Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P), 40945-40959 [2018-17572]
Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations
IMPORT ASSESSMENT TABLE—Continued
[Raw cotton fiber]

HTS No.        Conv. factor    Cents/kg.
6302317030     1.1073          1.3182407
6302317040     1.1073          1.3182407
6302317050     1.1073          1.3182407
6302319010     0.7751          0.9227566
6302319020     0.7751          0.9227566
6302319030     0.7751          0.9227566
6302319040     0.7751          0.9227566
6302319050     0.7751          0.9227566
6302321010     0.5537          0.6591799
6302321020     0.3876          0.4614378
6302321030     0.5537          0.6591799
6302321040     0.3876          0.4614378
6302321050     0.3876          0.4614378
6302321060     0.3876          0.4614378
6302322010     0.5537          0.6591799
6302322020     0.3876          0.4614378
6302322030     0.5537          0.6591799
6302322040     0.3876          0.4614378
6302322050     0.3876          0.4614378
6302322060     0.3876          0.4614378
6302390030     0.2215          0.2636958
6302402010     0.9412          1.1204986
6302511000     0.5537          0.6591799
6302512000     0.8305          0.9887103
6302513000     0.5537          0.6591799
6302514000     0.7751          0.9227566
6302593020     0.5537          0.6591799
6302600010     1.1073          1.3182407
6302600020     0.9966          1.1864523
6302600030     0.9966          1.1864523
6302910005     0.9966          1.1864523
6302910015     1.1073          1.3182407
6302910025     0.9966          1.1864523
6302910035     0.9966          1.1864523
6302910045     0.9966          1.1864523
6302910050     0.9966          1.1864523
6302910060     0.9966          1.1864523
6302931000     0.4429          0.5272725
6302932000     0.4429          0.5272725
6302992000     0.2215          0.2636958
6303191100     0.8859          1.0546640
6303910010     0.609           0.7250145
6303910020     0.609           0.7250145
6303921000     0.2768          0.3295304
6303922010     0.2768          0.3295304
6303922030     0.2768          0.3295304
6303922050     0.2768          0.3295304
6303990010     0.2768          0.3295304
6304111000     0.9966          1.1864523
6304113000     0.1107          0.1317884
6304190500     0.9966          1.1864523
6304191000     1.1073          1.3182407
6304191500     0.3876          0.4614378
6304192000     0.3876          0.4614378
6304193060     0.2215          0.2636958
6304910020     0.8859          1.0546640
6304910070     0.2215          0.2636958
6304920000     0.8859          1.0546640
6304996040     0.2215          0.2636958
6505001515     1.1189          1.3320505
6505001525     0.5594          0.6659657
6505001540     1.1189          1.3320505
6505002030     0.9412          1.1204986
6505002060     0.9412          1.1204986
6505002545     0.5537          0.6591799
6507000000     0.3986          0.4745333
9404901000     0.2104          0.2504812
9404908020     0.9966          1.1864523
9404908040     0.9966          1.1864523
9404908505     0.6644          0.7909682
9404908536     0.0997          0.1186929
9404909505     0.6644          0.7909682
9404909570     0.2658          0.3164349
9619002100     0.8681          1.0334731
9619002500     0.1085          0.1291693
9619003100     0.9535          1.1351418
9619003300     1.1545          1.3744323
9619004100     0.2384          0.2838152
9619004300     0.2384          0.2838152
9619006100     0.8528          1.0152584
9619006400     0.2437          0.2901249
9619006800     0.3655          0.4351278
9619007100     1.1099          1.3213360
9619007400     0.2466          0.2935773
9619007800     0.2466          0.2935773
9619007900     0.2466          0.2935773
* * * * *
(Authority: 7 U.S.C. 2101–2118)
Dated: August 13, 2018
Bruce Summers,
Administrator.
[FR Doc. 2018–17723 Filed 8–16–18; 8:45 am]
BILLING CODE 3410–02–P
BUREAU OF CONSUMER FINANCIAL PROTECTION
12 CFR Part 1016
[Docket No. CFPB–2016–0032]
RIN 3170–AA60
Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P)
AGENCY: Bureau of Consumer Financial Protection.
ACTION: Final rule.
SUMMARY: The Bureau of Consumer Financial Protection (Bureau) is amending Regulation P, which requires, among other things, that financial institutions provide an annual notice describing their privacy policies and practices to their customers. The amendment implements a December 2015 statutory amendment to the Gramm-Leach-Bliley Act providing an exception to this annual notice requirement for financial institutions that meet certain conditions.
DATES: The amendments to Regulation P in this final rule will become effective on September 17, 2018.
FOR FURTHER INFORMATION CONTACT: Monique Chenault, Paralegal Specialist; Joseph Devlin, Senior Counsel; Office of Regulations, at (202) 435–7700.
SUPPLEMENTARY INFORMATION:
I. Summary of the Final Rule
Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLBA)1 and
Regulation P, which implements the
GLBA, mandate that financial
institutions provide their customers
with annual notices regarding those
institutions’ privacy policies. If
financial institutions share certain
consumer information with particular
types of third parties, the annual notices
must also provide customers with an
opportunity to opt out of the sharing.
Regulation P sets forth requirements for
how financial institutions must deliver
these annual privacy notices. In certain
circumstances, Regulation P permits
financial institutions to use an
alternative delivery method to provide
annual notices. This method requires,
among other things, that the annual
notice be posted on a financial
institution’s website.
On December 4, 2015, Congress
amended the GLBA as part of the Fixing
America’s Surface Transportation Act
(FAST Act). This amendment, titled
Eliminate Privacy Notice Confusion,2
added new GLBA section 503(f). This
subsection provides an exception under
which financial institutions that meet
certain conditions are not required to
provide annual privacy notices to
customers. Section 503(f)(1) requires
that to qualify for this exception, a
financial institution must not share
nonpublic personal information about
customers except as described in certain
statutory exceptions. (Sharing as
described in these specified statutory
exceptions does not trigger the
customer’s statutory right to opt out of
the financial institution’s sharing.) In
addition, section 503(f)(2) requires that
the financial institution must not have
changed its policies and practices with
regard to disclosing nonpublic personal
information from those that the
institution disclosed in the most recent
privacy notice it sent.
Section 503(f) took effect upon
enactment in December 2015. In July
2016 the Bureau proposed to update
Regulation P to reflect the change in the
underlying law. As part of its
implementation, the Bureau is also
amending Regulation P to provide
timing requirements for delivery of
annual privacy notices in the event that
a financial institution that qualified for
this annual notice exception later
changes its policies or practices in such
a way that it no longer qualifies for the
exception. The Bureau is further
1 15 U.S.C. 6801 through 6809.
2 FAST Act, Public Law 114–94, section 75001.
removing the Regulation P provision
that allows for use of the alternative
delivery method for annual privacy
notices because the Bureau believes the
alternative delivery method will no
longer be used in light of the annual
notice exception. Finally, the Bureau is
amending Regulation P to make a
technical correction to one of its
definitions.
II. Background
A. The Statute and Regulation
The GLBA was enacted into law in
1999 and governs the privacy practices
of a broad range of financial
institutions.3 Rulemaking authority to
implement the GLBA privacy provisions
was initially spread among many
agencies. The Federal Reserve Board
(Board), the Office of Comptroller of the
Currency (OCC), the Federal Deposit
Insurance Corporation (FDIC), and the
Office of Thrift Supervision (OTS)
jointly adopted final rules in 2000 to
implement the notice requirements of
the GLBA.4 The National Credit Union
Administration (NCUA), Federal Trade
Commission (FTC), Securities and
Exchange Commission (SEC), and
Commodity Futures Trading
Commission (CFTC) were part of the
same interagency process, but each of
these agencies issued separate rules.5 In
2009, all of the agencies with the
authority to issue rules to implement
the GLBA privacy notice provisions
issued a joint final rule with a model
form that financial institutions could
use, at their option, to provide required
initial and annual disclosures.6
In 2011, the Dodd-Frank Wall Street
Reform and Consumer Protection Act
(Dodd-Frank Act) 7 transferred GLBA
privacy notice rulemaking authority
from the Board, NCUA, OCC, OTS, the
FDIC, and the FTC (in part) to the
Bureau.8 The Bureau then restated the
implementing regulations in Regulation
P, 12 CFR part 1016, in late 2011
through an interim final rule.9 In April
2016, the Bureau finalized that interim
3 Public Law 106–102, 113 Stat. 1338 (1999).
4 65 FR 35162 (June 1, 2000).
5 65 FR 31722 (May 18, 2000) (NCUA final rule);
65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR
40334 (June 29, 2000) (SEC final rule); 66 FR 21236
(Apr. 27, 2001) (CFTC final rule).
6 74 FR 62890 (Dec. 1, 2009).
7 Public Law 111–203, 124 Stat. 1376 (2010).
8 Public Law 111–203, section 1093. The FTC
retained rulewriting authority over any financial
institution that is a person described in 12 U.S.C.
5519 (i.e., motor vehicle dealers predominantly
engaged in the sale and servicing of motor vehicles,
the leasing and servicing of motor vehicles, or
both).
9 76 FR 79025 (Dec. 21, 2011).
final rule as amended by 79 FR 64057
(Oct. 28, 2014).10
The Bureau has the authority to
promulgate GLBA privacy rules for
depository institutions and many nondepository institutions. However,
rulewriting authority with regard to
securities and futures-related companies
is vested in the SEC and CFTC,
respectively, and rulewriting authority
with respect to certain motor vehicle
dealers is vested in the FTC.11 The four
agencies are required to consult with
each other and with representatives of
State insurance authorities to assure, to
the extent possible, consistency and
comparability among implementing
rules.12 Toward that end, the Bureau has
consulted and coordinated with these
agencies and with the National
Association of Insurance Commissioners
(NAIC) concerning this final rule and
the proposal that preceded it. The
Bureau has also consulted with
prudential regulators and other
appropriate Federal agencies, as
required under Section 1022 of the
Dodd-Frank Act as part of its general
rulewriting process.13
The GLBA and Regulation P require
that financial institutions provide
consumers with certain notices
describing their privacy policies.14
Financial institutions are generally
required to provide an initial notice of
these policies when a customer
relationship is established and to
provide an annual notice to customers
every year that the customer
relationship continues.15 Except as
otherwise authorized in the regulation,
if a financial institution chooses to
disclose nonpublic personal information
about a consumer to a nonaffiliated
third party other than as described in its
initial notice, the institution is also
required to deliver a revised privacy
notice.16 The types of information
required to be included in the initial,
annual, and revised notices are
identical. Each notice must describe
whether and how the financial
institution shares consumers’ nonpublic
personal information with other
10 81 FR 25323 (Apr. 28, 2016).
11 15 U.S.C. 6804; 12 CFR 1016.1(b).
12 15 U.S.C. 6804(a)(2).
13 12 U.S.C. 5512(b)(2)(B).
14 When a financial institution has a continuing
relationship with the consumer, an annual privacy
notice is required and the consumer is then referred
to as a ‘‘customer.’’ 12 CFR 1016.3(i), 1016.3(j)(1).
15 12 CFR 1016.4(a)(1), 1016.5(a)(1). Financial
institutions are also required to provide initial
notices to consumers before disclosing any
nonpublic personal information to a nonaffiliated
third party outside of certain exceptions. 12 CFR
1016.4(a)(2).
16 12 CFR 1016.8.
entities.17 The notices must also briefly
describe how financial institutions
protect the nonpublic personal
information they collect and maintain.18
GLBA Section 502 and Regulation P
also require that initial, annual, and
revised notices provide information
about the right to opt out of certain
financial institution sharing of
nonpublic personal information with
some types of nonaffiliated third parties.
For example, a mortgage customer has
the right to opt out of a financial
institution disclosing his or her name
and address to an unaffiliated home
insurance company. On the other hand,
a financial institution is not required to
allow a consumer to opt out of the
institution’s disclosure of his or her
nonpublic personal information to third
party service providers and pursuant to
joint marketing arrangements subject to
certain requirements; disclosures
relating to maintaining and servicing
accounts, securitization, law
enforcement and compliance, and
consumer reporting; and certain other
disclosures described in the GLBA and
Regulation P as exceptions to the opt-out requirement.19
In addition to opt-out rights under the
GLBA, annual privacy notices also may
include information about certain
consumer opt-out rights under the Fair
Credit Reporting Act (FCRA). The
privacy notices under the GLBA/
Regulation P and affiliate disclosures
under the FCRA/Regulation V interact
in two ways. First, section
603(d)(2)(A)(iii) of the FCRA excludes
from that statute’s definition of a
consumer report 20 the sharing of certain
information about a consumer with the
institution’s affiliates if the consumer is
notified of such sharing and is given an
opportunity to opt out.21 Section
503(c)(4) of the GLBA and Regulation P
require financial institutions to
incorporate into any required
Regulation P notices the notification
and opt-out disclosures provided
pursuant to section 603(d)(2)(A)(iii) of
the FCRA, if the institution provides
such disclosures.22
Second, section 624 of the FCRA and
Regulation V’s Affiliate Marketing Rule
provide that an affiliate of a financial
institution that receives certain
information (e.g., transaction history) 23
17 12 CFR 1016.6(a)(1)–(5), (9).
18 12 CFR 1016.6(a)(8).
19 15 U.S.C. 6802(b)(2), (e); 12 CFR 1016.13, 1016.14, 1016.15.
20 15 U.S.C. 1681a(d).
21 15 U.S.C. 1681a(d)(2)(A)(iii).
22 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).
23 The type of information to which section 624 applies is information that would be a consumer
from the institution about a consumer
may not use the information to make
solicitations for marketing purposes
unless the consumer is notified of such
use and provided with an opportunity
to opt out of that use.24 Section 624 of
the FCRA and Regulation V also permit
(but do not require) financial
institutions to incorporate any opt-out
disclosures provided under section 624
of the FCRA and subpart C of Regulation
V into privacy notices provided
pursuant to the GLBA and Regulation
P.25
B. The Alternative Delivery Method for
Annual Privacy Notices
In pursuit of the Bureau’s goal of
reducing unnecessary or unduly
burdensome regulations, the Bureau in
December 2011 issued a Request for
Information (RFI) seeking specific
suggestions from the public for
streamlining regulations the Bureau had
inherited from other Federal agencies.
In that RFI, the Bureau specifically
identified the annual privacy notice as
a potential opportunity for streamlining
and solicited comment on possible
alternatives to delivering the annual
privacy notice.26 Numerous industry
commenters responded to the RFI by
advocating for the elimination or
limitation of the annual notice
requirement.
Financial institutions historically
have provided annual notices generally
by U.S. postal mail.27 In 2014, the
Bureau adopted a rule to allow financial
institutions to use an alternative
delivery method to provide annual
privacy notices through posting the
notices on their websites if they meet
certain conditions.28 Specifically,
financial institutions were allowed to
use the alternative delivery method for
annual notices if: (1) No opt-out rights
were triggered by the financial
institution’s information sharing
practices under the GLBA; (2) no FCRA
section 603 opt-out notices were
required to appear on the annual notice
and any opt-outs required by FCRA
section 624 had previously been
report, but for the exclusions provided by section
603(d)(2)(A)(i), (ii), or (iii) of the FCRA.
24 15 U.S.C. 1681s–3 and 12 CFR pt. 1022, subpart
C.
25 15 U.S.C. 1681s–3(b); 12 CFR 1022.23(b).
26 76 FR 75825, 75828 (Dec. 5, 2011).
27 Regulation P, however, does allow financial
institutions to provide notices electronically (e.g.,
by email) with consent. 12 CFR 1016.9(a) (stating
that a financial institution may deliver the notice
electronically if the consumer agrees). The Bureau
believes that most consumers do not receive privacy
notices electronically.
28 79 FR 64057 (revising 12 CFR 1016.9(c)). The
Bureau’s alternative delivery method became
effective on October 28, 2014. Id.
provided, if applicable, or the annual
notice was not the only notice provided
to satisfy those requirements; (3) the
information included in the annual
notice had not changed since the
customer received the previous notice;
and (4) the financial institution used the
model form provided in Regulation P for
its annual notice.
In addition, to assist customers with
limited or no access to the internet, an
institution using the alternative delivery
method was required to mail annual
notices to customers who requested
them by telephone. To make customers
aware that its annual privacy notice was
available through the website or by
phone, the institution was required to
include a clear and conspicuous
statement of availability at least once
per year on an account statement,
coupon book, or a notice or disclosure
the institution issued under any
provision of law.
C. Statutory Amendment and Proposed
Rule
On December 4, 2015, Congress
amended the GLBA as part of the FAST
Act. This amendment, titled Eliminate
Privacy Notice Confusion,29 added new
GLBA section 503(f), which provides an
exception under which financial
institutions that meet two conditions are
not required to provide annual notices
to customers.30 New GLBA section
503(f)(1) states the first condition for the
annual notice exception: That a
financial institution must provide
nonpublic personal information only in
accordance with certain exceptions in
the GLBA; providing nonpublic
personal information under these
exceptions does not trigger consumer
opt-out rights.31 New GLBA section
503(f)(2) states the second condition for
the annual notice exception: That a
financial institution must not have
changed its policies and practices with
regard to disclosing nonpublic personal
information from the policies and
practices that were disclosed in the
most recent disclosure sent to
consumers in accordance with GLBA
29 FAST Act, Public Law 114–94, section 75001.
30 In order to avoid confusion and facilitate responsiveness to consumer requests, the Bureau notes that a financial institution that qualifies for the annual notice exception could provide a privacy notice to a customer without jeopardizing the availability of the exception, such as in response to a customer specifically requesting a copy of the notice.
31 These provisions are in GLBA section 502(b)(2) or (e) and are incorporated into existing Regulation P at § 1016.13, § 1016.14, and § 1016.15. They provide exceptions from the requirement that a financial institution provide notice and an opportunity to opt out of sharing nonpublic personal information with a nonaffiliated third party.
section 503. The statutory amendment
became effective upon enactment in
December 2015.
On July 15, 2016, the Bureau
published a proposed rule to implement
the FAST Act statutory amendment to
the GLBA. The Bureau has considered
the comments received on that proposed
rule, and now issues this final rule
based on it.
D. Effective Date
As discussed above, the statutory
exception to the annual notice
requirement is already effective. The
amendments to Regulation P in this
final rule will be effective 30 days from
the date of publication in the Federal
Register.
E. Privacy Considerations
In developing this final rule, the
Bureau considered its potential impact
on consumer privacy. The rule will not
affect the collection or use of
consumers’ nonpublic personal
information by financial institutions.
The rule implements a new statutory
exception to limit the circumstances
under which financial institutions
subject to Regulation P will be required
to deliver annual privacy notices to
their customers. Delivery of annual
privacy notices is required under the
rule if financial institutions make
certain types of changes to their privacy
policies or if the statute and Regulation
P afford customers the right to opt out
of financial institutions’ sharing of
customers’ nonpublic personal
information with nonaffiliated third
parties. The statutory exception and this
final rule do not affect the requirement
to deliver an initial privacy notice, and
all consumers will continue to receive
such notices describing the privacy
policies of any financial institutions
with which they do business to the
extent currently required.
III. Legal Authority
The Bureau is issuing this final rule
pursuant to its authority under section
504 of the GLBA, as amended by section
1093 of the Dodd-Frank Act.32 The
Bureau is also issuing this rule pursuant
to its authority under sections 1022 and
1061 of the Dodd-Frank Act.33
IV. Section-by-Section Analysis
Section 1016.3
Definitions
3(s)(1)
Regulation P’s substantive
requirements, including the requirement
to deliver privacy notices, are generally
32 15 U.S.C. 6804.
33 12 U.S.C. 5512, 5581.
imposed upon entities that meet the
definition of ‘‘You’’ in § 1016.3(s)(1).
That provision defines ‘‘You’’ as a
‘‘financial institution or other person for
which the Bureau has rulemaking
authority under section 504(a)(1)(A) of
the GLBA.’’ In order to coordinate this
definition more correctly with the
term’s usage in the regulation, the
Bureau proposed to limit ‘‘You’’ to
financial institutions.
The Bureau received no comments on
this technical amendment, and adopts it
now as proposed.
As explained above, Regulation P’s
substantive requirements, including the
requirement to deliver privacy notices,
are generally imposed upon entities that
meet the definition of ‘‘You’’ in
§ 1016.3(s)(1). The Bureau has
rulemaking authority over entities other
than financial institutions pursuant to
GLBA section 504(a)(1)(A).34 The
statute’s privacy notice requirements,
however, specifically apply only to
financial institutions.35 The Bureau
therefore believes that it is appropriate
to limit the definition of ‘‘You’’ in
§ 1016.3(s)(1) to financial institutions.
For this reason, the Bureau is amending
§ 1016.3(s)(1) to remove the phrase ‘‘or
other persons.’’ The Bureau does not
believe this technical amendment to
§ 1016.3(s)(1) will change the settled
understanding of the scope of
Regulation P’s privacy notice
requirements. Instead, the Bureau
believes it will clarify that the scope of
Regulation P’s privacy notice
requirements is consistent with the
understanding of stakeholders.
Section 1016.5 Annual Privacy Notice
to Customers Required
5(a) General Rule
The Bureau proposed to amend the
general requirement in § 1016.5(a)(1)
that financial institutions provide
annual notices, to clarify that the
Bureau has added an exception to this
requirement in § 1016.5(e) to
incorporate the amendment to GLBA
section 503.
No commenters specifically discussed
the conforming change to the general
rule in § 1016.5(a). One commenter
suggested that the Bureau remove any
GLBA privacy notice requirement and
instead require financial institutions to
post their privacy notices online, allow
all consumers to choose whether to
receive any privacy notices, make
34 Such rulemaking authority has been exercised
with respect to nonaffiliated third parties to which
a financial institution discloses nonpublic personal
information and that third party’s affiliates for
purposes of GLBA section 502(c)’s limits on reuse
of information. See 12 CFR 1016.11(c)–(d).
35 See GLBA sections 502(a)–(b) and 503(a).
electronic notices the default for any
consumers who opt to receive any
privacy notices, and allow financial
institutions to charge fees for any paper
privacy notices they provide.
The Bureau now adopts the
conforming amendment to the general
requirement in § 1016.5(a)(1) that
financial institutions provide annual
notices, to clarify that the Bureau has
added an exception to this requirement
in § 1016.5(e) to incorporate the
amendment to GLBA section 503. The
Bureau does not believe that the
comment is relevant to the proposal and
it does not provide a basis to change the
approach proposed by the Bureau.
Congress did not include revisions
along the lines the commenter suggested
in the statutory provision that the
Bureau is implementing in this
rulemaking.
5(e) Exception to Annual Notice
Requirement
New GLBA § 503(f) provides that a
financial institution is excepted from
providing an annual notice if it meets
the two conditions described below.
The Bureau proposed to add new
§ 1016.5(e) to incorporate into
Regulation P the exception created by
new § 503(f). Under proposed
§ 1016.5(e), as in section 503(f), a
financial institution would be excepted
from providing an annual notice if it
meets the two conditions discussed
below.
The commenters overwhelmingly
supported proposed § 1016.5(e).
Although some commenters asked that
the exception be broadened, no
commenters who discussed the
proposed exception objected to it. The
commenters stated that the exception
would reduce burden and would not
harm consumers, and was less
complicated and burdensome than the
previous alternative delivery method.
Some suggested that the provision
would benefit consumers. The
comments that specifically discussed
either of the two requirements for the
exception, in § 1016.5(e)(1)(i) and (ii),
are discussed below in relation to those
provisions.
A trade association representing
credit unions requested that to eliminate
confusion and protect institutions from
citations, the rule should be effective
retroactive to December 4, 2015, the
date the statutory GLBA amendments
took effect. In addition, an attorney
suggested that the Bureau preempt State
privacy statutes that might require
institutions to continue providing
annual privacy notices in spite of the
Federal exception. The attorney
recommended the Bureau modify
§ 1016.17 to expressly preempt contrary
State law, and instead require that an
institution make its privacy notice
continually available online.
After considering the comments and
for the reasons discussed below, the
Bureau now adopts the exception to the
annual notice requirement largely as
proposed, with certain changes to the
timing provisions in § 1016.5(e)(2), as
discussed below.
In regard to the comment
recommending that § 1016.17 be
modified, § 1016.17 implements GLBA
§ 507,36 which provides specific
standards regarding preemption of State
law. The Bureau does not believe that
the comment is relevant to the proposal
and it does not provide a basis to change
the approach proposed by the Bureau.
Congress did not include revisions
along the lines the commenter suggested
in the statute that the Bureau is
implementing in this rulemaking.
In regard to the comment on
retroactivity, the Bureau has made clear
in the proposed rule and this final rule
that new GLBA § 503(f) became effective
upon enactment in December 2015.37 As
the central elements of this rule are
already in effect, the Bureau believes
that there is no need to make this rule
retroactive. To the extent that this rule
changes applicable law, the Bureau
notes that retroactive rulemaking is
disfavored by the courts, and the
commenter has not established why it
would be appropriate here. This rule
takes effect 30 days after its publication
in the Federal Register.
5(e)(1) When Exception Available
5(e)(1)(i)
New GLBA section 503(f)(1) states the
first condition for the annual privacy
notice exception: that a financial
institution provide nonpublic personal
information only in accordance with the
provisions of subsection (b)(2) or (e) of
section 502 of the GLBA. The Bureau
proposed § 1016.5(e)(1)(i) to incorporate
this condition by requiring that to
qualify for the annual notice exception,
any nonpublic personal information that
financial institutions provide to
nonaffiliated third parties must be
provided only in accordance with
§ 1016.13, § 1016.14 or § 1016.15 of
Regulation P.
Almost no commenters specifically
discussed the first of the two
requirements of the new statutory
exception. One credit union explained
that it does not share nonpublic
personal information beyond the
exceptions provided in § 1016.13,
36 15 U.S.C. 6807.
37 See above, Part II.C.
§ 1016.14 or § 1016.15 of Regulation P,
and that it believes the § 1016.5(e)(1)(i)
requirement will work well. Another
commenter discussed voluntary opt-outs that a financial institution may
offer, asking whether the inclusion on
the privacy notice of opt-outs that allow
consumers to opt out of sharing that is
described in § 1016.13, § 1016.14 or
§ 1016.15 of Regulation P would
interfere with meeting the requirement
in § 1016.5(e)(1)(i).
The Bureau now adopts
§ 1016.5(e)(1)(i) as proposed. Section
1016.5(e)(1)(i) will incorporate the first
requirement of GLBA § 503(f) by
requiring that to qualify for the annual
notice exception, any nonpublic
personal information that financial
institutions provide to nonaffiliated
third parties must be provided only in
accordance with § 1016.13, § 1016.14 or
§ 1016.15 of Regulation P; these
regulatory sections implement
subsections (b)(2) and (e) of section
502.38 A financial institution sharing
information only pursuant to these
exceptions is not required to provide
customers with a right to opt out of that
sharing. In addition, because they
would only involve information sharing
within the exceptions of § 1016.13,
§ 1016.14 or § 1016.15, voluntary opt-outs included on privacy notices would
not affect compliance with the
§ 1016.5(e)(1)(i) requirement or the
annual notice exception.
The Bureau notes that § 1016.6(a)(7)
requires that annual privacy notices
incorporate any disclosures made under
FCRA section 603(d)(2)(A)(iii) regarding
the consumer’s ability to opt out of
sharing of information among affiliates.
Further, the notices may incorporate
any opt-out disclosures provided under
FCRA section 624.39 GLBA section
503(f)(1) does not mention information
sharing that would trigger an opt-out
notice under FCRA sections
603(d)(2)(A)(iii) or 624.
Given the structure of the statute, the
Bureau does not interpret GLBA section
503(f)(1) to preclude financial
institutions that provide nonpublic
personal information in accordance
with FCRA sections 603(d)(2)(A)(iii) or
624 from qualifying for the exception.
Thus, as the Bureau stated in its
proposal, the presence or absence of
these FCRA disclosures on a financial
institution’s privacy notice will not
affect whether the institution satisfies
GLBA section 503(f)(1) and
§ 1016.5(e)(1)(i). As the Bureau noted,
however, financial institutions that
choose to take advantage of the annual
notice exception must still provide any
opt-out disclosures required under
FCRA sections 603(d)(2)(A)(iii) and 624,
if applicable. Under the FCRA, neither
of these opt-outs is required to be
provided annually.40 Accordingly,
institutions can provide these
disclosures through other methods, for
example, through their initial privacy
notices in most circumstances.
38 The sharing described in these provisions
includes, among other things, sharing involving
third party service providers, joint marketing
arrangements, maintaining and servicing accounts,
securitization, law enforcement and compliance,
and reporting to consumer reporting agencies.
39 15 U.S.C. 1681s–3(b); 12 CFR 1022.23(b).
5(e)(1)(ii)
New GLBA section 503(f)(2) states the
second condition for the annual notice
exception: that a financial institution
not have changed its ‘‘policies and
practices with regard to disclosing
nonpublic personal information’’ from
the policies and practices that were
disclosed in the most recent notice sent
to consumers in accordance with GLBA
section 503. Because the Bureau
determined that the statutory language
was ambiguous as to the exact types of
sharing intended, the Bureau proposed
§ 1016.5(e)(1)(ii) to resolve this
ambiguity by requiring that, to qualify
for the annual notice exception, a
financial institution must not have
changed its policies and practices with
regard to disclosing nonpublic personal
information from the policies and
practices that were disclosed to the
customer under § 1016.6(a)(2) through
(5) and (9) in the most recent privacy
notice the financial institution
provided.
As with the first requirement for the
annual notice exception at
§ 1016.5(e)(1)(i), few commenters
specifically discussed the second
requirement at § 1016.5(e)(1)(ii).
However, the commenters
overwhelmingly signaled their support
for these provisions by supporting the
Bureau’s implementation of the
statutory exception. Two trade
associations representing credit unions
did specifically express support for the
proposed interpretation of the statutory
language as referring only to a change to
a disclosure under § 1016.6(a)(2)
