Annual Privacy Notice Requirement; Regulation P

This Proposed Rule document was issued by the Consumer Financial Protection Bureau (CFPB)

For related information, Open Docket Folder  Docket folder icon


BUREAU OF CONSUMER FINANCIAL PROTECTION
12 CFR Part 1016
[Docket No. CFPB-2014-0010]
RIN 3170-AA39

Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P)

Agency

Bureau of Consumer Financial Protection.

Action

Proposed rule with request for comment.

Summary

The Bureau of Consumer Financial Protection (Bureau) is proposing to amend Regulation P, which among other things requires that financial institutions provide an annual disclosure of their privacy policies to their customers. The amendment would create an alternative delivery method for this annual disclosure, which financial institutions would be able to use under certain circumstances.

Dates

Comments must be received on or before June 12, 2014.

Addresses

You may submit comments, identified by Docket No. CFPB-2014-0010 or RIN 3170-AA39, by any of the following methods:

  • Electronic: http://www.regulations.gov. Follow the instructions for submitting comments.
  • Mail/Hand Delivery/Courier: Monica Jackson, Office of the Executive Secretary, Consumer Financial Protection Bureau, 1700 G Street NW., Washington, DC 20552.

Instructions: All submissions should include the agency name and docket number or Regulatory Information Number (RIN) for this rulemaking. Because paper mail in the Washington, DC area and at the Bureau is subject to delay, commenters are encouraged to submit comments electronically. In general, all comments received will be posted without change to http://www.regulations.gov. In addition, comments will be available for public inspection and copying at the Bureau's offices in Washington, DC on official business days between the hours of 10 a.m. and 5 p.m. Eastern Time. You can make an appointment to inspect the documents by telephoning (202) 435-7275.

All comments, including attachments and other supporting materials, will become part of the public record and subject to public disclosure. Sensitive personal information, such as account numbers or Social Security numbers, should not be included.

For Further Information Contact

Nora Rigby and Joseph Devlin, Counsels; Office of Regulations, at (202) 435-7700.

Supplementary Information

I. Summary of the Proposed Rule

The Gramm-Leach-Bliley Act (GLBA) (1) mandates that financial institutions provide their customers with initial and annual notices regarding their privacy policies. If financial institutions share certain customer information with particular types of third parties, the institutions are also required to provide notice to their customers and an opportunity to opt out of the sharing. Many financial institutions currently mail printed copies of the annual GLBA privacy notices to their customers, but have expressed concern that this practice causes information overload for consumers and unnecessary expense.

In response to such concerns, the Bureau is proposing to allow financial institutions that do not engage in certain types of information-sharing activities to stop mailing an annual disclosure if they post the annual notices on their Web sites and meet certain other conditions. Specifically, the proposal would allow financial institutions to use the proposed alternative delivery method for annual privacy notices if: (1) The financial institution does not share the customer's nonpublic personal information with nonaffiliated third parties in a manner that triggers GLBA opt-out rights; (2) the financial institution does not include on its annual privacy notice an opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA); (3) the financial institution's annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the FCRA; (4) the information included in the privacy notice has not changed since the customer received the previous notice; and (5) the financial institution uses the model form provided in the GLBA's implementing Regulation P. A financial institution would still be required to use the currently permitted delivery method if the institution, among other things, has changed its privacy practices or engages in information-sharing activities for which customers have a right to opt out.

In using the proposed alternative method, a financial institution would have to insert a clear and conspicuous statement at least once per year on a notice or disclosure the institution issues under any other provision of law announcing that: the annual privacy notice is available on the financial institution's Web site; it will be mailed to customers who request it by calling a toll-free telephone number; and it has not changed. The financial institution would have to continuously post the annual privacy notice in a clear and conspicuous manner on a page of its Web site, without requiring a login or similar steps to access the notice. In addition, to assist customers with limited or no access to the internet, financial institutions would have to mail annual notices promptly to customers who request them by phone.

The proposal would apply to various types of financial institutions that provide consumer financial products and services. The Bureau is seeking comment on the proposal through June 12, 2014. The Bureau is also coordinating and consulting with other agencies that have authority to issue rules implementing GLBA with regard to certain other types of financial institutions, such as securities and futures traders, as well as consulting with other agencies that enforce the GLBA.

II. Background

A. The Statute and Regulation

The GLBA was enacted into law in 1999. (2) The GLBA, among other things, is intended to provide a comprehensive framework for regulating the privacy practices of an extremely broad range of entities. “Financial institutions” for purposes of the GLBA include not only depository institutions and non-depository institutions providing consumer financial products or services (such as payday lenders, mortgage brokers, check cashers, debt collectors, and remittance transfer providers), but also many businesses that do not offer or provide consumer financial products or services.

Rulemaking authority to implement the GLBA privacy provisions was initially spread among many agencies. The Federal Reserve Board (Board), the Office of Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS) jointly adopted final rules to implement the notice requirements of GLBA in 2000. (3) The National Credit Union Administration (NCUA), Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and Commodity Futures Trading Commission (CFTC) were part of the same interagency process, but issued their rules separately. (4) In 2009, all these agencies issued a joint final rule with a model form that financial institutions could use, at their option, to provide the required initial and annual privacy disclosures. (5)

In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) (6) transferred GLBA privacy notice rulemaking authority from the Board, NCUA, OCC, OTS, the FDIC, and the FTC (in part) to the Bureau. (7) The Bureau then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011. (8)

The Bureau has the authority to promulgate GLBA privacy rules for depository institutions and many non-depository institutions. However, rulewriting authority with regard to securities and futures-related companies is vested in the SEC and CFTC, respectively, and rulewriting authority with respect to certain motor vehicle dealers is vested in the FTC. (9) The Bureau has consulted and coordinated with these agencies and with the National Association of Insurance Commissioners (NAIC) concerning the proposed alternative delivery method. (10) The Bureau has also consulted with other appropriate federal agencies, as required under Section 1022 of the Dodd-Frank Act.

1. Annual Privacy Notices

The GLBA and its implementing regulation, Regulation P, (11) require that financial institutions (12) provide consumers with certain noticesdescribing their privacy policies. Financial institutions are generally required to first provide an initial notice of these policies, and then an annual notice to customers every year that the relationship continues. (13) (When a financial institution has a continuing relationship with the consumer, an annual privacy notice is required and the consumer is then referred to as a “customer.”) (14) These notices describe whether and how the financial institution shares consumers' nonpublic personal information, (15) including personally identifiable financial information, with other entities, and in some cases explain how consumers can opt out of certain types of sharing. The notices also briefly describe how financial institutions protect the nonpublic personal information they collect and maintain. Financial institutions typically use U.S. postal mail to send initial and annual privacy notices to consumers.

Implementing GLBA section 503, Regulation P generally requires the initial privacy notice, (16) and also mandates that financial institutions “provide a clear and conspicuous notice to customers that accurately reflects [their] privacy policies and practices not less than annually during the continuation of the customer relationship.” (17)

Section 502 of the GLBA and Regulation P at § 1016.6(a)(6) also require that initial and annual notices inform customers of their right to opt out of certain financial institution sharing of nonpublic personal information with some types of nonaffiliated third parties. For example, customers have the right to opt out of a financial institution selling the names and addresses of its mortgage customers to an unaffiliated home insurance company and, therefore, the institution would have to provide an opt-out notice before it sells the information. On the other hand, financial institutions are not required to allow consumers to opt out of the institutions' sharing involving third-party service providers, joint marketing arrangements, maintaining and servicing accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other activities that are specified in the statute and regulation as exceptions to the opt-out requirement. (18) If a financial institution limits its types of sharing to those which do not trigger opt-out rights, it may provide a “simplified” annual privacy notice to its customers that does not include opt-out information. (19)

In addition to opt-out rights under GLBA, financial institutions also may include in the annual privacy notice information about certain consumer opt-out rights under FCRA. The annual privacy disclosures under the GLBA/Regulation P and affiliate disclosures under the FCRA/Regulation V interact in two ways. First, section 603(d)(2)(A)(iii) of the FCRA excludes from the statute's definition of a consumer report (20) the sharing of certain information about a consumer among affiliates if the consumer is notified of such sharing and is given an opportunity to opt out. (21) Section 503(c)(4) of the GLBA and Regulation P, in turn, generally require financial institutions providing their customers with initial and annual privacy notices to incorporate into them any notification and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA. (22)

Second, section 624 of the FCRA and Regulation V's Affiliate Marketing Rule provide that an affiliate of a financial institution that receives certain information (23) about a consumer from the financial institution may not use the information to make solicitations for marketing purposes unless the consumer is notified of such use and provided with an opportunity to opt out of that use. (24) Regulation V, in turn, permits (but does not require) financial institutions providing their customers with initial and annual privacy notices under Regulation P to incorporate any opt-out disclosures provided under section 624 of the FCRA and subpart C of Regulation V into those notices. (25)

2. Method of Delivering Annual Privacy Notices

Section 503 of the GLBA sets forth the requirement that financial institutions provide initial and annual privacy disclosures to a consumer. Specifically, it states that “a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, of such financial institution's policies and practices with respect to” disclosing and protecting consumers' nonpublic personal information. (26) Although financial institutions provide most annual privacy notices by U.S. postal mail, Regulation P allows financial institutions to provide notices electronically (e.g., by email) to customers with their consent. (27)

B. CFPB Streamlining Initiative

In pursuit of the Bureau's goal of reducing unnecessary or unduly burdensome regulations, in December 2011, the Bureau issued a Request for Information seeking specific suggestions from the public for streamlining regulations the Bureau had inherited from other Federal agencies (Streamlining RFI). In that RFI, the Bureau specifically identified the annual privacy notice as a potential opportunity for streamlining and solicited comment on possible alternatives to delivering the annual privacy notice. (28)

Numerous industry commenters strongly advocated eliminating or limiting the annual notice requirement. They stated that most customers ignore annual privacy notices. Even if customers do read them, according to industry stakeholders, the content of these disclosures provides little benefit, especially if customers have no right to opt out of information sharing because the financial institution does not share nonpublic personal information in a way that triggers such rights. Financial institutions argued that mailing these notices imposes significant costs and that there are other ways of conveying to customers the information in the written notices just as effectively but at a lower cost. Several industry commenters suggested that if an institution's privacy notice has not changed, the institution should be allowed to communicate on the consumer's periodic statement, via email, or by some other cost-effective means that the annual privacy notice is available on its Web site or upon request, by phone. (29)

A banking industry trade association and other industry commenters suggested that the Bureau eliminate or ease the annual notice requirement for financial institutions if their privacy policies have not changed and they do not share nonpublic personal information beyond the exceptions allowed by the GLBA (e.g., sharing nonpublic personal information with the servicer of an account). They argued that the GLBA exceptions were crafted to allow what Congress viewed as non-problematic sharing and, therefore, the law does not permit consumers to opt out of such sharing. The need for an annual notice is thus less evident if a financial institution only shares nonpublic personal information pursuant to one of these exceptions. The trade association estimated that 75% of banks do not share beyond these exceptions and do not change their notices from year to year.

