.9(c)(2)(i)(D) 
as proposed. According to the commenter, eliminating a category of 
affiliates with whom the financial institution shares information would 
trigger changes to the disclosure required by Sec.  1016.6(a)(2) and 
thus would prevent a financial institution from complying with proposed 
Sec.  1016.9(c)(2)(i)(D).
---------------------------------------------------------------------------

    \58\ 79 FR at 27221 n.54.
---------------------------------------------------------------------------

    Lastly, the compliance services company requested guidance on the 
sequence of events that would allow a financial institution to use the 
alternative delivery method after a privacy policy change occurs. For 
example, the company asked for clarification on when a revised notice 
should be sent, a time period after the notice of availability was 
delivered within which the institution would be required to implement 
the requirements for Web site posting and establishing a telephone 
number to request the privacy notice, and a time frame after the change 
for the institution to wait before it starts using the statement that 
``our privacy policy has not changed.''
Final Rule
    The Bureau is adopting Sec.  1016.9(c)(2)(i)(D) with some 
modifications. Regarding the comment that proposed Sec.  
1016.9(c)(2)(i)(D) renders the alternative delivery method of limited 
availability to financial institutions, the Bureau believes that 
requiring notices that have changed to be delivered pursuant to 
standard delivery methods is a more consumer-friendly way of notifying 
customers of changes than requiring consumers to affirmatively seek out 
information about the changed policy. As to revised privacy notices, 
the Bureau agrees that a financial institution that has used standard 
delivery methods to provide customers with a revised privacy notice 
under Sec.  1016.8 should be able to use the alternative delivery 
method for its next annual notice. Accordingly, the Bureau is revising 
proposed Sec.  1016.9(c)(2)(i)(D) to permit a financial institution to 
use the alternative delivery method if the information contained on its 
privacy notice has not changed since it provided the immediately 
previous privacy notice (whether initial, annual, or revised).
    Regarding the comment that some pertinent information on the 
privacy notice could change and proposed Sec.  1016.9(c)(2)(i)(D) would 
still permit the financial institution to use the alternative delivery 
method, the Bureau is permitting use of the alternative delivery method 
following such changes to provide greater flexibility. For example, 
although information about the name of the financial institution or its 
affiliates is useful to customers, the Bureau does not believe that 
information is as important in the context of the privacy notice as 
changes to the categories of nonpublic personal information collected 
and disclosed by the financial institution, the categories of third 
parties with whom the institution discloses that information, and 
changes to the institution's policies and practices with respect to 
protecting the confidentiality and security of nonpublic personal 
information. Moreover, where a financial institution changes its name, 
that name change would likely be conveyed to the institution's 
customers through means beyond the annual privacy notice. Indeed, 
including changes to the financial institution's name, the names of its 
affiliates, or its joint marketing practices in Sec.  
1016.9(c)(2)(i)(D) likely would limit the availability of the 
alternative method without much benefit to customers. Lastly, the 
Bureau believes that the statement required by Sec.  
1016.9(c)(2)(ii)(A) that ``our privacy policy has not changed'' is 
accurate even when information such as the financial institution's name 
or its affiliates have changed, as long as the policy the financial 
institution is required to describe on its annual privacy notice 
pursuant to Sec.  1016.6(a)(1) through (5), (8), and (9) has not 
changed.
    As to a financial institution that changes its privacy policy to 
eliminate information sharing that triggers opt-out rights, the Bureau 
determines that such an institution would be able to use the 
alternative delivery method for its next annual notice and agrees that 
this should be clarified in the rule text. Under the final rule, if an 
institution chooses to stop sharing certain categories of information 
or to stop sharing information with certain categories of third 
parties, the financial institution will be able to use the alternative 
delivery method for its next annual privacy notice without first 
sending out a privacy notice pursuant to standard delivery methods 
(provided it meets the requirements of Sec.  1016.9(c)(2)). The 
Bureau is modifying Sec.  1016.9(c)(2)(i)(D) to permit financial 
institutions to use the alternative delivery method if the information 
the institution is required to convey has not changed other than to 
eliminate categories of information it discloses or categories of third 
parties to whom it discloses information.
    Lastly, as to the request for clarification about the process for 
using the alternative delivery method after a financial institution 
changes its sharing practices, the alternative delivery method does not 
alter either the requirements for providing a revised privacy notice in 
Sec.  1016.8 or any of the timing requirements in existing Sec.  
1016.5. Accordingly, to the extent that Sec.  1016.8 requires a 
financial institution to deliver a revised privacy notice if a 
financial institution changes its information sharing, the institution 
is still required to deliver that notice pursuant to Sec.  1016.9.\59\ 
Similarly, the adoption of Sec.  1016.9(c)(2) does not change the 
timing requirements for delivering the annual notice.
---------------------------------------------------------------------------

    \59\ The Bureau notes that a revised privacy notice may not be 
delivered using the alternative delivery method because the 
alternative method only may be used to satisfy the requirement to 
provide an annual notice in Sec.  1016.5(a)(1).
---------------------------------------------------------------------------

    Accordingly, if a financial institution makes a change to its 
information sharing practices that would prevent it from meeting the 
condition in Sec.  1016.9(c)(2)(i)(D), i.e., a change other than to 
eliminate categories of information it discloses or categories of third 
parties to whom it discloses, the financial institution could use the 
alternative delivery method to meet its next annual privacy notice 
requirement if it first sent a revised privacy notice pursuant to the 
standard delivery methods (provided it meets the requirements of Sec.  
1016.9(c)(2)). If the change is to its policies and practices regarding 
protecting the confidentiality and security of nonpublic personal 
information, no revised privacy notice would be required under Sec.  
1016.8 but a
financial institution could opt to provide one anyway so that it could 
use the alternative delivery method and the statement that its privacy 
policy has not changed to meet its next annual notice requirement. 
Alternatively, a financial institution that makes a change to its 
information sharing practices or its policies and practices with 
respect to protecting the confidentiality and security of nonpublic 
personal information that would prevent the institution from meeting 
the condition in Sec.  1016.9(c)(2)(i)(D) could send its next annual 
privacy notice using standard delivery methods and resume using the 
alternative delivery method thereafter.
    To the extent that a financial institution chooses to provide the 
notice of availability of its privacy policies more often than 
annually, it could include the statement that its privacy policy has 
not changed whenever the intervening change is not a change covered by 
Sec.  1016.9(c)(2)(i)(D); where the intervening change is one covered 
by Sec.  1016.9(c)(2)(i)(D), the financial institution could include 
the statement that its privacy policy has not changed once it delivers 
a revised privacy notice pursuant to the standard delivery methods. 
Regarding when a financial institution must implement the Web site 
posting of the privacy notice and the telephone number for requesting 
the notice, a financial institution may choose to adopt the alternative 
delivery method at any time. However, it would need to meet all of the 
requirements for using the alternative delivery method by the due date 
of the first annual privacy notice that the institution does not 
deliver using one of the standard delivery methods. This would include 
sending the notice of availability that informs customers of the 
existence of the Web site and the telephone number and providing 
customers access to the privacy notice by Web site and through 
telephone request by that due date.

Section 1016.9(c)(2)(i)(E)

    The last condition for use of the alternative delivery method 
included in the Bureau's proposed rule, which was set forth in proposed 
Sec.  1016.9(c)(2)(i)(E), would have required that a financial 
institution use the Regulation P model privacy form for its annual 
privacy notice. The Bureau now adopts the provision as proposed.
Proposed Rule
    The model form was adopted in 2009 as part of an interagency 
rulemaking mandated by Congress.\60\ The form was developed using 
consumer research to ensure that the model notice was easier to 
understand and use than most privacy notices then being used.\61\ 
During outreach prior to the Bureau's issuance of its May 13, 2014, 
proposed rule, consumer and privacy groups told the Bureau that the 
model form is easier for consumers to understand than other privacy 
notices. The Bureau's research on the impacts of its proposed rule \62\ 
determined that some non-model form privacy notices were not easily 
understood. This research also determined that a significant percentage 
of financial institutions already use the model privacy form. 
Accordingly, the Bureau proposed Sec.  1016.9(c)(2)(i)(E), which would 
permit use of the alternative delivery method only if a financial 
institution uses the model privacy form for its annual privacy notice.
---------------------------------------------------------------------------

    \60\ 15 U.S.C. 6803(e).
    \61\ 74 FR at 62891.
    \62\ See below, parts V and VI.
---------------------------------------------------------------------------

Comments
    The Bureau invited comment on the extent to which financial 
institutions currently use the model privacy form and, if they do not, 
whether they would choose to do so to take advantage of the proposed 
alternative delivery method. In addition, the Bureau invited comment on 
the benefit to customers of receiving a privacy notice in the model 
form rather than a privacy notice in a non-standardized format.
    The comments indicated that a significant number of industry 
participants are using the model form already. The Bureau did not 
receive much comment on whether the model form requirement would 
incentivize its use so that financial institutions could use the 
alternative delivery method. However, one industry commenter stated it 
would do so. On the other hand, some other industry commenters asserted 
that conditioning the use of the alternative delivery method on the use 
of the model form would significantly affect how many financial 
institutions could use the alternative delivery method and experience 
reduced burden.
    Consumer and public interest group commenters explicitly and 
strongly supported the model form requirement, explaining that the 
model form is easier for consumers to understand than other notices 
that individual financial institutions use because it does not have the 
legal jargon and complex vocabulary found in those other notices. An 
academic commenter described a project where notices are collected and 
compared, and stressed the importance of online standardized notices, 
such as those using the model form. Some credit union associations 
supported the model form requirement but requested that the Bureau 
clarify whether changes to the form would be acceptable and, if so, 
what types of changes would be acceptable.
    Many comments from industry members and groups supported the rule 
as proposed or only objected to requirements other than the model form, 
and so they did not appear to view the model form requirement as 
problematic. However, several industry trade associations and many 
individual institutions objected to the model form requirement. One 
trade association stated that many financial institutions currently use 
forms that they believe are more informative than the model form and 
that their customers are more familiar with. A student loan servicing 
trade association made a similar comment, stating that some servicers 
do not want to use the model form because their version provides 
customers with more information.
    Many trade association and individual industry commenters also were 
concerned that if they made changes to the model form to be clearer and 
more informative, it would preclude them from using the alternative 
delivery method. These commenters suggested that the Bureau state 
clearly that changes in wording and layout in the model form would be 
acceptable. Several commenters requested that the form used only have 
to comply with Regulation P, rather than having to follow the model 
form instructions. Two trade associations stated that the model form is 
one-size-fits-all and does not work for nontraditional financial 
institutions such as companies that offer long-term installment plans. 
Other commenters objected to the requirement that the Web page 
containing the model form have no other information and suggested that 
other privacy information should be allowed.
    The Bureau also invited comment on related state or international 
law requirements and their interaction with the model privacy notice. 
Although the Bureau did receive comments, as discussed above, on the 
proposed rule's relation to state law, those comments did not address 
the model form requirement.
    In addition, the Bureau solicited comment on whether adoption of 
the model form itself should be considered a change in the annual 
notice pursuant to proposed Sec.  1016.9(c)(2)(i)(D) such that an 
institution using the model form for the first time would be precluded 
from using the proposed alternative
delivery method until the following year's annual notice. Consumer and 
public interest group commenters did not address this issue, but some 
industry commenters stated that adoption of the model form should not 
be considered a change under Sec.  1016.9(c)(2)(i)(D).
Final Rule
    The Bureau adopts Sec.  1016.9(c)(2)(i)(E) as proposed. Based on 
the Bureau's impact analyses and the research that went into the 
development and testing of the model form,\63\ the Bureau continues to 
believe that requiring use of the model form as a condition of using 
the alternative delivery method will foster the use of a notice that 
is, in general, more consumer-friendly and effective in conveying 
privacy policy information to customers than non-standardized notices. 
The Bureau also continues to believe that Sec.  1016.9(c)(2)(i)(E) is 
likely to encourage some financial institutions that are not currently 
doing so to use the model form to take advantage of the cost savings 
associated with the alternative delivery method. Moreover, the Bureau 
does not believe that adopting the model form will entail significant 
costs for the minority of financial institutions that do not currently 
use it, and notes that there is an Online Form Builder that allows 
financial institutions to readily create customized privacy notices 
using the model form template.\64\ In addition, the Bureau believes 
that in a large majority of instances the one-time cost of adopting the 
model form will be offset quickly by the reduced cost of printing and 
mailing forms, which will then continue year after year.
---------------------------------------------------------------------------

