Privacy of Consumer Financial Information-Amendment To Conform Regulations to the Fixing America's Surface Transportation Act, 17341-17345 [2019-08253]

Rules and Regulations
Federal Register Vol. 84, No. 80
Thursday, April 25, 2019

This section of the FEDERAL REGISTER contains regulatory documents having general applicability and legal effect, most of which are keyed to and codified in the Code of Federal Regulations, which is published under 50 titles pursuant to 44 U.S.C. 1510. The Code of Federal Regulations is sold by the Superintendent of Documents.

COMMODITY FUTURES TRADING COMMISSION

17 CFR Part 160

RIN 3038–AE80

Privacy of Consumer Financial Information—Amendment To Conform Regulations to the Fixing America’s Surface Transportation Act

AGENCY: Commodity Futures Trading Commission.

ACTION: Final rule.

SUMMARY: The Commodity Futures Trading Commission (“CFTC” or “Commission”) is adopting amendments to revise its regulations requiring covered persons to provide annual privacy notices to customers. The revisions implement the Fixing America’s Surface Transportation Act’s (“FAST Act”) December 2015 statutory amendment to the Gramm-Leach-Bliley Act (“GLB Act”) by providing an exception to the annual notice requirement under certain conditions.

DATES: This final rule is effective May 28, 2019.

FOR FURTHER INFORMATION CONTACT: Matthew Kulkin, Director, (202) 418–5213, mkulkin@cftc.gov; Frank Fisanich, Chief Counsel, (202) 418–5949, ffisanich@cftc.gov; or Jacob Chachkin, Special Counsel, (202) 418–5496, jchachkin@cftc.gov, Division of Swap Dealer and Intermediary Oversight, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.

SUPPLEMENTARY INFORMATION:

I. Background

Title V, Subtitle A of the GLB Act [1] (“Title V”) mandates that financial institutions provide their consumers with whom they have customer relationships (“customers”) with annual notices regarding those institutions’ privacy policies and practices.[2] Further, subject to certain exceptions, if financial institutions share nonpublic personal information with particular types of third parties, the financial institutions must also provide their consumers with an opportunity to opt out of the sharing.[3]

[1] Title V, Subtitle A, Public Law 106–102, 113 Stat. 1338 (1999), as codified at 15 U.S.C. 6801–6809.
[2] See 15 U.S.C. 6803.
[3] See 15 U.S.C. 6802(b). See also 15 U.S.C. 6809(4)(A) (defining “nonpublic personal information”).

The Commission and entities subject to its jurisdiction were originally excluded from Title V’s coverage.[4] However, section 124 of the Commodity Futures Modernization Act of 2000 [5] amended the Commodity Exchange Act (“CEA”) to add section 5g,[6] providing that futures commission merchants (“FCMs”), commodity trading advisors (“CTAs”), commodity pool operators (“CPOs”), and introducing brokers (“IBs”) [7] fall under the requirements of Title V and requiring the Commission to prescribe regulations in furtherance of Title V. Thus, in 2001, the Commission promulgated part 160 of its regulations to establish standards relating to Title V.[8] Consistent with Title V, part 160 requires that, generally, all FCMs, RFEDs, CTAs, CPOs, IBs, MSPs, and SDs that are subject to the jurisdiction of the Commission, regardless of whether they are required to register with the Commission (“Covered Persons”), provide a clear and conspicuous notice to customers that accurately reflects their privacy policies and practices not less than annually during the life of the customer relationship.[9]

[4] 15 U.S.C. 6809(3)(B).
[5] Section 124, Appendix E of Public Law 106–554, 114 Stat. 2763 (2000).
[6] 7 U.S.C. 7b–2.
[7] For the definitions of these intermediary categories, see section 1a of the CEA and § 1.3 of the Commission’s regulations. 7 U.S.C. 1a and 17 CFR 1.3.
[8] Privacy of Customer Information, 66 FR 21235 (April 27, 2001). The Commission later modified its part 160 regulations to apply them to retail foreign exchange dealers (“RFEDs”), swap dealers (“SDs”), and major swap participants (“MSPs”). Regulation of Off-Exchange Retail Foreign Exchange Transactions and Intermediaries, 75 FR 55409 (Sept. 10, 2010) for RFEDs, and Privacy of Consumer Financial Information; Conforming Amendments Under Dodd-Frank Act, 76 FR 43874 (July 22, 2011) for SDs and MSPs. For the definition of RFED, see § 5.1(h). 17 CFR 5.1(h). For the definitions of SD and MSP, see section 1a of the CEA and § 1.3 of the Commission’s regulations. 7 U.S.C. 1a and 17 CFR 1.3.
[9] 17 CFR 160.1 and 160.5. Part 160 does not apply to foreign (non-resident) FCMs, RFEDs, CTAs, CPOs, IBs, MSPs, and SDs that are not registered with the Commission. 17 CFR 160.1. Therefore, they are not “Covered Persons” as defined in this release.

On December 4, 2015, Congress amended Title V as part of the FAST Act.[10] This amendment, titled “Eliminate Privacy Notice Confusion,” added section 503(f) to the GLB Act to limit the circumstances under which a financial institution must provide a privacy notice to its customers on an annual basis.[11] In particular, under section 503(f), a financial institution is excepted from the requirement to send privacy notices on an annual basis if that financial institution (1) does not share nonpublic personal information except as described in certain specified exceptions; and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from those policies and practices that the institution disclosed in the most recent disclosure it sent to consumers in accordance with section 503.[12] This amendment to the GLB Act became effective upon enactment of the FAST Act in December 2015.

[10] Section 75001, Public Law 114–94, 129 Stat. 1312 (2015), available at http://transportation.house.gov/uploadedfiles/fastact_xml.pdf (last visited Nov. 30, 2018).
[11] Id.
[12] See 15 U.S.C. 6803(f).

II. Proposal

On December 10, 2018, the Commission published a Notice of Proposed Rulemaking (the “NPRM”) [13] to amend § 160.5 of the Commission’s regulations (the “Proposal”) to implement the FAST Act amendments to the GLB Act with respect to Covered Persons.[14] Specifically, the Commission proposed to modify § 160.5(a) to add a reference to an exception, contained in a new paragraph (d), to the requirement that a Covered Person annually provide a clear and conspicuous notice to customers that reflects the Covered Person’s privacy policies and practices (“annual privacy notice”) during the life of the customer relationship.

[13] 83 FR 63450 (Dec. 10, 2018).
[14] In developing the Proposal, pursuant to Section 6804(a)(2) of the GLB Act, the Commission consulted and coordinated with the Bureau of Consumer Financial Protection (“CFPB”), the Securities and Exchange Commission, the Federal Trade Commission, and the National Association of Insurance Commissioners regarding consistency and comparability with the regulations prescribed by such agencies. See 15 U.S.C. 6804(a)(2). In addition, the Proposal was consistent with rules recently finalized by the CFPB (“CFPB Final Rule”). See Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P), 83 FR 40945 (Aug. 17, 2018).
The Commission proposed to describe that exception in Section 160.5(d)(1) by stating that a Covered Person is not required to deliver an annual privacy notice to customers pursuant to § 160.5(a) if it: (1) Provides nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of §§ 160.13, 160.14, 160.15 and any other exceptions adopted by the Commission pursuant to section 504(b) of the GLB Act; [15] and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 160.6(a)(2) through (5) and § 160.6(a)(9) [16] in the most recent privacy notice provided to such customer pursuant to part 160 of the Commission’s regulations.

