Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act, 70020-70027 [2021-25735]

Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations

FEDERAL TRADE COMMISSION

16 CFR Part 313

RIN 3084–AB42

Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act

AGENCY: Federal Trade Commission.

ACTION: Final rule.

SUMMARY: The Federal Trade Commission is amending its Privacy Rule to revise the rule’s scope, to modify the rule’s definitions of “financial institution” and “Federal functional regulator,” and to update the rule’s annual customer privacy notice requirement. The amendments also remove certain examples in the rule that apply to financial institutions that now fall outside its scope. This action is necessary to conform the rule to the current requirements of the Gramm-Leach-Bliley Act (“GLBA”), as amended by the Dodd-Frank and FAST Acts, and the Commission’s revisions to the Safeguards Rule, which are being announced simultaneously through a separate document published elsewhere in this issue of the Federal Register.

DATES: The amendments are effective January 10, 2022.

FOR FURTHER INFORMATION CONTACT: David Lincicum (202–326–2773), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Background

A. The Statute and Regulation

The GLBA was enacted in 1999.[1] The GLBA, among other things, requires that financial institutions provide their customers with initial and annual notices regarding their privacy practices, and allow their customers to opt out of sharing their information with certain nonaffiliated third parties. Rulemaking authority to implement the GLBA’s privacy provisions was initially spread among multiple agencies. The Federal Reserve Board (“the Fed”), the Office of Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of Thrift Supervision (“OTS”) jointly adopted final rules to implement the notice and opt-out requirements of the GLBA in 2000.[2] The Commission, the National Credit Union Administration (“NCUA”), the Securities and Exchange Commission (“SEC”), and the Commodity Futures Trading Commission (“CFTC”) were part of the same interagency process, but each issued their rules separately.[3] In 2009, all those agencies jointly adopted a model form financial institutions could use to provide the required initial and annual privacy disclosures.[4]

As originally promulgated, the FTC’s Privacy Rule covered a broad range of non-bank financial institutions such as payday lenders, mortgage brokers, check cashers, debt collectors, real estate appraisers, certain motor vehicle dealers, and remittance transfer providers. In 2010, the Dodd-Frank Act[5] transferred the majority of GLBA’s privacy rulemaking authority from the Fed, NCUA, OCC, OTS, FDIC, and the Commission (in part) to the Consumer Financial Protection Bureau (“CFPB”).

[1] Public Law 106–102, 113 Stat. 1338 (1999).
[2] Joint Final Rule, 65 FR 35162 (June 1, 2000) available at https://www.federalregister.gov/documents/2001/04/27/01-10398/privacy-of-consumer-financial-information.
[3] FTC Final Privacy Rule, 65 FR 33645 (May 24, 2000) available at https://www.federalregister.gov/documents/2000/05/24/00-12755/privacy-of-consumer-financial-information; NCUA Final Privacy Rule, 65 FR 31722 (May 18, 2000) available at https://www.federalregister.gov/documents/2000/05/18/00-12014/privacy-of-consumer-financial-information-requirements-for-insurance; SEC Final Privacy Rule, 65 FR 40333 (June 29, 2000) available at https://www.federalregister.gov/documents/2000/06/29/00-16269/privacy-of-consumer-financial-information-regulation-s-p; CFTC Final Privacy Rule, 66 FR 21235 (Apr. 27, 2001) available at https://www.federalregister.gov/documents/2001/04/27/01-10398/privacy-of-consumer-financial-information.
[4] Joint Model Form, 74 FR 62889 (Dec. 1, 2009) available at https://www.federalregister.gov/documents/2009/12/01/E9-27882/final-model-privacy-form-under-the-gramm-leach-bliley-act; see also 16 CFR 313.2, 16 CFR 313.4 through 313.9.

The CFPB then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011 (“Regulation P”).[6] However, under section 1029 of the Dodd-Frank Act, the Commission retained rulemaking authority for certain motor vehicle dealers.[7] Thus, in 2012, the Commission announced it was retaining the implementing regulations governing privacy notices for motor vehicle dealers at 16 CFR part 313.[8] Despite the transfer of general rulemaking authority for the Privacy Rule to the CFPB, the Commission and other agencies retain their existing enforcement authority under the GLBA.[9] In addition, the SEC and CFTC retain rulemaking authority with respect to securities and futures-related companies, respectively.[10] Accordingly, as part of this rulemaking process, the Commission has consulted and coordinated, or offered to consult, with those agencies that have rulemaking and/or enforcement authority under the GLBA, including the CFPB, SEC, CFTC, and the National Association of Insurance Commissioners (“NAIC”).[11]

On December 4, 2015, Congress amended the GLBA as part of the FAST Act. This amendment, titled Eliminate Privacy Notice Confusion,[12] added GLBA subsection 503(f). This subsection provides an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers.

B. The Privacy Notice Requirements

As noted, the current Privacy Rule, as modified after Congress enacted the Dodd-Frank Act, requires motor vehicle dealers provide consumers with notices describing their privacy policies. Specifically, it requires covered entities to provide an initial notice of these policies,[13] and then “provide a clear and conspicuous notice to customers that accurately reflects [their] privacy policies and practices not less than annually during the continuation of the customer relationship.”[14] The rule requires that initial and annual notices inform customers of their right to opt out of the sharing of nonpublic personal information with some types of nonaffiliated third parties.[15] For example, a customer has the right to opt out of allowing a motor vehicle dealer to sell her name and address to a nonaffiliated auto insurance company.[16] On the other hand, a motor vehicle dealer is not required to allow consumers to opt out of the dealer’s sharing involving third-party service providers, joint marketing arrangements, maintenance and servicing of accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other specified activities.[17] Accordingly, if a motor vehicle dealer limits its sharing to uses that do not trigger opt-out rights, it may provide an annual privacy notice to its customers that does not include information regarding opt-out rights.

Motor vehicle dealers also may include in the annual privacy notice information about certain consumer opt-out rights related to affiliate sharing under the Fair Credit Reporting Act (“FCRA”). First, section 603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer’s information among affiliates, but only if the consumer is notified of such sharing and is given an opportunity to opt out.[18] Section 503(c)(4) of the GLBA and the Privacy Rule generally require motor vehicle dealers to incorporate any notifications and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA into their initial and annual privacy notices.[19]

In addition, section 624 of the FCRA and the FTC’s Affiliate Marketing Rule[20] provide that an affiliate of a motor vehicle dealer that receives certain information about a consumer from the dealer may not use that information for marketing purposes, unless the consumer is provided with an opportunity to opt out of that use.[21] This requirement governs the use of information by an affiliate, not the sharing of information among affiliates, and thus is distinct from the affiliate sharing opt-out discussed above.

[5] Public Law 111–203, 124 Stat. 1376 (2010).
[6] Interim Final Rule for Regulation P, 76 FR 79025 (Dec. 21, 2011) available at https://www.federalregister.gov/documents/2011/12/21/2011-31729/privacy-of-consumer-financial-information-regulation-p.
[7] 12 U.S.C. 5519. The FTC retained rulemaking jurisdiction as to motor vehicle dealers that are predominantly engaged in the sale and servicing or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. For ease of reference, covered motor vehicle dealers are referenced herein as “motor vehicle dealers.”
[8] Rescission of Rules, 77 FR 22200, 22201 (Apr. 13, 2012) available at https://www.federalregister.gov/documents/2012/04/13/2012-8748/rescission-of-rules (also rescinding those regulations for which rulemaking authority was transferred to the CFPB under the Dodd-Frank Act).
[9] 15 U.S.C. 6805(a).
[10] 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b).
[11] See 15 U.S.C. 6804(a)(2).
[12] Section 75001, Public Law 114–94, 129 Stat. 1312, 1787 (2015).
[13] 15 U.S.C. 6803; 16 CFR 313.4.
[14] 15 U.S.C. 6803; 16 CFR 313.5(a)(1).
[15] 15 U.S.C. 6802; 16 CFR 313.6(a)(6).
[16] 16 CFR 313.10(a).
[17] 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13–313.15.
[18] 15 U.S.C. 1681a(d)(2)(A)(iii).
[19] 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).

The Affiliate Marketing Rule permits (but does not require) motor vehicle dealers to incorporate any opt-out disclosures provided under section 624 of the FCRA and the Affiliate Marketing Rule into the initial and annual privacy notices required by the GLBA.[22] Finally, § 313.6(a)(8) of the Privacy Rule requires the initial and annual notices briefly describe how motor vehicle dealers protect the nonpublic personal information they collect and maintain.[23]

II. Revision of the Privacy Rule

On April 4, 2019, the Commission issued a notice of proposed rulemaking[24] setting forth amendments to the Privacy Rule (the “Proposed Amendments”) proposing three types of changes to the Privacy Rule: (1) Technical changes to the rule to correspond to the reduced scope of the rule due to Dodd-Frank Act changes, which primarily consist of removing references that do not apply to motor vehicle dealers; (2) modifications to the annual privacy notice requirements to reflect the changes made to the GLBA by the FAST Act; and (3) a modification to the scope and definition of “financial institution” to include entities engaged in activities incidental to financial activities, which would bring the rule into accord with the CFPB’s Regulation P. The Commission received four comments related to the proposed amendments, to which it responds below.[25]

A. Technical Changes To Correspond to Statutory Changes Resulting From the Dodd-Frank Act

(1) Section 313.1(b)

The proposed amendment to § 313.1(b) narrowed the description of the scope of the Privacy Rule to those entities set forth in the Dodd-Frank Act:[26] Those predominantly engaged in the sale and servicing of motor vehicles or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. It also removed the reference in the rule’s scope to “other persons,” because the Commission no longer has rulemaking authority for the Privacy Rule over “other persons.” Finally, the Proposed Amendments eliminated from § 313.1(b) the note indicating (1) the Privacy Rule does not modify, limit, or supersede the standards under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and (2) if a financial institution that is an institution of higher education is in compliance with the Federal Educational Rights and Privacy Act (“FERPA”) and its implementing regulations, such institution shall be deemed in compliance with the Privacy Rule.

The Commission received two comments on these proposed changes. One commenter asked why the rule would not cover dealers that directly extend credit to consumers.[27] In response, the Commission notes the Dodd-Frank Act excludes these dealers from the Commission’s rulemaking authority under the GLBA. The Commission continues to have enforcement authority over these dealers under Regulation P. Another commenter, the National Association of Automobile Dealers (“NADA”), supported eliminating the references to HIPAA and FERPA, agreeing that these provisions would not apply to automobile dealers.[28] Given that it received no other substantive comments, the Commission adopts the changes as proposed.

