Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P), 40945-40959 [2018-17572]

Download as PDF Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations IMPORT ASSESSMENT TABLE— Continued IMPORT ASSESSMENT TABLE— Continued [Raw cotton fiber] [Raw cotton fiber] Conv. factor daltland on DSKBBV9HB2PROD with RULES HTS No. 6302317030 6302317040 6302317050 6302319010 6302319020 6302319030 6302319040 6302319050 6302321010 6302321020 6302321030 6302321040 6302321050 6302321060 6302322010 6302322020 6302322030 6302322040 6302322050 6302322060 6302390030 6302402010 6302511000 6302512000 6302513000 6302514000 6302593020 6302600010 6302600020 6302600030 6302910005 6302910015 6302910025 6302910035 6302910045 6302910050 6302910060 6302931000 6302932000 6302992000 6303191100 6303910010 6303910020 6303921000 6303922010 6303922030 6303922050 6303990010 6304111000 6304113000 6304190500 6304191000 6304191500 6304192000 6304193060 6304910020 6304910070 6304920000 6304996040 6505001515 6505001525 6505001540 6505002030 6505002060 6505002545 6507000000 9404901000 9404908020 9404908040 VerDate Sep<11>2014 ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... 1.1073 1.1073 1.1073 0.7751 0.7751 0.7751 0.7751 0.7751 0.5537 0.3876 0.5537 0.3876 0.3876 0.3876 0.5537 0.3876 0.5537 0.3876 0.3876 0.3876 0.2215 0.9412 0.5537 0.8305 0.5537 0.7751 0.5537 1.1073 0.9966 0.9966 0.9966 1.1073 0.9966 0.9966 0.9966 0.9966 0.9966 0.4429 0.4429 0.2215 0.8859 0.609 0.609 0.2768 0.2768 0.2768 0.2768 0.2768 0.9966 0.1107 0.9966 1.1073 0.3876 0.3876 0.2215 0.8859 0.2215 0.8859 0.2215 1.1189 0.5594 1.1189 0.9412 0.9412 0.5537 0.3986 0.2104 0.9966 0.9966 16:27 Aug 16, 2018 Cents/kg. 1.3182407 1.3182407 1.3182407 0.9227566 0.9227566 0.9227566 0.9227566 0.9227566 0.6591799 0.4614378 0.6591799 0.4614378 0.4614378 0.4614378 0.6591799 0.4614378 0.6591799 0.4614378 0.4614378 0.4614378 0.2636958 1.1204986 0.6591799 0.9887103 0.6591799 0.9227566 0.6591799 1.3182407 1.1864523 1.1864523 1.1864523 1.3182407 1.1864523 1.1864523 1.1864523 1.1864523 1.1864523 0.5272725 0.5272725 0.2636958 1.0546640 0.7250145 0.7250145 0.3295304 0.3295304 0.3295304 0.3295304 0.3295304 1.1864523 0.1317884 1.1864523 1.3182407 0.4614378 0.4614378 0.2636958 1.0546640 0.2636958 1.0546640 0.2636958 1.3320505 0.6659657 1.3320505 1.1204986 1.1204986 0.6591799 0.4745333 0.2504812 1.1864523 1.1864523 Jkt 244001 Conv. factor HTS No. 9404908505 9404908536 9404909505 9404909570 9619002100 9619002500 9619003100 9619003300 9619004100 9619004300 9619006100 9619006400 9619006800 9619007100 9619007400 9619007800 9619007900 * * ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... ...... * 0.6644 0.0997 0.6644 0.2658 0.8681 0.1085 0.9535 1.1545 0.2384 0.2384 0.8528 0.2437 0.3655 1.1099 0.2466 0.2466 0.2466 * Cents/kg. 0.7909682 0.1186929 0.7909682 0.3164349 1.0334731 0.1291693 1.1351418 1.3744323 0.2838152 0.2838152 1.0152584 0.2901249 0.4351278 1.3213360 0.2935773 0.2935773 0.2935773 * (Authority: 7 U.S.C. 2101–2118) Dated: August 13, 2018 Bruce Summers, Administrator. [FR Doc. 2018–17723 Filed 8–16–18; 8:45 am] BILLING CODE 3410–02–P BUREAU OF CONSUMER FINANCIAL PROTECTION 12 CFR Part 1016 [Docket No. CFPB–2016–0032] RIN 3170–AA60 Amendment to the Annual Privacy Notice Requirement Under the GrammLeach-Bliley Act (Regulation P) Bureau of Consumer Financial Protection. ACTION: Final rule. AGENCY: The Bureau of Consumer Financial Protection (Bureau) is amending Regulation P, which requires, among other things, that financial institutions provide an annual notice describing their privacy policies and practices to their customers. The amendment implements a December 2015 statutory amendment to the Gramm-Leach-Bliley Act providing an exception to this annual notice requirement for financial institutions that meet certain conditions. DATES: The amendments to Regulation P in this final rule will become effective on September 17, 2018. FOR FURTHER INFORMATION CONTACT: Monique Chenault, Paralegal Specialist; Joseph Devlin, Senior Counsel; Office of Regulations, at (202) 435–7700. SUMMARY: PO 00000 Frm 00015 Fmt 4700 Sfmt 4700 40945 SUPPLEMENTARY INFORMATION: I. Summary of the Final Rule Title V, Subtitle A of the GrammLeach-Bliley Act (GLBA) 1 and Regulation P, which implements the GLBA, mandate that financial institutions provide their customers with annual notices regarding those institutions’ privacy policies. If financial institutions share certain consumer information with particular types of third parties, the annual notices must also provide customers with an opportunity to opt out of the sharing. Regulation P sets forth requirements for how financial institutions must deliver these annual privacy notices. In certain circumstances, Regulation P permits financial institutions to use an alternative delivery method to provide annual notices. This method requires, among other things, that the annual notice be posted on a financial institution’s website. On December 4, 2015, Congress amended the GLBA as part of the Fixing America’s Surface Transportation Act (FAST Act). This amendment, titled Eliminate Privacy Notice Confusion,2 added new GLBA section 503(f). This subsection provides an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers. Section 503(f)(1) requires that to qualify for this exception, a financial institution must not share nonpublic personal information about customers except as described in certain statutory exceptions. (Sharing as described in these specified statutory exceptions does not trigger the customer’s statutory right to opt out of the financial institution’s sharing.) In addition, section 503(f)(2) requires that the financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from those that the institution disclosed in the most recent privacy notice it sent. Section 503(f) took effect upon enactment in December 2015. In July 2016 the Bureau proposed to update Regulation P to reflect the change in the underlying law. As part of its implementation, the Bureau is also amending Regulation P to provide timing requirements for delivery of annual privacy notices in the event that a financial institution that qualified for this annual notice exception later changes its policies or practices in such a way that it no longer qualifies for the exception. The Bureau is further 1 15 U.S.C. 6801 through 6809. Act, Public Law 114–94, section 75001. 2 FAST E:\FR\FM\17AUR1.SGM 17AUR1 40946 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations removing the Regulation P provision that allows for use of the alternative delivery method for annual privacy notices because the Bureau believes the alternative delivery method will no longer be used in light of the annual notice exception. Finally, the Bureau is amending Regulation P to make a technical correction to one of its definitions. II. Background A. The Statute and Regulation The GLBA was enacted into law in 1999 and governs the privacy practices of a broad range of financial institutions.3 Rulemaking authority to implement the GLBA privacy provisions was initially spread among many agencies. The Federal Reserve Board (Board), the Office of Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS) jointly adopted final rules in 2000 to implement the notice requirements of the GLBA.4 The National Credit Union Administration (NCUA), Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and Commodity Futures Trading Commission (CFTC) were part of the same interagency process, but each of these agencies issued separate rules.5 In 2009, all of the agencies with the authority to issue rules to implement the GLBA privacy notice provisions issued a joint final rule with a model form that financial institutions could use, at their option, to provide required initial and annual disclosures.6 In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) 7 transferred GLBA privacy notice rulemaking authority from the Board, NCUA, OCC, OTS, the FDIC, and the FTC (in part) to the Bureau.8 The Bureau then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011 through an interim final rule.9 In April 2016, the Bureau finalized that interim Law 106–102, 113 Stat. 1338 (1999). FR 35162 (June 1, 2000). 5 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 40334 (June 29, 2000) (SEC final rule); 66 FR 21236 (Apr. 27, 2001) (CFTC final rule). 6 74 FR 62890 (Dec. 1, 2009). 7 Public Law 111–203, 124 Stat. 1376 (2010). 8 Public Law 111–203, section 1093. The FTC retained rulewriting authority over any financial institution that is a person described in 12 U.S.C. 5519 (i.e., motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both). 9 76 FR 79025 (Dec. 21, 2011). final rule as amended by 79 FR 64057 (Oct. 28, 2014).10 The Bureau has the authority to promulgate GLBA privacy rules for depository institutions and many nondepository institutions. However, rulewriting authority with regard to securities and futures-related companies is vested in the SEC and CFTC, respectively, and rulewriting authority with respect to certain motor vehicle dealers is vested in the FTC.11 The four agencies are required to consult with each other and with representatives of State insurance authorities to assure, to the extent possible, consistency and comparability among implementing rules.12 Toward that end, the Bureau has consulted and coordinated with these agencies and with the National Association of Insurance Commissioners (NAIC) concerning this final rule and the proposal that preceded it. The Bureau has also consulted with prudential regulators and other appropriate Federal agencies, as required under Section 1022 of the Dodd-Frank Act as part of its general rulewriting process.13 The GLBA and Regulation P require that financial institutions provide consumers with certain notices describing their privacy policies.14 Financial institutions are generally required to provide an initial notice of these policies when a customer relationship is established and to provide an annual notice to customers every year that the customer relationship continues.15 Except as otherwise authorized in the regulation, if a financial institution chooses to disclose nonpublic personal information about a consumer to a nonaffiliated third party other than as described in its initial notice, the institution is also required to deliver a revised privacy notice.16 The types of information required to be included in the initial, annual, and revised notices are identical. Each notice must describe whether and how the financial institution shares consumers’ nonpublic personal information with other 3 Public daltland on DSKBBV9HB2PROD with RULES 4 65 VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 10 81 FR 25323 (Apr. 28, 2016). U.S.C. 6804; 12 CFR 1016.1(b). 12 15 U.S.C. 6804(a)(2). 13 12 U.S.C. 5512(b)(2)(B). 14 When a financial institution has a continuing relationship with the consumer, an annual privacy notice is required and the consumer is then referred to as a ‘‘customer.’’ 12 CFR 1016.3(i), 1016.3(j)(1). 15 12 CFR 1016.4(a)(1), 1016.5(a)(1). Financial institutions are also required to provide initial notices to consumers before disclosing any nonpublic personal information to a nonaffiliated third party outside of certain exceptions. 12 CFR 1016.4(a)(2). 16 12 CFR 1016.8. 11 15 PO 00000 Frm 00016 Fmt 4700 Sfmt 4700 entities.17 The notices must also briefly describe how financial institutions protect the nonpublic personal information they collect and maintain.18 GLBA Section 502 and Regulation P also require that initial, annual, and revised notices provide information about the right to opt out of certain financial institution sharing of nonpublic personal information with some types of nonaffiliated third parties. For example, a mortgage customer has the right to opt out of a financial institution disclosing his or her name and address to an unaffiliated home insurance company. On the other hand, a financial institution is not required to allow a consumer to opt out of the institution’s disclosure of his or her nonpublic personal information to third party service providers and pursuant to joint marketing arrangements subject to certain requirements; disclosures relating to maintaining and servicing accounts, securitization, law enforcement and compliance, and consumer reporting; and certain other disclosures described in the GLBA and Regulation P as exceptions to the optout requirement.19 In addition to opt-out rights under the GLBA, annual privacy notices also may include information about certain consumer opt-out rights under the Fair Credit Reporting Act (FCRA). The privacy notices under the GLBA/ Regulation P and affiliate disclosures under the FCRA/Regulation V interact in two ways. First, section 603(d)(2)(A)(iii) of the FCRA excludes from that statute’s definition of a consumer report 20 the sharing of certain information about a consumer with the institution’s affiliates if the consumer is notified of such sharing and is given an opportunity to opt out.21 Section 503(c)(4) of the GLBA and Regulation P require financial institutions to incorporate into any required Regulation P notices the notification and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA, if the institution provides such disclosures.22 Second, section 624 of the FCRA and Regulation V’s Affiliate Marketing Rule provide that an affiliate of a financial institution that receives certain information (e.g., transaction history) 23 17 12 CFR 1016.6(a)(1)–(5), (9). CFR 1016.6(a)(8). 19 15 U.S.C. 6802(b)(2), (e); 12 CFR 1016.13, 1016.14, 1016.15. 20 15 U.S.C. 1681a(d). 21 15 U.S.C. 1681a(d)(2)(A)(iii). 22 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7). 23 The type of information to which section 624 applies is information that would be a consumer 18 12 E:\FR\FM\17AUR1.SGM 17AUR1 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations from the institution about a consumer may not use the information to make solicitations for marketing purposes unless the consumer is notified of such use and provided with an opportunity to opt out of that use.24 Section 624 of the FCRA and Regulation V also permit (but do not require) financial institutions to incorporate any opt-out disclosures provided under section 624 of the FCRA and subpart C of Regulation V into privacy notices provided pursuant to the GLBA and Regulation P.25 daltland on DSKBBV9HB2PROD with RULES B. The Alternative Delivery Method for Annual Privacy Notices In pursuit of the Bureau’s goal of reducing unnecessary or unduly burdensome regulations, the Bureau in December 2011 issued a Request for Information (RFI) seeking specific suggestions from the public for streamlining regulations the Bureau had inherited from other Federal agencies. In that RFI, the Bureau specifically identified the annual privacy notice as a potential opportunity for streamlining and solicited comment on possible alternatives to delivering the annual privacy notice.26 Numerous industry commenters responded to the RFI by advocating for the elimination or limitation of the annual notice requirement. Financial institutions historically have provided annual notices generally by U.S. postal mail.27 In 2014, the Bureau adopted a rule to allow financial institutions to use an alternative delivery method to provide annual privacy notices through posting the notices on their websites if they meet certain conditions.28 Specifically, financial institutions were allowed to use the alternative delivery method for annual notices if: (1) No opt-out rights were triggered by the financial institution’s information sharing practices under the GLBA; (2) no FCRA section 603 opt-out notices were required to appear on the annual notice and any opt-outs required by FCRA section 624 had previously been report, but for the exclusions provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA. 24 15 U.S.C. 1681s–3 and 12 CFR pt. 1022, subpart C. 25 15 U.S.C. 1681s–3(b); 12 CFR 1022.23(b). 26 76 FR 75825, 75828 (Dec. 5, 2011). 27 Regulation P, however, does allow financial institutions to provide notices electronically (e.g., by email) with consent. 12 CFR 1016.9(a) (stating that a financial institution may deliver the notice electronically if the consumer agrees). The Bureau believes that most consumers do not receive privacy notices electronically. 28 79 FR 64057 (revising 12 CFR 1016.9(c)). The Bureau’s alternative delivery method became effective on October 28, 2014. Id. VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 provided, if applicable, or the annual notice was not the only notice provided to satisfy those requirements; (3) the information included in the annual notice had not changed since the customer received the previous notice; and (4) the financial institution used the model form provided in Regulation P for its annual notice. In addition, to assist customers with limited or no access to the internet, an institution using the alternative delivery method was required to mail annual notices to customers who requested them by telephone. To make customers aware that its annual privacy notice was available through the website or by phone, the institution was required to include a clear and conspicuous statement of availability at least once per year on an account statement, coupon book, or a notice or disclosure the institution issued under any provision of law. C. Statutory Amendment and Proposed Rule On December 4, 2015, Congress amended the GLBA as part of the FAST Act. This amendment, titled Eliminate Privacy Notice Confusion,29 added new GLBA section 503(f), which provides an exception under which financial institutions that meet two conditions are not required to provide annual notices to customers.30 New GLBA section 503(f)(1) states the first condition for the annual notice exception: That a financial institution must provide nonpublic personal information only in accordance with certain exceptions in the GLBA; providing nonpublic personal information under these exceptions does not trigger consumer opt-out rights.31 New GLBA section 503(f)(2) states the second condition for the annual notice exception: That a financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with GLBA 29 FAST Act, Public Law 114–94, section 75001. order to avoid confusion and facilitate responsiveness to consumer requests, the Bureau notes that a financial institution that qualifies for the annual notice exception could provide a privacy notice to a customer without jeopardizing the availability of the exception, such as in response to a customer specifically requesting a copy of the notice. 31 These provisions are in GLBA section 502(b)(2) or (e) and are incorporated into existing Regulation P at § 1016.13, § 1016.14, and § 1016.15. They provide exceptions from the requirement that a financial institution provide notice and an opportunity to opt out of sharing nonpublic personal information with a nonaffiliated third party. 30 In PO 00000 Frm 00017 Fmt 4700 Sfmt 4700 40947 section 503. The statutory amendment became effective upon enactment in December 2015. On July 15, 2016, the Bureau published a proposed rule to implement the FAST Act statutory amendment to the GLBA. The Bureau has considered the comments received on that proposed rule, and now issues this final rule based on it. D. Effective Date As discussed above, the statutory exception to the annual notice requirement is already effective. The amendments to Regulation P in this final rule will be effective 30 days from the date of publication in the Federal Register. E. Privacy Considerations In developing this final rule, the Bureau considered its potential impact on consumer privacy. The rule will not affect the collection or use of consumers’ nonpublic personal information by financial institutions. The rule implements a new statutory exception to limit the circumstances under which financial institutions subject to Regulation P will be required to deliver annual privacy notices to their customers. Delivery of annual privacy notices is required under the rule if financial institutions make certain types of changes to their privacy policies or if the statute and Regulation P afford customers the right to opt out of financial institutions’ sharing of customers’ nonpublic personal information with nonaffiliated third parties. The statutory exception and this final rule do not affect the requirement to deliver an initial privacy notice, and all consumers will continue to receive such notices describing the privacy policies of any financial institutions with which they do business to the extent currently required. III. Legal Authority The Bureau is issuing this final rule pursuant to its authority under section 504 of the GLBA, as amended by section 1093 of the Dodd-Frank Act.32 The Bureau is also issuing this rule pursuant to its authority under sections 1022 and 1061 of the Dodd-Frank Act.33 IV. Section-by-Section Analysis Section 1016.3 Definitions 3(s)(1) Regulation P’s substantive requirements, including the requirement to deliver privacy notices, are generally 32 15 33 12 E:\FR\FM\17AUR1.SGM U.S.C. 6804. U.S.C. 5512, 5581. 17AUR1 40948 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations imposed upon entities that meet the definition of ‘‘You’’ in § 1016.3(s)(1). That provision defines ‘‘You’’ as a ‘‘financial institution or other person for which the Bureau has rulemaking authority under section 504(a)(1)(A) of the GLBA.’’ In order to coordinate this definition more correctly with the term’s usage in the regulation, the Bureau proposed to limit ‘‘You’’ to financial institutions. The Bureau received no comments on this technical amendment, and adopts it now as proposed. As explained above, Regulation P’s substantive requirements, including the requirement to deliver privacy notices, are generally imposed upon entities that meet the definition of ‘‘You’’ in § 1016.3(s)(1). The Bureau has rulemaking authority over entities other than financial institutions pursuant to GLBA section 504(a)(1)(A).34 The statute’s privacy notice requirements, however, specifically apply only to financial institutions.35 The Bureau therefore believes that it is appropriate to limit the definition of ‘‘You’’ in § 1016.3(s)(1) to financial institutions. For this reason, the Bureau is amending § 1016.3(s)(1) to remove the phrase ‘‘or other persons.’’ The Bureau does not believe this technical amendment to § 1016.3(s)(1) will change the settled understanding of the scope of Regulation P’s privacy notice requirements. Instead, the Bureau believes it will clarify that the scope of Regulation P’s privacy notice requirements is consistent with the understanding of stakeholders. daltland on DSKBBV9HB2PROD with RULES Section 1016.5 Annual Privacy Notice to Customers Required 5(a) General Rule The Bureau proposed to amend the general requirement in § 1016.5(a)(1) that financial institutions provide annual notices, to clarify that the Bureau has added an exception to this requirement in § 1016.5(e) to incorporate the amendment to GLBA section 503. No commenters specifically discussed the conforming change to the general rule in § 1016.5(a). One commenter suggested that the Bureau remove any GLBA privacy notice requirement and instead require financial institutions to post their privacy notices online, allow all consumers to choose whether to receive any privacy notices, make 34 Such rulemaking authority has been exercised with respect to nonaffiliated third parties to which a financial institution discloses nonpublic personal information and that third party’s affiliates for purposes of GLBA section 502(c)’s limits on reuse of information. See 12 CFR 1016.11(c)–(d). 35 See GLBA sections 502(a)–(b) and 503(a). VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 electronic notices the default for any consumers who opt to receive any privacy notices, and allow financial institutions to charge fees for any paper privacy notices they provide. The Bureau now adopts the conforming amendment to the general requirement in § 1016.5(a)(1) that financial institutions provide annual notices, to clarify that the Bureau has added an exception to this requirement in § 1016.5(e) to incorporate the amendment to GLBA section 503. The Bureau does not believe that the comment is relevant to the proposal and it does not provide a basis to change the approach proposed by the Bureau. Congress did not include revisions along the lines the commenter suggested in the statutory provision that the Bureau is implementing in this rulemaking. 5(e) Exception to Annual Notice Requirement New GLBA § 503(f) provides that a financial institution is excepted from providing an annual notice if it meets the two conditions described below. The Bureau proposed to add new § 1016.5(e) to incorporate into Regulation P the exception created by new § 503(f). Under proposed § 1016.5(e), as in section 503(f), a financial institution would be excepted from providing an annual notice if it meets the two conditions discussed below. The commenters overwhelmingly supported proposed § 1016.5(e). Although some commenters asked that the exception be broadened, no commenters who discussed the proposed exception objected to it. The commenters stated that the exception would reduce burden and would not harm consumers, and was less complicated and burdensome than the previous alternative delivery method. Some suggested that the provision would benefit consumers. The comments that specifically discussed either of the two requirements for the exception, in § 1016.5(e)(1)(i) and (ii), are discussed below in relation to those provisions. A trade association representing credit unions requested that to eliminate confusion and protect institutions from citations, the rule should be effective retroactive to December 4, 2015, the date the statutory GLBA amendments took effect. In addition, an attorney suggested that the Bureau preempt State privacy statutes that might require institutions to continue providing annual privacy notices in spite of the Federal exception. The attorney recommended the Bureau modify PO 00000 Frm 00018 Fmt 4700 Sfmt 4700 § 1016.17 to expressly preempt contrary State law, and instead require that an institution make its privacy notice continually available online. After considering the comments and for the reasons discussed below, the Bureau now adopts the exception to the annual notice requirement largely as proposed, with certain changes to the timing provisions in § 1016.5(e)(2), as discussed below. In regard to the comment recommending that § 1016.17 be modified, § 1016.17 implements GLBA § 507,36 which provides specific standards regarding preemption of State law. The Bureau does not believe that the comment is relevant to the proposal and it does not provide a basis to change the approach proposed by the Bureau. Congress did not include revisions along the lines the commenter suggested in the statute that the Bureau is implementing in this rulemaking. In regard to the comment on retroactivity, the Bureau has made clear in the proposed rule and this final rule that new GLBA § 503(f) became effective upon enactment in December 2015.37 As the central elements of this rule are already in effect, the Bureau believes that there is no need to make this rule retroactive. To the extent that this rule changes applicable law, the Bureau notes that retroactive rulemaking is disfavored by the courts, and the commenter has not established why it would be appropriate here. This rule takes effect 30 days after its publication in the Federal Register. 5(e)(1) When Exception Available 5(e)(1)(i) New GLBA section 503(f)(1) states the first condition for the annual privacy notice exception: that a financial institution provide nonpublic personal information only in accordance with the provisions of subsection (b)(2) or (e) of section 502 of the GLBA. The Bureau proposed § 1016.5(e)(1)(i) to incorporate this condition by requiring that to qualify for the annual notice exception, any nonpublic personal information that financial institutions provide to nonaffiliated third parties must be provided only in accordance with § 1016.13, § 1016.14 or § 1016.15 of Regulation P. Almost no commenters specifically discussed the first of the two requirements of the new statutory exception. One credit union explained that it does not share nonpublic personal information beyond the exceptions provided in § 1016.13, 36 15 U.S.C. 6807. above, Part II.C. 37 See E:\FR\FM\17AUR1.SGM 17AUR1 daltland on DSKBBV9HB2PROD with RULES Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations § 1016.14 or § 1016.15 of Regulation P, and that it believes the § 1016.5(e)(1)(i) requirement will work well. Another commenter discussed voluntary optouts that a financial institution may offer, asking whether the inclusion on the privacy notice of opt-outs that allow consumers to opt out of sharing that is described in § 1016.13, § 1016.14 or § 1016.15 of Regulation P would interfere with meeting the requirement in § 1016.5(e)(1)(i). The Bureau now adopts § 1016.5(e)(1)(i) as proposed. Section 1016.5(e)(1)(i) will incorporate the first requirement of GLBA § 503(f) by requiring that to qualify for the annual notice exception, any nonpublic personal information that financial institutions provide to nonaffiliated third parties must be provided only in accordance with § 1016.13, § 1016.14 or § 1016.15 of Regulation P; these regulatory sections implement subsections (b)(2) and (e) of section 502.38 A financial institution sharing information only pursuant to these exceptions is not required to provide customers with a right to opt out of that sharing. In addition, because they would only involve information sharing within the exceptions of § 1016.13, § 1016.14 or § 1016.15, voluntary optouts included on privacy notices would not affect compliance with the § 1016.5(e)(1)(i) requirement or the annual notice exception. The Bureau notes that § 1016.6(a)(7) requires that annual privacy notices incorporate any disclosures made under FCRA section 603(d)(2)(A)(iii) regarding the consumer’s ability to opt out of sharing of information among affiliates. Further, the notices may incorporate any opt-out disclosures provided under FCRA section 624.39 GLBA section 503(f)(1) does not mention information sharing that would trigger an opt-out notice under FCRA sections 603(d)(2)(A)(iii) or 624. Given the structure of the statute, the Bureau does not interpret GLBA section 503(f)(1) to preclude financial institutions that provide nonpublic personal information in accordance with FCRA sections 603(d)(2)(A)(iii) or 624 from qualifying for the exception. Thus, as the Bureau stated in its proposal, the presence or absence of these FCRA disclosures on a financial institution’s privacy notice will not affect whether the institution satisfies 38 The sharing described in these provisions includes, among other things, sharing involving third party service providers, joint marketing arrangements, maintaining and servicing accounts, securitization, law enforcement and compliance, and reporting to consumer reporting agencies. 39 15 U.S.C. 1681s–3(b); 12 CFR 1022.23(b). VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 GLBA section 503(f)(1) and § 1016.5(e)(1)(i). As the Bureau noted, however, financial institutions that choose to take advantage of the annual notice exception must still provide any opt-out disclosures required under FCRA sections 603(d)(2)(A)(iii) and 624, if applicable. Under the FCRA, neither of these opt-outs is required to be provided annually.40 Accordingly, institutions can provide these disclosures through other methods, for example, through their initial privacy notices in most circumstances. 5(e)(1)(ii) New GLBA section 503(f)(2) states the second condition for the annual notice exception: that a financial institution not have changed its ‘‘policies and practices with regard to disclosing nonpublic personal information’’ from the policies and practices that were disclosed in the most recent notice sent to consumers in accordance with GLBA section 503. Because the Bureau determined that the statutory language was ambiguous as to the exact types of sharing intended, the Bureau proposed § 1016.5(e)(1)(ii) to resolve this ambiguity by requiring that, to qualify for the annual notice exception, a financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice the financial institution provided. As with the first requirement for the annual notice exception at § 1016.5(e)(1)(i), few commenters specifically discussed the second requirement at § 1016.5(e)(1)(ii). However, the commenters overwhelmingly signaled their support for these provisions by supporting the Bureau’s implementation of the statutory exception. Two trade associations representing credit unions did specifically express support for the proposed interpretation of the statutory language as referring only to a change to a disclosure under § 1016.6(a)(2) through (5) and (9). The Bureau now adopts § 1016.5(e)(1)(ii) as proposed, providing that, to qualify for the annual notice exception, a financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were 40 See 15 U.S.C. 1681a(d)(2)(A)(iii); 12 CFR 1022.21, 1022.27; 72 FR 62910, 62930 (Nov. 7, 2007). PO 00000 Frm 00019 Fmt 4700 Sfmt 4700 40949 disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice the financial institution provided. Paragraphs (1) through (9) of § 1016.6(a) list the specific information that must be included in privacy notices. Section 1016.6(a)(2) through (5) and (9) require a financial institution to include information related to its policies and practices with regard to disclosing nonpublic personal information, but § 1016.6(a)(1) (information collection) and § 1016.6(a)(8) (confidentiality and security) do not.41 Accordingly, the Bureau believes that only changes to an institution’s policies and practices that would require changes to any of the disclosures required by § 1016.6(a)(2) through (5) and (9) would cause a financial institution to be unable to use the exception in § 1016.5(e)(1)(ii).42 Section 1016.6(a)(7) requires that any disclosure an institution makes under FCRA section 603(d)(2)(A)(iii), which describes a consumer’s ability to opt out of disclosures of information among affiliates, be included on the privacy notice. The Bureau believes that the statute is ambiguous as to whether a financial institution that changes the disclosure required under § 1016.6(a)(7) from the most recent notice sent to consumers would satisfy GLBA section 503(f)(2). In the proposed rule, the Bureau sought comment on whether proposed § 1016.5(e)(1)(ii) should include changes to disclosures required by § 1016.6(a)(7) and on how frequently institutions change that disclosure. The Bureau further sought comment on whether institutions would prefer to inform customers of these changes 41 The information specified in § 1016.6(a)(6) describes the consumer’s right pursuant to Regulation P to opt out of an institution’s disclosure of information and would be inapplicable where a financial institution qualifies for the annual notice exception. 