Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act, 13150-13158 [2019-06039]
Federal Register / Vol. 84, No. 65 / Thursday, April 4, 2019 / Proposed Rules
For the reasons discussed above, I
certify this proposed regulation:
1. Is not a ‘‘significant regulatory
action’’ under Executive Order 12866;
2. Is not a ‘‘significant rule’’ under the
DOT Regulatory Policies and Procedures
(44 FR 11034, February 26, 1979);
3. Will not affect intrastate aviation in
Alaska; and
4. Will not have a significant
economic impact, positive or negative,
on a substantial number of small entities
under the criteria of the Regulatory
Flexibility Act.
List of Subjects in 14 CFR Part 39
Air transportation, Aircraft, Aviation
safety, Incorporation by reference,
Safety.
The Proposed Amendment
Accordingly, under the authority
delegated to me by the Administrator,
the FAA proposes to amend 14 CFR part
39 as follows:
PART 39—AIRWORTHINESS
DIRECTIVES
1. The authority citation for part 39
continues to read as follows:
Authority: 49 U.S.C. 106(g), 40113, 44701.
§ 39.13
[Amended]
2. The FAA amends § 39.13 by adding
the following new airworthiness
directive (AD):
Bombardier, Inc.: Docket No. FAA–2019–0189;
Product Identifier 2019–NM–001–AD.
(a) Comments Due Date
We must receive comments by May 20,
2019.
(b) Affected ADs
None.
(c) Applicability
This AD applies to Bombardier, Inc.,
Model DHC–8–102, –103, –106, –201, –202,
–301, –311, and –315 airplanes, certificated
in any category, serial numbers 003 through
672 inclusive.
(d) Subject
Air Transport Association (ATA) of
America Code 55, Stabilizers.
(e) Reason
This AD was prompted by the reported loss
of an elevator spring tab balance weight prior
to takeoff. We are issuing this AD to address
tolerance stack-up between the balance
weight and the hinge arm that can allow the
attachment bolts to fret with the hinge arm
and result in wear, fracture, and loss of the
spring tab balance weight. Loss of the spring
tab balance weight can lead to unacceptable
flutter margins and loss of the airplane.
(f) Compliance
Comply with this AD within the
compliance times specified, unless already
done.
(g) Inspection and Corrective Actions
Within 600 flight hours after the effective
date of this AD, perform a detailed inspection
of the two balance weights and a detailed
inspection of the two hinge arms on each
elevator spring tab (left hand and right hand),
in accordance with Section 3.B, Part A, of the
Accomplishment Instructions of Bombardier
Service Bulletin 8–55–27, Revision A, dated
August 15, 2018.
(1) If any of the balance weight attachment
locknuts, part number (P/N) MS21042–4, is
found fractured, loose, or missing: Before
further flight conduct the rectification in
accordance with Section 3.B, Part B, of the
Accomplishment Instructions of Bombardier
Service Bulletin 8–55–27, Revision A, dated
August 15, 2018.
(2) If the balance weight is found not
secure: Within 60 flight hours after the
inspection required by paragraph (g) of this
AD, repair any damage to the hinge arm and
permanently secure the mass balance, in
accordance with Section 3.B, Part B, of the
Accomplishment Instructions of Bombardier
Service Bulletin 8–55–27, Revision A, dated
August 15, 2018.
(3) If the balance weight is found secure:
Within 5,000 flight hours after the inspection
required by paragraph (g) of this AD, repair
any damage to the hinge arm and
permanently secure the mass balance, in
accordance with Section 3.B, Part B, of the
Accomplishment Instructions of Bombardier
Service Bulletin 8–55–27, Revision A, dated
August 15, 2018.
(4) Where Bombardier Service Bulletin
8–55–27, Revision A, dated August 15, 2018,
specifies to contact Bombardier for
appropriate action: Before further flight,
accomplish corrective actions in accordance
with the procedures specified in paragraph
(i)(2) of this AD.
(h) Credit for Previous Actions
This paragraph provides credit for actions
required by paragraphs (g), (g)(2), (g)(3), and
(g)(4) of this AD, if those actions were
performed before the effective date of this AD
using Section 3.B of the Accomplishment
Instructions of Bombardier Service Bulletin
8–55–27, dated April 17, 2018, provided that
within 600 flight hours after the effective
date of this AD, a detailed visual inspection
of the balance weight locknuts, P/N
MS21042–4, is performed in accordance with
Section 3.B, Part C, of the Accomplishment
Instructions of Bombardier Service Bulletin
8–55–27, Revision A, dated August 15, 2018,
and the rectification is performed before
further flight for any fractured, loose, or
missing balance weight attachment locknuts,
P/N MS21042–4, in accordance with Section
3.B, Part B, of Bombardier Service Bulletin
8–55–27, Revision A dated August 15, 2018.
(i) Other FAA AD Provisions
The following provisions also apply to this
AD:
(1) Alternative Methods of Compliance
(AMOCs): The Manager, New York ACO
Branch, FAA, has the authority to approve
AMOCs for this AD, if requested using the
procedures found in 14 CFR 39.19. In
accordance with 14 CFR 39.19, send your
request to your principal inspector or local
Flight Standards District Office, as
appropriate. If sending information directly
to the manager of the certification office,
send it to ATTN: Program Manager,
Continuing Operational Safety, FAA, New
York ACO Branch, 1600 Stewart Avenue,
Suite 410, Westbury, NY 11590; telephone
516–228–7300; fax 516–794–5531. Before
using any approved AMOC, notify your
appropriate principal inspector, or lacking a
principal inspector, the manager of the local
flight standards district office/certificate
holding district office.
(2) Contacting the Manufacturer: For any
requirement in this AD to obtain corrective
actions from a manufacturer, the action must
be accomplished using a method approved
by the Manager, New York ACO Branch,
FAA; or Transport Canada Civil Aviation
(TCCA); or Bombardier, Inc.’s TCCA Design
Approval Organization (DAO). If approved by
the DAO, the approval must include the
DAO-authorized signature.
(j) Related Information
(1) Refer to Mandatory Continuing
Airworthiness Information (MCAI) Canadian
AD CF–2018–30, dated November 7, 2018,
for related information. This MCAI may be
found in the AD docket on the internet at
https://www.regulations.gov by searching for
and locating Docket No. FAA–2019–0189.
(2) For more information about this AD,
contact Andrea Jimenez, Aerospace Engineer,
Airframe and Mechanical Systems Section,
FAA, New York ACO Branch, 1600 Stewart
Avenue, Suite 410, Westbury, NY 11590;
telephone 516–228–7330; fax 516–794–5531;
email 9-avs-nyaco-cos@faa.gov.
(3) For service information identified in
this AD, contact Bombardier, Inc., Q-Series
Technical Help Desk, 123 Garratt Boulevard,
Toronto, Ontario M3K 1Y5, Canada;
telephone 416–375–4000; fax 416–375–4539;
email thd.qseries@aero.bombardier.com;
internet https://www.bombardier.com. You
may view this service information at the
FAA, Transport Standards Branch, 2200
South 216th St., Des Moines, WA. For
information on the availability of this
material at the FAA, call 206–231–3195.
Issued in Des Moines, Washington, on
March 28, 2019.
Michael Kaszycki,
Acting Director, System Oversight Division,
Aircraft Certification Service.
[FR Doc. 2019–06458 Filed 4–3–19; 8:45 am]
BILLING CODE 4910–13–P
FEDERAL TRADE COMMISSION
16 CFR Part 313
RIN 3084–AB42
Privacy of Consumer Financial
Information Rule Under the Gramm-Leach-Bliley Act
AGENCY: Federal Trade Commission.
ACTION: Notice of proposed rulemaking;
request for public comment.
SUMMARY: The Federal Trade
Commission is proposing to amend its
Privacy Rule for certain financial
institutions subject to the Rule to revise
the Rule’s scope, to modify the Rule’s
definitions of ‘‘financial institution’’
and ‘‘federal functional regulator,’’ and
to update the Rule’s annual customer
privacy notice requirement. The
proposed amendments will also remove
certain examples in the Rule that apply
to financial institutions that now fall
outside the scope of the Commission’s
Rule. This action is necessary to
conform the Rule to the current
requirements of the Gramm-Leach-Bliley Act (GLBA), as amended by the
Dodd-Frank and FAST Acts, and will
clarify which financial institutions are
covered by the Commission’s Rule and
their annual customer privacy notice
obligations under the Rule.
DATES: Written comments must be
received on or before June 3, 2019.
ADDRESSES: Interested parties may file a
comment online or on paper by
following the Request for Comment part
of the SUPPLEMENTARY INFORMATION
section below. Write ‘‘Amendment to
the Privacy of Consumer Financial
Information Rule, 16 CFR part 313,
Rulemaking No. R411016,’’ on your
comment and file your comment online
at https://www.regulations.gov by
following the instructions on the web-based form. If you prefer to file your
comment on paper, mail your comment
to the following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW, Suite
CC–5610 (Annex B), Washington, DC
20580, or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW,
5th Floor, Suite 5610 (Annex B),
Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT:
David Lincicum or Allison M. Lefrak,
Division of Privacy and Identity
Protection, Bureau of Consumer
Protection, Federal Trade Commission,
600 Pennsylvania Avenue NW,
Washington, DC 20580, (202) 326–2773
or (202) 326–2804.
SUPPLEMENTARY INFORMATION:
I. Background
A. The Statute and Regulation
The GLBA was enacted in 1999.1 The
GLBA, among other things, provides a
framework for regulating the privacy
practices of a broad range of financial
1 Public Law 106–102, 113 Stat. 1338 (1999).
institutions. The GLBA requires that
financial institutions provide their
customers with initial and annual
notices regarding their privacy
practices, and allow their customers to
opt out of sharing their information with
certain nonaffiliated third parties.
Rulemaking authority to implement
the GLBA’s privacy provisions was
initially spread among multiple
agencies. The Federal Reserve Board
(‘‘the Fed’’), the Office of Comptroller of
the Currency (‘‘OCC’’), the Federal
Deposit Insurance Corporation
(‘‘FDIC’’), and the Office of Thrift
Supervision (‘‘OTS’’) jointly adopted
final rules to implement the notice
requirements of the GLBA in 2000.2 The
Commission, the National Credit Union
Administration (‘‘NCUA’’), the
Securities and Exchange Commission
(‘‘SEC’’), and the Commodity Futures
Trading Commission (‘‘CFTC’’) were
part of the same interagency process,
but each issued their rules separately.3
In 2009, all those agencies jointly
adopted a model form that financial
institutions could use to provide the
required initial and annual privacy
disclosures.4
As originally promulgated, the FTC’s
Privacy Rule covered a broad range of
non-bank financial institutions such as
payday lenders, mortgage brokers, check
cashers, debt collectors, real estate
appraisers, certain motor vehicle
dealers, and remittance transfer
providers. In 2010, the Dodd-Frank Act 5
transferred the GLBA’s privacy notice
rulemaking authority from the Fed,
NCUA, OCC, OTS, the FDIC, and the
Commission (in part) to the Consumer
Financial Protection Bureau (‘‘CFPB’’).
The CFPB then restated the
implementing regulations in Regulation
P, 12 CFR part 1016, in late 2011
(‘‘Regulation P’’).6 However, under
section 1029 of the Dodd-Frank Act, the
Commission retained rulemaking
authority for certain motor vehicle
dealers.7 Thus, in 2012, the Commission
issued a notice that it was retaining the
implementing regulations governing
2 65 FR 35162 (June 1, 2000).
3 65 FR 33646 (May 24, 2000) (FTC final rule); 65
FR 31722 (May 18, 2000) (NCUA final rule); 65 FR
40334 (June 29, 2000) (SEC final rule); 66 FR 21236
(Apr. 27, 2001) (CFTC final rule).
4 74 FR 62890 (Dec. 1, 2009); see also 16 CFR
313.2, 313.4–313.9.
5 Public Law 111–203, 124 Stat. 1376 (2010).
6 76 FR 79025 (Dec. 21, 2011).
7 12 U.S.C. 5519. The FTC retained rulemaking
jurisdiction as to motor vehicle dealers that are
predominantly engaged in the sale and servicing or
the leasing and servicing of motor vehicles,
excluding those dealers that directly extend credit
to consumers and do not routinely assign the
extensions of credit to an unaffiliated third party.
For ease of reference, covered motor vehicle dealers
are referenced herein as ‘‘motor vehicle dealers.’’
privacy notices for motor vehicle
dealers at 16 CFR part 313.8
Despite the transfer of general
rulemaking authority for the Privacy
Rule to the CFPB, the Commission and
other agencies retain their existing
enforcement authority under the
GLBA.9 In addition, the SEC and CFTC
retain rulemaking authority with respect
to securities and futures-related
companies, respectively.10 Accordingly,
as part of this rulemaking process, the
Commission has consulted and
coordinated, or offered to consult, with
those agencies that have rulemaking
and/or enforcement authority under the
GLBA, including the CFPB, SEC, CFTC,
and the National Association of
Insurance Commissioners (‘‘NAIC’’).11
On December 4, 2015, Congress
amended the GLBA as part of the FAST
Act. This amendment, titled Eliminate
Privacy Notice Confusion,12 added
GLBA subsection 503(f). This subsection
provides an exception under which
financial institutions that meet certain
conditions are not required to provide
annual privacy notices to customers.