through (5) and (9).
The Bureau now adopts
§ 1016.5(e)(1)(ii) as proposed, providing
that, to qualify for the annual notice
exception, a financial institution must
not have changed its policies and
practices with regard to disclosing
nonpublic personal information from
the policies and practices that were
disclosed to the customer under
§ 1016.6(a)(2) through (5) and (9) in the
most recent privacy notice the financial
institution provided.
40 See 15 U.S.C. 1681a(d)(2)(A)(iii); 12 CFR
1022.21, 1022.27; 72 FR 62910, 62930 (Nov. 7,
2007).
Paragraphs (1) through (9) of
§ 1016.6(a) list the specific information
that must be included in privacy
notices. Section 1016.6(a)(2) through (5)
and (9) require a financial institution to
include information related to its
policies and practices with regard to
disclosing nonpublic personal
information, but § 1016.6(a)(1)
(information collection) and
§ 1016.6(a)(8) (confidentiality and
security) do not.41 Accordingly, the
Bureau believes that only changes to an
institution’s policies and practices that
would require changes to any of the
disclosures required by § 1016.6(a)(2)
through (5) and (9) would cause a
financial institution to be unable to use
the exception in § 1016.5(e)(1)(ii).42
Section 1016.6(a)(7) requires that any
disclosure an institution makes under
FCRA section 603(d)(2)(A)(iii), which
describes a consumer’s ability to opt out
of disclosures of information among
affiliates, be included on the privacy
notice. The Bureau believes that the
statute is ambiguous as to whether a
financial institution that changes the
disclosure required under § 1016.6(a)(7)
from the most recent notice sent to
consumers would satisfy GLBA section
503(f)(2). In the proposed rule, the
Bureau sought comment on whether
proposed § 1016.5(e)(1)(ii) should
include changes to disclosures required
by § 1016.6(a)(7) and on how frequently
institutions change that disclosure. The
Bureau further sought comment on
whether institutions would prefer to
inform customers of these changes
through sending an annual privacy
notice or through sending a disclosure
describing only the FCRA section
603(d)(2)(A)(iii) opt-outs, if applicable,
and also sought comment on the impact
on consumers of these two methods.
41 The information specified in § 1016.6(a)(6)
describes the consumer’s right pursuant to
Regulation P to opt out of an institution’s disclosure
of information and would be inapplicable where a
financial institution qualifies for the annual notice
exception.
42 To have used the Bureau’s former alternative
delivery method, the information a financial
institution was required to convey on its annual
privacy notice pursuant to § 1016.6(a)(1) through
(5), (8), and (9) was required not to have changed
from the information disclosed in the most recent
privacy notice provided to the consumer. See
removed 12 CFR 1016.9(c)(2)(D). Thus, changes to
the information a financial institution was required
to convey pursuant to § 1016.6(a)(1) and (8) would
have prevented a financial institution from using
the alternative delivery method but such changes
will not prevent a financial institution from
satisfying § 1016.5(e)(1)(ii) for the annual notice
exception. Because institutions that include
information on their privacy notice pursuant to
§ 1016.6(a)(7) (which relates to opt-out notices
provided pursuant to the FCRA) were not permitted
to use the alternative delivery method in any case,
§ 1016.6(a)(7) was not listed as a type of information
that if changed would have prevented a financial
institution from using the alternative delivery
method.
All the commenters who addressed
these issues stated that changes to the
disclosures required by FCRA section
603(d)(2)(A)(iii) should not affect the
availability of the annual notice
exception. A State-wide trade
association representing credit unions
indicated that the presence or absence
of FCRA disclosures on a credit union’s
privacy notice, and subsequent changes
to those FCRA sharing practices, should
not impact whether an institution
qualifies for the annual notice
exception. This trade association stated,
without providing data, that it believed
that changes by credit unions in its State
to FCRA section 603(d)(2)(A)(iii)
information disclosures are infrequent,
and that few such credit unions share
data in a way that triggers an FCRA opt-out in the first place. Other commenters
who discussed the 603(d)(2)(A)(iii)
information disclosures stated that
allowing changes to disqualify financial
institutions from the annual notice
exception would interfere with the
burden reduction intended, and that
FCRA has its own disclosure
requirements.
Given the structure of the statute, the
Bureau does not interpret GLBA section
503(f)(2) to preclude financial
institutions that make changes to
disclosures required by § 1016.6(a)(7)
from qualifying for the exception. The
Bureau also notes that a change in the
603(d)(2)(A)(iii) information disclosures
only requires a one-time notice and opt
out. The Bureau does not believe that
consumers would be materially
benefited by requiring this one-time
notice to be included in a privacy notice
under Regulation P, especially where it
is required in a separate notice required
by the FCRA.
In addition to the discussion of
603(d)(2)(A)(iii) information
disclosures, the Bureau noted in the
proposed rule that a financial institution
would satisfy § 1016.5(e)(1)(ii) if it
changes its disclosures describing
policies and practices with regard to
disclosing nonpublic personal
information that are included in the
institution’s privacy notice without
being required by the GLBA or § 1016.6
(e.g., disclosures describing sharing
with affiliates under FCRA section 624
or voluntary disclosures and opt-outs).
The Bureau sought comment on
whether changes to disclosures that are
not required to be included in privacy
notices by the GLBA or § 1016.6 should
cause an institution not to satisfy
§ 1016.5(e)(1)(ii).
The Bureau received few comments
on this issue. A trade association
representing credit unions stated that
later changes to initial voluntary
disclosures should not trigger the need
to send annual privacy notices. The
commenter suggested that imposing
such a requirement would dissuade
institutions from making voluntary
disclosures. A banking and insurance
trade association stated that affiliate
marketing policy changes should not
impact the availability of the exception.
A trade association representing banks
stated that changes to disclosures that
are not required to be included in
privacy notices should not trigger non-compliance. The trade association
believed it would be costly and
burdensome to add additional
disclosures.
As indicated in the preamble to the
proposed rule, the Bureau has
determined that disclosures describing
sharing with affiliates under FCRA
section 624 or voluntary disclosures and
opt-outs will not affect a financial
institution’s eligibility for the annual
privacy notice exception under GLBA
§ 503(f). The Bureau believes that the
alternative interpretation could
discourage the use of voluntary
disclosures while adding unnecessary
burden.
5(e)(2) Delivery of Annual Privacy
Notice After Financial Institution No
Longer Meets Requirements for
Exception
New GLBA section 503(f) states that a
financial institution that meets the
requirements for the annual notice
exception will not be required to
provide annual notices ‘‘until such
time’’ as the financial institution fails to
comply with the criteria described in
section 503(f)(1) and 503(f)(2), which
are now implemented in
§ 1016.5(e)(1)(i) and (ii). A financial
institution will no longer meet the
requirements for the exception either by
beginning to share nonpublic personal
information in ways that trigger rights to
opt-out notices under the GLBA and
Regulation P, or by otherwise changing
its policies and practices with regard to
disclosing nonpublic personal
information from the policies and
practices that were disclosed to the
customer under § 1016.6(a)(2) through
(5) and (9) in the most recent privacy
notice the financial institution
provided.
Financial institutions that no longer
meet the conditions for the exception
must provide customers with annual
privacy notices. However, the GLBA,
including new GLBA section 503(f),
does not clearly specify when
institutions must provide these notices.
Thus, the statute is ambiguous on the
point. It could be read to require the
financial institution to provide an
annual privacy notice by the time it
changes its policies or practices in such
a way that it no longer qualifies for the
exception. Alternatively, it could be
read to subject the financial institution,
at the time it changes its policies or
practices in such a way that it no longer
qualifies for the exception, to the
requirement to provide an annual
privacy notice while being silent as to
the timing for providing that notice.
Pursuant to its authority in GLBA
section 504 to issue rules to implement
the GLBA, the Bureau proposed to
resolve this ambiguity by adopting this
second reading and issuing standards
for when institutions must provide
these notices. Specifically, in proposed
§ 1016.5(e)(2)(i) and (ii), the Bureau
proposed to use its rulemaking authority
under GLBA section 504(a) to establish
timing requirements for providing an
annual notice in these circumstances.
The Bureau proposed to establish these
requirements to ensure that delivery of
the annual privacy notice in these
circumstances is consistent with the
existing timing requirements for privacy
notices in the regulation, where
applicable, and to provide clarity to
financial institutions regarding these
requirements.
In developing the proposed
framework, the Bureau looked to
existing requirements under the statute
and regulation because they already
address circumstances in which a
financial institution might change its
policies and procedures in a way that
affects the content of the notices.
Specifically, § 1016.8 requires that the
financial institution provide a revised
notice to consumers before
implementing certain types of changes;
in other cases, the statute and regulation
currently contemplate that a change in
policy and procedure that affects the
content of the notices would simply be
reflected on the next regular annual
notice provided to the customer. The
Bureau is therefore proposing different
timing requirements for the resumption
of the annual notice requirement
depending on whether the change at
issue would trigger the requirement for
a revised notice under § 1016.8 prior to
the change taking effect.
Accordingly, the timing requirements
in proposed § 1016.5(e)(2)(i) and (ii)
would differ depending on whether the
change that causes the financial
institution to no longer satisfy the
conditions for the annual notice
exception also triggers a requirement
under existing Regulation P to deliver a
revised notice. Section 1016.8 currently
requires that financial institutions
provide revised notices to consumers
before the institutions share nonpublic
personal information with a
nonaffiliated third party if their sharing
would be different from what the
institution described in the initial notice
it delivered. After delivering the revised
notice, the financial institution must
also give the consumer a reasonable
opportunity to opt out of any new
information sharing beyond the
Regulation P exceptions before the new
sharing occurs.
Three-fifths of all industry
commenters on the proposed rule
specifically addressed the proposed
timing requirements. The comments on
the timing requirements viewed the
requirement in § 1016.5(e)(2)(i) and that
in § 1016.5(e)(2)(ii) very differently, as
will be discussed below in regard to
those sections. In regard to the overall
timing requirements, one trade
association representing credit unions
expressed appreciation for the Bureau’s
proposal, stating that such clarification
will eliminate confusion surrounding
delivery requirements after a financial
institution no longer meets the
requirements for the exception. A trade
association representing banks
supported the proposed timing
requirements, asserting that institutions
will not find it difficult to comply with
the suggested conditions. This
commenter also requested clarification
that once notices are sent and there are
no further privacy changes, an
institution will be able to again qualify
for the exception, thus excepting them
from having to send further annual
notices.
The Bureau is adopting the timing
provisions largely as proposed, with a
change to the duration of the timing
requirement in § 1016.5(e)(2)(ii), as
discussed below. The Bureau is also
adding another example to
§ 1016.5(e)(2)(iii) to clarify whether a
financial institution again qualifies for
the annual notice exception after
delivering an annual notice under
§ 1016.5(e)(2).
5(e)(2)(i) Changes Preceded by a Revised
Privacy Notice
For changes to a financial institution’s
policies or practices that cause it to no
longer satisfy the conditions for the
exception and also trigger an obligation
to send a revised notice prior to the
change, the Bureau proposed in
§ 1016.5(e)(2)(i) that financial
institutions would be required to
resume delivery of their subsequent
regular annual notices pursuant to the
existing timing requirements that govern
delivery of annual notices generally.
Because the revised notice would
inform the customer of the institution’s
changed policies and practices before
any new sharing occurs, the Bureau
believed that there is no clear urgency
regarding delivery of the first annual
notice subsequent to implementation of
the new policies and procedures.
Specifically, § 1016.4(a)(1) generally
requires a financial institution to
provide an initial notice to an
individual who becomes the
institution’s customer no later than
when it establishes a customer
relationship. Section 1016.5(a) requires
a financial institution to provide a
privacy notice to its customers ‘‘not less
than annually’’ during the continuation
of any customer relationship. Section
1016.5(a)(1) defines annually to mean
‘‘at least once in any period of 12
consecutive months.’’ It further provides
that a financial institution ‘‘may define
the 12-consecutive-month period, but []
must apply it to the customer on a
consistent basis.’’ Section 1016.5(a)(2)
provides an example of the meaning of
‘‘annually’’ in relation to the delivery of
the first annual notice after the initial
notice:
You provide a notice annually if you
define the 12-consecutive-month period as a
calendar year and provide the annual notice
to the customer once in each calendar year
following the calendar year in which you
provided the initial notice. For example, if a
customer opens an account on any day of
year 1, you must provide an annual notice to
that customer by December 31 of year 2.
The example in § 1016.5(a)(2)
provides financial institutions with the
flexibility to select a specific date
during the year to provide annual
notices to all customers, regardless of
when a particular customer relationship
began. This flexibility avoids burdening
institutions with either having to
provide annual notices on the
anniversary of initial notices, or
alternatively providing two notices in
the first year of the customer
relationship to get all accounts
originated in a given calendar year on
the same cycle for delivering subsequent
annual notices.
The Bureau proposed that the
approach to timing of the annual notice
in § 1016.5(a)(2) be applied if a financial
institution makes a change that causes
it to lose the exception and triggers the
requirement to deliver a revised notice
prior to the change. Under the proposed
approach, if a financial institution
provides a revised notice on any day of
year 1 in advance of changing its
policies or practices such that it loses
the exception, that revised notice would
be treated as analogous to an initial
notice in § 1016.5(a)(2). Assuming that
the financial institution defines the 12-month period as the calendar year, the
financial institution would have to
provide the first annual notice after
losing the exception by December 31 of
year 2.
The Bureau invited comment on the
timing conditions proposed in
§ 1016.5(e)(2)(i). Few commenters
separately discussed § 1016.5(e)(2)(i).
All commenters who explicitly
addressed the proposed timing
requirements under § 1016.5(e)(2)(i)
agreed with the Bureau’s proposed
approach. No industry commenters
suggested alternative timing conditions.
One credit union asserted that the
proposed timing condition would
incentivize credit unions to plan and
notify their members in advance of
making changes to privacy policies.
Two trade associations representing
banks and credit unions supported the
timing requirement because it would
prevent institutions from having to send
out multiple notices within the same
year. The trade association representing
credit unions asserted that redundant
notices provide no benefit to consumers
and pose a burden and expense on
credit unions.
The Bureau now adopts
§ 1016.5(e)(2)(i) as proposed. The
Bureau believes that using the same
approach in § 1016.5(e)(2)(i) as in
existing § 1016.5(a)(2) is appropriate for
two reasons. First, customers will
receive a revised notice informing them
of the change in the financial
institution’s policies or practices before
the change occurs, and thus customers
will not be harmed by the financial
institution taking a longer period of time
in which to deliver the first annual
notice after the annual notice exception
has been lost. Second, this approach
will preserve flexibility for financial
institutions and avoid requiring them to
deliver a revised notice and an annual
notice in the same year, and allowing
them to use a convenient delivery date
for annual notices for all customers. The
Bureau believes this flexibility is
justified because a financial institution
that is required to deliver a revised
privacy notice pursuant to § 1016.8 may
have continuing annual notice
obligations after the exception is lost.
Such an institution could be sharing
other than as described in the
Regulation P exceptions and thus fail to
satisfy § 1016.5(e)(1)(i), making the
annual notice exception unavailable in
future years.
5(e)(2)(ii) Changes Not Preceded by a
Revised Privacy Notice
For financial institutions that change
their policies and practices in such a
way as to lose the § 503(f) exception, but
do not share information in a way that
triggers the requirement under § 1016.8
to deliver a revised notice prior to the
change, the Bureau proposed that a
financial institution must deliver the
annual notice within 60 days after the
change that caused the institution to
lose the exception. The Bureau
proposed this 60-day period for
providing the annual notice in this
situation because customers would not
receive a revised notice from the
financial institution prior to the
institution’s change in policies or
practices.
The Bureau requested comment on
whether 60 days is an appropriate
period for delivering annual notices in
these circumstances or if another period
would be more appropriate.
Approximately half of all commenters
specifically addressed the timing
conditions proposed under
§ 1016.5(e)(2)(ii). These commenters
generally opposed the 60-day
requirement, advocating instead for an
increased amount of time for
institutions to deliver the revised notice.
The majority of these commenters
requested at least 90 days to deliver the
notice.
Trade associations representing credit
unions cited cost concerns with the 60-day requirement, asserting that because
they send quarterly statements to many
consumers, the timing requirement
would require institutions to send out
an additional notice. Some of these
commenters suggested that 90 days was
a more appropriate timeframe, as it
would allow institutions to minimize
costs by sending the revised notice with
the next quarterly statement. One of
these trade associations representing
credit unions also asserted that 60 days
was too brief, particularly for small
credit unions addressing inadvertent
changes. This commenter suggested 90
to 120 days to allow credit unions the
opportunity to include the notice with
the quarterly periodic statement, and
noted that while all members may not
receive monthly statements, most
receive account statements quarterly.
Other industry commenters suggested
120 days as an appropriate time to
deliver the annual notice. A few of these
commenters cited the same above-mentioned cost concerns that are
associated with separate mailers. These
commenters asserted that 120 days
would allow the notice to be included
with regularly scheduled member
statements, therefore eliminating the
need for an additional mailer. One
industry commenter representing credit
unions noted that a separate mailer
would be especially costly for smaller
credit unions with fewer resources.
Industry commenters who suggested
120 days also stated, without specific
explanation, that the proposed 60-day
requirement did not provide institutions
enough time to perform. A few of these
industry commenters asserted that
smaller credit unions, particularly those
with fewer resources, would find the 60-day time frame too short. Some of those
same commenters thought that larger
credit unions with numerous
departments working to consolidate
information would also struggle to meet
the 60-day requirement. Several trade
associations representing credit unions
stated that a longer time frame would
allow credit unions time to organize
logistics, educate staff, and command
the resources necessary to draft and
send the required notice. One industry
commenter stated that an extension
would not negatively impact consumers
because prior notice is still required
when changes allow sharing with third
parties of non-public personal
information and the option to opt out in
advance.
One trade association commenter
representing credit unions suggested at
least 180 days, citing the fact that
§ 1016.8 does not require a revised
privacy notice under the circumstances
described in § 1016.5(e)(2)(ii). This
commenter also suggested that to
combat costs, financial institutions
should have the option to include a
message on periodic statements or
mailers that there has been a change to
the privacy notice, and direct the
recipient to the financial institution’s
website to view and download an
electronic copy of the revised notice.
The Bureau now adopts the timing
provision in § 1016.5(e)(2)(ii) with a 100
calendar day period during which the
financial institution must provide the
annual privacy notice. The unanimous
industry objection to the 60-day period
suggests that the proposal likely would
have imposed costs that the Bureau had
not anticipated. The 100-day period will
accommodate the inclusion of the notice
with quarterly statements. The Bureau
believes that providing 10 days in
addition to the 90 days many
commenters requested is appropriate
because most calendar quarters are
slightly longer than 90 days, and a short
additional period should be allowed for
administrative activities and to provide
flexibility if the end date falls on a
weekend or holiday. The Bureau does
not believe that consumers will be
harmed by this extension of the time
period from the proposal.
However, the Bureau notes that the
commenters requesting 120 or 180 days
provided no specific reason why
allowing such additional time would
contribute to cost savings beyond
allowing the notice to be included in
quarterly statements. The Bureau is not
aware of any other reason, and therefore
declines to adopt a longer period.
The Bureau believes that the 100-day
deadline will not impose undue or
unreasonable costs on financial
institutions, particularly since the
delivery requirement is effectively a
one-time burden absent additional
changes to a financial institution’s
policies and practices. Specifically, after
providing the one annual notice, the
financial institution will likely once
again meet both of the conditions for the
exception—it will not be sharing
nonpublic personal information with
nonaffiliates other than as described in
a Regulation P exception to the opt-out
requirements and its policies and
practices will not have changed since it
provided the annual notice. Because the
financial institution likely will once
again meet the conditions for the
exception, it likely will not be required
to provide future annual notices. In
other words, these financial institutions
will likely lose the exception for only a
single year. The Bureau is including an
additional example in
§ 1016.5(e)(2)(iii)(B) for clarity. Given
that financial institutions delivering
notices pursuant to § 1016.5(e)(2)(ii)
will likely have no continuing
obligation to send annual notices, they
likely will not need flexibility in
choosing a convenient delivery date for
future annual notices, beyond the 100
days of flexibility being provided for a
single privacy notice.43
In regard to the comment that the
regulation should allow financial
institutions to include a message on
periodic statements or mailers directing
customers to an electronic copy of the
annual notice, the Bureau believes that
any reduction in costs would be
minimal because the financial
institution is likely not required to
provide more than one notice. In
addition, the Bureau did not propose or
request comment on such an option.
The Bureau also notes that financial
institutions have substantial flexibility
in managing the burden involved in
sending the one annual notice because
institutions can generally choose when
they change their policies or practices.
Accordingly, an institution can choose
when to make the change triggering the
commencement of the 100-day period
for delivery of the annual notice, so that
the date of delivery can be as
convenient and low-cost as possible.
43 If the financial institution were to make
changes in the future to its practices and policies,
these changes could trigger a new obligation to
provide annual privacy notices.
5(e)(2)(iii) Examples
In order to facilitate compliance with
proposed § 1016.5(e)(2), the Bureau
proposed § 1016.5(e)(2)(iii) to provide
an example for when an institution
must provide an annual notice after
changing its policies or practices such
that it no longer meets the requirements
for the annual notice exception set forth
in proposed § 1016.5(e)(1).
The Bureau did not receive any
comments specifically discussing the
example provided in § 1016.5(e)(2)(iii).
Because the Bureau believes that the
example will provide clarity and
facilitate compliance, it is now being
made final in § 1016.5(e)(2)(iii)(A), with
a minor change due to the alteration of
the time frame in § 1016.5(e)(2)(ii). In
addition, the Bureau is providing a
second example, in § 1016.5(e)(2)(iii)(B),
to facilitate compliance when a
financial institution must only provide
one annual notice before it again
qualifies for the § 1016.5(e)(1)
exception.
Section 1016.5(e)(2)(iii)(A) provides
an example for when an institution
must provide an annual notice after
changing its policies or practices such
that it no longer meets the requirements
for the annual notice exception in
§ 1016.5(e)(1). The Bureau believes this
example will facilitate compliance with
§ 1016.5(e)(2). The example assumes
that an institution changes its policies
or practices effective April 1 of year 1
and defines the 12-consecutive-month
period pursuant to § 1016.5(a)(1) as a
calendar year. Section
1016.5(e)(2)(iii)(A) states that the
institution must provide an annual
notice by December 31 of year 2 if the
institution was required to provide a
revised notice prior to the change and
provided that revised notice on March
1 of year 1 in advance of the change.
Section 1016.5(e)(2)(iii)(A) further states
that the institution must provide an
annual notice by July 9 of year 1 if the
institution was not required to provide
a revised notice prior to the change.
The Bureau is also providing a second
example, in § 1016.5(e)(2)(iii)(B), to
facilitate compliance when a financial
institution must provide only one
annual notice before it again qualifies
for the § 1016.5(e)(1) exception, as
discussed above in relation to
§ 1016.5(e)(2)(ii). The example assumes
that a financial institution changes its
policies and practices in such a way that
it no longer meets the requirements of
§ 1016.5(e)(1), and so provides an
annual notice to its customers. The
example further assumes that after
providing the annual notice to its
customers, the financial institution once
again meets the requirements of
§ 1016.5(e)(1) for an exception to the
annual notice requirement. The example
explains that the financial institution
does not need to provide additional
annual notices to its customers until
such time as it no longer meets the
requirements of § 1016.5(e)(1).
Section 1016.9 Delivering Privacy and
Opt Out Notices
9(c)(2) Alternative Delivery Method for
Providing Certain Annual Notices
As discussed in Part II, the Bureau
amended Regulation P in October 2014
to allow financial institutions that met
certain criteria to deliver annual notices
pursuant to the ‘‘alternative delivery
method.’’ Because financial institutions
that met the conditions in Regulation P
to use the alternative delivery method
will also meet the conditions for the
statutory exception in section 503(f), the
Bureau proposed to remove the
alternative delivery method from
Regulation P by removing § 1016.9(c)(2)
and renumbering existing § 1016.9(c)(1)
as § 1016.9(c).
Commenters generally expressed
support for the proposed removal of the
alternative delivery method. Ten
commenters addressed the issue, with
eight supporting the proposal and two
opposing it.
Some commenters welcomed
elimination of the alternative delivery
method, asserting that the conditions
associated with the 2014 provision
deterred institutions from taking
advantage of the intended relief. A debt
collector organization stated that the
alternative delivery method did not
provide a solution for many debt
collectors and consumers. This
commenter asserted that the alternative
delivery required model form created a
significant risk of class action litigation
because of claims that the language
conflicts with the Fair Debt Collection
Practices Act’s prohibitions on third-party disclosure. A commenter
representing several trade associations
stated that the alternative delivery
method requirement to post the notice
online eliminated any benefits from the
2014 rule.
Two trade associations agreed that the
alternative delivery method would no
longer be useful in light of the statutory
exception to the annual notice
requirement, and one of these trade
associations stated that it was unlikely
that financial institutions would
continue to use a complex means of
compliance when a simpler one was
available.
Several commenters discussed
benefits associated with eliminating the
alternative delivery method. One trade
association stated that removing the
alternative delivery method would
eliminate confusion between the rule
and the statute. Another trade
association representing banks
expressed appreciation of the
elimination of the alternative delivery
method, arguing that it would remove
the confusion of having both an
exception from the annual privacy
notice and an alternative to the delivery
requirement. One trade association
stated that consumers will benefit from
the elimination of the method, as they
will experience decreasing information
overload.
One trade association representing
banks requested clarification that
institutions that qualify for the
exception but still keep a copy of the
privacy policy on their websites will not
be criticized or penalized.
Two trade association commenters
representing the consumer credit
industry and credit unions did not
support removal of the alternative
delivery method. These commenters
stated that their customers or members
prefer to receive communications
electronically. Both commenters cited
cost burdens associated with mailing
privacy notices.
The trade association representing the
consumer credit industry stated that
several of their member financial
institutions, particularly those that
provide indirect auto loans, do not
qualify for the statutory exception to the
annual notice requirement because the
institutions share consumer information
with nonaffiliated third parties other
than as described in §§ 1016.13, 14 and
15. These institutions are required
under § 1016.10 of Regulation P to
inform consumers through the
institution’s annual privacy notice that
the consumer has a right to opt out of
that information sharing. The trade
association representing the consumer
credit industry encouraged expansion of
the alternative delivery method,
highlighting the cost effectiveness of
electronic delivery and stating that
many institutions upgraded systems to
implement the alternative delivery
method under the 2014 rule. This
commenter also urged the Bureau to
consider allowing institutions that share
with nonaffiliated third parties to
deliver their privacy notices
electronically, such as via website
posting, similar to the method permitted
by the alternative delivery method.
After considering the comments, the
Bureau now adopts the proposed
change, removing the alternative
delivery method from Regulation P by
removing § 1016.9(c)(2) and
renumbering former § 1016.9(c)(1) as
§ 1016.9(c).
Any financial institution that met the
conditions to use the alternative
delivery method will also meet the
conditions to be excepted from
delivering an annual privacy notice
pursuant to new GLBA section 503(f).
First, new GLBA section 503(f)(1) is
substantively identical to the first
requirement for using the alternative
delivery method:44 That the financial
institution share nonpublic personal