42 To have used the Bureau’s former alternative delivery method, the information a financial institution was required to convey on its annual privacy notice pursuant to § 1016.6(a)(1) through (5), (8), and (9) was required not to have changed from the information disclosed in the most recent privacy notice provided to the consumer. See removed 12 CFR 1016.9(c)(2)(D). Thus, changes to the information a financial institution was required to convey pursuant to § 1016.6(a)(1) and (8) would have prevented a financial institution from using the alternative delivery method but such changes will not prevent a financial institution from satisfying § 1016.5(e)(1)(ii) for the annual notice exception. Because institutions that include information on their privacy notice pursuant to § 1016.6(a)(7) (which relates to opt-out notices provided pursuant to the FCRA) were not permitted to use the alternative delivery method in any case, § 1016.6(a)(7) was not listed as a type of information that if changed would have prevented a financial institution from using the alternative delivery method. E:\FR\FM\17AUR1.SGM 17AUR1 daltland on DSKBBV9HB2PROD with RULES 40950 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations through sending an annual privacy notice or through sending a disclosure describing only the FCRA section 603(d)(2)(A)(iii) opt-outs, if applicable, and also sought comment on the impact on consumers of these two methods. All the commenters who addressed these issues stated that changes to the disclosures required by FCRA section 603(d)(2)(A)(iii) should not affect the availability of the annual notice exception. A State-wide trade association representing credit unions indicated that the presence or absence of FCRA disclosures on a credit union’s privacy notice, and subsequent changes to those FCRA sharing practices, should not impact whether an institution qualifies for the annual notice exception. This trade association stated, without providing data, that it believed that changes by credit unions in its State to FCRA section 603(d)(2)(A)(iii) information disclosures are infrequent, and that few such credit unions share data in a way that trigger a FCRA optout in the first place. Other commenters who discussed the 603(d)(2)(A)(iii) information disclosures stated that allowing changes to disqualify financial institutions from the annual notice exception would interfere with the burden reduction intended, and that FCRA has its own disclosure requirements. Given the structure of the statute, the Bureau does not interpret GLBA section 503(f)(2) to preclude financial institutions that make changes to disclosures required by § 1016.6(a)(7) from qualifying for the exception. The Bureau also notes that a change in the 603(d)(2)(A)(iii) information disclosures only requires a one-time notice and opt out. The Bureau does not believe that consumers would be materially benefited by requiring this one-time notice to be included in a privacy notice under Regulation P, especially where it is required in a separate notice required by the FCRA. In addition to the discussion of 603(d)(2)(A)(iii) information disclosures, the Bureau noted in the proposed rule that a financial institution would satisfy § 1016.5(e)(1)(ii) if it changes its disclosures describing policies and practices with regard to disclosing nonpublic personal information that are included in the institution’s privacy notice without being required by the GLBA or § 1016.6 (e.g., disclosures describing sharing with affiliates under FCRA section 624 or voluntary disclosures and opt-outs). The Bureau sought comment on whether changes to disclosures that are not required to be included in privacy notices by the GLBA or § 1016.6 should VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 cause an institution not to satisfy § 1016.5(e)(1)(ii). The Bureau received few comments on this issue. A trade association representing credit unions stated that later changes to initial voluntary disclosures should not trigger the need to send annual privacy notices. The commenter suggested that imposing such a requirement would dissuade institutions from making voluntary disclosures. A banking and insurance trade association stated that affiliate marketing policy changes should not impact the availability of the exception. A trade association representing banks stated that changes to disclosures that are not required to be included in privacy notices should not trigger noncompliance. The trade association believed it would be costly and burdensome to add additional disclosures. As indicated in the preamble to the proposed rule, the Bureau has determined that disclosures describing sharing with affiliates under FCRA section 624 or voluntary disclosures and opt-outs will not affect a financial institution’s eligibility for the annual privacy notice exception under GLBA § 503(f). The Bureau believes that the alternative interpretation could discourage the use of voluntary disclosures while adding unnecessary burden. 5(e)(2) Delivery of Annual Privacy Notice After Financial Institution No Longer Meets Requirements for Exception New GLBA section 503(f) states that a financial institution that meets the requirements for the annual notice exception will not be required to provide annual notices ‘‘until such time’’ as the financial institution fails to comply with the criteria described in section 503(f)(1) and 503(f)(2), which are now implemented in § 1016.5(e)(1)(i) and (ii). A financial institution will no longer meet the requirements for the exception either by beginning to share nonpublic personal information in ways that trigger rights to opt-out notices under the GLBA and Regulation P, or by otherwise changing its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice the financial institution provided. Financial institutions that no longer meet the conditions for the exception must provide customers with annual privacy notices. However, the GLBA, PO 00000 Frm 00020 Fmt 4700 Sfmt 4700 including new GLBA section 503(f), does not clearly specify when institutions must provide these notices. Thus, the statute is ambiguous on the point. It could be read to require the financial institution to provide an annual privacy notice by the time it changes its policies or practices in such a way that it no longer qualifies for the exception. Alternatively, it could be read to subject the financial institution, at the time it changes its policies or practices in such a way that it no longer qualifies for the exception, to the requirement to provide an annual privacy notice while being silent as to the timing for providing that notice. Pursuant to its authority in GLBA section 504 to issue rules to implement the GLBA, the Bureau proposed to resolve this ambiguity by adopting this second reading and issuing standards for when institutions must provide these notices. Specifically, in proposed § 1016.5(e)(2)(i) and (ii), the Bureau proposed to use its rulemaking authority under GLBA section 504(a) to establish timing requirements for providing an annual notice in these circumstances. The Bureau proposed to establish these requirements to ensure that delivery of the annual privacy notice in these circumstances is consistent with the existing timing requirements for privacy notices in the regulation, where applicable, and to provide clarity to financial institutions regarding these requirements. In developing the proposed framework, the Bureau looked to existing requirements under the statute and regulation because they already address circumstances in which a financial institution might change its policies and procedures in a way that affects the content of the notices. Specifically, § 1016.8 requires that the financial institution provide a revised notice to consumers before implementing certain types of changes; in other cases, the statute and regulation currently contemplate that a change in policy and procedure that affects the content of the notices would simply be reflected on the next regular annual notice provided to the customer. The Bureau is therefore proposing different timing requirements for the resumption of the annual notice requirement depending on whether the change at issue would trigger the requirement for a revised notice under § 1016.8 prior to the change taking effect. Accordingly, the timing requirements in proposed § 1016.5(e)(2)(i) and (ii) would differ depending on whether the change that causes the financial institution to no longer satisfy the conditions for the annual notice E:\FR\FM\17AUR1.SGM 17AUR1 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations daltland on DSKBBV9HB2PROD with RULES exception also triggers a requirement under existing Regulation P to deliver a revised notice. Section 1016.8 currently requires that financial institutions provide revised notices to consumers before the institutions share nonpublic personal information with a nonaffiliated third party if their sharing would be different from what the institution described in the initial notice it delivered. After delivering the revised notice, the financial institution must also give the consumer a reasonable opportunity to opt out of any new information sharing beyond the Regulation P exceptions before the new sharing occurs. Three-fifths of all industry commenters on the proposed rule specifically addressed the proposed timing requirements. The comments on the timing requirements viewed the requirement in § 1016.5(e)(2)(i) and that in § 1016.5(e)(2)(ii) very differently, as will be discussed below in regard to those sections. In regard to the overall timing requirements, one trade association representing credit unions expressed appreciation for the Bureau’s proposal, stating that such clarification will eliminate confusion surrounding delivery requirements after a financial institution no longer meets the requirements for the exception. A trade association representing banks supported the proposed timing requirements, asserting that institutions will not find it difficult to comply with the suggested conditions. This commenter also requested clarification that once notices are sent and there are no further privacy changes, an institution will be able to again qualify for the exception, thus excepting them from having to send further annual notices. The Bureau is adopting the timing provisions largely as proposed, with a change to the duration of the timing requirement in § 1016.5(e)(2)(ii), as discussed below. The Bureau is also adding another example to § 1016.5(e)(2)(iii) to clarify whether a financial institution again qualifies for the annual notice exception after delivering an annual notice under § 1016.5(e)(2). 5(e)(2)(i) Changes Preceded by a Revised Privacy Notice For changes to a financial institution’s policies or practices that cause it to no longer satisfy the conditions for the exception and also trigger an obligation to send a revised notice prior to the change, the Bureau proposed in § 1016.5(e)(2)(i) that financial institutions would be required to resume delivery of their subsequent VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 regular annual notices pursuant to the existing timing requirements that govern delivery of annual notices generally. Because the revised notice would inform the customer of the institution’s changed policies and practices before any new sharing occurs, the Bureau believed that there is no clear urgency regarding delivery of the first annual notice subsequent to implementation of the new policies and procedures. Specifically, § 1016.4(a)(1) generally requires a financial institution to provide an initial notice to an individual who becomes the institution’s customer no later than when it establishes a customer relationship. Section 1016.5(a) requires a financial institution to provide a privacy notice to its customers ‘‘not less than annually’’ during the continuation of any customer relationship. Section 1016.5(a)(1) defines annually to mean ‘‘at least once in any period of 12 consecutive months.’’ It further provides that a financial institution ‘‘may define the 12-consecutive-month period, but [] must apply it to the customer on a consistent basis.’’ Section 1016.5(a)(2) provides an example of the meaning of ‘‘annually’’ in relation to the delivery of the first annual notice after the initial notice: You provide a notice annually if you define the 12-consecutive-month period as a calendar year and provide the annual notice to the customer once in each calendar year following the calendar year in which you provided the initial notice. For example, if a customer opens an account on any day of year 1, you must provide an annual notice to that customer by December 31 of year 2. The example in § 1016.5(a)(2) provides financial institutions with the flexibility to select a specific date during the year to provide annual notices to all customers, regardless of when a particular customer relationship began. This flexibility avoids burdening institutions with either having to provide annual notices on the anniversary of initial notices, or alternatively providing two notices in the first year of the customer relationship to get all accounts originated in a given calendar year on the same cycle for delivering subsequent annual notices. The Bureau proposed that the approach to timing of the annual notice in § 1016.5(a)(2) be applied if a financial institution makes a change that causes it to lose the exception and triggers the requirement to deliver a revised notice prior to the change. Under the proposed approach, if a financial institution provides a revised notice on any day of year 1 in advance of changing its policies or practices such that it loses PO 00000 Frm 00021 Fmt 4700 Sfmt 4700 40951 the exception, that revised notice would be treated as analogous to an initial notice in § 1016.5(a)(2). Assuming that the financial institution defines the 12month period as the calendar year, the financial institution would have to provide the first annual notice after losing the exception by December 31 of year 2. The Bureau invited comment on the timing conditions proposed in § 1016.5(e)(2)(i). Few commenters separately discussed § 1016.5(e)(2)(i). All commenters who explicitly addressed the proposed timing requirements under § 1016.5(e)(2)(i) agreed with the Bureau’s proposed approach. No industry commenters suggested alternative timing conditions. One credit union asserted that the proposed timing condition would incentivize credit unions to plan and notify their members in advance of making changes to privacy policies. Two trade associations representing banks and credit unions supported the timing requirement because it would prevent institutions from having to send out multiple notices within the same year. The trade association representing credit unions asserted that redundant notices provide no benefit to consumers and pose a burden and expense on credit unions. The Bureau now adopts § 1016.5(e)(2)(i) as proposed. The Bureau believes that using the same approach in § 1016.5(e)(2)(i) as in existing § 1016.5(a)(2) is appropriate for two reasons. First, customers will receive a revised notice informing them of the change in the financial institution’s policies or practices before the change occurs, and thus customers will not be harmed by the financial institution taking a longer period of time in which to deliver the first annual notice after the annual notice exception has been lost. Second, this approach will preserve flexibility for financial institutions and avoid requiring them to deliver a revised notice and an annual notice in the same year, and allowing them to use a convenient delivery date for annual notices for all customers. The Bureau believes this flexibility is justified because a financial institution that is required to deliver a revised privacy notice pursuant to § 1016.8 may have continuing annual notice obligations after the exception is lost. Such an institution could be sharing other than as described in the Regulation P exceptions and thus fail to satisfy § 1016.5(e)(1)(i), making the annual notice exception unavailable in future years. E:\FR\FM\17AUR1.SGM 17AUR1 daltland on DSKBBV9HB2PROD with RULES 40952 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations 5(e)(2)(ii) Changes Not Preceded by a Revised Privacy Notice For financial institutions that change their policies and practices in such a way as to lose the § 503(f) exception, but do not share information in a way that triggers the requirement under § 1016.8 to deliver a revised notice prior to the change, the Bureau proposed that a financial institution must deliver the annual notice within 60 days after the change that caused the institution to lose the exception. The Bureau proposed this 60-day period for providing the annual notice in this situation because customers would not receive a revised notice from the financial institution prior to the institution’s change in policies or practices. The Bureau requested comment on whether 60 days is an appropriate period for delivering annual notices in these circumstances or if another period would be more appropriate. Approximately half of all commenters specifically addressed the timing conditions proposed under § 1016.5(e)(2)(ii). These commenters generally opposed the 60-day requirement, advocating instead for an increased amount of time for institutions to deliver the revised notice. The majority of these commenters requested at least 90 days to deliver the notice. Trade associations representing credit unions cited cost concerns with the 60day requirement, asserting that because they send quarterly statements to many consumers, the timing requirement would require institutions to send out an additional notice. Some of these commenters suggested that 90 days was a more appropriate timeframe, as it would allow institutions to minimize costs by sending the revised notice with the next quarterly statement. One of these trade associations representing credit unions also asserted that 60 days was too brief, particularly for small credit unions addressing inadvertent changes. This commenter suggested 90 to 120 days to allow credit unions the opportunity to include the notice with the quarterly periodic statement, and noted that while all members may not receive monthly statements, most receive account statements quarterly. Other industry commenters suggested 120 days as an appropriate time to deliver the annual notice. A few of these commenters cited the same abovementioned cost concerns that are associated with separate mailers. These commenters asserted that 120 days would allow the notice to be included with regularly scheduled member VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 statements, therefore eliminating the need for an additional mailer. One industry commenter representing credit unions noted that a separate mailer would be especially costly for smaller credit unions with fewer resources. Industry commenters who suggested 120 days also stated, without specific explanation, that the proposed 60-day requirement did not provide institutions enough time to perform. A few of these industry commenters asserted that smaller credit unions, particularly those with fewer resources, would find the 60day time frame too short. Some of those same commenters thought that larger credit unions with numerous departments working to consolidate information would also struggle to meet the 60-day requirement. Several trade associations representing credit unions stated that a longer time frame would allow credit unions time to organize logistics, educate staff, and command the resources necessary to draft and send the required notice. One industry commenter stated that an extension would not negatively impact consumers because prior notice is still required when changes allow sharing with third parties of non-public personal information and the option to opt out in advance. One trade association commenter representing credit unions suggested at least 180 days, citing the fact that § 1016.8 does not require a revised privacy notice under the circumstances described in § 1016.5(e)(2)(ii). This commenter also suggested that to combat costs, financial institutions should have the option to include a message on periodic statements or mailers that there has been a change to the privacy notice, and direct the recipient to the financial institution’s website to view and download an electronic copy of the revised notice. The Bureau now adopts the timing provision in § 1016.5(e)(2)(ii) with a 100 calendar day period during which the financial institution must provide the annual privacy notice. The unanimous industry objection to the 60-day period suggests that the proposal likely would have imposed costs that the Bureau had not anticipated. The 100-day period will accommodate the inclusion of the notice with quarterly statements. The Bureau believes that providing 10 days in addition to the 90 days many commenters requested is appropriate because most calendar quarters are slightly longer than 90 days, and a short additional period should be allowed for administrative activities and to provide flexibility if the end date falls on a weekend or holiday. The Bureau does not believe that consumers will be PO 00000 Frm 00022 Fmt 4700 Sfmt 4700 harmed by this extension of the time period from the proposal. However, the Bureau notes that the commenters requesting 120 or 180 days provided no specific reason why allowing such additional time would contribute to cost savings beyond allowing the notice to be included in quarterly statements. The Bureau is not aware of any other reason, and therefore declines to adopt a longer period. The Bureau believes that the 100-day deadline will not impose undue or unreasonable costs on financial institutions, particularly since the delivery requirement is effectively a one-time burden absent additional changes to a financial institution’s policies and practices. Specifically, after providing the one annual notice, the financial institution will likely once again meet both of the conditions for the exception—it will not be sharing nonpublic personal information with nonaffiliates other than as described in a Regulation P exception to the opt-out requirements and its policies and practices will not have changed since it provided the annual notice. Because the financial institution likely will once again meet the conditions for the exception, it likely will not be required to provide future annual notices. In other words, these financial institutions will likely lose the exception for only a single year. The Bureau is including an additional example in § 1016.5(e)(2)(iii)(B) for clarity. Given that financial institutions delivering notices pursuant to § 1016.5(e)(2)(ii) will likely have no continuing obligation to send annual notices, they likely will not need flexibility in choosing a convenient delivery date for future annual notices, beyond the 100 days of flexibility being provided for a single privacy notice.43 In regard to the comment that the regulation should allow financial institutions to include a message on periodic statements or mailers directing customers to an electronic copy of the annual notice, the Bureau believes that any reduction in costs would be minimal because the financial institution is likely not required to provide more than one notice. In addition, the Bureau did not propose or request comment on such an option. The Bureau also notes that financial institutions have substantial flexibility in managing the burden involved in sending the one annual notice because institutions can generally choose when 43 If the financial institution were to make changes in the future to its practices and policies, these changes could trigger a new obligation to provide annual privacy notices. E:\FR\FM\17AUR1.SGM 17AUR1 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations daltland on DSKBBV9HB2PROD with RULES they change their policies or practices. Accordingly, an institution can choose when to make the change triggering the commencement of the 100-day period for delivery of the annual notice, so that the date of delivery can be as convenient and low-cost as possible. 5(e)(2)(iii) Examples In order to facilitate compliance with proposed § 1016.5(e)(2), the Bureau proposed § 1016.5(e)(2)(iii) to provide an example for when an institution must provide an annual notice after changing its policies or practices such that it no longer meets the requirements for the annual notice exception set forth in proposed § 1016.5(e)(1). The Bureau did not receive any comments specifically discussing the example provided in § 1016.5(e)(2)(iii). Because the Bureau believes that the example will provide clarity and facilitate compliance, it is now being made final in § 1016.5(e)(2)(iii)(A), with a minor change due to the alteration of the time frame in § 1016.5(e)(2)(ii). In addition, the Bureau is providing a second example, in § 1016.5(e)(2)(iii)(B), to facilitate compliance when a financial institution must only provide one annual notice before it again qualifies for the § 1016.5(e)(1) exception. Section 1016.5(e)(2)(iii)(A) provides an example for when an institution must provide an annual notice after changing its policies or practices such that it no longer meets the requirements for the annual notice exception in § 1016.5(e)(1). The Bureau believes this example will facilitate compliance with § 1016.5(e)(2). The example assumes that an institution changes its policies or practices effective April 1 of year 1 and defines the 12-consecutive-month period pursuant to § 1016.5(a)(1) as a calendar year. Section 1016.5(e)(2)(iii)(A) states that the institution must provide an annual notice by December 31 of year 2 if the institution was required to provide a revised notice prior to the change and provided that revised notice on March 1 of year 1 in advance of the change. Section 1016.5(e)(2)(iii)(A) further states that the institution must provide an annual notice by July 9 of year 1 if the institution was not required to provide a revised notice prior to the change. The Bureau is also providing a second example, in § 1016.5(e)(2)(iii)(B), to facilitate compliance when a financial institution must provide only one annual notice before it again qualifies for the § 1016.5(e)(1) exception, as discussed above in relation to § 1016.5(e)(2)(ii). The example assumes that a financial institution changes its VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 policies and practices in such a way that it no longer meets the requirements of § 1016.5(e)(1), and so provides an annual notice to its customers. The example further assumes that after providing the annual notice to its customers, the financial institution once again meets the requirements of § 1016.5(e)(1) for an exception to the annual notice requirement. The example explains that the financial institution does not need to provide additional annual notices to its customers until such time as it no longer meets the requirements of § 1016.5(e)(1). Section 1016.9 Delivering Privacy and Opt Out Notices 9(c)(2) Alternative Delivery Method for Providing Certain Annual Notices As discussed in Part II, the Bureau amended Regulation P in October 2014 to allow financial institutions that met certain criteria to deliver annual notices pursuant to the ‘‘alternative delivery method.’’ Because financial institutions that met the conditions in Regulation P to use the alternative delivery method will also meet the conditions for the statutory exception in section 503(f), the Bureau proposed to remove the alternative delivery method from Regulation P by removing § 1016.9(c)(2) and renumbering existing § 1016.9(c)(1) as § 1016.9(c). Commenters generally expressed support for the proposed removal of the alternative delivery method. Ten commenters addressed the issue, with eight supporting the proposal and two opposing it. Some commenters welcomed elimination of the alternative delivery method, asserting that the conditions associated with the 2014 provision deterred institutions from taking advantage of the intended relief. A debt collector organization stated that the alternative delivery method did not provide a solution for many debt collectors and consumers. This commenter asserted that the alternative delivery required model form created a significant risk of class action litigation because of claims that the language conflicts with the Fair Debt Collection Practices Act’s prohibitions on thirdparty disclosure. A commenter representing several trade associations stated that the alternative delivery method requirement to post the notice online eliminated any benefits from the 2014 rule. Two trade associations agreed that the alternative delivery method would no longer be useful in light of the statutory exception to the annual notice requirement, and one of these trade PO 00000 Frm 00023 Fmt 4700 Sfmt 4700 40953 associations stated that it was unlikely that financial institutions would continue to use a complex means of compliance when a simpler one was available. Several commenters discussed benefits associated with eliminating the alternative delivery method. One trade association stated that removing the alternative delivery method would eliminate confusion between the rule and the statute. Another trade association representing banks expressed appreciation of the elimination of the alternative delivery method, arguing that it would remove the confusion of having both an exception from the annual privacy notice and an alternative to the delivery requirement. One trade association stated that consumers will benefit from the elimination of the method, as they will experience decreasing information overload. One trade association representing banks requested clarification that institutions that qualify for the exception but still keep a copy of the privacy policy on their websites will not be criticized or penalized. Two trade association commenters representing the consumer credit industry and credit unions did not support removal of the alternative delivery method. These commenters stated that their customers or members prefer to receive communications electronically. Both commenters cited cost burdens associated with mailing privacy notices. The trade association representing the consumer credit industry stated that several of their member financial institutions, particularly those that provide indirect auto loans, do not qualify for the statutory exception to the annual notice requirement because the institutions share consumer information with nonaffiliated third parties other than as described in §§ 1016.13, 14 and 15. These institutions are required under § 1016.10 of Regulation P to inform consumers through the institution’s annual privacy notice that the consumer has a right to opt out of that information sharing. The trade association representing the consumer credit industry encouraged expansion of the alternative delivery method, highlighting the cost effectiveness of electronic delivery and stating that many institutions upgraded systems to implement the alternative delivery method under the 2014 rule. This commenter also urged the Bureau to consider allowing institutions that share with nonaffiliated third parties to deliver their privacy notices electronically, such as via website E:\FR\FM\17AUR1.SGM 17AUR1 40954 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations posting, similar to the method permitted by the alternative delivery method. After considering the comments, the Bureau now adopts the proposed change, removing the alternative delivery method from Regulation P by removing § 1016.9(c)(2) and renumbering former § 1016.9(c)(1) as § 1016.9(c). Any financial institution that met the conditions to use the alternative delivery method will also meet the conditions to be excepted from delivering an annual privacy notice pursuant to new GLBA section 503(f). First, new GLBA section 503(f)(1) is substantively identical to the first requirement for using the alternative delivery method: 44 That the financial institution share nonpublic personal information about customers with nonaffiliated third parties only in ways that do not give rise to the customer’s right to opt out of that sharing.45 Second, new GLBA section 503(f)(2) is similar to the fourth requirement for using the alternative delivery method: that the institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from those that were disclosed to the customer in the most recent privacy notice.46 Accordingly, any financial institution that would have met the requirements in former § 1016.9(c)(2) will also meet the requirements of section 503(f). The Bureau believes that a financial institution that has both options available to it would choose not to send the annual privacy notice at all, rather than to deliver it pursuant to the alternative delivery method, so that it can eliminate rather than merely reduce the cost of providing annual notices. Given that any financial institution that qualifies to use the alternative delivery method for its annual notices also meets the qualifications for the new annual notice exception, the Bureau believes that including the alternative delivery method in Regulation P is no longer useful. The Bureau notes that financial institutions that delivered annual 44 See removed 12 CFR 1016.9(c)(2)(i)(A). sharing is pursuant to GLBA section 503(b)(2) and (e), which correspond to Regulation P §§ 1016.13, 1016.14, and 1016.15. 46 See removed 12 CFR 1016.9(c)(2)(i)(D). The requirement in former § 1016.9(c)(2)(i)(D) was somewhat more restrictive because it required a financial institution not to have changed its practices with respect to disclosing nonpublic personal information and protecting the confidentiality and security of nonpublic personal information whereas section 503(f)(2) requires that the institution not have changed its policies only with respect to disclosing nonpublic personal information. See the section-by-section analysis of § 1016.5(e)(1)(ii) for further discussion. daltland on DSKBBV9HB2PROD with RULES 45 This VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 notices using the alternative delivery method while it was in effect delivered those notices using a method that was in compliance with Regulation P, notwithstanding that the alternative delivery method provision is now being removed from the regulation. The Bureau further notes that financial institutions that qualify for the new annual notice exception may still choose to post privacy notices on their websites, deliver privacy notices to consumers who request them, and notify consumers of the notices’ availability. Such activities will not affect a financial institution’s eligibility for the new 503(f) exception. The Bureau has considered the comments suggesting that it retain and expand the alternative delivery method for providing annual privacy notices. In this rulemaking, the Bureau is implementing the FAST Act amendments to the GLBA, which eliminate the requirement that financial institutions provide an annual privacy notice if certain conditions are met. In making these amendments to the GLBA, Congress did not address the delivery method financial institutions must or may use if they continue to be required to provide an annual privacy notice, including where financial institutions have not changed their privacy policies since their last privacy notice and they share information with nonaffiliated third parties other than as described in §§ 1016.13, .14, and .15. Because Congress did not address these issues in the FAST Act amendments to the GLBA, the Bureau declines to address them in this rulemaking to implement those amendments. V. Dodd-Frank Act Section 1022(b)(2) Analysis A. Overview In developing the final rule, the Bureau has considered the potential benefits, costs, and impacts as required by section 1022(b)(2) of the Dodd-Frank Act.47 The Bureau requested comment on the preliminary analysis as well as the submission of additional data that could inform the Bureau’s analysis of the benefits, costs, and impacts of the rule. The Bureau received one comment on the preliminary analysis, which it has considered in developing this final 47 Specifically, section 1022(b)(2)(A) of the DoddFrank Act calls for the Bureau to consider the potential benefits and costs of a regulation to consumers and covered persons, including the potential reduction of access by consumers to consumer financial products or services; the impact on depository institutions and credit unions with $10 billion or less in total assets as described in section 1026 of the Dodd-Frank Act; and the impact on consumers in rural areas. PO 00000 Frm 00024 Fmt 4700 Sfmt 4700 analysis. In addition, the Bureau has consulted and coordinated with the SEC, CFTC, FTC, and NAIC, and consulted with or offered to consult with the OCC, Federal Reserve Board, FDIC, NCUA, and HUD, including regarding consistency with any prudential, market, or systemic objectives administered by such agencies. This final rule implements the December 2015 amendment to the GLBA by amending § 1016.5 of Regulation P to provide that a financial institution is not required to deliver an annual privacy notice if it: (1) Provides nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 1016.13, § 1016.14, or § 1016.15; and (2) Has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice provided. In considering the potential benefits, costs, and impacts of the rule, the Bureau takes as the baseline for the analysis the legal regime that existed prior to the FAST Act’s amendment of the GLBA.48 This regime includes the current provisions of Regulation P. The Bureau assumes that all financial institutions that can use the alternative delivery method provided in § 1016.9(c)(2) are doing so. B. Potential Benefits and Costs to Consumers and Covered Persons The impact on consumers of § 1016.5(e) depends on whether the particular consumer prefers or would otherwise benefit from receiving an annual privacy notice that does not offer the consumer an opt-out under the GLBA and is largely unchanged49 from previous notices. Under § 1016.5(e), financial institutions that meet the requirements for the annual notice exception would not be required to provide consumers with annual privacy notices, and the Bureau anticipates that most institutions would decide not to provide notices in these circumstances. 