[15] Section 503(f)(1) of the GLB Act permits a financial institution to share nonpublic personal information in accordance with the provisions of sections 502(b)(2) or (e) of the GLB Act or regulations prescribed under section 504(b) of the GLB Act. See 15 U.S.C. 6802 and 6803. Sharing by a financial institution, as described in sections 502(b)(2) or (e), does not trigger the consumer’s statutory right to opt out of such sharing. These exceptions are incorporated into existing Commission regulations at 17 CFR 160.13 (Exception to opt out requirements for service providers and joint marketing), 160.14 (Exceptions to notice and opt out requirements for processing and servicing transactions), and 160.15 (Other exceptions to notice and opt out requirements). Section 504(b) of the GLB Act gives the Commission and other relevant agencies authority to include additional exceptions to certain regulations promulgated under Title V as are deemed consistent with Title V’s purposes. See 15 U.S.C. 6804(b).
[16] Paragraphs (1) through (9) of § 160.6(a) set forth the specific types of information that a Covered Person must include in its privacy notices. 17 CFR 160.6(a)(1)–(9). As discussed in the Proposal, the information required by § 160.6(a)(2) through (5) and § 160.6(a)(9), which § 160.5(d)(1)(ii) references, specifically relate to the policies and practices connected to disclosing nonpublic personal information. As new GLB Act section 503(f)(2) states that a condition for the annual privacy notice exception is that a financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent notice sent to consumers, the Commission framed the scope of the proposed exception to reference only the types of information listed in § 160.6(a)(2) through (5) and § 160.6(a)(9).

In addition, because, as discussed in the Proposal, the GLB Act is silent as to when a financial institution that has relied on and no longer meets the requirements of the exception must next provide an annual privacy notice, the Commission proposed a framework for these circumstances. Specifically, proposed § 160.5(d)(2) stated that a Covered Person who has been excepted from delivering an annual privacy notice pursuant to § 160.5(d)(1) and who changes its policies or practices in such a way that it no longer meets the requirements for that exception, would, if such a change required a revised privacy notice pursuant to § 160.8,[17] be required to provide an annual privacy notice in accordance with the timing requirements in § 160.5(a), treating the revised privacy notice as an initial privacy notice. Further, if the change in policies or practices did not require a revised privacy notice pursuant to § 160.8 to be sent, a Covered Person who has been previously excepted from delivering an annual privacy notice would be required to provide an annual privacy notice to customers within 100 days of the change in their policies or practices.[18] As discussed in the Proposal, the Commission proposed this 100-day period because the Commission believes the annual privacy notice should be delivered within a relatively short time so that customers are informed of the change in a timely manner. Further, the Commission stated its belief that 100 days would allow a Covered Person to meet the notice requirement without imposing additional costs on Covered Persons; particularly, a 100-day delivery period would accommodate the inclusion of the notice with their quarterly statements.[19] In addition, this 100-day delivery period is required under the CFPB Final Rule, and the Commission stated that proposing the same delivery requirement as the CFPB furthers the Commission’s goal of having its regulations be consistent with those of other regulators, where appropriate.

[17] 17 CFR 160.8 (Revised privacy notices).
[18] In developing this framework, the Commission looked to § 160.8 because that provision already addresses circumstances in which a Covered Person might change its privacy policies or practices in a way that affects the content of the notices. Specifically, § 160.8 requires that a Covered Person provide a revised notice to consumers before implementing certain types of changes. In other cases, part 160 currently contemplates that a change in policy or practice that affects the content of the notices would simply be reflected on the next regular annual notice provided to customers pursuant to § 160.5. The Commission therefore proposed different timing requirements for resumption of delivery of annual notices, depending on whether the change at issue would trigger the requirement for a revised notice under § 160.8 prior to the change taking effect.
[19] The Commission also noted in the Proposal that a delivery requirement resulting from a change in policies and practices described under proposed Commission regulation 160.5(d)(1)(ii) is effectively a one-time burden for a Covered Person absent additional changes to its policies and practices. Specifically, under the Proposal, after providing the one annual privacy notice, the Covered Person would once again meet both of the conditions for the exception—it would not be sharing other than as described under Commission regulation 160.5(d)(1)(i) and its policies and practices would not have changed since it provided the annual privacy notice. Because the Covered Person would once again meet the conditions for the exception, it would not be required to provide future annual privacy notices.

In order to ensure that the Proposal, if adopted, achieved its stated purpose, the Commission requested comments generally on all aspects of the Proposal and the NPRM,[20] as well as comments on certain specific matters discussed below. The comment period for the Proposal ended on February 8, 2019.

[20] Proposal, 83 FR at 63453.

III. Summary of Comments and Final Rule

The Commission received one relevant comment,[21] which was supportive of the Proposal. The Commission is adopting the final rule (“Final Rule”) as proposed. Accordingly, the Commission is adopting the amendments to Commission regulation 160.5 as shown in the rule text in this document and for the reasons discussed in the Proposal and reiterated above.

[21] The Commission also received one comment that was not relevant to the Proposal. These comments are available at https://comments.cftc.gov/PublicComments/CommentList.aspx?id=2938.

IV. Related Matters

A. Regulatory Flexibility Act

The Regulatory Flexibility Act [22] (“RFA”) requires federal agencies to consider whether the rules they propose will have a significant economic impact on a substantial number of small entities and, if so, to provide a regulatory flexibility analysis regarding the economic impact on those entities. In the Proposal, the Commission certified that the Proposal would not have a significant economic impact on a substantial number of small entities. The Commission requested comments with respect to the RFA and received no such comments.

As discussed in the Proposal, the Final Rule adds an exception to § 160.5’s requirement that Covered Persons deliver annual privacy notices, as discussed above. The Final Rule affects Covered Persons (i.e., certain FCMs, RFEDs, CTAs, CPOs, IBs, MSPs, and SDs). To the extent that the Final Rule will impact Covered Persons that may be small entities for purposes of the RFA,[23] the Commission considered whether the Final Rule will have a significant economic impact on such Covered Persons.

[22] 5 U.S.C. 601 et seq.
[23] The Commission has previously determined that certain entities are not “small entities” for purposes of the RFA. See, e.g., 47 FR 18618, 18619 (Apr. 30, 1982) (registered FCMs); 75 FR 55410, 55416 (Sept. 10, 2010) (RFEDs); 77 FR 2613, 2620 (Jan. 19, 2012) (SDs and MSPs). However, the Commission has determined that CPOs exempt pursuant to 17 CFR 4.13(a) are small entities. See 46 FR 26004 (May 8, 1981); 47 FR at 18619. The definitions of IB and CTA are also broad enough to potentially encompass “small entities.” See 48 FR 35248, 35276 (Aug. 3, 1983) (recognizing that the IB definition “undoubtedly encompasses many business enterprises of variable size”); 47 FR at 18620 (the category of CTAs is “too broad” for a general determination regarding their small entity status).

As a Covered Person may continue to provide annual privacy notices and not avail itself of the exception to the annual privacy notice requirement in § 160.5, the Final Rule will not impose any new regulatory obligations on Covered Persons, including Covered Persons that may be small entities for purposes of the RFA. Rather, to the extent that a Covered Person relies on the exception, it would simply avoid providing a privacy notice annually until such time as it is no longer eligible for the exception. The Final Rule’s clarification that, once it is no longer eligible for the exception, the Covered Person needs to provide a privacy notice either in accordance with existing § 160.8 or within 100 days also does not result in any new burdens. Sections 160.5 and 160.8 are existing requirements to deliver annual privacy notices and revised privacy notices under certain circumstances. Further, the Commission endeavors to reduce any burdens for those Covered Persons utilizing the exception by allowing the 100-day period following loss of the exception to resume delivery of an annual privacy notice where a notice is not already required pursuant to § 160.8, as discussed above. The Commission does not, therefore, expect any small entities that may be impacted by the rule to incur any additional costs as a result of the Final Rule.

Therefore, the Commission believes that the Final Rule will not have a significant economic impact on a substantial number of small entities, as defined in the RFA. Accordingly, the Chairman, on behalf of the Commission, hereby certifies pursuant to 5 U.S.C. 605(b) that the Final Rule will not have a significant economic impact on a substantial number of small entities.

B. Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (“PRA”) [24] imposes certain requirements on Federal agencies, including the Commission, in connection with their conducting or sponsoring any collection of information, as defined by the PRA. The Commission may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid Office of Management and Budget (“OMB”) control number. As discussed in the Proposal, the Commission believes that the Final Rule will not impose any new recordkeeping or information collection requirements, or other collections of information that require approval of OMB under the PRA.

[24] 44 U.S.C. 3501 et seq.

However, by providing the exception to the requirement to provide annual privacy notices to customers discussed above, the Final Rule modifies a collection of information for which the Commission has previously received a control number from OMB. The title for this collection of information is “Privacy of Consumer Financial Information, OMB control number 3038–0055”.[25] Collection 3038–0055 is currently in force with its control number having been provided by OMB. Accordingly, the Commission submitted to OMB revisions to OMB control number 3038–0055 to reflect the addition of this exception and the resulting reduction of burden. In particular, the Commission estimated that the availability of the exception in Commission regulation 160.5(d) will reduce the current number of annual privacy notices by approximately 30%. Accordingly, in accordance with its previous estimates, the Commission estimated that the Final Rule will reduce the total number of responses by 113,620 responses annually and reduce the time burden by approximately 1,136 hours annually. The Commission believes that the one-time cost of adopting the annual privacy notice exception for Covered Persons that adopt it is de minimis.

[25] See OMB Control No. 3038–0055, http://www.reginfo.gov/public/do/PRAOMBHistory?ombControlNumber=3038-0055# (last visited Nov. 30, 2018).

Information Collection Comments. In the Proposal, the Commission invited the public and other Federal agencies to comment on any aspect of the information collection requirements discussed therein. The Commission did not receive any such comments.

C. Cost-Benefit Considerations

Section 15(a) of the CEA requires the Commission to consider the costs and benefits of its actions before promulgating a regulation under the CEA. Section 15(a) further specifies that the costs and benefits shall be evaluated in light of the following five broad areas of market and public concern: (1) Protection of market participants and the public; (2) efficiency, competitiveness, and financial integrity of futures markets; (3) price discovery; (4) sound risk management practices; and (5) other public interest considerations. The Commission considers the costs and benefits resulting from its discretionary determinations with respect to the section 15(a) considerations.

As discussed above, the Commission is implementing the FAST Act’s amendments to the GLB Act by amending § 160.5 to incorporate an exception to a Covered Person’s obligation to provide an annual privacy notice under certain specified circumstances, consistent with section 503(f) of the GLB Act, and address when a Covered Person that has relied on and no longer meets the requirements of that exception must next provide an annual privacy notice.
Below, the Commission discusses the costs and benefits of the Final Rule.[26] The baseline against which the costs and benefits are considered is the current status quo for Covered Persons with respect to their obligation to provide annual privacy notices. The Commission recognizes that there are inherent costs and benefits to Covered Persons and their customers associated with providing an exception to the annual privacy notice requirement, which Congress took into account in amending the GLB Act under the FAST Act. The Commission further recognizes that there are costs and benefits due to discretionary actions taken by the Commission in implementing the exception. In formulating the Final Rule, the Commission was mindful of the policy goals that drove Congress to create this exception and endeavored not to impose unnecessary burdens on Covered Persons in determining when a Covered Person next needs to provide an annual privacy notice after loss of the exception.[27]

[26] The Commission endeavors to assess the expected costs and benefits of the Final Rule in quantitative terms where possible. Where estimation or quantification is not feasible, the Commission provides its discussion in qualitative terms. Given a general lack of relevant data, the Commission’s assessment is generally provided in qualitative terms.
[27] The Commission notes that the consideration of costs and benefits below is based on the understanding that the markets function internationally, with many transactions involving United States firms taking place across international boundaries; with some commission registrants being organized outside of the United States; with some leading industry members typically conducting operations both within and outside the United States; and with industry members commonly following substantially similar business practices wherever located. Where the Commission does not specifically refer to matters of location, the discussion of costs and benefits below refers to the effects of this proposal on all activity subject to the proposed and amended regulations, whether by virtue of the activity’s physical location in the United States or by virtue of the activity’s connection with or effect on United States commerce under CEA section 2(i). In particular, the Commission notes that some Covered Persons are located outside of the United States.

The Commission anticipates that some Covered Persons may avail themselves of the exception in the Final Rule and not provide annual privacy notices. The Final Rule benefits these Covered Persons that are opting out of providing annual privacy notices by reducing their costs associated with sending such notices. Further, because no Covered Person is required to avail themselves of the exception in the Final Rule, as discussed above, the Commission believes that it is reasonable to conclude that only those Covered Persons that expect a net benefit from the Final Rule will stop providing annual privacy notices under the proposed exception.

The Commission recognizes that, as a result of the Final Rule, certain customers of Covered Persons may no longer receive privacy notices annually and therefore will not be made aware of the Covered Persons’ policies and procedures as frequently. However, the scope of the exception is tailored such that customers of Covered Persons could only not receive an annual privacy notice to the extent that the Covered Person: (1) Provides nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of §§ 160.13, 160.14, 160.15 and any other exceptions adopted by the Commission pursuant to section 504(b) of the GLB Act; and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 160.6(a)(2) through (5) and § 160.6(a)(9) in the most recent privacy notice provided to such customer pursuant to part 160 of the Commission’s regulations. Thus, the Final Rule may reduce confusion among customers by providing them with disclosures when they would be most relevant, i.e., when disclosure policies change after the customer relationship begins and to the extent an institution shares sensitive personal information with third parties for marketing purposes.

In determining when to require the resumption of annual privacy notices following the loss of the exception in the Final Rule, the Commission endeavored to make its requirements consistent with existing timing requirements for privacy notices under current regulations, as discussed above, and to provide clarity to Covered Persons.[28] Specifically, in requiring the resumption of annual privacy notices within 100 days of the loss of the exception where a revised privacy notice is not required under § 160.8, the Commission has tried not to impose unnecessary burdens on Covered Persons while taking into account the potential impact on a Covered Person’s customers of not receiving such notices in a timely manner. The Commission considered different requirements for the resumption of annual privacy notices in these circumstances (e.g., requiring a notice before the change in the policy or practice causing the loss of the availability of the exception or immediately following such change, or within 60 or 90 days of such change). The Commission is providing the 100 day period because it believes the Final Rule to be consistent with the revisions of the GLB Act in the FAST Act and current regulations while allowing Covered Persons some flexibility in resuming annual privacy notices. This flexibility allows, for example, these notices to be included with quarterly statements to reduce any costs from resuming providing such notices.

[28] In addition, as discussed above, the Commission notes that a Covered Person’s obligation to resume providing annual privacy notices may be effectively a one-time burden absent additional changes to their policies and practices.

In providing timing requirements for the resumption of annual privacy notices where a revised notice is required under § 160.8, the Commission is clarifying the effect of such a revised notice on the requirement that a Covered Person provide an annual privacy notice and on the eligibility for the exception to this requirement. Specifically, the Commission is clarifying that a Covered Person must provide the notice currently required by § 160.8 and treat such notice as an initial privacy notice.

Section 15(a) Considerations. In light of the foregoing, the CFTC has evaluated the costs and benefits of the Final Rule pursuant to the five considerations identified in section 15(a) of the CEA as follows:

(1) Protection of Market Participants and the Public

The requirements of § 160.5 protect market participants by ensuring that customers of Covered Persons are informed about such Covered Persons’ practices and policies with respect to nonpublic personal information and certain other information described in § 160.6. As discussed above, the Commission recognizes that, as a result of the Final Rule, some customers of Covered Persons may no longer receive privacy notices annually and therefore will not be made aware of the Covered Persons’ policies and procedures as frequently. However, the scope of the exception is tailored such that customers of Covered Persons could only not receive an annual privacy notice to the extent that the Covered Person: (1) Provides nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of §§ 160.13, 160.14, 160.15 and any other exceptions adopted by the Commission pursuant to section 504(b) of the GLB Act; and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 160.6(a)(2) through (5) and § 160.6(a)(9) in the most recent privacy notice provided to such customer pursuant to part 160 of the Commission’s regulations. Further, as discussed above, the Final Rule may reduce confusion among customers by providing them with disclosures when they would be most relevant. In addition, the Commission believes that the requirements for the resumption of annual privacy notices following the loss of the exception in the Final Rule will allow customers of Covered Persons to receive annual privacy notices in a timely manner while not causing Covered Persons to incur any additional costs.