[20] 16 CFR 680.1–680.28.
[21] 15 U.S.C. 1681s-3. The FTC’s Affiliate Marketing Rule applies to motor vehicle dealers. See 77 FR 22201. The FTC also enforces the CFPB’s Regulation V’s Affiliate Marketing Rule, 12 CFR part 1022, subpart C, for other entities over which the FTC has enforcement authority under the FCRA.
[22] 16 CFR 680.23(b).
[23] 16 CFR 313.6(a)(8).
[24] On June 24, 2015, the Commission published a notice of proposed rulemaking (“2015 NPRM”) proposing revisions to the Privacy Rule. NPRM, 80 FR 36267 (June 24, 2015) available at https://www.federalregister.gov/documents/2015/06/24/2015-14328/amendment-to-the-privacy-of-consumer-financial-information-rule-under-the-gramm-leach-bliley-act. First, the Commission proposed a number of changes to comport with the Dodd-Frank Act revision of GLBA, which transferred rulemaking authority for most financial institutions to the CFPB. The Commission also proposed amending the rule to allow motor vehicle dealers to notify their customers that a privacy notice is available online, under circumstances identical to those that had been adopted by the CFPB. Final Rule, 79 FR 64057 (Oct. 28, 2014) available at https://www.federalregister.gov/documents/2014/10/28/2014-25299/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p. The passage of the FAST Act rendered the Commission’s proposed changes to the Privacy Rule moot because those changes, if adopted, would have been in conflict with the revised statute.
[25] The Commission also received three comments that related to the Safeguards Rule (16 CFR part 314). Those comments are addressed in the final Safeguards Rule published elsewhere in this issue of the Federal Register.
[26] 12 U.S.C. 5519.
[27] Yuxiang Hao (comment 4).

(2) Section 313.3

To help companies understand whether and how the rule applies to them, the current rule includes examples of financial institutions in § 313.3(k)(2), examples of consumers in § 313.3(e)(2), examples of what would constitute establishing a customer relationship in § 313.3(i)(2)(i), and examples of what is not a customer relationship in § 313.2(i)(2)(ii). The Proposed Amendments to § 313.3 removed examples not likely to apply in the context of motor vehicle dealers. NADA was the only commenter who opined on this issue. It agreed the examples proposed for removal do not apply to motor vehicle dealers and supported their deletion. Accordingly, the final rule deletes these examples as proposed.

NADA advocated for removal or modification of additional terms or examples that it asserted would not apply in the motor vehicle context. The Commission declines to make the changes suggested by NADA, for the reasons described below.

a. Loans

NADA argued the examples in the final rule should not include the word “loans” because motor vehicle dealers “do not generally issue ‘loans,’” but instead provide financing assistance or enter into retail installment sale contracts or leases. NADA suggested the term “loan” be replaced with “financing,” or “finance or lease contract.”[29] The Commission declines to modify existing examples in this manner. It believes the Privacy Rule should be substantively identical to Regulation P so financial institutions within the Commission’s enforcement authority are subject to the same requirements, regardless of whether they are subject to Regulation P or the Privacy Rule. Although the Commission recognizes some examples it has retained may not apply well to the motor vehicle context,[30] changing the language of an example, as opposed to completely removing it, could be read as a change to the substance of the rule. Accordingly, the Commission declines to change an existing term in the final rule.[31]

b. Examples of Continuing Relationships

NADA suggested removing the term “investment accounts” from the example of a continuing relationship § 313.3(i)(2)(i)(A), as such accounts are not offered by motor vehicle dealers. As discussed above, however, the Commission declines to modify existing examples and does not adopt this change in the final rule.

NADA also took issue with § 313.3(i)(2)(i)(D), which states a consumer has a continuing relationship with a financial institution when the consumer enters into an “agreement or understanding” with the financial institution in which the financial institution undertakes “to arrange credit to purchase a vehicle for the consumer.” NADA noted when motor vehicle dealers arrange credit for a consumer, they then assign that agreement to a third party and do not continue the relationship with the consumer. Although motor vehicle dealers may transfer the credit agreement to another financial institution, a continuing relationship is formed by the agreement and persists for as long as the motor vehicle dealer retains the agreement. The continuing relationship between the motor vehicle dealer and the consumer will end upon the transfer of the agreement, but until that transfer occurs, the consumer is the motor vehicle dealer’s customer for purposes of the Privacy Rule. Accordingly, the Commission declines to remove this example from the final rule.

[28] National Automobile Dealers Association (comment 9), at 3–4.
[29] NADA (comment 9), at 4.
[30] The Commission notes that while the term “loan” may not be applicable to all motor vehicle dealers’ transactions with their customers, most extensions of credit or the arranging of credit will play the same role as loans for purposes of this amendment, and dealers may generally apply these examples accordingly.

NADA also argued the term “understanding” in paragraph (i)(2)(i)(D) is confusing because it is not clear what an “understanding” would mean in this context, and motor vehicle dealers do not enter into informal relationships to arrange credit for consumers. The Commission believes, however, while informal understandings may be unusual for motor vehicle dealers, it is possible some dealers may engage in such practices and the example should continue to make clear that such arrangements create continuing relationships. In addition, as discussed above, the Commission declines to change the language of examples retained in the final rule.

c. Examples of No Continuing Relationships

NADA argued the example in § 313.3(i)(2)(ii)(A) does not apply to motor vehicle dealers. This example states no continuing relationship is created when a “consumer obtains a financial product or service from [the financial institution] only in isolated transactions, such as cashing a check with [the financial institution] or making a wire transfer through” the financial institution.

[31] The Proposed Amendments did modify existing examples in two instances. In §§ 313.3(i)(2)(i)(A) and 313.5(b)(2)(ii), references to mortgage loans were removed. Although the Commission continues to believe that mortgage loans are unlikely to be involved in the motor vehicle dealer context, as discussed above, the Commission recognizes that there is value in maintaining consistency with Regulation P, and that particular examples provided may not be applicable to every type of financial institution’s activities. Accordingly, the final rule retains the references to mortgage loans in these provisions.

NADA argued motor vehicle dealers generally do not engage in these activities, and while “it is theoretically possible that a dealer somewhere may offer, under unique circumstances, to cash a check for a customer, [NADA] is not aware of that service being offered by dealers and the possibility is attenuated at best.”[32] The Commission does not agree that this example should be removed. Although check cashing and wire transfer transactions may be unlikely at motor vehicle dealerships, these are helpful examples of the types of isolated transactions that do not create an ongoing relationship and, even for motor vehicle dealers that do not engage in these particular activities, they illustrate the principle well. The final rule retains this example.

NADA also questioned the inclusion of § 313.3(i)(2)(ii)(C), which states a continuing relationship is not created when a “consumer obtains one-time personal appraisal services from” the financial institution. NADA asked whether this would apply when a motor vehicle dealer appraises a consumer’s used vehicle for trade-in value. The Commission believes that is precisely the type of appraisal suggested by the example. NADA also questioned how “such appraisal activity by a dealer could, as an initial matter be deemed to create a Customer relationship.”[33] The Commission believes, however, negative examples are useful to clarify the definition and, therefore, the final rule retains this example.

B. Modifications to the Annual Privacy Notice To Reflect Statutory Changes Resulting From the FAST Act

The Commission also proposed changing the Privacy Rule provisions governing how motor vehicle dealers should deliver annual privacy notices.

[32] NADA (comment 9), at 5.
[33] NADA (comment 9), at 5.

Section 313.5(e)

The proposed change to § 313.5(a)(1) added a statement that § 313.5(e) provides an exception to the general rule requiring the delivery of annual notices. Section 313.5(e) in turn sets forth the exception, which was taken from the FAST Act, and adopted by the CFPB in its amendments to Regulation P.[34] It stated the annual notice need not be provided if (1) the financial institution has shared nonpublic personal information only in accordance with the provisions of §§ 313.13, 313.14, and 313.15, none of which require an opt-out opportunity be provided to customers; and (2) the financial institution’s disclosure policies and practices remain unchanged from the most recent privacy notice. Proposed § 313.5(e)(2) set forth the timing for resuming delivery of the annual notice if a financial institution no longer met requirements for the exception. The Commission received no comments on the substance of this paragraph and adopts it without modification.[35]

C. Modifications to Scope and Definitions To Bring the Rule Into Accord With Regulation P

The Proposed Amendments changed the scope of the Privacy Rule and its definition of a “financial institution” in order to bring the Commission’s rule into accord with Regulation P. As explained in the NPRM, when first promulgating the Privacy Rule, the Commission determined companies engaged in activities “incidental to financial activities” would not be considered “financial institutions.”[36] The Commission was the only agency to adopt this restrictive definition in its Privacy Rule, while the other agencies included incidental activities. In addition, the Commission decided activities determined to be financial in nature after the enactment of the GLBA would not be automatically included in its Privacy Rule; rather, the Commission would have to take additional action to include them.[37] The effect of these two decisions was to limit the activities covered by the Commission’s rules to those set out in 12 CFR 225.28 as it existed in 1999, and to exclude any activities later determined by the Fed to be financial activities or incidental to those activities.[38]

The Commission proposed modifying the definition of “financial institution” to harmonize the Privacy Rule with other agencies’ rules. The Commission proposed to amend § 313.1(b) to include companies that engage in activities financial in nature or incidental to such financial activities in the scope of the rule. Likewise, it proposed amending the definition of “financial institution” in § 313.3(k), to include any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities.

[34] See Final Rule, 83 FR 40945 (August 17, 2018) available at https://www.federalregister.gov/documents/2018/08/17/2018-17572/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p.
[35] As discussed above, NADA argued that the word “loan” should be replaced with “retail installment sale contract.” As discussed above, the Commission wishes the remaining examples in the final rule to be identical to those found in Regulation P and declines to make these changes. In addition, the National Independent Automobile Dealers Association noted that most dealers will not be required to provide annual notices because of their lack of ongoing relationships with their consumers, but supported the amendments in general.
[36] See 16 CFR 313.3(k); see also 65 FR 33654.

The effect of this proposed amendment would be to cause “finders” to be included in this definition, thereby bringing the Privacy Rule into harmony with the scope of entities covered by other agencies under Regulation P.

The Commission received only two comments that addressed this proposed change in the Privacy Rule.[39] NADA asked whether the proposed rule would apply to finders acting for a motor vehicle dealer.[40] As discussed above, the Commission’s Privacy Rule applies only to motor vehicle dealers and so would apply only to finders that are also motor vehicle dealers. If a finder is not itself a motor vehicle dealer then the rule does not apply, even if the finder is acting to connect motor vehicle dealers with potential customers. Given that this scenario is unlikely, modifying the definition of “financial institution” for purposes of the Privacy Rule has little practical effect. Nevertheless, the Commission is modifying the definition for purposes of consistency with Regulation P and the Safeguards Rule.

An individual consumer asked how often an entity must engage in an incidental activity to be considered a financial institution.[41] As with other financial activities under the existing rule, an entity is a financial institution only if it is “significantly engaged” in the incidental activities. The Commission adopts the proposed amendment without change.