B. The Privacy Notice Requirements
As noted, the GLBA and the Privacy
Rule require that motor vehicle dealers
provide consumers with notices
describing their privacy policies.
Specifically, section 503 of the GLBA
and the Privacy Rule require covered
entities to provide an initial notice of
these policies,13 and then ‘‘provide a
clear and conspicuous notice to
customers that accurately reflects [their]
privacy policies and practices not less
than annually during the continuation
of the customer relationship.’’ 14
Section 502 of the GLBA and the
Privacy Rule require that initial and
annual notices inform customers of their
right to opt out of the sharing of
nonpublic personal information with
some types of nonaffiliated third
parties.15 For example, a customer has
the right to opt out of allowing a motor
vehicle dealer to sell her name and
address to a nonaffiliated auto insurance
company.16 On the other hand, a motor
vehicle dealer is not required to allow
consumers to opt out of the dealer’s
8 77 FR 22200, 22201 (April 13, 2012) (also
rescinding those regulations for which rulemaking
authority was transferred to the CFPB under the
Dodd-Frank Act).
9 15 U.S.C. 6805(a).
10 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12
CFR 1016.1(b).
11 See 15 U.S.C. 6804(a)(2).
12 Public Law 114–94, sec. 75001, 129 Stat. 1312,
1787 (2015).
13 15 U.S.C. 6803; 16 CFR 313.4.
14 15 U.S.C. 6803; 16 CFR 313.5(a)(1).
15 15 U.S.C. 6802; 16 CFR 313.6(a)(6).
16 16 CFR 313.10(a).
sharing involving third-party service
providers, joint marketing arrangements,
maintenance and servicing of accounts,
securitization, law enforcement and
compliance, reporting to consumer
reporting agencies, and certain other
activities that are specified in the statute
and regulation.17 Accordingly, if a
motor vehicle dealer limits its sharing to
uses that do not trigger opt-out rights, it
may provide an annual privacy notice to
its customers that does not include
information regarding opt-out rights.
Motor vehicle dealers also may
include in the annual privacy notice
information about certain consumer opt-out rights related to affiliate sharing
under the Fair Credit Reporting Act
(‘‘FCRA’’). First, section 603(d)(2)(A)(iii)
of the FCRA allows the sharing of a
consumer’s information among
affiliates, but only if the consumer is
notified of such sharing and is given an
opportunity to opt out.18 Section
503(c)(4) of the GLBA and the Privacy
Rule generally require motor vehicle
dealers to incorporate any notifications
and opt-out disclosures provided
pursuant to section 603(d)(2)(A)(iii) of
the FCRA into their initial and annual
privacy notices.19
Second, section 624 of the FCRA and
the FTC’s Affiliate Marketing Rule 20
provide that an affiliate of a motor
vehicle dealer that receives certain
information about a consumer from the
dealer may not use that information for
marketing purposes, unless the
consumer is provided with an
opportunity to opt out of that use.21
This requirement governs the use of
information by an affiliate, not the
sharing of information among affiliates,
and thus is distinct from the affiliate
sharing opt-out discussed above. The
Affiliate Marketing Rule permits (but
does not require) motor vehicle dealers
to incorporate any opt-out disclosures
provided under section 624 of the FCRA
and the Affiliate Marketing Rule into the
initial and annual privacy notices
required by the GLBA.22
Finally, section 313.6(a)(8) of the
Privacy Rule requires that the initial and
annual notices briefly describe how
motor vehicle dealers protect the
17 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13–
313.15.
18 15 U.S.C. 1681a(d)(2)(A)(iii).
19 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
20 16 CFR 680.1–680.28.
21 15 U.S.C. 1681s–3. The FTC’s Affiliate
Marketing Rule applies to motor vehicle dealers.
See 77 FR 22200 (Apr. 13, 2012). The FTC also
enforces the CFPB’s Regulation V’s Affiliate
Marketing Rule, 12 CFR part 1022, subpart C, for
other entities over which the FTC has enforcement
authority under the FCRA.
22 16 CFR 680.23(b).
nonpublic personal information they
collect and maintain.
II. Proposed Revision of the Privacy
Rule
A. The Consumer Financial Protection
Bureau Rulemaking
In December 2011, the CFPB issued a
Request for Information seeking specific
suggestions for streamlining regulations
that were transferred to the CFPB from
other Federal agencies, including the
annual privacy notice requirement.23
After receiving numerous comments, in
May 2014, the CFPB issued a proposed
rule to amend its Regulation P to allow
financial institutions to notify
consumers that a privacy notice was
available online, in certain enumerated
circumstances.24 The CFPB finalized its
rulemaking in October 2014.25
B. The Commission’s 2015 Proposed
Rulemaking
On June 24, 2015, the Commission
published a Notice of Proposed
Rulemaking (‘‘2015 NPRM’’) proposing
revisions to the Privacy Rule.26 First, the
Commission proposed a number of
changes to comport with the Dodd-Frank
Act revision of GLBA, which
transferred rulemaking authority for
most financial institutions to the CFPB.
The Commission also proposed
amending the Rule to allow motor
vehicle dealers to notify their customers
that a privacy notice is available online,
under circumstances identical to those
that had been adopted by the CFPB.27
The Commission received six
comments from individuals and
entities.28
C. The Passage of the FAST Act
As described above, on December 4,
2015, President Obama signed the FAST
Act. The FAST Act contains a provision
that modified the annual privacy notice
requirement under the GLBA. The
provision states that a financial
institution is not required to provide an
annual privacy notice if it: (1) Only
shares non-public personal information
with non-affiliated third parties in a
manner that does not require an opt-out
right be provided to customers (e.g., if
the institution discloses nonpublic
personal information to a service
provider or for fraud detection and
prevention purposes), and (2) has not
changed its policies and practices with
respect to disclosing nonpublic personal
information since it last provided a
privacy notice to its customers.29 This
modification of the GLBA rendered the
Commission’s proposed changes to the
Privacy Rule moot because those
changes, if adopted, would have been in
conflict with the revised statute.30
D. New Proposed Changes to the Privacy
Rule
In light of this history, the
Commission is issuing this notice of
proposed rulemaking. The Commission
now proposes to make three types of
changes to the Privacy Rule: (1)
Technical changes to the Rule to
correspond to the reduced scope of the
Rule due to Dodd-Frank Act changes,
which primarily consist of removing
references that do not apply to motor
vehicle dealers; (2) modifications to the
annual privacy notice requirements to
reflect the changes made to the GLBA by
the FAST Act; and (3) a modification to
the scope and definition of ‘‘financial
institution’’ to include entities engaged
in activities that are incidental to
financial activities, which would bring
the Rule into accord with the CFPB’s
Regulation P.
1. Technical Changes To Correspond to
Statutory Changes Resulting From the
Dodd-Frank Act
The Commission adopted the scope
of, and definitions in, the original
Privacy Rule at a time when it had
rulemaking authority for the Privacy
Rule over a broader group of non-bank
‘‘financial institutions’’ as defined by
the GLBA. While the Dodd-Frank Act
did not change the Commission’s
enforcement authority for the privacy
notice obligations of the GLBA, it did
amend the Commission’s rulemaking
authority under the GLBA such that the
Privacy Rule only applies to motor
vehicle dealers.31 The amendments in
the Dodd-Frank Act necessitate certain
technical revisions to the Privacy Rule
to ensure that the regulation is
consistent with the text of the amended
GLBA.32 For example, retaining
examples that apply to entities other
23 76 FR 75825, 75828 (Dec. 5, 2011).
24 79 FR 27214 (May 14, 2014) (CFPB Notice of
Proposed Rulemaking).
25 79 FR 64057 (Oct. 28, 2014).
26 80 FR 36267 (June 24, 2015).
27 See 79 FR 64057 (Oct. 28, 2014).
28 The comments are posted at:
https://www.ftc.gov/policy/public-comments/2015/06/initiative-614.
The Commission assigned each
comment a number appearing after the name of the
commenter and the date of submission.
29 15 U.S.C. 6803(f).
30 In 2016, the CFPB issued a proposed
amendment to Regulation P that would alter the
annual notice requirement to conform to the
statutory changes. 81 FR 44801 (July 11, 2016). The
rule became final in September 2018. 83 FR 40945
(Sept. 17, 2018).
31 For other types of financial institutions over
which the Commission has enforcement authority
under the GLBA, the Commission now enforces the
CFPB’s Regulation P.
32 15 U.S.C. 6804(1)(C).
than motor vehicle dealers may lead to
confusion about the existing, narrower
scope of the Privacy Rule. Accordingly,
the Commission proposes to modify the
Privacy Rule to provide clearer guidance
to financial institutions that are covered
motor vehicle dealers.33
The proposed amendment to section
313.1(b) narrows the description of the
scope of the Privacy Rule to those
entities set forth in the Dodd-Frank
Act 34 that are predominantly engaged in
the sale and servicing of motor vehicles
or the leasing and servicing of motor
vehicles, excluding those dealers that
directly extend credit to consumers and
do not routinely assign the extensions of
credit to an unaffiliated third party. It
also removes the reference in the Rule’s
scope to ‘‘other persons’’: Although the
Commission continues to have
enforcement authority over ‘‘other
persons’’ covered by the CFPB’s
Regulation P, the Commission no longer
has rulemaking authority for the Privacy
Rule over ‘‘other persons.’’ 35 In
addition, the Commission proposes to
eliminate from section 313.1(b) the note
indicating that (1) the Privacy Rule does
not modify, limit, or supersede the
standards under the Health Insurance
Portability and Accountability Act of
1996, and (2) if a financial institution
that is an institution of higher education
is in compliance with the Federal
Educational Rights and Privacy Act
(‘‘FERPA’’) and its implementing
regulations, such institution shall be
deemed in compliance with the Privacy
Rule. The Commission does not believe
these provisions will apply to motor
vehicle dealers covered by the Rule and
should be removed to improve clarity.
The Commission invites comments on
whether these provisions are relevant to
motor vehicle dealers and should be
retained.
The proposed amendments to section
313.3 also remove any examples that are
not likely to apply to motor vehicle
dealers. To help companies understand
whether and how the Rule applies to
them, the Rule includes examples of
financial institutions in section
313.3(k)(2). The current examples refer
to types of activities that motor vehicle
dealers typically do not engage in.
Therefore, leaving those examples in the
33 The Commission also proposes a change to 16
CFR 313.3(j) removing the Director of the Office of
Thrift Supervision from the definition of ‘‘Federal
Functional Regulators,’’ as the Office of Thrift
Supervision no longer exists.
34 12 U.S.C. 5519.
35 The Commission also proposes to amend 16
CFR 313.15(a)(4) to add the CFPB to the list of law
enforcement agencies to which financial
institutions are permitted to share information to
the extent permitted by law.
Rule may lead to confusion about the
Rule’s current scope.
The proposed amendments also
remove certain examples from the
definition of ‘‘consumer’’ in section
313.3(e)(2). These examples do not
apply because motor vehicle dealers do
not provide the types of services
provided in the examples, such as
financial, investment, or economic
advisory services or serving as the
trustee of a trust.
Likewise, the proposed amendments
remove certain examples of establishing
a customer relationship from section
313.4(c)(3)(i). The removed examples do
not apply to customers of motor vehicle
dealers, because such activities are not
related to the sale or leasing of motor
vehicles. These include creating credit
card accounts, providing investment
advice or tax counseling, providing
mortgages, collecting debts from other
financial institutions, and providing
websites for consumers to review all of
their on-line financial accounts with
other financial institutions.
Finally, the proposed amendments
remove certain examples of termination
of customer relationships from section
313.5(b)(2). As with previously
discussed proposed amendments, the
removed examples concern customer
relationships based on services that
motor vehicle dealers do not provide.
These include credit card accounts,
credit counseling services, tax
preparation, and real estate settlement.
The removal of these inapplicable
examples will increase the clarity of the
rule by focusing on matters that are
relevant to the regulated financial
institutions. Removing these examples
will not alter the substance of the
underlying definitions or provisions of
the rule, which will have the same reach
and applicability as before the revisions.
The changes are intended to improve
clarity, not to alter substance. The
Commission invites comments on
whether any of the omitted examples
should be retained.