(2) Efficiency, Competitiveness, and Financial Integrity of Markets

The Commission believes that the Final Rule may improve competition by reducing costs for Covered Persons that meet the requirements of the exception in § 160.5(d) to not deliver an annual privacy notice and elect to not deliver such notices. Specifically, the Commission expects that the Final Rule will likely result in fewer substantially similar annual privacy notices being delivered, which will reduce costs associated with producing and delivering such privacy notices. Further, to the extent that a Covered Person is no longer able to take advantage of the exception to providing annual privacy notices and is required to resume providing them, the Commission believes that a Covered Person will not incur any additional costs in doing so, as the Covered Person would simply need to resume sending annual privacy notices as currently required.

(3) Price Discovery

The Commission has not identified an impact on price discovery as a result of the Final Rule.

(4) Sound Risk Management

The Commission has not identified an impact on sound risk management as a result of the Final Rule.

(5) Other Public Interest Considerations

The Commission has not identified an impact on other public interest considerations as a result of the Final Rule.

Comments on Cost-Benefit Considerations. The Commission invited public comment on its cost-benefit considerations in the Proposal, including the Section 15(a) factors described above. The Commission received no such comments.

D. Antitrust Considerations

Section 15(b) of the CEA requires the Commission to take into consideration the public interest to be protected by the antitrust laws and endeavor to take the least anticompetitive means of achieving the purposes of the CEA, in issuing any order or adopting any Commission rule or regulation (including any exemption under section 4(c) or 4c(b)), or in requiring or approving any bylaw, rule, or regulation of a contract market or registered futures association established pursuant to section 17 of the CEA.[29]

[29] 7 U.S.C. 19(b).

The Commission believes that the public interest to be protected by the antitrust laws is generally to protect competition. The Commission requested and did not receive any comments on whether the Proposal implicated any other specific public interest to be protected by the antitrust laws.

The Commission has considered this Final Rule to determine whether it is anticompetitive and has preliminarily identified no anticompetitive effects. The Commission requested and did not receive any comments on whether the Proposal was anticompetitive and, if it is, what the anticompetitive effects are.

Because the Commission has preliminarily determined that this Final Rule is not anticompetitive and has no anticompetitive effects and received no comments on its determination, the Commission has not identified any less anticompetitive means of achieving the purposes of the CEA.

List of Subjects in 17 CFR Part 160

Brokers, Consumer protection, Privacy, Reporting and recordkeeping requirements.

For the reasons stated in the preamble, the Commodity Futures Trading Commission amends 17 CFR chapter I as follows:

PART 160—PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT

■ 1. The authority citation for part 160 continues to read as follows:

Authority: 7 U.S.C. 7b–2 and 12a(5); 15 U.S.C. 6801, et seq., and sec. 1093, Pub. L. 111–203, 124 Stat. 1376.

■ 2. In § 160.5, revise the first sentence of paragraph (a)(1) and add paragraph (d) to read as follows:

§ 160.5 Annual privacy notice to customers required.
(a)(1) * * * Except as provided by paragraph (d) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the life of the customer relationship. * * *

* * * * *

(d) Exception to annual privacy notice requirement. (1) You are not required to deliver an annual privacy notice if you:

(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of §§ 160.13, 160.14, and 160.15 and any other exceptions adopted by the Commission pursuant to section 504(b) of the GLB Act; and

(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 160.6(a)(2) through (5) and § 160.6(a)(9) in the most recent privacy notice sent to the customer pursuant to this part.

(2) Delivery of annual privacy notice after you no longer meet requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (d)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (d)(2)(i) or (ii) of this section, as applicable.

(i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (d)(1) of this section because you change your policies or practices in such a way that § 160.8 of this part requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirements in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.

(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (d)(1) of this section because you change your policies or practices in such a way that § 160.8 of this part does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirements of paragraph (d)(1) of this section.

Issued in Washington, DC, on April 19, 2019, by the Commission.

Robert Sidman,
Deputy Secretary of the Commission.

Appendix to Privacy of Consumer Financial Information—Amendment To Conform Regulations to the Fixing America’s Surface Transportation Act—Commission Voting Summary

On this matter, Chairman Giancarlo and Commissioners Quintenz, Behnam, Stump, and Berkovitz voted in the affirmative. No Commissioner voted in the negative.

[FR Doc. 2019–08253 Filed 4–24–19; 8:45 am]

BILLING CODE 6351–01–P


[Federal Register Volume 84, Number 80 (Thursday, April 25, 2019)]
[Rules and Regulations]
[Pages 17341-17345]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-08253]



========================================================================
Rules and Regulations
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains regulatory documents 
having general applicability and legal effect, most of which are keyed 
to and codified in the Code of Federal Regulations, which is published 
under 50 titles pursuant to 44 U.S.C. 1510.

The Code of Federal Regulations is sold by the Superintendent of Documents. 

========================================================================



[[Page 17341]]



COMMODITY FUTURES TRADING COMMISSION

17 CFR Part 160

RIN 3038-AE80


Privacy of Consumer Financial Information--Amendment To Conform 
Regulations to the Fixing America's Surface Transportation Act

AGENCY: Commodity Futures Trading Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Commodity Futures Trading Commission (``CFTC'' or 
``Commission'') is adopting amendments to revise its regulations 
requiring covered persons to provide annual privacy notices to 
customers. The revisions implement the Fixing America's Surface 
Transportation Act's (``FAST Act'') December 2015 statutory amendment 
to the Gramm-Leach-Bliley Act (``GLB Act'') by providing an exception 
to the annual notice requirement under certain conditions.

DATES: This final rule is effective May 28, 2019.

FOR FURTHER INFORMATION CONTACT: Matthew Kulkin, Director, (202) 418-
5213, mkulkin@cftc.gov; Frank Fisanich, Chief Counsel, (202) 418-5949, 
ffisanich@cftc.gov; or Jacob Chachkin, Special Counsel, (202) 418-5496, 
jchachkin@cftc.gov, Division of Swap Dealer and Intermediary Oversight, 
Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st 
Street NW, Washington, DC 20581.

SUPPLEMENTARY INFORMATION:

I. Background

    Title V, Subtitle A of the GLB Act \1\ (``Title V'') mandates that 
financial institutions provide their consumers with whom they have 
customer relationships (``customers'') with annual notices regarding 
those institutions' privacy policies and practices.\2\ Further, subject 
to certain exceptions, if financial institutions share nonpublic 
personal information with particular types of third parties, the 
financial institutions must also provide their consumers with an 
opportunity to opt out of the sharing.\3\ The Commission and entities 
subject to its jurisdiction were originally excluded from Title V's 
coverage.\4\ However, section 124 of the Commodity Futures 
Modernization Act of 2000 \5\ amended the Commodity Exchange Act 
(``CEA'') to add section 5g,\6\ providing that futures commission 
merchants (``FCMs''), commodity trading advisors (``CTAs''), commodity 
pool operators (``CPOs''), and introducing brokers (``IBs'') \7\ fall 
under the requirements of Title V and requiring the Commission to 
prescribe regulations in furtherance of Title V. Thus, in 2001, the 
Commission promulgated part 160 of its regulations to establish 
standards relating to Title V.\8\
---------------------------------------------------------------------------