48 The proposal referred to this as the ‘‘regulatory regime that currently exists.’’ 81 FR at 44808. However, the baseline the Bureau is using did not and does not reflect that the FAST Act has taken effect. The Bureau has discretion in each rulemaking to choose the relevant provisions to discuss and to choose the most appropriate baseline for that particular rulemaking. 49 As discussed in part IV in the section-bysection analysis of § 1016.5(e)(1)(ii), certain changes to an institution’s policies or practices would not cause the institution to lose the annual notice exception. E:\FR\FM\17AUR1.SGM 17AUR1 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations daltland on DSKBBV9HB2PROD with RULES While there is no data available on the number of consumers who are indifferent to (or dislike) receiving unchanged privacy notices every year, the limited use of opt-outs and anecdotal evidence suggest that there are such consumers.50 For this group of consumers, § 1016.5(e) might provide a benefit because it would be available to some institutions that cannot use the alternative delivery method, so that more consumers would stop receiving mailed annual privacy notices. For other consumers who would prefer or otherwise benefit from receiving the annual notices, there will be some cost because many institutions that previously delivered notices— whether through the standard delivery methods or through the alternative delivery method that includes posting on the institution’s website—will no longer deliver annual notices. Consumers may be less informed about opportunities to limit a financial institution’s information sharing practices if the financial institution meets the requirements for the annual notice exception and chooses not to provide annual notices. For example, some consumers will receive fewer notices in which a financial institution offers voluntary opt-outs, i.e., opt-outs that the financial institution is not required by Regulation P to offer (because, for example, the type of sharing the financial institution does is covered by an exception) but that the institution decides to provide anyway via the annual privacy notice. Voluntary opt-outs do not appear to be common, however.51 Further, institutions may continue to offer voluntary opt-outs and may offer them through other 50 One early analysis of the use of the opt-outs reported at most 5% of consumers make use of them in any year, and likely fewer. See Jeffrey M. Lacker, The Economics of Financial Privacy: To Opt Out or Opt In?, 88/3 Fed. Res. Bank Rich. Econ. Q., at 11 (Summer 2002), available at https:// www.richmondfed.org/-/media/richmondfedorg/ publications/research/economic_quarterly/2002/ summer/pdf/lacker.pdf. One commenter on the proposed rule also estimated that 5% of consumers use opt-outs. AFSA Comment letter, August 10, 2016. 51 See Lorrie Faith Cranor et al., Are They Actually Any Different? Comparing Thousands of Financial Institutions’ Privacy Practices, available at http://www.econinfosec.org/archive/weis2013/ papers/CranorWEIS2013.pdf (submitted as part of The Twelfth Workshop on the Economics of Information Security (WEIS 2013), June 11–12, 2013, Georgetown University, Washington, DC). Their findings (Table 2) imply that at most 15% of the 3,422 FDIC insured depositories that post the model privacy form on their websites offer at least one voluntary opt-out. Data from a much larger group of financial institutions analyzed by Cranor et al. (undated) imply (Table 2) that at most 27% of the 6,191 financial institutions that post the model privacy form on their websites offer at least one voluntary opt-out. VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 mechanisms even if they do not provide annual privacy notices. If financial institutions choose not to provide notices pursuant to the annual notice exception, consumers may also be less informed of their opt-out rights under the FCRA. Section 503(c)(4) of the GLBA and Regulation P require financial institutions providing initial and annual privacy notices to incorporate into them any notification and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA.52 Section 624 of the FCRA and Regulation V also permit (but do not require) financial institutions providing initial and annual privacy notices under Regulation P to incorporate any opt-out disclosures provided under section 624 of the FCRA and subpart C of Regulation V into those notices.53 Because financial institutions will likely decide not to provide annual notices pursuant to the exception in proposed § 1016.5(e), consumers may be less informed of their opt-out rights pursuant to these sections of the FCRA to the extent that institutions use less effective methods to convey information about these rights to consumers.54 Consumers also may be less informed about a financial institution’s data collection practices and its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. Regarding benefits and costs to covered persons, the primary effect of the rule will be burden reduction achieved by lowering the costs to industry of providing annual privacy notices. Section 1016.5(e) imposes no new compliance requirements on any financial institution. Any institution that could use the alternative delivery method will meet the requirements for the annual notice exception pursuant to § 1016.5(e).55 A financial institution that is in compliance with current law will not be required to take any different or additional action unless it chooses to take advantage of the annual notice exception and thus will be required to separately meet its opt-out obligations, 52 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7). U.S.C. 1681s–3(b); 12 CFR 1022.23(b). 54 As explained in the section-by-section analysis of § 1016.5(e)(1)(i) in part IV, the annual notice exception in § 1016.5(e) does not relieve financial institutions of the obligation to provide consumers with the information that is required under FCRA sections 603(d)(2)(A)(iii) or 624. 55 Any financial institution that meets the conditions to use the alternative delivery method will also meet the conditions to be excepted from delivering an annual privacy notice pursuant to new GLBA section 503(f) because the two conditions for section 503(f) are closely related to conditions for using the alternative delivery method. See the section-by-section analysis of § 1016.9(c) for further explanation. 53 15 PO 00000 Frm 00025 Fmt 4700 Sfmt 4700 40955 if any, pursuant to the FCRA.56 This analysis assumes that no financial institution will do so unless the net result of the choice is burden reducing. The expected cost savings to financial institutions from the revisions to § 1016.5(e) depend on whether the financial institution uses the alternative delivery method under the baseline. Financial institutions that currently use the alternative delivery method will likely cease complying with the requirements in current § 1016.9(c)(2) since they necessarily meet the requirements of the exception to the annual notice requirement and thus will no longer be required to deliver an annual notice.57 However, the Bureau expects that financial institutions that change from using the alternative delivery method to provide annual notices to not providing these notices at all will achieve little cost savings.58 Financial institutions that currently do not use the alternative delivery method are expected to use the proposed annual notice exception if the expected costs of any changes required to use the exception and the costs of any consequences of not providing the annual disclosure will be lower than the costs of complying with current Regulation P. The Bureau believes that few such financial institutions will find it in their interests to change their information sharing practices in order to use the annual notice exception. Thus, the Bureau takes the information sharing practices of financial institutions as given and considers how many financial institutions that do not currently meet the requirements to use the alternative delivery method can use the annual notice exception.59 As a practical matter, the Bureau identifies these institutions solely by their 56 See the section-by-section analysis to § 1016.5(e)(1)(i) in part IV for an explanation of the interaction between the annual notice exception and the opt-outs provided under FCRA sections 603(d)(2)(A)(iii) and 624. 57 See supra note 52. 58 The Bureau believes that the alternative delivery method imposes little ongoing cost to financial institutions that have adopted it. These costs derive from the additional text on an account statement, coupon book, notice or disclosure the institution already provides; maintaining a webpage dedicated to the annual privacy notice; responding to telephone calls from a very small number of consumers requesting that the model form be mailed; and mailing the forms prompted by these calls. 59 Because the Bureau takes institutions’ sharing practices as given and because the cost savings estimate is based on a single year, the expected cost savings for institutions does not account for a reduction or increase in aggregate cost savings that may occur if any institutions change their sharing practices in the future such that they no longer meet the requirements for the annual notice exception or they begin to meet those requirements. E:\FR\FM\17AUR1.SGM 17AUR1 40956 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations daltland on DSKBBV9HB2PROD with RULES information sharing practices: That is to say, the Bureau identifies the financial institutions whose current information sharing practices do not meet the standards in § 1016.9(c)(2) but will meet the standards in § 1016.5(e). The Bureau then estimates the ongoing savings in costs to these financial institutions from no longer sending the annual privacy notice.60 For the 2014 Annual Privacy Notice Rule, the Bureau collected a sample of privacy policies from banks and credit unions and estimated both the number of financial institutions that would adopt the alternative delivery method and the aggregate cost savings that would result.61 Specifically, the Bureau examined the privacy policies of 19 banks with assets over $100 billion as well as the privacy policies of 106 additional banks selected through random sampling. The Bureau previously concluded that 80% of banks could use the alternative delivery method that was set forth in § 1016.9(c)(2). For the current rulemaking, the Bureau re-analyzed this sample to identify banks with information sharing practices that do not meet the standard in § 1016.9(c)(2) but will meet the standard in § 1016.5(e). In the re-analysis, the Bureau finds that 48% of banks that could not use the alternative delivery method can use the proposed exception to the annual notice requirement. Most of these banks were not able to use the alternative delivery method because they offered opt-outs to consumers pursuant to FCRA section 60 The Bureau assumes that a financial institution used the alternative delivery method whenever the Bureau can obtain the annual privacy notice from the website of the financial institution and the Bureau concludes from the information on the privacy notice that the information sharing practices of the financial institution comply with removed § 1016.9(c)(2). If a financial institution did not use the model form, the Bureau assumes that the financial institution would have adopted the model form if the information sharing practices complied with § 1016.9(c)(2). This methodology overstates the number of these financial institutions that could have used the alternative delivery method, because some of these financial institutions might not have met all of the requirements of § 1016.9(c)(2), and therefore understates the benefits of the annual notice exception to these financial institutions. On the other hand, if a financial institution does not have a website, the Bureau cannot (as a practical matter) obtain and evaluate its information sharing practices. In this case, the Bureau assumes that the financial institution cannot use either the alternative delivery method or the annual notice exception. This also tends to understate the benefits of the annual notice exception to these financial institutions, since none of them could have used the alternative delivery method but some might be able to use the annual notice exception. 61 See 79 FR 64057, 64076–64077 (Oct. 28, 2014). Note that the term ‘‘banks’’ as used throughout this rule includes savings associations. VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 603(d)(2)(A)(iii); a financial institution can meet the requirements for the annual notice exception in § 1016.5(e) even if it offers such opt-outs. Specifically, the Bureau previously estimated that approximately 1,350 banks could not use the alternative delivery method and our re-analysis shows that 650 of these banks (48%) will be able to use the annual notice exception.62 For banks with assets over $10 billion, 70% of those that could not use the alternative delivery method can use the annual notice exception. For banks with assets of $10 billion or less and banks with assets of $500 million or less, the respective figures are 47% and 40%. The Bureau also previously examined the privacy policies of the four credit unions with assets over $10 billion as well as the privacy policies of 50 additional credit unions selected through random sampling. The Bureau previously concluded that 46% of credit unions could use the alternative delivery method. The information evaluated in the re-analysis shows that none of the credit unions that could not use the alternative delivery method will be able to use the exception to the annual notice requirement. Credit unions that clearly could not use the alternative delivery method generally shared information with nonaffiliated third parties other than as specified in the exceptions in §§ 1016.13, 1016.14, and 1016.15. However, there are a number of cases in which the Bureau could not readily evaluate the information sharing practices of the sampled credit union because it did not have a website, did not post the privacy notice on its website, or did not use the model form.63 In the proposal, the Bureau requested data and other factual information on the use of the alternative delivery method by credit unions and the likely use of the proposed annual notice exception by credit unions that cannot use the alternative delivery method. No comments provided data in response to this request.64 62 While these 650 banks are just 9.5% of all banks, this percentage does not take into account the fact that the majority of banks could not potentially benefit from the exception to the annual privacy notice requirement since (by our previous analysis) they already use the alternative delivery method. 63 One or more of these conditions held for a number of credit unions with assets of $500 million or less. As explained above, if a financial institution did not have a website or did not post the privacy notice on their website, the Bureau made the conservative assumption that it did not benefit from the alternative delivery method and will not benefit from the new annual notice exception. See also 79 FR 64057, 64076 (Oct. 28, 2014). 64 Although no credit unions or credit union advocates commented or provided data, one State PO 00000 Frm 00026 Fmt 4700 Sfmt 4700 Regarding the number of nondepository financial institutions that will benefit from the exception to the annual notice requirement, the Bureau uses the same basic methodology as in its prior analysis. Specifically, the Bureau assumes that the fraction of nondepository financial institutions that cannot use the alternative delivery method but can use the new annual notice exception is the same for nondepository institutions as for banks (9.5%).65 Having identified the financial institutions that will benefit from the exception to the annual notice requirement, the Bureau estimates the benefit using the same basic methodology as in its prior analysis.66 For banks, the Bureau allocated the total burden of providing the annual privacy notices to asset-size groups in proportion to the share of assets in the group. The Bureau then estimated an amount of burden reduction specific to each asset-size group using the results from the privacy notice analysis described above. The total burden reduction is then the sum of the burden reductions in each asset-size group. The estimated reduction in burden for banks using this methodology is approximately $3.158 million annually. The estimated reduction in burden for non-depository financial institutions is an additional $231,000 annually.67 Thus, the Bureau believes that the total reduction in burden is approximately $3.389 million dollars annually.68 This represents about 28% of the total $12.162 million annual cost of providing the annual privacy notice under Regulation P. The Bureau requested comment on the preliminary presentation of this analysis as well as the submission of additional data that could inform the Bureau’s consideration of the cost savings to financial institutions. No comments addressed this request. trade association representing banks stated that many financial institutions will appreciate and take advantage of the exception, but it will not create additional costs or harm to consumers. That commenter did not provide data. 65 For further discussion, see id. at 64077. 66 See id. at 64076–64077. 67 Note that this figure excludes auto dealers. Auto dealers are regulated by the FTC and will not be directly impacted by this amendment to Regulation P. 68 Some of these banks and non-depository financial institutions that currently include on their annual privacy notice the opt-out notices pursuant to FCRA section 603(d)(2)(A)(iii) or FCRA section 624 and the Affiliate Marketing Rule may now be required to deliver these notices separately. The Bureau does not have the data necessary to estimate the frequency with which these opt-out notices will be delivered separately or to subtract the cost of delivering them separately from the savings from no longer providing the annual privacy notice. E:\FR\FM\17AUR1.SGM 17AUR1 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations The Regulation P exception to the annual notice requirement implements a December 2015 statutory amendment to the GLBA. The Bureau considered alternatives to the timeline for delivery of annual notices when a financial institution that qualified for the annual exception changes its policies or practices such that it no longer qualifies. Because the estimates of costs and benefits to consumers and covered persons take institutions’ sharing policies and practices as given, the alternatives with respect to the timeline for delivery of annual notices do not impact those estimates. Further, even if the estimates allowed for changes in sharing policies and practices that can cause institutions to meet or fail to meet the requirements for the annual notice exception, the aggregate annual benefits and costs of delivery will not likely be significantly impacted by the timeline for delivery of annual notices. The Bureau does note, however, that changing from 60 to 100 days for delivery of the annual privacy notice under § 1016.5(e)(2)(ii) should result in a small burden reduction from the proposal, as financial institutions will be able to send the notice with quarterly statements as they requested. daltland on DSKBBV9HB2PROD with RULES C. Impact on Depository Institutions With No More Than $10 Billion in Assets The Bureau currently estimates that approximately 600 banks with $10 billion or less in assets cannot use the alternative delivery method but can use the annual notice exception. This constitutes 47% of banks with $10 billion or less in assets that do not use the alternative delivery method and 8.8% of all banks with $10 billion or less in assets. As reported above, 70% of banks with more than $10 billion in assets that do not use the alternative delivery method can use the proposed exception to the annual notice requirement. This is 55% of all banks with more than $10 billion in assets. Thus, the rule may have different impacts on federally insured depository institutions with $10 billion or less in assets as described in section 1026 of the Dodd-Frank Act. The Bureau currently believes that no credit unions of any size that could not use the alternative delivery method will be able to use the exception to the annual notice requirement. D. Impact on Access to Credit and on Consumers in Rural Areas The Bureau does not believe that the rule will reduce consumers’ access to consumer financial products or services VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 or have a unique impact on rural consumers. VI. Regulatory Flexibility Act The Regulatory Flexibility Act (RFA) as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires each agency to consider the potential impact of its regulations on small entities, including small businesses, small governmental units, and small not-for-profit organizations. The RFA defines a ‘‘small business’’ as a business that meets the size standard developed by the Small Business Administration pursuant to the Small Business Act. The RFA generally requires an agency to conduct an initial regulatory flexibility analysis (IRFA) and a final regulatory flexibility analysis (FRFA) of any rule subject to noticeand-comment rulemaking requirements, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities.69 The Bureau also is subject to certain additional procedures under the RFA involving the convening of a panel to consult with small business representatives prior to proposing a rule for which an IRFA is required.70 At the proposed rule stage, the Bureau determined that an IRFA was not required because the proposal, if adopted, would not have a significant economic impact on a substantial number of small entities. For this final rule, the Bureau continues to believe that that determination is accurate. The Bureau does not expect the rule to impose costs on small entities. All methods of compliance under current law will remain available to small entities when this rule is adopted. Thus, a small entity that is in compliance with current law need not take any different or additional action under the new rule. In addition, based on the data analysis described previously, the Bureau believes that the annual notice exception will allow some small institutions to stop sending the annual notice and to thereby reduce costs. Accordingly, the undersigned certifies that this rule will not have a significant economic impact on a substantial number of small entities. VII. Paperwork Reduction Act Under the Paperwork Reduction Act of 1995 (PRA),71 Federal agencies are generally required to seek Office of Management and Budget (OMB) approval for information collection requirements prior to implementation. 69 5 U.S.C. 603 through 605. U.S.C. 609. 71 44 U.S.C. 3501 through 3558. 70 5 PO 00000 Frm 00027 Fmt 4700 Sfmt 4700 40957 This proposal would amend Regulation P, 12 CFR part 1016. The collections of information related to Regulation P have been previously reviewed and approved by OMB in accordance with the PRA and assigned OMB Control Number 3170–0010. Under the PRA, the Bureau may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB. As explained below, the Bureau has determined that this rule does not contain any new or substantively revised information collection requirements other than those previously approved by OMB. The rule will implement the December 2015 amendment to the GLBA and amend § 1016.5 of Regulation P to provide that a financial institution is not required to deliver an annual privacy notice if it: (1) Provides nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 1016.13, § 1016.14, or § 1016.15 and; (2) Has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice provided. Under Regulation P, the Bureau generally accounts for the paperwork burden for the following respondents pursuant to its enforcement/supervisory authority: Federally insured depository institutions with more than $10 billion in total assets, their depository institution affiliates, and certain nondepository institutions. The Bureau and the FTC generally both have enforcement authority over nondepository institutions subject to Regulation P. Accordingly, the Bureau has allocated to itself half of the final rule’s estimated reduction in burden on non-depository financial institutions subject to Regulation P. Other Federal agencies, including the FTC, are responsible for estimating and reporting to OMB the paperwork burden for the institutions for which they have enforcement and/or supervision authority. They may use the Bureau’s burden estimation methodology, but need not do so. The Bureau does not believe that this final rule will impose any new or substantively revised collections of information as defined by the PRA, and instead believes that it will have the overall effect of reducing the previously approved estimated burden on industry for the information collections E:\FR\FM\17AUR1.SGM 17AUR1 40958 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations associated with the Regulation P annual privacy notice. Using the Bureau’s burden estimation methodology, the reduction in the estimated ongoing burden will be approximately 62,197 hours annually for the roughly 13,500 banks and credit unions subject to the rule, including Bureau respondents, and the roughly 29,400 entities regulated by the FTC also subject to the rule (i.e., entities over which the FTC has Regulation P administrative enforcement authority). The reduction in estimated ongoing costs from the reduction in ongoing burden will be approximately $3.389 million annually.72 The Bureau believes that the one-time cost of adopting the annual notice exception for financial institutions that adopt it will be de minimis. The Bureau’s methodology for estimating the reduction in ongoing burden was discussed above. The method is similar to that described in the PRA analysis in the 2014 Annual Privacy Notice Rule. The only difference is that instead of estimating the fraction of institutions that will be able to use the alternative delivery method, the Bureau estimates the fraction of institutions that will be able to use the annual notice exception and are not already using the alternative delivery method, to compute the reduction in burden relative to the baseline.73 The Bureau takes all of the reduction in ongoing burden from banks and credit unions with assets $10 billion and above and half the reduction in ongoing burden from the non-depository institutions subject to the FTC enforcement authority that are subject to the Bureau’s Regulation P. The total reduction in ongoing burden taken by the Bureau is 53,216 hours or $3.058 million annually.74 The Bureau has determined that the final rule does not contain any new or substantively revised information collection requirements as defined by the PRA and that the burden estimate for the previously approved information collections should be revised as explained above. The Bureau requested comments on these determinations or any other aspect of the proposal for purposes of the PRA, but received none. SUMMARY OF BURDEN CHANGES Information collections Previously approved total burden hours Net change in burden hours New total burden hours Notices and disclosures ............................................................................................................... 366,134 ¥53,216 312,917 VIII. Congressional Review Act Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), the Bureau will submit a report containing this rule and other required information to the United States Senate, the United States House of Representatives, and the Comptroller General of the United States prior to the rule taking effect. The Office of Information and Regulatory Affairs (OIRA) has designated this rule as not a ‘‘major rule’’ as defined by 5 U.S.C. 804(2). List of Subjects in 12 CFR Part 1016 Banks, Banking, Consumer protection, Credit, Credit unions, Foreign banking, Holding companies, National banks, Privacy, Reporting and recordkeeping requirements, Savings associations, Trade practices. Authority and Issuance For the reasons set forth in the preamble, the Bureau amends Regulation P, 12 CFR part 1016, as set forth below: daltland on DSKBBV9HB2PROD with RULES 1. The authority citation for part 1016 continues to read as follows: ■ 72 The total hours and costs consist of: (a) 51,230 hours at banks and credit unions evaluated at $61.65/hour; and (b) 10,967 hours at entities regulated by the FTC also subject to the rule, evaluated at $21.07/hour. 16:27 Aug 16, 2018 Jkt 244001 2. Section 1016.3 is amended by revising paragraph (s)(1) to read as follows: ■ § 1016.3 Definitions. * * * * * (s)(1) You means a financial institution for which the Bureau has rulemaking authority under section 504(a)(1)(A) of the GLB Act (15 U.S.C. 6804(a)(1)(A)). * * * * * Subpart A—Privacy and Opt Out Notices 3. Section 1016.5 is amended by revising the first sentence of paragraph (a)(1) and adding paragraph (e) to read as follows: ■ § 1016.5 Annual privacy notice to customers required. PART 1016—PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P) VerDate Sep<11>2014 Authority: 12 U.S.C. 5512, 5581; 15 U.S.C. 6804. (a)(1) * * * Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. * * * * * * * * 73 See 79 FR 64057, 64080 (Oct. 28, 2014). total hours and costs consist of: (a) 47,733 hours at banks and credit unions evaluated at $61.65/hour; and (b) 5,484 hours at entities 74 The PO 00000 Frm 00028 Fmt 4700 Sfmt 4700 (e) Exception to annual privacy notice requirement. (1) When exception available. You are not required to deliver an annual privacy notice if you: (i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 1016.13, § 1016.14, or § 1016.15; and (ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part. (2) Delivery of annual privacy notice after financial institution no longer meets requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (e)(2)(ii) of this section, as applicable. (i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that regulated by the FTC also subject to the rule, evaluated at $21.07/hour. E:\FR\FM\17AUR1.SGM 17AUR1 Federal Register / Vol. 83, No. 160 / Friday, August 17, 2018 / Rules and Regulations § 1016.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirements in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice. (ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 1016.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirements of paragraph (e)(1) of this section. (iii) Examples. (A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1. Assuming you define the 12-consecutive-month period pursuant to paragraph (a) of this section as a calendar year, if you were required to provide a revised privacy notice under § 1016.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under § 1016.8, you must provide an annual privacy notice by July 9 of year 1. (B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notices to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section. ■ 4. Section 1016.9 is amended by revising paragraph (c) to read as follows: § 1016.9 Delivering privacy and opt out notices. daltland on DSKBBV9HB2PROD with RULES * * * * * (c) Annual notices only. You may reasonably expect that a customer will receive actual notice of your annual privacy notice if: (1) The customer uses your website to access financial products and services electronically and agrees to receive notices at the website, and you post your current privacy notice continuously in a clear and conspicuous manner on the website; or VerDate Sep<11>2014 16:27 Aug 16, 2018 Jkt 244001 (2) The customer has requested that you refrain from sending any information regarding the customer relationship, and your current privacy notice remains available to the customer upon request. * * * * * Dated: August 9, 2018. Mick Mulvaney, Acting Director, Bureau of Consumer Financial Protection. [FR Doc. 2018–17572 Filed 8–16–18; 8:45 am] BILLING CODE 4810–AM–P DEPARTMENT OF TRANSPORTATION Federal Aviation Administration 14 CFR Part 39 [Docket No. FAA–2018–0303; Product Identifier 2018–NM–006–AD; Amendment 39–19360; AD 2018–17–06] RIN 2120–AA64 Airworthiness Directives; Fokker Services B.V. Airplanes Federal Aviation Administration (FAA), Department of Transportation (DOT). ACTION: Final rule. AGENCY: We are adopting a new airworthiness directive (AD) for certain Fokker Services B.V. Model F28 Mark 0070 and 0100 airplanes. This AD was prompted by a report that the retraction actuator eye-end of a Goodrich main landing gear (MLG) failed. This AD requires a one-time general visual inspection of the left-hand (LH) and right-hand (RH) MLG retraction actuators and replacement if necessary. We are issuing this AD to address the unsafe condition on these products. DATES: This AD is effective September 21, 2018. The Director of the Federal Register approved the incorporation by reference of a certain publication listed in this AD as of September 21, 2018. ADDRESSES: For service information identified in this final rule, contact Fokker Services B.V., Technical Services Dept., P.O. Box 1357, 2130 EL Hoofddorp, the Netherlands; telephone +31 (0)88–6280–350; fax +31 (0)88– 6280–111; email technicalservices@ fokker.com; internet http:// www.myfokkerfleet.com. You may view this service information at the FAA, Transport Standards Branch, 2200 South 216th St., Des Moines, WA. For information on the availability of this material at the FAA, call 206–231–3195. It is also available on the internet at SUMMARY: PO 00000 Frm 00029 Fmt 4700 Sfmt 4700 40959 http://www.regulations.gov by searching for and locating Docket No. FAA–2018– 0303. Examining the AD Docket You may examine the AD docket on the internet at http:// www.regulations.gov by searching for and locating Docket No. FAA–2018– 0303; or in person at Docket Operations between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. The AD docket contains this final rule, the regulatory evaluation, any comments received, and other information. The address for Docket Operations (phone: 800–647–5527) is in the ADDRESSES section. Comments will be available in the AD docket shortly after receipt. FOR FURTHER INFORMATION CONTACT: Tom Rodriguez, Aerospace Engineer, International Section, Transport Standards Branch, FAA, 2200 South 216th St., Des Moines, WA 98198; telephone and fax 206–231–3226. SUPPLEMENTARY INFORMATION: Discussion We issued a notice of proposed rulemaking (NPRM) to amend 14 CFR part 39 by adding an AD that would apply to certain Fokker Services B.V. Model F28 Mark 0070 and 0100 airplanes. The NPRM published in the Federal Register on April 27, 2018 (83 FR 18488). The NPRM was prompted by a report that the retraction actuator eyeend of a Goodrich MLG failed. The NPRM proposed to require a one-time general visual inspection of the LH and RH MLG retraction actuators and replacement if necessary. We are issuing this AD to address failure of the retraction actuator eye-end of a Goodrich MLG, which could prevent retraction of the MLG and/or its complete extension, possibly resulting in damage to the airplane during landing, and consequent injury to occupants. The European Aviation Safety Agency (EASA), which is the Technical Agent for the Member States of the European Union, has issued EASA AD 2018–0001, dated January 4, 2018 (referred to after this as the Mandatory Continuing Airworthiness Information, or ‘‘the MCAI’’), to correct an unsafe condition for certain Fokker Services B.V. Model F28 Mark 0070 and 0100 airplanes. The MCAI states: An occurrence was reported where, following take-off after gear up selection, the retraction actuator eye-end (P/N [part number] 41518–3) of a Goodrich MLG failed. After the LG UNSAFE indication, the flight crew successfully selected gear down and locked by applying the alternate extension E:\FR\FM\17AUR1.SGM 17AUR1