Although the Dodd-Frank Act altered
the Commission’s rulemaking authority
with respect to the Privacy Rule, it did
not alter the Commission’s rulemaking
authority for the Safeguards Rule. For
the Safeguards Rule, the Commission
continues to have rulemaking authority
over a broad range of non-bank financial
institutions. The Safeguards Rule,
however, currently incorporates by
reference the definitions contained in
the Privacy Rule, including all of the
examples of financial institutions listed
in the existing Privacy Rule.36
Accordingly, while the Commission
36 16 CFR 314.2(a).
proposes to modify the Privacy Rule
definitions to include examples
applicable only to motor vehicle
dealers, the Commission has also
proposed in a separate concurrent
NPRM to amend the Safeguards Rule to
import definitions of relevant terms and
examples from the current version of the
Privacy Rule.37
2. Modifications to the Annual Privacy
Notice To Reflect Statutory Changes
Resulting From the FAST Act
The Commission also proposes
changes to the Privacy Rule provisions
governing how motor vehicle dealers
should deliver annual privacy notices.
These changes implement statutory
changes resulting from the enactment of
the FAST Act and replace those set forth
in the 2015 NPRM.
Several commenters opined on the
proposed changes to notice delivery in
the 2015 NPRM. Those comments have
been rendered obsolete by the statutory
changes. The current proposed rule
implements the changes set forth in the
FAST Act.
Section 313.5(a)(1)—General Rule
The proposed section 313.5(a)(1)
notes that section 313.5(e) provides an
exception to the general rule requiring
the delivery of annual notices.
Section 313.5(e)
This proposed new section sets forth
the exception to the annual privacy
notice requirement. The Commission
adopts the reasoning and changes set
forth by the CFPB in its amendments to
Regulation P to adopt the FAST Act
changes.38 First, proposed section
313.5(e)(1)(i) sets forth that the financial
institution must share nonpublic
personal information only in accordance
with the provisions of sections 313.13,
313.14, and 313.15, none of which
require an opt-out opportunity be
provided to customers. Second,
proposed section 313.5(e)(1)(ii) states
that the financial institution must also
not have changed its disclosure policies
and practices that were contained in its
most recent privacy notice to customers.
Proposed section 313.5(e)(2) sets forth
the timing for delivering an annual
notice if a financial institution no longer
meets requirements for the exception
and must resume delivery of annual
notices. There are two scenarios under
which a financial institution would
need to resume delivering annual
notices: (1) Where the change in its
policies trigger the existing requirement
37 The NPRM relating to the Safeguards Rule is
published elsewhere in this issue of the Federal
Register.
38 See 81 FR 44801 (July 10, 2016).
to issue a revised privacy notice, as
required by section 313.8; and (2) where
the change does not trigger a need for
the financial institution to issue a
revised notice under section 313.8.
These two situations are addressed by
proposed sections 313.5(e)(2)(i) and (ii),
respectively. In the first situation, the
revised notice issued by the financial
institution acts as an initial privacy
notice for the purposes of the timing of
future annual notices. In the second
situation, the financial institution must
provide an annual notice to customers
within 100 days of the change in
policies or practices. Proposed section
313.5(e)(2)(iii) sets forth an example for
both scenarios.
1. Modifications To Scope and
Definitions To Bring the Rule Into
Accord With Regulation P
Whether a company is a ‘‘financial
institution’’ is determined by the types
of activities in which the company
engages. When first promulgating the
Privacy Rule, the Commission
determined that companies engaged in
activities that are ‘‘incidental to
financial activities’’ would not be
considered ‘‘financial institutions.’’ 39
The Commission was the only agency to
adopt this restrictive definition in its
Privacy Rule, while the other agencies
included incidental activities.40 In
addition, the Commission decided that
activities that were determined to be
financial in nature after the enactment
of the GLBA would not be automatically
included in its Privacy Rule; rather, the
Commission would have to take
additional action to include them.41 The
effect of these two decisions was to limit
the activities covered by the
Commission’s rules to those set out in
12 CFR 225.28 as it existed in 1999, and
to exclude any activities later
determined by the Fed to be financial
activities or incidental to those
activities.42
The Commission proposes modifying
the definition of ‘‘financial institution’’
to harmonize the Privacy Rule with
other agencies’ rules. The Commission
proposes to amend section 313.1(b) to
include companies that engage in
activities that are financial in nature or
incidental to such financial activities.
Likewise, it proposes to amend the
39 See 16 CFR 313.3(k); see also 65 FR 33646,
33654 (May 24, 2000).
40 The Commission also added the requirement
that an entity must be ‘‘significantly engaged’’ in
the financial activity to be considered a financial
institution under the Privacy Rule. 16 CFR 313.3(k).
The Commission is not proposing to change this
requirement.
41 65 FR 33646, 33654 n.23 (May 24, 2000).
42 Id.
definition of ‘‘financial institution’’ in
section 313.3(k), to include any
institution the business of which is
engaging in an activity that is financial
in nature or incidental to such financial
activities.43 The effect of this proposed
amendment would be to cause ‘‘finders’’
to be included in this definition, thereby
bringing the Privacy Rule into harmony
with the scope of entities covered by
other agencies under Regulation P. It
would not bring any other activities
under the coverage of the definition
because the Fed has not determined any
other activity other than ‘‘finding’’ to be
financial in nature or incidental to such
activity since the enactment of the
GLBA. In practice, the Commission
expects that this change to the Privacy
Rule will have little to no effect because
of the already narrow scope of the Rule:
It is not clear that there are any motor
vehicle dealers that would be covered
by this rule whose only activity that
would qualify them as a financial
institution is the act of finding, as most
motor vehicle dealers are more directly
involved in obtaining financing for their
customers. Nevertheless, the
Commission believes this change is
important to keep the Rule consistent
with the Safeguards Rule and other
agencies’ GLBA implementing rules.
The Commission has not previously
requested comment on revising the
definition of ‘‘financial institution’’ in
this way for the Privacy Rule. Through
this NPRM, it does so here. Specifically,
the Commission seeks information on
(1) whether any entities function as
‘‘finders’’ for motor vehicle dealers, and
if so how many; (2) whether such
finders collect or maintain customer
information as defined by the Rule; and
(3) the costs and benefits, including the
costs and benefits to finders and
consumers, of this proposed
amendment.
III. Request for Comment
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before June 3, 2019. Write ‘‘Amendment
to the Privacy of Consumer Financial
Information Rule, 16 CFR part 313,
Rulemaking No. R411016’’ on the
comment. Your comment, including
your name and your state, will be
placed on the public record of this
proceeding, including, to the extent
practicable, the https://www.regulations.gov website.
Postal mail addressed to the
Commission is subject to delay due to
43 This proposal is also consistent with the
agency’s concurrent proposal to revise the
Safeguards Rule in the same manner.
heightened security screening. As a
result, we encourage you to submit your
comment online. To make sure that the
Commission considers your online
comment, you must file it at https://www.regulations.gov by following the
instructions on the web-based form.
If you file your comment on paper,
write ‘‘Amendment to the Privacy of
Consumer Financial Information Rule,
16 CFR part 313, Rulemaking No.
R411016,’’ on your comment and on the
envelope, and mail your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW, Suite
CC–5610 (Annex B), Washington, DC
20580, or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW,
5th Floor, Suite 5610 (Annex B),
Washington, DC 20024. If possible,
please submit your paper comment to
the Commission by courier or overnight
service.
Because your comment will be placed
on the publicly accessible website,
https://www.regulations.gov/, you are
solely responsible for making sure that
your comment does not include any
sensitive or confidential information. In
particular, your comment should not
include any sensitive personal
information, such as your or anyone
else’s Social Security number, date of
birth, driver’s license number or other
state identification number or foreign
country equivalent, passport number,
financial account number, or credit or
debit card number. You are also solely
responsible for making sure that your
comment does not include any sensitive
health information, such as medical
records or other individually
identifiable health information. In
addition, your comment should not
include any ‘‘trade secret or any
commercial or financial information
which . . . is privileged or
confidential,’’ as provided by section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2),
including in particular, competitively
sensitive information such as costs,
sales statistics, inventories, formulas,
patterns, devices, manufacturing
processes, or customer names.
Comments containing material for
which confidential treatment is
requested must be filed in paper form,
must be clearly labeled ‘‘Confidential,’’
and must comply with FTC Rule 4.9(c).
In particular, the written request for
confidential treatment that accompanies
the comment must include the factual
and legal basis for the request, and must
identify the specific portions of the
comments to be withheld from the
public record.44 Your comment will be
kept confidential only if the FTC
General Counsel grants your request in
accordance with the law and the public
interest. Once your comment has been
posted publicly at www.regulations.gov,
we cannot redact or remove your
comment from the FTC website, unless
you submit a confidentiality request that
meets the requirements for such
treatment under FTC Rule 4.9(c), and
the General Counsel grants that request.
Visit the Commission website at
https://www.ftc.gov/ to read this
document and the news release
describing it. The FTC Act and other
laws that the Commission administers
permit the collection of public
comments to consider and use in this
proceeding as appropriate. The
Commission will consider all timely
and responsive public comments that it
receives on or before June 3, 2019. For
information on the Commission’s
privacy policy, including routine uses
permitted by the Privacy Act, see
https://www.ftc.gov/site-information/privacy-policy.
IV. Communications by Outside Parties
to the Commissioners or Their Advisors
Written communications and
summaries or transcripts of oral
communications respecting the merits
of this proceeding, from any outside
party to any Commissioner or
Commissioner’s advisor, will be placed
on the public record.45
V. Paperwork Reduction Act
Under the Paperwork Reduction Act
of 1995 (PRA),46 Federal agencies are
generally required to seek Office of
Management and Budget (OMB)
approval for information collection
requirements prior to implementation.
Under the PRA, the Commission may
not conduct or sponsor, and,
notwithstanding any other provision of
law, a person is not required to respond
to an information collection, unless the
information collection displays a valid
control number assigned by OMB.
This proposal would amend 16 CFR
part 313. The collections of information
related to the Privacy Rule and the
FAST Act statutory exceptions to the
Rule’s annual notice requirement have
been previously reviewed and approved
by OMB in accordance with the PRA.47
Under the existing clearance, the FTC
has attributed to itself the estimated
burden regarding all motor vehicle
44 See 16 CFR 4.9(c).
45 16 CFR 1.26(b)(5).
46 44 U.S.C. 3501 et seq.
47 The FTC has current clearance through
November 30, 2020. The OMB Control Number is
3084–0121.
dealers and then shares equally the
remaining estimated PRA burden with
the CFPB for other types of financial
institutions for which both agencies
have enforcement authority regarding
the GLBA Privacy Rule.48
The proposed amendments do not
modify or add to information collection
requirements that were previously
approved by OMB. First, the
Commission anticipates that the
proposed expansion of the definition of
‘‘financial institution’’ to include
entities engaged in activities that are
incidental to financial activities will
have little to no effect. It is not clear that
any finders are in the business of
linking consumers with financing
through motor vehicle dealers, as
opposed to other types of financial
institutions such as payday lenders or
mortgage lenders.
Second, the proposed removal of
certain examples provided in the Rule
that are not applicable to motor vehicle
dealers will have no impact on existing
information collection requirements.
Therefore, the Commission does not
believe that the proposed amendments
would substantially or materially
modify any ‘‘collections of information’’
as defined by the PRA.
The Commission seeks comment on
whether there are any finders in
existence that would be covered by the
proposed Rule. If there are such
businesses, the Commission will seek
OMB clearance as appropriate.
VI. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA),
as amended by the Small Business
Regulatory Enforcement Fairness Act of
1996, requires an agency to either
provide an Initial Regulatory Flexibility
Analysis (‘‘IRFA’’) with a proposed rule,
or certify that the proposed rule will not
have a significant impact on a
substantial number of small entities.49
The Commission does not expect that
this Rule, if adopted, would have the
threshold impact on small entities. First,
most of the burdens flow from the
mandates of the GLBA, not from the
specific provisions of the proposed
Rule. Second, the Commission does not
expect the proposal to impose costs on
small motor vehicle dealers because the
amendments are primarily for
clarification purposes and should not
result in any increased burden on any
motor vehicle dealer. Thus, a small
entity that complies with current law
need not take any different or additional
action if the proposal is adopted.
Nonetheless, the Commission has
48 82 FR 48081.
49 5 U.S.C. 603–605.
determined that it is appropriate to
publish an Initial Regulatory Flexibility
Analysis in order to inquire into the
impact of the proposed Rule on small
entities. The Commission does not
believe that there are any small entities
engaged in finding for motor vehicle
financing that would now be covered as
a result of the modified definition of
‘‘financial institution.’’ However, the
Commission invites comment on this
issue.
1. Reasons for the Proposed Rule
To address the Dodd-Frank Act and
FAST Act changes the Commission
proposes to change the Privacy Rule’s
scope and definition of ‘‘financial
institution’’; change the annual notice
requirement; and remove certain
examples provided in the Rule that are
not applicable to motor vehicle dealers.
These changes will make the current,
narrow scope of the Rule clearer.
Additionally, the Commission proposes
modifying the definition of ‘‘financial
institution’’ to harmonize the Privacy
Rule with other agencies’ rules by
including ‘‘activities incidental to
financial activities’’ as a financial
activity. This change would bring
‘‘finders’’ within the scope of the Rule.