information about customers with
nonaffiliated third parties only in ways
that do not give rise to the customer’s
right to opt out of that sharing.45
Second, new GLBA section 503(f)(2) is
similar to the fourth requirement for
using the alternative delivery method:
that the institution must not have
changed its policies and practices with
regard to disclosing nonpublic personal
information from those that were
disclosed to the customer in the most
recent privacy notice.46 Accordingly,
any financial institution that would
have met the requirements in former
§ 1016.9(c)(2) will also meet the
requirements of section 503(f).
The Bureau believes that a financial
institution that has both options
available to it would choose not to send
the annual privacy notice at all, rather
than to deliver it pursuant to the
alternative delivery method, so that it
can eliminate rather than merely reduce
the cost of providing annual notices.
Given that any financial institution that
qualifies to use the alternative delivery
method for its annual notices also meets
the qualifications for the new annual
notice exception, the Bureau believes
that including the alternative delivery
method in Regulation P is no longer
useful.
The Bureau notes that financial
institutions that delivered annual
notices using the alternative delivery
method while it was in effect delivered
those notices using a method that was
in compliance with Regulation P,
notwithstanding that the alternative
delivery method provision is now being
removed from the regulation. The
Bureau further notes that financial
institutions that qualify for the new
annual notice exception may still
choose to post privacy notices on their
websites, deliver privacy notices to
consumers who request them, and
notify consumers of the notices’
availability. Such activities will not
affect a financial institution’s eligibility
for the new 503(f) exception.
44 See removed 12 CFR 1016.9(c)(2)(i)(A).
45 This sharing is pursuant to GLBA section 503(b)(2) and (e), which correspond to Regulation P §§ 1016.13, 1016.14, and 1016.15.
46 See removed 12 CFR 1016.9(c)(2)(i)(D). The requirement in former § 1016.9(c)(2)(i)(D) was somewhat more restrictive because it required a financial institution not to have changed its practices with respect to disclosing nonpublic personal information and protecting the confidentiality and security of nonpublic personal information whereas section 503(f)(2) requires that the institution not have changed its policies only with respect to disclosing nonpublic personal information. See the section-by-section analysis of § 1016.5(e)(1)(ii) for further discussion.
The Bureau has considered the
comments suggesting that it retain and
expand the alternative delivery method
for providing annual privacy notices. In
this rulemaking, the Bureau is
implementing the FAST Act
amendments to the GLBA, which
eliminate the requirement that financial
institutions provide an annual privacy
notice if certain conditions are met. In
making these amendments to the GLBA,
Congress did not address the delivery
method financial institutions must or
may use if they continue to be required
to provide an annual privacy notice,
including where financial institutions
have not changed their privacy policies
since their last privacy notice and they
share information with nonaffiliated
third parties other than as described in
§§ 1016.13, .14, and .15. Because
Congress did not address these issues in
the FAST Act amendments to the GLBA,
the Bureau declines to address them in
this rulemaking to implement those
amendments.
V. Dodd-Frank Act Section 1022(b)(2)
Analysis
A. Overview
In developing the final rule, the
Bureau has considered the potential
benefits, costs, and impacts as required
by section 1022(b)(2) of the Dodd-Frank
Act.47 The Bureau requested comment
on the preliminary analysis as well as
the submission of additional data that
could inform the Bureau’s analysis of
the benefits, costs, and impacts of the
rule. The Bureau received one comment
on the preliminary analysis, which it
has considered in developing this final
analysis. In addition, the Bureau has
consulted and coordinated with the
SEC, CFTC, FTC, and NAIC, and
consulted with or offered to consult
with the OCC, Federal Reserve Board,
FDIC, NCUA, and HUD, including
regarding consistency with any
prudential, market, or systemic
objectives administered by such
agencies.
47 Specifically, section 1022(b)(2)(A) of the Dodd-Frank Act calls for the Bureau to consider the potential benefits and costs of a regulation to consumers and covered persons, including the potential reduction of access by consumers to consumer financial products or services; the impact on depository institutions and credit unions with $10 billion or less in total assets as described in section 1026 of the Dodd-Frank Act; and the impact on consumers in rural areas.
This final rule implements the
December 2015 amendment to the
GLBA by amending § 1016.5 of
Regulation P to provide that a financial
institution is not required to deliver an
annual privacy notice if it:
(1) Provides nonpublic personal
information to nonaffiliated third
parties only in accordance with the
provisions of § 1016.13, § 1016.14, or
§ 1016.15; and
(2) Has not changed its policies and
practices with regard to disclosing
nonpublic personal information from
the policies and practices that were
disclosed to the customer under
§ 1016.6(a)(2) through (5) and (9) in the
most recent privacy notice provided.
In considering the potential benefits,
costs, and impacts of the rule, the
Bureau takes as the baseline for the
analysis the legal regime that existed
prior to the FAST Act’s amendment of
the GLBA.48 This regime includes the
current provisions of Regulation P. The
Bureau assumes that all financial
institutions that can use the alternative
delivery method provided in
§ 1016.9(c)(2) are doing so.
B. Potential Benefits and Costs to
Consumers and Covered Persons
The impact on consumers of
§ 1016.5(e) depends on whether the
particular consumer prefers or would
otherwise benefit from receiving an
annual privacy notice that does not offer
the consumer an opt-out under the
GLBA and is largely unchanged49 from
previous notices. Under § 1016.5(e),
financial institutions that meet the
requirements for the annual notice
exception would not be required to
provide consumers with annual privacy
notices, and the Bureau anticipates that
most institutions would decide not to
provide notices in these circumstances.
48 The proposal referred to this as the ‘‘regulatory regime that currently exists.’’ 81 FR at 44808. However, the baseline the Bureau is using did not and does not reflect that the FAST Act has taken effect. The Bureau has discretion in each rulemaking to choose the relevant provisions to discuss and to choose the most appropriate baseline for that particular rulemaking.
49 As discussed in part IV in the section-by-section analysis of § 1016.5(e)(1)(ii), certain changes to an institution’s policies or practices would not cause the institution to lose the annual notice exception.
While there is no data available on the
number of consumers who are
indifferent to (or dislike) receiving
unchanged privacy notices every year,
the limited use of opt-outs and
anecdotal evidence suggest that there
are such consumers.50 For this group of
consumers, § 1016.5(e) might provide a
benefit because it would be available to
some institutions that cannot use the
alternative delivery method, so that
more consumers would stop receiving
mailed annual privacy notices.
For other consumers who would
prefer or otherwise benefit from
receiving the annual notices, there will
be some cost because many institutions
that previously delivered notices—
whether through the standard delivery
methods or through the alternative
delivery method that includes posting
on the institution’s website—will no
longer deliver annual notices.
Consumers may be less informed about
opportunities to limit a financial
institution’s information sharing
practices if the financial institution
meets the requirements for the annual
notice exception and chooses not to
provide annual notices. For example,
some consumers will receive fewer
notices in which a financial institution
offers voluntary opt-outs, i.e., opt-outs
that the financial institution is not
required by Regulation P to offer
(because, for example, the type of
sharing the financial institution does is
covered by an exception) but that the
institution decides to provide anyway
via the annual privacy notice. Voluntary
opt-outs do not appear to be common,
however.51 Further, institutions may
continue to offer voluntary opt-outs and
may offer them through other
mechanisms even if they do not provide
annual privacy notices.
50 One early analysis of the use of the opt-outs reported at most 5% of consumers make use of them in any year, and likely fewer. See Jeffrey M. Lacker, The Economics of Financial Privacy: To Opt Out or Opt In?, 88/3 Fed. Res. Bank Rich. Econ. Q., at 11 (Summer 2002), available at https://www.richmondfed.org/-/media/richmondfedorg/publications/research/economic_quarterly/2002/summer/pdf/lacker.pdf. One commenter on the proposed rule also estimated that 5% of consumers use opt-outs. AFSA Comment letter, August 10, 2016.
51 See Lorrie Faith Cranor et al., Are They Actually Any Different? Comparing Thousands of Financial Institutions’ Privacy Practices, available at https://www.econinfosec.org/archive/weis2013/papers/CranorWEIS2013.pdf (submitted as part of The Twelfth Workshop on the Economics of Information Security (WEIS 2013), June 11–12, 2013, Georgetown University, Washington, DC). Their findings (Table 2) imply that at most 15% of the 3,422 FDIC insured depositories that post the model privacy form on their websites offer at least one voluntary opt-out. Data from a much larger group of financial institutions analyzed by Cranor et al. (undated) imply (Table 2) that at most 27% of the 6,191 financial institutions that post the model privacy form on their websites offer at least one voluntary opt-out.
If financial institutions choose not to
provide notices pursuant to the annual
notice exception, consumers may also
be less informed of their opt-out rights
under the FCRA. Section 503(c)(4) of the
GLBA and Regulation P require
financial institutions providing initial
and annual privacy notices to
incorporate into them any notification
and opt-out disclosures provided
pursuant to section 603(d)(2)(A)(iii) of
the FCRA.52 Section 624 of the FCRA
and Regulation V also permit (but do
not require) financial institutions
providing initial and annual privacy
notices under Regulation P to
incorporate any opt-out disclosures
provided under section 624 of the FCRA
and subpart C of Regulation V into those
notices.53 Because financial institutions
will likely decide not to provide annual
notices pursuant to the exception in
proposed § 1016.5(e), consumers may be
less informed of their opt-out rights
pursuant to these sections of the FCRA
to the extent that institutions use less
effective methods to convey information
about these rights to consumers.54
Consumers also may be less informed
about a financial institution’s data
collection practices and its policies and
practices with respect to protecting the
confidentiality and security of
nonpublic personal information.
Regarding benefits and costs to
covered persons, the primary effect of
the rule will be burden reduction
achieved by lowering the costs to
industry of providing annual privacy
notices. Section 1016.5(e) imposes no
new compliance requirements on any
financial institution. Any institution
that could use the alternative delivery
method will meet the requirements for
the annual notice exception pursuant to
§ 1016.5(e).55 A financial institution that
is in compliance with current law will
not be required to take any different or
additional action unless it chooses to
take advantage of the annual notice
exception and thus will be required to
separately meet its opt-out obligations,
if any, pursuant to the FCRA.56 This
analysis assumes that no financial
institution will do so unless the net
result of the choice is burden reducing.
52 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).
53 15 U.S.C. 1681s–3(b); 12 CFR 1022.23(b).
54 As explained in the section-by-section analysis of § 1016.5(e)(1)(i) in part IV, the annual notice exception in § 1016.5(e) does not relieve financial institutions of the obligation to provide consumers with the information that is required under FCRA sections 603(d)(2)(A)(iii) or 624.
55 Any financial institution that meets the conditions to use the alternative delivery method will also meet the conditions to be excepted from delivering an annual privacy notice pursuant to new GLBA section 503(f) because the two conditions for section 503(f) are closely related to conditions for using the alternative delivery method. See the section-by-section analysis of § 1016.9(c) for further explanation.
The expected cost savings to financial
institutions from the revisions to
§ 1016.5(e) depend on whether the
financial institution uses the alternative
delivery method under the baseline.
Financial institutions that currently use
the alternative delivery method will
likely cease complying with the
requirements in current § 1016.9(c)(2)
since they necessarily meet the
requirements of the exception to the
annual notice requirement and thus will
no longer be required to deliver an
annual notice.57 However, the Bureau
expects that financial institutions that
change from using the alternative
delivery method to provide annual
notices to not providing these notices at
all will achieve little cost savings.58
Financial institutions that currently do
not use the alternative delivery method
are expected to use the proposed annual
notice exception if the expected costs of
any changes required to use the
exception and the costs of any
consequences of not providing the
annual disclosure will be lower than the
costs of complying with current
Regulation P. The Bureau believes that
few such financial institutions will find
it in their interests to change their
information sharing practices in order to
use the annual notice exception. Thus,
the Bureau takes the information
sharing practices of financial
institutions as given and considers how
many financial institutions that do not
currently meet the requirements to use
the alternative delivery method can use
the annual notice exception.59 As a
practical matter, the Bureau identifies
these institutions solely by their
information sharing practices: That is to
say, the Bureau identifies the financial
institutions whose current information
sharing practices do not meet the
standards in § 1016.9(c)(2) but will meet
the standards in § 1016.5(e). The Bureau
then estimates the ongoing savings in
costs to these financial institutions from
no longer sending the annual privacy
notice.60
56 See the section-by-section analysis to § 1016.5(e)(1)(i) in part IV for an explanation of the interaction between the annual notice exception and the opt-outs provided under FCRA sections 603(d)(2)(A)(iii) and 624.
57 See supra note 52.
58 The Bureau believes that the alternative delivery method imposes little ongoing cost to financial institutions that have adopted it. These costs derive from the additional text on an account statement, coupon book, notice or disclosure the institution already provides; maintaining a webpage dedicated to the annual privacy notice; responding to telephone calls from a very small number of consumers requesting that the model form be mailed; and mailing the forms prompted by these calls.
59 Because the Bureau takes institutions’ sharing practices as given and because the cost savings estimate is based on a single year, the expected cost savings for institutions does not account for a reduction or increase in aggregate cost savings that may occur if any institutions change their sharing practices in the future such that they no longer meet the requirements for the annual notice exception or they begin to meet those requirements.
For the 2014 Annual Privacy Notice
Rule, the Bureau collected a sample of
privacy policies from banks and credit
unions and estimated both the number
of financial institutions that would
adopt the alternative delivery method
and the aggregate cost savings that
would result.61 Specifically, the Bureau
examined the privacy policies of 19
banks with assets over $100 billion as
well as the privacy policies of 106
additional banks selected through
random sampling. The Bureau
previously concluded that 80% of banks
could use the alternative delivery
method that was set forth in
§ 1016.9(c)(2). For the current
rulemaking, the Bureau re-analyzed this
sample to identify banks with
information sharing practices that do
not meet the standard in § 1016.9(c)(2)
but will meet the standard in
§ 1016.5(e). In the re-analysis, the
Bureau finds that 48% of banks that
could not use the alternative delivery
method can use the proposed exception
to the annual notice requirement. Most
of these banks were not able to use the
alternative delivery method because
they offered opt-outs to consumers
pursuant to FCRA section
603(d)(2)(A)(iii); a financial institution
can meet the requirements for the
annual notice exception in § 1016.5(e)
even if it offers such opt-outs.
Specifically, the Bureau previously
estimated that approximately 1,350
banks could not use the alternative
delivery method and our re-analysis
shows that 650 of these banks (48%)
will be able to use the annual notice
exception.62 For banks with assets over
$10 billion, 70% of those that could not
use the alternative delivery method can
use the annual notice exception. For
banks with assets of $10 billion or less
and banks with assets of $500 million or
less, the respective figures are 47% and
40%.
60 The Bureau assumes that a financial institution used the alternative delivery method whenever the Bureau can obtain the annual privacy notice from the website of the financial institution and the Bureau concludes from the information on the privacy notice that the information sharing practices of the financial institution comply with removed § 1016.9(c)(2). If a financial institution did not use the model form, the Bureau assumes that the financial institution would have adopted the model form if the information sharing practices complied with § 1016.9(c)(2). This methodology overstates the number of these financial institutions that could have used the alternative delivery method, because some of these financial institutions might not have met all of the requirements of § 1016.9(c)(2), and therefore understates the benefits of the annual notice exception to these financial institutions. On the other hand, if a financial institution does not have a website, the Bureau cannot (as a practical matter) obtain and evaluate its information sharing practices. In this case, the Bureau assumes that the financial institution cannot use either the alternative delivery method or the annual notice exception. This also tends to understate the benefits of the annual notice exception to these financial institutions, since none of them could have used the alternative delivery method but some might be able to use the annual notice exception.
61 See 79 FR 64057, 64076–64077 (Oct. 28, 2014). Note that the term ‘‘banks’’ as used throughout this rule includes savings associations.
The Bureau also previously examined
the privacy policies of the four credit
unions with assets over $10 billion as
well as the privacy policies of 50
additional credit unions selected
through random sampling. The Bureau
previously concluded that 46% of credit
unions could use the alternative
delivery method. The information
evaluated in the re-analysis shows that
none of the credit unions that could not
use the alternative delivery method will
be able to use the exception to the
annual notice requirement. Credit
unions that clearly could not use the
alternative delivery method generally
shared information with nonaffiliated
third parties other than as specified in
the exceptions in §§ 1016.13, 1016.14,
and 1016.15. However, there are a
number of cases in which the Bureau
could not readily evaluate the
information sharing practices of the
sampled credit union because it did not
have a website, did not post the privacy
notice on its website, or did not use the
model form.63 In the proposal, the
Bureau requested data and other factual
information on the use of the alternative
delivery method by credit unions and
the likely use of the proposed annual
notice exception by credit unions that
cannot use the alternative delivery
method. No comments provided data in
response to this request.64
62 While these 650 banks are just 9.5% of all
banks, this percentage does not take into account
the fact that the majority of banks could not
potentially benefit from the exception to the annual
privacy notice requirement since (by our previous
analysis) they already use the alternative delivery
method.
63 One or more of these conditions held for a
number of credit unions with assets of $500 million
or less. As explained above, if a financial institution
did not have a website or did not post the privacy
notice on their website, the Bureau made the
conservative assumption that it did not benefit from
the alternative delivery method and will not benefit
from the new annual notice exception. See also 79
FR 64057, 64076 (Oct. 28, 2014).
64 Although no credit unions or credit union advocates commented or provided data, one State trade association representing banks stated that many financial institutions will appreciate and take advantage of the exception, but it will not create additional costs or harm to consumers. That commenter did not provide data.
Regarding the number of non-depository financial institutions that
will benefit from the exception to the
annual notice requirement, the Bureau
uses the same basic methodology as in
its prior analysis. Specifically, the
Bureau assumes that the fraction of non-depository financial institutions that
cannot use the alternative delivery
method but can use the new annual
notice exception is the same for non-depository institutions as for banks
(9.5%).65
Having identified the financial
institutions that will benefit from the
exception to the annual notice
requirement, the Bureau estimates the
benefit using the same basic
methodology as in its prior analysis.66
For banks, the Bureau allocated the total
burden of providing the annual privacy
notices to asset-size groups in
proportion to the share of assets in the
group. The Bureau then estimated an
amount of burden reduction specific to
each asset-size group using the results
from the privacy notice analysis
described above. The total burden
reduction is then the sum of the burden
reductions in each asset-size group. The
estimated reduction in burden for banks
using this methodology is
approximately $3.158 million annually.
The estimated reduction in burden for
non-depository financial institutions is
an additional $231,000 annually.67
Thus, the Bureau believes that the total
reduction in burden is approximately
$3.389 million dollars annually.68 This
represents about 28% of the total
$12.162 million annual cost of
providing the annual privacy notice
under Regulation P.
The Bureau requested comment on
the preliminary presentation of this
analysis as well as the submission of
additional data that could inform the
Bureau’s consideration of the cost
savings to financial institutions. No
comments addressed this request.
65 For further discussion, see id. at 64077.
66 See id. at 64076–64077.
67 Note that this figure excludes auto dealers. Auto dealers are regulated by the FTC and will not be directly impacted by this amendment to Regulation P.
68 Some of these banks and non-depository financial institutions that currently include on their annual privacy notice the opt-out notices pursuant to FCRA section 603(d)(2)(A)(iii) or FCRA section 624 and the Affiliate Marketing Rule may now be required to deliver these notices separately. The Bureau does not have the data necessary to estimate the frequency with which these opt-out notices will be delivered separately or to subtract the cost of delivering them separately from the savings from no longer providing the annual privacy notice.
The Regulation P exception to the
annual notice requirement implements a
December 2015 statutory amendment to
the GLBA. The Bureau considered
alternatives to the timeline for delivery
of annual notices when a financial
institution that qualified for the annual
exception changes its policies or
practices such that it no longer qualifies.
Because the estimates of costs and
benefits to consumers and covered
persons take institutions’ sharing
policies and practices as given, the
alternatives with respect to the timeline
for delivery of annual notices do not
impact those estimates. Further, even if
the estimates allowed for changes in
sharing policies and practices that can
cause institutions to meet or fail to meet
the requirements for the annual notice
exception, the aggregate annual benefits
and costs of delivery will not likely be
significantly impacted by the timeline
for delivery of annual notices. The
Bureau does note, however, that
changing from 60 to 100 days for
delivery of the annual privacy notice
under § 1016.5(e)(2)(ii) should result in
a small burden reduction from the
proposal, as financial institutions will
be able to send the notice with quarterly
statements as they requested.
C. Impact on Depository Institutions
With No More Than $10 Billion in
Assets
The Bureau currently estimates that
approximately 600 banks with $10
billion or less in assets cannot use the
alternative delivery method but can use
the annual notice exception. This
constitutes 47% of banks with $10
billion or less in assets that do not use
the alternative delivery method and
8.8% of all banks with $10 billion or
less in assets. As reported above, 70%
of banks with more than $10 billion in
assets that do not use the alternative
delivery method can use the proposed
exception to the annual notice
requirement. This is 55% of all banks
with more than $10 billion in assets.
Thus, the rule may have different
impacts on federally insured depository
institutions with $10 billion or less in
assets as described in section 1026 of
the Dodd-Frank Act. The Bureau
currently believes that no credit unions
of any size that could not use the
alternative delivery method will be able
to use the exception to the annual notice
requirement.
D. Impact on Access to Credit and on Consumers in Rural Areas
The Bureau does not believe that the
rule will reduce consumers’ access to
consumer financial products or services
or have a unique impact on rural
consumers.
VI. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA)
as amended by the Small Business
Regulatory Enforcement Fairness Act of
1996, requires each agency to consider
the potential impact of its regulations on
small entities, including small
businesses, small governmental units,
and small not-for-profit organizations.
The RFA defines a ‘‘small business’’ as
a business that meets the size standard
developed by the Small Business
Administration pursuant to the Small
Business Act. The RFA generally
requires an agency to conduct an initial
regulatory flexibility analysis (IRFA)
and a final regulatory flexibility analysis
(FRFA) of any rule subject to notice-and-comment rulemaking requirements,
unless the agency certifies that the rule
will not have a significant economic
impact on a substantial number of small
entities.69 The Bureau also is subject to
certain additional procedures under the
RFA involving the convening of a panel
to consult with small business
representatives prior to proposing a rule
for which an IRFA is required.70
At the proposed rule stage, the Bureau
determined that an IRFA was not
required because the proposal, if
adopted, would not have a significant
economic impact on a substantial
number of small entities. For this final
rule, the Bureau continues to believe
that that determination is accurate. The
Bureau does not expect the rule to
impose costs on small entities. All
methods of compliance under current
law will remain available to small
entities when this rule is adopted. Thus,
a small entity that is in compliance with
current law need not take any different
or additional action under the new rule.
In addition, based on the data analysis
described previously, the Bureau
believes that the annual notice
exception will allow some small
institutions to stop sending the annual
notice and to thereby reduce costs.
Accordingly, the undersigned certifies
that this rule will not have a significant
economic impact on a substantial
number of small entities.
VII. Paperwork Reduction Act
Under the Paperwork Reduction Act
of 1995 (PRA),71 Federal agencies are
generally required to seek Office of
Management and Budget (OMB)
approval for information collection
requirements prior to implementation.
69 5 U.S.C. 603 through 605.
70 5 U.S.C. 609.
71 44 U.S.C. 3501 through 3558.
This proposal would amend Regulation
P, 12 CFR part 1016. The collections of
information related to Regulation P have
been previously reviewed and approved
by OMB in accordance with the PRA
and assigned OMB Control Number
3170–0010. Under the PRA, the Bureau
may not conduct or sponsor, and,
notwithstanding any other provision of
law, a person is not required to respond
to an information collection, unless the
information collection displays a valid
control number assigned by OMB.
As explained below, the Bureau has
determined that this rule does not
contain any new or substantively
revised information collection
requirements other than those
previously approved by OMB. The rule
will implement the December 2015
amendment to the GLBA and amend
§ 1016.5 of Regulation P to provide that
a financial institution is not required to
deliver an annual privacy notice if it:
(1) Provides nonpublic personal
information to nonaffiliated third
parties only in accordance with the
provisions of § 1016.13, § 1016.14, or
§ 1016.15; and
(2) Has not changed its policies and
practices with regard to disclosing
nonpublic personal information from
the policies and practices that were
disclosed to the customer under
§ 1016.6(a)(2) through (5) and (9) in the
most recent privacy notice provided.
Under Regulation P, the Bureau
generally accounts for the paperwork
burden for the following respondents
pursuant to its enforcement/supervisory
authority: Federally insured depository
institutions with more than $10 billion
in total assets, their depository
institution affiliates, and certain non-depository institutions. The Bureau and
the FTC generally both have
enforcement authority over non-depository institutions subject to
Regulation P. Accordingly, the Bureau
has allocated to itself half of the final
rule’s estimated reduction in burden on
non-depository financial institutions
subject to Regulation P. Other Federal
agencies, including the FTC, are
responsible for estimating and reporting
to OMB the paperwork burden for the
institutions for which they have
enforcement and/or supervision
authority. They may use the Bureau’s
burden estimation methodology, but
need not do so.
The Bureau does not believe that this
final rule will impose any new or
substantively revised collections of
information as defined by the PRA, and
instead believes that it will have the
overall effect of reducing the previously
approved estimated burden on industry
for the information collections
associated with the Regulation P annual
privacy notice. Using the Bureau’s
burden estimation methodology, the
reduction in the estimated ongoing
burden will be approximately 62,197
hours annually for the roughly 13,500
banks and credit unions subject to the
rule, including Bureau respondents, and
the roughly 29,400 entities regulated by
the FTC also subject to the rule (i.e.,
entities over which the FTC has
Regulation P administrative
enforcement authority). The reduction
in estimated ongoing costs from the
reduction in ongoing burden will be
approximately $3.389 million
annually.72
The Bureau believes that the one-time
cost of adopting the annual notice
exception for financial institutions that
adopt it will be de minimis. The
Bureau’s methodology for estimating the
reduction in ongoing burden was
discussed above. The method is similar
to that described in the PRA analysis in
the 2014 Annual Privacy Notice Rule.
The only difference is that instead of
estimating the fraction of institutions
that will be able to use the alternative
delivery method, the Bureau estimates
the fraction of institutions that will be
able to use the annual notice exception
and are not already using the alternative
delivery method, to compute the
reduction in burden relative to the
baseline.73
The Bureau takes all of the reduction
in ongoing burden from banks and
credit unions with assets $10 billion
and above and half the reduction in
ongoing burden from the non-depository
institutions subject to the FTC
enforcement authority that are subject to
the Bureau’s Regulation P. The total
reduction in ongoing burden taken by
the Bureau is 53,216 hours or $3.058
million annually.74
The Bureau has determined that the
final rule does not contain any new or
substantively revised information
collection requirements as defined by
the PRA and that the burden estimate
for the previously approved information
collections should be revised as
explained above. The Bureau requested
comments on these determinations or
any other aspect of the proposal for
purposes of the PRA, but received none.
SUMMARY OF BURDEN CHANGES

