Tuesday, February 22, 2000

Part II

Department of the Treasury
Office of the Comptroller of the Currency
Office of Thrift Supervision
12 CFR Parts 40 and 573

Federal Reserve System
12 CFR Part 216

Federal Deposit Insurance Corporation
12 CFR Part 332

Privacy of Consumer Financial Information; Proposed Rule

VerDate 16<FEB>2000 19:23 Feb 18, 2000 Jkt 190000 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\22FEP2.SGM pfrm11 PsN: 22FEP2



8770 Federal Register / Vol. 65, No. 35 / Tuesday, February 22, 2000 / Proposed Rules

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 40

[Docket No. 00–05]

RIN 1557–AB77

FEDERAL RESERVE SYSTEM

12 CFR Part 216

[Docket No. R–1058]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 332

RIN 3064–AC32

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 573

[Docket No. 2000–13]

RIN 1550–AB36

Privacy of Consumer Financial Information

AGENCIES: Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; and Office of Thrift Supervision, Treasury.

ACTION: Joint notice of proposed rulemaking.

SUMMARY: The Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and the Office of Thrift Supervision (collectively, the Agencies) are requesting comment on proposed privacy rules published pursuant to section 504 of the Gramm-Leach-Bliley Act (the G-L-B Act or Act). Section 504 authorizes the Agencies to issue regulations as may be necessary to implement notice requirements and restrictions on a financial institution’s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Pursuant to section 503 of the G-L-B Act, a financial institution must provide its customers with a notice of its privacy policies and practices. Section 502 prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties unless the institution satisfies various disclosure and opt-out requirements and the consumer has not elected to opt out of the disclosure. These proposed rules implement the requirements outlined above.

DATES: Comments must be received by March 31, 2000.

ADDRESSES: Comments should be directed to:

Office of the Comptroller of the Currency (OCC): Communications Division, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219, Attention: Docket No. 00–05; FAX number (202) 874–5274 or Internet address: [email protected]. Comments may be inspected and photocopied at the same location.

Board of Governors of the Federal Reserve System (Board): Comments, which should refer to Docket No. R–1058, may be mailed to Ms. Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th and C Streets, NW, Washington, DC 20551 or mailed electronically to [email protected]. Comments addressed to Ms. Johnson also may be delivered to the Board’s mail room between 8:45 a.m. and 5:15 p.m. and to the security control room outside of those hours. Both the mail room and the security control room are accessible from the courtyard entrance on 20th Street between Constitution Avenue and C Street, NW. Comments may be inspected in Room MP–500 between 9 a.m. and 5 p.m., pursuant to § 261.12, except as provided in § 261.14, of the Board’s Rules Regarding the Availability of Information, 12 CFR 261.12 and 261.14.

Federal Deposit Insurance Corporation (FDIC): Send written comments to Robert E. Feldman, Executive Secretary, Attention: Comments/OES, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429. Comments may be hand delivered to the guard station at the rear of the 17th Street building (located on F Street) on business days between 7 a.m. and 5 p.m. (Fax number (202) 898–3838). Comments may be inspected and photocopied in the FDIC Public Information Center, Room 100, 801 17th Street, NW., Washington, DC 20429, between 9 a.m. and 4:30 p.m. on business days.

Comments may be submitted to the FDIC electronically over the Internet at www.fdic.gov. Further information concerning this option may be found below at ‘‘FDIC’s New Electronic Public Comment Site.’’ Comments also may be mailed electronically to [email protected].

Office of Thrift Supervision (OTS): Send comments to Manager, Dissemination Branch, Information Management & Services Division, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, Attention Docket No. 2000–13. Hand deliver comments to Public Reference Room, 1700 G Street, NW., lower level, from 9:00 A.M. to 5:00 P.M. on business days. Send facsimile transmissions to FAX Number (202) 906–7755 or (202) 906–6956 (if the comment is over 25 pages). Send e-mails to [email protected] and include your name and telephone number. Interested persons may inspect comments at 1700 G Street, NW., from 9 a.m. until 4 p.m. on business days.

FOR FURTHER INFORMATION CONTACT:

OCC
Amy Friend, Assistant Chief Counsel (202) 874–5200
Mark Tenhundfeld, Assistant Director, Legislative and Regulatory Activities Division (202) 874–5090
Michael Bylsma, Director, Community and Consumer Law (202) 874–5750
Steve Van Meter, Senior Attorney, Community and Consumer Law (202) 874–5750
Karen Furst, Policy Analyst, Economic and Policy Analysis (202) 874–4509
Paul Utterback, National Bank Examiner, Bank Supervision Policy (202) 874–5461, or
Jeffery Abrahamson, Attorney, Legislative and Regulatory Activities Division (202) 874–5090

Board
Oliver I. Ireland, Associate General Counsel (202) 452–3625
Stephanie Martin, Managing Senior Counsel (202) 452–3198, or
Thomas Scanlon, Attorney (202) 452–3594, Legal Division, or
Adrienne D. Hurt, Assistant Director (202) 452–2412
Jane J. Gell, Managing Counsel (202) 452–3667, or
James H. Mann, Attorney (202) 452–2412, Division of Consumer and Community Affairs.

For the hearing impaired only, contact Diane Jenkins, Telecommunications Device for the Deaf (TDD) (202) 452–3544, Board of Governors of the Federal Reserve System, 20th and C Streets, NW, Washington, DC 20551.

FDIC
Deanna Caldwell, Community Affairs Officer, Division of Compliance and Consumer Affairs, (202) 736–0141
James K. Baebel, Senior Review Examiner, Division of Compliance and Consumer Affairs, (202) 736–0229
Robert A. Patrick, Counsel, Regulations and Legislation Section, (202) 898–3757




¹ The NCUA, FTC, SEC, and the Treasury Department also have participated in the rulemaking process, and the NCUA, FTC, and SEC will separately issue comparable proposed rules.

Marc J. Goldstrom, Counsel, Regulations and Legislation Section, (202) 898–8807
Marilyn E. Anderson, Senior Counsel, Regulations and Legislation Section, (202) 898–3522
Nancy Schucker Recchia, Counsel, Regulations and Legislation Section, (202) 898–8885.

OTS
Christine Harrington, Counsel (Banking and Finance), (202) 906–7957
Paul Robin, Assistant Chief Counsel, (202) 906–6648, Regulations and Legislation Division; or
Cindy Baltierra, Program Analyst, Compliance Policy (202) 906–6540, Office of Thrift Supervision, 1700 G Street, NW., Washington DC 20552.

SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in the following outline:

I. Background
II. Section-by-Section Analysis
III. FDIC’s New Electronic Public Comment Site
IV. Regulatory Analysis
A. Paperwork Reduction Act
B. Regulatory Flexibility Act
C. Executive Order 12866
D. Unfunded Mandates Act of 1995
V. Solicitation of Comments on Use of ‘‘Plain Language’’

I. Background

On November 12, 1999, President Clinton signed the G–L–B Act (Pub. L. 106–102, codified at 15 U.S.C. 6801 et seq.) into law. Subtitle A of Title V of the Act, captioned Disclosure of Nonpublic Personal Information, limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a financial institution to disclose to all of its customers the institution’s privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties. Title V also requires the Agencies, the Secretary of the Treasury, the National Credit Union Administration (NCUA), the Federal Trade Commission (FTC), and the Securities and Exchange Commission (SEC), after consulting with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, to prescribe such regulations as may be necessary to carry out the purposes of the provisions in Title V that govern disclosure of nonpublic personal information.

The Agencies have prepared proposed rules to implement Subtitle A that are consistent and comparable to the extent possible, as is required by the statute.¹ Except where noted in the discussion of the proposed definitions of ‘‘nonpublic personal information,’’ ‘‘personally identifiable financial information,’’ and ‘‘publicly available information,’’ the texts of the Agencies’ proposed regulations are substantively identical. The Agencies request comment on all aspects of the proposed rules as well as comment on the specific provisions and issues highlighted in the section-by-section analysis below.

II. Section-by-Section Analysis

The discussion that follows applies to each of the Agencies’ proposed rules. Given that each agency will assign a different part to its privacy rule, the citations are to sections only, leaving citations to part numbers blank.

§ __.1 Purpose and Scope

Proposed paragraph (a) of this section identifies three purposes of the rules. First, the rules require a financial institution to provide notice to consumers about the institution’s privacy policies and practices. Second, the rules describe the conditions under which a financial institution may disclose nonpublic personal information about a consumer to a nonaffiliated third party. Third, the rules provide a method for a consumer to ‘‘opt out’’ of the disclosure of that information to nonaffiliated third parties, subject to the exceptions in proposed §§ __.9, __.10, and __.11, as discussed below.

Proposed paragraph (b) sets out the scope of the banking agencies’ rules and tracks the scope of enforcement set out in section 505(a) of the G–L–B Act. This paragraph notes that the rules apply only to information about individuals who obtain a financial product or service from a financial institution to be used for personal, family, or household purposes.

The G–L–B Act and the proposed rules apply to domestic offices of United States banks and domestic branches and agencies of foreign banks. The Agencies request comment on whether the rules should apply to foreign financial institutions that solicit business in the United States but that do not have an office in the United States.

§ __.2 Rule of Construction

Proposed § __.2 of the rules sets out a rule of construction intended to clarify the effect of the examples used in the rules. Given the wide variety of transactions that Title V of the G–L–B Act covers, the Agencies propose to adopt rules of general applicability and provide examples of conduct that would, and would not, comply with the rule. While the general rules are consistent among the Agencies’ proposals to the extent possible, the examples used by the Federal banking agencies differ on occasion from those used by the other agencies in order to provide guidance that may be most meaningful to entities within a given agency’s jurisdiction.

The examples are provided in furtherance of the Federal banking agencies’ obligation under section 722 of the G–L–B Act to use ‘‘plain language’’ in all proposed and final rules published after January 1, 2000. These examples are not intended to be exhaustive; rather, they are intended to provide guidance about how the rules would apply in specific situations. The Agencies invite comment on whether including examples in the rule is useful and suggestions on additional or different examples that may be helpful in illustrating compliance with the rule.

§ __.3 Definitions

a. Affiliate. The proposed rules adopt the definition of ‘‘affiliate’’ that is used in section 509(6) of the G–L–B Act. An affiliation will be found when one company ‘‘controls’’ (which is defined in § __.3(g), below), is controlled by, or is under common control with another company. The definition includes both financial institutions and entities that are not financial institutions.

b. Clear and conspicuous. Title V of the G–L–B Act and the proposed rules require that various notices be ‘‘clear and conspicuous.’’ The proposed rules define this term to mean that the notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.

The proposed rules do not mandate the use of any particular technique for making the notices clear and conspicuous, but instead allow each financial institution the flexibility to decide for itself how best to comply with this requirement. Ways in which a notice may satisfy the clear and conspicuous standard would include, for instance, using a plain-language caption, in a type set easily seen, that is designed to call attention to the information contained in the notice. Other plain language principles are provided in the examples that follow the general rule.

c. Collect. The proposed rules define ‘‘collect’’ to mean obtaining any information that is organized or retrievable on a personally identifiable basis, irrespective of the source of the underlying information. Several sections of the proposed rule (see, e.g., §§ __.6 and __.7) impose obligations that arise when a financial institution collects information about a consumer. This proposed definition clarifies that these obligations arise when the information enables the user to identify a particular consumer. It also clarifies that the obligations arise regardless of whether the financial institution obtains the information from a consumer or from some other source.

² A ‘‘customer’’ may be defined differently for purposes of other regulations. See, e.g., 12 CFR 7.4002.

d. Company. The proposed rules define ‘‘company,’’ which is used in the definition of ‘‘affiliate,’’ as any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.

e. Consumer. The proposed rules define ‘‘consumer’’ to mean an individual who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family, or household purposes. An individual also will be deemed to be a consumer for purposes of a financial institution if that institution purchases the individual’s account from some other institution. The definition also includes the legal representative of an individual.

The G–L–B Act distinguishes ‘‘consumers’’ from ‘‘customers’’ for purposes of the notice requirements imposed by the Act. As explained more fully in the discussion of proposed § __.4, below, a financial institution is required to give a ‘‘consumer’’ the notices required under Title V only if the institution intends to disclose nonpublic personal information about the consumer to a nonaffiliated third party for a purpose that is not authorized by one of several exceptions set out in proposed §§ __.10 and __.11. By contrast, a financial institution must give all ‘‘customers,’’ at the time of establishing a customer relationship and annually thereafter during the continuation of the customer relationship, a notice of the institution’s privacy policy.

A person is a ‘‘consumer’’ under the proposed rules if he or she obtains a financial product or service from a financial institution. The definition of ‘‘financial product or service’’ in proposed § __.3(k), below, includes, among other things, the evaluation by a financial institution of an application that a person submits to obtain a financial product or service. Thus, a financial institution that intends to share nonpublic personal information about a consumer with nonaffiliated third parties outside of the exceptions described in §§ __.10 and __.11 will have to give the requisite notices, even if the consumer does not enter into a customer relationship with the institution.