Consumer advocacy groups generally stated that customers benefit from financial institutions providing them with printed annual privacy notices, which may remind customers of privacy rights that they may not have exercised previously. Consumer representatives argued that these notices make customers aware of their privacy rights in regard to financial institutions, even if they have no opt-out rights. One compliance company commenter agreed with the consumer groups' view of the importance of the notices. One advocacy group suggested that a narrow easing of annual notice requirements where a financial institution shares information only with affiliates might not be objectionable, although it did not support changing the current requirements. The Bureau did not receive any comment on the annual privacy notice change from privacy advocacy groups.

C. Understanding the Effects of Certain Deposit Regulations—Study

In November of 2013, the Bureau published a study assessing the effects of certain deposit regulations on financial institutions' operations. (30) This study provided operational insights from seven banks about their annual privacy notices. (31) Many of these banks use third-party vendors, who design or distribute the notices on their behalf. All seven participants provided the annual notice as a separate mailing, which resulted in higher costs for postage, materials, and labor than if the notice were mailed with other material. Some financial institutions apparently send separate mailings to ensure that their disclosures are “clear and conspicuous,” (32) although 2009 guidance from the eight agencies promulgating the model privacy form explained that a separate mailing is not required. (33) This separate mailing practice contrasts with the usual financial institution preference (particularly for smaller study participants) to bundle mailings with monthly statements. Indeed, subsequent Bureau outreach suggests that many financial institutions do mail the annual privacy notice with other materials. Finally, while the study participants echoed the sentiment that few customers read privacy notices, participant banks with call centers also reported that after they send annual notices, the number of customers who call about the banks' privacy policies increases.

D. Further Outreach

In addition to the consultations with other government agencies discussed above, while preparing this proposed rule the Bureau conducted further outreach to industry and consumer advocate stakeholders. The Bureau held meetings with consumer groups, including groups and participants with a specific interest in privacy issues. The Bureau also held meetings with industry groups that represent institutions that must comply with the annual privacy notice requirement, including banks, credit unions, mortgage servicers, and debt buyers.

As with the responses to the Streamlining RFI, the consumer groups generally expressed the view that mailed privacy notices were useful, even when no opt-out rights were present, and that changes were not necessary. Among other comments, they suggested that the Bureau promote the use of the Regulation P model form. The industry participants also generally expressed similar views to those expressed by industry in response to the Streamlining RFI. They supported creation of an alternative delivery method for annual privacy notices. (34)

E. Privacy Considerations

In developing the proposal, the Bureau considered its potential impact on consumer privacy. The proposal would not affect the collection or use of consumers' nonpublic personal information by financial institutions. The proposal would expand the permissible methods by which financial institutions subject to Regulation P may deliver annual privacy notices to their customers in limited circumstances. Among other limitations, it would not expand the permissible delivery methods when financial institutions make various types of changes to their annual privacy notices or when their annual privacy notices afford customers the right to opt out of the sharing of their nonpublic personal information by financial institutions. The proposal isdesigned to ensure that when the alternative delivery method is used, customers would continue to have access to clear and conspicuous annual privacy notices.

III. Legal Authority

The Bureau is issuing this proposed rule pursuant to its authority under section 504 of the GLBA, as amended by section 1093 of the Dodd-Frank Act. (35) The Bureau is also issuing this proposed rule pursuant to its authority under sections 1022 and 1061 of the Dodd-Frank Act. (36)

Prior to July 21, 2011, rulemaking authority for the privacy provisions of the GLBA was shared by eight federal agencies: the Board, the FDIC, the FTC, the NCUA, the OCC, the OTS, the SEC, and the CFTC. The Dodd-Frank Act amended a number of Federal consumer financial laws, including the GLBA. Among other changes, the Dodd-Frank Act transferred rulemaking authority for most of Subtitle A of Title V of the GLBA, with respect to financial institutions described in section 504(a)(1)(A) of the GLBA, from the Board, FDIC, FTC, NCUA, OCC, and OTS (collectively, the transferor agencies) to the Bureau, effective July 21, 2011.

IV. Section-by-Section Analysis

Section 1016.9—Delivering Privacy and Opt-Out Notices

Existing § 1016.9 describes how a financial institution must provide both the initial notice required by § 1016.4 and the annual notice required by § 1016.5. Specifically, § 1016.9(a) requires the notice to be provided so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. Section 1016.9(b) provides examples of delivery that would result in reasonable expectation of actual notice, including hand delivery, delivery by mail, or electronic delivery for consumers who conduct transactions electronically. Section 1016.9(c) provides examples regarding reasonable expectation of actual notice that apply to annual notices only.

The Bureau believes that use of the alternative delivery method by financial institutions that meet the requirements discussed below is likely to reduce information overload, specifically by eliminating duplicative paper privacy notices in situations in which the customer generally has no ability to opt out of the financial institution's information sharing. (37) Moreover, the Bureau believes that the proposed rule's alternative delivery method would be likely to decrease the burden on financial institutions of delivering notices, (38) while generally continuing to require delivery of notices pursuant to the existing requirements in situations in which customers can opt out of information sharing. In response to the Streamlining RFI, a banking industry trade association estimated that 75% of banks do not change their notices from year to year and do not share information in a way that gives rise to customer opt-out rights. Accordingly, the Bureau believes that a large number of banks would be able to use the proposed alternative delivery method. Bureau outreach also suggests that a large majority of credit unions and many non-depository financial institutions would benefit from being able to use the alternative delivery method. In addition, because small financial institutions appear to be less likely to share their customers' nonpublic personal information in a way that triggers customers' opt-out rights, it is likely that many of them could decrease their costs through the use of the alternative delivery method.

Under the alternative delivery method, customers would have access via financial institutions' Web sites (or by postal mail on request) to annual privacy notices that use the model form, that generally do not inform customers of any right to opt out, and that convey the same information as in previous notices. Further, financial institutions would be required to post their privacy notice continuously on their Web sites and thus customers would be able to access the privacy notice throughout the year rather than waiting for an annual mailing. (39) Financial institutions would be required to deliver to customers an annual reminder, on another notice or disclosure, of the availability of the privacy notice on the institution's Web site. In light of these considerations, the Bureau believes that where the conditions set forth in the proposed rule are satisfied, any incremental benefit in terms of customers' awareness of privacy issues that might accrue from requiring delivery pursuant to the existing methods of the annual privacy notice could be outweighed by the costs of providing the notice, costs that ultimately may be passed through to customers. The Bureau has determined that the specific language of section 503(a) of the GLBA grants some latitude in specifying by rule the method of conveying the annual notices, so long as a “clear and conspicuous disclosure” is provided “in writing or in electronic form or other form permitted by the regulations.” This statutory interpretation would apply only to the specific type of disclosure involved in the limited circumstances proposed pursuant to the specific language of GLBA section 503. (40)

The Bureau seeks data and other information concerning the effect on customer privacy rights if financial institutions were to use the alternative delivery method rather than their current delivery method. The Bureau further requests comment on whether the proposed alternative delivery method would be effective in reducing the potential for information overload on customers and reducing the burden on financial institutions of mailing hard copy privacy notices. The Bureau also has been informed by some financial institutions and consumer advocatesthat financial institutions and customers are unnecessarily burdened by redundant opt-out requests because customers who receive the privacy notice are often unaware that they have previously opted out of information sharing. The Bureau notes that a financial institution may currently include with its privacy notice a separate notice explaining a customer's opt-out status, though the Bureau does not believe that many financial institutions do so. Although the Bureau is not proposing to change the model form or instructions in Regulation P at this time, the Bureau requests comment on whether financial institutions would want to include on the privacy notice itself a statement describing the customer's opt-out status.

Lastly, the Bureau notes that the proposed alternative delivery method would be available where customers have already consented to receive their privacy notices electronically pursuant to § 1016.9(a) and invites comment regarding how often privacy notices are delivered electronically under existing Regulation P. The Bureau further invites comment on whether the proposed alternative delivery method is appropriate for customers who already receive privacy notices electronically and whether financial institutions that currently provide the notice electronically would be likely to use the proposed alternative delivery method.

9(c)(2) Alternative Method for Providing Certain Annual Notices

9(c)(2)(i)

Proposed § 1016.9(c)(2) sets forth an alternative to § 1016.9(a) for providing certain annual notices. (Existing § 1016.9(c) would be redesignated as § 1016.9(c)(1) and its subparagraphs redesignated as § 1016.9(c)(1)(i) and (ii), respectively, to accommodate the new addition. The Bureau is also proposing to add a heading to new paragraph (c)(1) for technical reasons.) Specifically, proposed § 1016.9(c)(2)(i) would provide that, notwithstanding the general requirement in § 1016.9(a) that a notice be provided so that each consumer can reasonably be expected to receive actual notice, a financial institution may use the alternative method set forth in proposed § 1016.9(c)(2)(ii) to satisfy the requirement in § 1016.5(a)(1) to provide an annual notice if the institution meets certain conditions as specified in proposed § 1016.9(c)(2)(i)(A) through (E), which are discussed in detail below. The Bureau invites comment generally on the conditions in proposed § 1016.9(c)(2)(i)(A) through (E) and whether any of those conditions should not be required or whether additional conditions should be added. The Bureau notes that the proposed alternative delivery method would not alter the requirement in § 1016.5(a)(1) that the notice be provided annually.

9(c)(2)(i)(A)

Proposed § 1016.9(c)(2)(i)(A) would set forth the first condition for using the alternative delivery method: that the financial institution does not share the customer's information with nonaffiliated third parties other than through the activities specified under §§ 1016.13, 1016.14 and 1016.15 that do not trigger opt-out rights under the GLBA. Pursuant to § 1016.10(a), a financial institution generally may not disclose nonpublic personal information about a consumer to a nonaffiliated third party without first providing the consumer with a notice and opportunity to opt out of that sharing. Sections 1016.13, 1016.14, and 1016.15 lay out certain exceptions to the general opt-out requirement. (41) Accordingly, where a financial institution shares with nonaffiliated third parties as permitted by §§ 1016.13, 1016.14, and 1016.15, the financial institution is not required to provide the consumer with an opportunity to opt out of such sharing.

The Bureau believes that the alternative delivery method, while reducing burden, might not be as effective in alerting customers to their ability to opt out of certain types of information sharing as the current delivery method where a financial institution shares beyond the exceptions in §§ 1016.13, 1016.14, and 1016.15. The Bureau thus believes that the current delivery method for the annual notice pursuant to existing § 1016.9(a) is likely to be important for customers who have the right to opt out of information sharing. The Bureau believes that limiting the alternative delivery method to circumstances in which customers have no information sharing opt-out rights under Regulation P would generally reduce the burden of compliance while still mandating the use of the current delivery method to ensure that customers have notice of their opt-out rights where they exist. For the foregoing reasons, the Bureau proposes § 1016.9(c)(2)(i)(A).

The Bureau invites comment on the extent to which different financial institutions share beyond the exceptions in §§ 1016.13, 1016.14, and 1016.15 and thus would be precluded from using the proposed alternative delivery method. The Bureau further invites comment on the impact on customers of receiving the annual privacy notice pursuant to the current delivery method, rather than the proposed alternative delivery method, where the notice informs the customer of opt-out rights pursuant to Regulation P.