Agencies

[Federal Register Volume 83, Number 160 (Friday, August 17, 2018)]
[Rules and Regulations]
[Pages 40945-40959]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-17572]


=======================================================================
-----------------------------------------------------------------------

BUREAU OF CONSUMER FINANCIAL PROTECTION

12 CFR Part 1016

[Docket No. CFPB-2016-0032]
RIN 3170-AA60


Amendment to the Annual Privacy Notice Requirement Under the 
Gramm-Leach-Bliley Act (Regulation P)

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Bureau of Consumer Financial Protection (Bureau) is 
amending Regulation P, which requires, among other things, that 
financial institutions provide an annual notice describing their 
privacy policies and practices to their customers. The amendment 
implements a December 2015 statutory amendment to the Gramm-Leach-
Bliley Act providing an exception to this annual notice requirement for 
financial institutions that meet certain conditions.

DATES: The amendments to Regulation P in this final rule will become 
effective on September 17, 2018.

FOR FURTHER INFORMATION CONTACT: Monique Chenault, Paralegal 
Specialist; Joseph Devlin, Senior Counsel; Office of Regulations, at 
(202) 435-7700.

SUPPLEMENTARY INFORMATION:

I. Summary of the Final Rule

    Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLBA) \1\ and 
Regulation P, which implements the GLBA, mandate that financial 
institutions provide their customers with annual notices regarding 
those institutions' privacy policies. If financial institutions share 
certain consumer information with particular types of third parties, 
the annual notices must also provide customers with an opportunity to 
opt out of the sharing. Regulation P sets forth requirements for how 
financial institutions must deliver these annual privacy notices. In 
certain circumstances, Regulation P permits financial institutions to 
use an alternative delivery method to provide annual notices. This 
method requires, among other things, that the annual notice be posted 
on a financial institution's website.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 6801 through 6809.
---------------------------------------------------------------------------

    On December 4, 2015, Congress amended the GLBA as part of the 
Fixing America's Surface Transportation Act (FAST Act). This amendment, 
titled Eliminate Privacy Notice Confusion,\2\ added new GLBA section 
503(f). This subsection provides an exception under which financial 
institutions that meet certain conditions are not required to provide 
annual privacy notices to customers. Section 503(f)(1) requires that to 
qualify for this exception, a financial institution must not share 
nonpublic personal information about customers except as described in 
certain statutory exceptions. (Sharing as described in these specified 
statutory exceptions does not trigger the customer's statutory right to 
opt out of the financial institution's sharing.) In addition, section 
503(f)(2) requires that the financial institution must not have changed 
its policies and practices with regard to disclosing nonpublic personal 
information from those that the institution disclosed in the most 
recent privacy notice it sent.
---------------------------------------------------------------------------

    \2\ FAST Act, Public Law 114-94, section 75001.
---------------------------------------------------------------------------

    Section 503(f) took effect upon enactment in December 2015. In July 
2016 the Bureau proposed to update Regulation P to reflect the change 
in the underlying law. As part of its implementation, the Bureau is 
also amending Regulation P to provide timing requirements for delivery 
of annual privacy notices in the event that a financial institution 
that qualified for this annual notice exception later changes its 
policies or practices in such a way that it no longer qualifies for the 
exception. The Bureau is further

[[Page 40946]]

removing the Regulation P provision that allows for use of the 
alternative delivery method for annual privacy notices because the 
Bureau believes the alternative delivery method will no longer be used 
in light of the annual notice exception. Finally, the Bureau is 
amending Regulation P to make a technical correction to one of its 
definitions.