The examples that follow the definition of ‘‘consumer’’ clarify when someone is a consumer. They include situations where someone applies for a loan or provides information for the purpose of determining whether he or she prequalifies for a loan, a person providing information in connection with seeking to obtain financial advisory services, and a person who negotiates a workout of a loan. The examples also clarify the status of someone whose loan has been sold.

f. Consumer reporting agency. The proposed rules adopt the definition of ‘‘consumer reporting agency’’ that is used in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)). This term is used in proposed §§ __.11 and __.13.

g. Control. The proposed rules define ‘‘control’’ using the tests applied in section 23A of the Federal Reserve Act (12 U.S.C. 371c). This definition is used to determine when companies are affiliated (see discussion of proposed § __.3(a), above), and would result in financial institutions being considered as affiliates regardless of whether the control is by a company or individual.

h. Customer. The proposed rules define ‘‘customer’’ as any consumer who has a ‘‘customer relationship’’ with a particular financial institution. As is explained more fully in the discussion of proposed § __.4, below, a consumer becomes a customer of a financial institution at the time of entering into a continuing relationship with the institution. Thus, for instance, a consumer would become a customer at the time the consumer executes the documents needed to open a deposit account or borrow money from a financial institution.

The distinction between consumers and customers determines what notices a financial institution must provide. If a consumer never becomes a customer, the institution is not required to provide any notices to the consumer unless the institution intends to disclose nonpublic personal information about that consumer to nonaffiliated third parties outside of the exceptions as set out in §§ __.10 and __.11. By contrast, if a consumer becomes a customer, the institution must provide a copy of its privacy policy prior to the time it establishes the customer relationship and at least annually thereafter during the continuation of the customer relationship.

i. Customer relationship. The proposed rules define ‘‘customer relationship’’ as a continuing relationship between a consumer and a financial institution whereby the institution provides a financial product or service that is to be used by the consumer primarily for personal, family, or household purposes.² Because the G–L–B Act requires annual notices of the financial institution’s privacy policies to its customers, the Agencies have interpreted the Act as requiring more than isolated transactions between a bank and a consumer to establish a customer relationship, unless it is reasonable to expect further contact about that transaction between the bank and consumer afterwards. Thus, the proposed rules define ‘‘customer relationship’’ as one that generally is of a continuing nature. As noted in the examples that follow the definition, this would include, for instance, maintaining a deposit, loan, trust, or investment account.

A one-time transaction may be sufficient to establish a customer relationship, depending on the nature of the transaction. The examples that follow the definition of ‘‘customer relationship’’ clarify, for instance, that a purchase of an insurance policy would be sufficient to establish a customer relationship because of the continuing nature of the product, whereas using an automated teller machine (ATM) at a bank at which a consumer transacts no other business, purchasing traveler’s checks or money orders, or cashing a check would not. While a person engaging in one of these latter types of transactions would be a consumer under the regulation (thereby requiring the financial institution to provide notices if the institution intends to disclose nonpublic personal information about the consumer to nonaffiliated third parties outside of the exceptions), the consumer would not be a customer. A consumer would not necessarily become a customer simply by repeatedly engaging in isolated transactions, such as withdrawing funds at regular intervals from an ATM owned by an institution with whom the consumer has no account.

The examples also clarify that a consumer will have a customer relationship with a financial institution that makes a loan to the consumer and then sells the loan but retains the servicing rights. In that case, the person will be a customer of both the institution that sold the loan and the institution that bought it.




³ The Board’s proposed rule sets out Alternative B only.

j. Financial institution. The proposed rules define ‘‘financial institution’’ as any institution the business of which is engaging in activities that are financial in nature, or incidental to such financial activities, as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). The proposed rules also exempt from the definition of ‘‘financial institution’’ those entities specifically excluded by the G–L–B Act.

k. Financial product or service. The proposed rules define ‘‘financial product or service’’ as a product or service that a financial institution could offer as an activity that is financial in nature, or incidental to such a financial activity, under section 4(k) of the Bank Holding Company Act of 1956, as amended. An activity that is complementary to a financial activity, as described in section 4(k), is not included in the definition of ‘‘financial product or service’’ under this part. The proposed rules’ definition includes the financial institution’s evaluation of information collected in connection with an application by a consumer for a financial product or service even if the application ultimately is rejected or withdrawn. It also includes the distribution of information about a consumer for the purpose of assisting the consumer to obtain a financial product or service.

l. Government regulator. The proposed rules adopt the definition of ‘‘government regulator’’ that includes each of the Agencies participating in this rulemaking, the Secretary of the Treasury, the NCUA, FTC, SEC, and State insurance authorities under the circumstances identified in the definition. This term is used in the exception set out in proposed § __.11(a)(4) for disclosures to law enforcement agencies, ‘‘including government regulators.’’

m. Nonaffiliated third party. Paragraph (1) of the proposed definition of ‘‘nonaffiliated third party’’ provides that the term means any person (which includes natural persons as well as corporate entities such as corporations, partnerships, trusts, and so on) except: (1) An affiliate of a financial institution, and (2) a joint employee of a financial institution and a third party. This paragraph is intended to be substantively the same as the definition used in section 509(5) of the G–L–B Act. Paragraph (2) of the proposed definition provides that ‘‘nonaffiliated third party’’ includes any company that is an affiliate by virtue of the direct or indirect ownership or control of the company by the financial institution or one of its affiliates in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) or insurance company activities of the type described in section 4(k)(4)(I) of the Bank Holding Company Act, whether or not the financial institution is affiliated with a bank or is relying on the authority of those sections.

n. Nonpublic personal information. Section 509(4) of the G–L–B Act defines ‘‘nonpublic personal information’’ to mean ‘‘personally identifiable financial information’’ (which term is not defined in the Act) that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer, or is otherwise obtained by the financial institution. Any list, description, or other grouping of consumers—and ‘‘publicly available information’’ (which also is undefined in the G–L–B Act) pertaining to them—that is derived using any nonpublic personal information other than publicly available information also is included in the definition of ‘‘nonpublic personal information.’’

The proposed rules implement this provision of the G–L–B Act by restating, in paragraph (1) of proposed § __.3(n), the categories of information described above. However, the proposed rules present two alternatives concerning the treatment, for purposes of the definition of ‘‘nonpublic personal information,’’ of information that can be obtained from sources available to the general public. The alternatives are based on differences in the definitions of ‘‘personally identifiable financial information’’ and ‘‘publicly available information’’ which, when read together, result in more information being treated as ‘‘nonpublic personal information’’ under Alternative A than would be the case under Alternative B.

Alternative A excludes publicly available information from the scope of ‘‘nonpublic personal information’’ only in two circumstances. The first is when the information is part of a list, description, or other grouping of consumers that is derived without using personally identifiable financial information. The second is when information, not provided by a consumer and not resulting from a transaction with the consumer, is otherwise obtained by a financial institution in connection with providing a financial product or service to the consumer. However, in order for the information to be considered ‘‘publicly available’’ under Alternative A, the information must be obtained from government records, widely distributed media, or government-mandated disclosures. The fact that the information is available from those sources is immaterial if the financial institution does not actually obtain the information from one of them.

Alternative B³ similarly excludes publicly available information from the scope of ‘‘nonpublic personal information’’ when the information is part of a list, description, or other grouping of consumers that is derived without using personally identifiable financial information. However, Alternative B also excludes any other publicly available information, unless the information is part of a list, description, or other grouping of consumers that is derived using personally identifiable financial information. Under Alternative B, information need only be available from a public source for it to be considered ‘‘publicly available.’’ If the information is lawfully available to the general public, then it will be publicly available and excluded from the scope of ‘‘nonpublic personal information’’ regardless of whether the institution obtains it from a publicly available source (unless, as previously noted, it is part of a list of consumers that is derived using personally identifiable information). As a result of this approach, the fact that information has been given to a financial institution by a consumer does not automatically extend to that information the protections afforded to nonpublic personal information.

The two alternatives will produce the same results in many instances. Under Alternative A, a person’s name, address, and other information that typically is thought of as publicly available is treated as nonpublic if that information is provided by the person to a bank in connection with obtaining a financial product or service. Thus, a bank would be unable to disclose such information under Alternative A to a nonaffiliated third party unless the bank complies with the notice and opt out requirements discussed below. Under Alternative B, if the person’s name and address were available from public sources, they would be publicly available information. However, even under Alternative B, the bank would have to comply with the notice and opt out requirements before sharing that information with nonaffiliated third parties if the information was included on a customer list.

The two alternatives will produce different results, however, in the situation where a bank wants to disclose the name, address, or other information available to the general public about an individual. In that situation, Alternative A would require compliance with the notice and opt out requirements. Alternative B would not, because the information would not be part of a list, description, or other grouping of consumers. The Agencies invite comment on both alternatives.

⁴ 64 FR 59918 (Nov. 3, 1999).

The Agencies also specifically invite comment on whether either definition of ‘‘nonpublic personal information’’ would cover information about a consumer that contains no indicators of a consumer’s identity. For instance, if a mortgage lender provided information about its mortgage loans (such as loan-to-value ratios, interest rates, census tracts of mortgaged property, payment history, credit scores, and income) to a nonaffiliated third party for the purpose of preparing market studies, would the lender, without notice or opt out to the consumer, be permitted to do so if the information contains no personal identifiers?

o. Personally identifiable financial information. As discussed above, the G–L–B Act defines ‘‘nonpublic personal information’’ to include, among other things, ‘‘personally identifiable financial information’’ but does not define the latter term.

As a general matter, the proposed rules treat any personally identifiable information as financial if it is obtained by a financial institution in connection with providing a financial product or service to a consumer. The Agencies believe that this approach reasonably interprets the word ‘‘financial’’ and creates a workable and clear standard for distinguishing information that is financial from other personal information. The Agencies recognize that this interpretation may result in certain information being covered by the rules that may not be considered intrinsically financial, such as health status, and specifically invite comment on the proposed definition of ‘‘personally identifiable financial information.’’

The proposed rules define “personally identifiable financial information” to include three categories of information. While these three categories are for the most part identical in both alternatives (see discussion of category 3, below, concerning a difference between the categories), the differences in how Alternatives A and B treat publicly available information result in different applications of what personally identifiable financial information is included within the definition of “nonpublic personal information.”

The first category of information considered to be “personally identifiable financial information” is any information that a consumer provides a financial institution in order to obtain a financial product or service. As noted in the examples that follow the definition, this would include information provided on an application to obtain a loan, credit card, or other financial product or service. If, for instance, medical information is provided on an application to obtain a financial product or service (such as would be the case if a consumer applies for a life insurance policy), that information would be considered “personally identifiable financial information” for purposes of the proposed rules.

The second category of information covered by the proposed definition of “personally identifiable financial information” includes any information resulting from any transaction between the consumer and the financial institution involving a financial product or service. This would include, as noted in the examples following the definition, account balance information, payment or overdraft history, and credit or debit card purchase information.

The third category includes any financial information about a consumer otherwise obtained by the financial institution in connection with providing a financial product or service to the consumer. This would include, for example, information obtained from a consumer report or from an outside source to verify information a consumer provides on an application to obtain a financial product or service. There is a difference in the statement of the third category between Alternatives A and B. Alternative A expressly excludes from this category publicly available information, while Alternative B does not. However, given the definitions of “nonpublic personal information” and “publicly available information” in Alternative B, the result is that any of the three categories of personally identifiable information in Alternative B will exclude publicly available information from the personally identifiable financial information that is considered “nonpublic personal information.”

The examples clarify that the definition of “personally identifiable financial information” does not include a list of names and addresses of people who are customers of an entity that is not a financial institution. Thus, the names and addresses of people who subscribe, for instance, to a particular magazine fall outside the definition. If, however, a financial institution includes those names and addresses as part of a list of the institution’s customers, then the names and addresses become nonpublic personal information.

The Agencies note that there are other laws that may impose limitations on disclosures of nonpublic personal information in addition to those imposed by the G–L–B Act and these proposed rules. For instance, the Fair Credit Reporting Act imposes conditions on the sharing of application information between affiliates and nonaffiliated third parties. The recently proposed Department of Health and Human Services regulations⁴ that implement the Health Insurance Portability and Accountability Act of 1996 would, if adopted in final form, limit the circumstances under which medical information may be disclosed. There may be State laws that affect a financial institution’s ability to disclose information. Thus, financial institutions will need to monitor and comply with applicable legislative and regulatory developments that affect the disclosure of consumer information.

The Agencies seek comment on whether further definition of “personally identifiable financial information” would be helpful.

p. Publicly available information. The proposed rules contain two versions of the definition of “publicly available information.” For the most part, the definitions are identical, and differ only in that Alternative A does not treat information as publicly available unless it is obtained from one of the public sources listed in the proposed rules. Alternative B, by contrast, treats information as publicly available if it could be obtained from one of the public sources listed in the rules, even if it was obtained from a source not listed in the definition. The Agencies invite comments on which alternative is more appropriate.

The remaining parts of the two alternative versions are identical. Thus, under either alternative, the definition of “publicly available information” includes information from official public records, such as real estate recordations or security interest filings. It also includes information from widely distributed media (such as a telephone book, television or radio program, or newspaper) and information that is required to be disclosed to the general public by Federal, State, or local law (such as securities disclosure documents). The proposed rules state that information obtained over the Internet will be considered publicly available information if the information is obtainable from a site available to the general public without requiring a password or similar restriction. The Agencies invite comment on what information is appropriately considered publicly available, particularly in the context of information available over the Internet.