Section 313.15(a)(4)

Finally, the Commission proposed to amend § 313.15(a)(4) to add the CFPB to the list of law enforcement agencies to which financial institutions are permitted to share information to the extent permitted by law.

[37] 65 FR 33654 n.23.
[38] Id.
[39] Several other entities commented on the expansion of the definition of a “financial institution” in the Safeguards Rule. These comments are addressed in the discussion of the final Safeguards Rule, published elsewhere in this issue of the Federal Register.
[40] NADA (comment 9), at 7–8.

The Commission received no comments on this change and adopts it as proposed.

Section 313.18

Section 313.18 set forth the effective date for the rule and prescribed requirements for institutions’ compliance with the rule as to customers who were already customers at the time the rule was first promulgated. The relevant dates have long since passed. Section 313.18(a)(2) also provided an exception, stating this “part is not effective as to any institution that is significantly engaged in activities that the Federal Reserve Board determines, after November 12, 1999 . . . are activities that a financial holding company may engage in, until the Commission so determines.” As discussed above, the Commission has determined herein that this rule applies to financial institutions that engage in activities financial in nature or incidental to such financial activities, including entities significantly engaged in activities the Federal Reserve Board has determined, after November 12, 1999, are activities a financial holding company may engage in. Accordingly, the final rule removes § 313.18 in its entirety.

III. Paperwork Reduction Act

Under the Paperwork Reduction Act of 1995 (“PRA”),[42] Federal agencies are generally required to seek Office of Management and Budget (“OMB”) approval for information collection requirements prior to implementation. Under the PRA, the Commission may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB.

This amendment modifies 16 CFR part 313. The collections of information related to the Privacy Rule and the FAST Act statutory exceptions to the rule’s annual notice requirement have been previously reviewed and approved by OMB in accordance with the PRA.[43] Under the existing clearance, the FTC has attributed to itself the estimated burden regarding all motor vehicle dealers and shares equally the remaining estimated PRA burden with the CFPB for other types of financial institutions for which both agencies have enforcement authority regarding the GLBA Privacy Rule.[44]

The amendments do not modify or add to information collection requirements previously approved by OMB. First, the Commission anticipates the expansion of the definition of “financial institution” to include entities engaged in activities incidental to financial activities will have little to no effect. It is not clear any finders that are also motor vehicle dealers are not already covered by the rule through their activities as motor vehicle dealers. Second, the removal of certain examples provided in the rule that are not applicable to motor vehicle dealers will have no impact on existing information collection requirements. Therefore, the Commission does not believe the amendments substantially or materially modify any “collections of information” as defined by the PRA. The Commission sought comment on whether there are any finders in existence that would be covered by the proposed rule and are not covered by the current rule. The Commission received no comments that suggested such entities exist.

IV. Regulatory Flexibility Act

The Regulatory Flexibility Act (“RFA”), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires an agency to either provide an Initial Regulatory Flexibility Analysis (“IRFA”) with a proposed rule, or certify that the proposed rule will not have a significant impact on a substantial number of small entities.[45] The Commission does not believe this amendment to the Privacy Rule has the threshold impact on small entities. First, most of the changes effectuate statutory changes from the Dodd-Frank Act and the FAST Act. Second, the Commission does not expect the amendment to impose costs on small motor vehicle dealers because the amendments are primarily for clarification purposes and should not result in any increased burden on any motor vehicle dealer. Thus, a small entity that complies with current law need not take any different or additional action under the final rule. Accordingly, the Commission believes the rule will not have a significant economic impact on small entities.

The final rule would add requirements only to motor vehicle dealers that function as finders and do not already engage in other financial activities that would cause them to be financial institutions under the rule. The Commission has not identified any such entities. Therefore, the Commission certifies the rule will not have a significant economic impact on a substantial number of small businesses.

In this document, the Commission adopts the amendments proposed in its NPRM with only minimal modifications.

[41] Qiyi Hu (comment 5).
[42] 44 U.S.C. 3501 et seq.
[43] The OMB Control Number is 3084–0121.
[44] PRA Notice, 82 FR 48081 (Oct. 16, 2017) available at https://www.federalregister.gov/documents/2017/10/16/2017-22334/agency-information-collection-activities-submission-for-omb-review-comment-request.
[45] 5 U.S.C. 603–605.

In its Initial Regulatory Flexibility Analysis (‘‘IRFA’’), the Commission determined the proposed rule would not have a significant impact on small entities because there were no small businesses that were being subjected to new burdens as a result of the amendments. Although the Commission certifies under the RFA that the rule will not have a significant impact on a substantial number of small entities, and hereby provides notice of that certification to the Small Business Administration, the Commission nonetheless has determined publishing a final regulatory flexibility analysis (‘‘FRFA’’) is appropriate to ensure the impact of the rule is fully addressed. Therefore, the Commission has prepared the following analysis: 1. Need for and Objectives of the Final Rule To address the Dodd-Frank Act and FAST Act changes the amendments change the Privacy Rule’s scope and definition of ‘‘financial institution’’; change the annual notice requirement; and remove certain examples provided in the rule that are not applicable to motor vehicle dealers. With this action, the Commission makes the current, narrow scope of the rule clearer. Additionally, the modification of the definition of ‘‘financial institution’’ to cover motor vehicle dealers engaged in ‘‘activities incidental to financial activities’’ harmonizes the Privacy Rule with other agencies’ rules. 2. Significant Issues Raised in Public Comments in Response to the IRFA The Commission did not receive any comments that addressed the burden on small entities. In addition, the Commission did not receive any PO 00000 Frm 00048 Fmt 4700 Sfmt 4700 comments filed by the Chief Counsel for Advocacy of the Small Business Administration (‘‘SBA’’). 3. 
Estimate of Number of Small Entities To Which the Final Rule Will Apply The Commission anticipates many covered motor vehicle dealers may qualify as small businesses according to the applicable SBA size standards.46 As explained in the IRFA, however, determining a precise estimate of the number of small entities—including newly covered entities under the modified definition of financial institution—is not readily feasible. No commenters addressed this issue. Nonetheless, as discussed above, these amendments will not add any additional burdens on any covered small businesses. 4. Projected Reporting, Recordkeeping, and Other Compliance Requirements The amendments do not impose any new or substantively revised ‘‘collections of information,’’ as defined by the PRA. 5. Description of Steps Taken To Minimize Significant Economic Impact, if Any, on Small Entities, Including Alternatives The Commission did not propose any specific small entity exemption or other significant alternatives because the amendment is not expected to increase reporting requirements and will not impose any new requirements or compliance costs. The Commission anticipates the amendments will reduce the burden for many covered entities associated with the Privacy Rule annual notice. The amendments retain the flexibility already present in the existing rule, which allows notices to be provided in a variety of ways, including electronically in some circumstances. As to the core requirements of the rule, they come from GLBA itself, as amended by the Dodd-Frank and the FAST Act. The statute prescribes the definition of financial institutions to be covered by the rule and sets forth the specific requirements, which the Commission cannot modify to ease burdens on small entities. Therefore, the Commission does not believe any 46 Table of Small Bus. Size Standards Matched to North American Indus. 
Classification System Codes, 13 CFR 121.201 (available at: https:// www.sba.gov/document/support--table-sizestandards), updated Aug. 19, 2019. For example, used car dealers are classified as NAICS 441120 and new car dealers as NAICS 441110. Under those standards, the SBA would classify as small businesses independent used car dealers having annual receipts of less than $27 million and new car dealers having fewer than 200 employees each. E:\FR\FM\09DER1.SGM 09DER1 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations alternatives for small entities are required or appropriate. V. Other Matters Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), the Office of Information and Regulatory Affairs designated this rule as not a ‘‘major rule,’’ as defined by 5 U.S.C. 804(2). List of Subjects in 16 CFR Part 313 Consumer protection, Credit, Data protection, Privacy, Trade practices. For the reasons stated above, the Federal Trade Commission amends 16 CFR part 313 as follows: PART 313—PRIVACY OF CONSUMER FINANCIAL INFORMATION 1. The authority citation for part 313 is revised to read as follows: ■ Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 5519. 2. Amend § 313.1 by revising paragraph (b) to read as follows: ■ § 313.1 Purpose and scope. khammond on DSKJM1Z7X2PROD with RULES * * * * * (b) Scope. This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to those ‘‘financial institutions’’ over which the Federal Trade Commission (‘‘Commission’’) has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. 
An entity is a ‘‘financial institution’’ if its business is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which incorporates activities enumerated by the Federal Reserve Board in 12 CFR 225.28 and 225.86. The ‘‘financial institutions’’ subject to the Commission’s rulemaking authority are any persons described in 12 U.S.C. 5519 that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. They are referred to in this part as ‘‘You.’’ Excluded from the coverage of this part are motor vehicle dealers described in 12 U.S.C. 5519(b) that directly extend to consumers retail credit or retail leases involving motor vehicles in which the contract governing such extension of retail credit or retail leases is not routinely assigned to an unaffiliated third party finance or leasing source.

■ 3. Amend § 313.3 by revising paragraphs (e), (i), (j), (k), and (q) to read as follows:

§ 313.3 Definitions.

* * * * *
(e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.
(2) For example:
(i) An individual who applies to you for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended.
(ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.
(iii) If you hold ownership or servicing rights to an individual’s loan that is used primarily for personal, family, or household purposes, the individual is your consumer, even if you hold those rights in conjunction with one or more other institutions. (The individual is also a consumer with respect to the other financial institutions involved.) An individual who has a loan in which you have ownership or servicing rights is your consumer, even if you, or another institution with those rights, hire an agent to collect on the loan.
(iv) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.
(v) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.
* * * * *
(i)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
(2) For example:
(i) Continuing relationship. A consumer has a continuing relationship with you if the consumer:
(A) Has a credit or investment account with you;
(B) Obtains a loan from you;
(C) Purchases an insurance product from you;
(D) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan, or credit to purchase a vehicle, for the consumer;
(E) Enters into a lease of personal property on a non-operating basis with you; or
(F) Has a loan for which you own the servicing rights.
(ii) No continuing relationship. A consumer does not, however, have a continuing relationship with you if:
(A) The consumer obtains a financial product or service from you only in isolated transactions, such as cashing a check with you or making a wire transfer through you;
(B) You sell the consumer’s loan and do not retain the rights to service that loan; or
(C) The consumer obtains one-time personal appraisal services from you.
(j) Federal functional regulator means:
(1) The Board of Governors of the Federal Reserve System;
(2) The Office of the Comptroller of the Currency;
(3) The Board of Directors of the Federal Deposit Insurance Corporation;
(4) The National Credit Union Administration Board; and
(5) The Securities and Exchange Commission.
(k)(1) Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.
(2) An example of a financial institution is an automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
(3) Financial institution does not include entities that engage in financial activities but that are not significantly engaged in those financial activities.
(4) An example of entities that are not significantly engaged in financial activities is a motor vehicle dealer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.
* * * * *
(q) You includes each ‘‘financial institution’’ over which the Commission has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).