    \1\ Title V, Subtitle A, Public Law 106-102, 113 Stat. 1338 
(1999), as codified at 15 U.S.C. 6801-6809.
    \2\ See 15 U.S.C. 6803.
    \3\ See 15 U.S.C. 6802(b). See also 15 U.S.C. 6809(4)(A) 
(defining ``nonpublic personal information'').
    \4\ 15 U.S.C. 6809(3)(B).
    \5\ Section 124, Appendix E of Public Law 106-554, 114 Stat. 
2763 (2000).
    \6\ 7 U.S.C. 7b-2.
    \7\ For the definitions of these intermediary categories, see 
section 1a of the CEA and Sec.  1.3 of the Commission's regulations. 
7 U.S.C. 1a and 17 CFR 1.3.
    \8\ Privacy of Customer Information, 66 FR 21235 (April 27, 
2001). The Commission later modified its part 160 regulations to 
apply them to retail foreign exchange dealers (``RFEDs''), swap 
dealers (``SDs''), and major swap participants (``MSPs''). 
Regulation of Off-Exchange Retail Foreign Exchange Transactions and 
Intermediaries, 75 FR 55409 (Sept. 10, 2010) for RFEDs, and Privacy 
of Consumer Financial Information; Conforming Amendments Under Dodd-
Frank Act, 76 FR 43874 (July 22, 2011) for SDs and MSPs. For the 
definition of RFED, see Sec.  5.1(h). 17 CFR 5.1(h). For the 
definitions of SD and MSP, see section 1a of the CEA and Sec.  1.3 
of the Commission's regulations. 7 U.S.C. 1a and 17 CFR 1.3.
---------------------------------------------------------------------------

    Consistent with Title V, part 160 requires that, generally, all 
FCMs, RFEDs, CTAs, CPOs, IBs, MSPs, and SDs that are subject to the 
jurisdiction of the Commission, regardless of whether they are required 
to register with the Commission (``Covered Persons''), provide a clear 
and conspicuous notice to customers that accurately reflects their 
privacy policies and practices not less than annually during the life 
of the customer relationship.\9\
---------------------------------------------------------------------------

    \9\ 17 CFR 160.1 and 160.5. Part 160 does not apply to foreign 
(non-resident) FCMs, RFEDs, CTAs, CPOs, IBs, MSPs, and SDs that are 
not registered with the Commission. 17 CFR 160.1. Therefore, they 
are not ``Covered Persons'' as defined in this release.
---------------------------------------------------------------------------

    On December 4, 2015, Congress amended Title V as part of the FAST 
Act.\10\ This amendment, titled ``Eliminate Privacy Notice Confusion,'' 
added section 503(f) to the GLB Act to limit the circumstances under 
which a financial institution must provide a privacy notice to its 
customers on an annual basis.\11\ In particular, under section 503(f), 
a financial institution is excepted from the requirement to send 
privacy notices on an annual basis if that financial institution (1) 
does not share nonpublic personal information except as described in 
certain specified exceptions; and (2) has not changed its policies and 
practices with regard to disclosing nonpublic personal information from 
those policies and practices that the institution disclosed in the most 
recent disclosure it sent to consumers in accordance with section 
503.\12\ This amendment to the GLB Act became effective upon enactment 
of the FAST Act in December 2015.
---------------------------------------------------------------------------

    \10\ Section 75001, Public Law 114-94, 129 Stat. 1312 (2015), 
available at http://transportation.house.gov/uploadedfiles/fastact_xml.pdf (last visited Nov. 30, 2018).
    \11\ Id.
    \12\ See 15 U.S.C. 6803(f).
---------------------------------------------------------------------------

II. Proposal

    On December 10, 2018, the Commission published a Notice of Proposed 
Rulemaking (the ``NPRM'') \13\ to amend Sec.  160.5 of the Commission's 
regulations (the ``Proposal'') to implement the FAST Act amendments to 
the GLB Act with respect to Covered Persons.\14\ Specifically, the 
Commission proposed to modify Sec.  160.5(a) to add a reference to an 
exception, contained in

[[Page 17342]]

a new paragraph (d), to the requirement that a Covered Person annually 
provide a clear and conspicuous notice to customers that reflects the 
Covered Person's privacy policies and practices (``annual privacy 
notice'') during the life of the customer relationship. The Commission 
proposed to describe that exception in Section 160.5(d)(1) by stating 
that a Covered Person is not required to deliver an annual privacy 
notice to customers pursuant to Sec.  160.5(a) if it: (1) Provides 
nonpublic personal information to nonaffiliated third parties only in 
accordance with the provisions of Sec. Sec.  160.13, 160.14, 160.15 and 
any other exceptions adopted by the Commission pursuant to section 
504(b) of the GLB Act; \15\ and (2) has not changed its policies and 
practices with regard to disclosing nonpublic personal information from 
the policies and practices that were disclosed to the customer under 
Sec.  160.6(a)(2) through (5) and Sec.  160.6(a)(9) \16\ in the most 
recent privacy notice provided to such customer pursuant to part 160 of 
the Commission's regulations.
---------------------------------------------------------------------------

    \13\ 83 FR 63450 (Dec. 10, 2018).
    \14\ In developing the Proposal, pursuant to Section 6804(a)(2) 
of the GLB Act, the Commission consulted and coordinated with the 
Bureau of Consumer Financial Protection (``CFPB''), the Securities 
and Exchange Commission, the Federal Trade Commission, and the 
National Association of Insurance Commissioners regarding 
consistency and comparability with the regulations prescribed by 
such agencies. See 15 U.S.C. 6804(a)(2). In addition, the Proposal 
was consistent with rules recently finalized by the CFPB (``CFPB 
Final Rule''). See Amendment to the Annual Privacy Notice 
Requirement Under the Gramm-Leach-Bliley Act (Regulation P), 83 FR 
40945 (Aug. 17, 2018).
    \15\ Section 503(f)(1) of the GLB Act permits a financial 
institution to share nonpublic personal information in accordance 
with the provisions of sections 502(b)(2) or (e) of the GLB Act or 
regulations prescribed under section 504(b) of the GLB Act. See 15 
U.S.C. 6802 and 6803. Sharing by a financial institution, as 
described in sections 502(b)(2) or (e), does not trigger the 
consumer's statutory right to opt out of such sharing. These 
exceptions are incorporated into existing Commission regulations at 
17 CFR 160.13 (Exception to opt out requirements for service 
providers and joint marketing), 160.14 (Exceptions to notice and opt 
out requirements for processing and servicing transactions), and 
160.15 (Other exceptions to notice and opt out requirements). 
Section 504(b) of the GLB Act gives the Commission and other 
relevant agencies authority to include additional exceptions to 
certain regulations promulgated under Title V as are deemed 
consistent with Title V's purposes. See 15 U.S.C. 6804(b).
    \16\ Paragraphs (1) through (9) of Sec.  160.6(a) set forth the 
specific types of information that a Covered Person must include in 
its privacy notices. 17 CFR 160.6 (a)(1)-(9). As discussed in the 
Proposal, the information required by Sec.  160.6(a)(2) through (5) 
and Sec.  160.6(a)(9), which Sec.  160.5(d)(1)(ii) references, 
specifically relate to the policies and practices connected to 
disclosing nonpublic personal information. As new GLB Act section 
503(f)(2) states that a condition for the annual privacy notice 
exception is that a financial institution must not have changed its 
policies and practices with regard to disclosing nonpublic personal 
information from the policies and practices that were disclosed in 
the most recent notice sent to consumers, the Commission framed 
the scope of the proposed exception to reference only the types of 
information listed in Sec.  160.6(a)(2) through (5) and Sec.  
160.6(a)(9).
---------------------------------------------------------------------------