Information collections      Previously approved    Net change in    New total
                             total burden hours     burden hours     burden hours
Notices and disclosures      366,134                -53,216          312,917

72 The total hours and costs consist of: (a) 51,230 hours at banks and credit unions evaluated at $61.65/hour; and (b) 10,967 hours at entities regulated by the FTC also subject to the rule, evaluated at $21.07/hour.
73 See 79 FR 64057, 64080 (Oct. 28, 2014).
74 The total hours and costs consist of: (a) 47,733 hours at banks and credit unions evaluated at $61.65/hour; and (b) 5,484 hours at entities regulated by the FTC also subject to the rule, evaluated at $21.07/hour.

VIII. Congressional Review Act

Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), the Bureau will submit a report containing this rule and other required information to the United States Senate, the United States House of Representatives, and the Comptroller General of the United States prior to the rule taking effect. The Office of Information and Regulatory Affairs (OIRA) has designated this rule as not a ‘‘major rule’’ as defined by 5 U.S.C. 804(2).

List of Subjects in 12 CFR Part 1016

Banks, Banking, Consumer protection, Credit, Credit unions, Foreign banking, Holding companies, National banks, Privacy, Reporting and recordkeeping requirements, Savings associations, Trade practices.

Authority and Issuance

For the reasons set forth in the preamble, the Bureau amends Regulation P, 12 CFR part 1016, as set forth below:

PART 1016—PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)

■ 1. The authority citation for part 1016 continues to read as follows:

Authority: 12 U.S.C. 5512, 5581; 15 U.S.C. 6804.

■ 2. Section 1016.3 is amended by revising paragraph (s)(1) to read as follows:

§ 1016.3 Definitions.

* * * * *

(s)(1) You means a financial institution for which the Bureau has rulemaking authority under section 504(a)(1)(A) of the GLB Act (15 U.S.C. 6804(a)(1)(A)).

* * * * *

Subpart A—Privacy and Opt Out Notices

■ 3. Section 1016.5 is amended by revising the first sentence of paragraph (a)(1) and adding paragraph (e) to read as follows:

§ 1016.5 Annual privacy notice to customers required.