    \63\ The research that went into the development and testing of 
the model form was detailed in four reports: (1) Financial Privacy 
Notice: A Report on Validation Testing Results (Kleimann Validation 
Report), February 12, 2009, available at https://www.ftc.gov/system/files/documents/reports/financial-privacy-notice-report-validation-testing-results-kleimann-validationreport/financial_privacy_notice_a_report_on_validation_testing_results_kleimann_validation_report.pdf; (2) Consumer Comprehension of Financial 
Privacy Notices: A Report on the Results of the Quantitative Testing 
(Levy-Hastak Report), December 15, 2008, available at https://www.ftc.gov/system/files/documents/reports/quantitative-research-levy-hastak-report/quantitative_research_-_levy-hastak_report.pdf; 
(3) Mall Intercept Study of Consumer Understanding of Financial 
Privacy Notices: Methodological Report (Macro International Report), 
September 18, 2008, available at https://www.ftc.gov/system/files/documents/reports/quantitative-research-macro-international-report/quantitative_research_-_macro_international_report.pdf; and (4) 
Evolution of a Prototype Financial Privacy Notice: A Report on the 
Form Development Project, March 31, 2006, available at https://kleimann.com/ftcprivacy.pdf. The development and testing of the 
model privacy notice is also discussed in L. Garrison, M. Hastak, 
J.M. Hogarth, S. Kleimann, A.S. Levy, Designing Evidence-based 
Disclosures: A Case Study of Financial Privacy Notices. The Journal 
of Consumer Affairs, Summer 2012: 204-234.
    \64\ This Online Form Builder is available at https://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.
---------------------------------------------------------------------------

    While some financial institution commenters asserted that 
conditioning the use of the alternative delivery method on the use of 
the model form would significantly affect how many financial 
institutions could use the alternative delivery method and experience 
reduced regulatory burden, they did not submit data or substantive 
analysis on this point. In regard to comments about forms that comply 
with Regulation P but may not comply exactly with the model form 
instructions, potentially giving rise to violations when the 
alternative delivery method is used, the Bureau notes that financial 
institutions may consult counsel on how to comply so as to limit the 
risk of government enforcement.\65\ In regard to types of financial 
institutions that do not prefer to use the model form for whatever 
reason, the Bureau notes that the model form was carefully crafted to 
be usable by a wide variety of financial institutions,\66\ but any 
institutions that choose not to use it may continue to send annual 
privacy notices in the standard manner.
---------------------------------------------------------------------------

    \65\ The Bureau also notes that there is no private right of 
action under Regulation P.
    \66\ See 74 FR at 62901.
---------------------------------------------------------------------------

    The Bureau notes that the model form accommodates information that 
may be required by state or international law, as applicable, in a box 
called ``Other important information.'' \67\ Accordingly, the Bureau 
expects that a financial institution that has additional privacy 
disclosure obligations pursuant to state or international law will 
still be able to use the model form to take advantage of the proposed 
alternative delivery method. In regard to supplemental privacy 
information a financial institution wishes to convey, the discussion of 
Sec.  1016.9(c)(2)(ii)(B) below makes clear that a link to such 
information elsewhere on the financial institution's Web site may be 
included as part of the navigational materials on the Web page 
containing the model privacy form.
---------------------------------------------------------------------------

    \67\ Appendix to part 1016 at C.3.c.1.
---------------------------------------------------------------------------

    In addition, the Bureau has determined that a financial 
institution's adoption of the model privacy form, which may require 
changes to the wording and layout of the privacy notice but not to the 
substance of the information conveyed under Sec.  1016.6(a)(1) through 
(5), (8) and (9), will not constitute a change within the meaning of 
Sec.  1016.9(c)(2)(i)(D). A financial institution thus may adopt the 
model form and use the alternative delivery method with that model form 
immediately to satisfy its annual notice requirement under Regulation 
P. This interpretation is consistent with the interpretation by the 
agencies that promulgated the model notice at the time it was first 
issued with regard to whether adoption of the form required provision 
of a revised privacy notice under Sec.  1016.8.\68\
---------------------------------------------------------------------------

    \68\ See 74 FR at 62907 n. 196.
---------------------------------------------------------------------------

Section 1016.9(c)(2)(ii)

    In proposed Sec.  1016.9(c)(2)(ii), the Bureau would have set forth 
the alternative delivery method that would be permissible to satisfy 
the requirement in Sec.  1016.5(a)(1) to provide an annual notice if a 
financial institution met the conditions described in proposed Sec.  
1016.9(c)(2)(i). The Bureau proposed an alternative delivery method for 
financial institutions that met the conditions in proposed Sec.  
1016.9(c)(2)(i) where delivery of the annual privacy notice pursuant to 
the standard delivery requirements may be less important for customers. 
As stated in the proposal, the alternative delivery method would still 
inform customers of their financial institution's privacy policies 
effectively, but at a lower cost than the standard delivery methods.
    The Bureau received comments supporting the general framework of 
the alternative delivery method proposed in Sec.  1016.9(c)(2)(ii) from 
financial institutions, consumer groups, and privacy groups alike. For 
example, a national association representing business interests and a 
national association representing the consumer credit industry stated 
that the proposed alternative delivery method would be an effective 
mechanism for ensuring that all customers are aware of the 
institution's privacy policy and their opt-out rights. A national 
association representing credit unions, a public interest group 
representing consumers, and an organization of state banking 
supervisors all supported the framework of the alternative delivery 
method. The Bureau received many comments criticizing or supporting 
specific components of the alternative delivery method. These comments 
are discussed in detail below. The Bureau is adopting Sec.  
1016.9(c)(2)(ii) largely as proposed, for the reasons stated above and 
in the proposal. Changes to the individual paragraphs of Sec.  
1016.9(c)(2)(ii) will be discussed in detail below.

Section 1016.9(c)(2)(ii)(A)

    Proposed Sec.  1016.9(c)(2)(ii)(A) would have set forth the first 
component of the alternative delivery method: That a financial 
institution inform the customer of the availability of the annual 
privacy notice. For the reasons discussed below, the Bureau is adopting 
Sec.  1016.9(c)(2)(ii)(A) substantially as proposed but with some 
modifications.
Proposed Rule
    To satisfy proposed Sec.  1016.9(c)(2)(ii)(A), a financial 
institution would have been required to convey in a clear and 
conspicuous manner not less than annually on a notice or disclosure the 
institution is required or expressly and specifically permitted to 
issue under any other provision of law that its privacy notice has not 
changed, that the notice is available on its Web site, and that a hard 
copy of the notice will be mailed to customers if they call a toll-free 
telephone number to request one.
General Comments
    Several financial institution commenters objected to proposed Sec.  
1016.9(c)(2)(ii)(A) because there are some financial products for which 
financial institutions send no documents to customers and thus 
including a notice of availability on some other statement or notice 
currently used would not be possible. For example, national 
associations representing debt buyers and automobile dealers stated 
that those financial institutions do not send or may not send documents 
to their customers at all during the course of a year. Several 
individual depository institutions commented that they do not send 
statements or notices to certain types of customers, such as customers 
with certificates of deposit, passbook savings accounts, safe deposit 
vaults, and mortgage or installment loans with coupon books.
    National associations representing banks, community banks, and 
financial service providers as well as many individual banks and credit 
unions commented that the proposed notice of availability would be 
burdensome, even for financial institutions that do send statements or 
notices to some customers. First, these commenters stated that it would 
be difficult and expensive for financial institutions to determine 
which customers and accounts receive suitable documents on which to 
include the notice of availability and which ones do not. Second, some 
financial institution commenters stated that space was limited on their 
periodic statements and that it would be unworkable to include the 
notice of availability on them.
Final Rule
    The Bureau is adopting Sec.  1016.9(c)(2)(ii)(A) substantially as 
proposed but with modifications as discussed below. It is important 
that customers receive actual notice that the annual privacy notice is 
available on the financial institution's Web site through some 
statement or notice that they are likely to read. Although posting the 
privacy notice on a Web site will make the privacy notice widely 
available, customers likely would not be aware of its existence or its 
importance without the notice of availability, especially customers 
that do not use the financial institution's Web site. The Bureau 
understands that there are costs associated with sending an annual 
notice of availability and that doing so could negate the cost savings 
of the alternative delivery method for some financial institutions that 
do not already send statements or notices to their customers. However, 
the Bureau expects that most financial institutions will be able to 
incorporate the notice of availability in a mailing that the 
institution conducts in the normal course of business. In any event, 
the Bureau believes that financial institutions that choose to use the 
alternative delivery method must provide the notice of availability 
because it is an integral component of the alternative delivery method 
given that it informs customers that the privacy notice is available.
Not Less Than Annually
    The proposed rule would have required that financial institutions 
convey the notice of availability to customers not less than annually. 
Proposed Sec.  1016.9(c)(2)(ii)(A) also would have permitted it to be 
included more often than annually (e.g., quarterly or monthly) and 
invited comment on the advantages and disadvantages of it being 
provided on a more frequent basis. Several commenters, including a 
university privacy think tank and individual credit unions and 
community banks, commented that an annual notice of availability is 
sufficient to inform customers of the online availability of the 
institution's annual privacy notice. However, a national organization 
representing consumer and privacy rights stated that the notice of 
availability should be required at least quarterly.
    The Bureau continues to believe that an annual reminder is 
sufficient to inform customers of the availability of the privacy 
notice. Indeed, the GLBA requires that the privacy notice itself be 
delivered ``not less than annually'' after the initial customer 
relationship is established, and the Bureau believes that requiring the 
notice of availability not less than annually is consistent with the 
statute.\69\ To the extent that financial institutions would prefer for 
administrative or other reasons to include the notice of availability 
on statements or notices that are delivered to customers more often 
than annually, the Bureau notes that more frequent delivery is 
permissible under Sec.  1016.9(c)(2)(ii)(A).
---------------------------------------------------------------------------

    \69\ See generally GLBA section 503(a).
---------------------------------------------------------------------------

Type of Statement Used To Convey the Notice of Availability
    With respect to the type of statement that may be used to convey 
the notice of availability, proposed Sec.  1016.9(c)(2)(ii)(A) would 
have permitted it to be conveyed on a notice or disclosure the 
institution is required or expressly and specifically permitted to 
issue under any other provision of law. The Bureau noted in the 
proposal that a notice of availability could be included on a periodic 
statement which is permitted but not required by Regulation DD \70\ to 
satisfy proposed Sec.  1016.9(c)(2)(ii)(A) but that including it on 
advertising materials that were neither required nor specifically 
permitted by law would not satisfy proposed Sec.  1016.9(c)(2)(ii)(A). 
As stated in the proposal, Sec.  1016.9(c)(2)(ii)(A) would not have 
specified in more detail the type of statements on which the notice of 
availability must be conveyed because the Bureau intended the 
alternative delivery method to be flexible enough to be used by 
financial institutions whose business practices vary widely.
---------------------------------------------------------------------------