■ 4. Amend § 313.4 by adding a heading for paragraph (c)(3) and revising paragraphs (c)(3)(i) and (e) to read as follows:

§ 313.4 Initial privacy notice to consumers required.

* * * * *
(c) * * *
(3) Examples—(i) Examples of establishing a customer relationship. You establish a customer relationship when the consumer:
(A) Executes the contract to obtain credit from you or purchase insurance from you; or
(B) Executes the lease for personal property with you.
* * * * *
(e) Exceptions to allow subsequent delivery of notice—(1) General. You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if:
(i) Establishing the customer relationship is not at the customer’s election; or
(ii) Providing notice not later than when you establish a customer relationship would substantially delay the customer’s transaction and customer agrees to receive the notice at a later time.
(2) Examples of exceptions—(i) Substantial delay of customer’s transaction. Providing notice not later than when you establish a customer relationship would substantially delay the customer’s transaction when you and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service.
(ii) No substantial delay of customer’s transaction. Providing notice not later than when you establish a customer relationship would not substantially delay the customer’s transaction when the relationship is initiated in person at your office or through other means by which the customer may view the notice, such as through a website.
* * * * *

■ 5. Amend § 313.5 by adding a heading for paragraph (a), revising paragraphs (a)(1) and (b)(2), and adding paragraph (e) to read as follows:

§ 313.5 Annual privacy notice to customers required.

(a) In general—(1) General rule. Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.
* * * * *
(b) * * *
(2) Examples. Your customer becomes a former customer when:
(i) In the case of a closed-end loan, the customer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights.
(ii) In the case of mortgage or vehicle loan brokering services, your customer has obtained a loan through you (and you no longer provide any statements or notices to the customer concerning that relationship), or has ceased using your services for such purposes.
(iii) In cases where there is no definitive time at which the customer relationship has terminated, you have not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material.
* * * * *
(e) Exception to annual privacy notice requirement—(1) When exception available. You are not required to deliver an annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 313.13, § 313.14, or § 313.15; and
(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 313.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.
(2) Delivery of annual privacy notice after financial institution no longer meets requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.
(i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirement in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.
(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirement of paragraph (e)(1).
(iii) Examples. (A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1.
Assuming you define the 12-consecutive-month period pursuant to paragraph (a) of this section as a calendar year, if you were required to provide a revised privacy notice under § 313.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under § 313.8, you must provide an annual privacy notice by July 9 of year 1.
(B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notice to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section.

■ 6. Amend § 313.15 by revising paragraph (a)(4) to read as follows:

§ 313.15 Other exceptions to notice and opt out requirements.

(a) * * *
(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including the Consumer Financial Protection Bureau, a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority’s State that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;
* * * * *

§ 313.18 [Removed]

■ 7. Remove § 313.18.

By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2021–25735 Filed 12–8–21; 8:45 am]
BILLING CODE 6750–01–P

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 200, 232, and 249

[Release No. 34–93701; IC–34431; File No. S7–03–21]

RIN 3235–AM84

Holding Foreign Companies Accountable Act Disclosure

AGENCY: Securities and Exchange Commission.

ACTION: Final rule.

SUMMARY: We are adopting amendments to finalize interim final rules that revised Forms 20–F, 40–F, 10–K, and N–CSR to implement the disclosure and submission requirements of the Holding Foreign Companies Accountable Act (‘‘HFCA Act’’). The final amendments apply to registrants that the Securities and Exchange Commission (‘‘Commission’’) identifies as having filed an annual report with an audit report issued by a registered public accounting firm that is located in a foreign jurisdiction and that the Public Company Accounting Oversight Board (‘‘PCAOB’’) is unable to inspect or investigate completely because of a position taken by an authority in that jurisdiction. Consistent with the HFCA Act, the amendments require the submission of documentation to the Commission establishing that such a registrant is not owned or controlled by a governmental entity in that foreign jurisdiction and also require disclosure in a foreign issuer’s annual report regarding the audit arrangements of, and governmental influence on, such registrants.

DATES: The amendments are effective on January 10, 2022, except for the addition of § 232.405(c)(1)(iii)(C), which is effective from January 10, 2022, until July 1, 2023.

FOR FURTHER INFORMATION CONTACT: Luna Bloom, Office Chief, at (202) 551–3430, in the Office of Rulemaking, Division of Corporation Finance; Theodore Venuti, Assistant Director, at (202) 551–5658, in the Office of Market Supervision, Division of Trading and Markets; or Blair Burnett, Senior Counsel, at (202) 551–6792, in the Investment Company Regulation Office, Division of Investment Management; U.S. Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION: We are adopting amendments to the following rules and forms.

------------------------------------------------------------------------
Commission reference                            CFR citation (17 CFR)
------------------------------------------------------------------------
Regulation S–T:
    Rule 405                                    § 232.405.
Securities Exchange Act of 1934 (Exchange Act):\1\
    Form 20–F                                   § 249.220f.
    Form 40–F                                   § 249.240f.
    Form 10–K                                   § 249.310.
Exchange Act and Investment Company Act of 1940 (Investment Company Act):\2\
    Form N–CSR                                  §§ 249.331 and 274.128.
------------------------------------------------------------------------
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78a et seq.
    \2\ 15 U.S.C. 80a–1 et seq.
---------------------------------------------------------------------------

Table of Contents

I. Introduction
II. Discussion of Amendments
    A. Documentation Submission Requirements
        1. Interim Final Amendments
        2. Comments
        3. Final Amendments
    B. Disclosure Requirements
        1. Interim Final Amendments
        2. Comments
        3. Final Amendments
    C. Inline XBRL Tagging
    D. Timing Issues
    E. Determination of Commission-Identified Issuer
    F. Process for Trading Prohibition
        1. HFCA Act Trading Prohibitions
        2. Process for Imposing a HFCA Act Trading Prohibition
        3. Process for Terminating Trading Prohibitions; Required Certification
    G. Amendment to the Delegations of Authority of the Commission
III. Procedural and Other Matters
IV. Economic Analysis
    A. Introduction and Broad Economic Considerations
    B. Baseline
        1. Regulatory Baseline
        2. Affected Parties
    C. Economic Effects
        1. Benefits and Costs of HFCA Act Disclosure Requirements
        2. Benefits and Costs of HFCA Act Submission Requirement
        3. Impact on Efficiency, Competition, and Capital Formation
V. Paperwork Reduction Act
    A. Background
    B. Summary of the Amendments
    C. Burden and Cost Estimates Related to the Amendments
VI. Statutory Authority

I. Introduction

On March 18, 2021,\3\ the Commission adopted interim final amendments to Form 10–K, Form 20–F, Form 40–F, and Form N–CSR to implement the disclosure and submission requirements of Sections 2 and 3 of the HFCA Act,\4\ which became law on December 18, 2020. Section 2 of the HFCA Act amended Section 104 of the Sarbanes-Oxley Act of 2002 (‘‘Sarbanes-Oxley Act’’) \5\ by adding Section 104(i) to the Sarbanes-Oxley Act. Section 104(i)(2) of
---------------------------------------------------------------------------

    \3\ See Holding Foreign Companies Accountable Act Disclosure, Release No. 34–91364 (Mar. 18, 2021) [86 FR 17528 (Apr. 5, 2021)] (‘‘Interim Final Release’’).
    \4\ Public Law 116–222, 134 Stat. 1063 (Dec. 18, 2020).
    \5\ 15 U.S.C. 7214 (as amended by Pub. L. 116–222).
---------------------------------------------------------------------------


[Federal Register Volume 86, Number 234 (Thursday, December 9, 2021)]
[Rules and Regulations]
[Pages 70020-70027]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-25735]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 313

RIN 3084-AB42


Privacy of Consumer Financial Information Rule Under the Gramm-
Leach-Bliley Act

AGENCY: Federal Trade Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission is amending its Privacy Rule to 
revise the rule's scope, to modify the rule's definitions of 
``financial institution'' and ``Federal functional regulator,'' and to 
update the rule's annual customer privacy notice requirement. The 
amendments also remove certain examples in the rule that apply to 
financial institutions that now fall outside its scope. This action is 
necessary to conform the rule to the current requirements of the Gramm-
Leach-Bliley Act (``GLBA''), as amended by the Dodd-Frank and FAST 
Acts, and the Commission's revisions to the Safeguards Rule, which are 
being announced simultaneously through a separate document published 
elsewhere in this issue of the Federal Register.

DATES: The amendments are effective January 10, 2022.

FOR FURTHER INFORMATION CONTACT: David Lincicum (202-326-2773), 
Division of Privacy and Identity Protection, Bureau of Consumer 
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, 
Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Background

A. The Statute and Regulation

    The GLBA was enacted in 1999.\1\ The GLBA, among other things, 
requires that financial institutions provide their customers with 
initial and annual notices regarding their privacy practices, and allow 
their customers to opt out of sharing their information with certain 
nonaffiliated third parties.
---------------------------------------------------------------------------

    \1\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------

    Rulemaking authority to implement the GLBA's privacy provisions was 
initially spread among multiple agencies. The Federal Reserve Board 
(``the Fed''), the Office of Comptroller of the Currency (``OCC''), the 
Federal Deposit Insurance Corporation (``FDIC''), and the Office of 
Thrift Supervision (``OTS'') jointly adopted final rules to implement 
the notice and opt-out requirements of the GLBA in 2000.\2\ The 
Commission, the National Credit Union Administration (``NCUA''), the 
Securities and Exchange Commission (``SEC''), and the Commodity Futures 
Trading Commission (``CFTC'') were part of the same interagency 
process, but each issued their rules separately.\3\ In 2009, all those 
agencies jointly adopted a model form financial institutions could use 
to provide the required initial and annual privacy disclosures.\4\
---------------------------------------------------------------------------

    \2\ Joint Final Rule, 65 FR 35162 (June 1, 2000) available at 
https://www.federalregister.gov/documents/2001/04/27/01-10398/privacy-of-consumer-financial-information.
    \3\ FTC Final Privacy Rule, 65 FR 33645 (May 24, 2000) available 
at https://www.federalregister.gov/documents/2000/05/24/00-12755/privacy-of-consumer-financial-information; NCUA Final Privacy Rule, 
65 FR 31722 (May 18, 2000) available at https://www.federalregister.gov/documents/2000/05/18/00-12014/privacy-of-consumer-financial-information-requirements-for-insurance; SEC Final 
Privacy Rule, 65 FR 40333 (June 29, 2000) available at https://www.federalregister.gov/documents/2000/06/29/00-16269/privacy-of-consumer-financial-information-regulation-s-p; CFTC Final Privacy 
Rule, 66 FR 21235 (Apr. 27, 2001) available at https://www.federalregister.gov/documents/2001/04/27/01-10398/privacy-of-consumer-financial-information.
    \4\ Joint Model Form, 74 FR 62889 (Dec. 1, 2009) available at 
https://www.federalregister.gov/documents/2009/12/01/E9-27882/final-model-privacy-form-under-the-gramm-leach-bliley-act; see also 16 CFR 
313.2, 16 CFR 313.4 through 313.9.
---------------------------------------------------------------------------