(a)(1) * * * Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. * * *

* * * * *

(e) Exception to annual privacy notice requirement. (1) When exception available. You are not required to deliver an annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 1016.13, § 1016.14, or § 1016.15; and
(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.
(2) Delivery of annual privacy notice after financial institution no longer meets requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (e)(2)(ii) of this section, as applicable.
(i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 1016.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirements in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.
(ii) Changes not preceded by a revised
privacy notice. If you no longer meet the
requirements of paragraph (e)(1) of this
section because you change your
policies or practices in such a way that
§ 1016.8 does not require you to provide
a revised privacy notice, you must
provide an annual privacy notice within
100 days of the change in your policies
or practices that causes you to no longer
meet the requirements of paragraph
(e)(1) of this section.
(iii) Examples. (A) You change your
policies and practices in such a way that
you no longer meet the requirements of
paragraph (e)(1) of this section effective
April 1 of year 1. Assuming you define
the 12-consecutive-month period
pursuant to paragraph (a) of this section
as a calendar year, if you were required
to provide a revised privacy notice
under § 1016.8 and you provided that
notice on March 1 of year 1, you must
provide an annual privacy notice by
December 31 of year 2. If you were not
required to provide a revised privacy
notice under § 1016.8, you must provide
an annual privacy notice by July 9 of
year 1.
(B) You change your policies and
practices in such a way that you no
longer meet the requirements of
paragraph (e)(1) of this section, and so
provide an annual notice to your
customers. After providing the annual
notice to your customers, you once
again meet the requirements of
paragraph (e)(1) of this section for an
exception to the annual notice
requirement. You do not need to
provide additional annual notices to
your customers until such time as you
no longer meet the requirements of
paragraph (e)(1) of this section.
■ 4. Section 1016.9 is amended by
revising paragraph (c) to read as follows:
§ 1016.9 Delivering privacy and opt out
notices.
* * * * *
(c) Annual notices only. You may
reasonably expect that a customer will
receive actual notice of your annual
privacy notice if:
(1) The customer uses your website to
access financial products and services
electronically and agrees to receive
notices at the website, and you post
your current privacy notice
continuously in a clear and conspicuous
manner on the website; or
(2) The customer has requested that
you refrain from sending any
information regarding the customer
relationship, and your current privacy
notice remains available to the customer
upon request.
* * * * *
Dated: August 9, 2018.
Mick Mulvaney,
Acting Director, Bureau of Consumer
Financial Protection.
[FR Doc. 2018–17572 Filed 8–16–18; 8:45 am]
BILLING CODE 4810–AM–P
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 39
[Docket No. FAA–2018–0303; Product
Identifier 2018–NM–006–AD; Amendment
39–19360; AD 2018–17–06]
RIN 2120–AA64
Airworthiness Directives; Fokker
Services B.V. Airplanes
AGENCY: Federal Aviation Administration (FAA), Department of Transportation (DOT).
ACTION: Final rule.
SUMMARY: We are adopting a new airworthiness directive (AD) for certain Fokker Services B.V. Model F28 Mark 0070 and 0100 airplanes. This AD was prompted by a report that the retraction actuator eye-end of a Goodrich main landing gear (MLG) failed. This AD requires a one-time general visual inspection of the left-hand (LH) and right-hand (RH) MLG retraction actuators and replacement if necessary. We are issuing this AD to address the unsafe condition on these products.
DATES: This AD is effective September 21, 2018.
The Director of the Federal Register approved the incorporation by reference of a certain publication listed in this AD as of September 21, 2018.
ADDRESSES: For service information identified in this final rule, contact Fokker Services B.V., Technical Services Dept., P.O. Box 1357, 2130 EL Hoofddorp, the Netherlands; telephone +31 (0)88–6280–350; fax +31 (0)88–6280–111; email technicalservices@fokker.com; internet https://www.myfokkerfleet.com. You may view this service information at the FAA, Transport Standards Branch, 2200 South 216th St., Des Moines, WA. For information on the availability of this material at the FAA, call 206–231–3195. It is also available on the internet at https://www.regulations.gov by searching for and locating Docket No. FAA–2018–0303.
Examining the AD Docket
You may examine the AD docket on
the internet at https://
www.regulations.gov by searching for
and locating Docket No. FAA–2018–
0303; or in person at Docket Operations
between 9 a.m. and 5 p.m., Monday
through Friday, except Federal holidays.
The AD docket contains this final rule,
the regulatory evaluation, any
comments received, and other
information. The address for Docket
Operations (phone: 800–647–5527) is in
the ADDRESSES section. Comments will
be available in the AD docket shortly
after receipt.
FOR FURTHER INFORMATION CONTACT:
Tom Rodriguez, Aerospace Engineer,
International Section, Transport
Standards Branch, FAA, 2200 South
216th St., Des Moines, WA 98198;
telephone and fax 206–231–3226.
SUPPLEMENTARY INFORMATION:
Discussion
We issued a notice of proposed
rulemaking (NPRM) to amend 14 CFR
part 39 by adding an AD that would
apply to certain Fokker Services B.V.
Model F28 Mark 0070 and 0100
airplanes. The NPRM published in the
Federal Register on April 27, 2018 (83
FR 18488). The NPRM was prompted by
a report that the retraction actuator eye-end of a Goodrich MLG failed. The
NPRM proposed to require a one-time
general visual inspection of the LH and
RH MLG retraction actuators and
replacement if necessary.
We are issuing this AD to address
failure of the retraction actuator eye-end
of a Goodrich MLG, which could
prevent retraction of the MLG and/or its
complete extension, possibly resulting
in damage to the airplane during
landing, and consequent injury to
occupants.
The European Aviation Safety Agency
(EASA), which is the Technical Agent
for the Member States of the European
Union, has issued EASA AD 2018–0001,
dated January 4, 2018 (referred to after
this as the Mandatory Continuing
Airworthiness Information, or ‘‘the
MCAI’’), to correct an unsafe condition
for certain Fokker Services B.V. Model
F28 Mark 0070 and 0100 airplanes. The
MCAI states:
An occurrence was reported where,
following take-off after gear up selection, the
retraction actuator eye-end (P/N [part
number] 41518–3) of a Goodrich MLG failed.
After the LG UNSAFE indication, the flight
crew successfully selected gear down and
locked by applying the alternate extension
[Federal Register Volume 83, Number 160 (Friday, August 17, 2018)]
[Rules and Regulations]
[Pages 40945-40959]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-17572]
=======================================================================
-----------------------------------------------------------------------
BUREAU OF CONSUMER FINANCIAL PROTECTION
12 CFR Part 1016
[Docket No. CFPB-2016-0032]
RIN 3170-AA60
Amendment to the Annual Privacy Notice Requirement Under the
Gramm-Leach-Bliley Act (Regulation P)
AGENCY: Bureau of Consumer Financial Protection.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Bureau of Consumer Financial Protection (Bureau) is
amending Regulation P, which requires, among other things, that
financial institutions provide an annual notice describing their
privacy policies and practices to their customers. The amendment
implements a December 2015 statutory amendment to the Gramm-Leach-
Bliley Act providing an exception to this annual notice requirement for
financial institutions that meet certain conditions.
DATES: The amendments to Regulation P in this final rule will become
effective on September 17, 2018.
FOR FURTHER INFORMATION CONTACT: Monique Chenault, Paralegal
Specialist; Joseph Devlin, Senior Counsel; Office of Regulations, at
(202) 435-7700.
SUPPLEMENTARY INFORMATION:
I. Summary of the Final Rule
Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLBA) \1\ and
Regulation P, which implements the GLBA, mandate that financial
institutions provide their customers with annual notices regarding
those institutions' privacy policies. If financial institutions share
certain consumer information with particular types of third parties,
the annual notices must also provide customers with an opportunity to
opt out of the sharing. Regulation P sets forth requirements for how
financial institutions must deliver these annual privacy notices. In
certain circumstances, Regulation P permits financial institutions to
use an alternative delivery method to provide annual notices. This
method requires, among other things, that the annual notice be posted
on a financial institution's website.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 6801 through 6809.
---------------------------------------------------------------------------
On December 4, 2015, Congress amended the GLBA as part of the
Fixing America's Surface Transportation Act (FAST Act). This amendment,
titled Eliminate Privacy Notice Confusion,\2\ added new GLBA section
503(f). This subsection provides an exception under which financial
institutions that meet certain conditions are not required to provide
annual privacy notices to customers. Section 503(f)(1) requires that to
qualify for this exception, a financial institution must not share
nonpublic personal information about customers except as described in
certain statutory exceptions. (Sharing as described in these specified
statutory exceptions does not trigger the customer's statutory right to
opt out of the financial institution's sharing.) In addition, section
503(f)(2) requires that the financial institution must not have changed
its policies and practices with regard to disclosing nonpublic personal
information from those that the institution disclosed in the most
recent privacy notice it sent.
---------------------------------------------------------------------------
\2\ FAST Act, Public Law 114-94, section 75001.
---------------------------------------------------------------------------
Section 503(f) took effect upon enactment in December 2015. In July
2016 the Bureau proposed to update Regulation P to reflect the change
in the underlying law. As part of its implementation, the Bureau is
also amending Regulation P to provide timing requirements for delivery
of annual privacy notices in the event that a financial institution
that qualified for this annual notice exception later changes its
policies or practices in such a way that it no longer qualifies for the
exception. The Bureau is further
[[Page 40946]]
removing the Regulation P provision that allows for use of the
alternative delivery method for annual privacy notices because the
Bureau believes the alternative delivery method will no longer be used
in light of the annual notice exception. Finally, the Bureau is
amending Regulation P to make a technical correction to one of its
definitions.
II. Background
A. The Statute and Regulation
The GLBA was enacted into law in 1999 and governs the privacy
practices of a broad range of financial institutions.\3\ Rulemaking
authority to implement the GLBA privacy provisions was initially spread
among many agencies. The Federal Reserve Board (Board), the Office of
Comptroller of the Currency (OCC), the Federal Deposit Insurance
Corporation (FDIC), and the Office of Thrift Supervision (OTS) jointly
adopted final rules in 2000 to implement the notice requirements of the
GLBA.\4\ The National Credit Union Administration (NCUA), Federal Trade
Commission (FTC), Securities and Exchange Commission (SEC), and
Commodity Futures Trading Commission (CFTC) were part of the same
interagency process, but each of these agencies issued separate
rules.\5\ In 2009, all of the agencies with the authority to issue
rules to implement the GLBA privacy notice provisions issued a joint
final rule with a model form that financial institutions could use, at
their option, to provide required initial and annual disclosures.\6\
---------------------------------------------------------------------------
\3\ Public Law 106-102, 113 Stat. 1338 (1999).
\4\ 65 FR 35162 (June 1, 2000).
\5\ 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 33646
(May 24, 2000) (FTC final rule); 65 FR 40334 (June 29, 2000) (SEC
final rule); 66 FR 21236 (Apr. 27, 2001) (CFTC final rule).
\6\ 74 FR 62890 (Dec. 1, 2009).
---------------------------------------------------------------------------
In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection
Act (Dodd-Frank Act) \7\ transferred GLBA privacy notice rulemaking
authority from the Board, NCUA, OCC, OTS, the FDIC, and the FTC (in
part) to the Bureau.\8\ The Bureau then restated the implementing
regulations in Regulation P, 12 CFR part 1016, in late 2011 through an
interim final rule.\9\ In April 2016, the Bureau finalized that interim
final rule as amended by 79 FR 64057 (Oct. 28, 2014).\10\
---------------------------------------------------------------------------
\7\ Public Law 111-203, 124 Stat. 1376 (2010).
\8\ Public Law 111-203, section 1093. The FTC retained
rulewriting authority over any financial institution that is a
person described in 12 U.S.C. 5519 (i.e., motor vehicle dealers
predominantly engaged in the sale and servicing of motor vehicles,
the leasing and servicing of motor vehicles, or both).
\9\ 76 FR 79025 (Dec. 21, 2011).
\10\ 81 FR 25323 (Apr. 28, 2016).
---------------------------------------------------------------------------
The Bureau has the authority to promulgate GLBA privacy rules for
depository institutions and many non-depository institutions. However,
rulewriting authority with regard to securities and futures-related
companies is vested in the SEC and CFTC, respectively, and rulewriting
authority with respect to certain motor vehicle dealers is vested in
the FTC.\11\ The four agencies are required to consult with each other
and with representatives of State insurance authorities to assure, to
the extent possible, consistency and comparability among implementing
rules.\12\ Toward that end, the Bureau has consulted and coordinated
with these agencies and with the National Association of Insurance
Commissioners (NAIC) concerning this final rule and the proposal that
preceded it. The Bureau has also consulted with prudential regulators
and other appropriate Federal agencies, as required under Section 1022
of the Dodd-Frank Act as part of its general rulewriting process.\13\
---------------------------------------------------------------------------
\11\ 15 U.S.C. 6804; 12 CFR 1016.1(b).
\12\ 15 U.S.C. 6804(a)(2).
\13\ 12 U.S.C. 5512(b)(2)(B).
---------------------------------------------------------------------------
The GLBA and Regulation P require that financial institutions
provide consumers with certain notices describing their privacy
policies.\14\ Financial institutions are generally required to provide
an initial notice of these policies when a customer relationship is
established and to provide an annual notice to customers every year
that the customer relationship continues.\15\ Except as otherwise
authorized in the regulation, if a financial institution chooses to
disclose nonpublic personal information about a consumer to a
nonaffiliated third party other than as described in its initial
notice, the institution is also required to deliver a revised privacy
notice.\16\ The types of information required to be included in the
initial, annual, and revised notices are identical. Each notice must
describe whether and how the financial institution shares consumers'
nonpublic personal information with other entities.\17\ The notices
must also briefly describe how financial institutions protect the
nonpublic personal information they collect and maintain.\18\
---------------------------------------------------------------------------
\14\ When a financial institution has a continuing relationship
with the consumer, an annual privacy notice is required and the
consumer is then referred to as a ``customer.'' 12 CFR 1016.3(i),
1016.3(j)(1).
\15\ 12 CFR 1016.4(a)(1), 1016.5(a)(1). Financial institutions
are also required to provide initial notices to consumers before
disclosing any nonpublic personal information to a nonaffiliated
third party outside of certain exceptions. 12 CFR 1016.4(a)(2).
\16\ 12 CFR 1016.8.
\17\ 12 CFR 1016.6(a)(1)-(5), (9).
\18\ 12 CFR 1016.6(a)(8).
---------------------------------------------------------------------------
GLBA Section 502 and Regulation P also require that initial,
annual, and revised notices provide information about the right to opt
out of certain financial institution sharing of nonpublic personal
information with some types of nonaffiliated third parties. For
example, a mortgage customer has the right to opt out of a financial
institution disclosing his or her name and address to an unaffiliated
home insurance company. On the other hand, a financial institution is
not required to allow a consumer to opt out of the institution's
disclosure of his or her nonpublic personal information to third party
service providers and pursuant to joint marketing arrangements subject
to certain requirements; disclosures relating to maintaining and
servicing accounts, securitization, law enforcement and compliance, and
consumer reporting; and certain other disclosures described in the GLBA
and Regulation P as exceptions to the opt-out requirement.\19\
---------------------------------------------------------------------------
\19\ 15 U.S.C. 6802(b)(2), (e); 12 CFR 1016.13, 1016.14,
1016.15.
---------------------------------------------------------------------------
In addition to opt-out rights under the GLBA, annual privacy
notices also may include information about certain consumer opt-out
rights under the Fair Credit Reporting Act (FCRA). The privacy notices
under the GLBA/Regulation P and affiliate disclosures under the FCRA/
Regulation V interact in two ways. First, section 603(d)(2)(A)(iii) of
the FCRA excludes from that statute's definition of a consumer report
\20\ the sharing of certain information about a consumer with the
institution's affiliates if the consumer is notified of such sharing
and is given an opportunity to opt out.\21\ Section 503(c)(4) of the
GLBA and Regulation P require financial institutions to incorporate
into any required Regulation P notices the notification and opt-out
disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA,
if the institution provides such disclosures.\22\
---------------------------------------------------------------------------
\20\ 15 U.S.C. 1681a(d).
\21\ 15 U.S.C. 1681a(d)(2)(A)(iii).
\22\ 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).
---------------------------------------------------------------------------
Second, section 624 of the FCRA and Regulation V's Affiliate
Marketing Rule provide that an affiliate of a financial institution
that receives certain information (e.g., transaction history) \23\
[[Page 40947]]
from the institution about a consumer may not use the information to
make solicitations for marketing purposes unless the consumer is
notified of such use and provided with an opportunity to opt out of
that use.\24\ Section 624 of the FCRA and Regulation V also permit (but
do not require) financial institutions to incorporate any opt-out
disclosures provided under section 624 of the FCRA and subpart C of
Regulation V into privacy notices provided pursuant to the GLBA and
Regulation P.\25\
---------------------------------------------------------------------------
\23\ The type of information to which section 624 applies is
information that would be a consumer report, but for the exclusions
provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA.
\24\ 15 U.S.C. 1681s-3 and 12 CFR pt. 1022, subpart C.
\25\ 15 U.S.C. 1681s-3(b); 12 CFR 1022.23(b).
---------------------------------------------------------------------------
B. The Alternative Delivery Method for Annual Privacy Notices
In pursuit of the Bureau's goal of reducing unnecessary or unduly
burdensome regulations, the Bureau in December 2011 issued a Request
for Information (RFI) seeking specific suggestions from the public for
streamlining regulations the Bureau had inherited from other Federal
agencies. In that RFI, the Bureau specifically identified the annual
privacy notice as a potential opportunity for streamlining and
solicited comment on possible alternatives to delivering the annual
privacy notice.\26\ Numerous industry commenters responded to the RFI
by advocating for the elimination or limitation of the annual notice
requirement.
---------------------------------------------------------------------------
\26\ 76 FR 75825, 75828 (Dec. 5, 2011).
---------------------------------------------------------------------------
Financial institutions historically have provided annual notices
generally by U.S. postal mail.\27\ In 2014, the Bureau adopted a rule
to allow financial institutions to use an alternative delivery method
to provide annual privacy notices through posting the notices on their
websites if they meet certain conditions.\28\ Specifically, financial
institutions were allowed to use the alternative delivery method for
annual notices if: (1) No opt-out rights were triggered by the
financial institution's information sharing practices under the GLBA;
(2) no FCRA section 603 opt-out notices were required to appear on the
annual notice and any opt-outs required by FCRA section 624 had
previously been provided, if applicable, or the annual notice was not
the only notice provided to satisfy those requirements; (3) the
information included in the annual notice had not changed since the
customer received the previous notice; and (4) the financial
institution used the model form provided in Regulation P for its annual
notice.
---------------------------------------------------------------------------
\27\ Regulation P, however, does allow financial institutions to
provide notices electronically (e.g., by email) with consent. 12 CFR
1016.9(a) (stating that a financial institution may deliver the
notice electronically if the consumer agrees). The Bureau believes
that most consumers do not receive privacy notices electronically.
\28\ 79 FR 64057 (revising 12 CFR 1016.9(c)). The Bureau's
alternative delivery method became effective on October 28, 2014.
Id.
---------------------------------------------------------------------------
In addition, to assist customers with limited or no access to the
internet, an institution using the alternative delivery method was
required to mail annual notices to customers who requested them by
telephone. To make customers aware that its annual privacy notice was
available through the website or by phone, the institution was required
to include a clear and conspicuous statement of availability at least
once per year on an account statement, coupon book, or a notice or
disclosure the institution issued under any provision of law.
C. Statutory Amendment and Proposed Rule
On December 4, 2015, Congress amended the GLBA as part of the FAST
Act. This amendment, titled Eliminate Privacy Notice Confusion,\29\
added new GLBA section 503(f), which provides an exception under which
financial institutions that meet two conditions are not required to
provide annual notices to customers.\30\ New GLBA section 503(f)(1)
states the first condition for the annual notice exception: That a
financial institution must provide nonpublic personal information only
in accordance with certain exceptions in the GLBA; providing nonpublic
personal information under these exceptions does not trigger consumer
opt-out rights.\31\ New GLBA section 503(f)(2) states the second
condition for the annual notice exception: That a financial institution
must not have changed its policies and practices with regard to
disclosing nonpublic personal information from the policies and
practices that were disclosed in the most recent disclosure sent to
consumers in accordance with GLBA section 503. The statutory amendment
became effective upon enactment in December 2015.
---------------------------------------------------------------------------
\29\ FAST Act, Public Law 114-94, section 75001.
\30\ In order to avoid confusion and facilitate responsiveness
to consumer requests, the Bureau notes that a financial institution
that qualifies for the annual notice exception could provide a
privacy notice to a customer without jeopardizing the availability
of the exception, such as in response to a customer specifically
requesting a copy of the notice.
\31\ These provisions are in GLBA section 502(b)(2) or (e) and
are incorporated into existing Regulation P at Sec. 1016.13, Sec.
1016.14, and Sec. 1016.15. They provide exceptions from the
requirement that a financial institution provide notice and an
opportunity to opt out of sharing nonpublic personal information
with a nonaffiliated third party.
---------------------------------------------------------------------------
On July 15, 2016, the Bureau published a proposed rule to implement
the FAST Act statutory amendment to the GLBA. The Bureau has considered
the comments received on that proposed rule, and now issues this final
rule based on it.
D. Effective Date
As discussed above, the statutory exception to the annual notice
requirement is already effective. The amendments to Regulation P in
this final rule will be effective 30 days from the date of publication
in the Federal Register.
E. Privacy Considerations
In developing this final rule, the Bureau considered its potential
impact on consumer privacy. The rule will not affect the collection or
use of consumers' nonpublic personal information by financial
institutions. The rule implements a new statutory exception to limit
the circumstances under which financial institutions subject to
Regulation P will be required to deliver annual privacy notices to
their customers. Delivery of annual privacy notices is required under
the rule if financial institutions make certain types of changes to
their privacy policies or if the statute and Regulation P afford
customers the right to opt out of financial institutions' sharing of
customers' nonpublic personal information with nonaffiliated third
parties. The statutory exception and this final rule do not affect the
requirement to deliver an initial privacy notice, and all consumers
will continue to receive such notices describing the privacy policies
of any financial institutions with which they do business to the extent
currently required.
III. Legal Authority
The Bureau is issuing this final rule pursuant to its authority
under section 504 of the GLBA, as amended by section 1093 of the Dodd-
Frank Act.\32\ The Bureau is also issuing this rule pursuant to its
authority under sections 1022 and 1061 of the Dodd-Frank Act.\33\
---------------------------------------------------------------------------
\32\ 15 U.S.C. 6804.
\33\ 12 U.S.C. 5512, 5581.
---------------------------------------------------------------------------
IV. Section-by-Section Analysis
Section 1016.3 Definitions
3(s)(1)
Regulation P's substantive requirements, including the requirement
to deliver privacy notices, are generally
[[Page 40948]]
imposed upon entities that meet the definition of ``You'' in Sec.
1016.3(s)(1). That provision defines ``You'' as a ``financial
institution or other person for which the Bureau has rulemaking
authority under section 504(a)(1)(A) of the GLBA.'' To align this
definition more closely with the term's usage in the regulation, the
Bureau proposed to limit ``You'' to financial institutions.
The Bureau received no comments on this technical amendment, and
adopts it now as proposed.
As explained above, Regulation P's substantive requirements,
including the requirement to deliver privacy notices, are generally
imposed upon entities that meet the definition of ``You'' in Sec.
1016.3(s)(1). The Bureau has rulemaking authority over entities other
than financial institutions pursuant to GLBA section 504(a)(1)(A).\34\
The statute's privacy notice requirements, however, specifically apply
only to financial institutions.\35\ The Bureau therefore believes that
it is appropriate to limit the definition of ``You'' in Sec.
1016.3(s)(1) to financial institutions. For this reason, the Bureau is
amending Sec. 1016.3(s)(1) to remove the phrase ``or other persons.''
The Bureau does not believe this technical amendment to Sec.
1016.3(s)(1) will change the settled understanding of the scope of
Regulation P's privacy notice requirements. Instead, the Bureau
believes it will clarify that the scope of Regulation P's privacy
notice requirements is consistent with the understanding of
stakeholders.
---------------------------------------------------------------------------
\34\ Such rulemaking authority has been exercised with respect
to nonaffiliated third parties to which a financial institution
discloses nonpublic personal information and that third party's
affiliates for purposes of GLBA section 502(c)'s limits on reuse of
information. See 12 CFR 1016.11(c)-(d).
\35\ See GLBA sections 502(a)-(b) and 503(a).
