Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act, 13150-13158 [2019-06039]

Agencies

• FEDERAL TRADE COMMISSION

[Federal Register Volume 84, Number 65 (Thursday, April 4, 2019)]
[Proposed Rules]
[Pages 13150-13158]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-06039]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 313

RIN 3084-AB42


Privacy of Consumer Financial Information Rule Under the Gramm-
Leach-Bliley Act

AGENCY: Federal Trade Commission.

[[Page 13151]]


ACTION: Notice of proposed rulemaking; request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission is proposing to amend its Privacy 
Rule for certain financial institutions subject to the Rule to revise 
the Rule's scope, to modify the Rule's definitions of ``financial 
institution'' and ``federal functional regulator,'' and to update the 
Rule's annual customer privacy notice requirement. The proposed 
amendments will also remove certain examples in the Rule that apply to 
financial institutions that now fall outside the scope of the 
Commission's Rule. This action is necessary to conform the Rule to the 
current requirements of the Gramm-Leach-Bliley Act (GLBA), as amended 
by the Dodd-Frank and FAST Acts, and will clarify which financial 
institutions are covered by the Commission's Rule and their annual 
customer privacy notice obligations under the Rule.

DATES: Written comments must be received on or before June 3, 2019.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the Request for Comment part of the SUPPLEMENTARY INFORMATION 
section below. Write ``Amendment to the Privacy of Consumer Financial 
Information Rule, 16 CFR part 313, Rulemaking No. R411016,'' on your 
comment and file your comment online at https://www.regulations.gov by 
following the instructions on the web-based form. If you prefer to file 
your comment on paper, mail your comment to the following address: 
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania 
Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, or deliver 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, 
Suite 5610 (Annex B), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: David Lincicum or Allison M. Lefrak, 
Division of Privacy and Identity Protection, Bureau of Consumer 
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, 
Washington, DC 20580, (202) 326-2773 or (202) 326-2804.

SUPPLEMENTARY INFORMATION:

I. Background

A. The Statute and Regulation

    The GLBA was enacted in 1999.\1\ The GLBA, among other things, 
provides a framework for regulating the privacy practices of a broad 
range of financial institutions. The GLBA requires that financial 
institutions provide their customers with initial and annual notices 
regarding their privacy practices, and allow their customers to opt out 
of sharing their information with certain nonaffiliated third parties.
---------------------------------------------------------------------------

    \1\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------

    Rulemaking authority to implement the GLBA's privacy provisions was 
initially spread among multiple agencies. The Federal Reserve Board 
(``the Fed''), the Office of Comptroller of the Currency (``OCC''), the 
Federal Deposit Insurance Corporation (``FDIC''), and the Office of 
Thrift Supervision (``OTS'') jointly adopted final rules to implement 
the notice requirements of the GLBA in 2000.\2\ The Commission, the 
National Credit Union Administration (``NCUA''), the Securities and 
Exchange Commission (``SEC''), and the Commodity Futures Trading 
Commission (``CFTC'') were part of the same interagency process, but 
each issued their rules separately.\3\ In 2009, all those agencies 
jointly adopted a model form that financial institutions could use to 
provide the required initial and annual privacy disclosures.\4\
---------------------------------------------------------------------------

    \2\ 65 FR 35162 (June 1, 2000).
    \3\ 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 31722 
(May 18, 2000) (NCUA final rule); 65 FR 40334 (June 29, 2000) (SEC 
final rule); 66 FR 21236 (Apr. 27, 2001) (CFTC final rule).
    \4\ 74 FR 62890 (Dec. 1, 2009); see also 16 CFR 313.2, 313.4-
313.9.
---------------------------------------------------------------------------

    As originally promulgated, the FTC's Privacy Rule covered a broad 
range of non-bank financial institutions such as payday lenders, 
mortgage brokers, check cashers, debt collectors, real estate 
appraisers, certain motor vehicle dealers, and remittance transfer 
providers. In 2010, the Dodd-Frank Act \5\ transferred the GLBA's 
privacy notice rulemaking authority from the Fed, NCUA, OCC, OTS, the 
FDIC, and the Commission (in part) to the Consumer Financial Protection 
Bureau (``CFPB''). The CFPB then restated the implementing regulations 
in Regulation P, 12 CFR part 1016, in late 2011 (``Regulation P'').\6\ 
However, under section 1029 of the Dodd-Frank Act, the Commission 
retained rulemaking authority for certain motor vehicle dealers.\7\ 
Thus, in 2012, the Commission issued a notice that it was retaining the 
implementing regulations governing privacy notices for motor vehicle 
dealers at 16 CFR part 313.\8\
---------------------------------------------------------------------------

    \5\ Public Law 111-203, 124 Stat. 1376 (2010).
    \6\ 76 FR 79025 (Dec. 21, 2011).
    \7\ 12 U.S.C. 5519. The FTC retained rulemaking jurisdiction as 
to motor vehicle dealers that are predominantly engaged in the sale 
and servicing or the leasing and servicing of motor vehicles, 
excluding those dealers that directly extend credit to consumers and 
do not routinely assign the extensions of credit to an unaffiliated 
third party. For ease of reference, covered motor vehicle dealers 
are referenced herein as ``motor vehicle dealers.''
    \8\ 77 FR 22200, 22201 (April 13, 2012) (also rescinding those 
regulations for which rulemaking authority was transferred to the 
CFPB under the Dodd-Frank Act).
---------------------------------------------------------------------------

    Despite the transfer of general rulemaking authority for the 
Privacy Rule to the CFPB, the Commission and other agencies retain 
their existing enforcement authority under the GLBA.\9\ In addition, 
the SEC and CFTC retain rulemaking authority with respect to securities 
and futures-related companies, respectively.\10\ Accordingly, as part 
of this rulemaking process, the Commission has consulted and 
coordinated, or offered to consult, with those agencies that have 
rulemaking and/or enforcement authority under the GLBA, including the 
CFPB, SEC, CFTC, and the National Association of Insurance 
Commissioners (``NAIC'').\11\
---------------------------------------------------------------------------