    \70\ 12 CFR 1030.6.
---------------------------------------------------------------------------

    Many financial institution commenters advocated that the Bureau 
expand the types of documents that financial institutions could use to 
provide the notice of availability. A national association representing 
student loan servicers suggested that the Bureau should add periodic 
statements to the types of documents that could include the notice, 
because the periodic notices for student loans are not required or 
expressly and specifically permitted under any other provision of law. 
An automotive finance company identified the same concern with its 
billing statements. Several individual financial institutions requested 
that they be allowed to include the notice of availability on coupon 
books. A national association representing credit unions,
two state credit union associations, and several individual credit 
unions suggested that they be allowed to use customer newsletters, 
branch posting, or advertisements to provide the notice of 
availability.
    The Bureau is persuaded by the comments that it should broaden the 
type of statement on which the notice of availability could be included 
to satisfy Sec.  1016.9(c)(2)(ii)(A) in the final rule. The Bureau 
proposed to require that the notice of availability be included on a 
statement or notice required or otherwise permitted by law to ensure 
that customers were likely to read the underlying document on which the 
notice of availability is included. The Bureau believes that customers 
also have compelling reasons to read account statements and coupon 
books that directly concern the status of their existing accounts even 
if they are not required or otherwise permitted by law. Accordingly, 
under the final rule, the Bureau is allowing a notice of availability 
included on an ``account statement'' or ``coupon book'' also to satisfy 
Sec.  1016.9(c)(2)(ii)(A). An account statement would include periodic 
statements or billing statements not required or expressly and 
specifically permitted by law. The Bureau intends the term ``account 
statement'' to be flexible enough to cover documents provided to 
customers by a diverse array of financial institutions. In contrast, 
the Bureau is concerned that customers may not read advertisements or 
newsletters on the assumption that they do not specifically concern the 
customer's existing account. The Bureau believes it would not be 
consumer-friendly to require customers to seek out and examine 
advertisements and newsletters to find the notice of availability. The 
Bureau therefore declines to revise proposed Sec.  1016.9(c)(2)(ii)(A) 
to be satisfied by a notice of availability included in such materials. 
Further, since nothing in Sec.  1016.9(c)(2)(ii)(A) alters laws or 
regulations governing account statements, coupon books, or other 
notices or disclosures, institutions should not include the notice of 
availability on such materials in a way that would cause the materials 
to fail to comply with applicable laws or regulations governing those 
materials.
    Regarding the request that the Bureau permit physical posting of 
the notice of availability in a financial institution's lobby to 
satisfy Sec.  1016.9(c)(2)(ii)(A), the Bureau notes that the GLBA 
contemplates providing individual notice to customers of opt-out rights 
and privacy practices. For example, section 502(b)(1)(A) of the GLBA 
requires opt outs to be disclosed ``to the consumer'' and section 
503(a) of the GLBA requires the privacy notice to be delivered ``to 
such consumer.'' While the Bureau believes that providing a notice of 
availability individually directing customers to a notice on a Web site 
is sufficient to inform them of the availability of the privacy notice 
under the parameters of this rule, posting a general notice of 
availability in the financial institution's lobby or elsewhere 
generally directing customers to the privacy notice is not. Similarly, 
the Bureau does not believe that publishing a general notice of 
availability in newspapers is sufficient. Indeed, some customers do not 
go to the institution's lobby or office and may not see published 
announcements. The Bureau believes it would not be consumer-friendly to 
require customers to seek out and examine postings in an institution's 
offices or announcements in certain newspapers to find the notice of 
availability. While the Bureau recognizes that there are other statutes 
and regulations that require notice to customers for other purposes by 
such public posting or publishing, the Bureau believes such public 
notices are not sufficient given the GLBA's framework that requires 
individualized notice. Indeed, Regulation P already provides with 
respect to privacy notices that an institution may not reasonably 
expect that a consumer will receive actual notice of its privacy 
policies and practices if it only posts a sign in a branch or office or 
generally publishes advertisements of its privacy policies and 
practices.\71\ The Bureau's approach as to notices of availability is 
consistent in this respect. The Bureau is therefore revising Sec.  
1016.9(c)(2)(ii)(A) to include that delivery of the notice of 
availability must be ``to the customer'' to clarify that Sec.  
1016.9(c)(2)(ii)(A) is not satisfied by including the notice of 
availability on other disclosures or notices required or expressly 
permitted by law to be publicly posted or published.
---------------------------------------------------------------------------

    \71\ 12 CFR 1016.9(b)(2)(i). The Bureau's rule on delivery of 
Affiliate Marketing Rule notices under Regulation V similarly 
provides that a consumer may not reasonably be expected to receive 
actual notice if the affiliate providing the notice only posts the 
notice on a sign in a branch or office or generally publishes the 
notice in a newspaper. 12 CFR 1022.26(c)(1).
---------------------------------------------------------------------------

Clear and Conspicuous
    Proposed Sec.  1016.9(c)(2)(ii)(A) would have used the term ``clear 
and conspicuous,'' which is defined in existing Sec.  1016.3(b)(1) as 
meaning ``reasonably understandable'' and ``designed to call attention 
to the nature and significance of the information.'' As stated in the 
proposal, the Bureau believed that the existing examples in Sec.  
1016.3(b)(2)(i) and (ii) for reasonably understandable and designed to 
call attention, respectively, likely would provide sufficient guidance 
on ways to make the notice of availability in proposed Sec.  
1016.9(c)(2)(ii)(A) clear and conspicuous. Some commenters, including a 
state and a national association representing credit unions, supported 
the proposed clear and conspicuous requirement as sufficient given 
existing Sec.  1016.3(b)(2)(i) which provides guidance on type size, 
style, and graphic devices, such as shading and side bars. A few 
commenters, including several national associations representing large 
banks, community banks, and other financial service providers, as well 
as a few individual community banks stated that clear and conspicuous 
should be further defined.
    As stated in the proposal, the Bureau believes that the existing 
definition of clear and conspicuous and examples in Sec.  1016.3(b) are 
sufficient for the notice of availability. Given the variety of 
statements on which the notice of availability may be included and the 
numerous ways in which they may be designed, the Bureau does not 
believe that it is feasible or practical to provide guidance as to what 
would be clear and conspicuous in all of these circumstances. The 
Bureau believes that financial institutions should be able to use the 
existing definition of clear and conspicuous and examples in Sec.  
1016.3(b) to design notices of availability that consumers will be 
likely to read and therefore the Bureau adopts this aspect of Sec.  
1016.9(c)(2)(ii)(A) without change.
Toll-Free Telephone Number
    Proposed Sec.  1016.9(c)(2)(ii)(A) also would have required that 
the notice of availability include a toll-free number a customer can 
call to request that the annual privacy notice be mailed. The Bureau 
explained in the proposal that this requirement was intended to assist 
customers who do not have internet access or would prefer to receive a 
hard copy of the privacy notice and that it expected that most 
institutions would already have a toll-free number.
    The majority of commenters on this provision, typically those from 
credit unions, community banks, and other small financial institutions, 
disagreed with this aspect of the proposal. These commenters objected 
to the toll-free number requirement because many smaller institutions 
do not currently have toll-free numbers and they stated that obtaining 
a toll-free number would offset the intended burden reduction of the 
proposal. Commenters further noted
that most credit unions and community banks operate in limited 
geographical areas such that customers are typically in the same area 
code as their financial institution and thus a toll-free telephone 
number is unnecessary. Lastly, many of these commenters stated that a 
toll-free number is unnecessary given that most customers have cellular 
telephone or home telephone plans under which they would incur no 
charges for calling their financial institution to request the annual 
privacy notice.
    A few commenters, including a national association representing 
student loan servicers and some individual community banks and credit 
unions, stated that they did not object to the toll-free number 
requirement because their institution or member institutions already 
have toll-free numbers or can obtain one without significant expense. 
No commenters expressly supported requiring a toll-free telephone 
number.
    The proposal also solicited comment on whether the final rule 
should require financial institutions to provide a dedicated telephone 
line for privacy notice requests to use the alternative delivery 
method. Commenters who addressed the issue included several national 
trade associations representing large and small banks, a national trade 
association representing student loan servicers and several individual 
community banks and credit unions. All commenters who addressed this 
issue stated that requiring a dedicated toll-free number to request an 
annual privacy notice was unnecessary. Some commenters also suggested 
that requiring a dedicated telephone number was so expensive as to 
offset the potential cost savings of the proposal for small entities. 
These commenters noted that customers rarely call their financial 
institutions to opt out of sharing when mailed an annual privacy notice 
and that customers are even less likely to call their financial 
institution to request a copy of the annual notice. Given the expected 
low call volume, these commenters believe that a dedicated telephone 
line is unnecessary and unduly expensive.
    The Bureau is persuaded that requiring a toll-free telephone number 
or a dedicated telephone line to request the privacy notice be mailed 
would offset the intended burden reduction of the proposal for many 
financial institutions without providing much benefit to customers. The 
Bureau believes that the cost to financial institutions of requiring a 
toll-free telephone number or a dedicated telephone line is not 
warranted given that customers likely will call infrequently to request 
a mailed copy of the annual privacy notice, especially because the 
privacy notices would be readily available on the institutions' Web 
sites. The Bureau also considered allowing institutions to choose 
between providing a toll-free number or a telephone number a customer 
could call and reverse the charge, i.e., a telephone number that would 
accept collect calls, an alternative available under several other 
Bureau regulations.\72\ The Bureau decided against this alternative 
because it believes, as stated by commenters, that financial 
institutions that do not already maintain toll-free telephone numbers 
typically have customers who live in the same area code as the 
institution and such customers likely would request a copy of the 
privacy notice using a free local call, rather than a collect call. In 
addition, a requirement that a financial institution without a toll-
free number accept collect calls for privacy notice requests could 
effectively require the institution to accept collect calls as a 
general practice, assuming that it did not pay for a dedicated line for 
the privacy notice calls, thereby adding to its costs.
---------------------------------------------------------------------------

    \72\ See, e.g., 12 CFR 1024.33(b)(4)(ii), 1026.16(e), 
1026.24(g)(2).
---------------------------------------------------------------------------

    For the reasons described, the Bureau is adopting Sec.  
1016.9(c)(2)(ii)(A) as revised to require the notice of availability to 
include a telephone number. The Bureau encourages financial 
institutions that already maintain a toll-free telephone number to use 
that number in the statement required by Sec.  1016.9(c)(2)(ii)(A), to 
simplify the process for a customer to call and request a mailed copy 
of the privacy notice.
Other Issues
    Proposed Sec.  1016.9(c)(2)(ii)(A) also would have required the 
institution to state on the notice of availability that its privacy 
policy has not changed. The Bureau intended this proposed requirement 
to help customers assess whether they are interested in reading and 
accessing the policy. This statement would always be accurate if the 
alternative delivery method is used correctly, because a financial 
institution could not use the alternative delivery method if its annual 
privacy notice had changed under Sec.  1016.9(c)(2)(i)(D). A compliance 
company commented that the statement that the privacy policy had not 
changed might not be accurate in certain situations where a financial 
institution eliminates categories of information it discloses or 
categories of third parties to whom it discloses information. That 
comment is addressed above in the section-by-section analysis of Sec.  
1016.9(c)(2)(i)(D).
    Proposed Sec.  1016.9(c)(2)(ii)(A) further would have required that 
the statement include a specific web address that takes customers 
directly to the Web page where the privacy notice is available. 
Proposed Sec.  1016.9(c)(2)(ii)(A) would have required a web address 
that the customer can type into a web browser to directly access the 
page that contains the privacy notice so that the customer need not 
click on any links after typing in the web address. The Bureau proposed 
this requirement because a direct link may make it easier and more 
convenient for customers to access the privacy notice, particularly for 
notices of availability delivered electronically that provide a 
hyperlink. While the Bureau recognizes that the length and complexity 
of the web address would affect how easy and convenient it is for 
customers to manually type in the address, the Bureau does not 
anticipate that institutions will provide addresses that are needlessly 
lengthy or complex. If this does not prove to be the case, the Bureau 
may consider measures in the future to ensure that the Web site 
addresses used are consumer-friendly. The Bureau did not receive any 
comments on this aspect of the proposal and adopts this element of 
Sec.  1016.9(c)(2)(ii)(A) as proposed.
    The Bureau further noted in the proposal that if two or more 
financial institutions provide a joint privacy notice pursuant to Sec.  
1016.9(f), proposed Sec.  1016.9(c)(2)(ii)(A) would require each 
financial institution to separately provide the notice of availability 
on a notice or disclosure that it is required or permitted to issue. 
The Bureau invited comment on how often financial institutions jointly 
provide privacy notices and whether the proposed alternative delivery 
method would be feasible for such jointly issued notices, but the 
Bureau received no comments on that issue. Section 1016.9(c)(2)(ii)(A) 
as finalized would require each institution providing a joint notice to 
send a notice of availability on an account statement, coupon book, or 
other notice or disclosure it is required or expressly and specifically 
permitted to issue to the customer. Financial institutions that jointly 
provide account statements, coupon books, or other notices or 
disclosures could also satisfy Sec.  1016.9(c)(2)(ii)(A) by including 
the notice of availability on such jointly provided materials.
    A national organization representing consumer and privacy interests 
suggested that the notice of availability include the fact that privacy 
notices
may be delivered by email upon the customers' request and provide 
instructions for how customers could exercise that option. The Bureau 
declines to require notification of email availability to be included 
in the notice because some financial institutions may not have the 
capability to provide privacy notices by email. The Bureau notes, 
however, that a financial institution could include such a statement in 
the notice of availability required by Sec.  1016.9(c)(2)(ii)(A) as 
long as the required content of the notice of availability is clear and 
conspicuous. For the reasons discussed, the Bureau is adopting Sec.  
1016.9(c)(2)(ii)(A) with the modifications described above.