2. Statement of Objectives and Legal
Basis
The objectives of the proposed Rule
are discussed above. The legal basis for
the proposed Rule is section 501(b) of
the GLBA.
3. Description of Small Entities to
Which the Rule Will Apply
Determining a precise estimate of the
number of small entities 50—including
newly covered entities under the
modified definition of financial
institution—is not readily feasible.
Financial institutions covered by the
Rule include certain motor vehicle
dealers. If the proposed Rule is
finalized, finders will also be covered.
50 The U.S. Small Business Administration Table
of Small Business Size Standards Matched to North
American Industry Classification System Codes
(NAICS) are generally expressed in either millions
of dollars or number of employees. A size standard
is the largest that a business can be and still qualify
as a small business for Federal Government
programs. For the most part, size standards are the
annual receipts or the average employment of a
firm. New car dealers (NAICS code 441100) are
classified as small if they have fewer than 200
employees. Used car dealers (NAICS code 441120)
are classified as small if their annual receipts are
$25 million or less. Recreational vehicle dealers,
boat dealers, motorcycle, ATV and all other motor
vehicle dealers (NAICS codes 441210, 441222 and
441228) are classified as small if their annual
receipts are $32.5 million or less. The 2017 Table
of Small Business Size Standards is available at
https://www.sba.gov/sites/default/files/files/Size_Standards_Table_2017.pdf.
The Commission requests comment and
information on whether there are any
finders in existence that would be
covered by the proposed Rule.
4. Projected Reporting, Recordkeeping,
and Other Compliance Requirements
The Commission does not believe that
the proposed Rule would impose any
new or substantively revised
‘‘collections of information’’ as defined
by the PRA. Rather, the Commission
believes that the proposed amendments
would have the overall effect of
reducing the currently cleared estimated
burden for the information collections
associated with the Privacy Rule annual
notice. The Commission invites
comment on the costs to newly covered
financial institutions—if there are any—
of complying with the Rule.
5. Identification of Duplicative,
Overlapping, or Conflicting Federal
Rules
The Commission’s proposal to modify
the definition of ‘‘financial institution’’
harmonizes the Privacy Rule with other
agencies’ rules. The effect of this
proposed amendment, as discussed
above, would be to cause ‘‘finders’’ to be
covered by the Rule, thereby bringing
the scope of the Privacy Rule into
harmony with the scope of entities
covered by other agencies under
Regulation P. The Commission believes
that this proposal does not create
conflicting or duplicative obligations on
small entities. As stated previously, the
Commission does not believe there are
any newly covered financial institutions
resulting from the proposed definitional
modification. However, the Commission
is requesting comment on the extent to
which other federal standards involving
privacy notices may duplicate and/or
satisfy or possibly conflict with the
Rule’s requirements for any newly
covered financial institutions.
6. Discussion of Significant Alternatives
As stated previously, the Commission
does not believe there are any newly
covered financial institutions resulting
from the proposed definitional
modification. Moreover, the
Commission believes that the other
proposed amendments would have the
overall effect of reducing the burden for
all covered entities associated with the
Privacy Rule annual notice. The
proposed amendments do not reduce
the flexibility already present in the
existing Rule, which allows notices to
be provided in a variety of ways,
including electronically in some
circumstances. As to the core
requirements of the proposed Rule, they
come from GLBA itself, as amended by
the Dodd-Frank and the FAST Act. The
statute prescribes the definition of
financial institutions to be covered by
the Rule and sets forth the specific
requirements, which the Commission
cannot modify to ease burdens on small
entities. Therefore the Commission does
not believe that any alternatives for
small entities are required or
appropriate. However, the Commission
welcomes comment on any significant
alternative consistent with the GLBA
that would minimize the impact of the
proposed Rule on small entities—
specifically institutions that would be
newly covered financial institutions—if
there are any.
List of Subjects in 16 CFR Part 313
Consumer protection, Credit, Data
protection, Privacy, Trade practices.
For the reasons stated above, the
Federal Trade Commission proposes to
amend 16 CFR part 313 as follows:
■ 1. Revise the authority section for part
313 to read as follows:
Authority: 15 U.S.C. 6801 et seq., 12
U.S.C. 5519.
■ 2. In § 313.1, revise paragraph (b) to
read as follows:
§ 313.1 Purpose and scope.
* * * * *
(b) Scope. This part applies only to
nonpublic personal information about
individuals who obtain financial
products or services primarily for
personal, family or household purposes
from the institutions listed below. This
part does not apply to information about
companies or about individuals who
obtain financial products or services for
business, commercial, or agricultural
purposes. This part applies to those
‘‘financial institutions’’ over which the
Federal Trade Commission
(‘‘Commission’’) has rulemaking
authority pursuant to section
504(a)(1)(C) of the Gramm-Leach-Bliley
Act. An entity is a ‘‘financial
institution’’ if its business is engaging in
an activity that is financial in nature or
incidental to such financial activities as
described in section 4(k) of the Bank
Holding Company Act of 1956, 12
U.S.C. 1843(k), which incorporates by
reference activities enumerated by the
Federal Reserve Board in 12 CFR 225.28
and 12 CFR 225.86. The ‘‘financial
institutions’’ subject to the
Commission’s rulemaking authority are
any persons described in 12 U.S.C. 5519
that are predominantly engaged in the
sale and servicing of motor vehicles, the
leasing and servicing of motor vehicles,
or both. They are referred to in this part
as ‘‘You.’’ Excluded from the coverage
of this regulation are motor vehicle
dealers described in 12 U.S.C. 5519(b)
that directly extend to consumers retail
credit or retail leases involving motor
vehicles in which the contract
governing such extension of retail credit
or retail leases is not routinely assigned
to an unaffiliated third party finance or
leasing source.
■ 3. In § 313.3, revise paragraphs (e), (i),
(j), (k) and (q), to read as follows:
§ 313.3 Definitions.
* * * * *
(e)(1) Consumer means an individual
who obtains or has obtained a financial
product or service from you that is to be
used primarily for personal, family, or
household purposes, or that individual’s
legal representative.
(2) Examples—(i) An individual who
applies to you for credit for personal,
family, or household purposes is a
consumer of a financial service,
regardless of whether the credit is
extended.
(ii) An individual who provides
nonpublic personal information to you
in order to obtain a determination about
whether he or she may qualify for a loan
to be used primarily for personal,
family, or household purposes is a
consumer of a financial service,
regardless of whether the loan is
extended.
(iii) If you hold ownership or
servicing rights to an individual’s loan
that is used primarily for personal,
family, or household purposes, the
individual is your consumer, even if
you hold those rights in conjunction
with one or more other institutions.
(The individual is also a consumer with
respect to the other financial
institutions involved.) An individual
who has a loan in which you have
ownership or servicing rights is your
consumer, even if you, or another
institution with those rights, hire an
agent to collect on the loan.
(iv) An individual who is a consumer
of another financial institution is not
your consumer solely because you act as
agent for, or provide processing or other
services to, that financial institution.
(v) An individual is not your
consumer solely because he or she is a
participant or a beneficiary of an
employee benefit plan that you sponsor
or for which you act as a trustee or
fiduciary.
* * * * *
(i)(1) Customer relationship means a
continuing relationship between a
consumer and you under which you
provide one or more financial products
or services to the consumer that are to
be used primarily for personal, family,
or household purposes.
(2) Examples—(i) Continuing
relationship. A consumer has a
continuing relationship with you if the
consumer:
(A) Has a credit or investment account
with you;
(B) Obtains a loan from you;
(C) Purchases an insurance product
from you;
(D) Enters into an agreement or
understanding with you whereby you
undertake to arrange credit to purchase
a vehicle for the consumer;
(E) Enters into a lease of personal
property on a non-operating basis with
you; or
(F) Has a loan for which you own the
servicing rights.
(ii) No continuing relationship. A
consumer does not, however, have a
continuing relationship with you if:
(A) The consumer obtains a financial
product or service from you only in
isolated transactions, such as cashing a
check with you or making a wire
transfer through you;
(B) You sell the consumer’s loan and
do not retain the rights to service that
loan; or
(C) The consumer obtains one-time
personal appraisal services from you.
(j) Federal functional regulator means:
(1) The Board of Governors of the
Federal Reserve System;
(2) The Office of the Comptroller of
the Currency;
(3) The Board of Directors of the
Federal Deposit Insurance Corporation;
(4) The National Credit Union
Administration Board; and
(5) The Securities and Exchange
Commission.
(k)(1) Financial institution means any
institution the business of which is
engaging in an activity that is financial
in nature or incidental to such financial
activities as described in section 4(k) of
the Bank Holding Company Act of 1956,
12 U.S.C. 1843(k). An institution that is
significantly engaged in financial
activities is a financial institution.
(2) Example of financial institution.
An automobile dealership that, as a
usual part of its business, leases
automobiles on a nonoperating basis for
longer than 90 days is a financial
institution with respect to its leasing
business because leasing personal
property on a nonoperating basis where
the initial term of the lease is at least 90
days is a financial activity listed in 12
CFR 225.28(b)(3) and referenced in
section 4(k)(4)(F) of the Bank Holding
Company Act.
(3) Financial institution does not
include entities that engage in financial
activities but that are not significantly
engaged in those financial activities.
(4) Example of entities that are not
significantly engaged in financial
activities. A motor vehicle dealer is not
a financial institution merely because it
accepts payment in the form of cash,
checks, or credit cards that it did not
issue.
* * * * *
(q) You includes each ‘‘financial
institution’’ over which the Commission
has rulemaking authority pursuant to
section 504(a)(1)(C) of the Gramm-Leach-Bliley Act (15 U.S.C.
6804(a)(1)(C)).
■ 4. In § 313.4, revise paragraphs
(c)(3)(i) and (e), to read as follows:
§ 313.4 Initial privacy notice to consumers
required.
* * * * *
(c) * * *
(3)(i) Examples of establishing a
customer relationship. You establish a
customer relationship when the
consumer:
(A) Executes the contract to obtain
credit from you or purchase insurance
from you; or
(B) Executes the lease for personal
property with you.
* * * * *
(e) Exceptions to allow subsequent
delivery of notice. (1) You may provide
the initial notice required by paragraph
(a)(1) of this section within a reasonable
time after you establish a customer
relationship if:
(i) Establishing the customer
relationship is not at the customer’s
election; or
(ii) Providing notice not later than
when you establish a customer
relationship would substantially delay
the customer’s transaction and customer
agrees to receive the notice at a later
time.
(2) Examples of exceptions—(i)
Substantial delay of customer’s
transaction. Providing notice not later
than when you establish a customer
relationship would substantially delay
the customer’s transaction when you
and the individual agree over the
telephone to enter into a customer
relationship involving prompt delivery
of the financial product or service.
(ii) No substantial delay of customer’s
transaction. Providing notice not later
than when you establish a customer
relationship would not substantially
delay the customer’s transaction when
the relationship is initiated in person at
your office or through other means by
which the customer may view the
notice, such as through a website.
* * * * *
■ 5. In § 313.5, revise paragraphs (a)(1)
and (b)(2) and add paragraph (e) to read
as follows:
§ 313.5 Annual privacy notice to
customers required.
(a)(1) General rule. Except as provided
by paragraph (e) of this section, you
must provide a clear and conspicuous
notice to customers that accurately
reflects your privacy policies and
practices not less than annually during
the continuation of the customer
relationship. Annually means at least
once in any period of 12 consecutive
months during which that relationship
exists. You may define the 12-consecutive-month period, but you must
apply it to the customer on a consistent
basis.
* * * * *
(b) * * *
(2) Examples. Your customer becomes
a former customer when:
(i) In the case of a closed-end loan, the
customer pays the loan in full, you
charge off the loan, or you sell the loan
without retaining servicing rights;
(ii) In the case of vehicle loan
brokering services, your customer has
obtained a loan through you (and you
no longer provide any statements or
notices to the customer concerning that
relationship), or has ceased using your
services for such purposes;
(iii) In cases where there is no
definitive time at which the customer
relationship has terminated, you have
not communicated with the customer
about the relationship for a period of 12
consecutive months, other than to
provide annual privacy notices or
promotional material.
* * * * *
(e) Exception to annual privacy notice
requirement. (1) When exception
available. You are not required to
deliver an annual privacy notice if you:
(i) Provide nonpublic personal
information to nonaffiliated third
parties only in accordance with the
provisions of § 313.13, § 313.14, or
§ 313.15; and
(ii) Have not changed your policies
and practices with regard to disclosing
nonpublic personal information from
the policies and practices that were
disclosed to the customer under
§ 313.6(a)(2) through (5) and (9) in the
most recent privacy notice provided
pursuant to this part.
(2) Delivery of annual privacy notice
after financial institution no longer
meets requirements for exception. If you
have been excepted from delivering an
annual privacy notice pursuant to
paragraph (e)(1) of this section and
change your policies or practices in
such a way that you no longer meet the
requirements for that exception, you
must comply with paragraph (e)(2)(i) or
(ii) of this section, as applicable.