9(c)(2)(i)(B)

Proposed § 1016.9(c)(2)(i)(B) would set forth the second condition for using the alternative delivery method for the annual privacy notice: that the financial institution not include on its annual notice an opt out under section 603(d)(2)(A)(iii) of the FCRA. (42) As discussed in part II above, FCRA section 603(d)(2)(A)(iii) excludes from the statute's definition of “consumer report” a financial institution's sharing of certain information about a consumer with its affiliates if the financial institution provides the consumer with notice and an opportunity to opt out of the information sharing. Though this notice and opt out is a product of the FCRA rather than the GLBA, section 503(b)(4) of the GLBA and § 1016.6(a)(7) require a financial institution's privacy notice to include any disclosures the financial institution makes under section 603(d)(2)(A)(iii) of the FCRA. Accordingly, to the extent that a financial institution chooses to provide an opt out pursuant to FCRA section 603(d)(2)(A)(iii), § 1016.6(a)(7) requires the privacy notice to include that opt out. (43) For the same reasons as discussed with respect to proposed § 1016.9(c)(2)(i)(A), the Bureau proposes to allow a financial institution to use the alternative delivery method only if it does not share information in a way that triggers information sharing opt-out rights for the customer, including those under section 603(d)(2)(A)(iii) of the FCRA. Accordingly, the Bureau proposes § 1016.9(c)(2)(i)(B).

The Bureau invites comment on the extent to which different financialinstitutions provide a FCRA section 603(d)(2)(A)(iii) opt out and thus would be precluded from using the proposed alternative delivery method. The Bureau further invites comment on the benefit to customers of receiving the annual privacy notice pursuant to the current delivery method, rather than the proposed alternative delivery method, where the notice informs the customer of opt-out rights pursuant to FCRA section 603(d)(2)(A)(iii).

9(c)(2)(i)(C)

Proposed § 1016.9(c)(2)(i)(C) would contain the third condition for using the alternative delivery method: that the annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the FCRA (44) and subpart C of 12 CFR part 1022 (the “Affiliate Marketing Rule”). The Bureau is proposing to provide flexibility in the manner in which an annual notice which contains disclosures under the Affiliate Marketing Rule is provided since proposed § 1016.9(c)(2)(i)(C) would require the consumer to be provided the Affiliate Marketing notice and opt out separately, as discussed below. FCRA section 624, as implemented by the Affiliate Marketing Rule, provides that a person may not use certain information about a consumer that it receives from an affiliate to make solicitations for marketing purposes unless the consumer receives notice and the opportunity to opt out of this use from an affiliate with whom the consumer has or had a pre-existing business relationship. (45) The Affiliate Marketing Rule further governs the content, scope, and duration of that notice and opt out and the method by which it must be provided to consumers. (46)

In contrast to the FCRA section 603(d)(2)(A)(iii) notice and opt-out right, which is generally required to be included on the annual privacy notice by § 1016.6(a)(7) if a financial institution offers that opt out, the Affiliate Marketing Rule notice and opt out is not required to be included on the Regulation P privacy notice. The Affiliate Marketing Rule notice and opt out may be included on the privacy notice, however. Moreover, the model privacy notice includes a notice and opt out under FCRA section 624 and the Affiliate Marketing Rule, (47) and the Affiliate Marketing Rule specifically provides that its opt out may be incorporated into the GLBA privacy notice. (48) The instructions to the GLBA model privacy notice make clear that a financial institution subject to the Affiliate Marketing Rule may omit that notice and opt out from the GLBA model privacy notice, provided the institution separately complies with the Affiliate Marketing Rule. (49)

Given that the Affiliate Marketing Rule notice and opt out is not required on the annual privacy notice (and indeed does not have to be provided annually), (50) the Bureau believes that the existence of an opt-out right under the Affiliate Marketing Rule should not preclude a financial institution from using the proposed alternative delivery method. Instead, the Bureau is proposing that the alternative delivery method would be available for a financial institution that must provide a notice and opt out under the Affiliate Marketing Rule as long as the annual privacy notice is not the only notice provided to the customer explaining that opt-out right. In other words, a financial institution that undertakes opt-out obligations under the Affiliate Marketing Rule may use the alternative delivery method provided that it fulfills those notice and opt-out obligations separately from the annual privacy notice.

The Bureau notes that certain requirements for the Affiliate Marketing notice and opt out differ, depending on whether it is included as part of the model privacy notice or issued separately. Where a financial institution includes the Affiliate Marketing notice and opt out on the model privacy notice, Regulation P requires that opt out to be of indefinite duration. (51) In contrast, where a financial institution provides the Affiliate Marketing notice and opt out separately, Regulation V allows the opt out to be offered for as little as five years, subject to renewal, and the disclosure of the duration of the opt out must be included on the notice. (52) Because inclusion of the Affiliate Marketing opt out on the model privacy notice requires a financial institution to honor the opt out indefinitely, a financial institution that also offers the opt out right separately in order to use the alternative delivery method would be able to comply with both Regulations P and V by stating in the separate Affiliate Marketing notice that the opt out is of indefinite duration and by honoring such opt-out requests indefinitely.

The Bureau acknowledges that under this proposal some customers will no longer receive their annual privacy notice pursuant to the current delivery requirements even though the notice informs them of a right to opt out that exists pursuant to the Affiliate Marketing Rule. The Bureau believes, however, that this concern is mitigated by the fact that in such cases, proposed § 1016.9(c)(2)(i)(C) would require that the Affiliate Marketing Rule opt-out notice also be delivered separately from the annual privacy notice. (53) The Bureau considered but decided against proposing to prohibit use of the alternative delivery method where a financial institution provides an opt out under the Affiliate Marketing Rule. The Bureau believes that prohibiting the use of the alternative delivery method in that circumstance could discourage financial institutions from voluntarily providing the Affiliate Marketing notice and opt out through its annual privacy notice and could be at odds with a financial institution's choice whether to use the annual privacy notice to comply with its opt-out obligations under the Affiliate Marketing Rule. Accordingly, the Bureau is proposing § 1016.9(c)(2)(i)(C) which would permit use of the alternative delivery method for a financial institution that provides a notice and opt out under the Affiliate Marketing Rule, provided that the financial institution does not use the annual privacy notice as the sole means of providing notice to customers of that opt-out right.

The Bureau invites comment on the extent to which financial institutions include the Affiliate Marketing Rule opt out on their Regulation P privacy notices and thus would be precluded from using the proposed alternative delivery method unless they separately delivered an Affiliate Marketing Rule opt-out notice. The Bureau further invites comment on the benefit or harm to customers of receiving the annual privacy notice pursuant to the alternative delivery method if the notice informs the customer of opt-out rights pursuant to the Affiliate Marketing Rule and the customer would receive a separate Affiliate Marketing rule opt-out notice.

9(c)(2)(i)(D)

Proposed § 1016.9(c)(2)(i)(D) would present the fourth condition for using the alternative delivery method: that the information a financial institution is required to convey on its annual privacy notice pursuant to § 1016.6(a)(1) through (5), (8) and (9) has not changed since the immediately previous privacy notice, initial or annual, to the customer. The Bureau is proposing to provide more flexibility in the method by which a notice that has not changed may be delivered because it believes that delivery of the annual notice as currently required by § 1016.9(a) is likely less useful if the customer has already received a privacy notice, the financial institution's sharing practices remain generally unchanged since that previous notice, and the other requirements of proposed § 1016.9(c)(2)(i) are met. Proposed § 1016.9(c)(2)(i)(D) lists the specific disclosures of the privacy notice that must not change in order for a financial institution to take advantage of the alternative delivery method. They are:

(1) the categories of nonpublic personal information that the financial institution collects (§ 1016.6(a)(1));

(2) the categories of nonpublic personal information that the financial institution discloses (§ 1016.6(a)(2));

(3) the categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information, other than those parties to whom the financial institution discloses information under §§ 1016.14 and 1016.15 (§ 1016.6(a)(3));

(4) the categories of nonpublic personal information about the financial institution's former customers that the financial institution discloses and the categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information about the financial institution's former customers, other than those parties to whom the financial institution discloses information under §§ 1016.14 and 1016.15 (§ 1016.6(a)(4));

(5) if the financial institution discloses nonpublic personal information to a nonaffiliated third party under § 1016.13 (and no other exception in § 1016.14 or § 1016.15 applies to that disclosure), a separate statement of the categories of information the financial institution discloses and the categories of third parties with whom the financial institution has contracted (§ 1016.6(a)(5));

(6) the financial institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information (§ 1016.6(a)(8)); and

(7) any description of nonaffiliated third parties subject to exceptions as described in § 1016.6(b) (§ 1016.6(a)(9)). (54)

With respect to disclosures required by § 1016.6(a)(1) through (5) and (9) (items 1-5 and 7 in the list above), the Bureau emphasizes that a financial institution would be precluded from using the alternative delivery method only if it made changes in the category of information it collects or discloses so as to require changes to the disclosure on the notice itself. The disclosures required by § 1016.6(a)(1) through (5) and (9) describe categories of nonpublic personal information collected and disclosed and categories of third parties with whom that information is disclosed. Accordingly, only a change in or addition of a category of information collected or shared or in a category of third party with whom the information is shared would prevent a financial institution from satisfying proposed § 1016.9(c)(2)(i)(D). The Bureau further notes that stylistic changes in the wording of the notice that do not change the information conveyed on the notice would not prevent a financial institution from satisfying proposed § 1016.9(c)(2)(i)(D).

For example, assume a financial institution begins collecting information regarding potential customers' assets as part of an application process that the institution had not previously collected. If the institution had previously disclosed on its privacy notice that the nonpublic personal information it collected included information received from customers on applications or other forms, the financial institution would satisfy proposed § 1016.9(c)(2)(i)(D) notwithstanding the fact that the institution had not previously collected asset information. Similarly, a financial institution's decision to begin sharing its customers' nonpublic personal information with a mortgage broker, even where it had not previously shared that information with any mortgage brokers, would not prohibit the financial institution from satisfying proposed § 1016.9(c)(2)(i)(D) provided that the financial institution had previously disclosed on its privacy notice that it shared information with financial service providers.

With respect to the disclosure required by § 1016.6(a)(8), the Bureau notes that proposed § 1016.9(c)(2)(i)(D) would disallow the use of the alternative delivery method if a financial institution changes the required description of its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. The Bureau recognizes that this information is distinguishable from the information required by § 1016.6(a)(1) through (5) and (9) in that the information required by § 1016.6(a)(8) does not describe the financial institution's collecting or sharing of nonpublic personal information but instead describes the financial institution's overall data security policy. The Bureau believes that changes in the description of a financial institution's data security policy likely are significant enough that when they occur, the annual privacy notice should continue to be delivered according to the existing methods in § 1016.9. Indeed, in light of recent large-scale data security breaches, the Bureau believes that some customers may be more interested in the data security policies of their financial institutions than they were previously.