II. Background

A. The Statute and Regulation

    The GLBA was enacted into law in 1999 and governs the privacy 
practices of a broad range of financial institutions.\3\ Rulemaking 
authority to implement the GLBA privacy provisions was initially spread 
among many agencies. The Federal Reserve Board (Board), the Office of 
Comptroller of the Currency (OCC), the Federal Deposit Insurance 
Corporation (FDIC), and the Office of Thrift Supervision (OTS) jointly 
adopted final rules in 2000 to implement the notice requirements of the 
GLBA.\4\ The National Credit Union Administration (NCUA), Federal Trade 
Commission (FTC), Securities and Exchange Commission (SEC), and 
Commodity Futures Trading Commission (CFTC) were part of the same 
interagency process, but each of these agencies issued separate 
rules.\5\ In 2009, all of the agencies with the authority to issue 
rules to implement the GLBA privacy notice provisions issued a joint 
final rule with a model form that financial institutions could use, at 
their option, to provide required initial and annual disclosures.\6\
---------------------------------------------------------------------------

    \3\ Public Law 106-102, 113 Stat. 1338 (1999).
    \4\ 65 FR 35162 (June 1, 2000).
    \5\ 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 33646 
(May 24, 2000) (FTC final rule); 65 FR 40334 (June 29, 2000) (SEC 
final rule); 66 FR 21236 (Apr. 27, 2001) (CFTC final rule).
    \6\ 74 FR 62890 (Dec. 1, 2009).
---------------------------------------------------------------------------

    In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection 
Act (Dodd-Frank Act) \7\ transferred GLBA privacy notice rulemaking 
authority from the Board, NCUA, OCC, OTS, the FDIC, and the FTC (in 
part) to the Bureau.\8\ The Bureau then restated the implementing 
regulations in Regulation P, 12 CFR part 1016, in late 2011 through an 
interim final rule.\9\ In April 2016, the Bureau finalized that interim 
final rule as amended by 79 FR 64057 (Oct. 28, 2014).\10\
---------------------------------------------------------------------------

    \7\ Public Law 111-203, 124 Stat. 1376 (2010).
    \8\ Public Law 111-203, section 1093. The FTC retained 
rulewriting authority over any financial institution that is a 
person described in 12 U.S.C. 5519 (i.e., motor vehicle dealers 
predominantly engaged in the sale and servicing of motor vehicles, 
the leasing and servicing of motor vehicles, or both).
    \9\ 76 FR 79025 (Dec. 21, 2011).
    \10\ 81 FR 25323 (Apr. 28, 2016).
---------------------------------------------------------------------------

    The Bureau has the authority to promulgate GLBA privacy rules for 
depository institutions and many non-depository institutions. However, 
rulewriting authority with regard to securities and futures-related 
companies is vested in the SEC and CFTC, respectively, and rulewriting 
authority with respect to certain motor vehicle dealers is vested in 
the FTC.\11\ The four agencies are required to consult with each other 
and with representatives of State insurance authorities to assure, to 
the extent possible, consistency and comparability among implementing 
rules.\12\ Toward that end, the Bureau has consulted and coordinated 
with these agencies and with the National Association of Insurance 
Commissioners (NAIC) concerning this final rule and the proposal that 
preceded it. The Bureau has also consulted with prudential regulators 
and other appropriate Federal agencies, as required under Section 1022 
of the Dodd-Frank Act as part of its general rulewriting process.\13\
---------------------------------------------------------------------------

    \11\ 15 U.S.C. 6804; 12 CFR 1016.1(b).
    \12\ 15 U.S.C. 6804(a)(2).
    \13\ 12 U.S.C. 5512(b)(2)(B).
---------------------------------------------------------------------------

    The GLBA and Regulation P require that financial institutions 
provide consumers with certain notices describing their privacy 
policies.\14\ Financial institutions are generally required to provide 
an initial notice of these policies when a customer relationship is 
established and to provide an annual notice to customers every year 
that the customer relationship continues.\15\ Except as otherwise 
authorized in the regulation, if a financial institution chooses to 
disclose nonpublic personal information about a consumer to a 
nonaffiliated third party other than as described in its initial 
notice, the institution is also required to deliver a revised privacy 
notice.\16\ The types of information required to be included in the 
initial, annual, and revised notices are identical. Each notice must 
describe whether and how the financial institution shares consumers' 
nonpublic personal information with other entities.\17\ The notices 
must also briefly describe how financial institutions protect the 
nonpublic personal information they collect and maintain.\18\
---------------------------------------------------------------------------

    \14\ When a financial institution has a continuing relationship 
with the consumer, an annual privacy notice is required and the 
consumer is then referred to as a ``customer.'' 12 CFR 1016.3(i), 
1016.3(j)(1).
    \15\ 12 CFR 1016.4(a)(1), 1016.5(a)(1). Financial institutions 
are also required to provide initial notices to consumers before 
disclosing any nonpublic personal information to a nonaffiliated 
third party outside of certain exceptions. 12 CFR 1016.4(a)(2).
    \16\ 12 CFR 1016.8.
    \17\ 12 CFR 1016.6(a)(1)-(5), (9).
    \18\ 12 CFR 1016.6(a)(8).
---------------------------------------------------------------------------

    GLBA Section 502 and Regulation P also require that initial, 
annual, and revised notices provide information about the right to opt 
out of certain financial institution sharing of nonpublic personal 
information with some types of nonaffiliated third parties. For 
example, a mortgage customer has the right to opt out of a financial 
institution disclosing his or her name and address to an unaffiliated 
home insurance company. On the other hand, a financial institution is 
not required to allow a consumer to opt out of the institution's 
disclosure of his or her nonpublic personal information to third party 
service providers and pursuant to joint marketing arrangements subject 
to certain requirements; disclosures relating to maintaining and 
servicing accounts, securitization, law enforcement and compliance, and 
consumer reporting; and certain other disclosures described in the GLBA 
and Regulation P as exceptions to the opt-out requirement.\19\
---------------------------------------------------------------------------

    \19\ 15 U.S.C. 6802(b)(2), (e); 12 CFR 1016.13, 1016.14, 
1016.15.
---------------------------------------------------------------------------

    In addition to opt-out rights under the GLBA, annual privacy 
notices also may include information about certain consumer opt-out 
rights under the Fair Credit Reporting Act (FCRA). The privacy notices 
under the GLBA/Regulation P and affiliate disclosures under the FCRA/
Regulation V interact in two ways. First, section 603(d)(2)(A)(iii) of 
the FCRA excludes from that statute's definition of a consumer report 
\20\ the sharing of certain information about a consumer with the 
institution's affiliates if the consumer is notified of such sharing 
and is given an opportunity to opt out.\21\ Section 503(c)(4) of the 
GLBA and Regulation P require financial institutions to incorporate 
into any required Regulation P notices the notification and opt-out 
disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA, 
if the institution provides such disclosures.\22\
---------------------------------------------------------------------------

    \20\ 15 U.S.C. 1681a(d).
    \21\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \22\ 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).
---------------------------------------------------------------------------

    Second, section 624 of the FCRA and Regulation V's Affiliate 
Marketing Rule provide that an affiliate of a financial institution 
that receives certain information (e.g., transaction history) \23\

[[Page 40947]]

from the institution about a consumer may not use the information to 
make solicitations for marketing purposes unless the consumer is 
notified of such use and provided with an opportunity to opt out of 
that use.\24\ Section 624 of the FCRA and Regulation V also permit (but 
do not require) financial institutions to incorporate any opt-out 
disclosures provided under section 624 of the FCRA and subpart C of 
Regulation V into privacy notices provided pursuant to the GLBA and 
Regulation P.\25\
---------------------------------------------------------------------------

    \23\ The type of information to which section 624 applies is 
information that would be a consumer report, but for the exclusions 
provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA.
    \24\ 15 U.S.C. 1681s-3 and 12 CFR pt. 1022, subpart C.
    \25\ 15 U.S.C. 1681s-3(b); 12 CFR 1022.23(b).
---------------------------------------------------------------------------

B. The Alternative Delivery Method for Annual Privacy Notices

    In pursuit of the Bureau's goal of reducing unnecessary or unduly 
burdensome regulations, the Bureau in December 2011 issued a Request 
for Information (RFI) seeking specific suggestions from the public for 
streamlining regulations the Bureau had inherited from other Federal 
agencies. In that RFI, the Bureau specifically identified the annual 
privacy notice as a potential opportunity for streamlining and 
solicited comment on possible alternatives to delivering the annual 
privacy notice.\26\ Numerous industry commenters responded to the RFI 
by advocating for the elimination or limitation of the annual notice 
requirement.
---------------------------------------------------------------------------

    \26\ 76 FR 75825, 75828 (Dec. 5, 2011).
---------------------------------------------------------------------------

    Financial institutions historically have provided annual notices 
generally by U.S. postal mail.\27\ In 2014, the Bureau adopted a rule 
to allow financial institutions to use an alternative delivery method 
to provide annual privacy notices through posting the notices on their 
websites if they meet certain conditions.\28\ Specifically, financial 
institutions were allowed to use the alternative delivery method for 
annual notices if: (1) No opt-out rights were triggered by the 
financial institution's information sharing practices under the GLBA; 
(2) no FCRA section 603 opt-out notices were required to appear on the 
annual notice and any opt-outs required by FCRA section 624 had 
previously been provided, if applicable, or the annual notice was not 
the only notice provided to satisfy those requirements; (3) the 
information included in the annual notice had not changed since the 
customer received the previous notice; and (4) the financial 
institution used the model form provided in Regulation P for its annual 
notice.
---------------------------------------------------------------------------

    \27\ Regulation P, however, does allow financial institutions to 
provide notices electronically (e.g., by email) with consent. 12 CFR 
1016.9(a) (stating that a financial institution may deliver the 
notice electronically if the consumer agrees). The Bureau believes 
that most consumers do not receive privacy notices electronically.
    \28\ 79 FR 64057 (revising 12 CFR 1016.9(c)). The Bureau's 
alternative delivery method became effective on October 28, 2014. 
Id.
---------------------------------------------------------------------------

    In addition, to assist customers with limited or no access to the 
internet, an institution using the alternative delivery method was 
required to mail annual notices to customers who requested them by 
telephone. To make customers aware that its annual privacy notice was 
available through the website or by phone, the institution was required 
to include a clear and conspicuous statement of availability at least 
once per year on an account statement, coupon book, or a notice or 
disclosure the institution issued under any provision of law.

C. Statutory Amendment and Proposed Rule

    On December 4, 2015, Congress amended the GLBA as part of the FAST 
Act. This amendment, titled Eliminate Privacy Notice Confusion,\29\ 
added new GLBA section 503(f), which provides an exception under which 
financial institutions that meet two conditions are not required to 
provide annual notices to customers.\30\ New GLBA section 503(f)(1) 
states the first condition for the annual notice exception: That a 
financial institution must provide nonpublic personal information only 
in accordance with certain exceptions in the GLBA; providing nonpublic 
personal information under these exceptions does not trigger consumer 
opt-out rights.\31\ New GLBA section 503(f)(2) states the second 
condition for the annual notice exception: That a financial institution 
must not have changed its policies and practices with regard to 
disclosing nonpublic personal information from the policies and 
practices that were disclosed in the most recent disclosure sent to 
consumers in accordance with GLBA section 503. The statutory amendment 
became effective upon enactment in December 2015.
---------------------------------------------------------------------------

    \29\ FAST Act, Public Law 114-94, section 75001.
    \30\ In order to avoid confusion and facilitate responsiveness 
to consumer requests, the Bureau notes that a financial institution 
that qualifies for the annual notice exception could provide a 
privacy notice to a customer without jeopardizing the availability 
of the exception, such as in response to a customer specifically 
requesting a copy of the notice.
    \31\ These provisions are in GLBA section 502(b)(2) or (e) and 
are incorporated into existing Regulation P at Sec.  1016.13, Sec.  
1016.14, and Sec.  1016.15. They provide exceptions from the 
requirement that a financial institution provide notice and an 
opportunity to opt out of sharing nonpublic personal information 
with a nonaffiliated third party.
---------------------------------------------------------------------------

    On July 15, 2016, the Bureau published a proposed rule to implement 
the FAST Act statutory amendment to the GLBA. The Bureau has considered 
the comments received on that proposed rule, and now issues this final 
rule based on it.

D. Effective Date

    As discussed above, the statutory exception to the annual notice 
requirement is already effective. The amendments to Regulation P in 
this final rule will be effective 30 days from the date of publication 
in the Federal Register.

E. Privacy Considerations

    In developing this final rule, the Bureau considered its potential 
impact on consumer privacy. The rule will not affect the collection or 
use of consumers' nonpublic personal information by financial 
institutions. The rule implements a new statutory exception to limit 
the circumstances under which financial institutions subject to 
Regulation P will be required to deliver annual privacy notices to 
their customers. Delivery of annual privacy notices is required under 
the rule if financial institutions make certain types of changes to 
their privacy policies or if the statute and Regulation P afford 
customers the right to opt out of financial institutions' sharing of 
customers' nonpublic personal information with nonaffiliated third 
parties. The statutory exception and this final rule do not affect the 
requirement to deliver an initial privacy notice, and all consumers 
will continue to receive such notices describing the privacy policies 
of any financial institutions with which they do business to the extent 
currently required.

III. Legal Authority

    The Bureau is issuing this final rule pursuant to its authority 
under section 504 of the GLBA, as amended by section 1093 of the Dodd-
Frank Act.\32\ The Bureau is also issuing this rule pursuant to its 
authority under sections 1022 and 1061 of the Dodd-Frank Act.\33\
---------------------------------------------------------------------------

    \32\ 15 U.S.C. 6804.
    \33\ 12 U.S.C. 5512, 5581.
---------------------------------------------------------------------------

IV. Section-by-Section Analysis

Section 1016.3 Definitions

3(s)(1)

    Regulation P's substantive requirements, including the requirement 
to deliver privacy notices, are generally

[[Page 40948]]

imposed upon entities that meet the definition of ``You'' in Sec.  
1016.3(s)(1). That provision defines ``You'' as a ``financial 
institution or other person for which the Bureau has rulemaking 
authority under section 504(a)(1)(A) of the GLBA.'' In order to 
coordinate this definition more correctly with the term's usage in the 
regulation, the Bureau proposed to limit ``You'' to financial 
institutions.
    The Bureau received no comments on this technical amendment, and 
adopts it now as proposed.
    As explained above, Regulation P's substantive requirements, 
including the requirement to deliver privacy notices, are generally 
imposed upon entities that meet the definition of ``You'' in Sec.  
1016.3(s)(1). The Bureau has rulemaking authority over entities other 
than financial institutions pursuant to GLBA section 504(a)(1)(A).\34\ 
The statute's privacy notice requirements, however, specifically apply 
only to financial institutions.\35\ The Bureau therefore believes that 
it is appropriate to limit the definition of ``You'' in Sec.  
1016.3(s)(1) to financial institutions. For this reason, the Bureau is 
amending Sec.  1016.3(s)(1) to remove the phrase ``or other persons.'' 
The Bureau does not believe this technical amendment to Sec.  
1016.3(s)(1) will change the settled understanding of the scope of 
Regulation P's privacy notice requirements. Instead, the Bureau 
believes it will clarify that the scope of Regulation P's privacy 
notice requirements is consistent with the understanding of 
stakeholders.
---------------------------------------------------------------------------

    \34\ Such rulemaking authority has been exercised with respect 
to nonaffiliated third parties to which a financial institution 
discloses nonpublic personal information and that third party's 
affiliates for purposes of GLBA section 502(c)'s limits on reuse of 
information. See 12 CFR 1016.11(c)-(d).
    \35\ See GLBA sections 502(a)-(b) and 503(a).
---------------------------------------------------------------------------

Section 1016.5 Annual Privacy Notice to Customers Required

5(a) General Rule

    The Bureau proposed to amend the general requirement in Sec.  
1016.5(a)(1) that financial institutions provide annual notices, to 
clarify that the Bureau has added an exception to this requirement in 
Sec.  1016.5(e) to incorporate the amendment to GLBA section 503.
    No commenters specifically discussed the conforming change to the 
general rule in Sec.  1016.5(a). One commenter suggested that the 
Bureau remove any GLBA privacy notice requirement and instead require 
financial institutions to post their privacy notices online, allow all 
consumers to choose whether to receive any privacy notices, make 
electronic notices the default for any consumers who opt to receive any 
privacy notices, and allow financial institutions to charge fees for 
any paper privacy notices they provide.
    The Bureau now adopts the conforming amendment to the general 
requirement in Sec.  1016.5(a)(1) that financial institutions provide 
annual notices, to clarify that the Bureau has added an exception to 
this requirement in Sec.  1016.5(e) to incorporate the amendment to 
GLBA section 503. The Bureau does not believe that the comment is 
relevant to the proposal and it does not provide a basis to change the 
approach proposed by the Bureau. Congress did not include revisions 
along the lines the commenter suggested in the statutory provision that 
the Bureau is implementing in this rulemaking.

5(e) Exception to Annual Notice Requirement

    New GLBA Sec.  503(f) provides that a financial institution is 
excepted from providing an annual notice if it meets the two conditions 
described below. The Bureau proposed to add new Sec.  1016.5(e) to 
incorporate into Regulation P the exception created by new Sec.  
503(f). Under proposed Sec.  1016.5(e), as in section 503(f), a 
financial institution would be excepted from providing an annual notice 
if it meets the two conditions discussed below.
    The commenters overwhelmingly supported proposed Sec.  1016.5(e). 
Although some commenters asked that the exception be broadened, no 
commenters who discussed the proposed exception objected to it. The 
commenters stated that the exception would reduce burden and would not 
harm consumers, and was less complicated and burdensome than the 
previous alternative delivery method. Some suggested that the provision 
would benefit consumers. The comments that specifically discussed 
either of the two requirements for the exception, in Sec.  
1016.5(e)(1)(i) and (ii), are discussed below in relation to those 
provisions.
    A trade association representing credit unions requested that to 
eliminate confusion and protect institutions from citations, the rule 
should be effective retroactive to December 4, 2015, the date the 
statutory GLBA amendments took effect. In addition, an attorney 
suggested that the Bureau preempt State privacy statutes that might 
require institutions to continue providing annual privacy notices in 
spite of the Federal exception. The attorney recommended the Bureau 
modify Sec.  1016.17 to expressly preempt contrary State law, and 
instead require that an institution make its privacy notice continually 
available online.
    After considering the comments and for the reasons discussed below, 
the Bureau now adopts the exception to the annual notice requirement 
largely as proposed, with certain changes to the timing provisions in 
Sec.  1016.5(e)(2), as discussed below.
    In regard to the comment recommending that Sec.  1016.17 be 
modified, Sec.  1016.17 implements GLBA Sec.  507,\36\ which provides 
specific standards regarding preemption of State law. The Bureau does 
not believe that the comment is relevant to the proposal and it does 
not provide a basis to change the approach proposed by the Bureau. 
Congress did not include revisions along the lines the commenter 
suggested in the statute that the Bureau is implementing in this 
rulemaking.
---------------------------------------------------------------------------

    \36\ 15 U.S.C. 6807.
---------------------------------------------------------------------------

    In regard to the comment on retroactivity, the Bureau has made 
clear in the proposed rule and this final rule that new GLBA Sec.  
503(f) became effective upon enactment in December 2015.\37\ As the 
central elements of this rule are already in effect, the Bureau 
believes that there is no need to make this rule retroactive. To the 
extent that this rule changes applicable law, the Bureau notes that 
retroactive rulemaking is disfavored by the courts, and the commenter 
has not established why it would be appropriate here. This rule takes 
effect 30 days after its publication in the Federal Register.
---------------------------------------------------------------------------

    \37\ See above, Part II.C.
---------------------------------------------------------------------------

5(e)(1) When Exception Available

5(e)(1)(i)

    New GLBA section 503(f)(1) states the first condition for the 
annual privacy notice exception: that a financial institution provide 
nonpublic personal information only in accordance with the provisions 
of subsection (b)(2) or (e) of section 502 of the GLBA. The Bureau 
proposed Sec.  1016.5(e)(1)(i) to incorporate this condition by 
requiring that to qualify for the annual notice exception, any 
nonpublic personal information that financial institutions provide to 
nonaffiliated third parties must be provided only in accordance with 
Sec.  1016.13, Sec.  1016.14 or Sec.  1016.15 of Regulation P.
    Almost no commenters specifically discussed the first of the two 
requirements of the new statutory exception. One credit union explained 
that it does not share nonpublic personal information beyond the 
exceptions provided in Sec.  1016.13,

[[Page 40949]]

Sec.  1016.14 or Sec.  1016.15 of Regulation P, and that it believes 
the Sec.  1016.5(e)(1)(i) requirement will work well. Another commenter 
discussed voluntary opt-outs that a financial institution may offer, 
asking whether the inclusion on the privacy notice of opt-outs that 
allow consumers to opt out of sharing that is described in Sec.  
1016.13, Sec.  1016.14 or Sec.  1016.15 of Regulation P would interfere 
with meeting the requirement in Sec.  1016.5(e)(1)(i).
    The Bureau now adopts Sec.  1016.5(e)(1)(i) as proposed. Section 
1016.5(e)(1)(i) will incorporate the first requirement of GLBA Sec.  
503(f) by requiring that to qualify for the annual notice exception, 
any nonpublic personal information that financial institutions provide 
to nonaffiliated third parties must be provided only in accordance with 
Sec.  1016.13, Sec.  1016.14 or Sec.  1016.15 of Regulation P; these 
regulatory sections implement subsections (b)(2) and (e) of section 
502.\38\ A financial institution sharing information only pursuant to 
these exceptions is not required to provide customers with a right to 
opt out of that sharing. In addition, because they would only involve 
information sharing within the exceptions of Sec.  1016.13, Sec.  
1016.14 or Sec.  1016.15, voluntary opt-outs included on privacy 
notices would not affect compliance with the Sec.  1016.5(e)(1)(i) 
requirement or the annual notice exception.
---------------------------------------------------------------------------