(i) Changes preceded by a revised
privacy notice. If you no longer meet the
requirements of paragraph (e)(1) of this
section because you change your
policies or practices in such a way that
§ 313.8 requires you to provide a revised
privacy notice, you must provide an
annual privacy notice in accordance
with the timing requirement in
paragraph (a) of this section, treating the
revised privacy notice as an initial
privacy notice.
(ii) Changes not preceded by a revised
privacy notice. If you no longer meet the
requirements of paragraph (e)(1) of this
section because you change your
policies or practices in such a way that
§ 313.8 does not require you to provide
a revised privacy notice, you must
provide an annual privacy notice within
100 days of the change in your policies
or practices that causes you to no longer
meet the requirement of paragraph
(e)(1).
(iii) Examples. (A) You change your
policies and practices in such a way that
you no longer meet the requirements of
paragraph (e)(1) of this section effective
April 1 of year 1. Assuming you define
the 12-consecutive-month period
pursuant to paragraph (a) of this section
as a calendar year, if you were required
to provide a revised privacy notice
under § 313.8 and you provided that
notice on March 1 of year 1, you must
provide an annual privacy notice by
December 31 of year 2. If you were not
required to provide a revised privacy
notice under § 313.8, you must provide
an annual privacy notice by July 9 of
year 1.
(B) You change your policies and
practices in such a way that you no
longer meet the requirements of
paragraph (e)(1) of this section, and so
provide an annual notice to your
customers. After providing the annual
notice to your customers, you once
again meet the requirements of
paragraph (e)(1) of this section for an
exception to the annual notice
requirement. You do not need to
provide additional annual notice to your
customers until such time as you no
longer meet the requirements of
paragraph (e)(1) of this section.
■ 6. In § 313.15, revise paragraph (a)(4)
to read as follows:
§ 313.15 Other exceptions to notice and
opt out requirements.
(a) * * *
(4) To the extent specifically
permitted or required under other
provisions of law and in accordance
with the Right to Financial Privacy Act
of 1978 (12 U.S.C. 3401 et seq.), to law
enforcement agencies (including the
Consumer Financial Protection Bureau,
a federal functional regulator, the
Secretary of the Treasury, with respect
to 31 U.S.C. chapter 53, subchapter II
(Records and Reports on Monetary
Instruments and Transactions) and 12
U.S.C. chapter 21 (Financial
Recordkeeping), a State insurance
authority, with respect to any person
domiciled in that insurance authority’s
State that is engaged in providing
insurance, and the Federal Trade
Commission), self-regulatory
organizations, or for an investigation on
a matter related to public safety.
* * * * *
By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2019–06039 Filed 4–3–19; 8:45 am]
BILLING CODE 6750–01–P
FEDERAL TRADE COMMISSION
16 CFR Part 314
RIN 3084–AB35
Standards for Safeguarding Customer
Information
AGENCY: Federal Trade Commission.
ACTION: Notice of proposed rulemaking;
request for public comment.
SUMMARY: The Federal Trade
Commission (‘‘FTC’’ or ‘‘Commission’’)
requests public comment on its proposal
to amend the Standards for
Safeguarding Customer Information
(‘‘Safeguards Rule’’ or ‘‘Rule’’). The
proposal contains five main
modifications to the existing Rule. First,
it adds provisions designed to provide
covered financial institutions with more
guidance on how to develop and
implement specific aspects of an overall
information security program. Second, it
adds provisions designed to improve the
accountability of financial institutions’
information security programs. Third, it
exempts small businesses from certain
requirements. Fourth, it expands the
definition of ‘‘financial institution’’ to
include entities engaged in activities
that the Federal Reserve Board
determines to be incidental to financial
activities. Finally, the Commission
proposes to include the definition of
‘‘financial institution’’ and related
examples in the Rule itself rather than
cross-reference them from a related FTC
rule, the Privacy of Consumer Financial
Information Rule.
DATES: Written comments must be
received on or before June 3, 2019.
ADDRESSES: Interested parties may file a
comment online or on paper by
following the Request for Comment part
of the SUPPLEMENTARY INFORMATION
section below. Write ‘‘Safeguards Rule,
16 CFR part 314, Project No. P145407,’’
on your comment and file your
comment online at https://www.regulations.gov
by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, mail your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW, Suite
CC–5610 (Annex B), Washington, DC
20580, or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW,
5th Floor, Suite 5610 (Annex B),
Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT:
David Lincicum or Allison M. Lefrak,
Division of Privacy and Identity
Protection, Bureau of Consumer
Protection, Federal Trade Commission,
600 Pennsylvania Avenue NW,
Washington, DC 20580, (202) 326–2773
or (202) 326–2804.
SUPPLEMENTARY INFORMATION:
I. Background
The Gramm-Leach-Bliley Act (‘‘GLB’’
or ‘‘GLBA’’) was enacted in 1999.1 The
GLBA provides a framework for
regulating the privacy and data security
practices of a broad range of financial
institutions. Among other things, the
GLBA requires financial institutions to
provide customers with information
about the institutions’ privacy practices
and about their opt-out rights, and to
implement security safeguards for
customer information.
Subtitle A of Title V of the GLBA
required the Commission and other
federal agencies to establish standards
for financial institutions relating to
administrative, technical, and physical
safeguards for certain information.2
Pursuant to the Act’s directive, the
Commission promulgated the
Safeguards Rule in 2002. The
Safeguards Rule became effective on
May 23, 2003.
The Safeguards Rule requires a
financial institution to develop,
implement, and maintain a
comprehensive information security
program that consists of the
administrative, technical, and physical
safeguards the financial institution uses
to access, collect, distribute, process,
protect, store, use, transmit, dispose of,
or otherwise handle customer
information.3 The information security
program must be written in one or more
1 Public Law 106–102, 113 Stat. 1338 (1999).
2 See 15 U.S.C. 6801(b), 6805(b)(2).
3 16 CFR 314.2(c).
[Federal Register Volume 84, Number 65 (Thursday, April 4, 2019)]
[Proposed Rules]
[Pages 13150-13158]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-06039]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 313
RIN 3084-AB42
Privacy of Consumer Financial Information Rule Under the Gramm-
Leach-Bliley Act
AGENCY: Federal Trade Commission.
[[Page 13151]]
ACTION: Notice of proposed rulemaking; request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission is proposing to amend its Privacy
Rule for certain financial institutions subject to the Rule to revise
the Rule's scope, to modify the Rule's definitions of ``financial
institution'' and ``federal functional regulator,'' and to update the
Rule's annual customer privacy notice requirement. The proposed
amendments will also remove certain examples in the Rule that apply to
financial institutions that now fall outside the scope of the
Commission's Rule. This action is necessary to conform the Rule to the
current requirements of the Gramm-Leach-Bliley Act (GLBA), as amended
by the Dodd-Frank and FAST Acts, and will clarify which financial
institutions are covered by the Commission's Rule and their annual
customer privacy notice obligations under the Rule.
DATES: Written comments must be received on or before June 3, 2019.
ADDRESSES: Interested parties may file a comment online or on paper by
following the Request for Comment part of the SUPPLEMENTARY INFORMATION
section below. Write ``Amendment to the Privacy of Consumer Financial
Information Rule, 16 CFR part 313, Rulemaking No. R411016,'' on your
comment and file your comment online at https://www.regulations.gov by
following the instructions on the web-based form. If you prefer to file
your comment on paper, mail your comment to the following address:
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania
Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, or deliver
your comment to the following address: Federal Trade Commission, Office
of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor,
Suite 5610 (Annex B), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: David Lincicum or Allison M. Lefrak,
Division of Privacy and Identity Protection, Bureau of Consumer
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
Washington, DC 20580, (202) 326-2773 or (202) 326-2804.
SUPPLEMENTARY INFORMATION:
I. Background
A. The Statute and Regulation
The GLBA was enacted in 1999.\1\ The GLBA, among other things,
provides a framework for regulating the privacy practices of a broad
range of financial institutions. The GLBA requires that financial
institutions provide their customers with initial and annual notices
regarding their privacy practices, and allow their customers to opt out
of sharing their information with certain nonaffiliated third parties.
---------------------------------------------------------------------------
\1\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------
Rulemaking authority to implement the GLBA's privacy provisions was
initially spread among multiple agencies. The Federal Reserve Board
(``the Fed''), the Office of the Comptroller of the Currency (``OCC''), the
Federal Deposit Insurance Corporation (``FDIC''), and the Office of
Thrift Supervision (``OTS'') jointly adopted final rules to implement
the notice requirements of the GLBA in 2000.\2\ The Commission, the
National Credit Union Administration (``NCUA''), the Securities and
Exchange Commission (``SEC''), and the Commodity Futures Trading
Commission (``CFTC'') were part of the same interagency process, but
each issued their rules separately.\3\ In 2009, all those agencies
jointly adopted a model form that financial institutions could use to
provide the required initial and annual privacy disclosures.\4\
---------------------------------------------------------------------------
\2\ 65 FR 35162 (June 1, 2000).
\3\ 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 31722
(May 18, 2000) (NCUA final rule); 65 FR 40334 (June 29, 2000) (SEC
final rule); 66 FR 21236 (Apr. 27, 2001) (CFTC final rule).
\4\ 74 FR 62890 (Dec. 1, 2009); see also 16 CFR 313.2, 313.4-
313.9.
---------------------------------------------------------------------------
As originally promulgated, the FTC's Privacy Rule covered a broad
range of non-bank financial institutions such as payday lenders,
mortgage brokers, check cashers, debt collectors, real estate
appraisers, certain motor vehicle dealers, and remittance transfer
providers. In 2010, the Dodd-Frank Act \5\ transferred the GLBA's
privacy notice rulemaking authority from the Fed, NCUA, OCC, OTS, the
FDIC, and the Commission (in part) to the Consumer Financial Protection
Bureau (``CFPB''). The CFPB then restated the implementing regulations
in Regulation P, 12 CFR part 1016, in late 2011 (``Regulation P'').\6\
However, under section 1029 of the Dodd-Frank Act, the Commission
retained rulemaking authority for certain motor vehicle dealers.\7\
Thus, in 2012, the Commission issued a notice that it was retaining the
implementing regulations governing privacy notices for motor vehicle
dealers at 16 CFR part 313.\8\
---------------------------------------------------------------------------
\5\ Public Law 111-203, 124 Stat. 1376 (2010).
\6\ 76 FR 79025 (Dec. 21, 2011).
\7\ 12 U.S.C. 5519. The FTC retained rulemaking jurisdiction as
to motor vehicle dealers that are predominantly engaged in the sale
and servicing or the leasing and servicing of motor vehicles,
excluding those dealers that directly extend credit to consumers and
do not routinely assign the extensions of credit to an unaffiliated
third party. For ease of reference, covered motor vehicle dealers
are referenced herein as ``motor vehicle dealers.''
\8\ 77 FR 22200, 22201 (April 13, 2012) (also rescinding those
regulations for which rulemaking authority was transferred to the
CFPB under the Dodd-Frank Act).
---------------------------------------------------------------------------
Despite the transfer of general rulemaking authority for the
Privacy Rule to the CFPB, the Commission and other agencies retain
their existing enforcement authority under the GLBA.\9\ In addition,
the SEC and CFTC retain rulemaking authority with respect to securities
and futures-related companies, respectively.\10\ Accordingly, as part
of this rulemaking process, the Commission has consulted and
coordinated, or offered to consult, with those agencies that have
rulemaking and/or enforcement authority under the GLBA, including the
CFPB, SEC, CFTC, and the National Association of Insurance
Commissioners (``NAIC'').\11\
---------------------------------------------------------------------------
\9\ 15 U.S.C. 6805(a).
\10\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR
1016.1(b).
\11\ See 15 U.S.C. 6804(a)(2).
---------------------------------------------------------------------------
On December 4, 2015, Congress amended the GLBA as part of the FAST
Act. This amendment, titled Eliminate Privacy Notice Confusion,\12\
added GLBA subsection 503(f). This subsection provides an exception
under which financial institutions that meet certain conditions are not
required to provide annual privacy notices to customers.
---------------------------------------------------------------------------
\12\ Public Law 114-94, sec. 75001, 129 Stat. 1312, 1787 (2015).
---------------------------------------------------------------------------
B. The Privacy Notice Requirements
As noted, the GLBA and the Privacy Rule require that motor vehicle
dealers provide consumers with notices describing their privacy
policies. Specifically, section 503 of the GLBA and the Privacy Rule
require covered entities to provide an initial notice of these
policies,\13\ and then ``provide a clear and conspicuous notice to
customers that accurately reflects [their] privacy policies and
practices not less than annually during the continuation of the
customer relationship.'' \14\
---------------------------------------------------------------------------
\13\ 15 U.S.C. 6803; 16 CFR 313.4.
\14\ 15 U.S.C. 6803; 16 CFR 313.5(a)(1).