Section 1016.9(c)(2)(ii)(B)

    Proposed Sec.  1016.9(c)(2)(ii)(B) would have set forth the second 
component of the alternative delivery method: That the financial 
institution post its current privacy notice continuously and in a clear 
and conspicuous manner on a page of the institution's Web site that 
contains only the privacy notice, without requiring the customer to 
provide any information such as a login name or password or agree to 
any conditions to access the page. The Bureau is adopting Sec.  
1016.9(c)(2)(ii)(B) as revised, for the reasons discussed below.
Proposed Rule
    The Bureau believes, and comments on the proposal support the 
conclusion, that many financial institutions already maintain Web sites 
where they could post the annual privacy notice. Moreover, encouraging 
financial institutions to post the notices would benefit consumers by 
making the notices more widely available. Proposed Sec.  
1016.9(c)(2)(ii)(B) would have required that the annual notice be 
posted on a page of the Web site that contains only the privacy notice.
Comments
    A state-chartered bank and a credit union opposed the requirement 
that the Web page contain only the privacy notice. These commenters 
stated that they include the privacy notice with other relevant privacy 
policies for their institution and thus customers could miss valuable 
privacy-related information if no other information were permitted to 
be included with the privacy notice. National associations representing 
large banks, community banks, and the financial services industry as 
well as a coalition of financial institutions focusing on e-commerce 
and privacy objected to the proposed requirement that the Web site not 
require a login name or password or that the customer agree to any 
terms to access it. These commenters argued that financial institutions 
often require customers to accept terms to initially access a Web site, 
particularly where customer account information accessed through the 
Web site may need to be protected for security reasons. Few other 
commenters addressed this issue, however.
    Other commenters raised a variety of concerns about the posting of 
the privacy notice. National associations representing large banks, 
community banks, the financial services industry, and credit unions and 
several individual banks and credit unions suggested that the Bureau 
remove the word ``continuously'' so that a financial institution would 
not be in violation of Sec.  1016.9(c)(2)(ii)(B) in the event its Web 
site malfunctioned. An organization representing state banking 
supervisors suggested that Sec.  1016.9(c)(2)(ii)(B) require financial 
institutions to include a link to the privacy policy on their home 
page. Lastly, one credit union commenter requested that the Bureau 
allow the privacy notice to be posted physically in the lobby of the 
financial institution for financial institutions that do not maintain 
Web sites.
Final Rule
    The Bureau is adopting Sec.  1016.9(c)(2)(ii)(B) as revised. As to 
the commenters who stated that the requirement that the Web page 
contain only the privacy notice could prevent consumers from seeing 
supplemental privacy information, as stated in the proposal, the Bureau 
is concerned that permitting information other than the privacy notice 
to be included on the Web page could detract from the prominence of the 
notice and make it less likely that a customer would actually read it. 
The Bureau believes that the risk of such distracting information being 
included with the privacy notice outweighs any potential benefit to 
allowing additional content to be included on the page with the privacy 
notice. The Bureau is revising Sec.  1016.9(c)(2)(ii)(B) to clarify 
that the privacy notice must be the only content on the Web page. 
Information that is not content, however, such as navigational menus 
that link to other pages on the financial institution's Web site, could 
appear on the same page as the privacy notice pursuant to Sec.  
1016.9(c)(2)(ii)(B). Indeed, such navigational materials could include 
a link to another portion of the financial institution's Web site that 
contains supplemental information concerning other privacy or 
information management practices.\73\
---------------------------------------------------------------------------

    \73\ See generally 74 FR at 62908 (noting, in response to 
industry requests for the flexibility to add other information to 
the model privacy form, that the agencies were not precluding an 
institution from providing such information on other, supplemental 
materials).
---------------------------------------------------------------------------

    With respect to the requirement that the Web page not require a 
login name or password or that the customer agree to any conditions to 
access it, the Bureau declines to revise this requirement. The Bureau 
intends for the alternative delivery method to serve customers who may 
not already use the financial institution's Web site to manage their 
accounts and thus may not have agreed to terms or created login 
credentials. Indeed, as stated in the proposal, the Bureau is concerned 
that if customers were required to register for a login name or sign in 
to the financial institution's Web site simply to access the privacy 
notice, it could discourage some customers from accessing and reading 
the notice. The Bureau notes that financial institutions could still 
require customers to have login credentials or agree to terms and 
conditions to access other portions of the Web site, such as those 
containing sensitive account information or used to conduct 
transactions, including exercising the Affiliate Marketing Rule opt-out. 
Given that the alternative delivery method will require customers 
to seek out the annual privacy notice in a way that they have not 
previously been required to do, Sec.  1016.9(c)(2)(ii)(B) is meant to 
make accessing the privacy notice on an institution's Web site as 
simple and straightforward as possible.
    As to the proposal's requirement that the privacy notice be posted 
continuously, the Bureau does not regard ``continuously'' to suggest 
that financial institutions would violate Sec.  1016.9(c)(2)(ii)(B) if 
their Web site temporarily malfunctioned. This language requiring 
posting ``continuously'' on a Web site is used in existing Sec.  
1016.9(c)(1) (which is being recodified in this final rule as Sec.  
1016.9(c)(1)(i)). The Bureau understands from the comments that 
financial institutions would be unlikely to post standardized 
information, such as the privacy notice, on a non-continuous basis. 
Nevertheless, the Bureau emphasizes that Sec.  1016.9(c)(2)(ii)(B) 
assumes that financial institutions will post the privacy notice on 
their Web sites so that the notice is available but for occasional or 
unavoidable interruptions, such as routine maintenance or unexpected 
malfunctions.
    Regarding requiring a link to the privacy notice from a financial 
institution's homepage, during outreach before the proposal, many 
financial institutions stated to the Bureau that space on their Web 
site's home page is extremely valuable and that requiring a link on the 
home page would limit their ability to use that space for other 
important communications with customers. Although the Bureau encourages 
financial institutions to include a link to the privacy policy on other 
pages of their Web sites, including the home page, the Bureau declines 
to require such a link. Because Sec.  1016.9(c)(2)(ii)(A) requires the 
notice of availability to include a web address for the page containing 
the privacy notice, the Bureau expects that customers can easily locate 
the page. The Bureau further notes, as stated in the proposal, that 
other pages on the financial institution's Web site could link to the 
page containing the privacy notice. Nevertheless, a financial 
institution would still have to provide the customer a specific web 
address that takes the customer directly to the page where the privacy 
notice is available to satisfy the requirement to post the notice on 
the financial institution's Web site in Sec.  1016.9(c)(2)(ii)(B).\74\
---------------------------------------------------------------------------

    \74\ With regard to the proposed requirement that the notice be 
posted in a ``clear and conspicuous'' manner, the Bureau notes that 
existing Sec.  1016.3(b)(2)(iii) gives examples of what clear and 
conspicuous means for a privacy notice posted on a Web site. One 
example provides that a financial institution designs its notice to 
call attention to the nature and significance of the information in 
the notice if it uses text or visual cues to encourage scrolling 
down the page if necessary to view the entire notice and ensures 
that other elements on the Web site (such as text, graphics, 
hyperlinks, or sound) do not distract attention from the notice. 
Section 1016.3(b)(2)(iii)(A) and (B) also provides examples of clear 
and conspicuous placement of the notice within the financial 
institution's Web site but these examples do not seem relevant to 
the posting of the notice for the alternative delivery method 
because customers will be typing into their web browser the web 
address of the specific page that contains the annual notice, rather 
than navigating to the annual notice from the financial 
institution's home page. To the extent that a financial institution 
is satisfying existing Sec.  1016.9(a) and not the alternative 
delivery method in Sec.  1016.9(c)(2) by posting the privacy notice 
on its Web site, the clear and conspicuous examples in Sec.  
1016.3(b)(2)(iii)(A) and (B) still apply.
---------------------------------------------------------------------------

    As to the suggestion that the privacy notice be posted in the 
institution's lobby, rather than on a Web site, the Bureau understands 
that there may be some institutions that do not maintain Web sites. The 
Bureau believes, however, that Web site posting is an integral 
component of the alternative delivery method and ensures that the 
privacy notice is widely available when it is not sent to individual 
customers according to standard delivery methods. The Bureau does not 
believe that lobby posting of the privacy notice makes it sufficiently 
available to customers given the individualized notice contemplated by 
the GLBA and discussed more fully in the section-by-section analysis of 
Sec.  1016.9(c)(2)(i)(A) above. Accordingly, the Bureau declines to 
revise Sec.  1016.9(c)(2)(ii)(B) to permit posting of the notice in a 
lobby to satisfy the requirement. For the reasons discussed, the Bureau 
is adopting Sec.  1016.9(c)(2)(ii)(B) as revised.

Section 1016.9(c)(2)(ii)(C)

    Proposed Sec.  1016.9(c)(2)(ii)(C) would have set forth the third 
component of the alternative delivery method: That the financial 
institution mail promptly its current privacy notice to those customers 
who request it by telephone. For the reasons discussed below, the 
Bureau adopts Sec.  1016.9(c)(2)(ii)(C) as revised.
Proposed Rule
    As stated in the proposal, the Bureau proposed this requirement to 
assist customers without internet access and customers with internet 
access who would prefer to receive a hard copy of the notice. The 
Bureau invited comment in the proposal on whether requiring prompt 
mailing is sufficient to ensure that customers receive privacy notices 
in a timely manner or whether ``promptly'' should be more specifically 
defined, such as by a certain number of days.
Comments
    A few bank commenters stated that it was not necessary to define 
``promptly'' further, but most financial institutions that commented on 
this issue stated that a specific number of days would be helpful. 
Suggestions included five days, ten business days, 15 days, and 30 
days. A trade association representing mortgage lenders requested that 
the Bureau revise Sec.  1016.9(c)(2)(ii)(C) to require that the financial 
institution send the privacy notice, rather than mail it, to clarify 
that the financial institution could comply with the requirement by 
emailing the privacy notice. An organization representing consumers and 
privacy rights suggested that the Bureau expressly prohibit a financial 
institution from including other information, such as sales 
solicitations, in the mailing containing the annual privacy notice so 
as to avoid distracting customers with irrelevant information.
Final Rule
    In response to the commenters' requests for clarity on how long 
financial institutions have to mail privacy notices upon request, the 
Bureau is adopting Sec.  1016.9(c)(2)(ii)(C) as revised to require 
notices to be mailed within ten days of the customer's request. The 
Bureau notes that existing provisions of Regulation P define periods in 
terms of a number of days, meaning calendar days.\75\ The Bureau 
believes that financial institutions should be able to provide a 
privacy notice within ten calendar days of a customer's request, even 
accounting for weekends and holidays during which the financial 
institution may be closed. As stated in the proposal, the Bureau notes 
that consistent with privacy notices currently provided under 
Regulation P, it expects that financial institutions will not charge 
the customer for delivering the annual notice, given that delivery of 
the annual notice is required by statute and regulation.
---------------------------------------------------------------------------

    \75\ E.g., 12 CFR 1016.10(a)(3).
---------------------------------------------------------------------------

    Regarding email delivery of the privacy notice upon request, as 
stated in the proposal, Sec.  1016.9(c)(2)(ii)(C) is intended primarily 
for customers without internet access to be able to receive a paper 
copy of the privacy notice through the U.S. mail. The Bureau expects 
that customers with internet access who receive the notice of 
availability are much more likely to go to the financial institution's 
Web site to access the privacy notice than to telephone the financial 
institution to request a privacy notice be sent to them.
    With respect to prohibiting the mailing containing the privacy 
notice from containing other information, such as solicitations, the 
Bureau declines to impose a blanket prohibition on the inclusion of 
such material. As discussed above, the Supplementary Information to the 
Final Model Privacy Form Under the Gramm-Leach-Bliley Act explained 
that financial institutions that use the model privacy form are not 
precluded from providing additional information in other, supplemental 
materials to customers if they wish to do so.\76\ Further, the existing 
requirement at Sec.  1016.5(a) that the annual notice be ``clear and 
conspicuous'' would apply to the mailing of this privacy notice as it 
does to the standard delivery methods for annual notices.\77\ This 
requirement precludes the inclusion of other material in a manner that 
would render the privacy notice not reasonably understandable and designed to call 
attention to the nature and significance of the information in the 
notice. In light of this existing requirement and the fact that 
customers who have requested the privacy notice be mailed will be 
expecting it, the Bureau does not believe that it is necessary at this 
time to impose a blanket prohibition on the inclusion of other material 
with the mailing of the privacy notice.
---------------------------------------------------------------------------

    \76\ See 74 FR at 62908.
    \77\ Cf. 74 FR at 62898 (``[T]he Agencies agree that 
institutions may incorporate the model form into another document 
but they must do so in a way that meets all the requirements of the 
privacy rule and the model form instructions, including that: The 
model form must be presented in a way that is clear and conspicuous; 
it must be intact so that the customer can retain the content of the 
model form; and it must retain the same page orientation, content, 
format, and order as provided for in this Rule.'') (footnotes 
omitted).
---------------------------------------------------------------------------

Section 1016.9(c)(2)(iii)

    Proposed Sec.  1016.9(c)(2)(iii) would have provided an example of 
a notice of availability that satisfies Sec.  1016.9(c)(2)(ii)(A). The 
Bureau is adopting Sec.  1016.9(c)(2)(iii) substantially as proposed 
with minor technical revisions.
Proposed Rule
    The Bureau intended the example in proposed Sec.  1016.9(c)(2)(iii) 
to provide clear guidance on permissible content for the notice of 
availability to facilitate compliance. The proposed example would have 
included the heading ``Privacy Notice'' in boldface on the notice of 
availability. The proposed example further would have stated that 
Federal law requires the financial institution to tell customers how it 
collects, shares, and protects their personal information; this 
language mirrors the ``Why'' box on the model privacy notices.
Comments
    One commenter requested that other forms of emphasis be permitted 
rather than boldface because they could not use boldface in their 
software system. A national and a state association representing credit 
unions requested that the Bureau create a model notice of availability 
with graphics and shading that would be a safe harbor for compliance 
with proposed Sec.  1016.9(c)(2)(ii)(A).
Final Rule
    The Bureau is adopting Sec.  1016.9(c)(2)(ii) as revised. With 
respect to the comment that some financial institutions' software 
programs do not allow for boldface, the Bureau notes that Sec.  
1016.9(c)(2)(iii) is an example of how to comply with Sec.  
1016.9(c)(2)(ii)(A) but other language and formatting techniques could 
also satisfy that section. Nevertheless, the Bureau is revising Sec.  
1016.9(c)(2)(iii) to state that the heading ``Privacy Notice'' could be 
in boldface or otherwise emphasized. ``Otherwise emphasized'' could 
include using all capital letters or underlining. As to the requests to 
create a model notice of availability with shading and graphics, the 
Bureau declines to do so at this time because it believes that the 
example notice of availability in Sec.  1016.9(c)(2)(iii) provides 
sufficient guidance to financial institutions on how to comply with 
Sec.  1016.9(c)(2)(ii)(A). The Bureau is also modifying Sec.  
1016.9(c)(2)(iii) to reflect that the telephone number provided need 
not be a toll-free number, to be consistent with Sec.  
1016.9(c)(2)(ii)(A) as finalized.