    As originally promulgated, the FTC's Privacy Rule covered a broad 
range of non-bank financial institutions such as payday lenders, 
mortgage brokers, check cashers, debt collectors, real estate 
appraisers, certain motor vehicle dealers, and remittance transfer 
providers. In 2010, the Dodd-Frank Act \5\ transferred the majority of 
GLBA's privacy rulemaking authority from the Fed, NCUA, OCC, OTS, FDIC, 
and the Commission (in part) to the Consumer Financial Protection 
Bureau (``CFPB''). The CFPB then restated the implementing regulations 
in Regulation P, 12 CFR part 1016, in late 2011 (``Regulation P'').\6\ 
However, under section 1029 of the Dodd-Frank Act, the Commission 
retained rulemaking authority for certain motor vehicle dealers.\7\ 
Thus, in 2012, the Commission announced it was retaining the 
implementing regulations governing privacy notices for motor vehicle 
dealers at 16 CFR part 313.\8\
---------------------------------------------------------------------------

    \5\ Public Law 111-203, 124 Stat. 1376 (2010).
    \6\ Interim Final Rule for Regulation P, 76 FR 79025 (Dec. 21, 
2011) available at https://www.federalregister.gov/documents/2011/12/21/2011-31729/privacy-of-consumer-financial-information-regulation-p.
    \7\ 12 U.S.C. 5519. The FTC retained rulemaking jurisdiction as 
to motor vehicle dealers that are predominantly engaged in the sale 
and servicing or the leasing and servicing of motor vehicles, 
excluding those dealers that directly extend credit to consumers and 
do not routinely assign the extensions of credit to an unaffiliated 
third party. For ease of reference, covered motor vehicle dealers 
are referenced herein as ``motor vehicle dealers.''
    \8\ Rescission of Rules, 77 FR 22200, 22201 (Apr. 13, 2012) 
available at https://www.federalregister.gov/documents/2012/04/13/2012-8748/rescission-of-rules (also rescinding those regulations for 
which rulemaking authority was transferred to the CFPB under the 
Dodd-Frank Act).
---------------------------------------------------------------------------

    Despite the transfer of general rulemaking authority for the 
Privacy Rule to the CFPB, the Commission and other agencies retain 
their existing enforcement authority under the GLBA.\9\ In addition, 
the SEC and CFTC retain rulemaking authority with respect to securities 
and futures-related companies, respectively.\10\ Accordingly, as part 
of this rulemaking process, the Commission has consulted and 
coordinated, or offered to consult, with those agencies that have 
rulemaking and/or enforcement authority under the GLBA, including the 
CFPB, SEC, CFTC, and the National Association of Insurance 
Commissioners (``NAIC'').\11\
---------------------------------------------------------------------------

    \9\ 15 U.S.C. 6805(a).
    \10\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 
1016.1(b).
    \11\ See 15 U.S.C. 6804(a)(2).
---------------------------------------------------------------------------

    On December 4, 2015, Congress amended the GLBA as part of the FAST 
Act. This amendment, titled Eliminate Privacy Notice Confusion,\12\ 
added GLBA subsection 503(f). This subsection 
provides an exception under which financial institutions that meet 
certain conditions are not required to provide annual privacy notices 
to customers.
---------------------------------------------------------------------------

    \12\ Section 75001, Public Law 114-94, 129 Stat. 1312, 1787 
(2015).
---------------------------------------------------------------------------

B. The Privacy Notice Requirements

    As noted, the current Privacy Rule, as modified after Congress 
enacted the Dodd-Frank Act, requires motor vehicle dealers provide 
consumers with notices describing their privacy policies. Specifically, 
it requires covered entities to provide an initial notice of these 
policies,\13\ and then ``provide a clear and conspicuous notice to 
customers that accurately reflects [their] privacy policies and 
practices not less than annually during the continuation of the 
customer relationship.'' \14\
---------------------------------------------------------------------------

    \13\ 15 U.S.C. 6803; 16 CFR 313.4.
    \14\ 15 U.S.C. 6803; 16 CFR 313.5(a)(1).
---------------------------------------------------------------------------

    The rule requires that initial and annual notices inform customers 
of their right to opt out of the sharing of nonpublic personal 
information with some types of nonaffiliated third parties.\15\ For 
example, a customer has the right to opt out of allowing a motor 
vehicle dealer to sell her name and address to a nonaffiliated auto 
insurance company.\16\ On the other hand, a motor vehicle dealer is not 
required to allow consumers to opt out of the dealer's sharing 
involving third-party service providers, joint marketing arrangements, 
maintenance and servicing of accounts, securitization, law enforcement 
and compliance, reporting to consumer reporting agencies, and certain 
other specified activities.\17\ Accordingly, if a motor vehicle dealer 
limits its sharing to uses that do not trigger opt-out rights, it may 
provide an annual privacy notice to its customers that does not include 
information regarding opt-out rights.
---------------------------------------------------------------------------

    \15\ 15 U.S.C. 6802; 16 CFR 313.6(a)(6).
    \16\ 16 CFR 313.10(a).
    \17\ 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13-313.15.
---------------------------------------------------------------------------

    Motor vehicle dealers also may include in the annual privacy notice 
information about certain consumer opt-out rights related to affiliate 
sharing under the Fair Credit Reporting Act (``FCRA''). First, section 
603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer's 
information among affiliates, but only if the consumer is notified of 
such sharing and is given an opportunity to opt out.\18\ Section 
503(c)(4) of the GLBA and the Privacy Rule generally require motor 
vehicle dealers to incorporate any notifications and opt-out 
disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA 
into their initial and annual privacy notices.\19\
---------------------------------------------------------------------------

    \18\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \19\ 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
---------------------------------------------------------------------------

    In addition, section 624 of the FCRA and the FTC's Affiliate 
Marketing Rule \20\ provide that an affiliate of a motor vehicle dealer 
that receives certain information about a consumer from the dealer may 
not use that information for marketing purposes, unless the consumer is 
provided with an opportunity to opt out of that use.\21\ This 
requirement governs the use of information by an affiliate, not the 
sharing of information among affiliates, and thus is distinct from the 
affiliate sharing opt-out discussed above. The Affiliate Marketing Rule 
permits (but does not require) motor vehicle dealers to incorporate any 
opt-out disclosures provided under section 624 of the FCRA and the 
Affiliate Marketing Rule into the initial and annual privacy notices 
required by the GLBA.\22\
---------------------------------------------------------------------------

    \20\ 16 CFR 680.1-680.28.
    \21\ 15 U.S.C. 1681s-3. The FTC's Affiliate Marketing Rule 
applies to motor vehicle dealers. See 77 FR 22201. The FTC also 
enforces the CFPB's Regulation V's Affiliate Marketing Rule, 12 CFR 
part 1022, subpart C, for other entities over which the FTC has 
enforcement authority under the FCRA.
    \22\ 16 CFR 680.23(b).
---------------------------------------------------------------------------

    Finally, Sec.  313.6(a)(8) of the Privacy Rule requires the initial 
and annual notices briefly describe how motor vehicle dealers protect 
the nonpublic personal information they collect and maintain.\23\
---------------------------------------------------------------------------

    \23\ 16 CFR 313.6(a)(8).
---------------------------------------------------------------------------

II. Revision of the Privacy Rule

    On April 4, 2019, the Commission issued a notice of proposed 
rulemaking \24\ setting forth amendments to the Privacy Rule (the 
``Proposed Amendments'') proposing three types of changes to the 
Privacy Rule: (1) Technical changes to the rule to correspond to the 
reduced scope of the rule due to Dodd-Frank Act changes, which 
primarily consist of removing references that do not apply to motor 
vehicle dealers; (2) modifications to the annual privacy notice 
requirements to reflect the changes made to the GLBA by the FAST Act; 
and (3) a modification to the scope and definition of ``financial 
institution'' to include entities engaged in activities incidental to 
financial activities, which would bring the rule into accord with the 
CFPB's Regulation P. The Commission received four comments related to 
the proposed amendments, to which it responds below.\25\
---------------------------------------------------------------------------

    \24\ On June 24, 2015, the Commission published a notice of 
proposed rulemaking (``2015 NPRM'') proposing revisions to the 
Privacy Rule. NPRM, 80 FR 36267 (June 24, 2015) available at https://www.federalregister.gov/documents/2015/06/24/2015-14328/amendment-to-the-privacy-of-consumer-financial-information-rule-under-the-gramm-leach-bliley-act. First, the Commission proposed a number of 
changes to comport with the Dodd-Frank Act revision of GLBA, which 
transferred rulemaking authority for most financial institutions to 
the CFPB. The Commission also proposed amending the rule to allow 
motor vehicle dealers to notify their customers that a privacy 
notice is available online, under circumstances identical to those 
that had been adopted by the CFPB. Final Rule, 79 FR 64057 (Oct. 28, 
2014) available at https://www.federalregister.gov/documents/2014/10/28/2014-25299/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p. The passage of the 
FAST Act rendered the Commission's proposed changes to the Privacy 
Rule moot because those changes, if adopted, would have been in 
conflict with the revised statute.
    \25\ The Commission also received three comments that related to 
the Safeguards Rule (16 CFR part 314). Those comments are addressed 
in the final Safeguards Rule published elsewhere in this issue of 
the Federal Register.
---------------------------------------------------------------------------

A. Technical Changes To Correspond to Statutory Changes Resulting From 
the Dodd-Frank Act

(1) Section 313.1(b)
    The proposed amendment to Sec.  313.1(b) narrowed the description 
of the scope of the Privacy Rule to those entities set forth in the 
Dodd-Frank Act: \26\ Those predominantly engaged in the sale and 
servicing of motor vehicles or the leasing and servicing of motor 
vehicles, excluding those dealers that directly extend credit to 
consumers and do not routinely assign the extensions of credit to an 
unaffiliated third party. It also removed the reference in the rule's 
scope to ``other persons,'' because the Commission no longer has 
rulemaking authority for the Privacy Rule over ``other persons.'' 
Finally, the Proposed Amendments eliminated from Sec.  313.1(b) the 
note indicating (1) the Privacy Rule does not modify, limit, or 
supersede the standards under the Health Insurance Portability and 
Accountability Act of 1996 (``HIPAA''), and (2) if a financial 
institution that is an institution of higher education is in compliance 
with the Federal Educational Rights and Privacy Act (``FERPA'') and its 
implementing regulations, such institution shall be deemed in 
compliance with the Privacy Rule.
---------------------------------------------------------------------------