⁵ The OCC has used the term “bank” instead of “you” in its regulation.

q. You. For those Agencies that use the pronoun “you” to refer to entities within their primary jurisdiction,⁵ the definition of this term will vary with each of the Agencies’ regulations based upon the financial institutions under their jurisdictions.

§l.4 Initial Notice to Consumers of Privacy Policies and Practices Required

Initial notice required. The G–L–B Act requires a financial institution to provide an initial notice of its privacy policies and practices in two circumstances. For customers, the notice must be provided at the time of establishing a customer relationship. For consumers who do not become customers, the notice must be provided prior to disclosing nonpublic personal information about the consumer to a nonaffiliated third party.

Paragraph (a) of proposed §l.4 states the general rule regarding these notices. Pursuant to that paragraph, a financial institution must provide a clear and conspicuous notice (i.e., a notice that is reasonably understandable and designed to call attention to the nature and significance of the information it provides) that accurately reflects the institution’s privacy policies and practices. Thus, a financial institution may not fail to maintain the protections that it represents in the notice that it will provide. The Agencies expect that financial institutions will take appropriate measures to adhere to their stated privacy policies and practices.

The proposed rules do not prohibit affiliated institutions from using a common initial, annual, or opt out notice, so long as the notice is delivered in accordance with the rule and is accurate for all recipients. Similarly, the rules do not prohibit an institution from establishing different privacy policies and practices for different categories of consumers, customers, or products, so long as each particular consumer or customer receives a notice that is accurate with respect to him or her.

Notice to customers. The proposed rules require that a financial institution provide an individual a privacy notice prior to the time that it establishes a customer relationship. Thus, the notices may be provided at the same time a financial institution is required to give other notices, such as those required by the Board’s regulations implementing the Truth in Lending Act (12 CFR 226.6). This approach is intended to strike a balance between: (1) Ensuring that consumers will receive privacy notices at a meaningful point along the continuum of “establishing a customer relationship”; and (2) minimizing unnecessary burdens on financial institutions that may result if a financial institution is required to provide a consumer with a series of notices at different times in a transaction. Nothing in the proposed rules is intended to discourage a financial institution from providing an individual with a privacy notice at an earlier point in the relationship if the institution wishes to do so in order to make it easier for the individual to compare its privacy policies and practices with those of other institutions in advance of conducting transactions.

Paragraph (c) of proposed §l.4 identifies the time a customer relationship is established as the point at which a financial institution and a consumer enter into a continuing relationship. The examples that are provided after the statement of the general rule inform the reader that, for customer relationships that are contractual in nature (including, for instance, deposit accounts, loans, or purchases of a nondeposit product), a customer relationship is established upon the execution by the consumer of the contract that is necessary to conduct the transaction in question. In the case of a credit card account, the customer relationship is established when the consumer opens the account. A consumer opens a credit card account when he or she becomes obligated on the account, such as when he or she makes the first purchase, receives the first advance, or becomes obligated for any fee or charges under the account other than an application fee or refundable membership fee. For transactions that may not involve a contract (including, for instance, providing investment advisory services), a customer relationship will be established if the consumer pays or agrees to pay a fee or commission for the service.

Notice to consumers. For consumers who do not establish a customer relationship, the initial notice may be provided at any point before the financial institution discloses nonpublic personal information to nonaffiliated third parties. As provided in paragraph (b) of the proposed rule, if the institution does not intend to disclose the information in question or intends to make only those disclosures that are authorized by one of the exceptions set out in §§l.10 and l.11 of the proposed rule, it is not required to provide the initial notice.

How to provide notice. Paragraph (d) of proposed §l.4 sets out the rules governing how financial institutions must provide the initial notices. The general rule requires that the initial notice be provided so that each recipient can reasonably be expected to receive actual notice. The Agencies invite comment on who should receive a notice in situations where there is more than one party to an account.

The notice may be delivered in writing or, if the consumer agrees, electronically. Oral notices alone are insufficient. In the case of customers, the notice must be given in a way so that the customer may either retain it or access it at a later time. This requirement that the notice be given in a manner permitting access at a later time does not preclude a financial institution from changing its privacy policy. See proposed §l.8(c), below. Rather, the rules are intended only to require that a customer be able to access the most recently adopted privacy policy.

Examples of acceptable ways the notice may be delivered include hand-delivering a copy of the notice, mailing a copy to the consumer’s last known address, or sending it via electronic mail to a consumer who obtains a financial product or service from the institution electronically. It would not be sufficient to provide only a posted copy of the notice in a lobby. Similarly, it would not be sufficient to provide the initial notice only on a Web page, unless the consumer is required to access that page to obtain the product or service in question. Electronic delivery generally should be in the form of electronic mail so as to ensure that a consumer actually receives the notice. In those circumstances where a consumer is in the process of conducting a transaction over the Internet, electronic delivery also may include posting the notice on a Web page as described above. If a financial institution and consumer orally agree to enter into a contract for a financial product or service over the telephone, the institution may provide the consumer with the option of receiving the initial notice after providing the product or service so as not to delay the transaction. The Agencies invite comment on the regulatory burden of providing the initial notices and on the methods financial institutions anticipate using to provide the notices.


The Agencies recognize that in some circumstances a customer does not have a choice as to the institution with which he or she has a customer relationship, such as when an institution purchases the customer’s loan in the secondary market. In these situations, it may not be practicable for the institution to provide a notice prior to establishing the customer relationship. The proposed rules provide that if a financial institution purchases a loan or assumes a deposit liability from another financial institution or in the secondary market and the customer does not have a choice about the purchase or assumption, the acquiring financial institution may provide the initial notice within a reasonable time thereafter. The Agencies invite comment on whether there are other similar situations for which an exception is necessary.

The Agencies also recognize that certain consumers may have requested that a financial institution not send statements, notices, or other communications to them, such as in certain private banking relationships. The Agencies request comment on whether and how the rules should address these situations with respect to the notices required by these rules. The Agencies also request comment on whether there are other situations where providing notice by mail is impracticable.

§l.5 Annual Notice to Customers Required

Section 503 of the G–L–B Act requires a financial institution to provide notices of its privacy policies and practices at least annually to its customers. The proposed rules implement this requirement by requiring a clear and conspicuous notice that accurately reflects the privacy policies and practices then in effect to be provided at least once during any period of twelve consecutive months. The rules governing how to provide an initial notice also apply to annual notices.

Section 503(a) of the G–L–B Act requires that the annual notices be provided “during the continuation” of a customer relationship. To implement this requirement, the proposed rules state that a financial institution is not required to provide annual notices to a customer with whom it no longer has a continuing relationship. The examples that follow this general rule provide guidance on when there no longer is a continuing relationship for purposes of the rules. These include, for instance, deposit accounts that are treated as dormant by a financial institution, loans that are paid in full or charged off, or assets sold without retaining servicing rights.

There will be certain customer relationships (such as obtaining investment advice from a stock broker) that do not present a clear event after which there is no longer a customer relationship. The proposed rules contain an example intended to cover these situations, stating that a relationship will no longer be deemed continuing for purposes of the proposed rules if the financial institution has not communicated with a customer, other than providing an annual privacy policy notice, for a period of 12 consecutive months.

The Agencies invite comment generally on whether the examples provided in proposed §l.5 are adequate and on whether the proposed standard deeming an account relationship to have terminated after 12 months of no communication is appropriate. The Agencies specifically request comment on whether, in the example of dormant accounts, the applicable standard should be the institution’s policies or applicable State law. The Agencies also invite comment on the regulatory burden of providing the annual notices and on the methods financial institutions anticipate using to provide the notices.

§l.6 Information To Be Included in Initial and Annual Notices of Privacy Policies and Practices

Section 503 of the G–L–B Act identifies the items of information that must be included in a financial institution’s initial and annual notices. Section 503(a) of the G–L–B Act sets out the general requirement that a financial institution must provide customers with a notice describing the institution’s policies and practices with respect to, among other things, disclosing nonpublic personal information to affiliates and nonaffiliated third parties. Section 503(b) of the Act identifies certain elements that must be addressed in that notice.

The required content is the same for both the initial and annual notices of privacy policies and practices. While the information contained in the notices must be accurate as of the time the notices are provided, a financial institution may prepare its notices based on current and anticipated policies and practices.

The information to be included is as follows:

1. Categories of Nonpublic Personal Information That a Financial Institution May Collect

Section 503(b)(2) requires a financial institution to inform its customers about the categories of nonpublic personal information that the institution collects. The proposed rules implement this requirement in §l.6(a)(1) and provide an example of how to comply with this requirement that focuses the notice on the source of the information collected. As noted in the example, a financial institution will satisfy this requirement if it categorizes the information according to the sources, such as application information, transaction information, and consumer report information. Financial institutions may provide more detail about the categories of information collected but are not required to do so by the proposed rules.

2. Categories of Nonpublic Personal Information That a Financial Institution May Disclose

Section 503(a)(1) of the G–L–B Act requires the financial institution’s initial and annual notice to provide information about the categories of nonpublic personal information that may be disclosed either to affiliates or nonaffiliated third parties.

The proposed rules implement this requirement in proposed §l.6(a)(2). The examples of how to comply with this rule focus on the content of information to be disclosed. As stated in the relevant examples, a financial institution may satisfy this requirement by categorizing information according to source and providing illustrative examples of the content of the information. These categories might include application information (such as assets and income), identifying information (such as name, address, and social security number), transaction information (such as information about account activity, account balances, and purchases), and information from consumer reports (such as credit history).

Financial institutions are free to provide more detailed information in the initial and annual notices if they choose to do so. Conversely, if a financial institution does not disclose, and does not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, its initial and annual notices may simply state this fact without further elaboration about categories of information disclosed.


3. Categories of Affiliates and Nonaffiliated Third Parties to Whom a Financial Institution Discloses Nonpublic Personal Information

As previously noted, section 503(a) includes a general requirement that a financial institution provide a notice to its customers of the institution’s policies and practices with respect to disclosing nonpublic personal information to affiliates and nonaffiliated third parties. Section 503(b) states that the notice required by section 503(a) shall include certain specified items. Among those is the requirement, set out in section 503(b)(1), that a financial institution inform its customers about its policies and practices with respect to disclosing nonpublic personal information to nonaffiliated third parties. The Agencies believe that, when read together, sections 503(a) and 503(b) of the G–L–B Act require a financial institution’s notice to address disclosures of nonpublic personal information to both affiliates and nonaffiliated third parties.

The proposed rules implement this requirement in §l.6(a)(3). The example illustrating how a financial institution may comply with the rules states that a financial institution will adequately categorize the affiliates and nonaffiliated third parties to whom it discloses nonpublic personal information about consumers if it identifies the types of businesses in which they engage. Types of businesses may be described by general terms, such as financial products or services, if the financial institution provides illustrative examples of the significant lines of businesses of the recipient, such as retail banking, mortgage lending, life insurance, or securities brokerage.

The G–L–B Act does not require a financial institution to list the categories of persons to whom information may be disclosed pursuant to one of the exceptions set out in proposed §§l.10 and l.11. The proposed rules state that a financial institution is required only to inform consumers that it makes disclosures as permitted by law to nonaffiliated third parties in addition to those described in the notice. The Agencies invite comment on whether such a notice would be adequate.

If a financial institution does not disclose, and does not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, its initial and annual notices may simply state this fact without further elaboration about categories of third parties.

4. Information About Former Customers

Section 503(a)(2) of the Act requires the financial institution’s initial and annual privacy notices to include the institution’s policies and practices with respect to disclosing nonpublic personal information of persons who have ceased to be customers of the institution. Section 503(b)(1)(B) requires that this information be provided with respect to information disclosed to nonaffiliated third parties.

The Agencies have concluded that, when read together, sections 503(a)(2) and 503(b)(1)(B) require a financial institution to include in the initial and annual notices the institution’s policies and practices with respect to sharing information about former customers with all affiliates and nonaffiliated third parties. This requirement is set out in the proposed rules at §l.6(a)(4). This requirement does not require a financial institution to provide a notice and opportunity to opt out to a former customer before sharing nonpublic personal information about that former customer with an affiliate.

5. Information Disclosed to Service Providers

Section 502(b)(2) of the G–L–B Act permits a financial institution to disclose nonpublic personal information about a consumer to a nonaffiliated third party for the purpose of the third party performing services for the institution, including marketing financial products or services under a joint agreement between the financial institution and at least one other financial institution. In this case, a consumer has no right to opt out, but the financial institution must inform the consumer that it will be disclosing the information in question unless the service falls within one of the exceptions listed in section 502(e) of the Act.

The proposed rules implement these provisions, in §l.6(a)(5), by requiring that, if a financial institution discloses nonpublic personal information to a nonaffiliated third party pursuant to the exception for service providers and joint marketing, the institution is to include in the initial and annual notices a separate description of the categories of information that are disclosed and the categories of third parties providing the services. A financial institution may comply with these requirements by providing the same level of detail in the notice as is required to satisfy the requirements in proposed §§l.6(a)(2) and (3).