The Bureau notes that stylistic changes to the description of the data security policy that do not change the information conveyed on the notice would not prevent a financial institution from satisfying proposed § 1016.9(c)(2)(i)(D). The Bureau further notes that (similar to the information required by § 1016.6(a)(1) through (5) and (9)) changes to the underlying data security policy would preclude financial institutions from using the alternative delivery method only if these policy changes are substantial enough under Regulation P to trigger changes in the description of that policy on the annual notice itself. The Bureau believes, therefore, that financial institutions likely will be able to make improvements to their data security practices without necessarily changing information disclosed pursuant to § 1016.6(a)(8).

The Bureau invites comment about the effect on customers of conditioning availability of the alternative delivery method on there being no change from the previous year's notice without regard to the conditions that would be required by proposed § 1016.9(c)(2)(i)(A) through (C). The Bureau further invites comment on howoften financial institutions change their privacy notice such that they would be precluded from using the proposed alternative delivery method. Lastly, the Bureau invites comment on the extent to which a financial institution's changing its data security policy might preclude it from using the proposed alternative delivery method and whether the information disclosed pursuant to § 1016.6(a)(8) should be included in proposed § 1016.9(c)(2)(i)(D).

9(c)(2)(i)(E)

The last condition for use of the alternative delivery method, which would be set forth in proposed § 1016.9(c)(2)(i)(E), requires that the financial institution use the model privacy form for its annual privacy notice. Though use of the model form constitutes compliance with the notice content requirements of §§ 1016.6 and 1016.7, Regulation P does not require use of the model notice. (55) However, the Bureau believes that a large majority of financial institutions use the model notice. The model notice was adopted in 2009 as part of an interagency rulemaking because consumer research revealed that the model notice was easier to understand and use than most privacy notices then being used. (56) During outreach, consumer and privacy groups told the Bureau that that the model notice is easier for consumers to understand than other privacy notices. The Bureau is proposing to require use of the model notice as a condition of using the alternative delivery method to foster the use of a form of notice that appears to be more effective in conveying privacy policy information to customers than non-standard notices and thus enhance the effectiveness of the notice provided under the alternative method.

Accordingly, the Bureau is proposing § 1016.9(c)(2)(i)(E), which would permit use of the alternative delivery method only if a financial institution uses the model privacy form for its annual privacy notice. The Bureau believes that proposed § 1016.9(c)(2)(i)(E) is likely to encourage some financial institutions that are not currently doing so to use the model notice in order to take advantage of the cost savings associated with the alternative delivery method. Moreover, the Bureau does not believe that requiring use of the model notice to be eligible for the alternative delivery method creates a significant compliance burden for the minority of financial institutions that do not currently use it, especially given that financial institutions would not choose to use the alternative delivery method if the one-time cost of adopting the model notice were not more than offset by the ongoing burden reduction of the alternative delivery method for the annual notice.

The Bureau notes that the model form accommodates information that may be required by state or international law, as applicable, in a box called “Other important information.” (57) Accordingly, the Bureau expects that a financial institution that has additional privacy disclosure obligations pursuant to state or international law would still be able to use the model form in order to take advantage of the proposed alternative delivery method. The Bureau invites comment on related state or international law requirements and their interaction with the model privacy notice as well as the proposed alternative delivery method in general.

The Bureau does not contemplate that adoption of the model privacy form, which may require changes to the wording and layout of the privacy notice but not to the information conveyed, would constitute a change within the meaning of proposed § 1016.9(c)(2)(i)(D). In a somewhat analogous situation, the agencies that promulgated the model privacy notice explained: “Adoption of the model form, with no change in policies or practices, would not constitute a revised notice [for purposes of the rule section on revised privacy notices], although institutions may elect to consider the format change as revision, at their option.” (58) The Bureau solicits comment on whether adoption of the model form instead should be considered a change in the annual notice pursuant to proposed § 1016.9(c)(2)(i)(D) such that an institution adopting the model form in the first instance would be precluded from using the proposed alternative delivery method until the following year's annual notice. The Bureau further invites comment on the extent to which financial institutions currently use the model privacy notice and if they do not, whether they would choose to do so to take advantage of the proposed alternative delivery method. Lastly, the Bureau invites comment on the benefit to customers of receiving the model privacy notice rather than a privacy notice in a non-standard format.

9(c)(2)(ii)

In proposed § 1016.9(c)(2)(ii), the Bureau sets forth the alternative delivery method that would be permissible to satisfy the requirement in § 1016.5(a)(1) to provide an annual notice if a financial institution meets the conditions described in proposed § 1016.9(c)(2)(i). For the reasons discussed above, the Bureau believes that delivery of the annual privacy notice pursuant to the existing delivery requirements may be less important for customers if the requirements of proposed § 1016.9(c)(2)(i) are met. The Bureau believes that delivery pursuant to the alternative delivery method proposed, described in detail below, would inform customers of their financial institution's privacy policies effectively and at a lower cost than the current delivery methods. Although the Bureau believes it is unlikely, the Bureau recognizes the possibility that fewer customers may read the privacy notice when it is delivered pursuant to the alternative method than would have read the notice if it had been delivered to them using the current delivery methods. The Bureau requests comment on how frequently customers read privacy notices delivered pursuant to existing § 1016.9(a) and how frequently the notices would be read if they were provided pursuant to the proposed alternative delivery method. The Bureau further invites comment generally on the components of the alternative delivery method in proposed § 1016.9(c)(2)(ii)(A) through (C) and whether any of those components should not be required or whether additional components should be added.

9(c)(2)(ii)(A)

Proposed § 1016.9(c)(2)(ii)(A) would set forth the first component of the alternative delivery method: that a financial institution inform the customer of the availability of the annual privacy notice. To satisfy proposed § 1016.9(c)(2)(ii)(A), a financial institution would be required to convey in a clear and conspicuous manner not less than annually on a notice or disclosure the institution is required or expressly and specifically permitted to use under any other provision of law that its privacy notice has not changed, that the notice is available on its Web site and that a hard copy of the notice will be mailed to customers if they call a toll-free number to request one.

Proposed § 1016.9(c)(2)(ii)(A) would use the term “clear and conspicuous,” which is defined in existing § 1016.3(b)(1) as meaning “reasonably understandable” and “designed to call attention to the nature and significance of the information.” The Bureau believes that the existing examples in§ 1016.3(b)(2)(i) and (ii) for reasonably understandable and designed to call attention, respectively, likely would provide sufficient guidance on ways to make the notice of availability in proposed § 1016.9(c)(2)(ii)(A) clear and conspicuous. Specifically, because the notice of availability would be combined with another notice or disclosure sent to the customer, the Bureau points to existing § 1016.3(b)(2)(ii)(E), which states that on a form that combines a notice with other information, a notice containing distinctive type size, style, and graphic devices, such as shading or sidebars, is designed to call attention to the nature and significance of the information, as required under the clear and conspicuous definition.

With respect to the notice of availability being conveyed not less than annually, the Bureau notes that the proposed rule would permit it being included more often than annually (e.g., quarterly or monthly). Although the Bureau is proposing to require the notice of availability annually, the Bureau invites comment on the advantages and disadvantages of it being provided on a more frequent basis.

With respect to the type of statement that may be used to convey the notice of availability, proposed § 1016.9(c)(2)(ii)(A) would permit it to be conveyed on a notice or disclosure the institution is required or expressly and specifically permitted to issue under any other provision of law. This language is similar to that used in Regulation V, which provides that “a notice required by this subpart may be coordinated and consolidated with any other notice or disclosure required to be issued under any other provision of law. . . .” (59) Proposed § 1016.9(c)(2)(ii)(A) would add to that language in order to ensure that the notice of availability could be included on disclosures that are expressly and specifically permitted by law, even if not required. The Bureau notes that a notice of availability would satisfy proposed § 1016.9(c)(2)(ii)(A) if it were included on a periodic statement which is permitted but not required by Regulation DD (60) but would not satisfy proposed § 1016.9(c)(2)(ii)(A) if included on advertising materials that were neither required nor specifically permitted by law. Proposed § 1016.9(c)(2)(ii)(A) does not specify in more detail the type of statement on which the notice of availability must be conveyed because the Bureau intends the alternative delivery method to be flexible enough to be used by financial institutions whose business practices vary widely. The Bureau invites comment on the benefits and costs of requiring the notice of availability to be included on a document required or expressly and specifically permitted under any other provision of law.

The Bureau further notes that where two or more financial institutions provide a joint privacy notice pursuant to § 1016.9(f), proposed § 1016.9(c)(2)(ii)(A) would require each financial institution to separately provide the notice of availability on a notice or disclosure that it is required or permitted to issue. The Bureau invites comment on how often financial institutions jointly provide privacy notices and whether the proposed alternative delivery method would be feasible for such jointly issued notices.

Proposed § 1016.9(c)(2)(ii)(A) also would require the institution to state on the notice that its privacy policy has not changed. The Bureau intends this proposed requirement to help customers assess whether they are interested in reading the policy. This statement would always be accurate if the alternative delivery method is used correctly, since a financial institution could not use the alternative delivery method if its annual privacy notice had changed.

Proposed § 1016.9(c)(2)(ii)(A) would further require that the statement include a specific web address that takes customers directly to the page where the privacy notice is available and a toll-free telephone number for customers to call and request that a hard copy of the annual notice be mailed to them. With respect to the specific web address, the Bureau notes that the language of proposed § 1016.9(c)(2)(ii)(A) is somewhat similar to an option used on the model privacy notice to provide an online opt out of information sharing. (61) Proposed § 1016.9(c)(2)(ii)(A) requires a web address that the customer can type into a web browser to directly access the page that contains the privacy notice so that the customer need not click on any links after typing in the web address. The Bureau believes that a direct link may make it easier and more convenient for customers to access the privacy notice.

Proposed § 1016.9(c)(2)(ii)(A) would also require that the notice of availability include a toll-free number a customer can call to request a hard copy of the annual privacy notice. This requirement is intended to assist customers who do not have internet access or would prefer to receive a hard copy of the privacy notice. The Bureau notes that Regulation P currently contains provisions on the use of a toll-free number. For example, existing § 1016.6(d)(4)(i) lists a financial institution providing a toll-free number that the consumer may call to request a notice as an example of reasonable means by which a consumer who is not a customer may obtain a copy of an institution's privacy notice. The Bureau expects that most financial institutions will already have a toll-free number for their customers to contact them and thus providing a toll-free number for this purpose would not be a significant burden. Further, the Bureau is concerned that requiring a customer to pay for a call to the financial institution to request a copy of the privacy notice could impose a new cost on the customer that could deter customers from calling to request a hard copy of the notice.

The Bureau invites comment about the advantages and disadvantages of requiring financial institutions to provide a toll-free number and whether there would be other appropriate ways to balance customers' interests and to distinguish between small and large financial institutions. The Bureau further invites comment on the relative need that the telephone number for customers to request a copy of the privacy notice be toll-free, given recent technological and billing practice changes to the telephone industry. Lastly, the Bureau invites comment on the advantages and disadvantages of requiring financial institutions to provide a dedicated telephone number for privacy notice requests so that customers can easily request a hard copy of the notice without navigating a complicated automated telephone menu.