---------------------------------------------------------------------------
Section 502 of the GLBA and the Privacy Rule require that initial
and annual notices inform customers of their right to opt out of the
sharing of nonpublic personal information with some types of
nonaffiliated third parties.\15\ For example, a customer has the right
to opt out of allowing a motor vehicle dealer to sell her name and
address to a nonaffiliated auto insurance company.\16\ On the other
hand, a motor vehicle dealer is not required to allow consumers to opt
out of the dealer's
[[Page 13152]]
sharing involving third-party service providers, joint marketing
arrangements, maintenance and servicing of accounts, securitization,
law enforcement and compliance, reporting to consumer reporting
agencies, and certain other activities that are specified in the
statute and regulation.\17\ Accordingly, if a motor vehicle dealer
limits its sharing to uses that do not trigger opt-out rights, it may
provide an annual privacy notice to its customers that does not include
information regarding opt-out rights.
---------------------------------------------------------------------------
\15\ 15 U.S.C. 6802; 16 CFR 313.6(a)(6).
\16\ 16 CFR 313.10(a).
\17\ 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13-313.15.
---------------------------------------------------------------------------
Motor vehicle dealers also may include in the annual privacy notice
information about certain consumer opt-out rights related to affiliate
sharing under the Fair Credit Reporting Act (``FCRA''). First, section
603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer's
information among affiliates, but only if the consumer is notified of
such sharing and is given an opportunity to opt out.\18\ Section
503(c)(4) of the GLBA and the Privacy Rule generally require motor
vehicle dealers to incorporate any notifications and opt-out
disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA
into their initial and annual privacy notices.\19\
---------------------------------------------------------------------------
\18\ 15 U.S.C. 1681a(d)(2)(A)(iii).
\19\ 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
---------------------------------------------------------------------------
Second, section 624 of the FCRA and the FTC's Affiliate Marketing
Rule \20\ provide that an affiliate of a motor vehicle dealer that
receives certain information about a consumer from the dealer may not
use that information for marketing purposes, unless the consumer is
provided with an opportunity to opt out of that use.\21\ This
requirement governs the use of information by an affiliate, not the
sharing of information among affiliates, and thus is distinct from the
affiliate sharing opt-out discussed above. The Affiliate Marketing Rule
permits (but does not require) motor vehicle dealers to incorporate any
opt-out disclosures provided under section 624 of the FCRA and the
Affiliate Marketing Rule into the initial and annual privacy notices
required by the GLBA.\22\
---------------------------------------------------------------------------
\20\ 16 CFR 680.1-680.28.
\21\ 15 U.S.C. 1681s-3. The FTC's Affiliate Marketing Rule
applies to motor vehicle dealers. See 77 FR 22200 (Apr. 13, 2012).
The FTC also enforces the CFPB's Regulation V's Affiliate Marketing
Rule, 12 CFR part 1022, subpart C, for other entities over which the
FTC has enforcement authority under the FCRA.
\22\ 16 CFR 680.23(b).
---------------------------------------------------------------------------
Finally, section 313.6(a)(8) of the Privacy Rule requires that the
initial and annual notices briefly describe how motor vehicle dealers
protect the nonpublic personal information they collect and maintain.
II. Proposed Revision of the Privacy Rule
A. The Consumer Financial Protection Bureau Rulemaking
In December 2011, the CFPB issued a Request for Information seeking
specific suggestions for streamlining regulations that were transferred
to the CFPB from other Federal agencies, including the annual privacy
notice requirement.\23\ After receiving numerous comments, in May 2014,
the CFPB issued a proposed rule to amend its Regulation P to allow
financial institutions to notify consumers that a privacy notice was
available online, in certain enumerated circumstances.\24\ The CFPB
finalized its rulemaking in October 2014.\25\
---------------------------------------------------------------------------
\23\ 76 FR 75825, 75828 (Dec. 5, 2011).
\24\ 79 FR 27214 (May 14, 2014) (CFPB Notice of Proposed
Rulemaking).
\25\ 79 FR 64057 (Oct. 28, 2014).
---------------------------------------------------------------------------
B. The Commission's 2015 Proposed Rulemaking
On June 24, 2015, the Commission published a Notice of Proposed
Rulemaking (``2015 NPRM'') proposing revisions to the Privacy Rule.\26\
First, the Commission proposed a number of changes to comport with the
Dodd-Frank Act revision of GLBA, which transferred rulemaking authority
for most financial institutions to the CFPB. The Commission also
proposed amending the Rule to allow motor vehicle dealers to notify
their customers that a privacy notice is available online, under
circumstances identical to those that had been adopted by the CFPB.\27\
---------------------------------------------------------------------------
\26\ 80 FR 36267 (June 24, 2015).
\27\ See 79 FR 64057 (Oct. 28, 2014).
---------------------------------------------------------------------------
The Commission received six comments from individuals and
entities.\28\
---------------------------------------------------------------------------
\28\ The comments are posted at: https://www.ftc.gov/policy/public-comments/2015/06/initiative-614. The Commission assigned each
comment a number appearing after the name of the commenter and the
date of submission.
---------------------------------------------------------------------------
C. The Passage of the FAST Act
As described above, on December 4, 2015, President Obama signed the
FAST Act. The FAST Act contains a provision that modified the annual
privacy notice requirement under the GLBA. The provision states that a
financial institution is not required to provide an annual privacy
notice if it: (1) Only shares non-public personal information with non-
affiliated third parties in a manner that does not require an opt-out
right be provided to customers (e.g., if the institution discloses
nonpublic personal information to a service provider or for fraud
detection and prevention purposes), and (2) has not changed its
policies and practices with respect to disclosing nonpublic personal
information since it last provided a privacy notice to its
customers.\29\ This modification of the GLBA rendered the Commission's
proposed changes to the Privacy Rule moot because those changes, if
adopted, would have been in conflict with the revised statute.\30\
---------------------------------------------------------------------------
\29\ 15 U.S.C. 6803(f).
\30\ In 2016, the CFPB issued a proposed amendment to Regulation
P that would alter the annual notice requirement to conform to the
statutory changes. 81 FR 44801 (July 11, 2016). The rule became
final in September 2018. 83 FR 40945 (Sept. 17, 2018).
---------------------------------------------------------------------------
D. New Proposed Changes to the Privacy Rule
In light of this history, the Commission is issuing this notice of
proposed rulemaking. The Commission now proposes to make three types of
changes to the Privacy Rule: (1) Technical changes to the Rule to
correspond to the reduced scope of the Rule due to Dodd-Frank Act
changes, which primarily consist of removing references that do not
apply to motor vehicle dealers; (2) modifications to the annual privacy
notice requirements to reflect the changes made to the GLBA by the FAST
Act; and (3) a modification to the scope and definition of ``financial
institution'' to include entities engaged in activities that are
incidental to financial activities, which would bring the Rule into
accord with the CFPB's Regulation P.
1. Technical Changes To Correspond to Statutory Changes Resulting From
the Dodd-Frank Act
The Commission adopted the scope of, and definitions in, the
original Privacy Rule at a time when it had rulemaking authority for
the Privacy Rule over a broader group of non-bank ``financial
institutions'' as defined by the GLBA. While the Dodd-Frank Act did not
change the Commission's enforcement authority for the privacy notice
obligations of the GLBA, it did amend the Commission's rulemaking
authority under the GLBA such that the Privacy Rule only applies to
motor vehicle dealers.\31\ The amendments in the Dodd-Frank Act
necessitate certain technical revisions to the Privacy Rule to ensure
that the regulation is consistent with the text of the amended
GLBA.\32\ For example, retaining examples that apply to entities other
[[Page 13153]]
than motor vehicle dealers may lead to confusion about the existing,
narrower scope of the Privacy Rule. Accordingly, the Commission
proposes to modify the Privacy Rule to provide clearer guidance to
financial institutions that are covered motor vehicle dealers.\33\
---------------------------------------------------------------------------
\31\ For other types of financial institutions over which the
Commission has enforcement authority under the GLBA, the Commission
now enforces the CFPB's Regulation P.
\32\ 15 U.S.C. 6804(1)(C).
\33\ The Commission also proposes a change to 16 CFR 313.3(j)
removing the Director of the Office of Thrift Supervision from the
definition of ``Federal Functional Regulators,'' as the Office of
Thrift Supervision no longer exists.
---------------------------------------------------------------------------
The proposed amendment to section 313.1(b) narrows the description
of the scope of the Privacy Rule to those entities set forth in the
Dodd-Frank Act \34\ that are predominantly engaged in the sale and
servicing of motor vehicles or the leasing and servicing of motor
vehicles, excluding those dealers that directly extend credit to
consumers and do not routinely assign the extensions of credit to an
unaffiliated third party. It also removes the reference in the Rule's
scope to ``other persons'': Although the Commission continues to have
enforcement authority over ``other persons'' covered by the CFPB's
Regulation P, the Commission no longer has rulemaking authority for the
Privacy Rule over ``other persons.'' \35\ In addition, the Commission
proposes to eliminate from section 313.1(b) the note indicating that
(1) the Privacy Rule does not modify, limit, or supersede the standards
under the Health Insurance Portability and Accountability Act of 1996,
and (2) if a financial institution that is an institution of higher
education is in compliance with the Federal Educational Rights and
Privacy Act (``FERPA'') and its implementing regulations, such
institution shall be deemed in compliance with the Privacy Rule. The
Commission does not believe these provisions will apply to motor
vehicle dealers covered by the Rule and believes they should be removed to
improve clarity. The Commission invites comments on whether these provisions
are relevant to motor vehicle dealers and should be retained.
---------------------------------------------------------------------------
\34\ 12 U.S.C. 5519.
\35\ The Commission also proposes to amend 16 CFR 313.15(a)(4)
to add the CFPB to the list of law enforcement agencies to which
financial institutions are permitted to share information to the
extent permitted by law.
---------------------------------------------------------------------------
The proposed amendments to section 313.3 also remove any examples
that are not likely to apply to motor vehicle dealers. To help
companies understand whether and how the Rule applies to them, the Rule
includes examples of financial institutions in section 313.3(k)(2). The
current examples refer to types of activities that motor vehicle
dealers typically do not engage in. Therefore, leaving those examples
in the Rule may lead to confusion about the Rule's current scope.
The proposed amendments also remove certain examples from the
definition of ``consumer'' in section 313.3(e)(2). These examples do
not apply because motor vehicle dealers do not provide the types of
services provided in the examples, such as financial, investment, or
economic advisory services or serving as the trustee of a trust.
Likewise, the proposed amendments remove certain examples of
establishing a customer relationship from section 313.4(c)(3)(i). The
removed examples do not apply to customers of motor vehicle dealers,
because such activities are not related to the sale or leasing of motor
vehicles. These include creating credit card accounts, providing
investment advice or tax counseling, providing mortgages, collecting
debts from other financial institutions, and providing websites for
consumers to review all of their on-line financial accounts with other
financial institutions.
Finally, the proposed amendments remove certain examples of
termination of customer relationships from section 313.5(b)(2). As with
previously discussed proposed amendments, the removed examples concern
customer relationships based on services that motor vehicle dealers do
not provide. These include credit card accounts, credit counseling
services, tax preparation, and real estate settlement. The removal of
these inapplicable examples will increase the clarity of the rule by
focusing on matters that are relevant to the regulated financial
institutions. Removing these examples will not alter the substance of
the underlying definitions or provisions of the rule, which will have
the same reach and applicability as before the revisions. The changes
are intended to improve clarity, not to alter substance. The Commission
invites comments on whether any of the omitted examples should be
retained.
Although the Dodd-Frank Act altered the Commission's rulemaking
authority with respect to the Privacy Rule, it did not alter the
Commission's rulemaking authority for the Safeguards Rule. For the
Safeguards Rule, the Commission continues to have rulemaking authority
over a broad range of non-bank financial institutions. The Safeguards
Rule, however, currently incorporates by reference the definitions
contained in the Privacy Rule, including all of the examples of
financial institutions listed in the existing Privacy Rule.\36\
Accordingly, while the Commission proposes to modify the Privacy Rule
definitions to include examples applicable only to motor vehicle
dealers, the Commission has also proposed in a separate concurrent NPRM
to amend the Safeguards Rule to import definitions of relevant terms
and examples from the current version of the Privacy Rule.\37\
---------------------------------------------------------------------------
\36\ 16 CFR 314.2(a).
\37\ The NPRM relating to the Safeguards Rule is published
elsewhere in this issue of the Federal Register.
---------------------------------------------------------------------------
2. Modifications to the Annual Privacy Notice To Reflect Statutory
Changes Resulting From the FAST Act
The Commission also proposes changes to the Privacy Rule provisions
governing how motor vehicle dealers should deliver annual privacy
notices. These changes implement statutory changes resulting from the
enactment of the FAST Act and replace those set forth in the 2015 NPRM.
Several commenters opined on the proposed changes to notice
delivery in the 2015 NPRM. Those comments have been rendered obsolete
by the statutory changes. The current proposed rule implements the
changes set forth in the FAST Act.