    \9\ 15 U.S.C. 6805(a).
    \10\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 
1016.1(b).
    \11\ See 15 U.S.C. 6804(a)(2).
---------------------------------------------------------------------------

    On December 4, 2015, Congress amended the GLBA as part of the FAST 
Act. This amendment, titled Eliminate Privacy Notice Confusion,\12\ 
added GLBA subsection 503(f). This subsection provides an exception 
under which financial institutions that meet certain conditions are not 
required to provide annual privacy notices to customers.
---------------------------------------------------------------------------

    \12\ Public Law 114-94, sec. 75001, 129 Stat. 1312, 1787 (2015).
---------------------------------------------------------------------------

B. The Privacy Notice Requirements

    As noted, the GLBA and the Privacy Rule require that motor vehicle 
dealers provide consumers with notices describing their privacy 
policies. Specifically, section 503 of the GLBA and the Privacy Rule 
require covered entities to provide an initial notice of these 
policies,\13\ and then ``provide a clear and conspicuous notice to 
customers that accurately reflects [their] privacy policies and 
practices not less than annually during the continuation of the 
customer relationship.'' \14\
---------------------------------------------------------------------------

    \13\ 15 U.S.C. 6803; 16 CFR 313.4.
    \14\ 15 U.S.C. 6803; 16 CFR 313.5(a)(1).
---------------------------------------------------------------------------

    Section 502 of the GLBA and the Privacy Rule require that initial 
and annual notices inform customers of their right to opt out of the 
sharing of nonpublic personal information with some types of 
nonaffiliated third parties.\15\ For example, a customer has the right 
to opt out of allowing a motor vehicle dealer to sell her name and 
address to a nonaffiliated auto insurance company.\16\ On the other 
hand, a motor vehicle dealer is not required to allow consumers to opt 
out of the dealer's

[[Page 13152]]

sharing involving third-party service providers, joint marketing 
arrangements, maintenance and servicing of accounts, securitization, 
law enforcement and compliance, reporting to consumer reporting 
agencies, and certain other activities that are specified in the 
statute and regulation.\17\ Accordingly, if a motor vehicle dealer 
limits its sharing to uses that do not trigger opt-out rights, it may 
provide an annual privacy notice to its customers that does not include 
information regarding opt-out rights.
---------------------------------------------------------------------------

    \15\ 15 U.S.C. 6802; 16 CFR 313.6(a)(6).
    \16\ 16 CFR 313.10(a).
    \17\ 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13-313.15.
---------------------------------------------------------------------------

    Motor vehicle dealers also may include in the annual privacy notice 
information about certain consumer opt-out rights related to affiliate 
sharing under the Fair Credit Reporting Act (``FCRA''). First, section 
603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer's 
information among affiliates, but only if the consumer is notified of 
such sharing and is given an opportunity to opt out.\18\ Section 
503(c)(4) of the GLBA and the Privacy Rule generally require motor 
vehicle dealers to incorporate any notifications and opt-out 
disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA 
into their initial and annual privacy notices.\19\
---------------------------------------------------------------------------

    \18\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \19\ 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
---------------------------------------------------------------------------

    Second, section 624 of the FCRA and the FTC's Affiliate Marketing 
Rule \20\ provide that an affiliate of a motor vehicle dealer that 
receives certain information about a consumer from the dealer may not 
use that information for marketing purposes, unless the consumer is 
provided with an opportunity to opt out of that use.\21\ This 
requirement governs the use of information by an affiliate, not the 
sharing of information among affiliates, and thus is distinct from the 
affiliate sharing opt-out discussed above. The Affiliate Marketing Rule 
permits (but does not require) motor vehicle dealers to incorporate any 
opt-out disclosures provided under section 624 of the FCRA and the 
Affiliate Marketing Rule into the initial and annual privacy notices 
required by the GLBA.\22\
---------------------------------------------------------------------------

    \20\ 16 CFR 680.1-680.28.
    \21\ 15 U.S.C. 1681s-3. The FTC's Affiliate Marketing Rule 
applies to motor vehicle dealers. See 77 FR 22200 (Apr. 13, 2012). 
The FTC also enforces the CFPB's Regulation V's Affiliate Marketing 
Rule, 12 CFR part 1022, subpart C, for other entities over which the 
FTC has enforcement authority under the FCRA.
    \22\ 16 CFR 680.23(b).
---------------------------------------------------------------------------

    Finally, section 313.6(a)(8) of the Privacy Rule requires that the 
initial and annual notices briefly describe how motor vehicle dealers 
protect the nonpublic personal information they collect and maintain.

II. Proposed Revision of the Privacy Rule

A. The Consumer Financial Protection Bureau Rulemaking

    In December 2011, the CFPB issued a Request for Information seeking 
specific suggestions for streamlining regulations that were transferred 
to the CFPB from other Federal agencies, including the annual privacy 
notice requirement.\23\ After receiving numerous comments, in May 2014, 
the CFPB issued a proposed rule to amend its Regulation P to allow 
financial institutions to notify consumers that a privacy notice was 
available online, in certain enumerated circumstances.\24\ The CFPB 
finalized its rulemaking in October 2014.\25\
---------------------------------------------------------------------------

    \23\ 76 FR 75825, 75828 (Dec. 5, 2011).
    \24\ 79 FR 27214 (May 14, 2014) (CFPB Notice of Proposed 
Rulemaking).
    \25\ 79 FR 64057 (Oct. 28, 2014).
---------------------------------------------------------------------------

B. The Commission's 2015 Proposed Rulemaking

    On June 24, 2015, the Commission published a Notice of Proposed 
Rulemaking (``2015 NPRM'') proposing revisions to the Privacy Rule.\26\ 
First, the Commission proposed a number of changes to comport with the 
Dodd-Frank Act revision of GLBA, which transferred rulemaking authority 
for most financial institutions to the CFPB. The Commission also 
proposed amending the Rule to allow motor vehicle dealers to notify 
their customers that a privacy notice is available online, under 
circumstances identical to those that had been adopted by the CFPB.\27\
---------------------------------------------------------------------------