    \38\ The sharing described in these provisions includes, among 
other things, sharing involving third party service providers, joint 
marketing arrangements, maintaining and servicing accounts, 
securitization, law enforcement and compliance, and reporting to 
consumer reporting agencies.
---------------------------------------------------------------------------

    The Bureau notes that Sec.  1016.6(a)(7) requires that annual 
privacy notices incorporate any disclosures made under FCRA section 
603(d)(2)(A)(iii) regarding the consumer's ability to opt out of 
sharing of information among affiliates. Further, the notices may 
incorporate any opt-out disclosures provided under FCRA section 
624.\39\ GLBA section 503(f)(1) does not mention information sharing 
that would trigger an opt-out notice under FCRA sections 
603(d)(2)(A)(iii) or 624.
---------------------------------------------------------------------------

    \39\ 15 U.S.C. 1681s-3(b); 12 CFR 1022.23(b).
---------------------------------------------------------------------------

    Given the structure of the statute, the Bureau does not interpret 
GLBA section 503(f)(1) to preclude financial institutions that provide 
nonpublic personal information in accordance with FCRA sections 
603(d)(2)(A)(iii) or 624 from qualifying for the exception. Thus, as 
the Bureau stated in its proposal, the presence or absence of these 
FCRA disclosures on a financial institution's privacy notice will not 
affect whether the institution satisfies GLBA section 503(f)(1) and 
Sec.  1016.5(e)(1)(i). As the Bureau noted, however, financial 
institutions that choose to take advantage of the annual notice 
exception must still provide any opt-out disclosures required under 
FCRA sections 603(d)(2)(A)(iii) and 624, if applicable. Under the FCRA, 
neither of these opt-outs is required to be provided annually.\40\ 
Accordingly, institutions can provide these disclosures through other 
methods, for example, through their initial privacy notices in most 
circumstances.
---------------------------------------------------------------------------

    \40\ See 15 U.S.C. 1681a(d)(2)(A)(iii); 12 CFR 1022.21, 1022.27; 
72 FR 62910, 62930 (Nov. 7, 2007).
---------------------------------------------------------------------------

5(e)(1)(ii)

    New GLBA section 503(f)(2) states the second condition for the 
annual notice exception: that a financial institution not have changed 
its ``policies and practices with regard to disclosing nonpublic 
personal information'' from the policies and practices that were 
disclosed in the most recent notice sent to consumers in accordance 
with GLBA section 503. Because the Bureau determined that the statutory 
language was ambiguous as to the exact types of sharing intended, the 
Bureau proposed Sec.  1016.5(e)(1)(ii) to resolve this ambiguity by 
requiring that, to qualify for the annual notice exception, a financial 
institution must not have changed its policies and practices with 
regard to disclosing nonpublic personal information from the policies 
and practices that were disclosed to the customer under Sec.  
1016.6(a)(2) through (5) and (9) in the most recent privacy notice the 
financial institution provided.
    As with the first requirement for the annual notice exception at 
Sec.  1016.5(e)(1)(i), few commenters specifically discussed the second 
requirement at Sec.  1016.5(e)(1)(ii). However, the commenters 
overwhelmingly signaled their support for these provisions by 
supporting the Bureau's implementation of the statutory exception. Two 
trade associations representing credit unions did specifically express 
support for the proposed interpretation of the statutory language as 
referring only to a change to a disclosure under Sec.  1016.6(a)(2) 
through (5) and (9).
    The Bureau now adopts Sec.  1016.5(e)(1)(ii) as proposed, providing 
that, to qualify for the annual notice exception, a financial 
institution must not have changed its policies and practices with 
regard to disclosing nonpublic personal information from the policies 
and practices that were disclosed to the customer under Sec.  
1016.6(a)(2) through (5) and (9) in the most recent privacy notice the 
financial institution provided.
    Paragraphs (1) through (9) of Sec.  1016.6(a) list the specific 
information that must be included in privacy notices. Section 
1016.6(a)(2) through (5) and (9) require a financial institution to 
include information related to its policies and practices with regard 
to disclosing nonpublic personal information, but Sec.  1016.6(a)(1) 
(information collection) and Sec.  1016.6(a)(8) (confidentiality and 
security) do not.\41\ Accordingly, the Bureau believes that only 
changes to an institution's policies and practices that would require 
changes to any of the disclosures required by Sec.  1016.6(a)(2) 
through (5) and (9) would cause a financial institution to be unable to 
use the exception in Sec.  1016.5(e)(1)(ii).\42\
---------------------------------------------------------------------------

    \41\ The information specified in Sec.  1016.6(a)(6) describes 
the consumer's right pursuant to Regulation P to opt out of an 
institution's disclosure of information and would be inapplicable 
where a financial institution qualifies for the annual notice 
exception.
    \42\ To have used the Bureau's former alternative delivery 
method, the information a financial institution was required to 
convey on its annual privacy notice pursuant to Sec.  1016.6(a)(1) 
through (5), (8), and (9) was required not to have changed from the 
information disclosed in the most recent privacy notice provided to 
the consumer. See removed 12 CFR 1016.9(c)(2)(D). Thus, changes to 
the information a financial institution was required to convey 
pursuant to Sec.  1016.6(a)(1) and (8) would have prevented a 
financial institution from using the alternative delivery method but 
such changes will not prevent a financial institution from 
satisfying Sec.  1016.5(e)(1)(ii) for the annual notice exception. 
Because institutions that include information on their privacy 
notice pursuant to Sec.  1016.6(a)(7) (which relates to opt-out 
notices provided pursuant to the FCRA) were not permitted to use the 
alternative delivery method in any case, Sec.  1016.6(a)(7) was not 
listed as a type of information that if changed would have prevented 
a financial institution from using the alternative delivery method.
---------------------------------------------------------------------------

    Section 1016.6(a)(7) requires that any disclosure an institution 
makes under FCRA section 603(d)(2)(A)(iii), which describes a 
consumer's ability to opt out of disclosures of information among 
affiliates, be included on the privacy notice. The Bureau believes that 
the statute is ambiguous as to whether a financial institution that 
changes the disclosure required under Sec.  1016.6(a)(7) from the most 
recent notice sent to consumers would satisfy GLBA section 503(f)(2). 
In the proposed rule, the Bureau sought comment on whether proposed 
Sec.  1016.5(e)(1)(ii) should include changes to disclosures required 
by Sec.  1016.6(a)(7) and on how frequently institutions change that 
disclosure. The Bureau further sought comment on whether institutions 
would prefer to inform customers of these changes

[[Page 40950]]

through sending an annual privacy notice or through sending a 
disclosure describing only the FCRA section 603(d)(2)(A)(iii) opt-outs, 
if applicable, and also sought comment on the impact on consumers of 
these two methods.
    All the commenters who addressed these issues stated that changes 
to the disclosures required by FCRA section 603(d)(2)(A)(iii) should 
not affect the availability of the annual notice exception. A State-
wide trade association representing credit unions indicated that the 
presence or absence of FCRA disclosures on a credit union's privacy 
notice, and subsequent changes to those FCRA sharing practices, should 
not impact whether an institution qualifies for the annual notice 
exception. This trade association stated, without providing data, that 
it believed that changes by credit unions in its State to FCRA section 
603(d)(2)(A)(iii) information disclosures are infrequent, and that few 
such credit unions share data in a way that trigger a FCRA opt-out in 
the first place. Other commenters who discussed the 603(d)(2)(A)(iii) 
information disclosures stated that allowing changes to disqualify 
financial institutions from the annual notice exception would interfere 
with the burden reduction intended, and that FCRA has its own 
disclosure requirements.
    Given the structure of the statute, the Bureau does not interpret 
GLBA section 503(f)(2) to preclude financial institutions that make 
changes to disclosures required by Sec.  1016.6(a)(7) from qualifying 
for the exception. The Bureau also notes that a change in the 
603(d)(2)(A)(iii) information disclosures only requires a one-time 
notice and opt out. The Bureau does not believe that consumers would be 
materially benefited by requiring this one-time notice to be included 
in a privacy notice under Regulation P, especially where it is required 
in a separate notice required by the FCRA.
    In addition to the discussion of 603(d)(2)(A)(iii) information 
disclosures, the Bureau noted in the proposed rule that a financial 
institution would satisfy Sec.  1016.5(e)(1)(ii) if it changes its 
disclosures describing policies and practices with regard to disclosing 
nonpublic personal information that are included in the institution's 
privacy notice without being required by the GLBA or Sec.  1016.6 
(e.g., disclosures describing sharing with affiliates under FCRA 
section 624 or voluntary disclosures and opt-outs). The Bureau sought 
comment on whether changes to disclosures that are not required to be 
included in privacy notices by the GLBA or Sec.  1016.6 should cause an 
institution not to satisfy Sec.  1016.5(e)(1)(ii).
    The Bureau received few comments on this issue. A trade association 
representing credit unions stated that later changes to initial 
voluntary disclosures should not trigger the need to send annual 
privacy notices. The commenter suggested that imposing such a 
requirement would dissuade institutions from making voluntary 
disclosures. A banking and insurance trade association stated that 
affiliate marketing policy changes should not impact the availability 
of the exception. A trade association representing banks stated that 
changes to disclosures that are not required to be included in privacy 
notices should not trigger non-compliance. The trade association 
believed it would be costly and burdensome to add additional 
disclosures.
    As indicated in the preamble to the proposed rule, the Bureau has 
determined that disclosures describing sharing with affiliates under 
FCRA section 624 or voluntary disclosures and opt-outs will not affect 
a financial institution's eligibility for the annual privacy notice 
exception under GLBA Sec.  503(f). The Bureau believes that the 
alternative interpretation could discourage the use of voluntary 
disclosures while adding unnecessary burden.

5(e)(2) Delivery of Annual Privacy Notice After Financial Institution 
No Longer Meets Requirements for Exception

    New GLBA section 503(f) states that a financial institution that 
meets the requirements for the annual notice exception will not be 
required to provide annual notices ``until such time'' as the financial 
institution fails to comply with the criteria described in section 
503(f)(1) and 503(f)(2), which are now implemented in Sec.  
1016.5(e)(1)(i) and (ii). A financial institution will no longer meet 
the requirements for the exception either by beginning to share 
nonpublic personal information in ways that trigger rights to opt-out 
notices under the GLBA and Regulation P, or by otherwise changing its 
policies and practices with regard to disclosing nonpublic personal 
information from the policies and practices that were disclosed to the 
customer under Sec.  1016.6(a)(2) through (5) and (9) in the most 
recent privacy notice the financial institution provided.
    Financial institutions that no longer meet the conditions for the 
exception must provide customers with annual privacy notices. However, 
the GLBA, including new GLBA section 503(f), does not clearly specify 
when institutions must provide these notices. Thus, the statute is 
ambiguous on the point. It could be read to require the financial 
institution to provide an annual privacy notice by the time it changes 
its policies or practices in such a way that it no longer qualifies for 
the exception. Alternatively, it could be read to subject the financial 
institution, at the time it changes its policies or practices in such a 
way that it no longer qualifies for the exception, to the requirement 
to provide an annual privacy notice while being silent as to the timing 
for providing that notice.
    Pursuant to its authority in GLBA section 504 to issue rules to 
implement the GLBA, the Bureau proposed to resolve this ambiguity by 
adopting this second reading and issuing standards for when 
institutions must provide these notices. Specifically, in proposed 
Sec.  1016.5(e)(2)(i) and (ii), the Bureau proposed to use its 
rulemaking authority under GLBA section 504(a) to establish timing 
requirements for providing an annual notice in these circumstances. The 
Bureau proposed to establish these requirements to ensure that delivery 
of the annual privacy notice in these circumstances is consistent with 
the existing timing requirements for privacy notices in the regulation, 
where applicable, and to provide clarity to financial institutions 
regarding these requirements.
    In developing the proposed framework, the Bureau looked to existing 
requirements under the statute and regulation because they already 
address circumstances in which a financial institution might change its 
policies and procedures in a way that affects the content of the 
notices. Specifically, Sec.  1016.8 requires that the financial 
institution provide a revised notice to consumers before implementing 
certain types of changes; in other cases, the statute and regulation 
currently contemplate that a change in policy and procedure that 
affects the content of the notices would simply be reflected on the 
next regular annual notice provided to the customer. The Bureau is 
therefore proposing different timing requirements for the resumption of 
the annual notice requirement depending on whether the change at issue 
would trigger the requirement for a revised notice under Sec.  1016.8 
prior to the change taking effect.
    Accordingly, the timing requirements in proposed Sec.  
1016.5(e)(2)(i) and (ii) would differ depending on whether the change 
that causes the financial institution to no longer satisfy the 
conditions for the annual notice

[[Page 40951]]

exception also triggers a requirement under existing Regulation P to 
deliver a revised notice. Section 1016.8 currently requires that 
financial institutions provide revised notices to consumers before the 
institutions share nonpublic personal information with a nonaffiliated 
third party if their sharing would be different from what the 
institution described in the initial notice it delivered. After 
delivering the revised notice, the financial institution must also give 
the consumer a reasonable opportunity to opt out of any new information 
sharing beyond the Regulation P exceptions before the new sharing 
occurs.
    Three-fifths of all industry commenters on the proposed rule 
specifically addressed the proposed timing requirements. The comments 
on the timing requirements viewed the requirement in Sec.  
1016.5(e)(2)(i) and that in Sec.  1016.5(e)(2)(ii) very differently, as 
will be discussed below in regard to those sections. In regard to the 
overall timing requirements, one trade association representing credit 
unions expressed appreciation for the Bureau's proposal, stating that 
such clarification will eliminate confusion surrounding delivery 
requirements after a financial institution no longer meets the 
requirements for the exception. A trade association representing banks 
supported the proposed timing requirements, asserting that institutions 
will not find it difficult to comply with the suggested conditions. 
This commenter also requested clarification that once notices are sent 
and there are no further privacy changes, an institution will be able 
to again qualify for the exception, thus excepting them from having to 
send further annual notices.
    The Bureau is adopting the timing provisions largely as proposed, 
with a change to the duration of the timing requirement in Sec.  
1016.5(e)(2)(ii), as discussed below. The Bureau is also adding another 
example to Sec.  1016.5(e)(2)(iii) to clarify whether a financial 
institution again qualifies for the annual notice exception after 
delivering an annual notice under Sec.  1016.5(e)(2).

5(e)(2)(i) Changes Preceded by a Revised Privacy Notice

    For changes to a financial institution's policies or practices that 
cause it to no longer satisfy the conditions for the exception and also 
trigger an obligation to send a revised notice prior to the change, the 
Bureau proposed in Sec.  1016.5(e)(2)(i) that financial institutions 
would be required to resume delivery of their subsequent regular annual 
notices pursuant to the existing timing requirements that govern 
delivery of annual notices generally. Because the revised notice would 
inform the customer of the institution's changed policies and practices 
before any new sharing occurs, the Bureau believed that there is no 
clear urgency regarding delivery of the first annual notice subsequent 
to implementation of the new policies and procedures.
    Specifically, Sec.  1016.4(a)(1) generally requires a financial 
institution to provide an initial notice to an individual who becomes 
the institution's customer no later than when it establishes a customer 
relationship. Section 1016.5(a) requires a financial institution to 
provide a privacy notice to its customers ``not less than annually'' 
during the continuation of any customer relationship. Section 
1016.5(a)(1) defines annually to mean ``at least once in any period of 
12 consecutive months.'' It further provides that a financial 
institution ``may define the 12-consecutive-month period, but [] must 
apply it to the customer on a consistent basis.'' Section 1016.5(a)(2) 
provides an example of the meaning of ``annually'' in relation to the 
delivery of the first annual notice after the initial notice:

    You provide a notice annually if you define the 12-consecutive-
month period as a calendar year and provide the annual notice to the 
customer once in each calendar year following the calendar year in 
which you provided the initial notice. For example, if a customer 
opens an account on any day of year 1, you must provide an annual 
notice to that customer by December 31 of year 2.

    The example in Sec.  1016.5(a)(2) provides financial institutions 
with the flexibility to select a specific date during the year to 
provide annual notices to all customers, regardless of when a 
particular customer relationship began. This flexibility avoids 
burdening institutions with either having to provide annual notices on 
the anniversary of initial notices, or alternatively providing two 
notices in the first year of the customer relationship to get all 
accounts originated in a given calendar year on the same cycle for 
delivering subsequent annual notices.
    The Bureau proposed that the approach to timing of the annual 
notice in Sec.  1016.5(a)(2) be applied if a financial institution 
makes a change that causes it to lose the exception and triggers the 
requirement to deliver a revised notice prior to the change. Under the 
proposed approach, if a financial institution provides a revised notice 
on any day of year 1 in advance of changing its policies or practices 
such that it loses the exception, that revised notice would be treated 
as analogous to an initial notice in Sec.  1016.5(a)(2). Assuming that 
the financial institution defines the 12-month period as the calendar 
year, the financial institution would have to provide the first annual 
notice after losing the exception by December 31 of year 2.
    The Bureau invited comment on the timing conditions proposed in 
Sec.  1016.5(e)(2)(i). Few commenters separately discussed Sec.  
1016.5(e)(2)(i). All commenters who explicitly addressed the proposed 
timing requirements under Sec.  1016.5(e)(2)(i) agreed with the 
Bureau's proposed approach. No industry commenters suggested 
alternative timing conditions. One credit union asserted that the 
proposed timing condition would incentivize credit unions to plan and 
notify their members in advance of making changes to privacy policies. 
Two trade associations representing banks and credit unions supported 
the timing requirement because it would prevent institutions from 
having to send out multiple notices within the same year. The trade 
association representing credit unions asserted that redundant notices 
provide no benefit to consumers and pose a burden and expense on credit 
unions.
    The Bureau now adopts Sec.  1016.5(e)(2)(i) as proposed. The Bureau 
believes that using the same approach in Sec.  1016.5(e)(2)(i) as in 
existing Sec.  1016.5(a)(2) is appropriate for two reasons. First, 
customers will receive a revised notice informing them of the change in 
the financial institution's policies or practices before the change 
occurs, and thus customers will not be harmed by the financial 
institution taking a longer period of time in which to deliver the 
first annual notice after the annual notice exception has been lost. 
Second, this approach will preserve flexibility for financial 
institutions and avoid requiring them to deliver a revised notice and 
an annual notice in the same year, and allowing them to use a 
convenient delivery date for annual notices for all customers. The 
Bureau believes this flexibility is justified because a financial 
institution that is required to deliver a revised privacy notice 
pursuant to Sec.  1016.8 may have continuing annual notice obligations 
after the exception is lost. Such an institution could be sharing other 
than as described in the Regulation P exceptions and thus fail to 
satisfy Sec.  1016.5(e)(1)(i), making the annual notice exception 
unavailable in future years.

[[Page 40952]]

5(e)(2)(ii) Changes Not Preceded by a Revised Privacy Notice

    For financial institutions that change their policies and practices 
in such a way as to lose the Sec.  503(f) exception, but do not share 
information in a way that triggers the requirement under Sec.  1016.8 
to deliver a revised notice prior to the change, the Bureau proposed 
that a financial institution must deliver the annual notice within 60 
days after the change that caused the institution to lose the 
exception. The Bureau proposed this 60-day period for providing the 
annual notice in this situation because customers would not receive a 
revised notice from the financial institution prior to the 
institution's change in policies or practices.
    The Bureau requested comment on whether 60 days is an appropriate 
period for delivering annual notices in these circumstances or if 
another period would be more appropriate. Approximately half of all 
commenters specifically addressed the timing conditions proposed under 
Sec.  1016.5(e)(2)(ii). These commenters generally opposed the 60-day 
requirement, advocating instead for an increased amount of time for 
institutions to deliver the revised notice. The majority of these 
commenters requested at least 90 days to deliver the notice.
    Trade associations representing credit unions cited cost concerns 
with the 60-day requirement, asserting that because they send quarterly 
statements to many consumers, the timing requirement would require 
institutions to send out an additional notice. Some of these commenters 
suggested that 90 days was a more appropriate timeframe, as it would 
allow institutions to minimize costs by sending the revised notice with 
the next quarterly statement. One of these trade associations 
representing credit unions also asserted that 60 days was too brief, 
particularly for small credit unions addressing inadvertent changes. 
This commenter suggested 90 to 120 days to allow credit unions the 
opportunity to include the notice with the quarterly periodic 
statement, and noted that while all members may not receive monthly 
statements, most receive account statements quarterly.
    Other industry commenters suggested 120 days as an appropriate time 
to deliver the annual notice. A few of these commenters cited the same 
above-mentioned cost concerns that are associated with separate 
mailers. These commenters asserted that 120 days would allow the notice 
to be included with regularly scheduled member statements, therefore 
eliminating the need for an additional mailer. One industry commenter 
representing credit unions noted that a separate mailer would be 
especially costly for smaller credit unions with fewer resources.
    Industry commenters who suggested 120 days also stated, without 
specific explanation, that the proposed 60-day requirement did not 
provide institutions enough time to perform. A few of these industry 
commenters asserted that smaller credit unions, particularly those with 
fewer resources, would find the 60-day time frame too short. Some of 
those same commenters thought that larger credit unions with numerous 
departments working to consolidate information would also struggle to 
meet the 60-day requirement. Several trade associations representing 
credit unions stated that a longer time frame would allow credit unions 
time to organize logistics, educate staff, and command the resources 
necessary to draft and send the required notice. One industry commenter 
stated that an extension would not negatively impact consumers because 
prior notice is still required when changes allow sharing with third 
parties of non-public personal information and the option to opt out in 
advance.
    One trade association commenter representing credit unions 
suggested at least 180 days, citing the fact that Sec.  1016.8 does not 
require a revised privacy notice under the circumstances described in 
Sec.  1016.5(e)(2)(ii). This commenter also suggested that to combat 
costs, financial institutions should have the option to include a 
message on periodic statements or mailers that there has been a change 
to the privacy notice, and direct the recipient to the financial 
institution's website to view and download an electronic copy of the 
revised notice.
    The Bureau now adopts the timing provision in Sec.  
1016.5(e)(2)(ii) with a 100 calendar day period during which the 
financial institution must provide the annual privacy notice. The 
unanimous industry objection to the 60-day period suggests that the 
proposal likely would have imposed costs that the Bureau had not 
anticipated. The 100-day period will accommodate the inclusion of the 
notice with quarterly statements. The Bureau believes that providing 10 
days in addition to the 90 days many commenters requested is 
appropriate because most calendar quarters are slightly longer than 90 
days, and a short additional period should be allowed for 
administrative activities and to provide flexibility if the end date 
falls on a weekend or holiday. The Bureau does not believe that 
consumers will be harmed by this extension of the time period from the 
proposal.
    However, the Bureau notes that the commenters requesting 120 or 180 
days provided no specific reason why allowing such additional time 
would contribute to cost savings beyond allowing the notice to be 
included in quarterly statements. The Bureau is not aware of any other 
reason, and therefore declines to adopt a longer period.
    The Bureau believes that the 100-day deadline will not impose undue 
or unreasonable costs on financial institutions, particularly since the 
delivery requirement is effectively a one-time burden absent additional 
changes to a financial institution's policies and practices. 
Specifically, after providing the one annual notice, the financial 
institution will likely once again meet both of the conditions for the 
exception--it will not be sharing nonpublic personal information with 
nonaffiliates other than as described in a Regulation P exception to 
the opt-out requirements and its policies and practices will not have 
changed since it provided the annual notice. Because the financial 
institution likely will once again meet the conditions for the 
exception, it likely will not be required to provide future annual 
notices. In other words, these financial institutions will likely lose 
the exception for only a single year. The Bureau is including an 
additional example in Sec.  1016.5(e)(2)(iii)(B) for clarity. Given 
that financial institutions delivering notices pursuant to Sec.  
1016.5(e)(2)(ii) will likely have no continuing obligation to send 
annual notices, they likely will not need flexibility in choosing a 
convenient delivery date for future annual notices, beyond the 100 days 
of flexibility being provided for a single privacy notice.\43\
---------------------------------------------------------------------------

    \43\ If the financial institution were to make changes in the 
future to its practices and policies, these changes could trigger a 
new obligation to provide annual privacy notices.
---------------------------------------------------------------------------

    In regard to the comment that the regulation should allow financial 
institutions to include a message on periodic statements or mailers 
directing customers to an electronic copy of the annual notice, the 
Bureau believes that any reduction in costs would be minimal because 
the financial institution is likely not required to provide more than 
one notice. In addition, the Bureau did not propose or request comment 
on such an option.
    The Bureau also notes that financial institutions have substantial 
flexibility in managing the burden involved in sending the one annual 
notice because institutions can generally choose when

[[Page 40953]]

they change their policies or practices. Accordingly, an institution 
can choose when to make the change triggering the commencement of the 
100-day period for delivery of the annual notice, so that the date of 
delivery can be as convenient and low-cost as possible.