9(c)(2)(ii)(B)

Proposed § 1016.9(c)(2)(ii)(B) would set forth the second component of the alternative delivery method: That the financial institution post its current privacy notice continuously and in a clear and conspicuous manner on a page of the institution's Web site that contains only the privacy notice. The Bureau believes, based on its outreach, that this provision of the alternative delivery method is feasible for most financial institutions. Even for a financial institution that does not currently post its annual notice on its Web site, creating a specific page for this purpose is a one-time process that the Bureau believes most financial institutions could implement without significant cost. Further, the Bureaubelieves that encouraging financial institutions that do not already do so to post the privacy notice on their Web sites may benefit consumers by making the notices more widely available.

Proposed § 1016.9(c)(2)(ii)(B) would require that the annual notice be posted on a page of the Web site that contains only the privacy notice because the Bureau believes that were the notice included on a page with other content, such as other disclosures or promotions for products, that content could detract from the prominence of the notice and make it less likely that a customer would actually read it. However, information that is not content, such as navigational menus to other pages on the Web site, could appear on the same page as the privacy notice. The Bureau notes that other pages on the financial institution's Web site could link to the page containing the privacy notice but the customer would still have to be provided a specific web address that takes the customer directly to the page where the privacy notice is available to satisfy the requirement to post the notice on the financial institution's Web site in proposed § 1016.9(c)(2)(ii)(B). (62)

Proposed § 1016.9(c)(2)(ii)(B) would further require that the Web page that contains the privacy notice be accessible to the customer without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page. The Bureau is concerned that if customers were required to register for a login name or sign in to the financial institution's Web site simply to access the privacy notice, it could discourage some customers from accessing and reading the notice. Given that the alternative delivery method will require customers to seek out the annual notice in a way that they have not previously been required to do, proposed § 1016.9(c)(2)(ii)(B) intends to make accessing the privacy notice on an institution's Web site as simple and straightforward as possible. For the reasons described above, the Bureau proposes § 1016.9(c)(2)(ii)(B).

The Bureau invites comment regarding the prevalence of financial institutions that currently maintain Web sites, whether they currently post the Regulation P privacy notice on those Web sites, and if they do not currently do these things, how costly it would be to do so. The Bureau additionally seeks comment on whether financial institutions provide different privacy notices for different groups of customers, depending on the type of account the customer has with the financial institution, such that posting multiple privacy notices on the financial institution's Web site may create confusion as to which is the relevant privacy notice for any particular customer. Lastly, the Bureau seeks comment on the relative benefit or harm to customers of accessing the privacy notice on a financial institution's Web site as proposed.

9(c)(2)(ii)(C)

Proposed § 1016.9(c)(2)(ii)(C) would set forth the third component of the alternative delivery method: That the financial institution promptly mail its current privacy notice to those customers who request it by telephone. The Bureau proposes this requirement to assist customers without internet access and customers with internet access who would prefer to receive a hard copy of the notice. Proposed § 1016.9(c)(2)(ii)(C) would include a requirement that the notice be mailed promptly to indicate that a financial institution may not, for example, wait to mail the privacy notice until another notice or disclosure is sent to the customer, but would instead be required to mail the privacy notice shortly after receiving the customer's request to do so. The Bureau notes that consistent with privacy notices currently provided under Regulation P, financial institutions will not charge the customer for delivering the annual notice, given that delivery of the annual notice is required by statute and regulation. For these reasons, the Bureau proposes § 1016.9(c)(2)(ii)(C). The Bureau invites comment on whether prompt mailing of the privacy notice upon request is feasible for financial institutions and on the relative cost associated with mailing privacy notices on request. The Bureau further invites comment on whether requiring prompt mailing is sufficient to ensure that customers receive privacy notices in a timely manner or whether “promptly” should be more specifically defined, such as by a certain number of days.

9(c)(2)(iii)

Proposed § 1016.9(c)(2)(iii) would provide an example of a notice of availability that satisfies § 1016.9(c)(2)(ii)(A). The Bureau intends this example to provide clear guidance on permissible content for the notice of availability to facilitate compliance. The content of the example notice of availability in proposed § 1016.9(c)(2)(iii) draws from language in the existing model privacy notice, which was previously subject to consumer testing. (63) The proposed example would include the heading “Privacy Notice” in boldface on the notice of availability. The proposed example further would state that Federal law requires the financial institution to tell customers how it collects, shares, and protects their personal information; this language mirrors the “Why” box on the model privacy notices. (64) The remaining portion of the proposed example would inform customers that the financial institution's privacy notice has not changed, the address of the Web site at which customers can access the privacy notice, and the toll-free phone number to call to request a free copy of the notice. Because the Bureau believes that this language would provide a compliant and effective notice of availability, the Bureau proposes § 1016.9(c)(2)(iii).

The Bureau notes that the proposed example contains certain illustrative elements that would satisfy proposed § 1016.9(c)(2) but are not specifically required by the proposed rule text. These include entitling the notice of availability “Privacy Notice,” including a statement that “Federal law requires the financial institution to tell customers how it collects, shares, and protects their personal information,” and stating that getting a copy of the notice is “free” to the consumer. The Bureau invites comment on whether the proposed example notice of availability would be feasible for financial institutions to implement, whether the illustrative elements not specifically required by the rule should be so required, and whether the proposed language would be effective in informing customers of the availability of the privacy notice.

V. Section 1022(b)(2) of the Dodd-Frank Act

A. Overview

In developing the proposed rule, the Bureau has considered the potential benefits, costs, and impacts. (65) The Bureau requests comment on the preliminary analysis presented below as well as the submission of additional data that could inform the Bureau's analysis of the benefits, costs, and impacts of the rule. The Bureau has consulted and coordinated with the SEC, CFTC, FTC, and NAIC, and consulted with or offered to consult with, the OCC, Federal Reserve Board, FDIC, NCUA, and HUD, including regarding consistency with any prudential, market, or systemic objectives administered by such agencies.

The proposal would amend § 1016.9(c) of Regulation P to provide an alternative method for delivering annual privacy notices. A financial institution would be able to use the alternative delivery method if:

(1) It does not share information with nonaffiliated third parties other than for purposes under the exclusions allowed under Regulation P;

(2) It does not include on its annual privacy notice an opt out under section 603(d)(2)(A)(iii) of the FCRA;

(3) The annual privacy notice is not the only method used to satisfy the requirements of section 624 of the FCRA and subpart C of part 1022, if applicable;

(4) Certain information it is required to convey on its annual privacy notice has not changed since it provided the immediately previous privacy notice; and

(5) It uses the Regulation P model privacy form for its annual privacy notice.

Under the proposed alternative delivery method, the financial institution would have to:

(1) Convey at least annually on another notice or disclosure that its privacy notice is available on its Web site and will be mailed upon request to a toll-free number. Among other things, the institution would have to include a specific web address that takes the customer directly to the privacy notice;

(2) Post its current privacy notice continuously on a page of its Web site that contains only the privacy notice, without requiring a login or any conditions to access the page; and

(3) Promptly mail its current privacy notice to customers who request it by telephone.

B. Potential Benefits and Costs to Consumers and Covered Persons

Proposed § 1016.9(c)(2) provides certain benefits to consumers relative to the baseline established by the current provisions of Regulation P. The proposal provides an incentive for financial institutions to adopt the model privacy form and to post it on their Web sites; or, if already adopted, to post the model privacy form on their Web sites; as long as there are no other reasons that the financial institutions would not be able to use the alternative delivery method. Recent research establishes that, at least for banks, a large number do not post the model privacy form on their Web sites. While the Bureau does not know how many of these financial institutions would need to make this change in order to use the alternative delivery method, at least some additional consumers would learn about the information sharing policies of financial institutions through the model privacy form as a result of proposed § 1016.9(c)(2). (66) Given the consumer testing that went into the development of the model form and the public input that went into its design, the Bureau believes that the model form is generally clearer and easier to understand than most privacy notices that deviate from the model. (67) Thus, proposed § 1016.9(c)(2) would likely make it easier for some consumers to review privacy policies and opt outs and to make comparisons across the privacy policies and opt outs of financial institutions.

Proposed § 1016.9(c)(2) may also benefit certain consumers by disclosing that a financial institution's privacy policy has not changed and by reducing the number of full, unchanged privacy policies certain consumers receive every year. Under the proposal, consumers who transact with financial institutions that adopt the alternative delivery method would be informed through a notice or disclosure they are already receiving that the privacy policy has not changed but is available for their review, and these consumers would only receive the full privacy policy as a matter of course when it has changed or other requirements for use of the alternative delivery method are not met. While there is no data available on the number of consumers who are indifferent to (or dislike) receiving full, unchanged privacy notices every year, the limited use of opt outs and anecdotal evidence suggest that there are such consumers. (68) Some consumers who want to review privacy policies may prefer reading the privacy form on a Web site to being mailed one, especially since financial institutions using the alternative delivery method must limit their information sharing to practices that do not give consumers opt-out rights.

The Bureau believes that few consumers would experience any costs from proposed § 1016.9(c)(2). There is a risk that some consumers may be less informed about a financial institution's information sharing practices if the financial institution adopts the proposed alternative delivery method. However, proposed § 1016.9(c)(2)(ii)(A) mitigates this risk by requiring annually a clear and conspicuous statement that the privacy notice is available on the Web site, and proposed § 1016.9(c)(2)(ii)(B) ensures that the model privacy form is posted continuously in a clear and conspicuous manner on the Web site. Consumers may print the privacy policy at their own expense, while under current § 1016.9(c)(2) the notice is delivered to them, which represents a transfer of costs from industry to consumers. However, proposed § 1016.9(c)(2)(ii)(A) would provide consumers with a toll-free telephone number to request that the privacy notice be mailed to the consumer, which gives consumers the option of obtaining the notice without incurring the cost of printing it. Further, the Bureau believes that a printed form is mostly valuable to consumers who would exercise opt-out rights. However, the only opt outs that could be available to the consumer under proposed § 1016.9(c)(2) would be voluntary opt opt outs from modes of sharing information that are covered by exceptions, or (at the institution's discretion) an Affiliate Marketing opt-out beyond those the institution has previously provided elsewhere. Voluntary opt outs do not appear to be common. (69)

Regarding benefits and costs to covered persons, the primary effect of the proposal would be burden reduction by lowering the costs to industry of providing annual privacy notices. Proposed § 1016.9(c)(2) would impose no new compliance requirements on any financial institution. All methods of compliance under current law would remain available to a financial institution if the proposal were adopted, and a financial institution that is in compliance with current law would not be required to take any different or additional action. The Bureau believes that a financial institution would adopt the proposed alternative delivery method only if it expected the costs of complying with the proposed alternative delivery method would be lower than the costs of complying with current Regulation P.