---------------------------------------------------------------------------
Section 1016.5 Annual Privacy Notice to Customers Required
5(a) General Rule
The Bureau proposed to amend the general requirement in Sec.
1016.5(a)(1) that financial institutions provide annual notices, to
clarify that the Bureau has added an exception to this requirement in
Sec. 1016.5(e) to incorporate the amendment to GLBA section 503.
No commenters specifically discussed the conforming change to the
general rule in Sec. 1016.5(a). One commenter suggested that the
Bureau remove any GLBA privacy notice requirement and instead require
financial institutions to post their privacy notices online, allow all
consumers to choose whether to receive any privacy notices, make
electronic notices the default for any consumers who opt to receive any
privacy notices, and allow financial institutions to charge fees for
any paper privacy notices they provide.
The Bureau now adopts the conforming amendment to the general
requirement in Sec. 1016.5(a)(1) that financial institutions provide
annual notices, to clarify that the Bureau has added an exception to
this requirement in Sec. 1016.5(e) to incorporate the amendment to
GLBA section 503. The Bureau does not believe that the comment is
relevant to the proposal and it does not provide a basis to change the
approach proposed by the Bureau. Congress did not include revisions
along the lines the commenter suggested in the statutory provision that
the Bureau is implementing in this rulemaking.
5(e) Exception to Annual Notice Requirement
New GLBA Sec. 503(f) provides that a financial institution is
excepted from providing an annual notice if it meets the two conditions
described below. The Bureau proposed to add new Sec. 1016.5(e) to
incorporate into Regulation P the exception created by new Sec.
503(f). Under proposed Sec. 1016.5(e), as in section 503(f), a
financial institution would be excepted from providing an annual notice
if it meets the two conditions discussed below.
The commenters overwhelmingly supported proposed Sec. 1016.5(e).
Although some commenters asked that the exception be broadened, no
commenters who discussed the proposed exception objected to it. The
commenters stated that the exception would reduce burden and would not
harm consumers, and was less complicated and burdensome than the
previous alternative delivery method. Some suggested that the provision
would benefit consumers. The comments that specifically discussed
either of the two requirements for the exception, in Sec.
1016.5(e)(1)(i) and (ii), are discussed below in relation to those
provisions.
A trade association representing credit unions requested that to
eliminate confusion and protect institutions from citations, the rule
should be effective retroactive to December 4, 2015, the date the
statutory GLBA amendments took effect. In addition, an attorney
suggested that the Bureau preempt State privacy statutes that might
require institutions to continue providing annual privacy notices in
spite of the Federal exception. The attorney recommended the Bureau
modify Sec. 1016.17 to expressly preempt contrary State law, and
instead require that an institution make its privacy notice continually
available online.
After considering the comments and for the reasons discussed below,
the Bureau now adopts the exception to the annual notice requirement
largely as proposed, with certain changes to the timing provisions in
Sec. 1016.5(e)(2), as discussed below.
In regard to the comment recommending that Sec. 1016.17 be
modified, Sec. 1016.17 implements GLBA Sec. 507,\36\ which provides
specific standards regarding preemption of State law. The Bureau does
not believe that the comment is relevant to the proposal and it does
not provide a basis to change the approach proposed by the Bureau.
Congress did not include revisions along the lines the commenter
suggested in the statute that the Bureau is implementing in this
rulemaking.
---------------------------------------------------------------------------
\36\ 15 U.S.C. 6807.
---------------------------------------------------------------------------
In regard to the comment on retroactivity, the Bureau has made
clear in the proposed rule and this final rule that new GLBA Sec.
503(f) became effective upon enactment in December 2015.\37\ As the
central elements of this rule are already in effect, the Bureau
believes that there is no need to make this rule retroactive. To the
extent that this rule changes applicable law, the Bureau notes that
retroactive rulemaking is disfavored by the courts, and the commenter
has not established why it would be appropriate here. This rule takes
effect 30 days after its publication in the Federal Register.
---------------------------------------------------------------------------
\37\ See above, Part II.C.
---------------------------------------------------------------------------
5(e)(1) When Exception Available
5(e)(1)(i)
New GLBA section 503(f)(1) states the first condition for the
annual privacy notice exception: that a financial institution provide
nonpublic personal information only in accordance with the provisions
of subsection (b)(2) or (e) of section 502 of the GLBA. The Bureau
proposed Sec. 1016.5(e)(1)(i) to incorporate this condition by
requiring that to qualify for the annual notice exception, any
nonpublic personal information that financial institutions provide to
nonaffiliated third parties must be provided only in accordance with
Sec. 1016.13, Sec. 1016.14 or Sec. 1016.15 of Regulation P.
Almost no commenters specifically discussed the first of the two
requirements of the new statutory exception. One credit union explained
that it does not share nonpublic personal information beyond the
exceptions provided in Sec. 1016.13,
[[Page 40949]]
Sec. 1016.14 or Sec. 1016.15 of Regulation P, and that it believes
the Sec. 1016.5(e)(1)(i) requirement will work well. Another commenter
discussed voluntary opt-outs that a financial institution may offer,
asking whether the inclusion on the privacy notice of opt-outs that
allow consumers to opt out of sharing that is described in Sec.
1016.13, Sec. 1016.14 or Sec. 1016.15 of Regulation P would interfere
with meeting the requirement in Sec. 1016.5(e)(1)(i).
The Bureau now adopts Sec. 1016.5(e)(1)(i) as proposed. Section
1016.5(e)(1)(i) will incorporate the first requirement of GLBA Sec.
503(f) by requiring that to qualify for the annual notice exception,
any nonpublic personal information that financial institutions provide
to nonaffiliated third parties must be provided only in accordance with
Sec. 1016.13, Sec. 1016.14 or Sec. 1016.15 of Regulation P; these
regulatory sections implement subsections (b)(2) and (e) of section
502.\38\ A financial institution sharing information only pursuant to
these exceptions is not required to provide customers with a right to
opt out of that sharing. In addition, because they would only involve
information sharing within the exceptions of Sec. 1016.13, Sec.
1016.14 or Sec. 1016.15, voluntary opt-outs included on privacy
notices would not affect compliance with the Sec. 1016.5(e)(1)(i)
requirement or the annual notice exception.
---------------------------------------------------------------------------
\38\ The sharing described in these provisions includes, among
other things, sharing involving third party service providers, joint
marketing arrangements, maintaining and servicing accounts,
securitization, law enforcement and compliance, and reporting to
consumer reporting agencies.
---------------------------------------------------------------------------
The Bureau notes that Sec. 1016.6(a)(7) requires that annual
privacy notices incorporate any disclosures made under FCRA section
603(d)(2)(A)(iii) regarding the consumer's ability to opt out of
sharing of information among affiliates. Further, the notices may
incorporate any opt-out disclosures provided under FCRA section
624.\39\ GLBA section 503(f)(1) does not mention information sharing
that would trigger an opt-out notice under FCRA sections
603(d)(2)(A)(iii) or 624.
---------------------------------------------------------------------------
\39\ 15 U.S.C. 1681s-3(b); 12 CFR 1022.23(b).
---------------------------------------------------------------------------
Given the structure of the statute, the Bureau does not interpret
GLBA section 503(f)(1) to preclude financial institutions that provide
nonpublic personal information in accordance with FCRA sections
603(d)(2)(A)(iii) or 624 from qualifying for the exception. Thus, as
the Bureau stated in its proposal, the presence or absence of these
FCRA disclosures on a financial institution's privacy notice will not
affect whether the institution satisfies GLBA section 503(f)(1) and
Sec. 1016.5(e)(1)(i). As the Bureau noted, however, financial
institutions that choose to take advantage of the annual notice
exception must still provide any opt-out disclosures required under
FCRA sections 603(d)(2)(A)(iii) and 624, if applicable. Under the FCRA,
neither of these opt-outs is required to be provided annually.\40\
Accordingly, institutions can provide these disclosures through other
methods, for example, through their initial privacy notices in most
circumstances.
---------------------------------------------------------------------------
\40\ See 15 U.S.C. 1681a(d)(2)(A)(iii); 12 CFR 1022.21, 1022.27;
72 FR 62910, 62930 (Nov. 7, 2007).
---------------------------------------------------------------------------
5(e)(1)(ii)
New GLBA section 503(f)(2) states the second condition for the
annual notice exception: that a financial institution not have changed
its ``policies and practices with regard to disclosing nonpublic
personal information'' from the policies and practices that were
disclosed in the most recent notice sent to consumers in accordance
with GLBA section 503. Because the Bureau determined that the statutory
language was ambiguous as to the exact types of sharing intended, the
Bureau proposed Sec. 1016.5(e)(1)(ii) to resolve this ambiguity by
requiring that, to qualify for the annual notice exception, a financial
institution must not have changed its policies and practices with
regard to disclosing nonpublic personal information from the policies
and practices that were disclosed to the customer under Sec.
1016.6(a)(2) through (5) and (9) in the most recent privacy notice the
financial institution provided.
As with the first requirement for the annual notice exception at
Sec. 1016.5(e)(1)(i), few commenters specifically discussed the second
requirement at Sec. 1016.5(e)(1)(ii). However, the commenters
overwhelmingly signaled their support for these provisions by
supporting the Bureau's implementation of the statutory exception. Two
trade associations representing credit unions did specifically express
support for the proposed interpretation of the statutory language as
referring only to a change to a disclosure under Sec. 1016.6(a)(2)
through (5) and (9).
The Bureau now adopts Sec. 1016.5(e)(1)(ii) as proposed, providing
that, to qualify for the annual notice exception, a financial
institution must not have changed its policies and practices with
regard to disclosing nonpublic personal information from the policies
and practices that were disclosed to the customer under Sec.
1016.6(a)(2) through (5) and (9) in the most recent privacy notice the
financial institution provided.
Paragraphs (1) through (9) of Sec. 1016.6(a) list the specific
information that must be included in privacy notices. Section
1016.6(a)(2) through (5) and (9) require a financial institution to
include information related to its policies and practices with regard
to disclosing nonpublic personal information, but Sec. 1016.6(a)(1)
(information collection) and Sec. 1016.6(a)(8) (confidentiality and
security) do not.\41\ Accordingly, the Bureau believes that only
changes to an institution's policies and practices that would require
changes to any of the disclosures required by Sec. 1016.6(a)(2)
through (5) and (9) would cause a financial institution to be unable to
use the exception in Sec. 1016.5(e)(1)(ii).\42\
---------------------------------------------------------------------------
\41\ The information specified in Sec. 1016.6(a)(6) describes
the consumer's right pursuant to Regulation P to opt out of an
institution's disclosure of information and would be inapplicable
where a financial institution qualifies for the annual notice
exception.
\42\ To have used the Bureau's former alternative delivery
method, the information a financial institution was required to
convey on its annual privacy notice pursuant to Sec. 1016.6(a)(1)
through (5), (8), and (9) was required not to have changed from the
information disclosed in the most recent privacy notice provided to
the consumer. See removed 12 CFR 1016.9(c)(2)(D). Thus, changes to
the information a financial institution was required to convey
pursuant to Sec. 1016.6(a)(1) and (8) would have prevented a
financial institution from using the alternative delivery method but
such changes will not prevent a financial institution from
satisfying Sec. 1016.5(e)(1)(ii) for the annual notice exception.
Because institutions that include information on their privacy
notice pursuant to Sec. 1016.6(a)(7) (which relates to opt-out
notices provided pursuant to the FCRA) were not permitted to use the
alternative delivery method in any case, Sec. 1016.6(a)(7) was not
listed as a type of information that if changed would have prevented
a financial institution from using the alternative delivery method.
---------------------------------------------------------------------------
Section 1016.6(a)(7) requires that any disclosure an institution
makes under FCRA section 603(d)(2)(A)(iii), which describes a
consumer's ability to opt out of disclosures of information among
affiliates, be included on the privacy notice. The Bureau believes that
the statute is ambiguous as to whether a financial institution that
changes the disclosure required under Sec. 1016.6(a)(7) from the most
recent notice sent to consumers would satisfy GLBA section 503(f)(2).
In the proposed rule, the Bureau sought comment on whether proposed
Sec. 1016.5(e)(1)(ii) should include changes to disclosures required
by Sec. 1016.6(a)(7) and on how frequently institutions change that
disclosure. The Bureau further sought comment on whether institutions
would prefer to inform customers of these changes
[[Page 40950]]
through sending an annual privacy notice or through sending a
disclosure describing only the FCRA section 603(d)(2)(A)(iii) opt-outs,
if applicable, and also sought comment on the impact on consumers of
these two methods.
All the commenters who addressed these issues stated that changes
to the disclosures required by FCRA section 603(d)(2)(A)(iii) should
not affect the availability of the annual notice exception. A
Statewide trade association representing credit unions indicated that the
presence or absence of FCRA disclosures on a credit union's privacy
notice, and subsequent changes to those FCRA sharing practices, should
not impact whether an institution qualifies for the annual notice
exception. This trade association stated, without providing data, that
it believed that changes by credit unions in its State to FCRA section
603(d)(2)(A)(iii) information disclosures are infrequent, and that few
such credit unions share data in a way that triggers a FCRA opt-out in
the first place. Other commenters who discussed the 603(d)(2)(A)(iii)
information disclosures stated that allowing changes to disqualify
financial institutions from the annual notice exception would interfere
with the burden reduction intended, and that FCRA has its own
disclosure requirements.
Given the structure of the statute, the Bureau does not interpret
GLBA section 503(f)(2) to preclude financial institutions that make
changes to disclosures required by Sec. 1016.6(a)(7) from qualifying
for the exception. The Bureau also notes that a change in the
603(d)(2)(A)(iii) information disclosures only requires a one-time
notice and opt-out. The Bureau does not believe that consumers would be
materially benefited by requiring this one-time notice to be included
in a privacy notice under Regulation P, especially where the FCRA
already requires it in a separate notice.
In addition to the discussion of 603(d)(2)(A)(iii) information
disclosures, the Bureau noted in the proposed rule that a financial
institution would satisfy Sec. 1016.5(e)(1)(ii) if it changes its
disclosures describing policies and practices with regard to disclosing
nonpublic personal information that are included in the institution's
privacy notice without being required by the GLBA or Sec. 1016.6
(e.g., disclosures describing sharing with affiliates under FCRA
section 624 or voluntary disclosures and opt-outs). The Bureau sought
comment on whether changes to disclosures that are not required to be
included in privacy notices by the GLBA or Sec. 1016.6 should cause an
institution not to satisfy Sec. 1016.5(e)(1)(ii).
The Bureau received few comments on this issue. A trade association
representing credit unions stated that later changes to initial
voluntary disclosures should not trigger the need to send annual
privacy notices. The commenter suggested that imposing such a
requirement would dissuade institutions from making voluntary
disclosures. A banking and insurance trade association stated that
affiliate marketing policy changes should not impact the availability
of the exception. A trade association representing banks stated that
changes to disclosures that are not required to be included in privacy
notices should not trigger non-compliance. The trade association
believed it would be costly and burdensome to add additional
disclosures.
As indicated in the preamble to the proposed rule, the Bureau has
determined that disclosures describing sharing with affiliates under
FCRA section 624 or voluntary disclosures and opt-outs will not affect
a financial institution's eligibility for the annual privacy notice
exception under GLBA Sec. 503(f). The Bureau believes that the
alternative interpretation could discourage the use of voluntary
disclosures while adding unnecessary burden.
5(e)(2) Delivery of Annual Privacy Notice After Financial Institution
No Longer Meets Requirements for Exception
New GLBA section 503(f) states that a financial institution that
meets the requirements for the annual notice exception will not be
required to provide annual notices ``until such time'' as the financial
institution fails to comply with the criteria described in section
503(f)(1) and 503(f)(2), which are now implemented in Sec.
1016.5(e)(1)(i) and (ii). A financial institution will no longer meet
the requirements for the exception either by beginning to share
nonpublic personal information in ways that trigger rights to opt-out
notices under the GLBA and Regulation P, or by otherwise changing its
policies and practices with regard to disclosing nonpublic personal
information from the policies and practices that were disclosed to the
customer under Sec. 1016.6(a)(2) through (5) and (9) in the most
recent privacy notice the financial institution provided.
Financial institutions that no longer meet the conditions for the
exception must provide customers with annual privacy notices. However,
the GLBA, including new GLBA section 503(f), does not clearly specify
when institutions must provide these notices. Thus, the statute is
ambiguous on the point. It could be read to require the financial
institution to provide an annual privacy notice by the time it changes
its policies or practices in such a way that it no longer qualifies for
the exception. Alternatively, it could be read to subject the financial
institution, at the time it changes its policies or practices in such a
way that it no longer qualifies for the exception, to the requirement
to provide an annual privacy notice while being silent as to the timing
for providing that notice.
Pursuant to its authority in GLBA section 504 to issue rules to
implement the GLBA, the Bureau proposed to resolve this ambiguity by
adopting this second reading and issuing standards for when
institutions must provide these notices. Specifically, in proposed
Sec. 1016.5(e)(2)(i) and (ii), the Bureau proposed to use its
rulemaking authority under GLBA section 504(a) to establish timing
requirements for providing an annual notice in these circumstances. The
Bureau proposed to establish these requirements to ensure that delivery
of the annual privacy notice in these circumstances is consistent with
the existing timing requirements for privacy notices in the regulation,
where applicable, and to provide clarity to financial institutions
regarding these requirements.
In developing the proposed framework, the Bureau looked to existing
requirements under the statute and regulation because they already
address circumstances in which a financial institution might change its
policies and procedures in a way that affects the content of the
notices. Specifically, Sec. 1016.8 requires that the financial
institution provide a revised notice to consumers before implementing
certain types of changes; in other cases, the statute and regulation
currently contemplate that a change in policy and procedure that
affects the content of the notices would simply be reflected on the
next regular annual notice provided to the customer. The Bureau is
therefore proposing different timing requirements for the resumption of
the annual notice requirement depending on whether the change at issue
would trigger the requirement for a revised notice under Sec. 1016.8
prior to the change taking effect.
Accordingly, the timing requirements in proposed Sec.
1016.5(e)(2)(i) and (ii) would differ depending on whether the change
that causes the financial institution to no longer satisfy the
conditions for the annual notice
[[Page 40951]]
exception also triggers a requirement under existing Regulation P to
deliver a revised notice. Section 1016.8 currently requires that
financial institutions provide revised notices to consumers before the
institutions share nonpublic personal information with a nonaffiliated
third party if their sharing would be different from what the
institution described in the initial notice it delivered. After
delivering the revised notice, the financial institution must also give
the consumer a reasonable opportunity to opt out of any new information
sharing beyond the Regulation P exceptions before the new sharing
occurs.
Three-fifths of all industry commenters on the proposed rule
specifically addressed the proposed timing requirements. The comments
on the timing requirements viewed the requirement in Sec.
1016.5(e)(2)(i) and that in Sec. 1016.5(e)(2)(ii) very differently, as
will be discussed below in regard to those sections. In regard to the
overall timing requirements, one trade association representing credit
unions expressed appreciation for the Bureau's proposal, stating that
such clarification will eliminate confusion surrounding delivery
requirements after a financial institution no longer meets the
requirements for the exception. A trade association representing banks
supported the proposed timing requirements, asserting that institutions
will not find it difficult to comply with the suggested conditions.
This commenter also requested clarification that once notices are sent
and there are no further privacy changes, an institution will be able
to again qualify for the exception, thus excepting it from having to
send further annual notices.
The Bureau is adopting the timing provisions largely as proposed,
with a change to the duration of the timing requirement in Sec.
1016.5(e)(2)(ii), as discussed below. The Bureau is also adding another
example to Sec. 1016.5(e)(2)(iii) to clarify whether a financial
institution again qualifies for the annual notice exception after
delivering an annual notice under Sec. 1016.5(e)(2).
5(e)(2)(i) Changes Preceded by a Revised Privacy Notice
For changes to a financial institution's policies or practices that
cause it to no longer satisfy the conditions for the exception and also
trigger an obligation to send a revised notice prior to the change, the
Bureau proposed in Sec. 1016.5(e)(2)(i) that financial institutions
would be required to resume delivery of their subsequent regular annual
notices pursuant to the existing timing requirements that govern
delivery of annual notices generally. Because the revised notice would
inform the customer of the institution's changed policies and practices
before any new sharing occurs, the Bureau believed that there is no
clear urgency regarding delivery of the first annual notice subsequent
to implementation of the new policies and procedures.
Specifically, Sec. 1016.4(a)(1) generally requires a financial
institution to provide an initial notice to an individual who becomes
the institution's customer no later than when it establishes a customer
relationship. Section 1016.5(a) requires a financial institution to
provide a privacy notice to its customers ``not less than annually''
during the continuation of any customer relationship. Section
1016.5(a)(1) defines annually to mean ``at least once in any period of
12 consecutive months.'' It further provides that a financial
institution ``may define the 12-consecutive-month period, but [] must
apply it to the customer on a consistent basis.'' Section 1016.5(a)(2)
provides an example of the meaning of ``annually'' in relation to the
delivery of the first annual notice after the initial notice:
You provide a notice annually if you define the 12-consecutive-
month period as a calendar year and provide the annual notice to the
customer once in each calendar year following the calendar year in
which you provided the initial notice. For example, if a customer
opens an account on any day of year 1, you must provide an annual
notice to that customer by December 31 of year 2.
The example in Sec. 1016.5(a)(2) provides financial institutions
with the flexibility to select a specific date during the year to
provide annual notices to all customers, regardless of when a
particular customer relationship began. This flexibility avoids
burdening institutions with either having to provide annual notices on
the anniversary of initial notices, or alternatively providing two
notices in the first year of the customer relationship to get all
accounts originated in a given calendar year on the same cycle for
delivering subsequent annual notices.
The Bureau proposed that the approach to timing of the annual
notice in Sec. 1016.5(a)(2) be applied if a financial institution
makes a change that causes it to lose the exception and triggers the
requirement to deliver a revised notice prior to the change. Under the
proposed approach, if a financial institution provides a revised notice
on any day of year 1 in advance of changing its policies or practices
such that it loses the exception, that revised notice would be treated
as analogous to an initial notice in Sec. 1016.5(a)(2). Assuming that
the financial institution defines the 12-month period as the calendar
year, the financial institution would have to provide the first annual
notice after losing the exception by December 31 of year 2.
The Bureau invited comment on the timing conditions proposed in
Sec. 1016.5(e)(2)(i). Few commenters separately discussed Sec.
1016.5(e)(2)(i). All commenters who explicitly addressed the proposed
timing requirements under Sec. 1016.5(e)(2)(i) agreed with the
Bureau's proposed approach. No industry commenters suggested
alternative timing conditions. One credit union asserted that the
proposed timing condition would incentivize credit unions to plan and
notify their members in advance of making changes to privacy policies.
Two trade associations representing banks and credit unions supported
the timing requirement because it would prevent institutions from
having to send out multiple notices within the same year. The trade
association representing credit unions asserted that redundant notices
provide no benefit to consumers and pose a burden and expense on credit
unions.
The Bureau now adopts Sec. 1016.5(e)(2)(i) as proposed. The Bureau
believes that using the same approach in Sec. 1016.5(e)(2)(i) as in
existing Sec. 1016.5(a)(2) is appropriate for two reasons. First,
customers will receive a revised notice informing them of the change in
the financial institution's policies or practices before the change
occurs, and thus customers will not be harmed by the financial
institution taking a longer period of time in which to deliver the
first annual notice after the annual notice exception has been lost.
Second, this approach will preserve flexibility for financial
institutions, avoid requiring them to deliver a revised notice and
an annual notice in the same year, and allow them to use a
convenient delivery date for annual notices for all customers. The
Bureau believes this flexibility is justified because a financial
institution that is required to deliver a revised privacy notice
pursuant to Sec. 1016.8 may have continuing annual notice obligations
after the exception is lost. Such an institution could be sharing other
than as described in the Regulation P exceptions and thus fail to
satisfy Sec. 1016.5(e)(1)(i), making the annual notice exception
unavailable in future years.
[[Page 40952]]
5(e)(2)(ii) Changes Not Preceded by a Revised Privacy Notice
For financial institutions that change their policies and practices
in such a way as to lose the Sec. 503(f) exception, but do not share