5(e)(2)(iii) Examples

    In order to facilitate compliance with proposed Sec.  1016.5(e)(2), 
the Bureau proposed Sec.  1016.5(e)(2)(iii) to provide an example for 
when an institution must provide an annual notice after changing its 
policies or practices such that it no longer meets the requirements for 
the annual notice exception set forth in proposed Sec.  1016.5(e)(1).
    The Bureau did not receive any comments specifically discussing the 
example provided in Sec.  1016.5(e)(2)(iii). Because the Bureau 
believes that the example will provide clarity and facilitate 
compliance, it is now being made final in Sec.  1016.5(e)(2)(iii)(A), 
with a minor change due to the alteration of the time frame in Sec.  
1016.5(e)(2)(ii). In addition, the Bureau is providing a second 
example, in Sec.  1016.5(e)(2)(iii)(B), to facilitate compliance when a 
financial institution must only provide one annual notice before it 
again qualifies for the Sec.  1016.5(e)(1) exception.
    Section 1016.5(e)(2)(iii)(A) provides an example for when an 
institution must provide an annual notice after changing its policies 
or practices such that it no longer meets the requirements for the 
annual notice exception in Sec.  1016.5(e)(1). The Bureau believes this 
example will facilitate compliance with Sec.  1016.5(e)(2). The example 
assumes that an institution changes its policies or practices effective 
April 1 of year 1 and defines the 12-consecutive-month period pursuant 
to Sec.  1016.5(a)(1) as a calendar year. Section 1016.5(e)(2)(iii)(A) 
states that the institution must provide an annual notice by December 
31 of year 2 if the institution was required to provide a revised 
notice prior to the change and provided that revised notice on March 1 
of year 1 in advance of the change. Section 1016.5(e)(2)(iii)(A) 
further states that the institution must provide an annual notice by 
July 9 of year 1 if the institution was not required to provide a 
revised notice prior to the change.
    The Bureau is also providing a second example, in Sec.  
1016.5(e)(2)(iii)(B), to facilitate compliance when a financial 
institution must provide only one annual notice before it again 
qualifies for the Sec.  1016.5(e)(1) exception, as discussed above in 
relation to Sec.  1016.5(e)(2)(ii). The example assumes that a 
financial institution changes its policies and practices in such a way 
that it no longer meets the requirements of Sec.  1016.5(e)(1), and so 
provides an annual notice to its customers. The example further assumes 
that after providing the annual notice to its customers, the financial 
institution once again meets the requirements of Sec.  1016.5(e)(1) for 
an exception to the annual notice requirement. The example explains 
that the financial institution does not need to provide additional 
annual notices to its customers until such time as it no longer meets 
the requirements of Sec.  1016.5(e)(1).

Section 1016.9 Delivering Privacy and Opt Out Notices

9(c)(2) Alternative Delivery Method for Providing Certain Annual 
Notices

    As discussed in Part II, the Bureau amended Regulation P in October 
2014 to allow financial institutions that met certain criteria to 
deliver annual notices pursuant to the ``alternative delivery method.'' 
Because financial institutions that met the conditions in Regulation P 
to use the alternative delivery method will also meet the conditions 
for the statutory exception in section 503(f), the Bureau proposed to 
remove the alternative delivery method from Regulation P by removing 
Sec.  1016.9(c)(2) and renumbering existing Sec.  1016.9(c)(1) as Sec.  
1016.9(c).
    Commenters generally expressed support for the proposed removal of 
the alternative delivery method. Ten commenters addressed the issue, 
with eight supporting the proposal and two opposing it.
    Some commenters welcomed elimination of the alternative delivery 
method, asserting that the conditions associated with the 2014 
provision deterred institutions from taking advantage of the intended 
relief. A debt collector organization stated that the alternative 
delivery method did not provide a solution for many debt collectors and 
consumers. This commenter asserted that the alternative delivery 
required model form created a significant risk of class action 
litigation because of claims that the language conflicts with the Fair 
Debt Collection Practices Act's prohibitions on third-party disclosure. 
A commenter representing several trade associations stated that the 
alternative delivery method requirement to post the notice online 
eliminated any benefits from the 2014 rule.
    Two trade associations agreed that the alternative delivery method 
would no longer be useful in light of the statutory exception to the 
annual notice requirement, and one of these trade associations stated 
that it was unlikely that financial institutions would continue to use 
a complex means of compliance when a simpler one was available.
    Several commenters discussed benefits associated with eliminating 
the alternative delivery method. One trade association stated that 
removing the alternative delivery method would eliminate confusion 
between the rule and the statute. Another trade association 
representing banks expressed appreciation of the elimination of the 
alternative delivery method, arguing that it would remove the confusion 
of having both an exception from the annual privacy notice and an 
alternative to the delivery requirement. One trade association stated 
that consumers will benefit from the elimination of the method, as they 
will experience decreasing information overload.
    One trade association representing banks requested clarification 
that institutions that qualify for the exception but still keep a copy 
of the privacy policy on their websites will not be criticized or 
penalized.
    Two trade association commenters representing the consumer credit 
industry and credit unions did not support removal of the alternative 
delivery method. These commenters stated that their customers or 
members prefer to receive communications electronically. Both 
commenters cited cost burdens associated with mailing privacy notices.
    The trade association representing the consumer credit industry 
stated that several of their member financial institutions, 
particularly those that provide indirect auto loans, do not qualify for 
the statutory exception to the annual notice requirement because the 
institutions share consumer information with nonaffiliated third 
parties other than as described in Sec. Sec.  1016.13, 14 and 15. These 
institutions are required under Sec.  1016.10 of Regulation P to inform 
consumers through the institution's annual privacy notice that the 
consumer has a right to opt out of that information sharing. The trade 
association representing the consumer credit industry encouraged 
expansion of the alternative delivery method, highlighting the cost 
effectiveness of electronic delivery and stating that many institutions 
upgraded systems to implement the alternative delivery method under the 
2014 rule. This commenter also urged the Bureau to consider allowing 
institutions that share with nonaffiliated third parties to deliver 
their privacy notices electronically, such as via website

[[Page 40954]]

posting, similar to the method permitted by the alternative delivery 
method.
    After considering the comments, the Bureau now adopts the proposed 
change, removing the alternative delivery method from Regulation P by 
removing Sec.  1016.9(c)(2) and renumbering former Sec.  1016.9(c)(1) 
as Sec.  1016.9(c).
    Any financial institution that met the conditions to use the 
alternative delivery method will also meet the conditions to be 
excepted from delivering an annual privacy notice pursuant to new GLBA 
section 503(f). First, new GLBA section 503(f)(1) is substantively 
identical to the first requirement for using the alternative delivery 
method: \44\ That the financial institution share nonpublic personal 
information about customers with nonaffiliated third parties only in 
ways that do not give rise to the customer's right to opt out of that 
sharing.\45\ Second, new GLBA section 503(f)(2) is similar to the 
fourth requirement for using the alternative delivery method: that the 
institution must not have changed its policies and practices with 
regard to disclosing nonpublic personal information from those that 
were disclosed to the customer in the most recent privacy notice.\46\ 
Accordingly, any financial institution that would have met the 
requirements in former Sec.  1016.9(c)(2) will also meet the 
requirements of section 503(f).
---------------------------------------------------------------------------

    \44\ See removed 12 CFR 1016.9(c)(2)(i)(A).
    \45\ This sharing is pursuant to GLBA section 503(b)(2) and (e), 
which correspond to Regulation P Sec. Sec.  1016.13, 1016.14, and 
1016.15.
    \46\ See removed 12 CFR 1016.9(c)(2)(i)(D). The requirement in 
former Sec.  1016.9(c)(2)(i)(D) was somewhat more restrictive 
because it required a financial institution not to have changed its 
practices with respect to disclosing nonpublic personal information 
and protecting the confidentiality and security of nonpublic 
personal information whereas section 503(f)(2) requires that the 
institution not have changed its policies only with respect to 
disclosing nonpublic personal information. See the section-by-
section analysis of Sec.  1016.5(e)(1)(ii) for further discussion.
---------------------------------------------------------------------------

    The Bureau believes that a financial institution that has both 
options available to it would choose not to send the annual privacy 
notice at all, rather than to deliver it pursuant to the alternative 
delivery method, so that it can eliminate rather than merely reduce the 
cost of providing annual notices. Given that any financial institution 
that qualifies to use the alternative delivery method for its annual 
notices also meets the qualifications for the new annual notice 
exception, the Bureau believes that including the alternative delivery 
method in Regulation P is no longer useful.
    The Bureau notes that financial institutions that delivered annual 
notices using the alternative delivery method while it was in effect 
delivered those notices using a method that was in compliance with 
Regulation P, notwithstanding that the alternative delivery method 
provision is now being removed from the regulation. The Bureau further 
notes that financial institutions that qualify for the new annual 
notice exception may still choose to post privacy notices on their 
websites, deliver privacy notices to consumers who request them, and 
notify consumers of the notices' availability. Such activities will not 
affect a financial institution's eligibility for the new 503(f) 
exception.
    The Bureau has considered the comments suggesting that it retain 
and expand the alternative delivery method for providing annual privacy 
notices. In this rulemaking, the Bureau is implementing the FAST Act 
amendments to the GLBA, which eliminate the requirement that financial 
institutions provide an annual privacy notice if certain conditions are 
met. In making these amendments to the GLBA, Congress did not address 
the delivery method financial institutions must or may use if they 
continue to be required to provide an annual privacy notice, including 
where financial institutions have not changed their privacy policies 
since their last privacy notice and they share information with 
nonaffiliated third parties other than as described in Sec. Sec.  
1016.13, .14, and .15. Because Congress did not address these issues in 
the FAST Act amendments to the GLBA, the Bureau declines to address 
them in this rulemaking to implement those amendments.

V. Dodd-Frank Act Section 1022(b)(2) Analysis

A. Overview

    In developing the final rule, the Bureau has considered the 
potential benefits, costs, and impacts as required by section 
1022(b)(2) of the Dodd-Frank Act.\47\ The Bureau requested comment on 
the preliminary analysis as well as the submission of additional data 
that could inform the Bureau's analysis of the benefits, costs, and 
impacts of the rule. The Bureau received one comment on the preliminary 
analysis, which it has considered in developing this final analysis. In 
addition, the Bureau has consulted and coordinated with the SEC, CFTC, 
FTC, and NAIC, and consulted with or offered to consult with the OCC, 
Federal Reserve Board, FDIC, NCUA, and HUD, including regarding 
consistency with any prudential, market, or systemic objectives 
administered by such agencies.
---------------------------------------------------------------------------

    \47\ Specifically, section 1022(b)(2)(A) of the Dodd-Frank Act 
calls for the Bureau to consider the potential benefits and costs of 
a regulation to consumers and covered persons, including the 
potential reduction of access by consumers to consumer financial 
products or services; the impact on depository institutions and 
credit unions with $10 billion or less in total assets as described 
in section 1026 of the Dodd-Frank Act; and the impact on consumers 
in rural areas.
---------------------------------------------------------------------------

    This final rule implements the December 2015 amendment to the GLBA 
by amending Sec.  1016.5 of Regulation P to provide that a financial 
institution is not required to deliver an annual privacy notice if it:
    (1) Provides nonpublic personal information to nonaffiliated third 
parties only in accordance with the provisions of Sec.  1016.13, Sec.  
1016.14, or Sec.  1016.15; and
    (2) Has not changed its policies and practices with regard to 
disclosing nonpublic personal information from the policies and 
practices that were disclosed to the customer under Sec.  1016.6(a)(2) 
through (5) and (9) in the most recent privacy notice provided.
    In considering the potential benefits, costs, and impacts of the 
rule, the Bureau takes as the baseline for the analysis the legal 
regime that existed prior to the FAST Act's amendment of the GLBA.\48\ 
This regime includes the current provisions of Regulation P. The Bureau 
assumes that all financial institutions that can use the alternative 
delivery method provided in Sec.  1016.9(c)(2) are doing so.
---------------------------------------------------------------------------

    \48\ The proposal referred to this as the ``regulatory regime 
that currently exists.'' 81 FR at 44808. However, the baseline the 
Bureau is using did not and does not reflect that the FAST Act has 
taken effect. The Bureau has discretion in each rulemaking to choose 
the relevant provisions to discuss and to choose the most 
appropriate baseline for that particular rulemaking.
---------------------------------------------------------------------------

B. Potential Benefits and Costs to Consumers and Covered Persons

    The impact on consumers of Sec.  1016.5(e) depends on whether the 
particular consumer prefers or would otherwise benefit from receiving 
an annual privacy notice that does not offer the consumer an opt-out 
under the GLBA and is largely unchanged\49\ from previous notices. 
Under Sec.  1016.5(e), financial institutions that meet the 
requirements for the annual notice exception would not be required to 
provide consumers with annual privacy notices, and the Bureau 
anticipates that most institutions would decide not to provide notices 
in these circumstances.

[[Page 40955]]

While there is no data available on the number of consumers who are 
indifferent to (or dislike) receiving unchanged privacy notices every 
year, the limited use of opt-outs and anecdotal evidence suggest that 
there are such consumers.\50\ For this group of consumers, Sec.  
1016.5(e) might provide a benefit because it would be available to some 
institutions that cannot use the alternative delivery method, so that 
more consumers would stop receiving mailed annual privacy notices.
---------------------------------------------------------------------------

    \49\ As discussed in part IV in the section-by-section analysis 
of Sec.  1016.5(e)(1)(ii), certain changes to an institution's 
policies or practices would not cause the institution to lose the 
annual notice exception.
    \50\ One early analysis of the use of the opt-outs reported at 
most 5% of consumers make use of them in any year, and likely fewer. 
See Jeffrey M. Lacker, The Economics of Financial Privacy: To Opt 
Out or Opt In?, 88/3 Fed. Res. Bank Rich. Econ. Q., at 11 (Summer 
2002), available at https://www.richmondfed.org/-/media/richmondfedorg/publications/research/economic_quarterly/2002/summer/pdf/lacker.pdf. One commenter on the proposed rule also estimated 
that 5% of consumers use opt-outs. AFSA Comment letter, August 10, 
2016.
---------------------------------------------------------------------------

    For other consumers who would prefer or otherwise benefit from 
receiving the annual notices, there will be some cost because many 
institutions that previously delivered notices--whether through the 
standard delivery methods or through the alternative delivery method 
that includes posting on the institution's website--will no longer 
deliver annual notices. Consumers may be less informed about 
opportunities to limit a financial institution's information sharing 
practices if the financial institution meets the requirements for the 
annual notice exception and chooses not to provide annual notices. For 
example, some consumers will receive fewer notices in which a financial 
institution offers voluntary opt-outs, i.e., opt-outs that the 
financial institution is not required by Regulation P to offer 
(because, for example, the type of sharing the financial institution 
does is covered by an exception) but that the institution decides to 
provide anyway via the annual privacy notice. Voluntary opt-outs do not 
appear to be common, however.\51\ Further, institutions may continue to 
offer voluntary opt-outs and may offer them through other mechanisms 
even if they do not provide annual privacy notices.
---------------------------------------------------------------------------

    \51\ See Lorrie Faith Cranor et al., Are They Actually Any 
Different? Comparing Thousands of Financial Institutions' Privacy 
Practices, available at http://www.econinfosec.org/archive/weis2013/papers/CranorWEIS2013.pdf (submitted as part of The Twelfth Workshop 
on the Economics of Information Security (WEIS 2013), June 11-12, 
2013, Georgetown University, Washington, DC). Their findings (Table 
2) imply that at most 15% of the 3,422 FDIC insured depositories 
that post the model privacy form on their websites offer at least 
one voluntary opt-out. Data from a much larger group of financial 
institutions analyzed by Cranor et al. (undated) imply (Table 2) 
that at most 27% of the 6,191 financial institutions that post the 
model privacy form on their websites offer at least one voluntary 
opt-out.
---------------------------------------------------------------------------

    If financial institutions choose not to provide notices pursuant to 
the annual notice exception, consumers may also be less informed of 
their opt-out rights under the FCRA. Section 503(c)(4) of the GLBA and 
Regulation P require financial institutions providing initial and 
annual privacy notices to incorporate into them any notification and 
opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of 
the FCRA.\52\ Section 624 of the FCRA and Regulation V also permit (but 
do not require) financial institutions providing initial and annual 
privacy notices under Regulation P to incorporate any opt-out 
disclosures provided under section 624 of the FCRA and subpart C of 
Regulation V into those notices.\53\ Because financial institutions 
will likely decide not to provide annual notices pursuant to the 
exception in proposed Sec.  1016.5(e), consumers may be less informed 
of their opt-out rights pursuant to these sections of the FCRA to the 
extent that institutions use less effective methods to convey 
information about these rights to consumers.\54\ Consumers also may be 
less informed about a financial institution's data collection practices 
and its policies and practices with respect to protecting the 
confidentiality and security of nonpublic personal information.
---------------------------------------------------------------------------

    \52\ 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).
    \53\ 15 U.S.C. 1681s-3(b); 12 CFR 1022.23(b).
    \54\ As explained in the section-by-section analysis of Sec.  
1016.5(e)(1)(i) in part IV, the annual notice exception in Sec.  
1016.5(e) does not relieve financial institutions of the obligation 
to provide consumers with the information that is required under 
FCRA sections 603(d)(2)(A)(iii) or 624.
---------------------------------------------------------------------------

    Regarding benefits and costs to covered persons, the primary effect 
of the rule will be burden reduction achieved by lowering the costs to 
industry of providing annual privacy notices. Section 1016.5(e) imposes 
no new compliance requirements on any financial institution. Any 
institution that could use the alternative delivery method will meet 
the requirements for the annual notice exception pursuant to Sec.  
1016.5(e).\55\ A financial institution that is in compliance with 
current law will not be required to take any different or additional 
action unless it chooses to take advantage of the annual notice 
exception and thus will be required to separately meet its opt-out 
obligations, if any, pursuant to the FCRA.\56\ This analysis assumes 
that no financial institution will do so unless the net result of the 
choice is burden reducing.
---------------------------------------------------------------------------

    \55\ Any financial institution that meets the conditions to use 
the alternative delivery method will also meet the conditions to be 
excepted from delivering an annual privacy notice pursuant to new 
GLBA section 503(f) because the two conditions for section 503(f) 
are closely related to conditions for using the alternative delivery 
method. See the section-by-section analysis of Sec.  1016.9(c) for 
further explanation.
    \56\ See the section-by-section analysis to Sec.  
1016.5(e)(1)(i) in part IV for an explanation of the interaction 
between the annual notice exception and the opt-outs provided under 
FCRA sections 603(d)(2)(A)(iii) and 624.
---------------------------------------------------------------------------

    The expected cost savings to financial institutions from the 
revisions to Sec.  1016.5(e) depend on whether the financial 
institution uses the alternative delivery method under the baseline. 
Financial institutions that currently use the alternative delivery 
method will likely cease complying with the requirements in current 
Sec.  1016.9(c)(2) since they necessarily meet the requirements of the 
exception to the annual notice requirement and thus will no longer be 
required to deliver an annual notice.\57\ However, the Bureau expects 
that financial institutions that change from using the alternative 
delivery method to provide annual notices to not providing these 
notices at all will achieve little cost savings.\58\ Financial 
institutions that currently do not use the alternative delivery method 
are expected to use the proposed annual notice exception if the 
expected costs of any changes required to use the exception and the 
costs of any consequences of not providing the annual disclosure will 
be lower than the costs of complying with current Regulation P. The 
Bureau believes that few such financial institutions will find it in 
their interests to change their information sharing practices in order 
to use the annual notice exception. Thus, the Bureau takes the 
information sharing practices of financial institutions as given and 
considers how many financial institutions that do not currently meet 
the requirements to use the alternative delivery method can use the 
annual notice exception.\59\ As a practical matter, the Bureau 
identifies these institutions solely by their