    \26\ 12 U.S.C. 5519.
---------------------------------------------------------------------------

    The Commission received two comments on these proposed changes. One 
commenter asked why the rule would not cover dealers that directly 
extend credit to consumers.\27\ In response, the Commission notes the 
Dodd-Frank Act excludes these dealers from the Commission's rulemaking 
authority under the GLBA. The Commission continues to have enforcement 
authority over these dealers under Regulation P.
---------------------------------------------------------------------------

    \27\ Yuxiang Hao (comment 4).
---------------------------------------------------------------------------

    Another commenter, the National Association of Automobile Dealers 
(``NADA''), supported eliminating the references to HIPAA and FERPA, 
agreeing that these provisions would not apply to automobile 
dealers.\28\ Given that it received no other substantive comments, the 
Commission adopts the changes as proposed.
---------------------------------------------------------------------------

    \28\ National Automobile Dealers Association (comment 9), at 3-
4.
---------------------------------------------------------------------------

(2) Section 313.3
    To help companies understand whether and how the rule applies to 
them, the current rule includes examples of financial institutions in 
Sec.  313.3(k)(2), examples of consumers in Sec.  313.3(e)(2), examples 
of what would constitute establishing a customer relationship in Sec.  
313.3(i)(2)(i), and examples of what is not a customer relationship in 
Sec.  313.2(i)(2)(ii). The Proposed Amendments to Sec.  313.3 removed 
examples not likely to apply in the context of motor vehicle dealers.
    NADA was the only commenter who opined on this issue. It agreed the 
examples proposed for removal do not apply to motor vehicle dealers and 
supported their deletion. Accordingly, the final rule deletes these 
examples as proposed.
    NADA advocated for removal or modification of additional terms or 
examples that it asserted would not apply in the motor vehicle context. 
The Commission declines to make the changes suggested by NADA, for the 
reasons described below.
a. Loans
    NADA argued the examples in the final rule should not include the 
word ``loans'' because motor vehicle dealers ``do not generally issue 
`loans,''' but instead provide financing assistance or enter into 
retail installment sale contracts or leases. NADA suggested the term 
``loan'' be replaced with ``financing,'' or ``finance or lease 
contract.'' \29\ The Commission declines to modify existing examples in 
this manner. It believes the Privacy Rule should be substantively 
identical to Regulation P so financial institutions within the 
Commission's enforcement authority are subject to the same 
requirements, regardless of whether they are subject to Regulation P or 
the Privacy Rule. Although the Commission recognizes some examples it 
has retained may not apply well to the motor vehicle context,\30\ 
changing the language of an example, as opposed to completely removing 
it, could be read as a change to the substance of the rule. 
Accordingly, the Commission declines to change an existing term in the 
final rule.\31\
---------------------------------------------------------------------------

    \29\ NADA (comment 9), at 4.
    \30\ The Commission notes that while the term ``loan'' may not 
be applicable to all motor vehicle dealers' transactions with their 
customers, most extensions of credit or the arranging of credit will 
play the same role as loans for purposes of this amendment, and 
dealers may generally apply these examples accordingly.
    \31\ The Proposed Amendments did modify existing examples in two 
instances. In Sec. Sec.  313.3(i)(2)(i)(A) and 313.5(b)(2)(ii), 
references to mortgage loans were removed. Although the Commission 
continues to believe that mortgage loans are unlikely to be involved 
in the motor vehicle dealer context, as discussed above, the 
Commission recognizes that there is value in maintaining consistency 
with Regulation P, and that particular examples provided may not be 
applicable to every type of financial institution's activities. 
Accordingly, the final rule retains the references to mortgage loans 
in these provisions.
---------------------------------------------------------------------------

b. Examples of Continuing Relationships
    NADA suggested removing the term ``investment accounts'' from the 
example of a continuing relationship in Sec.  313.3(i)(2)(i)(A), as such 
accounts are not offered by motor vehicle dealers. As discussed above, 
however, the Commission declines to modify existing examples and does 
not adopt this change in the final rule. NADA also took issue with 
Sec.  313.3(i)(2)(i)(D), which states a consumer has a continuing 
relationship with a financial institution when the consumer enters into 
an ``agreement or understanding'' with the financial institution in 
which the financial institution undertakes ``to arrange credit to 
purchase a vehicle for the consumer.'' NADA noted when motor vehicle 
dealers arrange credit for a consumer, they then assign that agreement 
to a third party and do not continue the relationship with the 
consumer.
    Although motor vehicle dealers may transfer the credit agreement to 
another financial institution, a continuing relationship is formed by 
the agreement and persists for as long as the motor vehicle dealer 
retains the agreement. The continuing relationship between the motor 
vehicle dealer and the consumer will end upon the transfer of the 
agreement, but until that transfer occurs, the consumer is the motor 
vehicle dealer's customer for purposes of the Privacy Rule. 
Accordingly, the Commission declines to remove this example from the 
final rule.
    NADA also argued the term ``understanding'' in paragraph 
(i)(2)(i)(D) is confusing because it is not clear what an 
``understanding'' would mean in this context, and motor vehicle dealers 
do not enter into informal relationships to arrange credit for 
consumers. The Commission believes, however, that while informal 
understandings may be unusual for motor vehicle dealers, it is possible 
some dealers may engage in such practices and the example should 
continue to make clear that such arrangements create continuing 
relationships. In addition, as discussed above, the Commission declines 
to change the language of examples retained in the final rule.
c. Examples of No Continuing Relationships
    NADA argued the example in Sec.  313.3(i)(2)(ii)(A) does not apply 
to motor vehicle dealers. This example states no continuing 
relationship is created when a ``consumer obtains a financial product 
or service from [the financial institution] only in isolated 
transactions, such as cashing a check with [the financial institution] 
or making a wire transfer through'' the financial institution. NADA 
argued motor vehicle dealers generally do not engage in these 
activities, and while ``it is theoretically possible that a dealer 
somewhere may offer, under unique circumstances, to cash a check for a 
customer, [NADA] is not aware of that service being offered by dealers 
and the possibility is attenuated at best.'' \32\ The Commission does 
not agree that this example should be removed. Although check cashing 
and wire transfer transactions may be unlikely at motor vehicle 
dealerships, these are helpful examples of the types of isolated 
transactions that do not create an ongoing relationship and, even for 
motor vehicle dealers that do not engage in these particular 
activities, they illustrate the principle well. The final rule retains 
this example.
---------------------------------------------------------------------------

    \32\ NADA (comment 9), at 5.
---------------------------------------------------------------------------

    NADA also questioned the inclusion of Sec.  313.3(i)(2)(ii)(C), 
which states a continuing relationship is not created when a ``consumer 
obtains one-time personal appraisal services from'' the financial 
institution. NADA asked whether this would apply when a motor vehicle 
dealer appraises a consumer's used vehicle for trade-in value. The 
Commission believes that is precisely the type of appraisal suggested 
by the example. NADA also questioned how ``such appraisal activity by a 
dealer could, as an initial matter be deemed to create a Customer 
relationship.'' \33\ The Commission believes, however, negative 
examples are useful to clarify the definition and, therefore, the final 
rule retains this example.
---------------------------------------------------------------------------

    \33\ NADA (comment 9), at 5.

---------------------------------------------------------------------------

B. Modifications to the Annual Privacy Notice To Reflect Statutory 
Changes Resulting From the FAST Act

    The Commission also proposed changing the Privacy Rule provisions 
governing how motor vehicle dealers should deliver annual privacy 
notices.
Section 313.5(e)
    The proposed change to Sec.  313.5(a)(1) added a statement that 
Sec.  313.5(e) provides an exception to the general rule requiring the 
delivery of annual notices. Section 313.5(e) in turn sets forth the 
exception, which was taken from the FAST Act, and adopted by the CFPB 
in its amendments to Regulation P.\34\ It stated the annual notice need 
not be provided if (1) the financial institution has shared nonpublic 
personal information only in accordance with the provisions of 
Sec. Sec.  313.13, 313.14, and 313.15, none of which require an opt-out 
opportunity be provided to customers; and (2) the financial 
institution's disclosure policies and practices remain unchanged from 
the most recent privacy notice.
---------------------------------------------------------------------------

    \34\ See Final Rule, 83 FR 40945 (August 17, 2018) available at 
https://www.federalregister.gov/documents/2018/08/17/2018-17572/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p.
---------------------------------------------------------------------------

    Proposed Sec.  313.5(e)(2) set forth the timing for resuming 
delivery of the annual notice if a financial institution no longer met 
requirements for the exception.
    The Commission received no comments on the substance of this 
paragraph and adopts it without modification.\35\
---------------------------------------------------------------------------

    \35\ As discussed above, NADA argued that the word ``loan'' 
should be replaced with ``retail installment sale contract.'' As 
discussed above, the Commission wishes the remaining examples in the 
final rule to be identical to those found in Regulation P and 
declines to make these changes. In addition, the National 
Independent Automobile Dealers Association noted that most dealers 
will not be required to provide annual notices because of their lack 
of ongoing relationships with their consumers, but supported the 
amendments in general.
---------------------------------------------------------------------------

C. Modifications to Scope and Definitions To Bring the Rule Into Accord 
With Regulation P

    The Proposed Amendments changed the scope of the Privacy Rule and 
its definition of a ``financial institution'' in order to bring the 
Commission's rule into accord with Regulation P. As explained in the 
NPRM, when first promulgating the Privacy Rule, the Commission 
determined companies engaged in activities ``incidental to financial 
activities'' would not be considered ``financial institutions.'' \36\ 
The Commission was the only agency to adopt this restrictive definition 
in its Privacy Rule, while the other agencies included incidental 
activities. In addition, the Commission decided activities determined 
to be financial in nature after the enactment of the GLBA would not be 
automatically included in its Privacy Rule; rather, the Commission 
would have to take additional action to include them.\37\ The effect of 
these two decisions was to limit the activities covered by the 
Commission's rules to those set out in 12 CFR 225.28 as it existed in 
1999, and to exclude any activities later determined by the Fed to be 
financial activities or incidental to those activities.\38\
---------------------------------------------------------------------------

    \36\ See 16 CFR 313.3(k); see also 65 FR 33654.
    \37\ 65 FR 33654 n.23.
    \38\ Id.
---------------------------------------------------------------------------