    In addition, because, as discussed in the Proposal, the GLB Act is 
silent as to when a financial institution that has relied on and no 
longer meets the requirements of the exception must next provide an 
annual privacy notice, the Commission proposed a framework for these 
circumstances. Specifically, proposed Sec.  160.5(d)(2) stated that a 
Covered Person who has been excepted from delivering an annual privacy 
notice pursuant to Sec.  160.5(d)(1) and who changes its policies or 
practices in such a way that it no longer meets the requirements for 
that exception, would, if such a change required a revised privacy 
notice pursuant to Sec.  160.8,\17\ be required to provide an annual 
privacy notice in accordance with the timing requirements in Sec.  
160.5(a), treating the revised privacy notice as an initial privacy 
notice. Further, if the change in policies or practices did not require 
a revised privacy notice pursuant to Sec.  160.8 to be sent, a Covered 
Person who has been previously excepted from delivering an annual 
privacy notice would be required to provide an annual privacy notice to 
customers within 100 days of the change in their policies or 
practices.\18\
---------------------------------------------------------------------------

    \17\ 17 CFR 160.8 (Revised privacy notices).
    \18\ In developing this framework, the Commission looked to 
Sec.  160.8 because that provision already addresses circumstances 
in which a Covered Person might change its privacy policies or 
practices in a way that affects the content of the notices. 
Specifically, Sec.  160.8 requires that a Covered Person provide a 
revised notice to consumers before implementing certain types of 
changes. In other cases, part 160 currently contemplates that a 
change in policy or practice that affects the content of the notices 
would simply be reflected on the next regular annual notice provided 
to customers pursuant to Sec.  160.5. The Commission therefore 
proposed different timing requirements for resumption of delivery of 
annual notices, depending on whether the change at issue would 
trigger the requirement for a revised notice under Sec.  160.8 prior 
to the change taking effect.
---------------------------------------------------------------------------

    As discussed in the Proposal, the Commission proposed this 100-day 
period because the Commission believes the annual privacy notice should 
be delivered within a relatively short time so that customers are 
informed of the change in a timely manner. Further, the Commission 
stated its belief that 100 days would allow a Covered Person to meet 
the notice requirement without imposing additional costs on Covered 
Persons; particularly, a 100-day delivery period would accommodate the 
inclusion of the notice with their quarterly statements.\19\ In 
addition, this 100-day delivery period is required under the CFPB Final 
Rule, and the Commission stated that proposing the same delivery 
requirement as the CFPB furthers the Commission's goal of having its 
regulations be consistent with those of other regulators, where 
appropriate.
---------------------------------------------------------------------------

    \19\ The Commission also noted in the Proposal that a delivery 
requirement resulting from a change in policies and practices 
described under proposed Commission regulation 160.5(d)(1)(ii) is 
effectively a one-time burden for a Covered Person absent additional 
changes to its policies and practices. Specifically, under the 
Proposal, after providing the one annual privacy notice, the Covered 
Person would once again meet both of the conditions for the 
exception--it would not be sharing other than as described under 
Commission regulation 160.5(d)(1)(i) and its policies and practices 
would not have changed since it provided the annual privacy notice. 
Because the Covered Person would once again meet the conditions for 
the exception, it would not be required to provide future annual 
privacy notices.
---------------------------------------------------------------------------

    In order to ensure that the Proposal, if adopted, achieved its 
stated purpose, the Commission requested comments generally on all 
aspects of the Proposal and the NPRM,\20\ as well as comments on 
certain specific matters discussed below. The comment period for the 
Proposal ended on February 8, 2019.
---------------------------------------------------------------------------

    \20\ Proposal, 83 FR at 63453.
---------------------------------------------------------------------------

III. Summary of Comments and Final Rule

    The Commission received one relevant comment,\21\ which was 
supportive of the Proposal.
---------------------------------------------------------------------------

    \21\ The Commission also received one comment that was not 
relevant to the Proposal. These comments are available at https://comments.cftc.gov/PublicComments/CommentList.aspx?id=2938.
---------------------------------------------------------------------------

    The Commission is adopting the final rule (``Final Rule'') as 
proposed. Accordingly, the Commission is adopting the amendments to 
Commission regulation 160.5 as shown in the rule text in this document 
and for the reasons discussed in the Proposal and reiterated above.

IV. Related Matters

A. Regulatory Flexibility Act

    The Regulatory Flexibility Act \22\ (``RFA'') requires federal 
agencies to consider whether the rules they propose will have a 
significant economic impact on a substantial number of small entities 
and, if so, to provide a regulatory flexibility analysis regarding the 
economic impact on those entities. In the Proposal, the Commission 
certified that the Proposal would not have a significant economic 
impact on a substantial number of small entities. The Commission 
requested comments with respect to the RFA and received no such 
comments.
---------------------------------------------------------------------------

    \22\ 5 U.S.C. 601 et seq.
---------------------------------------------------------------------------

    As discussed in the Proposal, the Final Rule adds an exception to 
Sec.  160.5's requirement that Covered Persons deliver annual privacy 
notices, as discussed above. The Final Rule affects Covered Persons 
(i.e., certain FCMs, RFEDs, CTAs, CPOs, IBs, MSPs, and SDs). To the 
extent that the Final Rule will impact Covered Persons that may be 
small entities for purposes of the RFA,\23\ the Commission considered

[[Page 17343]]

whether the Final Rule will have a significant economic impact on such 
Covered Persons.
---------------------------------------------------------------------------

    \23\ The Commission has previously determined that certain 
entities are not ``small entities'' for purposes of the RFA. See, 
e.g., 47 FR 18618, 18619 (Apr. 30, 1982) (registered FCMs); 75 FR 
55410, 55416 (Sept. 10, 2010) (RFEDs); 77 FR 2613, 2620 (Jan. 19, 
2012) (SDs and MSPs). However, the Commission has determined that 
CPOs exempt pursuant to 17 CFR 4.13(a) are small entities. See 46 FR 
26004 (May 8, 1981); 47 FR at 18619. The definitions of IB and CTA 
are also broad enough to potentially encompass ``small entities.'' 
See 48 FR 35248, 35276 (Aug. 3, 1983) (recognizing that the IB 
definition ``undoubtedly encompasses many business enterprises of 
variable size''); 47 FR at 18620 (the category of CTAs is ``too 
broad'' for a general determination regarding their small entity 
status).
---------------------------------------------------------------------------

    As a Covered Person may continue to provide annual privacy notices 
and not avail itself of the exception to the annual privacy notice 
requirement in Sec.  160.5, the Final Rule will not impose any new 
regulatory obligations on Covered Persons, including Covered Persons 
that may be small entities for purposes of the RFA. Rather, to the 
extent that a Covered Person relies on the exception, it would simply 
avoid providing a privacy notice annually until such time as it is no 
longer eligible for the exception. The Final Rule's clarification that, 
once it is no longer eligible for the exception, the Covered Person 
needs to provide a privacy notice either in accordance with existing 
Sec.  160.8 or within 100 days also does not result in any new burdens. 
Sections 160.5 and 160.8 are existing requirements to deliver annual 
privacy notices and revised privacy notices under certain 
circumstances. Further, the Commission endeavors to reduce any burdens 
for those Covered Persons utilizing the exception by allowing the 100-
day period following loss of the exception to resume delivery of an 
annual privacy notice where a notice is not already required pursuant 
to Sec.  160.8, as discussed above. The Commission does not, therefore, 
expect any small entities that may be impacted by the rule to incur any 
additional costs as a result of the Final Rule.
    Therefore, the Commission believes that the Final Rule will not 
have a significant economic impact on a substantial number of small 
entities, as defined in the RFA.
    Accordingly, the Chairman, on behalf of the Commission, hereby 
certifies pursuant to 5 U.S.C. 605(b) that the Final Rule will not have 
a significant economic impact on a substantial number of small 
entities.

B. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (``PRA'') \24\ imposes certain 
requirements on Federal agencies, including the Commission, in 
connection with their conducting or sponsoring any collection of 
information, as defined by the PRA. The Commission may not conduct or 
sponsor, and a person is not required to respond to, a collection of 
information unless it displays a currently valid Office of Management 
and Budget (``OMB'') control number.
---------------------------------------------------------------------------

    \24\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    As discussed in the Proposal, the Commission believes that the 
Final Rule will not impose any new recordkeeping or information 
collection requirements, or other collections of information that 
require approval of OMB under the PRA. However, by providing the 
exception to the requirement to provide annual privacy notices to 
customers discussed above, the Final Rule modifies a collection of 
information for which the Commission has previously received a control 
number from OMB. The title for this collection of information is 
``Privacy of Consumer Financial Information, OMB control number 3038-
0055''.\25\ Collection 3038-0055 is currently in force with its control 
number having been provided by OMB. Accordingly, the Commission 
submitted to OMB revisions to OMB control number 3038-0055 to reflect 
the addition of this exception and the resulting reduction of burden. 
In particular, the Commission estimated that the availability of the 
exception in Commission regulation 160.5(d) will reduce the current 
number of annual privacy notices by approximately 30%. Accordingly, in 
accordance with its previous estimates, the Commission estimated that 
the Final Rule will reduce the total number of responses by 113,620 
responses annually and reduce the time burden by approximately 1,136 
hours annually. The Commission believes that the one-time cost of 
adopting the annual privacy notice exception for Covered Persons that 
adopt it is de minimis.
---------------------------------------------------------------------------

    \25\ See OMB Control No. 3038-0055, http://www.reginfo.gov/public/do/PRAOMBHistory?ombControlNumber=3038-0055# (last visited 
Nov. 30, 2018).
---------------------------------------------------------------------------

    Information Collection Comments. In the Proposal, the Commission 
invited the public and other Federal agencies to comment on any aspect 
of the information collection requirements discussed therein. The 
Commission did not receive any such comments.

C. Cost-Benefit Considerations

    Section 15(a) of the CEA requires the Commission to consider the 
costs and benefits of its actions before promulgating a regulation 
under the CEA. Section 15(a) further specifies that the costs and 
benefits shall be evaluated in light of the following five broad areas 
of market and public concern: (1) Protection of market participants and 
the public; (2) efficiency, competitiveness, and financial integrity of 
futures markets; (3) price discovery; (4) sound risk management 
practices; and (5) other public interest considerations. The Commission 
considers the costs and benefits resulting from its discretionary 
determinations with respect to the section 15(a) considerations.
    As discussed above, the Commission is implementing the FAST Act's 
amendments to the GLB Act by amending Sec.  160.5 to incorporate an 
exception to a Covered Person's obligation to provide an annual privacy 
notice under certain specified circumstances, consistent with section 
503(f) of the GLB Act, and address when a Covered Person that has 
relied on and no longer meets the requirements of that exception must 
next provide an annual privacy notice.
    Below, the Commission discusses the costs and benefits of the Final 
Rule.\26\ The baseline against which the costs and benefits are 
considered is the current status quo for Covered Persons with respect 
to their obligation to provide annual privacy notices. The Commission 
recognizes that there are inherent costs and benefits to Covered 
Persons and their customers associated with providing an exception to 
the annual privacy notice requirement, which Congress took into account 
in amending the GLB Act under the FAST Act. The Commission further 
recognizes that there are costs and benefits due to discretionary 
actions taken by the Commission in implementing the exception. In 
formulating the Final Rule, the Commission was mindful of the policy 
goals that drove Congress to create this exception and endeavored not 
to impose unnecessary burdens on Covered Persons in determining when a 
Covered Person next needs to provide an annual privacy notice after 
loss of the exception.\27\
---------------------------------------------------------------------------

    \26\ The Commission endeavors to assess the expected costs and 
benefits of the Final Rule in quantitative terms where possible. 
Where estimation or quantification is not feasible, the Commission 
provides its discussion in qualitative terms. Given a general lack 
of relevant data, the Commission's assessment is generally provided 
in qualitative terms.
    \27\ The Commission notes that the consideration of costs and 
benefits below is based on the understanding that the markets 
function internationally, with many transactions involving United 
States firms taking place across international boundaries; with some 
commission registrants being organized outside of the United States; 
with some leading industry members typically conducting operations 
both within and outside the United States; and with industry members 
commonly following substantially similar business practices wherever 
located. Where the Commission does not specifically refer to matters 
of location, the discussion of costs and benefits below refers to 
the effects of this proposal on all activity subject to the proposed 
and amended regulations, whether by virtue of the activity's 
physical location in the United States or by virtue of the 
activity's connection with or effect on United States commerce under 
CEA section 2(i). In particular, the Commission notes that some 
Covered Persons are located outside of the United States.

---------------------------------------------------------------------------

    The Commission anticipates that some Covered Persons may avail 
themselves of the exception in the Final Rule and not provide annual 
privacy notices. The Final Rule benefits these Covered Persons that are 
opting out of providing annual privacy notices by reducing their costs 
associated with sending such notices. Further, because no Covered 
Person is required to avail themselves of the exception in the Final 
Rule, as discussed above, the Commission believes that it is reasonable 
to conclude that only those Covered Persons that expect a net benefit 
from the Final Rule will stop providing annual privacy notices under 
the proposed exception.
    The Commission recognizes that, as a result of the Final Rule, 
certain customers of Covered Persons may no longer receive privacy 
notices annually and therefore will not be made aware of the Covered 
Persons' policies and procedures as frequently. However, the scope of 
the exception is tailored such that customers of Covered Persons could 
only not receive an annual privacy notice to the extent that the 
Covered Person: (1) Provides nonpublic personal information to 
nonaffiliated third parties only in accordance with the provisions of 
Sec. Sec.  160.13, 160.14, 160.15 and any other exceptions adopted by 
the Commission pursuant to section 504(b) of the GLB Act; and (2) has 
not changed its policies and practices with regard to disclosing 
nonpublic personal information from the policies and practices that 
were disclosed to the customer under Sec.  160.6(a)(2) through (5) and 
Sec.  160.6(a)(9) in the most recent privacy notice provided to such 
customer pursuant to part 160 of the Commission's regulations. Thus, 
the Final Rule may reduce confusion among customers by providing them 
with disclosures when they would be most relevant, i.e., when 
disclosure policies change after the customer relationship begins and 
to the extent an institution shares sensitive personal information with 
third parties for marketing purposes.
    In determining when to require the resumption of annual privacy 
notices following the loss of the exception in the Final Rule, the 
Commission endeavored to make its requirements consistent with existing 
timing requirements for privacy notices under current regulations, as 
discussed above, and to provide clarity to Covered Persons.\28\ 
Specifically, in requiring the resumption of annual privacy notices 
within 100 days of the loss of the exception where a revised privacy 
notice is not required under Sec.  160.8, the Commission has tried not 
to impose unnecessary burdens on Covered Persons while taking into 
account the potential impact on a Covered Person's customers of not 
receiving such notices in a timely manner. The Commission considered 
different requirements for the resumption of annual privacy notices in 
these circumstances (e.g., requiring a notice before the change in the 
policy or practice causing the loss of the availability of the 
exception or immediately following such change, or within 60 or 90 days 
of such change). The Commission is providing the 100-day period because 
it believes the Final Rule to be consistent with the revisions of the 
GLB Act in the FAST Act and current regulations while allowing Covered 
Persons some flexibility in resuming annual privacy notices. This 
flexibility allows, for example, these notices to be included with 
quarterly statements to reduce any costs from resuming providing such 
notices. In providing timing requirements for the resumption of annual 
privacy notices where a revised notice is required under Sec.  160.8, 
the Commission is clarifying the effect of such a revised notice on the 
requirement that a Covered Person provide an annual privacy notice and 
on the eligibility for the exception to this requirement. Specifically, 
the Commission is clarifying that a Covered Person must provide the 
notice currently required by Sec.  160.8 and treat such notice as an 
initial privacy notice.
---------------------------------------------------------------------------