By definition, the expected cost savings to financial institutions from the proposed revisions to § 1016.9(c) is the expected number of annual privacy notices that would be provided through the proposed alternative delivery method multiplied by the expected reduction in the cost per-notice from using the alternative delivery method. As explained below, many financial institutions would not be able to use the proposed alternative delivery method without changing their information sharing practices. For example, the Bureau believes that few financial institutions would find it in their interest to change information sharing practices just to reduce the costs of providing the annual privacy notice. Thus, the first step in estimating the expected cost savings to financial institutions from proposed § 1016.9(c)(2) would be to identify the financial institutions whose current information sharing practices would allow them to use the proposed alternative method. The Bureau would then need to determine their currents costs for providing the annual privacy notices and the expected costs of providing these notices under proposed § 1016.9(c)(2). (70)

The Bureau does not have sufficient data to perform every step of this analysis, but it performed a number of analyses and outreach activities to approximate the expected cost savings. Regarding banks, the Bureau examined the privacy policies of the 19 banks with assets over $100 billion as well as the privacy policies of 106 additional banks selected through random sampling. (71) The Bureau found that the overall average rate at which banks' information sharing practices would make them eligible for using the alternative delivery method if other conditions were met is 80%. However, only 18% of sampled banks with assets over $10 billion could clearly use the proposed alternative delivery method, while 81% of sampled banks with assets of $10 billion or less and 88% of sampled banks with assets of $500 million or less could clearly use the proposed alternative delivery method. These results indicate that a large majority of smaller banks would likely be able to use the proposed alternative delivery method but most of the largest banks would not. (72)

One caveat regarding these estimates and the ones that follow concerns the use of consolidated privacy notices by entities regulated by different agencies. Entities that could comply with Regulation P by adopting the alternative delivery method are not likely to do so unless they have large numbers of readily identified customers with whom compliance with GLBA does not further require compliance with the GLBA regulations of other agencies. While the Bureau does not have data on the frequency with which entities that use consolidated privacy notices also meet these additional conditions, the Bureau believes that many entities that use consolidated privacy notices are larger financial institutions with information sharing practices that would not allow them to use the alternative delivery method for compliance with Regulation P. The Bureau's estimates regarding the adoption of the alternative delivery method are accurate, notwithstanding the use of consolidated privacy notices, if the use of consolidated privacy notices is highly correlated with information sharing practices that alone would prevent the adoption of the alternative delivery mechanism. The Bureau requests data and other factual information regarding this correlation and more generally regarding the extent to which the use of consolidated privacy notices may prevent the adoption of the alternative delivery method.

The Bureau also examined the privacy policies of the four credit unions with assets over $10 billion as well as the privacy policies of 50 additional credit unions selected through random sampling. The Bureau found that two of the four credit unions with assets over $10 billion could clearly use the proposed alternative delivery method without changing their information sharing policies. Further, 62% of sampled credit unions with assets over $500 million could clearly use the alternative delivery method. However, the Bureau also found that only 13 of the 25 sampled credit unions with assets of $500 million or less either posted the model privacy form on their Web sites or provided enough information about their sharing practices to permit a clear determination regarding whether the alternative delivery method would be available to them (2 of the 25 did not have Web sites). The Bureau found that 11 of the 13 (85%) for which a determination could be made would be able to use the proposed alternative delivery method, and the Bureau believes that a significant majority of the sample of 25 would be able to use the proposed alternative delivery method (perhaps after adopting the model form). For purposes of this analysis, the Bureau conservatively assumes that 11 of the 25 sampled credit unions with assets of $500 million or less would be able to use the proposed alternative delivery method and requests comment on how to improve this estimate.

Regarding non-depository financial institutions, the Bureau believes based on initial outreach that a majority are likely to be able to use the alternative delivery method. For instance, the prohibition on disclosing information to third parties in the Fair Debt Collection Practices Act (FDCPA) leads the Bureau to believe that financial institutions subject to those limits likely would be able to use the alternative delivery method when GLBA notice requirements apply. (73) The Bureau willcontinue to refine its knowledge of the information sharing practices of non-depository financial institutions and the extent to which they may be able to use the proposed alternative delivery method. The Bureau requests comment and the submission of information relevant to this issue.

Although these initial estimates provide some insight into the numbers of banks and credit unions that could use the alternative delivery method, the Bureau does not have precise data on the number of annual privacy notices these institutions currently provide. Thus, it is not possible to directly compute the total number of annual privacy notices that would no longer be sent. The Bureau does, however, have information on the burden of providing the annual privacy notices from the Paperwork Reduction Act Supporting Statements for Regulation P that are on file with the Office of Management and Budget. This information can be used to obtain an initial estimate of the ongoing savings from the alternative delivery method. (74)

In estimating this savings for banks and credit unions, the analysis above establishes that it is essential to take into account the variation by the size of banks and credit unions in the likelihood they could use the alternative delivery method. To ensure that these differences inform the estimates, the Bureau allocated the total burden of providing the annual privacy notices to asset classes in proportion to the share of assets in the class. The Bureau then estimated an amount of burden reduction specific to each asset class using the results from the sampling described above. The total burden reduction is then the sum of the burden reductions in each asset class. For banks and credit unions combined, the estimated reduction in burden using this methodology is approximately $6 million annually. Regarding non-depositories, the Bureau believes that a large fraction of non-depositories of all sizes would be able to use the alternative delivery method and used the overall average rate at which banks could utilize the alternative delivery method. The estimated reduction in burden is approximately $10 million annually. (75) Thus, the Bureau believes that the total reduction in burden is approximately $16 million dollars annually. This represents about 56% of the total $28.5 million annual cost of providing the annual privacy notice and opt-out notices under Regulation P. (76) The Bureau requests comment on this preliminary analysis as well as the submission of additional data that could inform the Bureau's consideration of the cost savings to financial institutions.

The Bureau notes that these estimates of ongoing savings are gross figures and do not take into account any ongoing costs associated with the alternative delivery method. The Bureau believes that such ongoing costs would be minimal. They would consist of additional text on a notice or disclosure the institution already provides, additional phone calls from consumers requesting that the model form be mailed, and the costs of mailing the forms prompted by these calls. The Bureau currently believes that few consumers will request that the form be mailed in order to read it or to exercise any voluntary opt-out right. There would be minimal ongoing costs associated with the alternative delivery method from maintaining a Web page if a financial institution already has a Web site and none whatsoever if the financial institution already has a Web page dedicated to the annual privacy policy. The Bureau's research indicates that all but the smallest banks and credit unions have Web sites and the estimates of cost savings assume that they would not adopt the alternative delivery method. The Bureau is not aware of information regarding the use of Web sites by non-depository financial institutions and welcomes information relevant to understanding the costs to these institutions of adopting the alternative delivery method.

In developing the proposed rule, the Bureau considered alternatives to the requirements it is proposing. As discussed at length above, the Bureau believes that the alternative delivery method might not adequately alert customers to their ability to opt out of certain types of information sharing were it available where a financial institution shares beyond the exceptions in §§ 1016.13, 1016.14, and 1016.15. Thus, the Bureau considered but is not proposing an option in which the alternative delivery method could be used where a financial institution shares beyond one or more of these exceptions. For the same reason, the Bureau considered but is not proposing an option in which the alternative delivery method could be used where a financial institution shares information in a way that triggers information sharing opt-out rights under section 603(d)(2)(A)(iii) of the FCRA. On the other hand, the Bureau considered but is not proposing an option in which the alternative delivery method could never be used where a financial institution provides an opt-out right under the Affiliate Marketing Rule. A financial institution may use the alternative delivery method if it fulfills its opt-out obligations under the Affiliate Marketing Rule separately from the annual privacy notice. This case is distinguishable from the other two in that the customer is not dependent on the alternative delivery method to be made aware of the opt-out right under the Affiliate Marketing Rule.

The Bureau also considered alternatives to the requirements regarding the types of information that cannot have changed since the previous annual notice to be able to use the alternative delivery method. The Bureau discussed these alternatives at length above and incorporates that discussion here.

C. Potential Specific Impacts of the Rule

The Bureau currently understands that 81% of banks with $10 billion or less in assets would be able to utilize the alternative delivery method, with a greater opportunity for utilization among the smaller banks. Thus, the proposed rule may have differential impacts on insured depository institutions with $10 billion or less in assets as described in section 1026 of the Dodd-Frank Act. The Bureau also currently understands that at least 45% of credit unions with $10 billion or less in assets, and perhaps substantially more, would be able to utilize the alternative delivery method, with a greater opportunity for utilization among banks in the middle of this group. The uncertainty reflects the relatively large number of very small credit unions that do not post the model form on their Web sites and which therefore could not clearly use the alternative delivery method.

The Bureau does not believe that the proposed rule would reduce consumers' access to consumer financial products or services or have a unique impact on rural consumers.

VI. Regulatory Flexibility Act

The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires each agency to consider the potential impact of its regulations on small entities, including small businesses, small governmental units,and small not-for-profit organizations. The RFA generally requires an agency to conduct an initial regulatory flexibility analysis (IRFA) and a final regulatory flexibility analysis (FRFA) of any rule subject to notice-and-comment rulemaking requirements, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. (77) The Bureau also is subject to certain additional procedures under the RFA involving the convening of a panel to consult with small business representatives prior to proposing a rule for which an IRFA is required. (78)

An IRFA is not required here because the proposal, if adopted, would not have a significant economic impact on a substantial number of small entities. The Bureau does not expect the proposal to impose costs on small entities. All methods of compliance under current law will remain available to small entities if the proposal is adopted. Thus, a small entity that is in compliance with current law need not take any different or additional action if the proposal is adopted. In addition, as discussed above, the Bureau believes that the proposed alternative method would allow many institutions to reduce their costs, and that small financial institutions may be more likely to qualify for using the alternative delivery method than large institutions based on the complexity of large institutions' information sharing practices.

Accordingly, the undersigned certifies that this proposal, if adopted, would not have a significant economic impact on a substantial number of small entities.

VII. Paperwork Reduction Act

Under the Paperwork Reduction Act of 1995 (PRA), (79) Federal agencies are generally required to seek Office of Management and Budget (OMB) approval for information collection requirements prior to implementation. This proposal would amend Regulation P, 12 CFR part 1016. The collections of information related to Regulation P have been previously reviewed and approved by OMB in accordance with the PRA and assigned OMB Control Number 3170-0010. Under the PRA, the Bureau may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB.

As explained below, the Bureau has determined that this proposed rule does not contain any new or substantively revised information collection requirements other than those previously approved by OMB. Under this proposal, a financial institution will be permitted, but not required, to use an alternative delivery method for the annual privacy notice if:

(1) It does not share information with nonaffiliated third parties other than for purposes covered by the exclusions allowed under Regulation P;

(2) It does not include on its annual privacy notice an opt out under section 603(d)(2)(A)(iii) of the FCRA;

(3) The annual privacy notice is not the only method used to satisfy the requirements of section 624 of the FCRA and subpart C of part 1022, if applicable;

(4) Certain information it is required to convey on its annual privacy notice has not changed since it provided the immediately previous privacy notice; and

(5) It uses the Regulation P model privacy form for its annual privacy notice.

Under the proposed alternative delivery method, the financial institution would have to:

(1) Convey at least annually on another notice or disclosure that its privacy notice is available on its Web site and will be mailed upon request to a toll-free number. Among other things, the institution would have to include a specific web address that takes the customer directly to the privacy notice;

(2) Post its current privacy notice continuously on a page of its Web site that contains only the privacy notice, without requiring a login or any conditions to access the page; and

(3) Promptly mail its current privacy notice to customers who request it by telephone.