6. Right to Opt Out

As previously noted, sections 503(a)(1) and 503(b)(1) of the G–L–B Act require a financial institution to provide customers with a notice of its privacy policies and practices concerning, among other things, disclosing nonpublic personal information consistent with section 502 of the Act.

The proposed rules implement this requirement, in proposed §l.6(a)(6), by requiring the initial and annual notices to explain the right to opt out of disclosures of nonpublic personal information to nonaffiliated third parties, including the methods available to exercise that right.

7. Disclosures Made Under the Fair Credit Reporting Act (FCRA)

Section 503(b)(4) of the G–L–B Act requires a financial institution’s initial and annual notice to include the disclosures required, if any, under section 603(d)(2)(A)(iii) of the FCRA. Section 603(d)(2)(A)(iii) excludes from the definition of “consumer report” the communication of certain consumer information among affiliated entities if the consumer is notified about the disclosure of such information and given an opportunity to opt out of that information sharing. The information that can be shared among affiliates under this provision includes, for instance, information from consumer reports and applications for financial products or services. In general, this information represents personal information provided directly by the consumer to the institution, such as income and social security number, in addition to information contained within credit bureau reports.

The proposed rules implement section 503(b)(4) of the G–L–B Act by including the requirement that a financial institution’s initial and annual notice include any disclosures a financial institution makes under section 603(d)(2)(A)(iii) of the FCRA.

8. Confidentiality, Security, and Integrity

Section 503(a)(3) of the G–L–B Act requires the initial and annual notices to provide information about a financial institution’s policies and practices with respect to protecting the nonpublic personal information of consumers. Section 503(b)(3) of the Act requires the notices to include the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information, in accordance with section 501 (which requires the Agencies to establish standards governing the administrative, technical, and physical safeguards of customer information).

The proposed rules implement these provisions by requiring a financial institution to include in the initial and annual notices the institution’s policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information. The relevant example in the proposed rules states that a financial institution may comply with the requirement as it concerns confidentiality and security if the institution explains matters such as who has access to the information and the circumstances under which the information may be accessed. The information about integrity should focus on the measures the institution takes to protect against reasonably anticipated threats or hazards. The proposed rules do not require a financial institution to provide technical or proprietary information about how it safeguards consumer information.

The Agencies are in the process of preparing the section 501 standards relating to administrative, technical, and physical safeguards, and anticipate having those standards in place at the time of the issuance of the final privacy rules. This will enable financial institutions to develop the initial and annual notices in light of those standards.

§l.7 Limitation on disclosure of nonpublic personal information about consumers to nonaffiliated third parties.

Section 502(a) of the G–L–B Act generally prohibits a financial institution from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless the institution provides the consumer with a notice of the institution’s privacy policies and practices. Section 502(b) further requires that the financial institution provide the consumer with a clear and conspicuous notice that the consumer’s nonpublic personal information may be disclosed to nonaffiliated third parties, that the consumer be given an opportunity to opt out of that disclosure, and that the consumer be informed of how to opt out.

Section l.7 of the proposed rules implements these provisions. Paragraph (a)(1) of §l.7 sets out the criteria that a financial institution must satisfy before disclosing nonpublic personal information to nonaffiliated third parties. As stated in the text of the proposed rules, these criteria apply to direct and indirect disclosures through an affiliate. The Agencies invite comment on how the right to opt out should apply in the case of joint accounts. Should, for instance, a financial institution require all parties to an account to opt out before the opt out becomes effective? If not and only one of the parties opts out, should the opt out apply only to information about the party opting out or should it apply to information about all parties to the account? The Agencies also request comment on how the opt out right should apply to commingled trust accounts, where a trustee manages a single account on behalf of multiple beneficiaries.

Paragraph (a)(2) defines “opt out” in a way that incorporates the exceptions to the right to opt out stated in proposed §§l.9, l.10, and l.11.

The proposed rules implement the requirement that a consumer be given an opportunity to opt out before information is disclosed by requiring that the opportunity be reasonable. The examples that follow the general rule provide guidance in situations involving notices that are mailed and notices that are provided in connection with isolated transactions. In the former case, a consumer will have a reasonable opportunity to opt out if the financial institution provides 30 days in which to opt out. In the latter case, an opportunity will be reasonable if the consumer must decide as part of the transaction whether to opt out before completing the transaction. The Agencies invite comment on whether 30 days is a reasonable opportunity to opt out in the case of notices sent by mail, and on whether an example in the context of transactions conducted using an electronic medium would be helpful.

The requirement that a consumer have a reasonable opportunity to opt out does not mean that a consumer forfeits that right once the opportunity lapses. The consumer always has the right to opt out (as discussed further in proposed §l.8, below). However, if an individual does not exercise that opt out right when first presented with an opportunity, the financial institution would be permitted to disclose nonpublic personal information to nonaffiliated third parties for the period of time necessary to implement the consumer’s opt out direction.

Paragraph (b) of proposed §l.7 clarifies that the right to opt out applies regardless of whether a consumer has established a customer relationship with a financial institution. As noted above, all customers are consumers under the proposed rules. Thus, the fact that a consumer establishes a customer relationship with a financial institution does not change the institution’s obligations to comply with the requirements of proposed §l.7(a) before sharing nonpublic personal information about that consumer with nonaffiliated third parties. This also applies in the context of a consumer who had a customer relationship with a financial institution but then terminated that relationship. Paragraph (b) also clarifies that the consumer protections afforded by paragraph (a) of proposed §l.7 apply to all nonpublic personal information collected by a financial institution, regardless of when collected. Thus, if a consumer elects to opt out of information sharing with nonaffiliated third parties, that election applies to all nonpublic personal information about that consumer in the financial institution’s possession, regardless of when the information is obtained.

Paragraph (c) of proposed §l.7 states that a financial institution may, but is not required to, provide consumers with the option of a partial opt out in addition to the opt out required by this section. This could enable a consumer to limit, for instance, the types of information disclosed to nonaffiliated third parties or the types of recipients of the nonpublic personal information about that consumer. If the partial opt out option is provided, a financial institution must state this option in a way that clearly informs the consumer about the choices available and consequences thereof.

§l.8 Form and Method of Providing Opt Out Notice to Consumers

Paragraph (a) of proposed §l.8 requires that any opt out notice provided by a financial institution pursuant to proposed §l.7 be clear and conspicuous and accurately explain the right to opt out. The notice must inform the consumer that the institution may disclose nonpublic personal information to nonaffiliated third parties, state that the consumer has a right to opt out, and provide the consumer with a reasonable means by which to opt out.

The examples that follow the general rule state that a financial institution will adequately provide notice of the right to opt out if it identifies the categories of information that may be disclosed and the categories of nonaffiliated third parties to whom the information may be disclosed and that the consumer may opt out of those disclosures. A financial institution that plans to disclose only limited types of information or to only a specific type of nonaffiliated third party may provide a correspondingly narrow notice to consumers. However, to minimize the number of opt out notices a financial institution must provide, the institution may wish to base its notices on current and anticipated information sharing plans. A new opt out notice is not required for disclosures to different types of nonaffiliated third parties or of different types of information, provided that the most recent opt out notice is sufficiently broad to cover the entities or information in question. Nor is a financial institution required to provide subsequent opt out notices when a consumer establishes a new type of customer relationship with that financial institution, unless the institution’s opt out policies differ depending on the type of customer relationship.

The examples also suggest several ways in which a financial institution may provide reasonable means to opt out, including check-off boxes, reply forms, and electronic mail addresses. A financial institution does not provide a reasonable means to opt out if the only means provided is for a consumer to write his or her own letter to the institution to exercise the right, although an institution may honor such a letter if received.

Paragraph (b) applies the same rules to delivery of the opt out notice that apply to delivery of the initial and annual notices. In addition, paragraph (b) clarifies that the opt out notice may be provided together with, or on the same form as, the initial and annual notices. However, if the opt out notice is provided after the initial notice, a financial institution must provide a copy of the initial notice along with the opt out notice. If a financial institution and consumer orally agree to enter into a customer relationship, the institution may provide the opt out notice within a reasonable time thereafter if the consumer agrees. The Agencies invite comment on whether a more specific time by which the notice must be given would be appropriate.

Paragraph (c) sets out the rules governing a financial institution’s obligations in the event the institution changes its disclosure policies. As stated in that paragraph, a financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless the institution first provides a revised notice and new opportunity to opt out. The institution must wait a reasonable period of time before disclosing information according to the terms of the revised notice in order to afford the consumer a reasonable opportunity to opt out. A financial institution must provide the revised notice of its policies and practices and opt out notice to a consumer using the means permitted for providing the initial notice and opt out notice to that consumer under §l.4(c) and §l.8(b), respectively, which require that the notices be given in a manner so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form.

Paragraph (d) states that a consumer has the right to opt out at any time. The Agencies considered whether to include a time limit by which financial institutions must effectuate a consumer’s opt out election, but decided that the wide variety of practices of financial institutions made one limit inappropriate. Instead, the Agencies’ rules require that disclosures stop as soon as reasonably practicable.

Paragraph (e) states that an opt out will continue until a consumer revokes it. The rules require that such revocation be in writing, or, if the consumer has agreed, electronically.

The Agencies invite comment on the likely burden of complying with the requirement to provide opt out notices, the methods financial institutions anticipate using to deliver the opt out notices, and the approximate number of opt out notices they expect to deliver and process.

§l.9 Exception to Opt Out Requirements for Service Providers and Joint Marketing

Section 502(b) of the G–L–B Act creates an exception to the opt out rules for the disclosure of information to a nonaffiliated third party for use by the third party to perform services for, or functions on behalf of, the financial institution, including the marketing of the financial institution’s own products or services or financial products or services offered pursuant to a joint agreement between two or more financial institutions. A consumer will not have the right to opt out of disclosing nonpublic personal information about the consumer to nonaffiliated third parties under these circumstances, if the financial institution satisfies certain requirements.

First, the institution must, as stated in section 502(b), "fully disclose" to the consumer that it will provide this information to the nonaffiliated third party before the information is shared. This disclosure should be provided as part of the initial notice that is required by §l.4. The Agencies invite comment on whether the proposed rules appropriately implement the "fully disclose" requirement in section 502(b)(2).

Second, the financial institution must enter into a contract with the third party that requires the third party to maintain the confidentiality of the information. This contract should be designed to ensure that the third party: (a) Will maintain the confidentiality of the information at least to the same extent as is required for the financial institution that discloses it; and (b) will use the information solely for the purposes for which the information is disclosed or as otherwise permitted by §§l.10 and l.11 of the proposed rules. The Agencies invite comment on the application of proposed §l.9(a)(2)(ii) in the context of financial institutions that contract with credit scoring vendors to evaluate borrower creditworthiness. Specifically, would that section prohibit the vendor from also using the consumers’ information without the indicators of personal identity to help improve its scoring models?

The G–L–B Act allows the Agencies to impose requirements on the disclosure of information pursuant to the exception for service providers beyond those imposed in the statute. The Agencies have not done so in the proposed rules, but invite comment on whether additional requirements should be imposed, and, if so, what those requirements should address. The Agencies note, for instance, that joint agreements have the potential to create reputation risk and legal risk for a financial institution entering into such an agreement. The Agencies seek comment on whether the rules should require a financial institution to take steps to assure itself that the product being jointly marketed and the other participants in the joint marketing agreement do not present undue risks for the institution. These steps might include, for instance, ensuring that the financial institution’s sponsorship of the product or service in question is evident from the marketing of that product or service. The Agencies also invite comments on any other requirements that would be appropriate to protect a consumer’s financial privacy, and on whether the rules should provide examples of the types of joint agreements that are covered.

§l.10 Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

Section 502(e) of the G–L–B Act creates exceptions to the requirements that apply to the disclosure of nonpublic personal information to nonaffiliated third parties. Paragraph (1) of that section sets out certain exceptions for disclosures made, generally speaking, in connection with the administration, processing, servicing, and sale of a consumer’s account.


Paragraph (a) of proposed §l.10 sets out those exceptions, making only stylistic changes to the statutory text that are intended to make the exceptions easier to read. Paragraph (b) sets out the definition of "necessary to effect, administer, or enforce" that is contained in section 509(7) of the G–L–B Act, making only stylistic changes intended to clarify the definition.

The exceptions set out in proposed §l.10, and the exceptions discussed in proposed §l.11, below, do not affect a financial institution’s obligation to provide initial notices of its privacy policies and practices prior to the time it establishes a customer relationship and annual notices thereafter. Those notices must be provided to all customers, even if the institution intends to disclose the nonpublic personal information only pursuant to the exceptions in proposed §l.10.

§l.11 Other Exceptions to Notice and Opt Out Requirements

As noted above, section 502(e) contains several exceptions to the requirements that otherwise would apply to the disclosures of nonpublic personal information to nonaffiliated third parties. Proposed §l.11 sets out those exceptions that are not made in connection with the administration, processing, servicing, and sale of a consumer’s account, and makes stylistic changes intended to clarify the exceptions.