    \28\ In addition, as discussed above, the Commission notes that 
a Covered Person's obligation to resume providing annual privacy 
notices may be effectively a one-time burden absent additional 
changes to their policies and practices.
---------------------------------------------------------------------------

    Section 15(a) Considerations. In light of the foregoing, the CFTC 
has evaluated the costs and benefits of the Final Rule pursuant to the 
five considerations identified in section 15(a) of the CEA as follows:
(1) Protection of Market Participants and the Public
    The requirements of Sec.  160.5 protect market participants by 
ensuring that customers of Covered Persons are informed about such 
Covered Persons' practices and policies with respect to nonpublic 
personal information and certain other information described in Sec.  
160.6. As discussed above, the Commission recognizes that, as a result 
of the Final Rule, some customers of Covered Persons may no longer 
receive privacy notices annually and therefore will not be made aware 
of the Covered Persons' policies and procedures as frequently. However, 
the scope of the exception is tailored such that customers of Covered 
Persons could only not receive an annual privacy notice to the extent 
that the Covered Person: (1) Provides nonpublic personal information to 
nonaffiliated third parties only in accordance with the provisions of 
Sec. Sec.  160.13, 160.14, 160.15 and any other exceptions adopted by 
the Commission pursuant to section 504(b) of the GLB Act; and (2) has 
not changed its policies and practices with regard to disclosing 
nonpublic personal information from the policies and practices that 
were disclosed to the customer under Sec.  160.6(a)(2) through (5) and 
Sec.  160.6(a)(9) in the most recent privacy notice provided to such 
customer pursuant to part 160 of the Commission's regulations. Further, 
as discussed above, the Final Rule may reduce confusion among customers 
by providing them with disclosures when they would be most relevant. In 
addition, the Commission believes that the requirements for the 
resumption of annual privacy notices following the loss of the 
exception in the Final Rule will allow customers of Covered Persons to 
receive annual privacy notices in a timely manner while not causing 
Covered Persons to incur any additional costs.
(2) Efficiency, Competitiveness, and Financial Integrity of Markets
    The Commission believes that the Final Rule may improve competition 
by reducing costs for Covered Persons that meet the requirements of the 
exception in Sec.  160.5(d) to not deliver an annual privacy notice and 
elect to not deliver such notices. Specifically, the Commission expects 
that the Final Rule will likely result in fewer substantially similar 
annual privacy notices being delivered, which will reduce costs 
associated with producing and delivering such privacy notices. Further, 
to the extent that a Covered Person is no longer able to take advantage 
of the exception to providing annual privacy notices and is required to 
resume providing them, the Commission believes that a Covered Person 
will not incur any additional costs in doing so, as the Covered Person 
would simply need to resume sending annual privacy notices as currently 
required.

(3) Price Discovery
    The Commission has not identified an impact on price discovery as a 
result of the Final Rule.
(4) Sound Risk Management
    The Commission has not identified an impact on sound risk 
management as a result of the Final Rule.
(5) Other Public Interest Considerations
    The Commission has not identified an impact on other public 
interest considerations as a result of the Final Rule.
    Comments on Cost-Benefit Considerations. The Commission invited 
public comment on its cost-benefit considerations in the Proposal, 
including the Section 15(a) factors described above. The Commission 
received no such comments.

D. Antitrust Considerations

    Section 15(b) of the CEA requires the Commission to take into 
consideration the public interest to be protected by the antitrust laws 
and endeavor to take the least anticompetitive means of achieving the 
purposes of the CEA, in issuing any order or adopting any Commission 
rule or regulation (including any exemption under section 4(c) or 
4c(b)), or in requiring or approving any bylaw, rule, or regulation of 
a contract market or registered futures association established 
pursuant to section 17 of the CEA.\29\ The Commission believes that the 
public interest to be protected by the antitrust laws is generally to 
protect competition. The Commission requested and did not receive any 
comments on whether the Proposal implicated any other specific public 
interest to be protected by the antitrust laws.
---------------------------------------------------------------------------

    \29\ 7 U.S.C. 19(b).
---------------------------------------------------------------------------

    The Commission has considered this Final Rule to determine whether 
it is anticompetitive and has preliminarily identified no 
anticompetitive effects. The Commission requested and did not receive 
any comments on whether the Proposal was anticompetitive and, if it is, 
what the anticompetitive effects are.
    Because the Commission has preliminarily determined that this Final 
Rule is not anticompetitive and has no anticompetitive effects and 
received no comments on its determination, the Commission has not 
identified any less anticompetitive means of achieving the purposes of 
the CEA.

List of Subjects in 17 CFR Part 160

    Brokers, Consumer protection, Privacy, Reporting and recordkeeping 
requirements.

    For the reasons stated in the preamble, the Commodity Futures 
Trading Commission amends 17 CFR chapter I as follows:

PART 160--PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V 
OF THE GRAMM-LEACH-BLILEY ACT

1. The authority citation for part 160 continues to read as follows:

    Authority: 7 U.S.C. 7b-2 and 12a(5); 15 U.S.C. 6801, et seq., and 
sec. 1093, Pub. L. 111-203, 124 Stat. 1376.


2. In Sec.  160.5, revise the first sentence of paragraph (a)(1) and 
add paragraph (d) to read as follows:


Sec.  160.5  Annual privacy notice to customers required.

    (a)(1) * * * Except as provided by paragraph (d) of this section, 
you must provide a clear and conspicuous notice to customers that 
accurately reflects your privacy policies and practices not less than 
annually during the life of the customer relationship. * * *
* * * * *
    (d) Exception to annual privacy notice requirement. (1) You are not 
required to deliver an annual privacy notice if you:
    (i) Provide nonpublic personal information to nonaffiliated third 
parties only in accordance with the provisions of Sec. Sec.  160.13, 
160.14, and 160.15 and any other exceptions adopted by the Commission 
pursuant to section 504(b) of the GLB Act; and
    (ii) Have not changed your policies and practices with regard to 
disclosing nonpublic personal information from the policies and 
practices that were disclosed to the customer under Sec.  160.6(a)(2) 
through (5) and Sec.  160.6(a)(9) in the most recent privacy notice 
sent to the customer pursuant to this part.
    (2) Delivery of annual privacy notice after you no longer meet 
requirements for exception. If you have been excepted from delivering 
an annual privacy notice pursuant to paragraph (d)(1) of this section 
and change your policies or practices in such a way that you no longer 
meet the requirements for that exception, you must comply with 
paragraph (d)(2)(i) or (ii) of this section, as applicable.
    (i) Changes preceded by a revised privacy notice. If you no longer 
meet the requirements of paragraph (d)(1) of this section because you 
change your policies or practices in such a way that Sec.  160.8 of 
this part requires you to provide a revised privacy notice, you must 
provide an annual privacy notice in accordance with the timing 
requirements in paragraph (a) of this section, treating the revised 
privacy notice as an initial privacy notice.
    (ii) Changes not preceded by a revised privacy notice. If you no 
longer meet the requirements of paragraph (d)(1) of this section 
because you change your policies or practices in such a way that Sec.  
160.8 of this part does not require you to provide a revised privacy 
notice, you must provide an annual privacy notice within 100 days of 
the change in your policies or practices that causes you to no longer 
meet the requirements of paragraph (d)(1) of this section.

    Issued in Washington, DC, on April 19, 2019, by the Commission.
Robert Sidman,
Deputy Secretary of the Commission.

Appendix to Privacy of Consumer Financial Information--Amendment To 
Conform Regulations to the Fixing America's Surface Transportation 
Act--Commission Voting Summary

    On this matter, Chairman Giancarlo and Commissioners Quintenz, 
Behnam, Stump, and Berkovitz voted in the affirmative. No 
Commissioner voted in the negative.

[FR Doc. 2019-08253 Filed 4-24-19; 8:45 am]