V. Section 1022(b)(2) of the Dodd-Frank Act

A. Overview

    In developing the final rule, the Bureau has considered its 
potential benefits, costs, and impacts.\78\ In addition, the Bureau has 
consulted and coordinated with the SEC, CFTC, FTC, and NAIC, and 
consulted with or offered to consult with the OCC, the Board, FDIC, 
NCUA, and HUD, including regarding consistency with any prudential, 
market, or systemic objectives administered by such agencies.
---------------------------------------------------------------------------

    \78\ Specifically, section 1022(b)(2)(A) of the Dodd-Frank Act 
calls for the Bureau to consider the potential benefits and costs of 
a regulation to consumers and covered persons, including the 
potential reduction of access by consumers to consumer financial 
products or services; the impact on depository institutions and 
credit unions with $10 billion or less in total assets as described 
in section 1026 of the Dodd-Frank Act; and the impact on consumers 
in rural areas.
---------------------------------------------------------------------------

    This final rule amends Sec.  1016.9(c) of Regulation P to provide 
an alternative method for delivering annual privacy notices. The 
primary purpose of the rule is to reduce unnecessary or unduly 
burdensome regulations, and the alternative delivery method will reduce 
the burden of providing these annual privacy notices. A financial 
institution may use the alternative delivery method if:
    (1) It does not disclose the customer's nonpublic personal 
information to nonaffiliated third parties in a manner that triggers 
GLBA opt-out rights;
    (2) It does not include on its annual privacy notice an opt-out 
notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act 
(FCRA);
    (3) The requirements of section 624 of the FCRA and the Affiliate 
Marketing Rule, if applicable, have been satisfied previously or the 
annual privacy notice is not the only notice provided to satisfy such 
requirements;
    (4) The information included in the privacy notice has not changed 
since the customer received the previous notice (subject to an 
exception); and
    (5) It uses the model form provided in the GLBA's implementing 
Regulation P.
    Under the alternative delivery method, the financial institution 
would have to:
    (1) Convey in a clear and conspicuous manner not less than annually 
on an account statement, coupon book, or a notice or disclosure the 
institution issues under any provision of law that its privacy notice 
is available on its Web site, it will be mailed to customers who 
request it by telephone, and it has not changed;
    (2) Post its current privacy notice in a continuous and clear and 
conspicuous manner on a page of its Web site on which the only content 
is the privacy notice, without requiring a login name or similar steps 
or agreeing to any conditions to access the page; and
    (3) Mail its current privacy notice to customers who request it by 
telephone within ten days of the request.

B. Potential Benefits and Costs to Consumers and Covered Persons

    The requirements in Sec.  1016.9(c)(2) provide certain benefits to 
consumers relative to the baseline established by the current 
provisions of Regulation P. These requirements provide an incentive for 
financial institutions to adopt the model privacy form and to post it 
on their Web sites, particularly when these changes are the only ones 
that would be needed to use the alternative delivery method. Recent 
research establishes that large numbers of banks, credit unions and 
other financial institutions do not post the model privacy form on 
their Web sites and presumably many have not adopted it.\79\ Given the 
consumer testing that went into the development of the model form and the public input that 
went into its design, the Bureau believes that the model form is 
generally clearer and easier to understand than most privacy notices 
that deviate from the model.\80\ While the Bureau does not know how 
many more financial institutions would adopt the model privacy form and 
post it on their Web sites in order to use the alternative delivery 
method, at least some additional consumers likely would be able to 
learn about the information sharing policies of financial institutions 
through the model privacy form as a result of Sec.  1016.9(c)(2). It 
also may be more convenient for some consumers to learn about 
information sharing policies from a privacy policy on a Web site rather 
than a mailed copy, especially since financial institutions using the 
alternative delivery method must limit their information sharing to 
practices that do not give consumers opt-out rights. Thus, Sec.  
1016.9(c)(2) likely would make it easier for some consumers to review 
and understand privacy policies and to make comparisons across 
financial institutions with regard to privacy policies and opt outs.
---------------------------------------------------------------------------

    \79\ See L. F. Cranor, K. Idouchi, P. G. Leon, M. Sleeper, B. 
Ur, Are They Actually Any Different? Comparing Thousands of 
Financial Institutions' Privacy Practices. The Twelfth Workshop on 
the Economics of Information Security (WEIS 2013), June 11-12, 2013, 
Washington, DC, available at https://weis2013.econinfosec.org/papers/CranorWEIS2013.pdf. They find that only about 51% of FDIC insured 
depositories for which a Web site domain name is listed in the FDIC 
directory of financial institutions (3,422 out of 6,701) post the 
model privacy form on their Web sites. A Web site was not listed for 
an additional 371 institutions, and these institutions were excluded 
from the analysis. Some of these authors recently replicated and 
extended this work; see L. F. Cranor, P. G. Leon, B. Ur, A Large-Scale 
Evaluation of U.S. Financial Institutions' Standardized 
Privacy Notices, undated, available at https://www.andrew.cmu.edu/user/pgl/financialnotices.pdf. These authors find that 56% of FDIC 
insured depositories for which a Web site domain name is listed in 
the FDIC directory of financial institutions (3,594 out of 6,409) 
post the model privacy form on their Web sites. They also analyzed a 
much larger group of insured depositories, credit unions and credit 
card companies, first searching for an institution's Web site (when 
the Web site URL was not on lists of financial institutions they 
obtained from the FDIC, NCUA and the Federal Reserve) and then 
searching for the institution's model privacy form. With this 
methodology, the authors find that only about 32% (6,191 of 19,329) 
of this larger group of financial institutions posts the model 
privacy form on Web sites.
    \80\ The research that went into the development and testing of 
the model form was detailed in four reports: (1) Financial Privacy 
Notice: A Report on Validation Testing Results (Kleimann Validation 
Report), February 12, 2009, available at https://www.ftc.gov/system/files/documents/reports/financial-privacy-notice-report-validation-testing-results-kleimann-validationreport/financial_privacy_notice_a_report_on_validation_testing_results_kleimann_validation_report.pdf; (2) Consumer Comprehension of Financial 
Privacy Notices: A Report on the Results of the Quantitative Testing 
(Levy-Hastak Report), December 15, 2008, available at https://www.ftc.gov/system/files/documents/reports/quantitative-research-levy-hastak-report/quantitative_research_-_levy-hastak_report.pdf; 
(3) Mall Intercept Study of Consumer Understanding of Financial 
Privacy Notices: Methodological Report (Macro International Report), 
September 18, 2008, available at https://www.ftc.gov/system/files/documents/reports/quantitative-research-macro-international-report/quantitative_research_-_macro_international_report.pdf; and (4) 
Evolution of a Prototype Financial Privacy Notice: A Report on the 
Form Development Project, March 31, 2006, available at https://kleimann.com/ftcprivacy.pdf. The development and testing of the 
model privacy notice is also discussed in L. Garrison, M. Hastak, 
J.M. Hogarth, S. Kleimann, A.S. Levy, Designing Evidence-based 
Disclosures: A Case Study of Financial Privacy Notices. The Journal 
of Consumer Affairs, Summer 2012: 204-234.
---------------------------------------------------------------------------

    The requirements in Sec.  1016.9(c)(2) also may benefit consumers 
who transact with financial institutions that adopt the alternative 
delivery method by disclosing that a financial institution's privacy 
policy has not changed. These consumers would not receive a notice 
presenting the full privacy policy unless the privacy policy has 
changed or when other requirements for use of the alternative delivery 
method are not met. There is no representative, administrative data 
available on the number of consumers who are indifferent to or dislike 
receiving full, unchanged privacy notices every year. The limited use 
of opt outs and anecdotal evidence suggest that there are such 
consumers. In addition, one national trade association surveyed its 
members and found that 76% of respondents were more likely to read a 
privacy notice when there were changes to it. The commenter concluded 
that notification of a change to a privacy policy was more important to 
its members than routinely sending privacy notices in the mail.
    The Bureau believes that few consumers would experience any costs 
from Sec.  1016.9(c)(2). There is a risk that some consumers may be 
less informed about a financial institution's information sharing 
practices if the financial institution adopts the alternative delivery 
method. However, Sec.  1016.9(c)(2)(ii)(A) mitigates this risk by 
requiring the inclusion annually on another notice or disclosure of a 
clear and conspicuous statement that the privacy notice is available on 
the Web site, and Sec.  1016.9(c)(2)(ii)(B) ensures that the model 
privacy form is posted in a continuous and clear and conspicuous manner 
on the Web site. Consumers may print the privacy notice at their own 
expense, while under current Sec.  1016.9(c)(2) the notice is delivered 
to them, which represents a transfer of costs from industry to 
consumers. However, Sec.  1016.9(c)(2)(ii)(A) provides consumers with a 
specific telephone number to request that the privacy notice be mailed 
to the consumer, which gives consumers the option of obtaining the 
notice without incurring the cost of printing it. Further, the Bureau 
believes that a printed form is mostly valuable to consumers who would 
exercise opt-out rights. The only opt outs that could be available to 
the consumer under Sec.  1016.9(c)(2) would be voluntary opt outs, 
i.e., opt outs from modes of sharing information that are not required 
by Regulation P, or (at the institution's discretion) an Affiliate 
Marketing Rule opt-out beyond those the institution has previously 
provided elsewhere. Voluntary opt outs do not appear to be common.\81\
---------------------------------------------------------------------------

    \81\ See Cranor et al. (2013). Their findings (Table 2) imply 
that at most 15% of the 3,422 FDIC insured depositories that post 
the model privacy form on their Web sites offer at least one 
voluntary opt out. Data from a much larger group of financial 
institutions analyzed by Cranor et al. (undated) imply (Table 2) 
that at most 27% of the 6,191 financial institutions that post the 
model privacy form on their Web sites offer at least one voluntary 
opt out.
---------------------------------------------------------------------------