One of the exceptions stated in proposed §l.11 is for disclosures made with the consent or at the direction of the consumer, provided the consumer has not revoked the consent. Following the list of exceptions is an example of consent in which a financial institution that has received an application from a consumer for a mortgage loan informs a nonaffiliated insurance company that the consumer has applied for a loan so that the insurance company can contact the person about homeowner’s insurance. Consent in such a situation would enable the financial institution to make the disclosure to the third party without first providing the initial notice required by §l.4 or the opt out notice required by §l.7, but the disclosure must not exceed the purposes for which consent was given. The example also states that consent may be revoked by a consumer at any time by the consumer exercising the right to opt out of future disclosures. The Agencies invite comment on whether safeguards should be added to the exception for consent in order to minimize the potential for consumer confusion. Such safeguards might include, for instance, a requirement that consent be written, that it be indicated on a separate signature line in a relevant document or on a distinct Web page, or that it may be effective for only a limited period of time.

§l.12 Limits on Redisclosure and Reuse of Information

Section l.12 of the proposed rules implements the Act’s limitations on redisclosure and reuse of nonpublic personal information about consumers. Section 502(c) of the Act provides that a nonaffiliated third party that receives nonpublic personal information from a financial institution shall not, directly or indirectly through an affiliate, disclose the information to any person that is not affiliated with either the financial institution or the third party, unless the disclosure would be lawful if made directly by the financial institution. Paragraph (a)(1) sets out the Act’s redisclosure limitation as it applies to a financial institution that receives information from another nonaffiliated financial institution. Paragraph (b)(1) mirrors the provisions of paragraph (a)(1), but applies the redisclosure limits to any nonaffiliated third party that receives nonpublic personal information from a financial institution.

The Act appears to place the institution that receives the information into the shoes of the institution that disclosed the information for purposes of determining whether redisclosures by the receiving institution are "lawful." Thus, the Act appears to permit the receiving institution to redisclose the information to: (1) An entity to whom the original transferring institution could disclose the information pursuant to one of the exceptions in §§l.9, l.10, or l.11, or (2) an entity to whom the original transferring institution could have disclosed the information as described under its notice of privacy policies and practices, unless the consumer has exercised the right to opt out of that disclosure. Because a consumer can exercise the right to opt out of a disclosure at any time, the Act may effectively preclude third parties that receive information to which the opt out right applies from redisclosing the information, except pursuant to one of the exceptions in §§l.9, l.10, or l.11. The Agencies invite comment on whether the rules should require a financial institution that discloses nonpublic personal information to a nonaffiliated third party to develop policies and procedures to ensure that the third party complies with the limits on redisclosure of that information.

Sections 502(b)(2) and 502(e) (as implemented by §§l.9, l.10, and l.11 of the proposed rules) describe when a financial institution may disclose nonpublic personal information without providing the consumer with the initial privacy notice and an opportunity to opt out, but those exceptions apply only when the information is used for the specific purposes set out in those sections. Paragraph (a)(2) of proposed §l.12 clarifies this limitation on reuse as it applies to financial institutions. Paragraph (a)(2) provides that a financial institution may use nonpublic personal information about a consumer that it receives from a nonaffiliated financial institution in accordance with an exception under §§l.9, l.10, or l.11 only for the purpose of that exception. Paragraph (b)(2) applies the same limits on reuse to any nonaffiliated third party that receives nonpublic personal information from a financial institution. The Agencies request comment on whether proposed §§l.12(a)(2) and l.12(b)(2) would restrict a nonaffiliated third party from using information obtained in accordance with the exceptions in §§l.9, l.10, and l.11 for purposes beyond the scope of those exceptions if the information is not used in a personally identifiable form. This might occur, for example, in the case of a credit scoring vendor using information to improve its scoring models.

The Agencies invite comments on the meaning of the word "lawful" as that term is used in section 502(c). The Agencies specifically solicit comment on whether it would be lawful for a nonaffiliated third party to disclose information pursuant to the exception provided in proposed §l.9 of the rules. Under that exception, a financial institution must comply with certain requirements before disclosing information to a nonaffiliated third party. Given that the statute and proposed rules impose those requirements on the financial institution making the initial disclosure, the Agencies invite comment on whether subsequent disclosures by the third party could satisfy the requirement that those disclosures be lawful when the financial institution is not party to the subsequent disclosure.

§l.13 Limits on Sharing of Account Number Information for Marketing Purposes

Section 502(d) of the G–L–B Act prohibits a financial institution from disclosing, other than to a consumer reporting agency, account numbers or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. Proposed §l.13 applies this statutory prohibition to disclosures made directly or indirectly by a financial institution.

The Agencies note that there is no exception in Title V to the flat prohibition established by section 502(d). The Statement of Managers contained in the Conference Report to S. 900 encourages the Agencies to adopt an exception to section 502(d) to permit disclosures of account numbers in limited instances. It states:

In exercising their authority under section 504(b) [which vests the Agencies with authority to grant exceptions to section 502(a)–(d) beyond those set out in the statute], the agencies and authorities described in section 504(a)(1) may consider it consistent with the purposes of this subtitle to permit the disclosure of customer account numbers or similar forms of access numbers or access codes in an encrypted, scrambled, or similarly coded form, where the disclosure is expressly authorized by the customer and is necessary to service or process a transaction expressly requested or authorized by the customer.

Managers’ Statement at 18. The Agencies have not proposed an exception to the prohibition of section 502(d) because of the risks associated with third parties’ direct access to a consumer’s account. The Agencies seek comment on whether an exception to the section 502(d) prohibition that permits third parties access to account numbers is appropriate, the circumstances under which an exception would be appropriate, and how such an exception should be formulated to provide consumers with adequate protection. The Agencies also seek comment on whether a flat prohibition as set out in section 502(d) might unintentionally disrupt certain routine practices, such as the disclosure of account numbers to a service provider who handles the preparation and distribution of monthly checking account statements for a financial institution coupled with a request by the institution that the service provider include literature with the statement about a product. In addition, the Agencies invite comment on whether a consumer ought to be able to consent to the disclosure of his or her account number, notwithstanding the general prohibition in section 502(d) and, if so, what standards should apply. The Agencies also seek comment on whether section 502(d) prohibits the disclosure by a financial institution to a marketing firm of encrypted account numbers if the financial institution does not provide the marketer the key to decrypt the number.

§l.14 Protection of Fair Credit Reporting Act

Section 506 makes several amendments to the FCRA to vest rulemaking authority in various agencies and to restore the Agencies’ regular examination authority. Paragraph (c) of section 506 states that, except for the amendments noted regarding rulemaking authority, nothing in Title V is to be construed to modify, limit, or supersede the operation of the FCRA, and no inference is to be drawn on the basis of the provisions of Title V whether information is transaction or experience information under section 603 of the FCRA.

Proposed §l.14 implements section 506(c) of the G–L–B Act by restating the statute, making only minor stylistic changes intended to make the rule clearer.

§l.15 Relation to State Laws

Section 507 of the G–L–B Act states, in essence, that Title V does not preempt any State law that provides greater protections than are provided by Title V. Determinations of whether a State law or Title V provides greater protections are to be made by the Federal Trade Commission (FTC) after consultation with the agency that regulates either the party filing a complaint or the financial institution about whom the complaint was filed. Determinations of whether State or Federal law afford greater protections may be initiated by any interested party or on the FTC’s own motion.

Proposed §l.15 is substantively identical to section 507, noting that the proposed rules (as opposed to the statute) do not preempt State laws that provide greater protection for consumers than do the rules.

§l.16 Effective Date; Transition Rule

Section 510 of the G–L–B Act states that, as a general rule, the relevant provisions of Title V take effect 6 months after the date on which rules are required to be prescribed. However, section 510(1) authorizes the Agencies to prescribe a later date in the rules enacted pursuant to section 504.

Proposed §l.16 states, in paragraph (a), an effective date of November 13, 2000. This assumes that a final rule will be adopted within the time frame prescribed by section 504(a)(3). The Agencies intend to provide at least six months following the adoption of a final rule for financial institutions to bring their policies and procedures into compliance with the requirements of the final rule. The Agencies invite comment on whether six months following adoption of final rules is sufficient to enable financial institutions to comply with the rules.

Paragraph (b) of proposed §l.16 provides a transition rule for consumers who were customers as of the effective date of the rules. Since those customer relationships already will have been established as of the rules’ effective date (thereby making it inappropriate to require a financial institution to provide those customers with a copy of the institution’s initial notice at the time of establishing a customer relationship), the rules require instead that the initial notice be provided within 30 days of the effective date. The Agencies invite comment on whether 30 days is enough time to permit a financial institution to deliver the required notices, bearing in mind that the G–L–B Act contemplates at least a six-month delayed effective date from the date the rules are adopted.

If a financial institution intends to disclose nonpublic personal information about someone who was a consumer before the effective date, the institution must provide the notices required by §§l.4 and l.7 and provide a reasonable opportunity to opt out before the effective date. If, in this instance, the institution already is disclosing information about such a consumer, it may continue to do so without interruption until the consumer opts out, in which case the institution must stop disclosing nonpublic personal information about that consumer to nonaffiliated third parties as soon as reasonably practicable.

III. FDIC’s New Electronic Public Comment Site

The FDIC has developed a new page on its web site to facilitate the submission of electronic comments in response to this general solicitation (the EPC site). The EPC site provides an alternative to the written letter and may be a more convenient way for you to submit your comments. Commenting through the EPC site will assist the FDIC to more accurately and efficiently analyze comments submitted electronically. If you submit your comments through the EPC site your comments will receive the same consideration that they would receive if submitted in hard copy to the FDIC’s street address. Information provided through the EPC site will be used by the FDIC only to assist in its analysis of the proposed regulation. The FDIC will not use an individual’s name or any other personal identifier of an individual to retrieve records or information submitted through the EPC site. Like comments submitted in hard copy to the FDIC’s street address, EPC site comments will be made available in their entirety (including the commenter’s name and address if the commenter chooses to provide them) for public inspection.

The EPC site will be available on the FDIC’s home page at http://www.fdic.gov. You will be able to provide general comments or comments on any specific sections of, or questions on, the proposed rule. You will also be able to view the regulation and Supplementary Information sections that relate to your comments directly on the site. Once you have finished commenting on the sections of interest to you, you may indicate your general approval or disapproval of the proposed regulation by answering the following question: Does the proposed regulation appropriately implement the G–L–B Act to provide the full extent of privacy protections intended by the Act? [Yes/No].

If you choose to answer this question, your response will be used in the FDIC’s analysis of public comment on the regulation. The FDIC encourages you to provide written comments in the spaces provided in addition to responding to this specific question. Written comments enable the FDIC to thoughtfully consider possible changes to the proposed regulation.

The FDIC is also interested in your feedback on the EPC site. We have provided a space for you to comment on the site itself. Answers to this question will help the FDIC evaluate the EPC site for use in future rulemaking.

At the conclusion of the EPC site you will have an opportunity to provide us with your name, indicate whether you are an individual, bank, trade association, or government agency, and provide the name of the organization you represent, if applicable. Whether you choose to respond to these questions is entirely up to you. Any responses received may help the FDIC to better understand the public comments it receives.

IV. Regulatory Analysis

A. Paperwork Reduction Act

The Agencies invite comment on:

(1) Whether the collections of information contained in this notice of proposed rulemaking are necessary for the proper performance of each Agency’s functions, including whether the information has practical utility;

(2) The accuracy of each Agency’s estimate of the burden of the proposed information collections;

(3) Ways to enhance the quality, utility, and clarity of the information to be collected;

(4) Ways to minimize the burden of the information collections on respondents, including the use of automated collection techniques or other forms of information technology; and

(5) Estimates of capital or start-up costs and costs of operation, maintenance, and purchases of services to provide information.

Recordkeepers are not required to respond to these collections of information unless they display a currently valid Office of Management and Budget (OMB) control number. The agencies are currently requesting their respective control numbers for these information collections from OMB.

This proposed regulation contains several disclosure requirements. The respondents must prepare and provide the initial notice to all current customers and all new customers at the time of establishing a customer relationship (proposed §l.4(a)). Subsequently, an annual notice must be provided to all customers at least once during a twelve-month period during the continuation of the customer relationship (proposed §l.5(a)). The opt out notice (and partial opt out notice, if applicable; see proposed §l.7(a)(1)(iii)) must be provided prior to disclosing nonpublic personal information to certain nonaffiliated third parties. If a financial institution wishes to disclose information in a way that is inconsistent with the notices previously given to a consumer, the institution must provide consumers with revised notices (proposed §l.8(c)).

The proposed regulation also contains consumer reporting requirements. In order for consumers to opt out, they must respond to the institution’s opt out notice (proposed §§l.7(a)(2), (a)(3)(i), and (c)). At any time during their continued relationship with the institution, consumers have the right to change or update their opt out status with the institution (proposed §§l.8(d) and (e)). The Agencies request public comment on all aspects of the collections of information contained in this proposed rule, including consumer responses to the opt-out notice and consumer changes to their opt-out status with an institution. In light of the uncertainty regarding what institutions will do to comply with the opt-out requirements and how consumers will react, the Agencies estimate a nominal burden stemming from consumer responses of one hour per institution, and will revisit this estimate in light of the comments received.

OCC: The collection of information requirements contained in this notice of proposed rulemaking have been submitted to the Office of Management and Budget for review in accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)). Comments on the collections of information should be sent to the Office of Management and Budget, Paperwork Reduction Project (1557—to be assigned), Washington, DC 20503, with copies to the Legislative and Regulatory Activities Division (1557—to be assigned), Office of the Comptroller of the Currency, 250 E Street, SW, Washington, DC 20219.