[[Page 40956]]

information sharing practices: That is to say, the Bureau identifies 
the financial institutions whose current information sharing practices 
do not meet the standards in Sec.  1016.9(c)(2) but will meet the 
standards in Sec.  1016.5(e). The Bureau then estimates the ongoing 
savings in costs to these financial institutions from no longer sending 
the annual privacy notice.\60\
---------------------------------------------------------------------------

    \57\ See supra note 52.
    \58\ The Bureau believes that the alternative delivery method 
imposes little ongoing cost to financial institutions that have 
adopted it. These costs derive from the additional text on an 
account statement, coupon book, notice or disclosure the institution 
already provides; maintaining a web-page dedicated to the annual 
privacy notice; responding to telephone calls from a very small 
number of consumers requesting that the model form be mailed; and 
mailing the forms prompted by these calls.
    \59\ Because the Bureau takes institutions' sharing practices as 
given and because the cost savings estimate is based on a single 
year, the expected cost savings for institutions does not account 
for a reduction or increase in aggregate cost savings that may occur 
if any institutions change their sharing practices in the future 
such that they no longer meet the requirements for the annual notice 
exception or they begin to meet those requirements.
    \60\ The Bureau assumes that a financial institution used the 
alternative delivery method whenever the Bureau can obtain the 
annual privacy notice from the website of the financial institution 
and the Bureau concludes from the information on the privacy notice 
that the information sharing practices of the financial institution 
comply with removed Sec.  1016.9(c)(2). If a financial institution 
did not use the model form, the Bureau assumes that the financial 
institution would have adopted the model form if the information 
sharing practices complied with Sec.  1016.9(c)(2). This methodology 
overstates the number of these financial institutions that could 
have used the alternative delivery method, because some of these 
financial institutions might not have met all of the requirements of 
Sec.  1016.9(c)(2), and therefore understates the benefits of the 
annual notice exception to these financial institutions. On the 
other hand, if a financial institution does not have a website, the 
Bureau cannot (as a practical matter) obtain and evaluate its 
information sharing practices. In this case, the Bureau assumes that 
the financial institution cannot use either the alternative delivery 
method or the annual notice exception. This also tends to understate 
the benefits of the annual notice exception to these financial 
institutions, since none of them could have used the alternative 
delivery method but some might be able to use the annual notice 
exception.
---------------------------------------------------------------------------

    For the 2014 Annual Privacy Notice Rule, the Bureau collected a 
sample of privacy policies from banks and credit unions and estimated 
both the number of financial institutions that would adopt the 
alternative delivery method and the aggregate cost savings that would 
result.\61\ Specifically, the Bureau examined the privacy policies of 
19 banks with assets over $100 billion as well as the privacy policies 
of 106 additional banks selected through random sampling. The Bureau 
previously concluded that 80% of banks could use the alternative 
delivery method that was set forth in Sec.  1016.9(c)(2). For the 
current rulemaking, the Bureau re-analyzed this sample to identify 
banks with information sharing practices that do not meet the standard 
in Sec.  1016.9(c)(2) but will meet the standard in Sec.  1016.5(e). In 
the re-analysis, the Bureau finds that 48% of banks that could not use 
the alternative delivery method can use the proposed exception to the 
annual notice requirement. Most of these banks were not able to use the 
alternative delivery method because they offered opt-outs to consumers 
pursuant to FCRA section 603(d)(2)(A)(iii); a financial institution can 
meet the requirements for the annual notice exception in Sec.  
1016.5(e) even if it offers such opt-outs. Specifically, the Bureau 
previously estimated that approximately 1,350 banks could not use the 
alternative delivery method and our re-analysis shows that 650 of these 
banks (48%) will be able to use the annual notice exception.\62\ For 
banks with assets over $10 billion, 70% of those that could not use the 
alternative delivery method can use the annual notice exception. For 
banks with assets of $10 billion or less and banks with assets of $500 
million or less, the respective figures are 47% and 40%.
---------------------------------------------------------------------------

    \61\ See 79 FR 64057, 64076-64077 (Oct. 28, 2014). Note that the 
term ``banks'' as used throughout this rule includes savings 
associations.
    \62\ While these 650 banks are just 9.5% of all banks, this 
percentage does not take into account the fact that the majority of 
banks could not potentially benefit from the exception to the annual 
privacy notice requirement since (by our previous analysis) they 
already use the alternative delivery method.
---------------------------------------------------------------------------

    The Bureau also previously examined the privacy policies of the 
four credit unions with assets over $10 billion as well as the privacy 
policies of 50 additional credit unions selected through random 
sampling. The Bureau previously concluded that 46% of credit unions 
could use the alternative delivery method. The information evaluated in 
the re-analysis shows that none of the credit unions that could not use 
the alternative delivery method will be able to use the exception to 
the annual notice requirement. Credit unions that clearly could not use 
the alternative delivery method generally shared information with 
nonaffiliated third parties other than as specified in the exceptions 
in Sec. Sec.  1016.13, 1016.14, and 1016.15. However, there are a 
number of cases in which the Bureau could not readily evaluate the 
information sharing practices of the sampled credit union because it 
did not have a website, did not post the privacy notice on its website, 
or did not use the model form.\63\ In the proposal, the Bureau 
requested data and other factual information on the use of the 
alternative delivery method by credit unions and the likely use of the 
proposed annual notice exception by credit unions that cannot use the 
alternative delivery method. No comments provided data in response to 
this request.\64\
---------------------------------------------------------------------------

    \63\ One or more of these conditions held for a number of credit 
unions with assets of $500 million or less. As explained above, if a 
financial institution did not have a website or did not post the 
privacy notice on their website, the Bureau made the conservative 
assumption that it did not benefit from the alternative delivery 
method and will not benefit from the new annual notice exception. 
See also 79 FR 64057, 64076 (Oct. 28, 2014).
    \64\ Although no credit unions or credit union advocates 
commented or provided data, one State trade association representing 
banks stated that many financial institutions will appreciate and 
take advantage of the exception, but it will not create additional 
costs or harm to consumers. That commenter did not provide data.
---------------------------------------------------------------------------

    Regarding the number of non-depository financial institutions that 
will benefit from the exception to the annual notice requirement, the 
Bureau uses the same basic methodology as in its prior analysis. 
Specifically, the Bureau assumes that the fraction of non-depository 
financial institutions that cannot use the alternative delivery method 
but can use the new annual notice exception is the same for non-
depository institutions as for banks (9.5%).\65\
---------------------------------------------------------------------------

    \65\ For further discussion, see id. at 64077.
---------------------------------------------------------------------------

    Having identified the financial institutions that will benefit from 
the exception to the annual notice requirement, the Bureau estimates 
the benefit using the same basic methodology as in its prior 
analysis.\66\ For banks, the Bureau allocated the total burden of 
providing the annual privacy notices to asset-size groups in proportion 
to the share of assets in the group. The Bureau then estimated an 
amount of burden reduction specific to each asset-size group using the 
results from the privacy notice analysis described above. The total 
burden reduction is then the sum of the burden reductions in each 
asset-size group. The estimated reduction in burden for banks using 
this methodology is approximately $3.158 million annually. The 
estimated reduction in burden for non-depository financial institutions 
is an additional $231,000 annually.\67\ Thus, the Bureau believes that 
the total reduction in burden is approximately $3.389 million dollars 
annually.\68\ This represents about 28% of the total $12.162 million 
annual cost of providing the annual privacy notice under Regulation P.
---------------------------------------------------------------------------

    \66\ See id. at 64076-64077.
    \67\ Note that this figure excludes auto dealers. Auto dealers 
are regulated by the FTC and will not be directly impacted by this 
amendment to Regulation P.
    \68\ Some of these banks and non-depository financial 
institutions that currently include on their annual privacy notice 
the opt-out notices pursuant to FCRA section 603(d)(2)(A)(iii) or 
FCRA section 624 and the Affiliate Marketing Rule may now be 
required to deliver these notices separately. The Bureau does not 
have the data necessary to estimate the frequency with which these 
opt-out notices will be delivered separately or to subtract the cost 
of delivering them separately from the savings from no longer 
providing the annual privacy notice.
---------------------------------------------------------------------------

    The Bureau requested comment on the preliminary presentation of 
this analysis as well as the submission of additional data that could 
inform the Bureau's consideration of the cost savings to financial 
institutions. No comments addressed this request.

[[Page 40957]]

    The Regulation P exception to the annual notice requirement 
implements a December 2015 statutory amendment to the GLBA. The Bureau 
considered alternatives to the timeline for delivery of annual notices 
when a financial institution that qualified for the annual exception 
changes its policies or practices such that it no longer qualifies. 
Because the estimates of costs and benefits to consumers and covered 
persons take institutions' sharing policies and practices as given, the 
alternatives with respect to the timeline for delivery of annual 
notices do not impact those estimates. Further, even if the estimates 
allowed for changes in sharing policies and practices that can cause 
institutions to meet or fail to meet the requirements for the annual 
notice exception, the aggregate annual benefits and costs of delivery 
will not likely be significantly impacted by the timeline for delivery 
of annual notices. The Bureau does note, however, that changing from 60 
to 100 days for delivery of the annual privacy notice under Sec.  
1016.5(e)(2)(ii) should result in a small burden reduction from the 
proposal, as financial institutions will be able to send the notice 
with quarterly statements as they requested.

C. Impact on Depository Institutions With No More Than $10 Billion in 
Assets

    The Bureau currently estimates that approximately 600 banks with 
$10 billion or less in assets cannot use the alternative delivery 
method but can use the annual notice exception. This constitutes 47% of 
banks with $10 billion or less in assets that do not use the 
alternative delivery method and 8.8% of all banks with $10 billion or 
less in assets. As reported above, 70% of banks with more than $10 
billion in assets that do not use the alternative delivery method can 
use the proposed exception to the annual notice requirement. This is 
55% of all banks with more than $10 billion in assets. Thus, the rule 
may have different impacts on federally insured depository institutions 
with $10 billion or less in assets as described in section 1026 of the 
Dodd-Frank Act. The Bureau currently believes that no credit unions of 
any size that could not use the alternative delivery method will be 
able to use the exception to the annual notice requirement.

D. Impact on Access to Credit and on Consumers in Rural Areas

    The Bureau does not believe that the rule will reduce consumers' 
access to consumer financial products or services or have a unique 
impact on rural consumers.

VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA) as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires each 
agency to consider the potential impact of its regulations on small 
entities, including small businesses, small governmental units, and 
small not-for-profit organizations. The RFA defines a ``small 
business'' as a business that meets the size standard developed by the 
Small Business Administration pursuant to the Small Business Act. The 
RFA generally requires an agency to conduct an initial regulatory 
flexibility analysis (IRFA) and a final regulatory flexibility analysis 
(FRFA) of any rule subject to notice-and-comment rulemaking 
requirements, unless the agency certifies that the rule will not have a 
significant economic impact on a substantial number of small 
entities.\69\ The Bureau also is subject to certain additional 
procedures under the RFA involving the convening of a panel to consult 
with small business representatives prior to proposing a rule for which 
an IRFA is required.\70\
---------------------------------------------------------------------------

    \69\ 5 U.S.C. 603 through 605.
    \70\ 5 U.S.C. 609.
---------------------------------------------------------------------------

    At the proposed rule stage, the Bureau determined that an IRFA was 
not required because the proposal, if adopted, would not have a 
significant economic impact on a substantial number of small entities. 
For this final rule, the Bureau continues to believe that that 
determination is accurate. The Bureau does not expect the rule to 
impose costs on small entities. All methods of compliance under current 
law will remain available to small entities when this rule is adopted. 
Thus, a small entity that is in compliance with current law need not 
take any different or additional action under the new rule. In 
addition, based on the data analysis described previously, the Bureau 
believes that the annual notice exception will allow some small 
institutions to stop sending the annual notice and to thereby reduce 
costs.
    Accordingly, the undersigned certifies that this rule will not have 
a significant economic impact on a substantial number of small 
entities.

VII. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA),\71\ Federal 
agencies are generally required to seek Office of Management and Budget 
(OMB) approval for information collection requirements prior to 
implementation. This proposal would amend Regulation P, 12 CFR part 
1016. The collections of information related to Regulation P have been 
previously reviewed and approved by OMB in accordance with the PRA and 
assigned OMB Control Number 3170-0010. Under the PRA, the Bureau may 
not conduct or sponsor, and, notwithstanding any other provision of 
law, a person is not required to respond to an information collection, 
unless the information collection displays a valid control number 
assigned by OMB.
---------------------------------------------------------------------------

    \71\ 44 U.S.C. 3501 through 3558.
---------------------------------------------------------------------------

    As explained below, the Bureau has determined that this rule does 
not contain any new or substantively revised information collection 
requirements other than those previously approved by OMB. The rule will 
implement the December 2015 amendment to the GLBA and amend Sec.  
1016.5 of Regulation P to provide that a financial institution is not 
required to deliver an annual privacy notice if it:
    (1) Provides nonpublic personal information to nonaffiliated third 
parties only in accordance with the provisions of Sec.  1016.13, Sec.  
1016.14, or Sec.  1016.15 and;
    (2) Has not changed its policies and practices with regard to 
disclosing nonpublic personal information from the policies and 
practices that were disclosed to the customer under Sec.  1016.6(a)(2) 
through (5) and (9) in the most recent privacy notice provided.
    Under Regulation P, the Bureau generally accounts for the paperwork 
burden for the following respondents pursuant to its enforcement/
supervisory authority: Federally insured depository institutions with 
more than $10 billion in total assets, their depository institution 
affiliates, and certain non-depository institutions. The Bureau and the 
FTC generally both have enforcement authority over non-depository 
institutions subject to Regulation P. Accordingly, the Bureau has 
allocated to itself half of the final rule's estimated reduction in 
burden on non-depository financial institutions subject to Regulation 
P. Other Federal agencies, including the FTC, are responsible for 
estimating and reporting to OMB the paperwork burden for the 
institutions for which they have enforcement and/or supervision 
authority. They may use the Bureau's burden estimation methodology, but 
need not do so.
    The Bureau does not believe that this final rule will impose any 
new or substantively revised collections of information as defined by 
the PRA, and instead believes that it will have the overall effect of 
reducing the previously approved estimated burden on industry for the 
information collections

[[Page 40958]]

associated with the Regulation P annual privacy notice. Using the 
Bureau's burden estimation methodology, the reduction in the estimated 
ongoing burden will be approximately 62,197 hours annually for the 
roughly 13,500 banks and credit unions subject to the rule, including 
Bureau respondents, and the roughly 29,400 entities regulated by the 
FTC also subject to the rule (i.e., entities over which the FTC has 
Regulation P administrative enforcement authority). The reduction in 
estimated ongoing costs from the reduction in ongoing burden will be 
approximately $3.389 million annually.\72\
---------------------------------------------------------------------------

    \72\ The total hours and costs consist of: (a) 51,230 hours at 
banks and credit unions evaluated at $61.65/hour; and (b) 10,967 
hours at entities regulated by the FTC also subject to the rule, 
evaluated at $21.07/hour.
---------------------------------------------------------------------------

    The Bureau believes that the one-time cost of adopting the annual 
notice exception for financial institutions that adopt it will be de 
minimis. The Bureau's methodology for estimating the reduction in 
ongoing burden was discussed above. The method is similar to that 
described in the PRA analysis in the 2014 Annual Privacy Notice Rule. 
The only difference is that instead of estimating the fraction of 
institutions that will be able to use the alternative delivery method, 
the Bureau estimates the fraction of institutions that will be able to 
use the annual notice exception and are not already using the 
alternative delivery method, to compute the reduction in burden 
relative to the baseline.\73\
---------------------------------------------------------------------------

    \73\ See 79 FR 64057, 64080 (Oct. 28, 2014).
---------------------------------------------------------------------------

    The Bureau takes all of the reduction in ongoing burden from banks 
and credit unions with assets $10 billion and above and half the 
reduction in ongoing burden from the non-depository institutions 
subject to the FTC enforcement authority that are subject to the 
Bureau's Regulation P. The total reduction in ongoing burden taken by 
the Bureau is 53,216 hours or $3.058 million annually.\74\
---------------------------------------------------------------------------

    \74\ The total hours and costs consist of: (a) 47,733 hours at 
banks and credit unions evaluated at $61.65/hour; and (b) 5,484 
hours at entities regulated by the FTC also subject to the rule, 
evaluated at $21.07/hour.
---------------------------------------------------------------------------

    The Bureau has determined that the final rule does not contain any 
new or substantively revised information collection requirements as 
defined by the PRA and that the burden estimate for the previously 
approved information collections should be revised as explained above. 
The Bureau requested comments on these determinations or any other 
aspect of the proposal for purposes of the PRA, but received none.

                                            Summary of Burden Changes
----------------------------------------------------------------------------------------------------------------
                                                                  Previously
                   Information collections                      approved total   Net change in      New total
                                                                 burden hours     burden hours     burden hours
----------------------------------------------------------------------------------------------------------------
Notices and disclosures......................................         366,134          -53,216          312,917
----------------------------------------------------------------------------------------------------------------

VIII. Congressional Review Act

    Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), 
the Bureau will submit a report containing this rule and other required 
information to the United States Senate, the United States House of 
Representatives, and the Comptroller General of the United States prior 
to the rule taking effect. The Office of Information and Regulatory 
Affairs (OIRA) has designated this rule as not a ``major rule'' as 
defined by 5 U.S.C. 804(2).

List of Subjects in 12 CFR Part 1016

    Banks, Banking, Consumer protection, Credit, Credit unions, Foreign 
banking, Holding companies, National banks, Privacy, Reporting and 
recordkeeping requirements, Savings associations, Trade practices.

Authority and Issuance

    For the reasons set forth in the preamble, the Bureau amends 
Regulation P, 12 CFR part 1016, as set forth below:

PART 1016--PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)

0
1. The authority citation for part 1016 continues to read as follows:

    Authority:  12 U.S.C. 5512, 5581; 15 U.S.C. 6804.

0
2. Section 1016.3 is amended by revising paragraph (s)(1) to read as 
follows:


Sec.  1016.3  Definitions.

* * * * *
    (s)(1) You means a financial institution for which the Bureau has 
rulemaking authority under section 504(a)(1)(A) of the GLB Act (15 
U.S.C. 6804(a)(1)(A)).
* * * * *

Subpart A--Privacy and Opt Out Notices

0
3. Section 1016.5 is amended by revising the first sentence of 
paragraph (a)(1) and adding paragraph (e) to read as follows:


Sec.  1016.5  Annual privacy notice to customers required.

    (a)(1) * * * Except as provided by paragraph (e) of this section, 
you must provide a clear and conspicuous notice to customers that 
accurately reflects your privacy policies and practices not less than 
annually during the continuation of the customer relationship. * * *
* * * * *
    (e) Exception to annual privacy notice requirement. (1) When 
exception available. You are not required to deliver an annual privacy 
notice if you:
    (i) Provide nonpublic personal information to nonaffiliated third 
parties only in accordance with the provisions of Sec.  1016.13, Sec.  
1016.14, or Sec.  1016.15; and
    (ii) Have not changed your policies and practices with regard to 
disclosing nonpublic personal information from the policies and 
practices that were disclosed to the customer under Sec.  1016.6(a)(2) 
through (5) and (9) in the most recent privacy notice provided pursuant 
to this part.
    (2) Delivery of annual privacy notice after financial institution 
no longer meets requirements for exception. If you have been excepted 
from delivering an annual privacy notice pursuant to paragraph (e)(1) 
of this section and change your policies or practices in such a way 
that you no longer meet the requirements for that exception, you must 
comply with paragraph (e)(2)(i) or (e)(2)(ii) of this section, as 
applicable.
    (i) Changes preceded by a revised privacy notice. If you no longer 
meet the requirements of paragraph (e)(1) of this section because you 
change your policies or practices in such a way that

[[Page 40959]]

Sec.  1016.8 requires you to provide a revised privacy notice, you must 
provide an annual privacy notice in accordance with the timing 
requirements in paragraph (a) of this section, treating the revised 
privacy notice as an initial privacy notice.
    (ii) Changes not preceded by a revised privacy notice. If you no 
longer meet the requirements of paragraph (e)(1) of this section 
because you change your policies or practices in such a way that Sec.  
1016.8 does not require you to provide a revised privacy notice, you 
must provide an annual privacy notice within 100 days of the change in 
your policies or practices that causes you to no longer meet the 
requirements of paragraph (e)(1) of this section.
    (iii) Examples. (A) You change your policies and practices in such 
a way that you no longer meet the requirements of paragraph (e)(1) of 
this section effective April 1 of year 1. Assuming you define the 12-
consecutive-month period pursuant to paragraph (a) of this section as a 
calendar year, if you were required to provide a revised privacy notice 
under Sec.  1016.8 and you provided that notice on March 1 of year 1, 
you must provide an annual privacy notice by December 31 of year 2. If 
you were not required to provide a revised privacy notice under Sec.  
1016.8, you must provide an annual privacy notice by July 9 of year 1.
    (B) You change your policies and practices in such a way that you 
no longer meet the requirements of paragraph (e)(1) of this section, 
and so provide an annual notice to your customers. After providing the 
annual notice to your customers, you once again meet the requirements 
of paragraph (e)(1) of this section for an exception to the annual 
notice requirement. You do not need to provide additional annual 
notices to your customers until such time as you no longer meet the 
requirements of paragraph (e)(1) of this section.

0
4. Section 1016.9 is amended by revising paragraph (c) to read as 
follows:


Sec.  1016.9  Delivering privacy and opt out notices.

* * * * *
    (c) Annual notices only. You may reasonably expect that a customer 
will receive actual notice of your annual privacy notice if:
    (1) The customer uses your website to access financial products and 
services electronically and agrees to receive notices at the website, 
and you post your current privacy notice continuously in a clear and 
conspicuous manner on the website; or
    (2) The customer has requested that you refrain from sending any 
information regarding the customer relationship, and your current 
privacy notice remains available to the customer upon request.
* * * * *

    Dated: August 9, 2018.
Mick Mulvaney,
Acting Director, Bureau of Consumer Financial Protection.
[FR Doc. 2018-17572 Filed 8-16-18; 8:45 am]
 BILLING CODE 4810-AM-P