    A number of commenters claimed that few consumers derive any 
benefit from the annual privacy notice, most do not read the notice, 
and some consumers may dislike receiving it. A national trade 
association surveyed its members and found that 25% of the respondents 
who recalled receiving an annual privacy notice either disposed of the 
notice without opening it or opened it without reading it. The 
remaining 75% would skim or read the notice. One state banking 
association asked its members if the bank ever received a complaint or 
comment about the bank's privacy notice from a customer. The commenter 
did not provide quantitative information but offered examples of 
responses. Among the responses were statements that customers would 
call after receiving the annual privacy notice to complain or to ask 
not to receive the notice in the future. These commenters generally 
conclude that there would be no cost to consumers and perhaps 
additional benefits from alternatives to the rule that allowed for more 
widespread adoption of the alternative delivery method.
    As explained at length above, the Bureau believes that requiring 
notices that have changed or that include required consumer opt-outs to 
be physically delivered, unless the consumer has agreed to receive them 
electronically, is more consistent with the importance to the statutory 
scheme of customers' ability to exercise opt-out rights and more 
consumer-friendly than allowing use of the alternative delivery method 
where notices have changed or include required opt-outs. That 
discussion is incorporated here. Further, the Bureau believes that 
while some consumers may prefer not to receive annual privacy notices 
even when those notices include required opt-outs, others may feel 
differently, and consumers who would fail to exercise an opt out if the 
alternative delivery method were available incur a cost. Finally, the 
Bureau notes that the data from one commenter described above at least 
suggests that consumers may benefit from physical delivery when the 
notice has changed.
    Regarding benefits and costs to covered persons, the primary effect 
of the final rule is to reduce burden by lowering the costs to industry 
of providing annual privacy notices. The requirements in Sec.  
1016.9(c)(2) impose no new compliance requirements on any financial 
institution. All methods of
compliance under current law remain available to a financial 
institution, and a financial institution that is in compliance with 
current law is not required to take any different or additional action. 
The Bureau believes that a financial institution would adopt the 
alternative delivery method only if it expected the costs of complying 
with the alternative delivery method would be lower than the costs of 
complying with existing Regulation P.
    By definition, the expected cost savings to financial institutions 
from the adoption of Sec.  1016.9(c)(2) is the expected number of 
annual privacy notices that would be provided through the alternative 
delivery method multiplied by the expected reduction in the cost per-
notice from using the alternative delivery method. As explained below, 
many financial institutions would not be able to use the alternative 
delivery method without changing their information sharing practices, 
and the Bureau believes that few financial institutions would find it 
in their interest to change information sharing practices just to 
reduce the costs of providing the annual privacy notice. Thus, the 
first step in estimating the expected cost savings to financial 
institutions from Sec.  1016.9(c)(2) would be to identify the financial 
institutions whose current information sharing practices would allow 
them to use the alternative delivery method. The Bureau would then need 
to determine their current costs for providing the annual privacy 
notices and the expected costs of providing these notices under Sec.  
1016.9(c)(2).\82\
---------------------------------------------------------------------------

    \82\ The analysis that follows makes certain additional 
assumptions about adjustments that financial institutions are not 
likely to undertake just to be able to adopt the alternative 
delivery method. For example, a small institution without a Web site 
might not find it worthwhile to establish one given the relatively 
small savings in costs that might result. These assumptions are 
discussed further below.
---------------------------------------------------------------------------

    The Bureau does not have sufficient data to perform every step of 
this analysis, but it performed a number of analyses and outreach 
activities to approximate the expected cost savings. Regarding banks, 
the Bureau examined the privacy policies of the 19 banks with assets 
over $100 billion as well as the privacy policies of 106 additional 
banks selected through random sampling.\83\ The Bureau found that the 
overall average rate at which banks' information sharing practices 
would make them eligible for using the alternative delivery method if 
other conditions were met is 80%.\84\ However, only 21% of sampled 
banks with assets over $10 billion could clearly use the alternative 
delivery method, while 81% of sampled banks with assets of $10 billion 
or less and 88% of sampled banks with assets of $500 million or less 
could clearly use the alternative delivery method. These results 
indicate that a large majority of smaller banks would likely be able to 
use the alternative delivery method but most of the largest banks would 
not.\85\
---------------------------------------------------------------------------

    \83\ The Bureau defined five strata for banks under $100 billion 
and three strata for credit unions under $10 billion and drew random 
samples from each of the strata. We obtained privacy policies from 
the Web sites of financial institutions.
    \84\ In these and subsequent calculations, entities that stated 
that they shared information so their affiliates could market to the 
consumer were considered eligible for the alternative delivery 
method since they could use the alternative delivery method as long 
as the annual privacy notice is not the only notice on which they 
provide the opt-out; see Sec.  1016.9(c)(2)(i)(C).
    \85\ As discussed in the section-by-section analysis, a banking 
trade association commenting on the Streamlining RFI estimated that 
75% of banks do not change their notices from year to year and do 
not share information in a way that gives rise to customer opt-out 
rights. The Bureau's estimate is consistent with this comment.
---------------------------------------------------------------------------

    One state banking association surveyed its members and provided 
data that is generally consistent with the finding that the vast 
majority of smaller banks would likely be able to use the alternative 
delivery method. Ninety-nine institutions responded to at least one of 
six questions. Fifty-three provided their bank's total assets; of these, 
50 reported assets under $500 million. However, only 12 respondents 
stated that they would not be eligible to use the alternative delivery 
method. If these 12 respondents were among the 53 that provided their 
bank's total assets and all 53 responded to the question about 
eligibility, between 76% and 82% of this association's members with 
assets under $500 million believed they would be eligible to use the 
alternative delivery method.\86\
---------------------------------------------------------------------------

    \86\ Unfortunately, more precise calculations are not possible 
without more information about responses conditional on asset size 
and the response rate to each question.
---------------------------------------------------------------------------

    The Bureau also examined the privacy policies of the four credit 
unions with assets over $10 billion as well as the privacy policies of 
50 additional credit unions selected through random sampling. The 
Bureau found that three of the four credit unions with assets over $10 
billion clearly could use the alternative delivery method without 
changing their information sharing policies. Further, 67% of sampled 
credit unions with assets over $500 million could clearly use the 
alternative delivery method. However, the Bureau also found that only 
13 of the 25 sampled credit unions with assets of $500 million or less 
either posted the model privacy form on their Web sites or provided 
enough information about their sharing practices to permit a clear 
determination regarding whether the alternative delivery method would 
be available to them (2 of the 25 did not have Web sites). The Bureau 
found that 11 of the 13 (85%) for which a determination could be made 
would be able to use the alternative delivery method, and the Bureau 
believes that a significant majority of the sample of 25 would be able 
to use the alternative delivery method (perhaps after adopting the 
model form). For purposes of this analysis, the Bureau conservatively 
assumes that only 11 of the 25 sampled credit unions with assets of 
$500 million or less would be able to use the alternative delivery 
method, although the actual figure is likely much higher.
    The Bureau requested comment on how to improve this estimate of the 
number of small credit unions that would be able to use the alternative 
delivery method. The Bureau did not receive comments on this specific 
issue. Comments that relate to the general accuracy of these estimates 
are discussed below.
    Although these estimates provide some insight into the numbers of 
banks and credit unions that could use the alternative delivery method, 
the Bureau does not have precise data on the number of annual privacy 
notices these institutions currently provide. Thus, it is not possible 
to directly compute the total number of annual privacy notices that 
would no longer be sent. The Bureau does, however, have information 
about the burden on banks, credit unions and non-depository financial 
institutions from providing the annual privacy notices from the 
Paperwork Reduction Act Supporting Statements for Regulation P on file 
with the Office of Management and Budget. This information can be used 
to obtain an estimate of the ongoing savings from the alternative 
delivery method.\87\
---------------------------------------------------------------------------

    \87\ It is worth noting at the outset that, with this 
methodology, the total cost of providing the annual privacy notice 
and opt-out notice under Regulation P is approximately $30 million 
per year.
---------------------------------------------------------------------------

    In estimating this savings for banks and credit unions, the 
analysis above establishes that it is essential to take into account 
the variation by size of banks and credit unions in relation to the 
likelihood they could use the alternative delivery method. To ensure 
that these differences inform the estimates, the Bureau allocated the 
total burden of providing the annual privacy notices to asset classes 
in proportion to the share of assets in the class. The Bureau then 
estimated an amount of burden reduction specific to each asset
class using the results from the sampling described above. The total 
burden reduction is then the sum of the burden reductions in each asset 
class. For banks and credit unions combined, the estimated reduction in 
burden using this methodology is approximately $6.9 million annually.
    Regarding non-depository financial institutions, the proposed 
analysis stated that based on initial outreach, a majority were likely 
to be able to use the alternative delivery method. The proposed 
analysis stated that the prohibition on disclosing information to third 
parties in the Fair Debt Collection Practices Act (FDCPA) suggested 
that financial institutions subject to those limits likely would be 
able to use the alternative delivery method when GLBA notice 
requirements apply.\88\ The proposed analysis then used the overall 
average rate at which banks could utilize the alternative delivery 
method in its calculations of burden reduction for non-depository 
financial institutions. The Bureau stated that it would continue to 
refine its knowledge of the information sharing practices of non-
depository financial institutions and requested comment and the 
submission of information relevant to this issue.
---------------------------------------------------------------------------

    \88\ FDCPA section 805(b) generally prohibits communication with 
third parties in connection with the collection of a debt.
---------------------------------------------------------------------------

    The Bureau received comment letters from a debt buyer, a trade 
association for debt buyers and one student loan servicer that 
identified proposed requirements that would have limited the ability of 
these non-depository financial institutions to use the alternative 
delivery method. All three commenters stated that restrictions on how 
financial institutions could provide the proposed notice of 
availability would limit use of the alternative delivery method. All 
three also stated that the requirement to use the model form would 
limit use of the alternative delivery method. These issues are 
discussed below.\89\
---------------------------------------------------------------------------

    \89\ The Bureau requested comment on, but did not propose, 
requiring a dedicated telephone number for privacy notice requests. 
The student loan servicer commented that this requirement would not 
be a good use of resources for small lenders. The Bureau is not 
requiring a dedicated telephone number for these requests in the 
final rule; further, the Bureau is not finalizing the proposed 
requirement that the telephone number for these requests be toll-
free.
---------------------------------------------------------------------------

    The two debt-buying entities commented that restrictions on how the 
proposed notice of availability could be provided would eliminate any 
savings from the alternative delivery method. Specifically, proposed 
Sec.  1016.9(c)(2)(ii)(A) required the notice of availability to be 
provided on a notice or disclosure the financial institution was 
required or expressly and specifically permitted to issue under any 
other provision of law. One of these commenters stated that debt buyers 
are not required or specifically permitted to issue notices to 
consumers on a regular or annual basis. Thus, the alternative delivery 
method would simply exchange one annual privacy notice requirement for 
another. The other debt-buyer commenter stated that consumers whose 
accounts were not in active collections may not receive any 
correspondence from the commenter in the course of a year other than 
the annual privacy notice. Thus, the notice of availability would 
eliminate the savings intended by the alternative delivery method. In 
contrast, the student loan servicer commented that lenders and 
servicers of private education loans send periodic statements, but 
since no law requires them, proposed Sec.  1016.9(c)(2)(ii)(A) would 
not allow its members to use periodic statements to provide the notice 
of availability.
    As discussed above, the Bureau is revising proposed Sec.  
1016.9(c)(2)(ii)(A) to permit the notice of availability to be included 
on an account statement which would include periodic statements or 
billing statements not required or expressly permitted by law. The 
Bureau believes that this would permit student loan servicers and other 
non-depository financial institutions to use the alternative delivery 
method, as was assumed in the proposed analysis. This change from the 
proposed rule may also permit additional debt buyers to reduce costs by 
adopting the alternative delivery method.\90\ The Bureau recognizes, 
however, that final Sec.  1016.9(c)(2)(ii)(A) may still deter many debt 
buyers from adopting the alternative delivery method.
---------------------------------------------------------------------------

    \90\ One of the debt-buyer commenters recommended that the 
Bureau allow the statement of availability to be provided on ``any 
legally permissible'' mailed materials. The Bureau intends the term 
account statement to be flexible and it might include some of the 
legally permissible materials mentioned by this debt buyer. However, 
it would not include materials such as advertisements or 
newsletters.
---------------------------------------------------------------------------

    All three commenters also stated that the requirement to use the 
model form would limit use of the alternative delivery method. The two 
debt-buying entities cited requirements in the FDCPA that they stated 
made it difficult for them to adopt the model form. In contrast, the 
student loan servicer stated that some of its members that do not 
currently use the model form might not adopt it because they believed 
that the information they provide is more comprehensive.
    As discussed above, while the Bureau is requiring use of the model 
form, the Bureau is modifying proposed Sec.  1016.9(c)(2)(ii)(B) to 
clarify that information that is not content, such as navigational 
menus that link to other pages on the financial institution's Web site, 
could appear on the same page as the privacy notice and link to another 
portion of the financial institution's Web site that contains 
information supplemental to the privacy notice. The Bureau believes 
that this would encourage student loan servicers as well as other non-
depository financial institutions to adopt the model form and use the 
alternative delivery method.
    There is necessarily considerable uncertainty around any estimate 
of the number of non-depository financial institutions that could use 
the alternative delivery method. However, the Bureau did not receive 
any comments directly on the assumption that non-depository financial 
institutions will be able to utilize the alternative delivery method at 
the same overall average rate as banks. Further, partly in response to 
comments from non-depository financial institutions, the Bureau is 
adopting Sec.  1016.9(c)(2)(ii)(A) with changes from the proposal so 
that it is less of a barrier to adoption of the alternative delivery 
method. Finally, while the Bureau recognizes that many debt buyers may 
not be able to use the alternative delivery method, debt buyers are one 
group in the extremely large and heterogeneous group of non-depository 
financial institutions subject to Regulation P. The Bureau therefore 
continues to estimate the reduction in burden on non-depository 
financial institutions as approximately $10 million annually.\91\
---------------------------------------------------------------------------

    \91\ Note that this figure excludes auto dealers. Auto dealers 
are regulated by the FTC and would not be directly impacted by this 
amendment to Regulation P.
---------------------------------------------------------------------------

    Thus, the Bureau believes that the total reduction in burden is 
approximately $17 million annually. This represents about 58% 
of the total $30 million annual cost of providing the annual privacy 
notice and opt-out notice under Regulation P.\92\
---------------------------------------------------------------------------

    \92\ The Bureau recognizes that this analysis does not take into 
account the possibility that, as with banks and credit unions, the 
largest non-depository financial institutions may be least likely to 
be able to use the alternative delivery method. Assuming the size 
distribution and utilization rate are the same as for credit unions, 
the reduction in burden on non-depository financial institutions 
would be approximately $7.5 million annually instead of $10 million 
annually.

