Current through Register Vol. 63, No. 12, December 1, 2024
(1) This rule implements the requirement of
the annual notice under ORS
746.620, describes the contents
of the annual notice and provides examples of categories of information
required in the annual notice.
(2)
The following are examples of categories of personal financial information
collected by a licensee. A licensee satisfies the requirement of categorizing
the personal financial information it collects if the licensee categorizes it
according to the source of the information, as applicable:
(a) Information from the consumer;
(b) Information about the consumer's
transactions with the licensee or its affiliates;
(c) Information about the consumer's
transactions with nonaffiliated third parties; and
(d) Information from an insurance support
organization.
(3) The
following are examples of categories of personal financial information
disclosed by a licensee:
(a) A licensee
satisfies the requirement of categorizing personal financial information it
discloses if the licensee categorizes the information according to source, as
described in section (2) of this rule, as applicable, and provides a few
examples to illustrate the types of information in each category. These may
include:
(A) Information from the consumer,
including application information such as assets and income and identifying
information such as name, address and social security number;
(B) Transaction information, such as
information about balances, payment history and parties to the transaction;
and
(C) Information from consumer
reporting agencies, such as a consumer's creditworthiness and credit
history.
(b) A licensee
does not adequately categorize the information that it discloses if the
licensee uses only general terms, such as transaction information about the
consumer.
(c) If a licensee may
disclose all of the personal financial information about consumers that it
collects, the licensee may simply state that fact without describing the
categories or examples of personal financial information that the licensee
discloses.
(4) The
following are examples for describing categories of affiliated and
nonaffiliated third parties to which a licensee discloses information:
(a) A licensee satisfies the requirement of
categorizing the affiliates and nonaffiliated third parties to which the
licensee discloses personal financial information about consumers if the
licensee identifies the types of business in which they engage.
(b) Types of businesses may be described by
general terms only if the licensee uses a few illustrative examples of
significant lines of business. For example, a licensee may use the term
financial products or services if it includes appropriate examples of
significant lines of businesses, such as life insurer, automobile insurer,
consumer banking or securities brokerage.
(c) A licensee may also categorize the
affiliates and nonaffiliated third parties to which it discloses personal
financial information about consumers using more detailed categories.
(5) An annual notice shall include
an explanation of the consumer's right under ORS
746.665(1)(k)
to opt out of the disclosure of personal financial information to nonaffiliated
third parties, including the method by which the consumer may exercise the
right at that time. An annual notice that contains such an explanation
satisfies the requirement of 746.620(3)(f). If a licensee discloses personal
financial information under the exception in 746.665(1)(k) to a nonaffiliated
third party to market products or services that it offers alone or jointly with
another financial institution, the licensee satisfies the applicable disclosure
requirement of this rule if the licensee:
(a)
Lists the categories of personal financial information it discloses, using the
same categories and examples the licensee used to meet the requirements of
section (1) of this rule.
(b)
States whether the third party is:
(A) A
service provider that performs marketing services on the licensee's behalf or
on behalf of the licensee and another financial institution; or
(B) A financial institution with whom the
licensee has a joint marketing agreement.
(6) If a licensee does not disclose personal
financial information about customers or former customers to affiliates or
nonaffiliated third parties except as authorized under ORS
746.665(1)(a) to (j) and (m) to
(q), and under 746.665(1)(L) in connection
with an audit, the licensee may state that fact, in addition to the information
it is required to provide under 746.620(3)(a), (h) and (i), and (4).
(7) A licensee describes its policies and
practices relating to protection of the confidentiality and security of
personal financial information if it does both of the following:
(a) Describes in general terms who is
authorized to have access to the information; and
(b) States whether the licensee has security
practices and procedures in place to ensure the confidentiality of the
information in accordance with the licensee's policy. The licensee is not
required to describe technical information about the safeguards it
uses.
(8) A licensee's
notice may include any of the following:
(a)
Categories of personal financial information that the licensee reserves the
right to disclose in the future but does not currently disclose; and
(b) Categories of affiliates or nonaffiliated
third parties to whom the licensee reserves the right in the future to
disclose, but to whom the licensee does not currently disclose, personal
financial information.
Stat. Auth.: ORS
731.244, ORS
746.600 & ORS
746.620
Stats. Implemented: ORS
746.600, ORS
746.620, ORS
746.630 & ORS
746.665