    The Commission proposed modifying the definition of ``financial 
institution'' to harmonize the Privacy Rule with other agencies' rules. 
The Commission proposed to amend Sec.  313.1(b) to include companies 
that engage in activities financial in nature or incidental to such 
financial activities in the scope of the rule. Likewise, it proposed 
amending the definition of ``financial institution'' in Sec.  313.3(k), 
to include any institution the business of which is engaging in an 
activity that is financial in nature or incidental to such financial 
activities. The effect of this proposed amendment would be to cause 
``finders'' to be included in this definition, thereby bringing the 
Privacy Rule into harmony with the scope of entities covered by other 
agencies under Regulation P.
    The Commission received only two comments that addressed this 
proposed change in the Privacy Rule.\39\ NADA asked whether the 
proposed rule would apply to finders acting for a motor vehicle 
dealer.\40\ As discussed above, the Commission's Privacy Rule applies 
only to motor vehicle dealers and so would apply only to finders that 
are also motor vehicle dealers. If a finder is not itself a motor 
vehicle dealer then the rule does not apply, even if the finder is 
acting to connect motor vehicle dealers with potential customers. Given 
that this scenario is unlikely, modifying the definition of ``financial 
institution'' for purposes of the Privacy Rule has little practical 
effect. Nevertheless, the Commission is modifying the definition for 
purposes of consistency with Regulation P and the Safeguards Rule.
---------------------------------------------------------------------------

    \39\ Several other entities commented on the expansion of the 
definition of a ``financial institution'' in the Safeguards Rule. 
These comments are addressed in the discussion of the final 
Safeguards Rule, published elsewhere in this issue of the Federal 
Register.
    \40\ NADA (comment 9), at 7-8.
---------------------------------------------------------------------------

    An individual consumer asked how often an entity must engage in an 
incidental activity to be considered a financial institution.\41\ As 
with other financial activities under the existing rule, an entity is a 
financial institution only if it is ``significantly engaged'' in the 
incidental activities.
---------------------------------------------------------------------------

    \41\ Qiyi Hu (comment 5).
---------------------------------------------------------------------------

    The Commission adopts the proposed amendment without change.
Section 313.15(a)(4)
    Finally, the Commission proposed to amend Sec.  313.15(a)(4) to add 
the CFPB to the list of law enforcement agencies to which financial 
institutions are permitted to share information to the extent permitted 
by law. The Commission received no comments on this change and adopts 
it as proposed.
Section 313.18
    Section 313.18 set forth the effective date for the rule and 
prescribed requirements for institutions' compliance with the rule as 
to customers who were already customers at the time the rule was first 
promulgated. The relevant dates have long since passed. Section 
313.18(a)(2) also provided an exception, stating this ``part is not 
effective as to any institution that is significantly engaged in 
activities that the Federal Reserve Board determines, after November 
12, 1999 . . . are activities that a financial holding company may 
engage in, until the Commission so determines.'' As discussed above, 
the Commission has determined herein that this rule applies to 
financial institutions that engage in activities financial in nature or 
incidental to such financial activities, including entities 
significantly engaged in activities the Federal Reserve Board has 
determined, after November 12, 1999, are activities a financial holding 
company may engage in. Accordingly, the final rule removes Sec.  313.18 
in its entirety.

III. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (``PRA''),\42\ Federal 
agencies are generally required to seek Office of Management and Budget 
(``OMB'') approval for information collection requirements prior to 
implementation. Under the PRA, the Commission may not conduct or 
sponsor, and, notwithstanding any other provision of law, a person is 
not required to respond to an information collection, unless the 
information collection displays a valid control number assigned by OMB.
---------------------------------------------------------------------------

    \42\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    This amendment modifies 16 CFR part 313. The collections of 
information related to the Privacy Rule and the 
FAST Act statutory exceptions to the rule's annual notice requirement 
have been previously reviewed and approved by OMB in accordance with 
the PRA.\43\
---------------------------------------------------------------------------

    \43\ The OMB Control Number is 3084-0121.
---------------------------------------------------------------------------

    Under the existing clearance, the FTC has attributed to itself the 
estimated burden regarding all motor vehicle dealers and shares equally 
the remaining estimated PRA burden with the CFPB for other types of 
financial institutions for which both agencies have enforcement 
authority regarding the GLBA Privacy Rule.\44\
---------------------------------------------------------------------------

    \44\ PRA Notice, 82 FR 48081 (Oct. 16, 2017) available at 
https://www.federalregister.gov/documents/2017/10/16/2017-22334/agency-information-collection-activities-submission-for-omb-review-comment-request.
---------------------------------------------------------------------------

    The amendments do not modify or add to information collection 
requirements previously approved by OMB. First, the Commission 
anticipates the expansion of the definition of ``financial 
institution'' to include entities engaged in activities incidental to 
financial activities will have little to no effect. It is not clear any 
finders that are also motor vehicle dealers are not already covered by 
the rule through their activities as motor vehicle dealers.
    Second, the removal of certain examples provided in the rule that 
are not applicable to motor vehicle dealers will have no impact on 
existing information collection requirements.
    Therefore, the Commission does not believe the amendments 
substantially or materially modify any ``collections of information'' 
as defined by the PRA.
    The Commission sought comment on whether there are any finders in 
existence that would be covered by the proposed rule and are not 
covered by the current rule. The Commission received no comments that 
suggested such entities exist.

IV. Regulatory Flexibility Act

    The Regulatory Flexibility Act (``RFA''), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires an 
agency to either provide an Initial Regulatory Flexibility Analysis 
(``IRFA'') with a proposed rule, or certify that the proposed rule will 
not have a significant impact on a substantial number of small 
entities.\45\ The Commission does not believe this amendment to the 
Privacy Rule has the threshold impact on small entities. First, most of 
the changes effectuate statutory changes from the Dodd-Frank Act and 
the FAST Act. Second, the Commission does not expect the amendment to 
impose costs on small motor vehicle dealers because the amendments are 
primarily for clarification purposes and should not result in any 
increased burden on any motor vehicle dealer. Thus, a small entity that 
complies with current law need not take any different or additional 
action under the final rule.
---------------------------------------------------------------------------

    \45\ 5 U.S.C. 603-605.
---------------------------------------------------------------------------

    Accordingly, the Commission believes the rule will not have a 
significant economic impact on small entities. The final rule would add 
requirements only to motor vehicle dealers that function as finders and 
do not already engage in other financial activities that would cause 
them to be financial institutions under the rule. The Commission has 
not identified any such entities. Therefore, the Commission certifies 
the rule will not have a significant economic impact on a substantial 
number of small businesses.
    In this document, the Commission adopts the amendments proposed in 
its NPRM with only minimal modifications. In its Initial Regulatory 
Flexibility Analysis (``IRFA''), the Commission determined the proposed 
rule would not have a significant impact on small entities because 
there were no small businesses that were being subjected to new burdens 
as a result of the amendments. Although the Commission certifies under 
the RFA that the rule will not have a significant impact on a 
substantial number of small entities, and hereby provides notice of 
that certification to the Small Business Administration, the Commission 
nonetheless has determined publishing a final regulatory flexibility 
analysis (``FRFA'') is appropriate to ensure the impact of the rule is 
fully addressed. Therefore, the Commission has prepared the following 
analysis:

1. Need for and Objectives of the Final Rule

    To address the Dodd-Frank Act and FAST Act changes, the amendments 
change the Privacy Rule's scope and definition of ``financial 
institution''; change the annual notice requirement; and remove certain 
examples provided in the rule that are not applicable to motor vehicle 
dealers. With this action, the Commission makes the current, narrow 
scope of the rule clearer. Additionally, the modification of the 
definition of ``financial institution'' to cover motor vehicle dealers 
engaged in ``activities incidental to financial activities'' harmonizes 
the Privacy Rule with other agencies' rules.

2. Significant Issues Raised in Public Comments in Response to the IRFA

    The Commission did not receive any comments that addressed the 
burden on small entities. In addition, the Commission did not receive 
any comments filed by the Chief Counsel for Advocacy of the Small 
Business Administration (``SBA'').

3. Estimate of Number of Small Entities To Which the Final Rule Will 
Apply

    The Commission anticipates many covered motor vehicle dealers may 
qualify as small businesses according to the applicable SBA size 
standards.\46\ As explained in the IRFA, however, determining a precise 
estimate of the number of small entities--including newly covered 
entities under the modified definition of financial institution--is not 
readily feasible. No commenters addressed this issue. Nonetheless, as 
discussed above, these amendments will not add any additional burdens 
on any covered small businesses.
---------------------------------------------------------------------------

    \46\ Table of Small Bus. Size Standards Matched to North 
American Indus. Classification System Codes, 13 CFR 121.201 
(available at: https://www.sba.gov/document/support--table-size-standards), updated Aug. 19, 2019. For example, used car dealers are 
classified as NAICS 441120 and new car dealers as NAICS 441110. 
Under those standards, the SBA would classify as small businesses 
independent used car dealers having annual receipts of less than $27 
million and new car dealers having fewer than 200 employees each.
---------------------------------------------------------------------------

4. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements

    The amendments do not impose any new or substantively revised 
``collections of information,'' as defined by the PRA.

5. Description of Steps Taken To Minimize Significant Economic Impact, 
if Any, on Small Entities, Including Alternatives

    The Commission did not propose any specific small entity exemption 
or other significant alternatives because the amendment is not expected 
to increase reporting requirements and will not impose any new 
requirements or compliance costs. The Commission anticipates the 
amendments will reduce the burden for many covered entities associated 
with the Privacy Rule annual notice. The amendments retain the 
flexibility already present in the existing rule, which allows notices 
to be provided in a variety of ways, including electronically in some 
circumstances. As to the core requirements of the rule, they come from 
GLBA itself, as amended by the Dodd-Frank and the FAST Act. The statute 
prescribes the definition of financial institutions to be covered by 
the rule and sets forth the specific requirements, which the Commission 
cannot modify to ease burdens on small entities. Therefore, the 
Commission does not believe any alternatives for small entities are 
required or appropriate.

V. Other Matters

    Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), 
the Office of Information and Regulatory Affairs designated this rule 
as not a ``major rule,'' as defined by 5 U.S.C. 804(2).

List of Subjects in 16 CFR Part 313

    Consumer protection, Credit, Data protection, Privacy, Trade 
practices.

    For the reasons stated above, the Federal Trade Commission amends 
16 CFR part 313 as follows:

PART 313--PRIVACY OF CONSUMER FINANCIAL INFORMATION

1. The authority citation for part 313 is revised to read as follows:

    Authority:  15 U.S.C. 6801 et seq., 12 U.S.C. 5519.


2. Amend Sec.  313.1 by revising paragraph (b) to read as follows:


Sec.  313.1   Purpose and scope.