Section 313.5(a)(1)--General Rule
The proposed section 313.5(a)(1) notes that section 313.5(e)
provides an exception to the general rule requiring the delivery of
annual notices.
Section 313.5(e)
This proposed new section sets forth the exception to the annual
privacy notice requirement. The Commission adopts the reasoning and
changes set forth by the CFPB in its amendments to Regulation P to
adopt the FAST Act changes.\38\ First, proposed section 313.5(e)(1)(i)
sets forth that the financial institution must share nonpublic personal
information only in accordance with the provisions of sections 313.13,
313.14, and 313.15, none of which require an opt-out opportunity be
provided to customers. Second, proposed section 313.5(e)(1)(ii) states
that the financial institution must also not have changed its
disclosure policies and practices that were contained in its most
recent privacy notice to customers.
---------------------------------------------------------------------------
\38\ See 81 FR 44801 (July 10, 2016).
---------------------------------------------------------------------------
Proposed section 313.5(e)(2) sets forth the timing for delivering
an annual notice if a financial institution no longer meets
requirements for the exception and must resume delivery of annual
notices. There are two scenarios under which a financial institution
would need to resume delivering annual notices: (1) Where the change in
its policies triggers the existing requirement
[[Page 13154]]
to issue a revised privacy notice, as required by section 313.8; and
(2) where the change does not trigger a need for the financial
institution to issue a revised notice under section 313.8. These two
situations are addressed by proposed sections 313.5(e)(2)(i) and (ii),
respectively. In the first situation, the revised notice issued by the
financial institution acts as an initial privacy notice for the
purposes of the timing of future annual notices. In the second
situation, the financial institution must provide an annual notice to
customers within 100 days of the change in policies or practices.
Proposed section 313.5(e)(2)(iii) sets forth an example for both
scenarios.
3. Modifications To Scope and Definitions To Bring the Rule Into Accord
With Regulation P
Whether a company is a ``financial institution'' is determined by
the types of activities in which the company engages. When first
promulgating the Privacy Rule, the Commission determined that companies
engaged in activities that are ``incidental to financial activities''
would not be considered ``financial institutions.'' \39\ The Commission
was the only agency to adopt this restrictive definition in its Privacy
Rule, while the other agencies included incidental activities.\40\ In
addition, the Commission decided that activities that were determined
to be financial in nature after the enactment of the GLBA would not be
automatically included in its Privacy Rule; rather, the Commission
would have to take additional action to include them.\41\ The effect of
these two decisions was to limit the activities covered by the
Commission's rules to those set out in 12 CFR 225.28 as it existed in
1999, and to exclude any activities later determined by the Fed to be
financial activities or incidental to those activities.\42\
---------------------------------------------------------------------------
\39\ See 16 CFR 313.3(k); see also 65 FR 33646, 33654 (May 24,
2000).
\40\ The Commission also added the requirement that an entity
must be ``significantly engaged'' in the financial activity to be
considered a financial institution under the Privacy Rule. 16 CFR
313.3(k). The Commission is not proposing to change this
requirement.
\41\ 65 FR 33646, 33654 n.23 (May 24, 2000).
\42\ Id.
---------------------------------------------------------------------------
The Commission proposes modifying the definition of ``financial
institution'' to harmonize the Privacy Rule with other agencies' rules.
The Commission proposes to amend section 313.1(b) to include companies
that engage in activities that are financial in nature or incidental to
such financial activities. Likewise, it proposes to amend the
definition of ``financial institution'' in section 313.3(k), to include
any institution the business of which is engaging in an activity that
is financial in nature or incidental to such financial activities.\43\
The effect of this proposed amendment would be to cause ``finders'' to
be included in this definition, thereby bringing the Privacy Rule into
harmony with the scope of entities covered by other agencies under
Regulation P. It would not bring any other activities under the
coverage of the definition because the Fed has not determined any
activity other than ``finding'' to be financial in nature or incidental
to such activity since the enactment of the GLBA. In practice, the
Commission expects that this change to the Privacy Rule will have
little to no effect because of the already narrow scope of the Rule: It
is not clear that there are any motor vehicle dealers that would be
covered by this rule whose only activity that would qualify them as a
financial institution is the act of finding, as most motor vehicle
dealers are more directly involved in obtaining financing for their
customers. Nevertheless, the Commission believes this change is
important to keep the Rule consistent with the Safeguards Rule and
other agencies' GLBA implementing rules.
---------------------------------------------------------------------------
\43\ This proposal is also consistent with the agency's
concurrent proposal to revise the Safeguards Rule in the same
manner.
---------------------------------------------------------------------------
The Commission has not previously requested comment on revising the
definition of ``financial institution'' in this way for the Privacy
Rule. Through this NPRM, it does so here. Specifically, the Commission
seeks information on (1) whether any entities function as ``finders''
for motor vehicle dealers, and if so how many; (2) whether such finders
collect or maintain customer information as defined by the Rule; and
(3) the costs and benefits, including the costs and benefits to finders
and consumers, of this proposed amendment.
III. Request for Comment
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before June 3, 2019.
Write ``Amendment to the Privacy of Consumer Financial Information
Rule, 16 CFR part 313, Rulemaking No. R411016'' on the comment. Your
comment, including your name and your state, will be placed on the
public record of this proceeding, including, to the extent practicable,
the https://www.regulations.gov website.
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comment online. To make sure that the Commission considers your
online comment, you must file it at https://www.regulations.gov by
following the instructions on the web-based form.
If you file your comment on paper, write ``Amendment to the Privacy
of Consumer Financial Information Rule, 16 CFR part 313, Rulemaking No.
R411016,'' on your comment and on the envelope, and mail your comment
to the following address: Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B),
Washington, DC 20580, or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Constitution Center,
400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC
20024. If possible, please submit your paper comment to the Commission
by courier or overnight service.
Because your comment will be placed on the publicly accessible
website, https://www.regulations.gov/, you are solely responsible for
making sure that your comment does not include any sensitive or
confidential information. In particular, your comment should not
include any sensitive personal information, such as your or anyone
else's Social Security number, date of birth, driver's license number
or other state identification number or foreign country equivalent,
passport number, financial account number, or credit or debit card
number. You are also solely responsible for making sure that your
comment does not include any sensitive health information, such as
medical records or other individually identifiable health information.
In addition, your comment should not include any ``trade secret or any
commercial or financial information which . . . is privileged or
confidential,'' as provided by section 6(f) of the FTC Act, 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2), including in
particular, competitively sensitive information such as costs, sales
statistics, inventories, formulas, patterns, devices, manufacturing
processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comments to be withheld from
the
public record.\44\ Your comment will be kept confidential only if the
FTC General Counsel grants your request in accordance with the law and
the public interest. Once your comment has been posted publicly at
www.regulations.gov, we cannot redact or remove your comment from the
FTC website, unless you submit a confidentiality request that meets the
requirements for such treatment under FTC Rule 4.9(c), and the General
Counsel grants that request.
---------------------------------------------------------------------------
\44\ See 16 CFR 4.9(c).
---------------------------------------------------------------------------
Visit the Commission website at https://www.ftc.gov/ to read this
document and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before June 3, 2019. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
IV. Communications by Outside Parties to the Commissioners or Their
Advisors
Written communications and summaries or transcripts of oral
communications respecting the merits of this proceeding, from any
outside party to any Commissioner or Commissioner's advisor, will be
placed on the public record.\45\
---------------------------------------------------------------------------
\45\ 16 CFR 1.26(b)(5).
---------------------------------------------------------------------------
V. Paperwork Reduction Act
Under the Paperwork Reduction Act of 1995 (PRA),\46\ Federal
agencies are generally required to seek Office of Management and Budget
(OMB) approval for information collection requirements prior to
implementation. Under the PRA, the Commission may not conduct or
sponsor, and, notwithstanding any other provision of law, a person is
not required to respond to an information collection, unless the
information collection displays a valid control number assigned by OMB.
---------------------------------------------------------------------------
\46\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------
This proposal would amend 16 CFR part 313. The collections of
information related to the Privacy Rule and the FAST Act statutory
exceptions to the Rule's annual notice requirement have been previously
reviewed and approved by OMB in accordance with the PRA.\47\
---------------------------------------------------------------------------
\47\ The FTC has current clearance through November 30, 2020.
The OMB Control Number is 3084-0121.
---------------------------------------------------------------------------
Under the existing clearance, the FTC has attributed to itself the
estimated burden regarding all motor vehicle dealers and then shares
equally the remaining estimated PRA burden with the CFPB for other
types of financial institutions for which both agencies have
enforcement authority regarding the GLBA Privacy Rule.\48\
---------------------------------------------------------------------------
\48\ 82 FR 48081.
---------------------------------------------------------------------------
The proposed amendments do not modify or add to information
collection requirements that were previously approved by OMB. First,
the Commission anticipates that the proposed expansion of the
definition of ``financial institution'' to include entities engaged in
activities that are incidental to financial activities will have little
to no effect. It is not clear that any finders are in the business of
linking consumers with financing through motor vehicle dealers, as
opposed to other types of financial institutions such as payday lenders
or mortgage lenders.
Second, the proposed removal of certain examples provided in the
Rule that are not applicable to motor vehicle dealers will have no
impact on existing information collection requirements.
Therefore, the Commission does not believe that the proposed
amendments would substantially or materially modify any ``collections
of information'' as defined by the PRA.
The Commission seeks comment on whether there are any finders in
existence that would be covered by the proposed Rule. If there are such
businesses, the Commission will seek OMB clearance as appropriate.
VI. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA), as amended by the Small
Business Regulatory Enforcement Fairness Act of 1996, requires an
agency to either provide an Initial Regulatory Flexibility Analysis
(``IRFA'') with a proposed rule, or certify that the proposed rule will
not have a significant impact on a substantial number of small
entities.\49\ The Commission does not expect that this Rule, if
adopted, would have the threshold impact on small entities. First, most
of the burdens flow from the mandates of the GLBA, not from the
specific provisions of the proposed Rule. Second, the Commission does
not expect the proposal to impose costs on small motor vehicle dealers
because the amendments are primarily for clarification purposes and
should not result in any increased burden on any motor vehicle dealer.
Thus, a small entity that complies with current law need not take any
different or additional action if the proposal is adopted. Nonetheless,
the Commission has determined that it is appropriate to publish an
Initial Regulatory Flexibility Analysis in order to inquire into the
impact of the proposed Rule on small entities. The Commission does not
believe that there are any small entities engaged in finding for motor
vehicle financing that would now be covered as a result of the modified
definition of ``financial institution.'' However, the Commission
invites comment on this issue.
---------------------------------------------------------------------------
\49\ 5 U.S.C. 603-605.
---------------------------------------------------------------------------
1. Reasons for the Proposed Rule
To address the Dodd-Frank Act and FAST Act changes, the Commission
proposes to change the Privacy Rule's scope and definition of
``financial institution''; change the annual notice requirement; and
remove certain examples provided in the Rule that are not applicable to
motor vehicle dealers. These changes will make the current, narrow
scope of the Rule clearer. Additionally, the Commission proposes
modifying the definition of ``financial institution'' to harmonize the
Privacy Rule with other agencies' rules by including ``activities
incidental to financial activities'' as a financial activity. This
change would bring ``finders'' within the scope of the Rule.
2. Statement of Objectives and Legal Basis
The objectives of the proposed Rule are discussed above. The legal
basis for the proposed Rule is section 501(b) of the GLBA.
3. Description of Small Entities to Which the Rule Will Apply
Determining a precise estimate of the number of small entities
\50\--including newly covered entities under the modified definition of
financial institution--is not readily feasible. Financial institutions
covered by the Rule include certain motor vehicle dealers. If the
proposed Rule is finalized, finders will also be covered.
The Commission requests comment and information on whether there are
any finders in existence that would be covered by the proposed Rule.
---------------------------------------------------------------------------
\50\ The U.S. Small Business Administration Table of Small
Business Size Standards Matched to North American Industry
Classification System Codes (NAICS) are generally expressed in
either millions of dollars or number of employees. A size standard
is the largest that a business can be and still qualify as a small
business for Federal Government programs. For the most part, size
standards are the annual receipts or the average employment of a
firm. New car dealers (NAICS code 441100) are classified as small if
they have fewer than 200 employees. Used car dealers (NAICS code
441120) are classified as small if their annual receipts are $25
million or less. Recreational vehicle dealers, boat dealers,
motorcycle, ATV and all other motor vehicle dealers (NAICS codes
441210, 441222 and 441228) are classified as small if their annual
receipts are $32.5 million or less. The 2017 Table of Small Business
Size Standards is available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table_2017.pdf.
---------------------------------------------------------------------------
4. Projected Reporting, Recordkeeping, and Other Compliance
Requirements
The Commission does not believe that the proposed Rule would impose
any new or substantively revised ``collections of information'' as
defined by the PRA. Rather, the Commission believes that the proposed
amendments would have the overall effect of reducing the currently
cleared estimated burden for the information collections associated
with the Privacy Rule annual notice. The Commission invites comment on
the costs to newly covered financial institutions--if there are any--of
complying with the Rule.