The likely respondents are national banks, District of Columbia banks, and Federal branches and agencies of foreign banks.

Estimated average annual burden hours per bank respondent: 45.

Estimated number of bank respondents: 2,400.

Estimated total annual reporting burden: 108,000 hours.

Board: In accordance with section 3506 of the Paperwork Reduction Act of 1995 (44 U.S.C. Ch. 35; 5 CFR 1320, appendix A.1), the Board reviewed the notice of proposed rulemaking under the authority delegated to the Board by the OMB. Comments on the collections of information should be sent to Mary M. West, Chief, Financial Reports Section, Division of Research and Statistics, Mail Stop 97, Board of Governors of the Federal Reserve System, Washington, DC 20551, with a copy to the Office of Management and Budget, Paperwork Reduction Project (7100—to be assigned), Washington, DC 20503.

The likely respondents are state member banks, bank holding companies, affiliates and certain non-bank subsidiaries of bank holding companies, uninsured state agencies and branches of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and agreement corporations.

Estimated number of respondents: 9500.

Estimated average annual burden hours per respondent: 45 hours.

Estimated total annual reporting and disclosure burden: 427,500.

FDIC: The collections of information contained in the notice of proposed rulemaking will be submitted to the OMB in accordance with the Paperwork Reduction Act of 1995. 44 U.S.C. 3507. The FDIC will use any comments received to develop its new burden estimates. Comments on the collections of information should be sent to Steven F. Hanft, Office of the Executive Secretary, Federal Deposit Insurance Corporation, 550 17th Street, NW, Washington, DC 20429, with a copy to the Office of Management and Budget, Paperwork Reduction Project (3064—to be assigned), Washington, DC 20503.

The likely respondents are insured nonmember banks.

Estimated number of respondents: 5,764.

Estimated average annual burden hours per respondent: 45 hours.

Estimated total annual reporting and disclosure burden: 259,380 hours.

OTS: The collection of information requirements contained in the notice of proposed rulemaking will be submitted to the OMB in accordance with the Paperwork Reduction Act of 1995. 44 U.S.C. 3507. The OTS will use any comments received to develop its new burden estimates. Comments on the collection of information should be sent to the Dissemination Branch (1550–AB36), Office of Thrift Supervision, 1700 G Street, NW, Washington, DC 20552, with a copy to the Office of Management and Budget, Paperwork Reduction Project (1550–AB36), Washington, DC 20503.

The likely respondents are savings associations.

Estimated number of respondents: 1,104.

Estimated average annual burden hours per respondent: 45 hours.

Estimated total annual disclosure and recordkeeping burden: 49,680 hours.

B. Regulatory Flexibility Act

OCC: Under the Regulatory Flexibility Act (RFA), the OCC must either provide an Initial Regulatory Flexibility Analysis (IRFA) with a proposed rule or certify that the proposed rule would not have a significant economic impact on a substantial number of small entities. The OCC has decided to publish the following analysis and invites the public's comments on the proposed rule's impact on small entities (i.e., for purposes of RFA, small entities include banks with less than $100 million in assets).

A. Reasons for and Objectives of the Proposed Rule; Legal Basis for Rule

The proposed rule implements provisions of Title V, Subtitle A of the G–L–B Act addressing consumer privacy. In general, these statutory provisions require banks to provide notice to consumers about an institution's privacy policies and practices, restrict the ability of a bank to share nonpublic personal information about consumers to nonaffiliated third parties, and permit consumers to prevent the institution from disclosing nonpublic personal information about them to certain non-affiliated third parties by "opting out" of that disclosure.

The notice and opt out requirements are imposed by Title V, Subtitle A of the G–L–B Act, and are to become effective within one year from the date the Act was signed into law. Section 504 of the G–L–B Act authorizes the OCC to prescribe "such regulations as may be necessary" to carry out the purposes of Title V, Subtitle A. The OCC believes that a regulatory promulgation gives the private sector greater certainty on how to comply with the statute and clearer guidance regarding how it will be enforced.

B. Requirements of the Proposed Rule; Description of Small Entities to Whom Rule Would Apply

Subject to certain exceptions explained below, the proposed rule generally requires that a bank provide all of its customers the following notices: (1) An initial privacy notice (prior to the time the customer relationship is established or, for existing customers, within 30 days of the rule's effective date); (2) an opt out notice (prior to the disclosing of the individual's nonpublic personal information to nonaffiliated third parties); and (3) an annual privacy notice for the duration of the customer relationship. A bank's "customer" is a consumer with whom the bank has a "continuing relationship" (e.g., an ongoing deposit or loan relationship—but does not include a transient relationship, such as the mere purchase of traveler's checks from the bank).

The proposed rule also requires a bank to provide its consumers an initial privacy notice and an opt out notice prior to disclosing the individual's nonpublic personal information with nonaffiliated third parties. If the bank does not intend to share such information about its consumers, then no privacy or opt out notice need be given. A bank's "consumer," which is a broader concept than "customer," includes: (1) Individuals who have applied to the bank for a financial service or product; and (2) individuals who have purchased a product or service that results in a transient (as opposed to continuing) relationship (e.g., mere purchase of traveler's checks from a bank).

There are a host of exceptions to the general rules stated above. A bank may share a consumer's nonpublic personal information with nonaffiliated third parties without having to give a privacy and opt out notice if, for example, such sharing is necessary: (1) To effect, administer, or enforce a transaction requested or authorized by the consumer; (2) to protect the security of records pertaining to the consumer, service, product, or transaction; (3) to protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability; or (4) to provide information to rating agencies or the bank's attorneys, auditors, and accountants. Also, in cases where a bank enters into a contract with a nonaffiliated third party to undertake joint marketing or to have the third party perform certain functions on behalf of the bank, no opt out notice must be given. In such an instance, the bank must disclose to the consumer that it is providing the information and enter into a contract with the third party that restricts the third party's use of the information and requires the third party to maintain confidentiality of the information.

Because the relevant statute did not provide a general exception for small banks, the proposed rule would apply to all banks, regardless of size, including those with assets of $100 million or less. As of September 30, 1999, 1213 (of 2,383 total) national banks had assets of $100 million or less.

Compliance requirements will vary depending, for example, upon a bank's information sharing practices, whether the bank already has or discloses a privacy policy, and whether the bank already has an opt-out mechanism in place pursuant to the Fair Credit Reporting Act.

As part of the requirement to provide a privacy notice, a bank's practices regarding its collection, sharing, and safeguarding of certain nonpublic personal information must be summarized in writing in a form that is required or permitted by the proposed regulation. However, if the bank does not share such information (or shares only to the extent permitted under the exceptions), its privacy notice may be streamlined. Various surveys suggest that a majority of banks already have privacy policies in place as part of usual and customary business practices. For these institutions, the costs for translating that policy into a notice format should be minimal.

Further, to minimize the burden and costs of distributing privacy policies, the proposed regulation allows each bank to choose the method by which it will distribute required notices. For example, banks may include an annual privacy notice with periodic account statements that the bank already sends to the customer. Also, the initial privacy notice may be provided with other already-required disclosure statements, such as those required under the Truth in Lending Act.

[6] 64 FR 59918 (Nov. 3, 1999).
[7] 64 FR 59918 (Nov. 3, 1999).

The OCC believes that the burden imposed by the opt out requirement will be minimized to the extent that a bank must give opt out notices under the FCRA. Under the FCRA, a bank must have an opt out mechanism in place if the bank: (1) Shares certain consumer information (i.e., application or credit report information) with its affiliates, and (2) does not want to be treated as a consumer reporting agency (as will usually be the case). For a bank that gives FCRA notices and that wants to share nonpublic personal information with nonaffiliated third parties, the bank should be able to adapt its existing opt out mechanism to accommodate the requirements of the proposed rule. Of course, a bank need not provide any opt-out notices or set up any opt-out mechanism if it will only be sharing nonpublic information with nonaffiliated third parties to the extent permitted by one of the many exceptions permitted in the proposed rule.

Professional skills needed to comply with the proposed rule may include clerical, computer systems, personnel training, as well as legal drafting and advice. The information collection requirements imposed by the G–L–B Act and the proposed rule are further addressed in the section titled, "Paperwork Reduction Act."

C. Relevant Federal Rules Which May Duplicate, Overlap or Conflict With the Proposed Rule

While the scope of the proposed regulation (pursuant to the G–L–B Act) is unique, there may be some overlap in certain circumstances with the following: As noted above, the Fair Credit Reporting Act requires a bank that: (1) Does not want to be treated as a consumer reporting agency; and (2) desires to share certain consumer information (i.e., application or credit report information) with its affiliates, to provide the consumer with a clear and conspicuous notice and an opportunity to opt out of such information sharing. Also, at the time a consumer contracts for an electronic fund transfer service, the Electronic Funds Transfer Act requires the terms and conditions of such transfer to be disclosed, including under what circumstances the bank will in the ordinary course of business disclose information concerning the consumer's account to third persons. The recently proposed Department of Health and Human Services regulations[6] that implement the Health Insurance Portability and Accountability Act of 1996 would, if adopted in final form, limit the circumstances under which medical information may be disclosed. Finally, the Children's Online Privacy Protection Act (under which the Federal banking agencies are charged with enforcement of implementing regulations promulgated by the Federal Trade Commission) generally requires online service operators collecting personal information from a child to obtain parental consent and post a privacy notice on the web site. The OCC seeks comment on additional Federal rules that may duplicate, overlap, or conflict with the proposal.

D. Significant Alternatives to the Proposed Rule That Minimize the Impact on Small Entities

As previously noted, the proposed rule's requirements are expressly mandated by the G–L–B Act. The proposed rule attempts to clarify, consolidate, and simplify the statutory requirements for all covered entities, including small entities. The proposed rule also provides substantial flexibility so that any bank, regardless of size, may tailor its practices to its individual needs. While the OCC may grant exceptions to the opt out requirements set out in sections 502 (a) through (d), section 504(b) of the G–L–B Act requires such exceptions to be "consistent with the purposes of this subtitle [i.e., Subtitle A of Title V]." As stated in section 501(a) of the Act, "It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." (Emphasis added.) The OCC believes that an exception that would create different levels of protections for consumers based on the size of the institution with whom they conduct business would not be consistent with the purposes of Subtitle A. The OCC welcomes comment on any significant alternatives, consistent with the G–L–B Act, that would minimize the impact on small entities.

Board: The Regulatory Flexibility Act (5 U.S.C. 603) requires an agency to publish an initial regulatory flexibility analysis with any notice of proposed rulemaking. A description of the reasons why action by the agency is being considered and a statement of the objectives of, and legal basis for, the proposed rule, are contained in the supplementary material above. The Board's proposed rule will apply to the following institutions (numbers approximate):

Type of institution                                          Approx. No.
State member banks ..........................................      1,000
Bank holding companies ......................................      5,900
Bank holding company subsidiaries ...........................      2,100
U.S. branches and agencies of foreign banks .................        400
Edge/Agreement corporations, commercial lending companies ...        100
Total .......................................................      9,500

The Board estimates that over 4,500 of the respondents could be considered small institutions with assets less than $100 million.

Overlap with other Federal rules. While the scope of the proposed regulation (pursuant to the G–L–B Act) is unique, it may, in certain circumstances, overlap with the following statutes and regulations:

1. The Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)) requires a bank that: (1) Does not want to be treated as a consumer reporting agency; and (2) desires to share certain consumer information (that is, application or credit report information) with its affiliates, to provide the consumer with a clear and conspicuous notice and an opportunity to opt out of such information sharing.

2. At the time a consumer contracts for an electronic fund transfer service, the Electronic Funds Transfer Act (15 U.S.C. 1693c(a)(9)) requires the terms and conditions of such transfer to be disclosed, including under what circumstances the bank will in the ordinary course of business disclose information concerning the consumer's account to third persons.

3. The recently proposed Department of Health and Human Services regulations[7] that implement the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 3120d–1 et seq.) would, if adopted in final form, limit the circumstances under which medical information may be disclosed.

4. The Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6502) (under which the Federal banking agencies are charged with enforcement of implementing regulations promulgated by the Federal Trade Commission) generally requires online service operators collecting personal information from a child to obtain parental consent and post a privacy notice on the web site.

[8] H. R. Conf. Rep. No. 106–434, at 173 (1999).
[9] The RFA defines the term "small entity" in 5 U.S.C. 601 by reference to definitions published by the Small Business Administration (SBA). The SBA has defined a "small entity for banking purposes as a national or commercial bank, savings institution or credit union with less than $100 million in assets." See 13 CFR 121.201.
[10] "KPMG Analysis Consumer Privacy Policies: Write Now." Online Reuters 19 Jan. 2000.
[11] "Interagency Financial Institution Web Site Privacy Survey Report." FDIC Press Release 9 November 1999.