    \26\ 80 FR 36267 (June 24, 2015).
    \27\ See 79 FR 64057 (Oct. 28, 2014).
---------------------------------------------------------------------------

    The Commission received six comments from individuals and 
entities.\28\
---------------------------------------------------------------------------

    \28\ The comments are posted at: https://www.ftc.gov/policy/public-comments/2015/06/initiative-614. The Commission assigned each 
comment a number appearing after the name of the commenter and the 
date of submission.
---------------------------------------------------------------------------

C. The Passage of the FAST Act

    As described above, on December 4, 2015, President Obama signed the 
FAST Act. The FAST Act contains a provision that modified the annual 
privacy notice requirement under the GLBA. The provision states that a 
financial institution is not required to provide an annual privacy 
notice if it: (1) Only shares non-public personal information with non-
affiliated third parties in a manner that does not require an opt-out 
right be provided to customers (e.g., if the institution discloses 
nonpublic personal information to a service provider or for fraud 
detection and prevention purposes), and (2) has not changed its 
policies and practices with respect to disclosing nonpublic personal 
information since it last provided a privacy notice to its 
customers.\29\ This modification of the GLBA rendered the Commission's 
proposed changes to the Privacy Rule moot because those changes, if 
adopted, would have been in conflict with the revised statute.\30\
---------------------------------------------------------------------------

    \29\ 15 U.S.C. 6803(f).
    \30\ In 2016, the CFPB issued a proposed amendment to Regulation 
P that would alter the annual notice requirement to conform to the 
statutory changes. 81 FR 44801 (July 11, 2016). The rule became 
final in September 2018. 83 FR 40945 (Sept. 17, 2018).
---------------------------------------------------------------------------

D. New Proposed Changes to the Privacy Rule

    In light of this history, the Commission is issuing this notice of 
proposed rulemaking. The Commission now proposes to make three types of 
changes to the Privacy Rule: (1) Technical changes to the Rule to 
correspond to the reduced scope of the Rule due to Dodd-Frank Act 
changes, which primarily consist of removing references that do not 
apply to motor vehicle dealers; (2) modifications to the annual privacy 
notice requirements to reflect the changes made to the GLBA by the FAST 
Act; and (3) a modification to the scope and definition of ``financial 
institution'' to include entities engaged in activities that are 
incidental to financial activities, which would bring the Rule into 
accord with the CFPB's Regulation P.
1. Technical Changes To Correspond to Statutory Changes Resulting From 
the Dodd-Frank Act
    The Commission adopted the scope of, and definitions in, the 
original Privacy Rule at a time when it had rulemaking authority for 
the Privacy Rule over a broader group of non-bank ``financial 
institutions'' as defined by the GLBA. While the Dodd-Frank Act did not 
change the Commission's enforcement authority for the privacy notice 
obligations of the GLBA, it did amend the Commission's rulemaking 
authority under the GLBA such that the Privacy Rule only applies to 
motor vehicle dealers.\31\ The amendments in the Dodd-Frank Act 
necessitate certain technical revisions to the Privacy Rule to ensure 
that the regulation is consistent with the text of the amended 
GLBA.\32\ For example, retaining examples that apply to entities other

[[Page 13153]]

than motor vehicle dealers may lead to confusion about the existing, 
narrower scope of the Privacy Rule. Accordingly, the Commission 
proposes to modify the Privacy Rule to provide clearer guidance to 
financial institutions that are covered motor vehicle dealers.\33\
---------------------------------------------------------------------------

    \31\ For other types of financial institutions over which the 
Commission has enforcement authority under the GLBA, the Commission 
now enforces the CFPB's Regulation P.
    \32\ 15 U.S.C. 6804(1)(C).
    \33\ The Commission also proposes a change to 16 CFR 313.3(j) 
removing the Director of the Office of Thrift Supervision from the 
definition of ``Federal Functional Regulators,'' as the Office of 
Thrift Supervision no longer exists.
---------------------------------------------------------------------------

    The proposed amendment to section 313.1(b) narrows the description 
of the scope of the Privacy Rule to those entities set forth in the 
Dodd-Frank Act \34\ that are predominantly engaged in the sale and 
servicing of motor vehicles or the leasing and servicing of motor 
vehicles, excluding those dealers that directly extend credit to 
consumers and do not routinely assign the extensions of credit to an 
unaffiliated third party. It also removes the reference in the Rule's 
scope to ``other persons'': Although the Commission continues to have 
enforcement authority over ``other persons'' covered by the CFPB's 
Regulation P, the Commission no longer has rulemaking authority for the 
Privacy Rule over ``other persons.'' \35\ In addition, the Commission 
proposes to eliminate from section 313.1(b) the note indicating that 
(1) the Privacy Rule does not modify, limit, or supersede the standards 
under the Health Insurance Portability and Accountability Act of 1996, 
and (2) if a financial institution that is an institution of higher 
education is in compliance with the Federal Educational Rights and 
Privacy Act (``FERPA'') and its implementing regulations, such 
institution shall be deemed in compliance with the Privacy Rule. The 
Commission does not believe these provisions will apply to motor 
vehicle dealers covered by the Rule and should be removed to improve 
clarity. The Commission invites comments on whether these provisions 
are relevant to motor vehicle dealers and should be retained.
---------------------------------------------------------------------------

    \34\ 12 U.S.C. 5519.
    \35\ The Commission also proposes to amend 16 CFR 313.15(a)(4) 
to add the CFPB to the list of law enforcement agencies to which 
financial institutions are permitted to share information to the 
extent permitted by law.
---------------------------------------------------------------------------