Under Regulation P, the Bureau generally accounts for the paperwork burden for the following respondents pursuant to its enforcement/supervisory authority: Insured depository institutions with more than $10 billion in total assets, their depository institution affiliates, and certain non-depository institutions. The Bureau and the FTC generally both have enforcement authority over non-depository institutions subject to Regulation P. Accordingly, the Bureau has allocated to itself half of the final rule's estimated burden to non-depository institutions subject to Regulation P. Other Federal agencies, including the FTC, are responsible for estimating and reporting to OMB the paperwork burden for the institutions for which they have enforcement and/or supervision authority. They may use the Bureau's burden estimation methodology, but need not do so.

The Bureau does not believe that this proposed rule would impose any new or substantively revised collections of information as defined by the PRA, and instead believes that it would have the overall effect of reducing the previously approved estimated burden on industry for the information collections associated with the Regulation P annual privacy notice. Using the Bureau's burden estimation methodology, the reduction in the estimated ongoing burden would be approximately 567,000 hours annually for the roughly 13,500 banks and credit unions subject to the proposed rule, including Bureau respondents, and the roughly 29,400 entities regulated by the Federal Trade Commission also subject to the proposed rule. The reduction in estimated ongoing costs from the reduction in ongoing burden would be approximately $16 million annually.

The Bureau believes that the one-time cost of adopting the alternative delivery method for financial institutions that would adopt it is de minimis. Financial institutions that already use the model form and would adopt the alternative delivery method would incur minor one-time legal, programming and training costs. These institutions would have to communicate on a notice or disclosure they are already issuing under any other provision of law that the privacy notice is available. The expense of adding this notice would be minor. Staff may need some additional training in storing copies of the model form and sending it to customers on request. Institutions that do not use the model form would incur a one-time cost for creating one. However, since the promulgation of the model privacy form in 2009, an Online Form Builder has existed which any institution can use to readily create a unique, customized privacy notice using the model form template. (80) The Bureau assumes that financial institutions that do not currently have Web sites or provide a toll-free number to their customers would not choose to comply with these requirements in order to use the alternative delivery method.

The Bureau's methodology for estimating the reduction in ongoing burden was discussed at length above. The Bureau defined five strata for banks under $100 billion and three strata for credit unions under $10 billion, drewrandom samples from each of the strata (separately for banks and credit unions) and examined the GLBA privacy notices available on the financial institutions' Web sites, if any. The Bureau separately examined the Web sites of all banks over $100 billion (one additional bank stratum) and all credit unions over $10 billion (one additional credit union stratum). This process provided an estimate of the fraction of institutions within each bank or credit union stratum which would likely be able to use the alternative delivery method. In order to compute the reduction in ongoing burden (by stratum and overall) for these financial institutions, the Bureau apportioned the existing ongoing burden to each stratum according to the share of overall assets held by the financial institutions within the stratum. This was done separately for banks and credit unions. Note that this procedure ensures that the largest financial institutions, while few in number, are apportioned most of the existing burden. The Bureau then multiplied the estimate of the fraction of institutions within each stratum that would likely be able to use the alternative delivery method by the estimate of the existing ongoing burden within each stratum, separately for banks and credit unions. As discussed above, the largest bank and credit union strata tended to have the lowest share of financial institutions that could use the alternative delivery method.

For the non-depository institutions subject to the FTC's enforcement authority that are subject to the Bureau's Regulation P, the Bureau estimated the reduction in ongoing burden by applying the overall share of banks that would likely be able to use the alternative delivery method (80%) to the current ongoing burden on non-depository financial institutions (exclusive of auto dealers) from providing the annual privacy notices and opt outs.

The Bureau takes all of the reduction in ongoing burden from banks and credit unions with assets $10 billion and above and half the reduction in ongoing burden from the non-depository institutions subject to the FTC enforcement authority that are subject to the Bureau's Regulation P. The total reduction in ongoing burden taken by the Bureau is 256,000 hours or $6.2 million annually.

The Bureau has determined that the proposed rule does not contain any new or substantively revised information collection requirements as defined by the PRA and that the burden estimate for the previously-approved information collections should be revised as explained above. The Bureau welcomes comments on these determinations or any other aspect of the proposal for purposes of the PRA. Comments should be submitted as outlined in theADDRESSESsection above. All comments will become a matter of public record.

List of Subjects in 12 CFR Part 1016

Banks, banking, Consumer protection, Credit, Credit unions, Foreign banking, Holding companies, National banks, Privacy, Reporting and recordkeeping requirements, Savings associations, Trade practices.

Authority and Issuance

For the reasons set forth in the preamble, the Bureau proposes to amend Regulation P, 12 CFR part 1016, as set forth below:

Part 1016 Privacy of Consumer Financial Information Regulation P

1. The authority citation for part 1016 continues to read as follows:

Authority

12 U.S.C. 5512, 5581; 15 U.S.C. 6804.

Subpart a Privacy and Opt Out Notices

2. Section 1016.9(c) is revised to read as follows:

§ 1016.9
Delivering privacy and opt out notices.

* * * * *

(c) Annual notices only. (1) Reasonable expectation. You may reasonably expect that a customer will receive actual notice of your annual privacy notice if:

(i) The customer uses your Web site to access financial products and services electronically and agrees to receive notices at the Web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the Web site; or

(ii) The customer has requested that you refrain from sending any information regarding the customer relationship, and your current privacy notice remains available to the customer upon request.

(2) Alternative method for providing certain annual notices. (i) Notwithstanding paragraph (a) of this section, you may use the alternative method described in paragraph (c)(2)(ii) of this section to satisfy the requirement in § 1016.5(a)(1) to provide a notice if:

(A) You do not share information with nonaffiliated third parties other than for purposes under §§ 1016.13, 1016.14, and 1016.15;

(B) You do not include on your annual privacy notice pursuant to § 1016.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii));

(C) The annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the Fair Credit Reporting Act (15 U.S.C. 1681s-3) and subpart C of part 1022 of this chapter, if applicable;

(D) The information you are required to convey on your annual privacy notice pursuant to § 1016.6(a)(1) through (5), (8), and (9) has not changed since you provided the immediately previous privacy notice, initial or annual, to the customer; and

(E) You use the model privacy form in the appendix to this part for your annual privacy notice.

(ii) For an annual privacy notice that meets the requirements in paragraph (c)(2)(i) of this section, you satisfy the requirement in § 1016.5(a)(1) to provide a notice if you:

(A) Convey in a clear and conspicuous manner not less than annually on a notice or disclosure you are required or expressly and specifically permitted to issue under any other provision of law that your privacy notice is available on your Web site and will be mailed to the customer upon request by telephone to a toll-free number. The statement must state that your privacy notice has not changed and must include a specific Web address that takes the customer directly to the page where the privacy notice is posted and a toll-free telephone number for the customer to request that it be mailed;

(B) Post your current privacy notice continuously in a clear and conspicuous manner on a page of your Web site that contains only the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page; and

(C) Mail promptly your current privacy notice to those customers who request it by telephone.

(iii) An example of a statement that satisfies paragraph (c)(2)(ii)(A) of this section is: Privacy Notice [in boldface]—Federal law requires us to tell you how we collect, share, and protect your personal information. Our privacy policy has not changed and you may review our policy and practices with respect to your personal information at [Web address] or we will mail you a free copy upon request if you call us toll-free at [toll-free telephone number].

* * * * *

Dated: May 6, 2014.
Richard Cordray,
Director,Bureau of Consumer Financial Protection.
[FR Doc. 2014-10713 Filed 5-12-14; 8:45 am]
BILLING CODE 4810-AM-P

Footnotes

(1) 15 U.S.C. 6801 et seq.

(2) Public Law 106-102.

(3) 65 FR 35162 (June 1, 2000).

(4) 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 40334 (June 29, 2000) (SEC final rule); 66 FR 21252 (Apr. 27, 2001) (CFTC final rule).

(5) 74 FR 62890 (Dec. 1, 2009).

(6) Public Law 111-203, 124 Stat. 1376 (2010).

(7) Public Law 111-203, section 1093. The FTC retained rulewriting authority over any financial institution that is a person described in 12 U.S.C. 5519 (i.e., motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).

(8) 76 FR 79025 (Dec. 21, 2011).

(9) 15 U.S.C 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b).

(10) In regard to any Regulation P rulemaking, section 504 of GLBA provides that each of the agencies authorized to prescribe GLBA regulations (currently the Bureau, FTC, SEC, and CFTC) “shall consult and coordinate with the other such agencies and, as appropriate, . . . with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, for the purpose of assuring, to the extent possible, that the regulations prescribed by each such agency are consistent and comparable with the regulations prescribed by the other such agencies.” 15 U.S.C. 6804(a)(2).

(11) 12 CFR part 1016.

(12) Regulation P defines “financial institution.”See 12 CFR 1016.3(l).

(13) 12 CFR 1016.4, 1016.5(a)(1).

(14) 12 CFR 1016.3(i).

(15) Regulation P defines “nonpublic personal information.”See 12 CFR 1016.3(p).

(16) 12 CFR 1016.4(a).

(17) 12 CFR 1016.5(a)(1) (emphasis added).

(18) 15 U.S.C. 6802(b)(2), (e); 12 CFR 1016.13, 1016.14, 1016.15.

(19) Section 1016.6(c)(5) allows financial institutions to provide “simplified notices” if they do not disclose, and do not wish to reserve the right to disclose, nonpublic personal information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under §§ 1016.14 and 1016.15. The exceptions at §§ 1016.14 and 1016.15 track statutory exemptions and cover a variety of situations, such as maintaining and servicing the customer's account, securitization and secondary market sale, and fraud prevention. They directly exempt institutions from the opt-out requirements. The exception that includes service providers and joint marketing arrangements, at § 1016.13, is also statutory, but financial institutions that share according to this exception may not use the simplified notice, even though consumers cannot opt out of this sharing.

(20) The FCRA defines “consumer report” generally as “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for: (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 1681b of this title.” 15 U.S.C. 1681a.

(21) 15 U.S.C. 1681a(d)(2)(A)(iii).

(22) 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).

(23) The type of information to which section 624 applies is information that would be a consumer report, but for the exclusions provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA (i.e., a report solely containing information about transactions or experiences between the consumer and the institution making the report, communication of that information among persons related by common ownership or affiliated by corporate control, or communication of other information as discussed above).

(24) 15 U.S.C. 1681s-3 and 12 CFR pt. 1022, subpart C.

(25) 12 CFR 1022.23(b).

(26) 15 U.S.C. 6803(a) (emphasis added).

(27) 12 CFR 1016.9(a) states that a financial institution may deliver the notice electronically if the consumer agrees. After discussions with industry stakeholders, however, the Bureau believes that most consumers have not agreed to receive electronic disclosures.

(28) 76 FR 75825, 75828 (Dec. 5, 2011).

(29) On a related issue, industry commenters stated that the annual notice causes confusion and unnecessary opt-out requests from customers who do not recall that they have already opted out in a previous year. As stated in the Supplementary Information to the Final Model Privacy Form Under the Gramm-Leach-Bliley Act, a financial institution is free to provide additional information in other, supplemental materials to customers if it wishes to do so. See 74 FR 62890, 62908 (Dec. 1, 2009). A financial institution could include supplemental materials advising those customers who previously opted out that they do not need to opt out again.