---------------------------------------------------------------------------

    The Bureau did not receive comments directly on this estimate or 
the methodology. The Bureau did receive quantitative information from 
individual financial institutions and state associations about the 
costs of providing annual privacy notices and in some cases the 
expected savings from the alternative delivery method. It is not possible 
to use this information to precisely estimate market-wide totals for 
the baseline cost and expected savings. The data is, however, 
informative regarding the Bureau's estimates.
    Regarding banks, a state banking association that surveyed its 
members provided data in which the average cost of providing the 
notices was about $1,700. All but one of the respondents had assets 
under $500 million. A bank with $367 million in assets reported 
spending $1,800 on printing. A bank with $442 million in assets 
reported spending $1,900 on printing and mailing. A bank with $1.1 
billion in assets reported spending $3,800 on printing and stated it 
delivers the annual privacy notice with an account statement. A bank 
with $3 billion in assets reported spending $20,000 on notice 
distribution. It is not possible to extrapolate precisely from this 
data to the entire market without additional information regarding the 
representativeness of this data, the relationship between assets and 
costs, the proportion of banks that incur mailing costs when 
distributing the notice, and the costs for banks above $3 billion in 
assets. However, applying these figures to the roughly 7,000 banks in 
the United States suggests costs of well over $40 million to the 
banking sector alone.
    The Bureau received similar information from credit unions. A 
credit union with $12 million in assets and 3,000 members reported that 
it would save $150 per year with the alternative delivery method. A 
credit union with approximately $1 billion in assets reported spending 
$4,200 on printing and $36,800 on mailing. A credit union with $5 
billion in assets reported spending $10,000 on printing and delivers 
the annual notice with an account statement. In addition, one trade 
association for debt-buyers reported that debt buyers alone spend 
approximately $28 million on mailing annual privacy notices.\93\
---------------------------------------------------------------------------

    \93\ A financial corporation with $2 billion in assets reported 
sending approximately 37,000 annual privacy notices and needing 100 
hours for this work.
---------------------------------------------------------------------------

    The data provided by commenters suggests that the total cost of 
providing annual privacy notices by financial institutions subject to 
Regulation P may currently be larger than the $30 million reported 
above. To improve this estimate would require extensive data collection 
from a wide range of financial institutions and is not reasonably 
available to the Bureau. The previous analysis does not, however, 
indicate any significant error in the estimate that the alternative 
delivery method may relieve about 58% of the total annual cost of 
providing the annual privacy notice and opt-out notice under Regulation 
P. The Bureau has a continuing interest in improving its estimates of 
regulatory burden and burden reduction and welcomes comments on these 
estimates at any time.
    The Bureau notes that these estimates of ongoing savings are gross 
figures and do not take into account any one-time or ongoing costs 
associated with the alternative delivery method. The Bureau believes 
that one-time costs associated with using the alternative delivery 
method would be minimal and would not prevent adoption of the 
alternative delivery method, as long as the institution already has a 
Web site and currently annually provides an account statement, coupon 
book, or notice or disclosure as described in Sec.  
1016.9(c)(2)(ii)(A). In the analysis above, the Bureau found that all 
but two financial institutions had Web sites and assumed that these two 
institutions would not adopt the alternative delivery method. However, 
the Bureau recognizes that it sampled very few of the smallest 
financial institutions and that these are the ones most likely not to 
have Web sites.
    Comments on the proposed rule were generally consistent with the 
Bureau's analysis. One state banking association commented that 
approximately 5% of its members do not have a Web site. Another state 
banking association reported that 5 respondents to a survey that 
received 99 responses stated that they do not have a Web site. One 
state banking association reported that, when asked to estimate the 
cost of putting the annual privacy notice on a Web page that only 
contains the privacy notice, 15 responded that the cost would be 
``minimal,'' one responded it would cost $500, and one that it would 
cost $3000. One bank with approximately $3 billion in assets commented 
that the cost of adding a Web page would be ``insignificant.'' A bank 
with under $500 million in assets commented that it had paid $700 to 
its vendor to make an electronic version of its privacy notice 
available on its Web site. These results are consistent with the 
Bureau's own research and analysis. The Bureau requested information 
regarding the use of Web sites by non-depository financial institutions 
but did not receive any data on this subject.
    The Bureau believes that the one-time costs associated with 
providing the notice of availability annually on an account statement, 
coupon book, or notice or disclosure as described in Sec.  
1016.9(c)(2)(ii)(A) would be small. One state banking association 
commented that, given the range of customer relationship types, a bank 
may need to adjust a number of different notices in order to provide 
the notice of availability to all of its customers. The Bureau believes 
that the cost of each adjustment would be small. These costs would also 
be recouped over time through the savings achieved from no longer 
delivering the annual privacy notice through the mail or even through 
some of the other delivery methods that the existing rule permits.\94\
---------------------------------------------------------------------------

    \94\ The Bureau believes that banks and credit unions have 
relatively few customers to whom they do not send, at least once per 
year, an account statement, coupon book, or other notice or 
disclosure that meets the conditions in final Sec.  
1016.9(c)(2)(ii)(A). Some banks and credit unions and their 
associations commented that Sec.  1016.9(c)(2)(ii)(A) was too 
restrictive in this regard and might limit adoption of the 
alternative delivery method. As discussed above, final Sec.  
1016.9(c)(2)(ii)(A) is less restrictive.
---------------------------------------------------------------------------

    Similarly, the Bureau believes that the requirements for using the 
alternative delivery method would provide few sources of additional 
ongoing costs relative to the baseline to financial institutions that 
adopt it. These costs would consist of additional text on an account 
statement, coupon book, notice or disclosure the institution already 
provides, maintaining a Web page dedicated to the annual privacy notice 
if one does not already exist, additional telephone calls from 
consumers requesting that the model form be mailed, and the costs of 
mailing the forms prompted by these calls. The Bureau currently 
believes that few consumers will request that the form be mailed in 
order to read it or to exercise any voluntary or FCRA Affiliate 
Marketing Rule opt-out right. A number of commenters stated that the 
proposed requirement to maintain a toll-free telephone number for 
requesting annual privacy notices (and the alternative considered of a 
dedicated toll-free number) would impose an unnecessary expense. Final 
Sec.  1016.9(c)(2)(ii)(A) does not require the telephone number to be 
toll-free.
    One caveat regarding these estimates concerns the use of 
consolidated privacy notices by entities regulated by different 
agencies. For example, entities that could comply with Regulation P by 
adopting the alternative delivery
method would not do so if they still needed to send these customers an 
additional disclosure in order to comply with the GLBA regulations of 
other agencies. The Bureau believes that among the entities that will 
continue to use a standard delivery method, few will do so solely 
because of the need to comply with the GLBA regulations of multiple 
agencies. Rather, most such entities will also be large financial 
institutions and will not satisfy the requirements on information 
sharing in Sec.  1016.9(c)(2)(i)(A)-(C). Thus, the Bureau believes that 
its estimates regarding the adoption of the alternative delivery method 
are accurate, notwithstanding the use of consolidated privacy notices, 
since the use of consolidated privacy notices is likely highly 
correlated with information sharing practices that alone prevent the 
adoption of the alternative delivery method. The Bureau requested data 
and other factual information regarding the extent to which the use of 
consolidated privacy notices may prevent the adoption of the 
alternative delivery method. The Bureau did not receive any comments on 
this issue.
    In developing the rule, the Bureau considered alternatives to the 
requirements it is adopting. As discussed at length above, the Bureau 
believes that the alternative delivery method might not adequately 
alert customers to their ability to opt out of certain types of 
information sharing were it available where a financial institution 
shares a customer's nonpublic personal information beyond the 
exceptions in Sec. Sec.  1016.13, 1016.14, and 1016.15. Thus, the 
Bureau considered but is not adopting an option in which the 
alternative delivery method could be used where a financial institution 
shares beyond one or more of these exceptions. For the same reason, the 
Bureau considered but is not adopting an option in which the 
alternative delivery method could be used where a financial institution 
shares information in a way that triggers information sharing opt-out 
rights under section 603(d)(2)(A)(iii) of the FCRA. On the other hand, 
the Bureau considered an option in which the alternative delivery 
method could never be used where a customer has an opt-out right under 
the Affiliate Marketing Rule. A financial institution may use the 
alternative delivery method if the requirements under section 624 of 
the FCRA and the Affiliate Marketing Rule have been satisfied 
previously or the annual privacy notice is not the only notice provided 
to satisfy such requirements. This case is distinguishable from the 
other two in that the Affiliate Marketing Rule opt-out notice is not 
required to be included on the annual privacy notice and may be sent 
separately. As explained above, a financial institution could send the 
separate Affiliate Marketing Rule opt-out only once (as long as it 
honored that opt-out indefinitely) and use the alternative delivery 
method to meet its yearly annual notice requirement, with or without 
including the Affiliate Marketing Rule opt-out notice on the model 
form.
    The Bureau also considered alternatives to the requirements 
regarding the types of information that cannot have changed since the 
previous annual notice to be able to use the alternative delivery 
method. The Bureau discussed these alternatives at length above and 
incorporates that discussion here.

C. Potential Specific Impacts of the Rule

    The Bureau currently understands that 81% of banks with $10 billion 
or less in assets would be able to utilize the alternative delivery 
method, with a greater opportunity for utilization among the smaller 
banks. Thus, the rule may have differential impacts on insured 
depository institutions with $10 billion or less in assets as described 
in section 1026 of the Dodd-Frank Act. The Bureau also currently 
understands that at least 46% of credit unions with $10 billion or less 
in assets, and perhaps substantially more, would be able to utilize the 
alternative delivery method, with a greater opportunity for utilization 
among credit unions in the middle of this group. The uncertainty 
reflects the relatively large number of very small credit unions that 
do not post the model form on their Web sites and which therefore could 
not clearly use the alternative delivery method.
    The Bureau does not believe that the rule would reduce consumers' 
access to consumer financial products or services. The rule may, 
however, benefit consumers in rural areas less than consumers in non-
rural areas. Rural consumers in most states have far less access to 
broadband and the alternative delivery method may displace delivery of 
paper notices with notices posted on Web sites.\95\ Rural consumers 
likely still would benefit overall, however, given the general 
availability of the disclosure through slower internet access or on 
request by telephone and the potentially greater use of the model form.
---------------------------------------------------------------------------

    \95\ For a comparison of access to broadband by rural and non-
rural consumers, see Bringing Broadband to Rural America: Update to 
Report on a Rural Broadband Strategy, June 17, 2011, pages 22-24, 
available at https://apps.fcc.gov/edocs_public/attachmatch/DOC-320924A1.pdf.
---------------------------------------------------------------------------

VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires each 
agency to consider the potential impact of its regulations on small 
entities, including small businesses, small governmental units, and 
small not-for-profit organizations. The RFA generally requires an 
agency to conduct an initial regulatory flexibility analysis (IRFA) and 
a final regulatory flexibility analysis (FRFA) of any rule subject to 
notice-and-comment rulemaking requirements, unless the agency certifies 
that the rule will not have a significant economic impact on a 
substantial number of small entities.\96\ The Bureau also is subject to 
certain additional procedures under the RFA involving the convening of 
a panel to consult with small business representatives prior to 
proposing a rule for which an IRFA is required.\97\
---------------------------------------------------------------------------

    \96\ 5 U.S.C. 603-605.
    \97\ 5 U.S.C. 609.
---------------------------------------------------------------------------

    The Bureau now certifies that a FRFA is not required for this final 
rule because it will not have a significant economic impact on a 
substantial number of small entities. The Bureau does not expect the 
final rule to impose costs on small entities. All methods of compliance 
under current law will remain available to small entities under the 
final rule. Thus, a small entity that is in compliance with current law 
need not take any different or additional action. In addition, the 
Bureau believes that the alternative delivery method would allow some 
small institutions to reduce costs, but by a small amount relative to 
overall costs given that this rulemaking addresses a single disclosure.
    Accordingly, the undersigned certifies that this rule will not have 
a significant economic impact on a substantial number of small 
entities.