    The proposed amendments to section 313.3 also remove any examples 
that are not likely to apply to motor vehicle dealers. To help 
companies understand whether and how the Rule applies to them, the Rule 
includes examples of financial institutions in section 313.3(k)(2). The 
current examples refer to types of activities that motor vehicle 
dealers typically do not engage in. Therefore, leaving those examples 
in the Rule may lead to confusion about the Rule's current scope.
    The proposed amendments also remove certain examples from the 
definition of ``consumer'' in section 313.3(e)(2). These examples do 
not apply because motor vehicle dealers do not provide the types of 
services provided in the examples, such as financial, investment, or 
economic advisory services or serving as the trustee of a trust.
    Likewise, the proposed amendments remove certain examples of 
establishing a customer relationship from section 313.4(c)(3)(i). The 
removed examples do not apply to customers of motor vehicle dealers, 
because such activities are not related to the sale or leasing of motor 
vehicles. These include creating credit card accounts, providing 
investment advice or tax counseling, providing mortgages, collecting 
debts from other financial institutions, and providing websites for 
consumers to review all of their on-line financial accounts with other 
financial institutions.
    Finally, the proposed amendments remove certain examples of 
termination of customer relationships from section 313.5(b)(2). As with 
previously discussed proposed amendments, the removed examples concern 
customer relationships based on services that motor vehicle dealers do 
not provide. These include credit card accounts, credit counseling 
services, tax preparation, and real estate settlement. The removal of 
these inapplicable examples will increase the clarity of the rule by 
focusing on matters that are relevant to the regulated financial 
institutions. Removing these examples will not alter the substance of 
the underlying definitions or provisions of the rule, which will have 
the same reach and applicability as before the revisions. The changes 
are intended to improve clarity, not to alter substance. The Commission 
invites comments on whether any of the omitted examples should be 
retained.
    Although the Dodd-Frank Act altered the Commission's rulemaking 
authority with respect to the Privacy Rule, it did not alter the 
Commission's rulemaking authority for the Safeguards Rule. For the 
Safeguards Rule, the Commission continues to have rulemaking authority 
over a broad range of non-bank financial institutions. The Safeguards 
Rule, however, currently incorporates by reference the definitions 
contained in the Privacy Rule, including all of the examples of 
financial institutions listed in the existing Privacy Rule.\36\ 
Accordingly, while the Commission proposes to modify the Privacy Rule 
definitions to include examples applicable only to motor vehicle 
dealers, the Commission has also proposed in a separate concurrent NPRM 
to amend the Safeguards Rule to import definitions of relevant terms 
and examples from the current version of the Privacy Rule.\37\
---------------------------------------------------------------------------

    \36\ 16 CFR 314.2(a).
    \37\ The NPRM relating to the Safeguards Rule is published 
elsewhere in this issue of the Federal Register.
---------------------------------------------------------------------------

2. Modifications to the Annual Privacy Notice To Reflect Statutory 
Changes Resulting From the FAST Act
    The Commission also proposes changes to the Privacy Rule provisions 
governing how motor vehicle dealers should deliver annual privacy 
notices. These changes implement statutory changes resulting from the 
enactment of the FAST Act and replace those set forth in the 2015 NPRM.
    Several commenters opined on the proposed changes to notice 
delivery in the 2015 NPRM. Those comments have been rendered obsolete 
by the statutory changes. The current proposed rule implements the 
changes set forth in the FAST Act.

Section 313.5(a)(1)--General Rule

    The proposed section 313.5(a)(1) notes that section 313.5(e) 
provides an exception to the general rule requiring the delivery of 
annual notices.

Section 313.5(e)

    This proposed new section sets forth the exception to the annual 
privacy notice requirement. The Commission adopts the reasoning and 
changes set forth by the CFPB in its amendments to Regulation P to 
adopt the FAST Act changes.\38\ First, proposed section 313.5(e)(1)(i) 
sets forth that the financial institution must share nonpublic personal 
information only in accordance with the provisions of sections 313.13, 
313.14, and 313.15, none of which require an opt-out opportunity be 
provided to customers. Second, proposed section 313.5(e)(1)(ii) states 
that the financial institution must also not have changed its 
disclosure policies and practices that were contained in its most 
recent privacy notice to customers.
---------------------------------------------------------------------------

    \38\ See 81 FR 44801 (July 10, 2016).
---------------------------------------------------------------------------

    Proposed section 313.5(e)(2) sets forth the timing for delivering 
an annual notice if a financial institution no longer meets 
requirements for the exception and must resume delivery of annual 
notices. There are two scenarios under which a financial institution 
would need to resume delivering annual notices: (1) Where the change in 
its policies trigger the existing requirement

[[Page 13154]]

to issue a revised privacy notice, as required by section 313.8; and 
(2) where the change does not trigger a need for the financial 
institution to issue a revised notice under section 313.8. These two 
situations are addressed by proposed sections 313.5(e)(2)(i) and (ii), 
respectively. In the first situation, the revised notice issued by the 
financial institution acts as an initial privacy notice for the 
purposes of the timing of future annual notices. In the second 
situation, the financial institution must provide an annual notice to 
customers within 100 days of the change in policies or practices. 
Proposed section 313.5(e)(2)(iii) sets forth an example for both 
scenarios.
1. Modifications To Scope and Definitions To Bring the Rule Into Accord 
With Regulation P
    Whether a company is a ``financial institution'' is determined by 
the types of activities in which the company engages. When first 
promulgating the Privacy Rule, the Commission determined that companies 
engaged in activities that are ``incidental to financial activities'' 
would not be considered ``financial institutions.'' \39\ The Commission 
was the only agency to adopt this restrictive definition in its Privacy 
Rule, while the other agencies included incidental activities.\40\ In 
addition, the Commission decided that activities that were determined 
to be financial in nature after the enactment of the GLBA would not be 
automatically included in its Privacy Rule; rather, the Commission 
would have to take additional action to include them.\41\ The effect of 
these two decisions was to limit the activities covered by the 
Commission's rules to those set out in 12 CFR 225.28 as it existed in 
1999, and to exclude any activities later determined by the Fed to be 
financial activities or incidental to those activities.\42\
---------------------------------------------------------------------------