New compliance requirements. The proposed rule contains new compliance requirements for all covered institutions, most of which are required by the G–L–B Act. The institutions will be required to prepare notices of their privacy policies and practices and provide those notices to consumers as specified in the rule. Institutions that disclose nonpublic personal information about consumers to nonaffiliated third parties will be required to provide opt out notices to consumers as well as a reasonable opportunity to opt out of certain disclosures. These institutions will have to develop systems for keeping track of consumers' opt out directions. Some institutions, particularly those that disclose nonpublic information about consumers to nonaffiliated third parties, will likely need the advice of legal counsel to ensure that they comply with the rule, and may also require computer programming changes and additional staff training. The Board does not have a practicable or reliable basis for quantifying the costs of the proposed rule or any alternatives, but seeks comment on the potential costs.

Exemptions for small institutions. The Board believes the requirements of the Act and this rule will create additional burden for covered institutions, particularly those that disclose nonpublic personal information about consumers to nonaffiliated third parties. The rule applies to all covered institutions, regardless of size. The Act does not provide the Board with the authority to exempt a small institution from the requirement to provide a notice of its privacy policies and practices to a consumer with whom it establishes a customer relationship. Although the Board could exempt small institutions from providing a notice and opportunity for consumers to opt out of certain information disclosures, the Board does not believe that such an exemption would be appropriate, given the purpose of the Act to protect the confidentiality and security of nonpublic personal information about consumers. The Board believes that the burden is relatively small for institutions that do not disclose nonpublic personal information about consumers to nonaffiliated third parties. These institutions may provide relatively simple initial and annual notices to consumers with whom they establish customer relationships.

The Board recognizes that the Congressional Conferees on the Act wished to ensure that smaller financial institutions are not placed at a competitive disadvantage by a statutory regime that permits certain information to be shared freely within an affiliate structure while limiting the ability to share that same information with nonaffiliated third parties. The Conferees stated that, in prescribing regulations, the federal regulatory agencies should take into consideration any adverse competitive effects upon small commercial banks, thrifts, and credit unions.[8] At this time, it is not clear the extent to which small institutions will be placed at a disadvantage by information-sharing among affiliates in large institutional families. The Board believes that further experience under the regulation would be appropriate before considering any exemptions in this area for small institutions.

The Board requests comment on the burdens associated with the proposed rule and whether any exemptions for small institutions would be appropriate.

FDIC: The Regulatory Flexibility Act (5 U.S.C. 601–612) (RFA) requires an agency to publish an initial regulatory flexibility analysis with this proposed rule, except to the extent provided in the RFA, whenever the agency is required to publish a general notice of proposed rulemaking for a proposed rule. The FDIC cannot at this time determine whether the proposed rule would have a significant economic impact on a substantial number of small entities as defined by the RFA.[9] Therefore, pursuant to subsections 603(b) and (c) of the RFA, the FDIC provides the following initial regulatory flexibility analysis.

Reasons for Proposed Rule

The FDIC is requesting comment on proposed privacy rules published pursuant to section 504 of the G–L–B Act. Section 504 requires the Agencies in consultation with representatives of State insurance authorities to issue regulations implementing notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. These requirements are expressly mandated by the G–L–B Act. It is the view of the FDIC that the G–L–B Act's requirements account for most, if not all, of the economic impact of the proposed rule.

Statement of Objectives and Legal Basis

The SUPPLEMENTARY INFORMATION section above contains this information. The legal basis for the proposed rule is the G–L–B Act.

Description/Estimate of the Small Entities to Which the Rule Applies

The proposed rule would apply to all FDIC-insured State nonmember banks, approximately 3,700 of which are small entities as defined by the RFA.

Projected Reporting, Recordkeeping and Other Compliance Requirements

The information collection requirements imposed by the G–L–B Act and the proposed rule are discussed above in the section titled, "Paperwork Reduction Act."

General Requirements

Pursuant to section 503 of the G–L–B Act and §§ 332.4–332.6 of the regulation, a financial institution must provide its customers with a notice of its privacy policies and practices. Section 502 of the G–L–B Act and §§ 332.7–332.12 of the regulation prohibit a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties unless the institution satisfies various disclosure requirements and the consumer has elected not to opt out of the disclosure.

The statute and proposed rule require a financial institution to disclose to all of its customers the institution's privacy policies and practices with respect to information sharing with both affiliates and non-affiliated third parties. Institutions are required to provide this notice at the time of establishing a customer relationship and annually thereafter. Recent experience has shown that maintaining a privacy policy is a usual and customary business practice of financial institutions. KPMG reported in a recent industry survey of large and small banks that 71% of bankers said their institutions already had privacy policies in place either company-wide or in some selected units.[10] Another recent survey of Internet banking sites conducted by federal banking regulators concluded that over 62% of financial institutions that collected personal information online provided a privacy policy or information practice statement.[11]

Furthermore, a number of industry groups have developed model privacy policies that are available as part of their self-regulatory efforts in the privacy area.[12] The FDIC believes the establishment of a privacy policy is a usual and customary business practice and the costs for translating that policy into a disclosure format should be minimal. The FDIC seeks any information or comment on the costs for creating privacy policy disclosures.

[12] "Banks Should Tell Customers of Policies to Protect Privacy, Banking Groups Say." Online BNA Electronic Commerce & Law 16 September 1998.
[13] 5 U.S.C. 605(b).
[14] 13 CFR 121.201, Division H (1999).

To minimize the burden and costs to financial institutions of distributing privacy policies, the proposed regulation allows each bank to choose the method by which it will distribute required disclosure statements. Institutions may provide customers with a privacy disclosure statement with periodic statements, with other required disclosure statements, via electronic mail to consumers who obtain a financial product or service electronically, and other acceptable means described in the proposed regulation. The FDIC believes that the cost of distributing privacy disclosure statements will be minimal and seeks any information or comment on the costs for distributing privacy policy disclosures.

The statute and proposed rule describe the conditions under which a financial institution may disclose nonpublic personal information about a consumer to a nonaffiliated third party. A number of exceptions are provided for nonaffiliated third parties performing services for the institution. The rules require institutions to develop a method to allow customers to opt out of non-affiliated third party information sharing. Only those institutions that intend to share nonpublic personal information with third parties outside of the exemptions provided are required to establish "opt out" disclosure and processing procedures. Furthermore, only those institutions that share nonpublic personal information with third parties outside of the exemptions provided could be expected to encounter any reduction in revenue as a result of the diminished value of information sales. The FDIC informally surveyed its regional offices to determine the costs of implementing the opt out provisions of the proposed regulation. Based on the observations by FDIC examiners, the FDIC believes that the costs to implement opt out provisions of the regulation for small insured nonmember banks will be minimal. Few nonaffiliated third party information sharing arrangements could be identified that would fall outside the exceptions provided in the regulation. Congress recognized the lack of information available on affiliate information sharing practices by requiring the regulators to conduct a "Study of Information Sharing Among Financial Affiliates" that focuses on the practice of institutions sharing confidential customer information with affiliates and non-affiliated third parties. This study is due subsequent to release of this regulation. The FDIC seeks further comment on the information sharing practices and actual costs of implementing the opt out disclosure and processing requirements of the proposed regulation.

Identification of Duplicative, Overlapping, or Conflicting Federal Rules

While the scope of the proposed regulation (pursuant to the G–L–B Act) is unique, there may be some overlap in certain circumstances with the following: As noted above, the FCRA requires a bank that: (1) Does not want to be treated as a consumer reporting agency; and (2) desires to share certain consumer information (i.e., application or credit report information) with its affiliates, to provide the consumer with a clear and conspicuous notice and an opportunity to opt out of such information sharing. Also, at the time a consumer contracts for an electronic fund transfer service, the Electronic Funds Transfer Act requires the terms and conditions of such transfer to be disclosed, including under what circumstances the bank will in the ordinary course of business disclose information concerning the consumer's account to third persons. Finally, the Children's Online Privacy Protection Act (under which the Federal banking agencies are charged with enforcement of implementing regulations promulgated by the Federal Trade Commission) generally requires online service operators collecting personal information from a child to obtain parental consent and post a privacy notice on the web site. The FDIC seeks comments and information about any such rules, as well as any other state, local, or industry rules or policies that require financial institutions to implement business practices that would comply with the requirements of the proposed rule.

Discussion of Significant Alternatives

As previously noted, the proposed rule's requirements are expressly mandated by the G–L–B Act. The proposed rule attempts to clarify, consolidate, and simplify the statutory requirements for all covered entities, including small entities. The proposed rule also provides substantial flexibility so that any bank, regardless of size, may tailor its practices to its individual needs. While the FDIC may grant exceptions to the opt out requirements set out in sections 502(a) through (d), section 504(b) of the G–L–B Act requires such exceptions to be "consistent with the purposes of this subtitle [i.e., Subtitle A of Title V]." As stated in section 501(a) of the Act, "It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." (Emphasis added.) The FDIC believes that an exception that would create different levels of protections for consumers based on the size of the institution with whom they conduct business would not be consistent with the purposes of Subtitle A. The FDIC welcomes comment on any significant alternatives, consistent with the G–L–B Act, that would minimize the impact on small entities.

OTS: The Regulatory Flexibility Act requires federal agencies to either prepare an initial regulatory flexibility analysis (IRFA) with this proposed rule or certify that the proposed rule would not have a significant economic impact on a substantial number of small entities.[13] The OTS cannot, at this time, determine whether the proposed rule would have a significant economic impact on a substantial number of small institutions. Therefore, OTS includes the following IRFA.

A description of the reasons why OTS is considering this action, and a statement of the objectives of, and legal basis for, the proposed rule are in the supplementary material above.

A. Small Entities to Which the Proposed Rule Would Apply

The proposed rule would apply to all financial institutions, without regard to the institutions' size. Small depository institutions are generally defined, for Regulatory Flexibility Act purposes, as those with assets under $100 million.[14]

This proposed rule would apply to approximately 500 small savings associations.

B. Requirements of the Proposed Rule

As described more fully above, the proposed rule contains new compliance requirements for all savings associations. Most of the requirements are mandated by the G–L–B Act. Savings associations will be required to prepare notices of their privacy policies and practices and provide those notices to consumers. Savings associations that disclose nonpublic personal information about consumers to nonaffiliated third parties will be required to provide opt out notices to consumers as well as a reasonable opportunity to opt out of certain disclosures. These savings associations will have to develop systems for keeping track of consumers' opt out directions.

[15] G–L–B Act, Pub. Law. No. 106–102, 113 Stat. 1338, § 501(a) (1999) (to be codified at 15 USC 6801).
[16] H. R. Conf. Rep. No. 106–434, at 173 (1999).

C. Reporting, Recordkeeping, and Other Compliance Requirements

The proposed rule would require savings associations to disclose their privacy policies to consumers, and to keep track of any opt out notices the consumers submit.

Many financial institutions may already have established privacy policies and practices and may already be partly or fully prepared to meet the requirements of this proposed rule. Additionally, OTS anticipates that trade associations and others will prepare compliance materials and guidance that financial institutions can use to meet the requirements of this proposed rule.

To the extent that existing practices and available resources are insufficient, financial institutions would need professional skills to comply with this proposed rule. To prepare the required privacy disclosures and opt out notices, financial institutions may need legal or other professional advice and drafting. This would be true for the initial disclosures and notices, and for any subsequent changes to those documents. For financial institutions that publish privacy notices electronically or accept electronic opt outs, computer expertise would be necessary to convert the documents to the appropriate electronic form.

The proposed regulation would allow financial institutions to share consumers’ nonpublic personal information with a nonaffiliated third party to perform services for the financial institution. However, § 573.9(a)(2) of the regulation would require institutions in that event to contractually require the third party recipient to maintain the privacy of shared information. In these cases, financial institutions may require legal advice and drafting to ensure that their contracts meet the requirements of the proposed rule.

Financial institutions may further need professional skills to process opt out notices that consumers submit. Some financial institutions may use clerical or computer programmer skills to perform these tasks. Some degree of personnel training may be necessary, such as to train staff on the procedures for entering opt out data into a computer database.

OTS does not have a practicable or reliable basis for quantifying the costs of this proposed rule, or of any alternative to the rule. OTS cannot predict how savings associations would comply with the proposed notice requirements, or how many opt out notices savings associations would receive and need to process. Some savings associations may currently derive revenue from selling information about their customers, and this rule may decrease the amount of that revenue. OTS has no reliable basis for determining the amount of this decrease in revenue at savings associations. The costs of this proposed rule or any alternative to the rule are unpredictable for two reasons. First, Congress has required this regulation to be finalized within six months after G–L–B’s enactment. This short time period makes it difficult to survey savings associations or trade organizations for reliable information. Second, and more importantly, the G–L–B Act and this rulemaking are so new that the industry has not had enough time to learn what the law requires and decide how to proceed. Rather than merely guess at the regulatory burden of this proposed rule, OTS solicits comment on the burden and on ways to minimize it, consistent with the G–L–B Act.

D. Significant Alternatives

The requirements in the proposed rule parallel those in the G–L–B Act. The proposed regulation would clarify the statutory requirements in certain areas, and would restate the requirements in a more understandable manner, but would not impose any substantially different requirements.

Congress has decided that “each” financial institution must protect consumers’ privacy, without regard to the size of the financial institutions with which consumers interact. 15 OTS believes it does not have authority to exempt small entities from Subtitle A of Title V of the G–L–B Act.