information in a way that triggers the requirement under Sec. 1016.8
to deliver a revised notice prior to the change, the Bureau proposed
that a financial institution must deliver the annual notice within 60
days after the change that caused the institution to lose the
exception. The Bureau proposed this 60-day period for providing the
annual notice in this situation because customers would not receive a
revised notice from the financial institution prior to the
institution's change in policies or practices.
The Bureau requested comment on whether 60 days is an appropriate
period for delivering annual notices in these circumstances or if
another period would be more appropriate. Approximately half of all
commenters specifically addressed the timing conditions proposed under
Sec. 1016.5(e)(2)(ii). These commenters generally opposed the 60-day
requirement, advocating instead for an increased amount of time for
institutions to deliver the revised notice. The majority of these
commenters requested at least 90 days to deliver the notice.
Trade associations representing credit unions cited cost concerns
with the 60-day requirement, asserting that because they send quarterly
statements to many consumers, the timing requirement would require
institutions to send out an additional notice. Some of these commenters
suggested that 90 days was a more appropriate timeframe, as it would
allow institutions to minimize costs by sending the revised notice with
the next quarterly statement. One of these trade associations
representing credit unions also asserted that 60 days was too brief,
particularly for small credit unions addressing inadvertent changes.
This commenter suggested 90 to 120 days to allow credit unions the
opportunity to include the notice with the quarterly periodic
statement, and noted that while all members may not receive monthly
statements, most receive account statements quarterly.
Other industry commenters suggested 120 days as an appropriate time
to deliver the annual notice. A few of these commenters cited the same
above-mentioned cost concerns that are associated with separate
mailers. These commenters asserted that 120 days would allow the notice
to be included with regularly scheduled member statements, therefore
eliminating the need for an additional mailer. One industry commenter
representing credit unions noted that a separate mailer would be
especially costly for smaller credit unions with fewer resources.
Industry commenters who suggested 120 days also stated, without
specific explanation, that the proposed 60-day requirement did not
provide institutions enough time to perform. A few of these industry
commenters asserted that smaller credit unions, particularly those with
fewer resources, would find the 60-day time frame too short. Some of
those same commenters thought that larger credit unions with numerous
departments working to consolidate information would also struggle to
meet the 60-day requirement. Several trade associations representing
credit unions stated that a longer time frame would allow credit unions
time to organize logistics, educate staff, and command the resources
necessary to draft and send the required notice. One industry commenter
stated that an extension would not negatively impact consumers because
prior notice is still required when changes allow sharing with third
parties of non-public personal information and the option to opt out in
advance.
One trade association commenter representing credit unions
suggested at least 180 days, citing the fact that Sec. 1016.8 does not
require a revised privacy notice under the circumstances described in
Sec. 1016.5(e)(2)(ii). This commenter also suggested that to combat
costs, financial institutions should have the option to include a
message on periodic statements or mailers that there has been a change
to the privacy notice, and direct the recipient to the financial
institution's website to view and download an electronic copy of the
revised notice.
The Bureau now adopts the timing provision in Sec.
1016.5(e)(2)(ii) with a 100-calendar-day period during which the
financial institution must provide the annual privacy notice. The
unanimous industry objection to the 60-day period suggests that the
proposal likely would have imposed costs that the Bureau had not
anticipated. The 100-day period will accommodate the inclusion of the
notice with quarterly statements. The Bureau believes that providing 10
days in addition to the 90 days many commenters requested is
appropriate because most calendar quarters are slightly longer than 90
days, and a short additional period should be allowed for
administrative activities and to provide flexibility if the end date
falls on a weekend or holiday. The Bureau does not believe that
consumers will be harmed by this extension of the time period from the
proposal.
However, the Bureau notes that the commenters requesting 120 or 180
days provided no specific reason why allowing such additional time
would contribute to cost savings beyond allowing the notice to be
included in quarterly statements. The Bureau is not aware of any other
reason, and therefore declines to adopt a longer period.
The Bureau believes that the 100-day deadline will not impose undue
or unreasonable costs on financial institutions, particularly since the
delivery requirement is effectively a one-time burden absent additional
changes to a financial institution's policies and practices.
Specifically, after providing the one annual notice, the financial
institution will likely once again meet both of the conditions for the
exception--it will not be sharing nonpublic personal information with
nonaffiliates other than as described in a Regulation P exception to
the opt-out requirements and its policies and practices will not have
changed since it provided the annual notice. Because the financial
institution likely will once again meet the conditions for the
exception, it likely will not be required to provide future annual
notices. In other words, these financial institutions will likely lose
the exception for only a single year. The Bureau is including an
additional example in Sec. 1016.5(e)(2)(iii)(B) for clarity. Given
that financial institutions delivering notices pursuant to Sec.
1016.5(e)(2)(ii) will likely have no continuing obligation to send
annual notices, they likely will not need flexibility in choosing a
convenient delivery date for future annual notices, beyond the 100 days
of flexibility being provided for a single privacy notice.\43\
---------------------------------------------------------------------------
\43\ If the financial institution were to make changes in the
future to its practices and policies, these changes could trigger a
new obligation to provide annual privacy notices.
---------------------------------------------------------------------------
In regard to the comment that the regulation should allow financial
institutions to include a message on periodic statements or mailers
directing customers to an electronic copy of the annual notice, the
Bureau believes that any reduction in costs would be minimal because
the financial institution is likely not required to provide more than
one notice. In addition, the Bureau did not propose or request comment
on such an option.
The Bureau also notes that financial institutions have substantial
flexibility in managing the burden involved in sending the one annual
notice because institutions can generally choose when
[[Page 40953]]
they change their policies or practices. Accordingly, an institution
can choose when to make the change triggering the commencement of the
100-day period for delivery of the annual notice, so that the date of
delivery can be as convenient and low-cost as possible.
5(e)(2)(iii) Examples
In order to facilitate compliance with proposed Sec. 1016.5(e)(2),
the Bureau proposed Sec. 1016.5(e)(2)(iii) to provide an example for
when an institution must provide an annual notice after changing its
policies or practices such that it no longer meets the requirements for
the annual notice exception set forth in proposed Sec. 1016.5(e)(1).
The Bureau did not receive any comments specifically discussing the
example provided in Sec. 1016.5(e)(2)(iii). Because the Bureau
believes that the example will provide clarity and facilitate
compliance, it is now being made final in Sec. 1016.5(e)(2)(iii)(A),
with a minor change due to the alteration of the time frame in Sec.
1016.5(e)(2)(ii). In addition, the Bureau is providing a second
example, in Sec. 1016.5(e)(2)(iii)(B), to facilitate compliance when a
financial institution must only provide one annual notice before it
again qualifies for the Sec. 1016.5(e)(1) exception.
Section 1016.5(e)(2)(iii)(A) provides an example for when an
institution must provide an annual notice after changing its policies
or practices such that it no longer meets the requirements for the
annual notice exception in Sec. 1016.5(e)(1). The Bureau believes this
example will facilitate compliance with Sec. 1016.5(e)(2). The example
assumes that an institution changes its policies or practices effective
April 1 of year 1 and defines the 12-consecutive-month period pursuant
to Sec. 1016.5(a)(1) as a calendar year. Section 1016.5(e)(2)(iii)(A)
states that the institution must provide an annual notice by December
31 of year 2 if the institution was required to provide a revised
notice prior to the change and provided that revised notice on March 1
of year 1 in advance of the change. Section 1016.5(e)(2)(iii)(A)
further states that the institution must provide an annual notice by
July 9 of year 1 if the institution was not required to provide a
revised notice prior to the change.
The Bureau is also providing a second example, in Sec.
1016.5(e)(2)(iii)(B), to facilitate compliance when a financial
institution must provide only one annual notice before it again
qualifies for the Sec. 1016.5(e)(1) exception, as discussed above in
relation to Sec. 1016.5(e)(2)(ii). The example assumes that a
financial institution changes its policies and practices in such a way
that it no longer meets the requirements of Sec. 1016.5(e)(1), and so
provides an annual notice to its customers. The example further assumes
that after providing the annual notice to its customers, the financial
institution once again meets the requirements of Sec. 1016.5(e)(1) for
an exception to the annual notice requirement. The example explains
that the financial institution does not need to provide additional
annual notices to its customers until such time as it no longer meets
the requirements of Sec. 1016.5(e)(1).
Section 1016.9 Delivering Privacy and Opt Out Notices
9(c)(2) Alternative Delivery Method for Providing Certain Annual
Notices
As discussed in Part II, the Bureau amended Regulation P in October
2014 to allow financial institutions that met certain criteria to
deliver annual notices pursuant to the ``alternative delivery method.''
Because financial institutions that met the conditions in Regulation P
to use the alternative delivery method will also meet the conditions
for the statutory exception in section 503(f), the Bureau proposed to
remove the alternative delivery method from Regulation P by removing
Sec. 1016.9(c)(2) and renumbering existing Sec. 1016.9(c)(1) as Sec.
1016.9(c).
Commenters generally expressed support for the proposed removal of
the alternative delivery method. Ten commenters addressed the issue,
with eight supporting the proposal and two opposing it.
Some commenters welcomed elimination of the alternative delivery
method, asserting that the conditions associated with the 2014
provision deterred institutions from taking advantage of the intended
relief. A debt collector organization stated that the alternative
delivery method did not provide a solution for many debt collectors and
consumers. This commenter asserted that the alternative delivery
required model form created a significant risk of class action
litigation because of claims that the language conflicts with the Fair
Debt Collection Practices Act's prohibitions on third-party disclosure.
A commenter representing several trade associations stated that the
alternative delivery method requirement to post the notice online
eliminated any benefits from the 2014 rule.
Two trade associations agreed that the alternative delivery method
would no longer be useful in light of the statutory exception to the
annual notice requirement, and one of these trade associations stated
that it was unlikely that financial institutions would continue to use
a complex means of compliance when a simpler one was available.
Several commenters discussed benefits associated with eliminating
the alternative delivery method. One trade association stated that
removing the alternative delivery method would eliminate confusion
between the rule and the statute. Another trade association
representing banks expressed appreciation of the elimination of the
alternative delivery method, arguing that it would remove the confusion
of having both an exception from the annual privacy notice and an
alternative to the delivery requirement. One trade association stated
that consumers will benefit from the elimination of the method, as they
will experience decreasing information overload.
One trade association representing banks requested clarification
that institutions that qualify for the exception but still keep a copy
of the privacy policy on their websites will not be criticized or
penalized.
Two trade association commenters representing the consumer credit
industry and credit unions did not support removal of the alternative
delivery method. These commenters stated that their customers or
members prefer to receive communications electronically. Both
commenters cited cost burdens associated with mailing privacy notices.
The trade association representing the consumer credit industry
stated that several of their member financial institutions,
particularly those that provide indirect auto loans, do not qualify for
the statutory exception to the annual notice requirement because the
institutions share consumer information with nonaffiliated third
parties other than as described in Sec. Sec. 1016.13, 14 and 15. These
institutions are required under Sec. 1016.10 of Regulation P to inform
consumers through the institution's annual privacy notice that the
consumer has a right to opt out of that information sharing. The trade
association representing the consumer credit industry encouraged
expansion of the alternative delivery method, highlighting the cost
effectiveness of electronic delivery and stating that many institutions
upgraded systems to implement the alternative delivery method under the
2014 rule. This commenter also urged the Bureau to consider allowing
institutions that share with nonaffiliated third parties to deliver
their privacy notices electronically, such as via website
[[Page 40954]]
posting, similar to the method permitted by the alternative delivery
method.
After considering the comments, the Bureau now adopts the proposed
change, removing the alternative delivery method from Regulation P by
removing Sec. 1016.9(c)(2) and renumbering former Sec. 1016.9(c)(1)
as Sec. 1016.9(c).
Any financial institution that met the conditions to use the
alternative delivery method will also meet the conditions to be
excepted from delivering an annual privacy notice pursuant to new GLBA
section 503(f). First, new GLBA section 503(f)(1) is substantively
identical to the first requirement for using the alternative delivery
method: \44\ That the financial institution share nonpublic personal
information about customers with nonaffiliated third parties only in
ways that do not give rise to the customer's right to opt out of that
sharing.\45\ Second, new GLBA section 503(f)(2) is similar to the
fourth requirement for using the alternative delivery method: that the
institution must not have changed its policies and practices with
regard to disclosing nonpublic personal information from those that
were disclosed to the customer in the most recent privacy notice.\46\
Accordingly, any financial institution that would have met the
requirements in former Sec. 1016.9(c)(2) will also meet the
requirements of section 503(f).
---------------------------------------------------------------------------
\44\ See removed 12 CFR 1016.9(c)(2)(i)(A).
\45\ This sharing is pursuant to GLBA section 503(b)(2) and (e),
which correspond to Regulation P Sec. Sec. 1016.13, 1016.14, and
1016.15.
\46\ See removed 12 CFR 1016.9(c)(2)(i)(D). The requirement in
former Sec. 1016.9(c)(2)(i)(D) was somewhat more restrictive
because it required a financial institution not to have changed its
practices with respect to disclosing nonpublic personal information
and protecting the confidentiality and security of nonpublic
personal information whereas section 503(f)(2) requires that the
institution not have changed its policies only with respect to
disclosing nonpublic personal information. See the section-by-
section analysis of Sec. 1016.5(e)(1)(ii) for further discussion.
---------------------------------------------------------------------------
The Bureau believes that a financial institution that has both
options available to it would choose not to send the annual privacy
notice at all, rather than to deliver it pursuant to the alternative
delivery method, so that it can eliminate rather than merely reduce the
cost of providing annual notices. Given that any financial institution
that qualifies to use the alternative delivery method for its annual
notices also meets the qualifications for the new annual notice
exception, the Bureau believes that including the alternative delivery
method in Regulation P is no longer useful.
The Bureau notes that financial institutions that delivered annual
notices using the alternative delivery method while it was in effect
delivered those notices using a method that was in compliance with
Regulation P, notwithstanding that the alternative delivery method
provision is now being removed from the regulation. The Bureau further
notes that financial institutions that qualify for the new annual
notice exception may still choose to post privacy notices on their
websites, deliver privacy notices to consumers who request them, and
notify consumers of the notices' availability. Such activities will not
affect a financial institution's eligibility for the new 503(f)
exception.
The Bureau has considered the comments suggesting that it retain
and expand the alternative delivery method for providing annual privacy
notices. In this rulemaking, the Bureau is implementing the FAST Act
amendments to the GLBA, which eliminate the requirement that financial
institutions provide an annual privacy notice if certain conditions are
met. In making these amendments to the GLBA, Congress did not address
the delivery method financial institutions must or may use if they
continue to be required to provide an annual privacy notice, including
where financial institutions have not changed their privacy policies
since their last privacy notice and they share information with
nonaffiliated third parties other than as described in Sec. Sec.
1016.13, .14, and .15. Because Congress did not address these issues in
the FAST Act amendments to the GLBA, the Bureau declines to address
them in this rulemaking to implement those amendments.
V. Dodd-Frank Act Section 1022(b)(2) Analysis
A. Overview
In developing the final rule, the Bureau has considered the
potential benefits, costs, and impacts as required by section
1022(b)(2) of the Dodd-Frank Act.\47\ The Bureau requested comment on
the preliminary analysis as well as the submission of additional data
that could inform the Bureau's analysis of the benefits, costs, and
impacts of the rule. The Bureau received one comment on the preliminary
analysis, which it has considered in developing this final analysis. In
addition, the Bureau has consulted and coordinated with the SEC, CFTC,
FTC, and NAIC, and consulted with or offered to consult with the OCC,
Federal Reserve Board, FDIC, NCUA, and HUD, including regarding
consistency with any prudential, market, or systemic objectives
administered by such agencies.
---------------------------------------------------------------------------
\47\ Specifically, section 1022(b)(2)(A) of the Dodd-Frank Act
calls for the Bureau to consider the potential benefits and costs of
a regulation to consumers and covered persons, including the
potential reduction of access by consumers to consumer financial
products or services; the impact on depository institutions and
credit unions with $10 billion or less in total assets as described
in section 1026 of the Dodd-Frank Act; and the impact on consumers
in rural areas.
---------------------------------------------------------------------------
This final rule implements the December 2015 amendment to the GLBA
by amending Sec. 1016.5 of Regulation P to provide that a financial
institution is not required to deliver an annual privacy notice if it:
(1) Provides nonpublic personal information to nonaffiliated third
parties only in accordance with the provisions of Sec. 1016.13, Sec.
1016.14, or Sec. 1016.15; and
(2) Has not changed its policies and practices with regard to
disclosing nonpublic personal information from the policies and
practices that were disclosed to the customer under Sec. 1016.6(a)(2)
through (5) and (9) in the most recent privacy notice provided.
In considering the potential benefits, costs, and impacts of the
rule, the Bureau takes as the baseline for the analysis the legal
regime that existed prior to the FAST Act's amendment of the GLBA.\48\
This regime includes the current provisions of Regulation P. The Bureau
assumes that all financial institutions that can use the alternative
delivery method provided in Sec. 1016.9(c)(2) are doing so.
---------------------------------------------------------------------------
\48\ The proposal referred to this as the ``regulatory regime
that currently exists.'' 81 FR at 44808. However, the baseline the
Bureau is using did not and does not reflect that the FAST Act has
taken effect. The Bureau has discretion in each rulemaking to choose
the relevant provisions to discuss and to choose the most
appropriate baseline for that particular rulemaking.
---------------------------------------------------------------------------
B. Potential Benefits and Costs to Consumers and Covered Persons
The impact on consumers of Sec. 1016.5(e) depends on whether the
particular consumer prefers or would otherwise benefit from receiving
an annual privacy notice that does not offer the consumer an opt-out
under the GLBA and is largely unchanged\49\ from previous notices.
Under Sec. 1016.5(e), financial institutions that meet the
requirements for the annual notice exception would not be required to
provide consumers with annual privacy notices, and the Bureau
anticipates that most institutions would decide not to provide notices
in these circumstances.
[[Page 40955]]
While there is no data available on the number of consumers who are
indifferent to (or dislike) receiving unchanged privacy notices every
year, the limited use of opt-outs and anecdotal evidence suggest that
there are such consumers.\50\ For this group of consumers, Sec.
1016.5(e) might provide a benefit because it would be available to some
institutions that cannot use the alternative delivery method, so that
more consumers would stop receiving mailed annual privacy notices.
---------------------------------------------------------------------------
\49\ As discussed in part IV in the section-by-section analysis
of Sec. 1016.5(e)(1)(ii), certain changes to an institution's
policies or practices would not cause the institution to lose the
annual notice exception.
\50\ One early analysis of the use of the opt-outs reported at
most 5% of consumers make use of them in any year, and likely fewer.
See Jeffrey M. Lacker, The Economics of Financial Privacy: To Opt
Out or Opt In?, 88/3 Fed. Res. Bank Rich. Econ. Q., at 11 (Summer
2002), available at https://www.richmondfed.org/-/media/richmondfedorg/publications/research/economic_quarterly/2002/summer/pdf/lacker.pdf. One commenter on the proposed rule also estimated
that 5% of consumers use opt-outs. AFSA Comment letter, August 10,
2016.
---------------------------------------------------------------------------
For other consumers who would prefer or otherwise benefit from
receiving the annual notices, there will be some cost because many
institutions that previously delivered notices--whether through the
standard delivery methods or through the alternative delivery method
that includes posting on the institution's website--will no longer
deliver annual notices. Consumers may be less informed about
opportunities to limit a financial institution's information sharing
practices if the financial institution meets the requirements for the
annual notice exception and chooses not to provide annual notices. For
example, some consumers will receive fewer notices in which a financial
institution offers voluntary opt-outs, i.e., opt-outs that the
financial institution is not required by Regulation P to offer
(because, for example, the type of sharing the financial institution
does is covered by an exception) but that the institution decides to
provide anyway via the annual privacy notice. Voluntary opt-outs do not
appear to be common, however.\51\ Further, institutions may continue to
offer voluntary opt-outs and may offer them through other mechanisms
even if they do not provide annual privacy notices.
---------------------------------------------------------------------------
\51\ See Lorrie Faith Cranor et al., Are They Actually Any
Different? Comparing Thousands of Financial Institutions' Privacy
Practices, available at https://www.econinfosec.org/archive/weis2013/papers/CranorWEIS2013.pdf (submitted as part of The Twelfth Workshop
on the Economics of Information Security (WEIS 2013), June 11-12,
2013, Georgetown University, Washington, DC). Their findings (Table
2) imply that at most 15% of the 3,422 FDIC insured depositories
that post the model privacy form on their websites offer at least
one voluntary opt-out. Data from a much larger group of financial
institutions analyzed by Cranor et al. (undated) imply (Table 2)
that at most 27% of the 6,191 financial institutions that post the
model privacy form on their websites offer at least one voluntary
opt-out.
---------------------------------------------------------------------------
If financial institutions choose not to provide notices pursuant to
the annual notice exception, consumers may also be less informed of
their opt-out rights under the FCRA. Section 503(c)(4) of the GLBA and
Regulation P require financial institutions providing initial and
annual privacy notices to incorporate into them any notification and
opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of
the FCRA.\52\ Section 624 of the FCRA and Regulation V also permit (but
do not require) financial institutions providing initial and annual
privacy notices under Regulation P to incorporate any opt-out
disclosures provided under section 624 of the FCRA and subpart C of
Regulation V into those notices.\53\ Because financial institutions
will likely decide not to provide annual notices pursuant to the
exception in proposed Sec. 1016.5(e), consumers may be less informed
of their opt-out rights pursuant to these sections of the FCRA to the
extent that institutions use less effective methods to convey
information about these rights to consumers.\54\ Consumers also may be
less informed about a financial institution's data collection practices
and its policies and practices with respect to protecting the
confidentiality and security of nonpublic personal information.
---------------------------------------------------------------------------
\52\ 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).
\53\ 15 U.S.C. 1681s-3(b); 12 CFR 1022.23(b).
\54\ As explained in the section-by-section analysis of Sec.
1016.5(e)(1)(i) in part IV, the annual notice exception in Sec.
1016.5(e) does not relieve financial institutions of the obligation
to provide consumers with the information that is required under
FCRA sections 603(d)(2)(A)(iii) or 624.
---------------------------------------------------------------------------
Regarding benefits and costs to covered persons, the primary effect
of the rule will be burden reduction achieved by lowering the costs to
industry of providing annual privacy notices. Section 1016.5(e) imposes
no new compliance requirements on any financial institution. Any
institution that could use the alternative delivery method will meet
the requirements for the annual notice exception pursuant to Sec.
1016.5(e).\55\ A financial institution that is in compliance with
current law will not be required to take any different or additional
action unless it chooses to take advantage of the annual notice
exception and thus will be required to separately meet its opt-out
obligations, if any, pursuant to the FCRA.\56\ This analysis assumes
that no financial institution will do so unless the net result of the
choice is burden reducing.
---------------------------------------------------------------------------
\55\ Any financial institution that meets the conditions to use
the alternative delivery method will also meet the conditions to be
excepted from delivering an annual privacy notice pursuant to new
GLBA section 503(f) because the two conditions for section 503(f)