    \39\ See 16 CFR 313.3(k); see also 65 FR 33646, 33654 (May 24, 
2000).
    \40\ The Commission also added the requirement that an entity 
must be ``significantly engaged'' in the financial activity to be 
considered a financial institution under the Privacy Rule. 16 CFR 
313.3(k). The Commission is not proposing to change this 
requirement.
    \41\ 65 FR 33646, 33654 n.23 (May 24, 2000).
    \42\ Id.
---------------------------------------------------------------------------

    The Commission proposes modifying the definition of ``financial 
institution'' to harmonize the Privacy Rule with other agencies' rules. 
The Commission proposes to amend section 313.1(b) to include companies 
that engage in activities that are financial in nature or incidental to 
such financial activities. Likewise, it proposes to amend the 
definition of ``financial institution'' in section 313.3(k), to include 
any institution the business of which is engaging in an activity that 
is financial in nature or incidental to such financial activities.\43\ 
The effect of this proposed amendment would be to cause ``finders'' to 
be included in this definition, thereby bringing the Privacy Rule into 
harmony with the scope of entities covered by other agencies under 
Regulation P. It would not bring any other activities under the 
coverage the definition because the Fed has not determined any other 
activity other than ``finding'' to be financial in nature or incidental 
to such activity since the enactment of the GLBA. In practice, the 
Commission expects that this change to the Privacy Rule will have 
little to no effect because of the already narrow scope of the Rule: It 
is not clear that there are any motor vehicle dealers that would be 
covered by this rule whose only activity that would qualify them as a 
financial institution is the act of finding, as most motor vehicle 
dealers are more directly involved in obtaining financing for their 
customers. Nevertheless, the Commission believes this change is 
important to keep the Rule consistent with the Safeguards Rule and 
other agencies' GLBA implementing rules.
---------------------------------------------------------------------------

    \43\ This proposal is also consistent with the agency's 
concurrent proposal to revise the Safeguards Rule in the same 
manner.
---------------------------------------------------------------------------

    The Commission has not previously requested comment on revising the 
definition of ``financial institution'' in this way for the Privacy 
Rule. Through this NPRM, it does so here. Specifically, the Commission 
seeks information on (1) whether any entities function as ``finders'' 
for motor vehicle dealers, and if so how many; (2) whether such finders 
collect or maintain customer information as defined by the Rule; and 
(3) the costs and benefits, including the costs and benefits to finders 
and consumers, of this proposed amendment.

III. Request for Comment

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before June 3, 2019. 
Write ``Amendment to the Privacy of Consumer Financial Information 
Rule, 16 CFR part 313, Rulemaking No. R411016'' on the comment. Your 
comment, including your name and your state, will be placed on the 
public record of this proceeding, including, to the extent practicable, 
the https://www.regulations.gov website.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comment online. To make sure that the Commission considers your 
online comment, you must file it at https://www.regulations.gov by 
following the instructions on the web-based form.
    If you file your comment on paper, write ``Amendment to the Privacy 
of Consumer Financial Information Rule, 16 CFR part 313, Rulemaking No. 
R411016,'' on your comment and on the envelope, and mail your comment 
to the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 
20024. If possible, please submit your paper comment to the Commission 
by courier or overnight service.
    Because your comment will be placed on the publicly accessible 
website, https://www.regulations.gov/, you are solely responsible for 
making sure that your comment does not include any sensitive or 
confidential information. In particular, your comment should not 
include any sensitive personal information, such as your or anyone 
else's Social Security number, date of birth, driver's license number 
or other state identification number or foreign country equivalent, 
passport number, financial account number, or credit or debit card 
number. You are also solely responsible for making sure that your 
comment does not include any sensitive health information, such as 
medical records or other individually identifiable health information. 
In addition, your comment should not include any ``trade secret or any 
commercial or financial information which . . . is privileged or 
confidential,'' as provided by section 6(f) of the FTC Act, 15 U.S.C. 
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2), including in 
particular, competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comments to be withheld from 
the

[[Page 13155]]

public record.\44\ Your comment will be kept confidential only if the 
FTC General Counsel grants your request in accordance with the law and 
the public interest. Once your comment has been posted publicly at 
www.regulations.gov, we cannot redact or remove your comment from the 
FTC website, unless you submit a confidentiality request that meets the 
requirements for such treatment under FTC Rule 4.9(c), and the General 
Counsel grants that request.
---------------------------------------------------------------------------

    \44\ See 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Visit the Commission website at https://www.ftc.gov/ to read this 
document and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before June 3, 2019. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

IV. Communications by Outside Parties to the Commissioners or Their 
Advisors

    Written communications and summaries or transcripts of oral 
communications respecting the merits of this proceeding, from any 
outside party to any Commissioner or Commissioner's advisor, will be 
placed on the public record.\45\
---------------------------------------------------------------------------

    \45\ 16 CFR 1.26(b)(5).
---------------------------------------------------------------------------

V. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA),\46\ Federal 
agencies are generally required to seek Office of Management and Budget 
(OMB) approval for information collection requirements prior to 
implementation. Under the PRA, the Commission may not conduct or 
sponsor, and, notwithstanding any other provision of law, a person is 
not required to respond to an information collection, unless the 
information collection displays a valid control number assigned by OMB.
---------------------------------------------------------------------------

    \46\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    This proposal would amend 16 CFR part 313. The collections of 
information related to the Privacy Rule and the FAST Act statutory 
exceptions to the Rule's annual notice requirement have been previously 
reviewed and approved by OMB in accordance with the PRA.\47\
---------------------------------------------------------------------------

    \47\ The FTC has current clearance through November 30, 2020. 
The OMB Control Number is 3084-0121.
---------------------------------------------------------------------------

    Under the existing clearance, the FTC has attributed to itself the 
estimated burden regarding all motor vehicle dealers and then shares 
equally the remaining estimated PRA burden with the CFPB for other 
types of financial institutions for which both agencies have 
enforcement authority regarding the GLBA Privacy Rule.\48\
---------------------------------------------------------------------------

    \48\ 82 FR 48081.
---------------------------------------------------------------------------

    The proposed amendments do not modify or add to information 
collection requirements that were previously approved by OMB. First, 
the Commission anticipates that the proposed expansion of the 
definition of ``financial institution'' to include entities engaged in 
activities that are incidental to financial activities will have little 
to no effect. It is not clear that any finders are in the business of 
linking consumers with financing through motor vehicle dealers, as 
opposed to other types of financial institutions such as payday lenders 
or mortgage lenders.
    Second, the proposed removal of certain examples provided in the 
Rule that are not applicable to motor vehicle dealers will have no 
impact on existing information collection requirements.
    Therefore, the Commission does not believe that the proposed 
amendments would substantially or materially modify any ``collections 
of information'' as defined by the PRA.
    The Commission seeks comment on whether there are any finders in 
existence that would be covered by the proposed Rule. If there are such 
businesses, the Commission will seek OMB clearance as appropriate.

VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires an 
agency to either provide an Initial Regulatory Flexibility Analysis 
(``IRFA'') with a proposed rule, or certify that the proposed rule will 
not have a significant impact on a substantial number of small 
entities.\49\ The Commission does not expect that this Rule, if 
adopted, would have the threshold impact on small entities. First, most 
of the burdens flow from the mandates of the GLBA, not from the 
specific provisions of the proposed Rule. Second, the Commission does 
not expect the proposal to impose costs on small motor vehicle dealers 
because the amendments are primarily for clarification purposes and 
should not result in any increased burden on any motor vehicle dealer. 
Thus, a small entity that complies with current law need not take any 
different or additional action if the proposal is adopted. Nonetheless, 
the Commission has determined that it is appropriate to publish an 
Initial Regulatory Flexibility Analysis in order to inquire into the 
impact of the proposed Rule on small entities. The Commission does not 
believe that there are any small entities engaged in finding for motor 
vehicle financing that would now be covered as a result of the modified 
definition of ``financial institution.'' However, the Commission 
invites comment on this issue.
---------------------------------------------------------------------------

    \49\ 5 U.S.C. 603-605.
---------------------------------------------------------------------------

1. Reasons for the Proposed Rule

    To address the Dodd-Frank Act and FAST Act changes the Commission 
proposes to change the Privacy Rule's scope and definition of 
``financial institution''; change the annual notice requirement; and 
remove certain examples provided in the Rule that are not applicable to 
motor vehicle dealers. These changes will make the current, narrow 
scope of the Rule clearer. Additionally, the Commission proposes 
modifying the definition of ``financial institution'' to harmonize the 
Privacy Rule with other agencies' rules by including ``activities 
incidental to financial activities'' as a financial activity. This 
change would bring ``finders'' within the scope of the Rule.

2. Statement of Objectives and Legal Basis

    The objectives of the proposed Rule are discussed above. The legal 
basis for the proposed Rule is section 501(b) of the GLBA.

3. Description of Small Entities to Which the Rule Will Apply

    Determining a precise estimate of the number of small entities 
\50\--including newly covered entities under the modified definition of 
financial institution--is not readily feasible. Financial institutions 
covered by the Rule include certain motor vehicle dealers. If the 
proposed Rule is finalized, finders will also be covered.

[[Page 13156]]

The Commission requests comment and information on whether there are 
any finders in existence that would be covered by the proposed Rule.
---------------------------------------------------------------------------

    \50\ The U.S. Small Business Administration Table of Small 
Business Size Standards Matched to North American Industry 
Classification System Codes (NAICS) are generally expressed in 
either millions of dollars or number of employees. A size standard 
is the largest that a business can be and still qualify as a small 
business for Federal Government programs. For the most part, size 
standards are the annual receipts or the average employment of a 
firm. New car dealers (NAICS code 441100) are classified as small if 
they have fewer than 200 employees. Used car dealers (NAICS code 
441120) are classified as small if their annual receipts are $25 
million or less. Recreational vehicle dealers, boat dealers, 
motorcycle, ATV and all other motor vehicle dealers (NAICS codes 
441210, 441222 and 441228) are classified as small if their annual 
receipts are $32.5 million or less. The 2017 Table of Small Business 
Size Standards is available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table_2017.pdf.
---------------------------------------------------------------------------

4. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements

    The Commission does not believe that the proposed Rule would impose 
any new or substantively revised ``collections of information'' as 
defined by the PRA. Rather, the Commission believes that the proposed 
amendments would have the overall effect of reducing the currently 
cleared estimated burden for the information collections associated 
with the Privacy Rule annual notice. The Commission invites comment on 
the costs to newly covered financial institutions--if there are any--of 
complying with the Rule.

5. Identification of Duplicative, Overlapping, or Conflicting Federal 
Rules

    The Commission's proposal to modify the definition of ``financial 
institution'' harmonizes the Privacy Rule with other agencies' rules. 
The effect of this proposed amendment, as discussed above, would be to 
cause ``finders'' to be covered by the Rule, thereby bringing the scope 
of the Privacy Rule into harmony with the scope of entities covered by 
other agencies under Regulation P. The Commission believes that this 
proposal does not create conflicting or duplicative obligations on 
small entities. As stated previously, the Commission does not believe 
there are any newly covered financial institutions resulting from the 
proposed definitional modification. However, the Commission is 
requesting comment on the extent to which other federal standards 
involving privacy notices may duplicate and/or satisfy or possibly 
conflict with the Rule's requirements for any newly covered financial 
institutions.

6. Discussion of Significant Alternatives

    As stated previously, the Commission does not believe there are any 
newly covered financial institutions resulting from the proposed 
definitional modification. Moreover, the Commission believes that the 
other proposed amendments would have the overall effect of reducing the 
burden for all covered entities associated with the Privacy Rule annual 
notice. The proposed amendments do not reduce the flexibility already 
present in the existing Rule, which allows notices to be provided in a 
variety of ways, including electronically in some circumstances. As to 
the core requirements of the proposed Rule, they come from GLBA itself, 
as amended by the Dodd-Frank and the FAST Act. The statute prescribes 
the definition of financial institutions to be covered by the Rule and 
sets forth the specific requirements, which the Commission cannot 
modify to ease burdens on small entities. Therefore the Commission does 
not believe that any alternatives for small entities are required or 
appropriate. However, the Commission welcomes comment on any 
significant alternative consistent with the GLBA that would minimize 
the impact of the proposed Rule on small entities--specifically 
institutions that would be newly covered financial institutions--if 
there are any.