5. Identification of Duplicative, Overlapping, or Conflicting Federal
Rules
The Commission's proposal to modify the definition of ``financial
institution'' harmonizes the Privacy Rule with other agencies' rules.
The effect of this proposed amendment, as discussed above, would be to
cause ``finders'' to be covered by the Rule, thereby bringing the scope
of the Privacy Rule into harmony with the scope of entities covered by
other agencies under Regulation P. The Commission believes that this
proposal does not create conflicting or duplicative obligations on
small entities. As stated previously, the Commission does not believe
there are any newly covered financial institutions resulting from the
proposed definitional modification. However, the Commission is
requesting comment on the extent to which other federal standards
involving privacy notices may duplicate and/or satisfy or possibly
conflict with the Rule's requirements for any newly covered financial
institutions.
6. Discussion of Significant Alternatives
As stated previously, the Commission does not believe there are any
newly covered financial institutions resulting from the proposed
definitional modification. Moreover, the Commission believes that the
other proposed amendments would have the overall effect of reducing the
burden for all covered entities associated with the Privacy Rule annual
notice. The proposed amendments do not reduce the flexibility already
present in the existing Rule, which allows notices to be provided in a
variety of ways, including electronically in some circumstances. As to
the core requirements of the proposed Rule, they come from GLBA itself,
as amended by the Dodd-Frank and the FAST Act. The statute prescribes
the definition of financial institutions to be covered by the Rule and
sets forth the specific requirements, which the Commission cannot
modify to ease burdens on small entities. Therefore the Commission does
not believe that any alternatives for small entities are required or
appropriate. However, the Commission welcomes comment on any
significant alternative consistent with the GLBA that would minimize
the impact of the proposed Rule on small entities--specifically
institutions that would be newly covered financial institutions--if
there are any.
List of Subjects in 16 CFR Part 313
Consumer protection, Credit, Data protection, Privacy, Trade
practices.
For the reasons stated above, the Federal Trade Commission proposes
to amend 16 CFR part 313 as follows:
1. Revise the authority section for part 313 to read as follows:
Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 5519.
2. In Sec. 313.1, revise paragraph (b) to read as follows:
Sec. 313.1 Purpose and scope.
* * * * *
(b) Scope. This part applies only to nonpublic personal information
about individuals who obtain financial products or services primarily
for personal, family or household purposes from the institutions listed
below. This part does not apply to information about companies or about
individuals who obtain financial products or services for business,
commercial, or agricultural purposes. This part applies to those
``financial institutions'' over which the Federal Trade Commission
(``Commission'') has rulemaking authority pursuant to section
504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a ``financial
institution'' if its business is engaging in an activity that is
financial in nature or incidental to such financial activities as
described in section 4(k) of the Bank Holding Company Act of 1956, 12
U.S.C. 1843(k), which incorporates by reference activities enumerated
by the Federal Reserve Board in 12 CFR 225.28 and 12 CFR 225.86. The
``financial institutions'' subject to the Commission's rulemaking
authority are any persons described in 12 U.S.C. 5519 that are
predominantly engaged in the sale and servicing of motor vehicles, the
leasing and servicing of motor vehicles, or both. They are referred to
in this part as ``You.'' Excluded from the coverage of this regulation
are motor vehicle dealers described in 12 U.S.C. 5519(b) that directly
extend to consumers retail credit or retail leases involving motor
vehicles in which the contract governing such extension of retail
credit or retail leases is not routinely assigned to an unaffiliated
third party finance or leasing source.
3. In Sec. 313.3, revise paragraphs (e), (i), (j), (k) and (q), to
read as follows:
Sec. 313.3 Definitions.
* * * * *
(e)(1) Consumer means an individual who obtains or has obtained a
financial product or service from you that is to be used primarily for
personal, family, or household purposes, or that individual's legal
representative.
(2) Examples--(i) An individual who applies to you for credit for
personal, family, or household purposes is a consumer of a financial
service, regardless of whether the credit is extended.
(ii) An individual who provides nonpublic personal information to
you in order to obtain a determination about whether he or she may
qualify for a loan to be used primarily for personal, family, or
household purposes is a consumer of a financial service, regardless of
whether the loan is extended.
(iii) If you hold ownership or servicing rights to an individual's
loan that is used primarily for personal, family, or household
purposes, the individual is your consumer, even if you hold those
rights in conjunction with one or more other institutions. (The
individual is also a consumer with respect to the other financial
institutions involved.) An individual who has a loan in which you have
ownership or servicing rights is your consumer, even if you, or another
institution with those rights, hire an agent to collect on the loan.
(iv) An individual who is a consumer of another financial
institution is not your consumer solely because you act as agent for,
or provide processing or other services to, that financial institution.
(v) An individual is not your consumer solely because he or she is
a participant or a beneficiary of an employee benefit plan that you
sponsor or for which you act as a trustee or fiduciary.
* * * * *
(i)(1) Customer relationship means a continuing relationship
between a consumer and you under which you provide one or more
financial products or services to the consumer that are to be used
primarily for personal, family, or household purposes.
(2) Examples--(i) Continuing relationship. A consumer has a
continuing relationship with you if the consumer:
(A) Has a credit or investment account with you;
(B) Obtains a loan from you;
(C) Purchases an insurance product from you;
(D) Enters into an agreement or understanding with you whereby you
undertake to arrange credit to purchase a vehicle for the consumer;
(E) Enters into a lease of personal property on a non-operating
basis with you; or
(F) Has a loan for which you own the servicing rights.
(ii) No continuing relationship. A consumer does not, however, have
a continuing relationship with you if:
(A) The consumer obtains a financial product or service from you
only in isolated transactions, such as cashing a check with you or
making a wire transfer through you;
(B) You sell the consumer's loan and do not retain the rights to
service that loan; or
(C) The consumer obtains one-time personal appraisal services from
you.
(j) Federal functional regulator means:
(1) The Board of Governors of the Federal Reserve System;
(2) The Office of the Comptroller of the Currency;
(3) The Board of Directors of the Federal Deposit Insurance
Corporation;
(4) The National Credit Union Administration Board; and
(5) The Securities and Exchange Commission.
(k)(1) Financial institution means any institution the business of
which is engaging in an activity that is financial in nature or
incidental to such financial activities as described in section 4(k) of
the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution
that is significantly engaged in financial activities is a financial
institution.
(2) Example of financial institution. An automobile dealership
that, as a usual part of its business, leases automobiles on a
nonoperating basis for longer than 90 days is a financial institution
with respect to its leasing business because leasing personal property
on a nonoperating basis where the initial term of the lease is at least
90 days is a financial activity listed in 12 CFR 225.28(b)(3) and
referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
(3) Financial institution does not include entities that engage in
financial activities but that are not significantly engaged in those
financial activities.
(4) Example of entities that are not significantly engaged in
financial activities. A motor vehicle dealer is not a financial
institution merely because it accepts payment in the form of cash,
checks, or credit cards that it did not issue.
* * * * *
(q) You includes each ``financial institution'' over which the
Commission has rulemaking authority pursuant to section 504(a)(1)(C) of
the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).
4. In Sec. 313.4, revise paragraphs (c)(3)(i) and (e), to read as
follows:
Sec. 313.4 Initial privacy notice to consumers required.
* * * * *
(c) * * *
(3)(i) Examples of establishing a customer relationship. You
establish a customer relationship when the consumer:
(A) Executes the contract to obtain credit from you or purchase
insurance from you; or
(B) Executes the lease for personal property with you.
* * * * *
(e) Exceptions to allow subsequent delivery of notice. (1) You may
provide the initial notice required by paragraph (a)(1) of this section
within a reasonable time after you establish a customer relationship
if:
(i) Establishing the customer relationship is not at the customer's
election; or
(ii) Providing notice not later than when you establish a customer
relationship would substantially delay the customer's transaction and
customer agrees to receive the notice at a later time.
(2) Examples of exceptions--(i) Substantial delay of customer's
transaction. Providing notice not later than when you establish a
customer relationship would substantially delay the customer's
transaction when you and the individual agree over the telephone to
enter into a customer relationship involving prompt delivery of the
financial product or service.
(ii) No substantial delay of customer's transaction. Providing
notice not later than when you establish a customer relationship would
not substantially delay the customer's transaction when the
relationship is initiated in person at your office or through other
means by which the customer may view the notice, such as through a
website.
* * * * *
5. In Sec. 313.5, revise paragraphs (a)(1) and (b)(2) and add
paragraph (e) to read as follows:
Sec. 313.5 Annual privacy notice to customers required.
(a)(1) General rule. Except as provided by paragraph (e) of this
section, you must provide a clear and conspicuous notice to customers
that accurately reflects your privacy policies and practices not less
than annually during the continuation of the customer relationship.
Annually means at least once in any period of 12 consecutive months
during which that relationship exists. You may define the 12-
consecutive-month period, but you must apply it to the customer on a
consistent basis.
* * * * *
(b) * * *
(2) Examples. Your customer becomes a former customer when:
(i) In the case of a closed-end loan, the customer pays the loan in
full, you charge off the loan, or you sell the loan without retaining
servicing rights;
(ii) In the case of vehicle loan brokering services, your customer
has obtained a loan through you (and you no longer provide any
statements or notices to the customer concerning that relationship), or
has ceased using your services for such purposes;
(iii) In cases where there is no definitive time at which the
customer relationship has terminated, you have not communicated with
the customer about the relationship for a period of 12 consecutive
months, other than to provide annual privacy notices or promotional
material.
* * * * *
(e) Exception to annual privacy notice requirement. (1) When
exception available. You are not required to deliver an annual privacy
notice if you:
(i) Provide nonpublic personal information to nonaffiliated third
parties only in accordance with the provisions of Sec. 313.13, Sec.
313.14, or Sec. 313.15; and
(ii) Have not changed your policies and practices with regard to
disclosing nonpublic personal information from the policies and
practices that were disclosed to the customer under Sec. 313.6(a)(2)
through (5) and (9) in the most recent privacy notice provided pursuant
to this part.
(2) Delivery of annual privacy notice after financial institution
no longer meets requirements for exception. If you have been excepted
from delivering an annual privacy notice pursuant to paragraph (e)(1)
of this section and change your policies or practices in such a way
that you no longer meet the requirements for that exception, you must
comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.
(i) Changes preceded by a revised privacy notice. If you no longer
meet the requirements of paragraph (e)(1) of this section because you
change your policies or practices in such a way that Sec. 313.8
requires you to provide a revised privacy notice, you must provide an
annual privacy notice in accordance with the timing requirement in
paragraph (a) of this section, treating the revised privacy notice as
an initial privacy notice.
(ii) Changes not preceded by a revised privacy notice. If you no
longer meet the requirements of paragraph (e)(1) of this section
because you change your policies or practices in such a way that Sec.
313.8 does not require you to provide a revised privacy notice, you
must provide an annual privacy notice within 100 days of the change in
your policies or practices that causes you to no longer meet the
requirement of paragraph (e)(1).
(iii) Examples. (A) You change your policies and practices in such
a way that you no longer meet the requirements of paragraph (e)(1) of
this section effective April 1 of year 1. Assuming you define the 12-
consecutive-month period pursuant to paragraph (a) of this section as a
calendar year, if you were required to provide a revised privacy notice
under Sec. 313.8 and you provided that notice on March 1 of year 1,
you must provide an annual privacy notice by December 31 of year 2. If
you were not required to provide a revised privacy notice under Sec.
313.8, you must provide an annual privacy notice by July 9 of year 1.
(B) You change your policies and practices in such a way that you
no longer meet the requirements of paragraph (e)(1) of this section,
and so provide an annual notice to your customers. After providing the
annual notice to your customers, you once again meet the requirements
of paragraph (e)(1) of this section for an exception to the annual
notice requirement. You do not need to provide additional annual notice
to your customers until such time as you no longer meet the
requirements of paragraph (e)(1) of this section.
6. In Sec. 313.15, revise paragraph (a)(4) to read as follows:
Sec. 313.15 Other exceptions to notice and opt out requirements.
(a) * * *
(4) To the extent specifically permitted or required under other
provisions of law and in accordance with the Right to Financial Privacy
Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies
(including the Consumer Financial Protection Bureau, a federal
functional regulator, the Secretary of the Treasury, with respect to 31
U.S.C. chapter 53, subchapter II (Records and Reports on Monetary
Instruments and Transactions) and 12 U.S.C. chapter 21 (Financial
Recordkeeping), a State insurance authority, with respect to any person
domiciled in that insurance authority's State that is engaged in
providing insurance, and the Federal Trade Commission), self-regulatory
organizations, or for an investigation on a matter related to public
safety.
* * * * *
By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2019-06039 Filed 4-3-19; 8:45 am]