VII. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA),\98\ Federal 
agencies are generally required to seek Office of Management and Budget 
(OMB) approval for information collection requirements prior to 
implementation. This final rule will amend Regulation P, 12 CFR part 
1016. The collections of information related to Regulation P have been 
previously reviewed and approved by OMB in accordance with the PRA and 
assigned OMB Control Number 3170-0010. Under the PRA, the Bureau may 
not conduct or sponsor, and,

[[Page 64080]]

notwithstanding any other provision of law, a person is not required to 
respond to an information collection, unless the information collection 
displays a valid control number assigned by OMB.
---------------------------------------------------------------------------

    \98\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    As explained below, the Bureau has determined that this rule does 
not contain any new or substantively revised information collection 
requirements other than those previously approved by OMB. Under this 
rule, a financial institution will be permitted, but not required, to 
use an alternative delivery method for the annual privacy notice if:
    (1) It does not disclose the customer's nonpublic personal 
information to nonaffiliated third parties in a manner that triggers 
GLBA opt-out rights;
    (2) It does not include on its annual privacy notice an opt-out 
notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act 
(FCRA);
    (3) The requirements of section 624 of the FCRA and the Affiliate 
Marketing Rule, if applicable, have been satisfied previously or the 
annual privacy notice is not the only notice provided to satisfy such 
requirements;
    (4) The information included in the privacy notice has not changed 
since the customer received the previous notice (subject to an 
exception); and
    (5) It uses the model form provided in the GLBA's implementing 
Regulation P.
    Under the alternative delivery method, the financial institution 
would have to:
    (1) Convey in a clear and conspicuous manner not less than annually 
on an account statement, coupon book, or a notice or disclosure the 
institution issues under any provision of law that its privacy notice 
is available on its Web site, it will be mailed to customers who 
request it by telephone, and it has not changed;
    (2) Post its current privacy notice continuously and in a clear and 
conspicuous manner on a page of its Web site on which the only content 
is the privacy notice, without requiring the customer to provide any 
information such as a login name or password or agree to any conditions 
to access the page; and
    (3) Mail its current privacy notice to customers who request it by 
telephone within ten days of the request.
    Under Regulation P, the Bureau generally accounts for the paperwork 
burden for the following respondents pursuant to its enforcement/
supervisory authority: Insured depository institutions with more than 
$10 billion in total assets, their depository institution affiliates, 
and certain non-depository financial institutions. The Bureau and the 
FTC generally both have enforcement authority over non-depository 
financial institutions subject to Regulation P. Accordingly, the Bureau 
has allocated to itself half of the final rule's estimated burden on 
non-depository institutions subject to Regulation P. Other Federal 
agencies, including the FTC, are responsible for estimating and 
reporting to OMB the paperwork burden for the institutions for which 
they have enforcement and/or supervision authority. They may use the 
Bureau's burden estimation methodology, but need not do so.
    The Bureau does not believe that this rule would impose any new or 
substantively revised collections of information as defined by the PRA, 
and instead believes that it would have the overall effect of reducing 
the previously approved estimated burden on industry for the 
information collections associated with the Regulation P annual privacy 
notice. Using the Bureau's burden estimation methodology, the reduction 
in the estimated ongoing burden would be approximately 584,000 hours 
annually for the roughly 13,500 banks and credit unions subject to the 
rule, including Bureau respondents, and the roughly 29,400 entities 
subject to the Federal Trade Commission's enforcement authority also 
subject to the rule. The reduction in estimated ongoing costs from the 
reduction in ongoing burden would be approximately $17 million 
annually.
    The Bureau believes that the one-time cost of adopting the 
alternative delivery method for financial institutions that would adopt 
it is de minimis. Financial institutions that already use the model 
form and would adopt the alternative delivery method would incur minor 
one-time legal, programming, and training costs. These institutions 
would have to communicate on an account statement, coupon book, or 
notice or disclosure that the privacy notice is available. The expense 
of adding this notice would be minor, particularly where the 
institution would be issuing the account statement, coupon book, or 
notice or disclosure anyway. Staff may need some additional training in 
storing copies of the model form and sending it to customers on 
request. Institutions that do not use the model form would incur a one-
time cost for creating one. However, since the promulgation of the 
model privacy form in 2009, an Online Form Builder has existed which 
any institution can use to readily create customized privacy notices 
using the model form template.\99\ The Bureau assumes that financial 
institutions that do not currently have Web sites would not choose to 
comply with these requirements in order to use the alternative delivery 
method.
---------------------------------------------------------------------------

    \99\ This Online Form Builder is available at https://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.
---------------------------------------------------------------------------

    The Bureau's methodology for estimating the reduction in ongoing 
burden was discussed at length above. The Bureau defined five strata 
for banks under $100 billion and three strata for credit unions under 
$10 billion, drew random samples from each of the strata (separately 
for banks and credit unions) and examined the GLBA privacy notices 
available on the financial institutions' Web sites, if any. The Bureau 
separately examined the Web sites of all banks over $100 billion (one 
additional bank stratum) and all credit unions over $10 billion (one 
additional credit union stratum). This process provided an estimate of 
the fraction of institutions within each bank or credit union stratum 
which would likely be able to use the alternative delivery method. In 
order to compute the reduction in ongoing burden (by stratum and 
overall) for these financial institutions, the Bureau apportioned the 
existing ongoing burden to each stratum according to the share of 
overall assets held by the financial institutions within the stratum. 
This was done separately for banks and credit unions. Note that this 
procedure ensures that the largest financial institutions, while few in 
number, are apportioned most of the existing burden. The Bureau then 
multiplied the estimate of the fraction of institutions within each 
stratum that would likely be able to use the alternative delivery 
method by the estimate of the existing ongoing burden within each 
stratum, separately for banks and credit unions. As discussed above, 
the largest bank and credit union strata tended to have the lowest 
share of financial institutions that could use the alternative delivery 
method.
    For the non-depository institutions subject to the FTC's 
enforcement authority that are subject to the Bureau's Regulation P, 
the Bureau estimated the reduction in ongoing burden by applying the 
overall share of banks that would likely be able to use the alternative 
delivery method (80%) to the current ongoing burden on non-depository 
financial institutions (exclusive of auto dealers) from providing the 
annual privacy notices and opt outs.
    The Bureau takes all of the reduction in ongoing burden from banks 
and credit unions with assets $10 billion and above and half the 
reduction in ongoing burden from the non-depository institutions 
subject to the FTC enforcement authority that are subject to

[[Page 64081]]

the Bureau's Regulation P. The current Bureau burden for all 
information collections in Regulation P is 516,000 hours. The total 
reduction in ongoing burden taken by 14,844 Bureau respondents is 
261,904 hours. The remaining Bureau burden for all information 
collections in Regulation P is 254,096 hours.

                                            Summary of Burden Changes
----------------------------------------------------------------------------------------------------------------
                                                                  Previously
                   Information collections                      approved total   Net change in      New total
                                                                 burden hours     burden hours     burden hours
----------------------------------------------------------------------------------------------------------------
Notices and disclosures......................................         516,000         -261,904          254,096
----------------------------------------------------------------------------------------------------------------

    The Bureau has determined that the rule does not contain any new or 
substantively revised information collection requirements as defined by 
the PRA and that the burden estimate for the previously-approved 
information collections should be revised as explained above.

List of Subjects in 12 CFR Part 1016

    Banks, Banking, Consumer protection, Credit, Credit unions, Foreign 
banking, Holding companies, National banks, Privacy, Reporting and 
recordkeeping requirements, Savings associations, Trade practices.

Authority and Issuance

    For the reasons set forth in the preamble, the Bureau amends 
Regulation P, 12 CFR part 1016, as set forth below:

PART 1016--PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)

1. The authority citation for part 1016 continues to read as follows:

    Authority:  12 U.S.C. 5512, 5581; 15 U.S.C. 6804.

2. Section 1016.1(b)(1) is revised to read as follows:


Sec.  1016.1  Purpose and scope.

* * * * *
    (b) Scope. (1) This part applies only to nonpublic personal 
information about individuals who obtain financial products or services 
primarily for personal, family, or household purposes from the 
institutions listed below. This part does not apply to information 
about companies or about individuals who obtain financial products or 
services for business, commercial, or agricultural purposes. This part 
applies to those financial institutions and other persons for which the 
Bureau of Consumer Financial Protection (Bureau) has rulemaking 
authority pursuant to section 504(a)(1)(A) of the Gramm-Leach-Bliley 
Act (GLB Act) (15 U.S.C. 6804(a)(1)(A)). Specifically, this part 
applies to any financial institution and other covered person or 
service provider that is subject to Subtitle A of Title V of the GLB 
Act, including third parties that are not financial institutions but 
that receive nonpublic personal information from financial institutions 
with whom they are not affiliated. This part does not apply to certain 
motor vehicle dealers described in 12 U.S.C. 5519 or to entities for 
which the Securities and Exchange Commission or the Commodity Futures 
Trading Commission has rulemaking authority pursuant to sections 
504(a)(1)(A)-(B) of the GLB Act (15 U.S.C. 6804(a)(1)(A)-(B)). Except 
as otherwise specifically provided herein, entities to which this part 
applies are referred to in this part as ``you.''

Subpart A--Privacy and Opt-Out Notices

3. Section 1016.9(c) is revised to read as follows:


Sec.  1016.9  Delivering privacy and opt out notices.

* * * * *
    (c) Annual notices only--(1) Reasonable expectation. You may 
reasonably expect that a customer will receive actual notice of your 
annual privacy notice if:
    (i) The customer uses your Web site to access financial products 
and services electronically and agrees to receive notices at the Web 
site, and you post your current privacy notice continuously in a clear 
and conspicuous manner on the Web site; or
    (ii) The customer has requested that you refrain from sending any 
information regarding the customer relationship, and your current 
privacy notice remains available to the customer upon request.
    (2) Alternative method for providing certain annual notices. (i) 
Notwithstanding paragraph (a) of this section, you may use the 
alternative method described in paragraph (c)(2)(ii) of this section to 
satisfy the requirement in Sec.  1016.5(a)(1) to provide a notice if:
    (A) You do not disclose the customer's nonpublic personal 
information to nonaffiliated third parties other than for purposes 
under Sec. Sec.  1016.13, 1016.14, and 1016.15;
    (B) You do not include on your annual privacy notice pursuant to 
Sec.  1016.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the 
Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii));
    (C) The requirements of section 624 of the Fair Credit Reporting 
Act (15 U.S.C. 1681s-3) and subpart C of part 1022 of this chapter, if 
applicable, have been satisfied previously or the annual privacy notice 
is not the only notice provided to satisfy such requirements;
    (D) The information you are required to convey on your annual 
privacy notice pursuant to Sec.  1016.6(a)(1) through (5), (8), and (9) 
has not changed since you provided the immediately previous privacy 
notice (whether initial, annual, or revised) to the customer, other 
than to eliminate categories of information you disclose or categories 
of third parties to whom you disclose information; and
    (E) You use the model privacy form in the appendix to this part for 
your annual privacy notice.
    (ii) For an annual privacy notice that meets the requirements in 
paragraph (c)(2)(i) of this section, you satisfy the requirement in 
Sec.  1016.5(a)(1) to provide a notice if you:
    (A) Convey in a clear and conspicuous manner not less than annually 
on an account statement, coupon book, or a notice or disclosure you are 
required or expressly and specifically permitted to issue to the 
customer under any other provision of law that your privacy notice is 
available on your Web site and will be mailed to the customer upon 
request by telephone. The statement must state that your privacy notice 
has not changed and must include a specific Web address that takes the 
customer directly to the page where the privacy notice is posted and a 
telephone number for the customer to request that it be mailed;
    (B) Post your current privacy notice continuously and in clear and 
conspicuous manner on a page of your Web site on which the only content 
is the privacy notice, without requiring the customer to provide any 
information such as a login name or password or

[[Page 64082]]

agree to any conditions to access the page; and
    (C) Mail your current privacy notice to those customers who request 
it by telephone within ten days of the request.
    (iii) An example of a statement that satisfies paragraph 
(c)(2)(ii)(A) of this section is as follows with the words ``Privacy 
Notice'' in boldface or otherwise emphasized: Privacy Notice--Federal 
law requires us to tell you how we collect, share, and protect your 
personal information. Our privacy policy has not changed and you may 
review our policy and practices with respect to your personal 
information at [Web address] or we will mail you a free copy upon 
request if you call us at [telephone number].
* * * * *

    Dated: October 17, 2014.
Richard Cordray,
Director, Bureau of Consumer Financial Protection.
[FR Doc. 2014-25299 Filed 10-27-14; 8:45 am]
BILLING CODE 4810-AM-P