List of Subjects in 16 CFR Part 313

    Consumer protection, Credit, Data protection, Privacy, Trade 
practices.

    For the reasons stated above, the Federal Trade Commission proposes 
to amend 16 CFR part 313 as follows:

0
1. Revise the authority section for part 313 to read as follows:

    Authority:  15 U.S.C. 6801 et seq., 12 U.S.C. 5519.

0
2. In Sec.  313.1, revise paragraph (b) to read as follows:


Sec.  313.1   Purpose and scope.

* * * * *
    (b) Scope. This part applies only to nonpublic personal information 
about individuals who obtain financial products or services primarily 
for personal, family or household purposes from the institutions listed 
below. This part does not apply to information about companies or about 
individuals who obtain financial products or services for business, 
commercial, or agricultural purposes. This part applies to those 
``financial institutions'' over which the Federal Trade Commission 
(``Commission'') has rulemaking authority pursuant to section 
504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a ``financial 
institution'' if its business is engaging in an activity that is 
financial in nature or incidental to such financial activities as 
described in section 4(k) of the Bank Holding Company Act of 1956, 12 
U.S.C. 1843(k), which incorporates by reference activities enumerated 
by the Federal Reserve Board in 12 CFR 225.28 and 12 CFR 225.86. The 
``financial institutions'' subject to the Commission's rulemaking 
authority are any persons described in 12 U.S.C. 5519 that are 
predominantly engaged in the sale and servicing of motor vehicles, the 
leasing and servicing of motor vehicles, or both. They are referred to 
in this part as ``You.'' Excluded from the coverage of this regulation 
are motor vehicle dealers described in 12 U.S.C. 5519(b) that directly 
extend to consumers retail credit or retail leases involving motor 
vehicles in which the contract governing such extension of retail 
credit or retail leases is not routinely assigned to an unaffiliated 
third party finance or leasing source.
0
3. In Sec.  313.3, revise paragraphs (e), (i), (j), (k) and (q), to 
read as follows:


Sec.  313.3   Definitions.

* * * * *
    (e)(1) Consumer means an individual who obtains or has obtained a 
financial product or service from you that is to be used primarily for 
personal, family, or household purposes, or that individual's legal 
representative.
    (2) Examples--(i) An individual who applies to you for credit for 
personal, family, or household purposes is a consumer of a financial 
service, regardless of whether the credit is extended.
    (ii) An individual who provides nonpublic personal information to 
you in order to obtain a determination about whether he or she may 
qualify for a loan to be used primarily for personal, family, or 
household purposes is a consumer of a financial service, regardless of 
whether the loan is extended.
    (iii) If you hold ownership or servicing rights to an individual's 
loan that is used primarily for personal, family, or household 
purposes, the individual is your consumer, even if you hold those 
rights in conjunction with one or more other institutions. (The 
individual is also a consumer with respect to the other financial 
institutions involved.) An individual who has a loan in which you have 
ownership or servicing rights is your consumer, even if you, or another 
institution with those rights, hire an agent to collect on the loan.
    (iv) An individual who is a consumer of another financial 
institution is not your consumer solely because you act as agent for, 
or provide processing or other services to, that financial institution.
    (v) An individual is not your consumer solely because he or she is 
a participant or a beneficiary of an employee benefit plan that you 
sponsor or for which you act as a trustee or fiduciary.
* * * * *
    (i)(1) Customer relationship means a continuing relationship 
between a consumer and you under which you provide one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family, or household purposes.

[[Page 13157]]

    (2) Examples--(i) Continuing relationship. A consumer has a 
continuing relationship with you if the consumer:
    (A) Has a credit or investment account with you;
    (B) Obtains a loan from you;
    (C) Purchases an insurance product from you;
    (D) Enters into an agreement or understanding with you whereby you 
undertake to arrange credit to purchase a vehicle for the consumer;
    (E) Enters into a lease of personal property on a non-operating 
basis with you; or
    (F) Has a loan for which you own the servicing rights.
    (ii) No continuing relationship. A consumer does not, however, have 
a continuing relationship with you if:
    (A) The consumer obtains a financial product or service from you 
only in isolated transactions, such as cashing a check with you or 
making a wire transfer through you;
    (B) You sell the consumer's loan and do not retain the rights to 
service that loan; or
    (C) The consumer obtains one-time personal appraisal services from 
you.
    (j) Federal functional regulator means:
    (1) The Board of Governors of the Federal Reserve System;
    (2) The Office of the Comptroller of the Currency;
    (3) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (4) The National Credit Union Administration Board; and
    (5) The Securities and Exchange Commission.
    (k)(1) Financial institution means any institution the business of 
which is engaging in an activity that is financial in nature or 
incidental to such financial activities as described in section 4(k) of 
the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution 
that is significantly engaged in financial activities is a financial 
institution.
    (2) Example of financial institution. An automobile dealership 
that, as a usual part of its business, leases automobiles on a 
nonoperating basis for longer than 90 days is a financial institution 
with respect to its leasing business because leasing personal property 
on a nonoperating basis where the initial term of the lease is at least 
90 days is a financial activity listed in 12 CFR 225.28(b)(3) and 
referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
    (3) Financial institution does not include entities that engage in 
financial activities but that are not significantly engaged in those 
financial activities.
    (4) Example of entities that are not significantly engaged in 
financial activities. A motor vehicle dealer is not a financial 
institution merely because it accepts payment in the form of cash, 
checks, or credit cards that it did not issue.
* * * * *
    (q) You includes each ``financial institution'' over which the 
Commission has rulemaking authority pursuant to section 504(a)(1)(C) of 
the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).
0
4. In Sec.  313.4, revise paragraphs (c)(3)(i) and (e), to read as 
follows:


Sec.  313.4   Initial privacy notice to consumers required.