* * * * *
    (b) Scope. This part applies only to nonpublic personal information 
about individuals who obtain financial products or services primarily 
for personal, family or household purposes from the institutions listed 
below. This part does not apply to information about companies or about 
individuals who obtain financial products or services for business, 
commercial, or agricultural purposes. This part applies to those 
``financial institutions'' over which the Federal Trade Commission 
(``Commission'') has rulemaking authority pursuant to section 
504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a ``financial 
institution'' if its business is engaging in an activity that is 
financial in nature or incidental to such financial activities as 
described in section 4(k) of the Bank Holding Company Act of 1956, 12 
U.S.C. 1843(k), which incorporates activities enumerated by the Federal 
Reserve Board in 12 CFR 225.28 and 225.86. The ``financial 
institutions'' subject to the Commission's rulemaking authority are any 
persons described in 12 U.S.C. 5519 that are predominantly engaged in 
the sale and servicing of motor vehicles, the leasing and servicing of 
motor vehicles, or both. They are referred to in this part as ``You.'' 
Excluded from the coverage of this part are motor vehicle dealers 
described in 12 U.S.C. 5519(b) that directly extend to consumers retail 
credit or retail leases involving motor vehicles in which the contract 
governing such extension of retail credit or retail leases is not 
routinely assigned to an unaffiliated third party finance or leasing 
source.

3. Amend Sec.  313.3 by revising paragraphs (e), (i), (j), (k), and (q) 
to read as follows:


Sec.  313.3   Definitions.

* * * * *
    (e)(1) Consumer means an individual who obtains or has obtained a 
financial product or service from you that is to be used primarily for 
personal, family, or household purposes, or that individual's legal 
representative.
    (2) For example:
    (i) An individual who applies to you for credit for personal, 
family, or household purposes is a consumer of a financial service, 
regardless of whether the credit is extended.
    (ii) An individual who provides nonpublic personal information to 
you in order to obtain a determination about whether he or she may 
qualify for a loan to be used primarily for personal, family, or 
household purposes is a consumer of a financial service, regardless of 
whether the loan is extended.
    (iii) If you hold ownership or servicing rights to an individual's 
loan that is used primarily for personal, family, or household 
purposes, the individual is your consumer, even if you hold those 
rights in conjunction with one or more other institutions. (The 
individual is also a consumer with respect to the other financial 
institutions involved.) An individual who has a loan in which you have 
ownership or servicing rights is your consumer, even if you, or another 
institution with those rights, hire an agent to collect on the loan.
    (iv) An individual who is a consumer of another financial 
institution is not your consumer solely because you act as agent for, 
or provide processing or other services to, that financial institution.
    (v) An individual is not your consumer solely because he or she is 
a participant or a beneficiary of an employee benefit plan that you 
sponsor or for which you act as a trustee or fiduciary.
* * * * *
    (i)(1) Customer relationship means a continuing relationship 
between a consumer and you under which you provide one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family, or household purposes.
    (2) For example:
    (i) Continuing relationship. A consumer has a continuing 
relationship with you if the consumer:
    (A) Has a credit or investment account with you;
    (B) Obtains a loan from you;
    (C) Purchases an insurance product from you;
    (D) Enters into an agreement or understanding with you whereby you 
undertake to arrange or broker a home mortgage loan, or credit to 
purchase a vehicle, for the consumer;
    (E) Enters into a lease of personal property on a non-operating 
basis with you; or
    (F) Has a loan for which you own the servicing rights.
    (ii) No continuing relationship. A consumer does not, however, have 
a continuing relationship with you if:
    (A) The consumer obtains a financial product or service from you 
only in isolated transactions, such as cashing a check with you or 
making a wire transfer through you;
    (B) You sell the consumer's loan and do not retain the rights to 
service that loan; or
    (C) The consumer obtains one-time personal appraisal services from 
you.
    (j) Federal functional regulator means:
    (1) The Board of Governors of the Federal Reserve System;
    (2) The Office of the Comptroller of the Currency;
    (3) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (4) The National Credit Union Administration Board; and
    (5) The Securities and Exchange Commission.
    (k)(1) Financial institution means any institution the business of 
which is engaging in an activity that is financial in nature or 
incidental to such financial activities as described in section 4(k) of 
the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution 
that is significantly engaged in financial activities, or significantly 
engaged in activities incidental to such financial activities, is a 
financial institution.
    (2) An example of a financial institution is an automobile 
dealership that, as a usual part of its business, leases automobiles on 
a nonoperating basis for longer than 90 days is a financial institution 
with respect to its leasing business because leasing personal property 
on a nonoperating basis where the initial term of the lease is at least 
90 days is a financial activity listed in 12 CFR 225.28(b)(3) and 
referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
    (3) Financial institution does not include entities that engage in 
financial activities but that are not significantly engaged in those 
financial activities.
    (4) An example of entities that are not significantly engaged in 
financial activities is a motor vehicle dealer is not a financial institution 
merely because it accepts payment in the form of cash, checks, or 
credit cards that it did not issue.
* * * * *
    (q) You includes each ``financial institution'' over which the 
Commission has rulemaking authority pursuant to section 504(a)(1)(C) of 
the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).

4. Amend Sec.  313.4 by adding a heading for paragraph (c)(3) and 
revising paragraphs (c)(3)(i) and (e) to read as follows:


Sec.  313.4   Initial privacy notice to consumers required.

* * * * *
    (c) * * *
    (3) Examples--(i) Examples of establishing a customer relationship. 
You establish a customer relationship when the consumer:
    (A) Executes the contract to obtain credit from you or purchase 
insurance from you; or
    (B) Executes the lease for personal property with you.
* * * * *
    (e) Exceptions to allow subsequent delivery of notice--(1) General. 
You may provide the initial notice required by paragraph (a)(1) of this 
section within a reasonable time after you establish a customer 
relationship if:
    (i) Establishing the customer relationship is not at the customer's 
election; or
    (ii) Providing notice not later than when you establish a customer 
relationship would substantially delay the customer's transaction and 
customer agrees to receive the notice at a later time.
    (2) Examples of exceptions--(i) Substantial delay of customer's 
transaction. Providing notice not later than when you establish a 
customer relationship would substantially delay the customer's 
transaction when you and the individual agree over the telephone to 
enter into a customer relationship involving prompt delivery of the 
financial product or service.
    (ii) No substantial delay of customer's transaction. Providing 
notice not later than when you establish a customer relationship would 
not substantially delay the customer's transaction when the 
relationship is initiated in person at your office or through other 
means by which the customer may view the notice, such as through a 
website.
* * * * *

5. Amend Sec.  313.5 by adding a heading for paragraph (a), revising 
paragraphs (a)(1) and (b)(2), and adding paragraph (e) to read as 
follows:


Sec.  313.5   Annual privacy notice to customers required.

    (a) In general--(1) General rule. Except as provided by paragraph 
(e) of this section, you must provide a clear and conspicuous notice to 
customers that accurately reflects your privacy policies and practices 
not less than annually during the continuation of the customer 
relationship. Annually means at least once in any period of 12 
consecutive months during which that relationship exists. You may 
define the 12-consecutive-month period, but you must apply it to the 
customer on a consistent basis.
* * * * *
    (b) * * *
    (2) Examples. Your customer becomes a former customer when:
    (i) In the case of a closed-end loan, the customer pays the loan in 
full, you charge off the loan, or you sell the loan without retaining 
servicing rights.
    (ii) In the case of mortgage or vehicle loan brokering services, 
your customer has obtained a loan through you (and you no longer 
provide any statements or notices to the customer concerning that 
relationship), or has ceased using your services for such purposes.
    (iii) In cases where there is no definitive time at which the 
customer relationship has terminated, you have not communicated with 
the customer about the relationship for a period of 12 consecutive 
months, other than to provide annual privacy notices or promotional 
material.
* * * * *
    (e) Exception to annual privacy notice requirement--(1) When 
exception available. You are not required to deliver an annual privacy 
notice if you:
    (i) Provide nonpublic personal information to nonaffiliated third 
parties only in accordance with the provisions of Sec.  313.13, Sec.  
313.14, or Sec.  313.15; and
    (ii) Have not changed your policies and practices with regard to 
disclosing nonpublic personal information from the policies and 
practices that were disclosed to the customer under Sec.  313.6(a)(2) 
through (5) and (9) in the most recent privacy notice provided pursuant 
to this part.
    (2) Delivery of annual privacy notice after financial institution 
no longer meets requirements for exception. If you have been excepted 
from delivering an annual privacy notice pursuant to paragraph (e)(1) 
of this section and change your policies or practices in such a way 
that you no longer meet the requirements for that exception, you must 
comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.
    (i) Changes preceded by a revised privacy notice. If you no longer 
meet the requirements of paragraph (e)(1) of this section because you 
change your policies or practices in such a way that Sec.  313.8 
requires you to provide a revised privacy notice, you must provide an 
annual privacy notice in accordance with the timing requirement in 
paragraph (a) of this section, treating the revised privacy notice as 
an initial privacy notice.
    (ii) Changes not preceded by a revised privacy notice. If you no 
longer meet the requirements of paragraph (e)(1) of this section 
because you change your policies or practices in such a way that Sec.  
313.8 does not require you to provide a revised privacy notice, you 
must provide an annual privacy notice within 100 days of the change in 
your policies or practices that causes you to no longer meet the 
requirement of paragraph (e)(1).
    (iii) Examples. (A) You change your policies and practices in such 
a way that you no longer meet the requirements of paragraph (e)(1) of 
this section effective April 1 of year 1. Assuming you define the 12-
consecutive-month period pursuant to paragraph (a) of this section as a 
calendar year, if you were required to provide a revised privacy notice 
under Sec.  313.8 and you provided that notice on March 1 of year 1, 
you must provide an annual privacy notice by December 31 of year 2. If 
you were not required to provide a revised privacy notice under Sec.  
313.8, you must provide an annual privacy notice by July 9 of year 1.
    (B) You change your policies and practices in such a way that you 
no longer meet the requirements of paragraph (e)(1) of this section, 
and so provide an annual notice to your customers. After providing the 
annual notice to your customers, you once again meet the requirements 
of paragraph (e)(1) of this section for an exception to the annual 
notice requirement. You do not need to provide additional annual notice 
to your customers until such time as you no longer meet the 
requirements of paragraph (e)(1) of this section.

6. Amend Sec.  313.15 by revising paragraph (a)(4) to read as follows:


Sec.  313.15   Other exceptions to notice and opt out requirements.

    (a) * * *
    (4) To the extent specifically permitted or required under other 
provisions of law and in accordance with the Right to Financial Privacy 
Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies 
(including the Consumer Financial Protection 
Bureau, a federal functional regulator, the Secretary of the Treasury, 
with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and 
Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 
21 (Financial Recordkeeping), a State insurance authority, with respect 
to any person domiciled in that insurance authority's State that is 
engaged in providing insurance, and the Federal Trade Commission), 
self-regulatory organizations, or for an investigation on a matter 
related to public safety;
* * * * *


Sec.  313.18   [Removed]

7. Remove Sec.  313.18.

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2021-25735 Filed 12-8-21; 8:45 am]
BILLING CODE 6750-01-P