(30) Consumer Financial Protection Bureau, “Understanding the Effects of Certain Deposit Regulations on Financial Institutions' Operations: Findings on Relative Costs for Systems, Personnel, and Processes at Seven Institutions” (Nov. 2013), available at http://files.consumerfinance.gov/f/201311_cfpb_report_findings-relative-costs.pdf.

(31) Information collected for the study may be used to assist the Bureau in its investigations of “the effects of a potential or existing regulation on the business decisions of providers.” OMB Information Request—Control Number: 3170-0032.

(32) 15 U.S.C. 6803 (“[In the initial and annual privacy notices] a financial institution shall provide a clear and conspicuous disclosure . . .”); 12 CFR 1016.3(b)(1) (defining “clear and conspicuous” as “reasonably understandable and designed to call attention to the nature and significance of the information in the notice.”)

(33) See 74 FR 62890, 62897-62898.

(34) Recently Congress considered proposed legislation that would provide burden relief as to annual privacy notices, though no law has been enacted. See, e.g., H.R. 749, passed by the House and referred to the Senate in March of 2013; and S. 635, introduced in the Senate in late 2013.

(35) 15 U.S.C. 6804.

(36) 12 U.S.C. 5512, 5581.

(37) The Bureau notes that the proposed alternative delivery method would be available even where a financial institution offers a notice and opt out under the Affiliate Marketing Rule, subpart C of 12 CFR part 1022, which relates to marketing based on information shared by a financial institution, as long as the Affiliate Marketing Rule notice and opt out is also provided separately from the Regulation P privacy notice. See the section-by-section discussion of proposed § 1016.9(c)(2)(i)(C), below.

(38) The Bureau notes that under current Regulation P, financial institutions are not required to deliver the privacy notice separately from other documents, although the Bureau believes that many financial institutions do so.

(39) Fostering comparison shopping by consumers among financial institutions was one of the objectives that GLBA model privacy notices, primarily initial privacy notices, were intended to accomplish. See 15 U.S.C. 6803(e). Facilitating comparison shopping based on privacy policies was also mentioned repeatedly in the preamble to the model privacy notice rule. See 74 FR 62890 (Dec. 1, 2009). The Bureau invites empirical data on whether consumers do comparison shop among financial institutions based on privacy notices.

(40) While the agencies previously charged with GLBA privacy notice rulemaking authority appear to have read the statutory grant of authority more restrictively (See, e.g., 65 FR at 35174 (June 1, 2000), those agencies did not cite or interpret the statutory language quoted above and were not considering a form of electronic notice. Commenters to the agencies' proposed rule had suggested that the notice (including opt outs) be available only on request, or that a short-form notice be permitted in certain circumstances, and the agencies interpreted the statute as not allowing such arrangements. The Bureau's proposed rule's disclosure strategy is very different, and allows immediate access to the privacy notice for the overwhelming majority of customers.

Further, circumstances have changed since the 2000 rulemaking. In 2000, only 41.5% of U.S. households had internet access at home. In contrast, as of 2012, 74.8% of U.S. households had internet access at home and 80% of U.S. adults were using the internet, thus making easy access to electronic notices significantly more widespread. See U.S. Census data, “Households With a Computer and Internet Use: 1984 to 2012,”available at https://www.census.gov/hhes/computer/publications/2012.html and Pew Research Internet Project, available at http://www.pewinternet.org/2014/02/27/summary-of-findings-3/.

(41) Specifically, § 1016.13 provides that the opt-out requirement generally does not apply where a financial institution shares nonpublic personal information with nonaffiliated third parties to provide services to the sharing financial institution, including for marketing products or services of the financial institution or those of other financial institutions with which the sharing institution has joint marketing agreements. Section 1016.14 provides that the opt-out requirement generally does not apply where the financial institution shares nonpublic personal information as required to process or service transactions for the consumer's account. Section 1016.15 provides that the opt-out requirement does not apply to certain specific types of information sharing by the financial institution, including, for example, at the consumer's request, to protect the confidentiality of the financial institution's records, to a consumer reporting agency, and to comply with a properly authorized civil, criminal or regulatory investigation.

(42) 15 U.S.C. 1681a(d)(2)(A)(iii).

(43) See 64 FR 35162, 35176 (June 1, 2000).

(44) 15 U.S.C. 1681s-3.

(45) 12 CFR 1022.21(a).

(46) 12 CFR 1022.22, 1022.23, 1022.24, 1022.25, 1022.26, and 1022.27.

(47) Appendix to part 1016 at C.2.d.6.

(48) 12 CFR 1022.23(b).

(49) Appendix to part 1016 at C.2.d.6.

(50) 72 FR 62910, 62930 (Nov. 7, 2007).

(51) Regulation P provides, “Institutions that include this reason [for sharing or using personal information] must provide an opt-out of indefinite duration.” Appendix to part 1016 at C.2.d.6.

(52) 12 CFR 1022.22(b). 12 CFR 1022.23(a)(1)(iv).

(53) Alternatively, the financial institution could continue to use the current delivery method and include the Affiliate Marketing opt out on the annual privacy notice, with no separate notice required.

(54) Note that the information disclosed pursuant to § 1016.6(a)(6) and (7) are not among the provisions in proposed § 1016.9(c)(2)(i)(D) because those disclosures relate to opt-out rights the existence of which would make the alternative delivery method unavailable for a financial institution under proposed § 1016.9(c)(2)(i)(A) and (B), as discussed above. In addition, the omission from proposed § 1016.9(c)(2)(i)(D) of the opt-out disclosures under GLBA and FCRA makes clear that a financial institution may change its privacy policy so as to eliminate information sharing that triggers opt-out rights and may then make use of the alternative delivery method for the next annual privacy notice.

(55) 12 CFR 1016.2.

(56) 74 FR 62890, 62891 (Dec. 1, 2009).

(57) Appendix to part 1016 at C.3.c.1.

(58) 74 FR 62890, 62907 n. 196.

(59) 12 CFR 1022.23(b).

(60) 12 CFR 1030.6.

(61) Appendix to 12 CFR part 1016, at C.2.e.

(62) With regard to the proposed requirement that the notice be posted in a “clear and conspicuous” manner, the Bureau notes that existing § 1016.3(b)(2)(iii) gives examples of what clear and conspicuous means for a privacy notice posted on a Web site. One example provides that a financial institution designs its notice to call attention to the nature and significance of the information in the notice if it uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensures that other elements on the Web site (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice. Section 1016.3(b)(2)(iii)(A) and (B) also provides examples of clear and conspicuous placement of the notice within the financial institution's Web site but these examples do not seem relevant to the posting of the notice for the alternative delivery method because consumers will be typing into their web browser the web address of the specific page that contains the annual notice, rather than navigating to the annual notice from the financial institution's home page. To the extent that a financial institution is satisfying existing § 1016.9(a) and not the alternative delivery method proposed in § 1016.9(c)(2) by posting the privacy notice on its Web site, the clear and conspicuous examples in § 1016.3(b)(2)(iii)(A) and (B) still apply.

(63) See Appendix to 12 CFR part 1016, at A.

(64) Id.

(65) Specifically, section 1022(b)(2)(A) of the Dodd-Frank Act calls for the Bureau to consider the potential benefits and costs of a regulation to consumers and covered persons, including the potential reduction of access by consumers to consumer financial products or services; the impact on depository institutions and credit unions with $10 billion or less in total assets as described in section 1026 of the Dodd-Frank Act; and the impact on consumers in rural areas.

(66) See L.F. Cranor, K. Idouchi, P.G. Leon, M. Sleeper, B. Ur, Are They Actually Any Different? Comparing Thousands of Financial Institutions' Privacy Practices. The Twelfth Workshop on the Economics of Information Security (WEIS 2013), June 11-12, 2013, Washington, DC. They find that only about half of FDIC insured depositories (3,422 out of 6,701) post the model privacy form on their Web sites.

(67) The development and testing of the model privacy notice is discussed in L. Garrison, M. Hastak, J.M. Hogarth, S. Kleimann, A.S. Levy, Designing Evidence-based Disclosures: A Case Study of Financial Privacy Notices. The Journal of Consumer Affairs, Summer 2012: 204-234. See also the model privacy form final rule, 74 FR 62890 (December 1, 2009).

(68) One early analysis of the use of the opt outs reported at most 5% of consumers make use of them in any year, and likely fewer. See J.M. Lacker, The Economics of Financial Privacy: To Opt Out or Opt In? Federal Reserve Bank of Richmond Economic Quarterly, Volume 88/3, Summer 2002.

(69) See Cranor et al. (2013). Their findings (Table 2) imply that at most 15% of the 3,422 FDIC insured depositories that post the model privacy form on their Web sites offer at least one voluntary opt out.

(70) The analysis that follows makes certain additional assumptions about adjustments that financial institutions are not likely to make just to be able to adopt the alternative delivery method. For example, small institutions might not find it worthwhile to establish Web sites or toll-free numbers given the relatively small savings in costs that might result. These assumptions are discussed further below.

(71) The Bureau defined five strata for banks under $100 billion and three strata for credit unions under $10 billion and drew random samples from each of the strata. We obtained privacy policies from the Web sites of financial institutions.

(72) As discussed in the Section-by-Section Analysis, a banking trade association commenting on the Streamlining RFI estimated that 75% of banks do not change their notices from year to year and do not share information in a way that gives rise to customer opt-out rights. The Bureau's estimate is consistent with this comment.

(73) FDCPA section 805(b) prohibits communication with third parties in connection with the collection of a debt.

(74) It is worth noting at the outset that, with this methodology, the total cost of providing the annual privacy notice is approximately $28.5 million per year.

(75) Note that this figure excludes auto dealers. Auto dealers are regulated by the FTC and would not be directly impacted by this amendment to Regulation P.

(76) The total reduction is approximately $17 million annually if 85% of credit unions with assets of $500 million or less use the proposed alternative delivery method. This represents about 60% of the total annual cost of providing these notices.

(77) 5 U.S.C. 603-605.

(78) 5 U.S.C. 609.

(79) 44 U.S.C. 3501 et seq.

(80) This Online Form Builder is available at http://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.

 
 
Comment Period Closed
Jul 14 2014, at 11:59 PM ET
ID: CFPB-2014-0010-0001
View original printed format:
PDF

Document Information

Date Posted: May 13, 2014
RIN: 3170-AA39
CFR: 12 CFR Part 1016
Federal Register Number: 2014-10713
Show More Details  

Comments

126
Comments Received*
See attached comment letter.
See attached ex parte submission.
See attached comment letter.

Docket Information

This document is contained in
Related Dockets: None
Related RINs: None
Related Documents: None
Related Comments:

* This count refers to the total comment/submissions received on this document, as of 11:59 PM yesterday. Note: Agencies review all submissions, however some agencies may choose to redact, or withhold, certain submissions (or portions thereof) such as those containing private or proprietary information, inappropriate language, or duplicate/near duplicate examples of a mass-mail campaign. This can result in discrepancies between this count and those displayed when conducting searches on the Public Submission document type. For specific information about an agency’s public submission policy, refer to its website or the Federal Register document.

Document text and images courtesy of the
Federal Register