* * * * *
    (c) * * *
    (3)(i) Examples of establishing a customer relationship. You 
establish a customer relationship when the consumer:
    (A) Executes the contract to obtain credit from you or purchase 
insurance from you; or
    (B) Executes the lease for personal property with you.
* * * * *
    (e) Exceptions to allow subsequent delivery of notice. (1) You may 
provide the initial notice required by paragraph (a)(1) of this section 
within a reasonable time after you establish a customer relationship 
if:
    (i) Establishing the customer relationship is not at the customer's 
election; or
    (ii) Providing notice not later than when you establish a customer 
relationship would substantially delay the customer's transaction and 
customer agrees to receive the notice at a later time.
    (2) Examples of exceptions--(i) Substantial delay of customer's 
transaction. Providing notice not later than when you establish a 
customer relationship would substantially delay the customer's 
transaction when you and the individual agree over the telephone to 
enter into a customer relationship involving prompt delivery of the 
financial product or service.
    (ii) No substantial delay of customer's transaction. Providing 
notice not later than when you establish a customer relationship would 
not substantially delay the customer's transaction when the 
relationship is initiated in person at your office or through other 
means by which the customer may view the notice, such as through a 
website.
* * * * *
0
5. In Sec.  313.5, revise paragraphs (a)(1) and (b)(2) and add 
paragraph (e) to read as follows:


Sec.  313.5   Annual privacy notice to customers required.

    (a)(1) General rule. Except as provided by paragraph (e) of this 
section, you must provide a clear and conspicuous notice to customers 
that accurately reflects your privacy policies and practices not less 
than annually during the continuation of the customer relationship. 
Annually means at least once in any period of 12 consecutive months 
during which that relationship exists. You may define the 12-
consecutive-month period, but you must apply it to the customer on a 
consistent basis.
* * * * *
    (b) * * *
    (2) Examples. Your customer becomes a former customer when:
    (i) In the case of a closed-end loan, the customer pays the loan in 
full, you charge off the loan, or you sell the loan without retaining 
servicing rights;
    (ii) In the case of vehicle loan brokering services, your customer 
has obtained a loan through you (and you no longer provide any 
statements or notices to the customer concerning that relationship), or 
has ceased using your services for such purposes;
    (iii) In cases where there is no definitive time at which the 
customer relationship has terminated, you have not communicated with 
the customer about the relationship for a period of 12 consecutive 
months, other than to provide annual privacy notices or promotional 
material.
* * * * *
    (e) Exception to annual privacy notice requirement. (1) When 
exception available. You are not required to deliver an annual privacy 
notice if you:
    (i) Provide nonpublic personal information to nonaffiliated third 
parties only in accordance with the provisions of Sec.  313.13, Sec.  
313.14, or Sec.  313.15; and
    (ii) Have not changed your policies and practices with regard to 
disclosing nonpublic personal information from the policies and 
practices that were disclosed to the customer under Sec.  313.6(a)(2) 
through (5) and (9) in the most recent privacy notice provided pursuant 
to this part.
    (2) Delivery of annual privacy notice after financial institution 
no longer meets requirements for exception. If you have been excepted 
from delivering an annual privacy notice pursuant to paragraph (e)(1) 
of this section and change your policies or practices in such a way 
that you no longer meet the requirements for that exception, you must 
comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.

[[Page 13158]]

    (i) Changes preceded by a revised privacy notice. If you no longer 
meet the requirements of paragraph (e)(1) of this section because you 
change your policies or practices in such a way that Sec.  313.8 
requires you to provide a revised privacy notice, you must provide an 
annual privacy notice in accordance with the timing requirement in 
paragraph (a) of this section, treating the revised privacy notice as 
an initial privacy notice.
    (ii) Changes not preceded by a revised privacy notice. If you no 
longer meet the requirements of paragraph (e)(1) of this section 
because you change your policies or practices in such a way that Sec.  
313.8 does not require you to provide a revised privacy notice, you 
must provide an annual privacy notice within 100 days of the change in 
your policies or practices that causes you to no longer meet the 
requirement of paragraph (e)(1).
    (iii) Examples. (A) You change your policies and practices in such 
a way that you no longer meet the requirements of paragraph (e)(1) of 
this section effective April 1 of year 1. Assuming you define the 12-
consecutive-month period pursuant to paragraph (a) of this section as a 
calendar year, if you were required to provide a revised privacy notice 
under Sec.  313.8 and you provided that notice on March 1 of year 1, 
you must provide an annual privacy notice by December 31 of year 2. If 
you were not required to provide a revised privacy notice under Sec.  
313.8, you must provide an annual privacy notice by July 9 of year 1.
    (B) You change your policies and practices in such a way that you 
no longer meet the requirements of paragraph (e)(1) of this section, 
and so provide an annual notice to your customers. After providing the 
annual notice to your customers, you once again meet the requirements 
of paragraph (e)(1) of this section for an exception to the annual 
notice requirement. You do not need to provide additional annual notice 
to your customers until such time as you no longer meet the 
requirements of paragraph (e)(1) of this section.
0
6. In Sec.  313.15, revise paragraph (a)(4) to read as follows:


Sec.  313.15   Other exceptions to notice and opt out requirements.

    (a) * * *
    (4) To the extent specifically permitted or required under other 
provisions of law and in accordance with the Right to Financial Privacy 
Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies 
(including the Consumer Financial Protection Bureau, a federal 
functional regulator, the Secretary of the Treasury, with respect to 31 
U.S.C. chapter 53, subchapter II (Records and Reports on Monetary 
Instruments and Transactions) and 12 U.S.C. chapter 21 (Financial 
Recordkeeping), a State insurance authority, with respect to any person 
domiciled in that insurance authority's State that is engaged in 
providing insurance, and the Federal Trade Commission), self-regulatory 
organizations, or for an investigation on a matter related to public 
safety.
* * * * *

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2019-06039 Filed 4-3-19; 8:45 am]
BILLING CODE 6750-01-P