are closely related to conditions for using the alternative delivery
method. See the section-by-section analysis of Sec. 1016.9(c) for
further explanation.
\56\ See the section-by-section analysis to Sec.
1016.5(e)(1)(i) in part IV for an explanation of the interaction
between the annual notice exception and the opt-outs provided under
FCRA sections 603(d)(2)(A)(iii) and 624.
---------------------------------------------------------------------------
The expected cost savings to financial institutions from the
revisions to Sec. 1016.5(e) depend on whether the financial
institution uses the alternative delivery method under the baseline.
Financial institutions that currently use the alternative delivery
method will likely cease complying with the requirements in current
Sec. 1016.9(c)(2) since they necessarily meet the requirements of the
exception to the annual notice requirement and thus will no longer be
required to deliver an annual notice.\57\ However, the Bureau expects
that financial institutions that change from using the alternative
delivery method to provide annual notices to not providing these
notices at all will achieve little cost savings.\58\ Financial
institutions that currently do not use the alternative delivery method
are expected to use the proposed annual notice exception if the
expected costs of any changes required to use the exception and the
costs of any consequences of not providing the annual disclosure will
be lower than the costs of complying with current Regulation P. The
Bureau believes that few such financial institutions will find it in
their interests to change their information sharing practices in order
to use the annual notice exception. Thus, the Bureau takes the
information sharing practices of financial institutions as given and
considers how many financial institutions that do not currently meet
the requirements to use the alternative delivery method can use the
annual notice exception.\59\ As a practical matter, the Bureau
identifies these institutions solely by their
[[Page 40956]]
information sharing practices: That is to say, the Bureau identifies
the financial institutions whose current information sharing practices
do not meet the standards in Sec. 1016.9(c)(2) but will meet the
standards in Sec. 1016.5(e). The Bureau then estimates the ongoing
savings in costs to these financial institutions from no longer sending
the annual privacy notice.\60\
---------------------------------------------------------------------------
\57\ See supra note 52.
\58\ The Bureau believes that the alternative delivery method
imposes little ongoing cost to financial institutions that have
adopted it. These costs derive from the additional text on an
account statement, coupon book, notice or disclosure the institution
already provides; maintaining a web-page dedicated to the annual
privacy notice; responding to telephone calls from a very small
number of consumers requesting that the model form be mailed; and
mailing the forms prompted by these calls.
\59\ Because the Bureau takes institutions' sharing practices as
given and because the cost savings estimate is based on a single
year, the expected cost savings for institutions do not account
for a reduction or increase in aggregate cost savings that may occur
if any institutions change their sharing practices in the future
such that they no longer meet the requirements for the annual notice
exception or they begin to meet those requirements.
\60\ The Bureau assumes that a financial institution used the
alternative delivery method whenever the Bureau can obtain the
annual privacy notice from the website of the financial institution
and the Bureau concludes from the information on the privacy notice
that the information sharing practices of the financial institution
comply with removed Sec. 1016.9(c)(2). If a financial institution
did not use the model form, the Bureau assumes that the financial
institution would have adopted the model form if the information
sharing practices complied with Sec. 1016.9(c)(2). This methodology
overstates the number of these financial institutions that could
have used the alternative delivery method, because some of these
financial institutions might not have met all of the requirements of
Sec. 1016.9(c)(2), and therefore understates the benefits of the
annual notice exception to these financial institutions. On the
other hand, if a financial institution does not have a website, the
Bureau cannot (as a practical matter) obtain and evaluate its
information sharing practices. In this case, the Bureau assumes that
the financial institution cannot use either the alternative delivery
method or the annual notice exception. This also tends to understate
the benefits of the annual notice exception to these financial
institutions, since none of them could have used the alternative
delivery method but some might be able to use the annual notice
exception.
---------------------------------------------------------------------------
For the 2014 Annual Privacy Notice Rule, the Bureau collected a
sample of privacy policies from banks and credit unions and estimated
both the number of financial institutions that would adopt the
alternative delivery method and the aggregate cost savings that would
result.\61\ Specifically, the Bureau examined the privacy policies of
19 banks with assets over $100 billion as well as the privacy policies
of 106 additional banks selected through random sampling. The Bureau
previously concluded that 80% of banks could use the alternative
delivery method that was set forth in Sec. 1016.9(c)(2). For the
current rulemaking, the Bureau re-analyzed this sample to identify
banks with information sharing practices that do not meet the standard
in Sec. 1016.9(c)(2) but will meet the standard in Sec. 1016.5(e). In
the re-analysis, the Bureau finds that 48% of banks that could not use
the alternative delivery method can use the proposed exception to the
annual notice requirement. Most of these banks were not able to use the
alternative delivery method because they offered opt-outs to consumers
pursuant to FCRA section 603(d)(2)(A)(iii); a financial institution can
meet the requirements for the annual notice exception in Sec.
1016.5(e) even if it offers such opt-outs. Specifically, the Bureau
previously estimated that approximately 1,350 banks could not use the
alternative delivery method and our re-analysis shows that 650 of these
banks (48%) will be able to use the annual notice exception.\62\ For
banks with assets over $10 billion, 70% of those that could not use the
alternative delivery method can use the annual notice exception. For
banks with assets of $10 billion or less and banks with assets of $500
million or less, the respective figures are 47% and 40%.
---------------------------------------------------------------------------
\61\ See 79 FR 64057, 64076-64077 (Oct. 28, 2014). Note that the
term ``banks'' as used throughout this rule includes savings
associations.
\62\ While these 650 banks are just 9.5% of all banks, this
percentage does not take into account the fact that the majority of
banks could not potentially benefit from the exception to the annual
privacy notice requirement since (by our previous analysis) they
already use the alternative delivery method.
---------------------------------------------------------------------------
The Bureau also previously examined the privacy policies of the
four credit unions with assets over $10 billion as well as the privacy
policies of 50 additional credit unions selected through random
sampling. The Bureau previously concluded that 46% of credit unions
could use the alternative delivery method. The information evaluated in
the re-analysis shows that none of the credit unions that could not use
the alternative delivery method will be able to use the exception to
the annual notice requirement. Credit unions that clearly could not use
the alternative delivery method generally shared information with
nonaffiliated third parties other than as specified in the exceptions
in Secs. 1016.13, 1016.14, and 1016.15. However, there are a
number of cases in which the Bureau could not readily evaluate the
information sharing practices of the sampled credit union because it
did not have a website, did not post the privacy notice on its website,
or did not use the model form.\63\ In the proposal, the Bureau
requested data and other factual information on the use of the
alternative delivery method by credit unions and the likely use of the
proposed annual notice exception by credit unions that cannot use the
alternative delivery method. No comments provided data in response to
this request.\64\
---------------------------------------------------------------------------
\63\ One or more of these conditions held for a number of credit
unions with assets of $500 million or less. As explained above, if a
financial institution did not have a website or did not post the
privacy notice on its website, the Bureau made the conservative
assumption that it did not benefit from the alternative delivery
method and will not benefit from the new annual notice exception.
See also 79 FR 64057, 64076 (Oct. 28, 2014).
\64\ Although no credit unions or credit union advocates
commented or provided data, one State trade association representing
banks stated that many financial institutions will appreciate and
take advantage of the exception, but it will not create additional
costs or harm to consumers. That commenter did not provide data.
---------------------------------------------------------------------------
Regarding the number of non-depository financial institutions that
will benefit from the exception to the annual notice requirement, the
Bureau uses the same basic methodology as in its prior analysis.
Specifically, the Bureau assumes that the fraction of non-depository
financial institutions that cannot use the alternative delivery method
but can use the new annual notice exception is the same for
non-depository institutions as for banks (9.5%).\65\
---------------------------------------------------------------------------
\65\ For further discussion, see id. at 64077.
---------------------------------------------------------------------------
Having identified the financial institutions that will benefit from
the exception to the annual notice requirement, the Bureau estimates
the benefit using the same basic methodology as in its prior
analysis.\66\ For banks, the Bureau allocated the total burden of
providing the annual privacy notices to asset-size groups in proportion
to the share of assets in the group. The Bureau then estimated an
amount of burden reduction specific to each asset-size group using the
results from the privacy notice analysis described above. The total
burden reduction is then the sum of the burden reductions in each
asset-size group. The estimated reduction in burden for banks using
this methodology is approximately $3.158 million annually. The
estimated reduction in burden for non-depository financial institutions
is an additional $231,000 annually.\67\ Thus, the Bureau believes that
the total reduction in burden is approximately $3.389 million
annually.\68\ This represents about 28% of the total $12.162 million
annual cost of providing the annual privacy notice under Regulation P.
---------------------------------------------------------------------------
\66\ See id. at 64076-64077.
\67\ Note that this figure excludes auto dealers. Auto dealers
are regulated by the FTC and will not be directly impacted by this
amendment to Regulation P.
\68\ Some of these banks and non-depository financial
institutions that currently include on their annual privacy notice
the opt-out notices pursuant to FCRA section 603(d)(2)(A)(iii) or
FCRA section 624 and the Affiliate Marketing Rule may now be
required to deliver these notices separately. The Bureau does not
have the data necessary to estimate the frequency with which these
opt-out notices will be delivered separately or to subtract the cost
of delivering them separately from the savings from no longer
providing the annual privacy notice.
---------------------------------------------------------------------------
The Bureau requested comment on the preliminary presentation of
this analysis as well as the submission of additional data that could
inform the Bureau's consideration of the cost savings to financial
institutions. No comments addressed this request.
[[Page 40957]]
The Regulation P exception to the annual notice requirement
implements a December 2015 statutory amendment to the GLBA. The Bureau
considered alternatives to the timeline for delivery of annual notices
when a financial institution that qualified for the annual exception
changes its policies or practices such that it no longer qualifies.
Because the estimates of costs and benefits to consumers and covered
persons take institutions' sharing policies and practices as given, the
alternatives with respect to the timeline for delivery of annual
notices do not impact those estimates. Further, even if the estimates
allowed for changes in sharing policies and practices that can cause
institutions to meet or fail to meet the requirements for the annual
notice exception, the aggregate annual benefits and costs of delivery
will not likely be significantly impacted by the timeline for delivery
of annual notices. The Bureau does note, however, that changing from 60
to 100 days for delivery of the annual privacy notice under Sec.
1016.5(e)(2)(ii) should result in a small burden reduction from the
proposal, as financial institutions will be able to send the notice
with quarterly statements as they requested.
C. Impact on Depository Institutions With No More Than $10 Billion in
Assets
The Bureau currently estimates that approximately 600 banks with
$10 billion or less in assets cannot use the alternative delivery
method but can use the annual notice exception. This constitutes 47% of
banks with $10 billion or less in assets that do not use the
alternative delivery method and 8.8% of all banks with $10 billion or
less in assets. As reported above, 70% of banks with more than $10
billion in assets that do not use the alternative delivery method can
use the proposed exception to the annual notice requirement. This is
55% of all banks with more than $10 billion in assets. Thus, the rule
may have different impacts on federally insured depository institutions
with $10 billion or less in assets as described in section 1026 of the
Dodd-Frank Act. The Bureau currently believes that no credit unions of
any size that could not use the alternative delivery method will be
able to use the exception to the annual notice requirement.
D. Impact on Access to Credit and on Consumers in Rural Areas
The Bureau does not believe that the rule will reduce consumers'
access to consumer financial products or services or have a unique
impact on rural consumers.
VI. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA) as amended by the Small
Business Regulatory Enforcement Fairness Act of 1996, requires each
agency to consider the potential impact of its regulations on small
entities, including small businesses, small governmental units, and
small not-for-profit organizations. The RFA defines a ``small
business'' as a business that meets the size standard developed by the
Small Business Administration pursuant to the Small Business Act. The
RFA generally requires an agency to conduct an initial regulatory
flexibility analysis (IRFA) and a final regulatory flexibility analysis
(FRFA) of any rule subject to notice-and-comment rulemaking
requirements, unless the agency certifies that the rule will not have a
significant economic impact on a substantial number of small
entities.\69\ The Bureau also is subject to certain additional
procedures under the RFA involving the convening of a panel to consult
with small business representatives prior to proposing a rule for which
an IRFA is required.\70\
---------------------------------------------------------------------------
\69\ 5 U.S.C. 603 through 605.
\70\ 5 U.S.C. 609.
---------------------------------------------------------------------------
At the proposed rule stage, the Bureau determined that an IRFA was
not required because the proposal, if adopted, would not have a
significant economic impact on a substantial number of small entities.
For this final rule, the Bureau continues to believe that that
determination is accurate. The Bureau does not expect the rule to
impose costs on small entities. All methods of compliance under current
law will remain available to small entities when this rule is adopted.
Thus, a small entity that is in compliance with current law need not
take any different or additional action under the new rule. In
addition, based on the data analysis described previously, the Bureau
believes that the annual notice exception will allow some small
institutions to stop sending the annual notice and to thereby reduce
costs.
Accordingly, the undersigned certifies that this rule will not have
a significant economic impact on a substantial number of small
entities.
VII. Paperwork Reduction Act
Under the Paperwork Reduction Act of 1995 (PRA),\71\ Federal
agencies are generally required to seek Office of Management and Budget
(OMB) approval for information collection requirements prior to
implementation. This proposal would amend Regulation P, 12 CFR part
1016. The collections of information related to Regulation P have been
previously reviewed and approved by OMB in accordance with the PRA and
assigned OMB Control Number 3170-0010. Under the PRA, the Bureau may
not conduct or sponsor, and, notwithstanding any other provision of
law, a person is not required to respond to an information collection,
unless the information collection displays a valid control number
assigned by OMB.
---------------------------------------------------------------------------
\71\ 44 U.S.C. 3501 through 3558.
---------------------------------------------------------------------------
As explained below, the Bureau has determined that this rule does
not contain any new or substantively revised information collection
requirements other than those previously approved by OMB. The rule will
implement the December 2015 amendment to the GLBA and amend Sec.
1016.5 of Regulation P to provide that a financial institution is not
required to deliver an annual privacy notice if it:
(1) Provides nonpublic personal information to nonaffiliated third
parties only in accordance with the provisions of Sec. 1016.13, Sec.
1016.14, or Sec. 1016.15; and
(2) Has not changed its policies and practices with regard to
disclosing nonpublic personal information from the policies and
practices that were disclosed to the customer under Sec. 1016.6(a)(2)
through (5) and (9) in the most recent privacy notice provided.
Under Regulation P, the Bureau generally accounts for the paperwork
burden for the following respondents pursuant to its
enforcement/supervisory authority: Federally insured depository institutions with
more than $10 billion in total assets, their depository institution
affiliates, and certain non-depository institutions. The Bureau and the
FTC generally both have enforcement authority over non-depository
institutions subject to Regulation P. Accordingly, the Bureau has
allocated to itself half of the final rule's estimated reduction in
burden on non-depository financial institutions subject to Regulation
P. Other Federal agencies, including the FTC, are responsible for
estimating and reporting to OMB the paperwork burden for the
institutions for which they have enforcement and/or supervision
authority. They may use the Bureau's burden estimation methodology, but
need not do so.
The Bureau does not believe that this final rule will impose any
new or substantively revised collections of information as defined by
the PRA, and instead believes that it will have the overall effect of
reducing the previously approved estimated burden on industry for the
information collections
[[Page 40958]]
associated with the Regulation P annual privacy notice. Using the
Bureau's burden estimation methodology, the reduction in the estimated
ongoing burden will be approximately 62,197 hours annually for the
roughly 13,500 banks and credit unions subject to the rule, including
Bureau respondents, and the roughly 29,400 entities regulated by the
FTC also subject to the rule (i.e., entities over which the FTC has
Regulation P administrative enforcement authority). The reduction in
estimated ongoing costs from the reduction in ongoing burden will be
approximately $3.389 million annually.\72\
---------------------------------------------------------------------------
\72\ The total hours and costs consist of: (a) 51,230 hours at
banks and credit unions evaluated at $61.65/hour; and (b) 10,967
hours at entities regulated by the FTC also subject to the rule,
evaluated at $21.07/hour.
---------------------------------------------------------------------------
The Bureau believes that the one-time cost of adopting the annual
notice exception for financial institutions that adopt it will be de
minimis. The Bureau's methodology for estimating the reduction in
ongoing burden was discussed above. The method is similar to that
described in the PRA analysis in the 2014 Annual Privacy Notice Rule.
The only difference is that instead of estimating the fraction of
institutions that will be able to use the alternative delivery method,
the Bureau estimates the fraction of institutions that will be able to
use the annual notice exception and are not already using the
alternative delivery method, to compute the reduction in burden
relative to the baseline.\73\
---------------------------------------------------------------------------
\73\ See 79 FR 64057, 64080 (Oct. 28, 2014).
---------------------------------------------------------------------------
The Bureau takes all of the reduction in ongoing burden from banks
and credit unions with assets of $10 billion and above and half the
reduction in ongoing burden from the non-depository institutions
subject to the FTC's enforcement authority that are subject to the
Bureau's Regulation P. The total reduction in ongoing burden taken by
the Bureau is 53,216 hours or $3.058 million annually.\74\
---------------------------------------------------------------------------
\74\ The total hours and costs consist of: (a) 47,733 hours at
banks and credit unions evaluated at $61.65/hour; and (b) 5,484
hours at entities regulated by the FTC also subject to the rule,
evaluated at $21.07/hour.
---------------------------------------------------------------------------
The Bureau has determined that the final rule does not contain any
new or substantively revised information collection requirements as
defined by the PRA and that the burden estimate for the previously
approved information collections should be revised as explained above.
The Bureau requested comments on these determinations or any other
aspect of the proposal for purposes of the PRA, but received none.
Summary of Burden Changes
----------------------------------------------------------------------------------------------------------------
                                                     Previously approved     Net change in        New total
Information collections                              total burden hours      burden hours         burden hours
----------------------------------------------------------------------------------------------------------------
Notices and disclosures.........................            366,134             -53,216             312,917
----------------------------------------------------------------------------------------------------------------
VIII. Congressional Review Act
Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.),
the Bureau will submit a report containing this rule and other required
information to the United States Senate, the United States House of
Representatives, and the Comptroller General of the United States prior
to the rule taking effect. The Office of Information and Regulatory
Affairs (OIRA) has designated this rule as not a ``major rule'' as
defined by 5 U.S.C. 804(2).
List of Subjects in 12 CFR Part 1016
Banks, Banking, Consumer protection, Credit, Credit unions, Foreign
banking, Holding companies, National banks, Privacy, Reporting and
recordkeeping requirements, Savings associations, Trade practices.
Authority and Issuance
For the reasons set forth in the preamble, the Bureau amends
Regulation P, 12 CFR part 1016, as set forth below:
PART 1016--PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)
■
1. The authority citation for part 1016 continues to read as follows:
Authority: 12 U.S.C. 5512, 5581; 15 U.S.C. 6804.
■
2. Section 1016.3 is amended by revising paragraph (s)(1) to read as
follows:
Sec. 1016.3 Definitions.
* * * * *
(s)(1) You means a financial institution for which the Bureau has
rulemaking authority under section 504(a)(1)(A) of the GLB Act (15
U.S.C. 6804(a)(1)(A)).
* * * * *
Subpart A--Privacy and Opt Out Notices
■
3. Section 1016.5 is amended by revising the first sentence of
paragraph (a)(1) and adding paragraph (e) to read as follows:
Sec. 1016.5 Annual privacy notice to customers required.
(a)(1) * * * Except as provided by paragraph (e) of this section,
you must provide a clear and conspicuous notice to customers that
accurately reflects your privacy policies and practices not less than
annually during the continuation of the customer relationship. * * *
* * * * *
(e) Exception to annual privacy notice requirement. (1) When
exception available. You are not required to deliver an annual privacy
notice if you:
(i) Provide nonpublic personal information to nonaffiliated third
parties only in accordance with the provisions of Sec. 1016.13, Sec.
1016.14, or Sec. 1016.15; and
(ii) Have not changed your policies and practices with regard to
disclosing nonpublic personal information from the policies and
practices that were disclosed to the customer under Sec. 1016.6(a)(2)
through (5) and (9) in the most recent privacy notice provided pursuant
to this part.
(2) Delivery of annual privacy notice after financial institution
no longer meets requirements for exception. If you have been excepted
from delivering an annual privacy notice pursuant to paragraph (e)(1)
of this section and change your policies or practices in such a way
that you no longer meet the requirements for that exception, you must
comply with paragraph (e)(2)(i) or (e)(2)(ii) of this section, as
applicable.
(i) Changes preceded by a revised privacy notice. If you no longer
meet the requirements of paragraph (e)(1) of this section because you
change your policies or practices in such a way that
[[Page 40959]]
Sec. 1016.8 requires you to provide a revised privacy notice, you must
provide an annual privacy notice in accordance with the timing
requirements in paragraph (a) of this section, treating the revised
privacy notice as an initial privacy notice.
(ii) Changes not preceded by a revised privacy notice. If you no
longer meet the requirements of paragraph (e)(1) of this section
because you change your policies or practices in such a way that Sec.
1016.8 does not require you to provide a revised privacy notice, you
must provide an annual privacy notice within 100 days of the change in
your policies or practices that causes you to no longer meet the
requirements of paragraph (e)(1) of this section.
(iii) Examples. (A) You change your policies and practices in such
a way that you no longer meet the requirements of paragraph (e)(1) of
this section effective April 1 of year 1. Assuming you define the 12-
consecutive-month period pursuant to paragraph (a) of this section as a
calendar year, if you were required to provide a revised privacy notice
under Sec. 1016.8 and you provided that notice on March 1 of year 1,
you must provide an annual privacy notice by December 31 of year 2. If
you were not required to provide a revised privacy notice under Sec.
1016.8, you must provide an annual privacy notice by July 9 of year 1.
(B) You change your policies and practices in such a way that you
no longer meet the requirements of paragraph (e)(1) of this section,
and so provide an annual notice to your customers. After providing the
annual notice to your customers, you once again meet the requirements
of paragraph (e)(1) of this section for an exception to the annual
notice requirement. You do not need to provide additional annual
notices to your customers until such time as you no longer meet the
requirements of paragraph (e)(1) of this section.
■
4. Section 1016.9 is amended by revising paragraph (c) to read as
follows:
Sec. 1016.9 Delivering privacy and opt out notices.
* * * * *
(c) Annual notices only. You may reasonably expect that a customer
will receive actual notice of your annual privacy notice if:
(1) The customer uses your website to access financial products and
services electronically and agrees to receive notices at the website,
and you post your current privacy notice continuously in a clear and
conspicuous manner on the website; or
(2) The customer has requested that you refrain from sending any
information regarding the customer relationship, and your current
privacy notice remains available to the customer upon request.
* * * * *
Dated: August 9, 2018.
Mick Mulvaney,
Acting Director, Bureau of Consumer Financial Protection.
[FR Doc. 2018-17572 Filed 8-16-18; 8:45 am]
BILLING CODE 4810-AM-P