Although OTS could exempt small savings associations from providing a notice and opportunity for consumers to opt out of certain information disclosures, OTS does not believe that such an exemption would be appropriate, given the purpose of the G–L–B Act to protect the confidentiality and security of nonpublic personal information about consumers. Savings associations that do not disclose nonpublic personal information about consumers to nonaffiliated third parties may provide relatively simple initial and annual notices to their customers.

OTS recognizes that the Congressional Conferees on the Act wished to ensure that smaller financial institutions are not placed at a competitive disadvantage by a statutory regime that permits certain information to be shared freely within an affiliate structure while limiting the ability to share that same information with nonaffiliated third parties. The Conferees stated that, in prescribing regulations, the federal regulatory agencies should take into consideration any adverse competitive effects upon small commercial banks, thrifts, and credit unions. 16 At this time, it is not clear the extent to which small institutions will be placed at a disadvantage by information-sharing among affiliates in large institutional families. OTS believes that further experience under the regulation would be appropriate before considering any exemptions in this area for small institutions.

To reduce regulatory burden, consistent with the statutory requirements, this proposed regulation would provide financial institutions with substantial flexibility to use privacy practices tailored to their individual needs. For example, the Agencies considered setting a certain time within which financial institutions that receive opt out notices must comply with them. Because the Agencies thought a certain time limit might impose undue regulatory burden, the proposed rule would require compliance with opt out notices “as soon as reasonably practicable.” § 573.8(e). Similarly, the proposed rule would become effective on November 13, 2000. This is designed to allow financial institutions one year after G–L–B was enacted, and six months after the date by which Congress requires the final rule to be issued, to come into compliance. § 573.16(a). The Agencies are soliciting comments on whether these time limits would allow financial institutions sufficient time to comply with the rules.

OTS requests comment on the burdens associated with the proposed rule and whether any exceptions for small institutions would be appropriate.

E. Other Matters

While the scope of the proposed regulation (pursuant to the G–L–B Act) is unique, there may be some overlap in certain circumstances with certain Federal rules. As noted above, the Fair Credit Reporting Act requires a savings association that (1) does not want to be treated as a consumer reporting agency and (2) desires to share certain consumer information (i.e., application or credit report information) with its affiliates, to provide the consumer with a clear and conspicuous notice and an opportunity to opt out of such information sharing. Also, at the time a consumer contracts for an electronic fund transfer service, the Electronic Fund Transfer Act requires the terms and conditions of such transfer to be disclosed, including under what circumstances the bank will in the ordinary course of business disclose information concerning the consumer’s account to third persons. Finally, the Children’s Online Privacy Protection Act (under which the Federal banking agencies are charged with enforcement of implementing regulations promulgated by the Federal Trade Commission) generally requires online service operators collecting personal information from a child to obtain parental consent and post a privacy notice on the web site. OTS seeks comment on additional Federal rules that may duplicate, overlap or conflict with the proposal.

C. Executive Order 12866

OCC: The Comptroller of the Currency has determined that this proposed rule, if adopted as a final rule, does not constitute a “significant regulatory action” for the purposes of Executive Order 12866. The rule follows closely the requirements of title V, subtitle A of the G–L–B Act. Since the G–L–B Act establishes the minimum requirements for this activity, the OCC has little discretion to propose regulatory options that might significantly reduce costs or other burdens. However, even absent the requirements of the G–L–B Act, if the OCC issued the rule under its own authority, the rule would not constitute a “significant regulatory action” for the purposes of Executive Order 12866.

Nevertheless, the OCC acknowledges that the rule would impose costs on national banks by requiring them to make notifications and take other actions impacting their day to day operations. Therefore, the OCC invites national banks and the public to provide any cost estimates and related data that they think would be useful to the agency in evaluating the overall costs of the rule. The OCC will review carefully the comments and cost data that you provide and will revisit the cost aspects of the G–L–B Act as implemented by this proposal in developing the final rule.

OTS: OTS has determined that this proposed rule, if adopted as a final rule, would not constitute a “significant regulatory action” for the purposes of Executive Order 12866. The rule follows closely the requirements of title V, subtitle A of the G–L–B Act. Since the G–L–B Act establishes the minimum requirements for this activity, OTS has little discretion to propose regulatory options that might significantly reduce costs or other burdens.

Nevertheless, OTS acknowledges that the rule would impose costs on the thrift industry by requiring savings associations to make notifications and take other actions impacting their day to day operations. Therefore, OTS invites the thrift industry and the public to provide any cost estimates and related data that they think would be useful to the agency in evaluating the overall costs of the rule. OTS will review carefully the comments and cost data that you provide and will revisit the cost aspects of the G–L–B Act as implemented by this proposal in developing the final rule.

D. Unfunded Mandates Act of 1995

Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1532 (Unfunded Mandates Act), requires that an agency prepare a budgetary impact statement before promulgating any rule likely to result in a Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires the agency to identify and consider a reasonable number of regulatory alternatives before promulgating the rule. However, an agency is not required to assess the effects of its regulatory actions on the private sector to the extent that such regulations incorporate requirements specifically set forth in law. 2 U.S.C. 1531. Most of the proposed rule’s provisions are already mandated by the applicable provisions in Title V of the G–L–B Act, which would become effective and binding on the private sector without a regulatory promulgation. Therefore, the OCC and OTS have determined that this proposed regulation will not result in expenditures by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. Accordingly, the OCC and OTS have not prepared a budgetary impact statement or specifically addressed the regulatory alternatives considered.

V. Solicitation of Comments on Use of “Plain Language”

Section 722 of the G–L–B Act requires the Federal banking agencies to use “plain language” in all proposed and final rules published after January 1, 2000. We invite your comments on how to make this proposed rule easier to understand. For example:

• Have we organized the material to suit your needs? If not, how could the material be better organized?

• Are the requirements in the rule clearly stated? If not, how could the rule be more clearly stated?

• Does the rule contain technical language or jargon that isn’t clear? If so, which language requires clarification? For example, is the phrase “opt out” confusing to the average reader? Should the Agencies require financial institutions to use a different phrase in their notices, such as “choose not to have information shared”?

• Would a different format (grouping and order of sections, use of headings, paragraphing) make the rule easier to understand? If so, what changes to the format would make the rule easier to understand?

• Would more (but shorter) sections be better? If so, which sections should be changed?

• What else could we do to make the rule easier to understand?

• The Agencies solicit comment on whether the inclusion of examples in the regulation is appropriate. Elevating the fact patterns to safe harbors in the rule may generate certain problems over time. For example, changes in technology or practices may ultimately impact the fact patterns contained in the examples and require changes to the regulation. Are there alternative methods to offer illustrative guidance of the concepts portrayed by the examples?

List of Subjects

12 CFR Part 40

Banks, banking, Consumer protection, National banks, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 216

Banks, banking, Consumer protection, Federal Reserve System, Foreign banking, Holding companies, Information, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 332

Banks, banking, Privacy.

12 CFR Part 573

Consumer protection, Privacy, Savings associations.


Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

For the reasons set out in the joint preamble, the OCC proposes to amend chapter I of title 12 of the Code of Federal Regulations by adding a new part 40 to read as follows:

PART 40—PRIVACY OF CONSUMER FINANCIAL INFORMATION

Sec.
40.1 Purpose and scope.
40.2 Rule of construction.
40.3 Definitions.
40.4 Initial notice to consumers of privacy policies and practices required.
40.5 Annual notice to customers required.
40.6 Information to be included in initial and annual notices of privacy policies and practices.
40.7 Limitation on disclosure of nonpublic personal information about consumers to nonaffiliated third parties.
40.8 Form and method of providing opt out notice to consumers.
40.9 Exception to opt out requirements for service providers and joint marketing.
40.10 Exceptions to notice and opt out requirements for processing and servicing transactions.
40.11 Other exceptions to notice and opt out requirements.
40.12 Limits on redisclosure and reuse of information.
40.13 Limits on sharing of account number information for marketing purposes.
40.14 Protection of Fair Credit Reporting Act.
40.15 Relation to State laws.
40.16 Effective date; transition rule.

Authority: 12 U.S.C. 93a; 15 U.S.C. 6801 et seq.

§ 40.1 Purpose and scope.

(a) Purpose. This part governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph (b) of this section. This part:

(1) Requires a financial institution to provide notice to consumers about its privacy policies and practices;

(2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and

(3) Provides a method for consumers to prevent a financial institution from disclosing that information to certain nonaffiliated third parties by “opting out” of that disclosure, subject to the exceptions in §§ 40.9, 40.10, and 40.11.

(b) Scope. The rules established by this part apply only to nonpublic personal information about individuals who obtain financial products or services for personal, family or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business purposes. This part applies to entities for which the Office of the Comptroller of the Currency has primary supervisory authority. They are referred to in this part as “the bank.” These are national banks, District of Columbia banks, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities except a broker or dealer that is registered under the Securities Exchange Act of 1934, a registered investment adviser (with respect to the investment advisory activities of the adviser and activities incidental to those investment advisory activities), an investment company registered under the Investment Company Act of 1940, an insurance company that is subject to supervision by a State insurance regulator (with respect to insurance activities of the company and activities incidental to those insurance activities), and an entity that is subject to regulation by the Commodity Futures Trading Commission.

§ 40.2 Rule of construction.

The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.

§ 40.3 Definitions.

As used in this part, unless the context requires otherwise:

(a) Affiliate means any company that controls, is controlled by, or is under common control with another company.

(b)(1) Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.

(2) Examples. (i) The bank makes its notice reasonably understandable if, to the extent applicable, the bank:

(A) Presents the information contained in the notice in clear, concise sentences, paragraphs and sections;

(B) Uses short explanatory sentences and bullet lists, whenever possible;

(C) Uses definite, concrete, everyday words and active voice, whenever possible;

(D) Avoids multiple negatives;

(E) Avoids legal and highly technical business terminology; and

(F) Avoids boilerplate explanations that are imprecise and readily subject to different interpretations.

(ii) The bank designs its notice to call attention to the nature and significance of the information contained in the notice if, to the extent applicable, the bank:

(A) Uses a plain-language heading to call attention to the notice;

(B) Uses a typeface and type size that are easy to read; and

(C) Provides wide margins and ample line spacing.

(iii) If the bank provides a notice on the same form as another notice or other document, the bank designs its notice to call attention to the nature and significance of the information contained in the notice if the bank uses:

(A) Larger type size(s), boldface or italics in the text;

(B) Wider margins and line spacing in the notice; or

(C) Shading or sidebars to highlight the notice, whenever possible.

(c) Collect means to obtain information that is organized or retrievable on a personally identifiable basis, irrespective of the source of the underlying information.

(d) Company means any corporation, limited liability company, business trust, general or limited partnership, association or similar organization.

(e) (1) Consumer means an individual who obtains or has obtained a financial product or service from the bank that is to be used primarily for personal, family or household purposes, and that individual’s legal representative.

(2) Examples. (i) An individual who applies to a bank for credit for personal, family or household purposes is a consumer of a financial service, regardless of whether the credit is extended.

(ii) An individual who provides nonpublic personal information to a bank in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended by the bank or another financial institution.

(iii) An individual who provides nonpublic personal information to a bank in connection with obtaining or seeking to obtain financial, investment or economic advisory services is a consumer regardless of whether the bank establishes an ongoing advisory relationship.

(iv) An individual who negotiates a workout with a bank for a loan that the bank owns is a consumer regardless of whether the bank originally extended the loan to the individual.

(v) An individual who has a loan from a bank is the bank’s consumer even if the bank:

(A) Hires an agent to collect on the loan;


(B) Sells the rights to service the loan; or

(C) Bought the loan from the financial institution that originated the loan.

(vi) An individual is not a bank’s consumer solely because the bank processes information about the individual on behalf of a financial institution that extended the loan to the individual.

(f) Consumer reporting agency has the same meaning as in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).

(g) Control of a company means:

(1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;

(2) Control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or

(3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as determined by the OCC.

(h) Customer means a consumer who has a customer relationship with a bank.

(i) (1) Customer relationship means a continuing relationship between a consumer and a bank under which the bank provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

(2) Examples. (i) A consumer has a continuing relationship with a bank if the consumer:

(A) Has a deposit, credit, trust or investment account with the bank;

(B) Purchases an insurance product from the bank;

(C) Holds an investment product through the bank;

(D) Enters into an agreement or understanding with the bank whereby the bank undertakes to arrange or broker a home mortgage loan for the consumer;

(E) Has a loan that the bank services where the bank owns the servicing rights;

(F) Enters into a lease of personal property with the bank; or

(G) Obtains financial, investment or economic advisory services from the bank for a fee.

(ii) A consumer does not, however, have a continuing relationship with a bank if:

(A) The consumer only obtains a financial product or service in an isolated transaction, such as withdrawing cash from the bank’s automated teller machine (ATM) or purchasing a cashier’s check or money order;

(B) The bank sells the consumer’s loan and does not retain the rights to service that loan; or

(C) The bank sells the consumer airline tickets, travel insurance or traveler’s checks in an isolated transaction.

(j) (1) Financial institution means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

(2) Financial institution does not include:

(i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);

(ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or

(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.

(k) (1) Financial product or service means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

(2) Financial service includes a bank’s evaluation, brokerage or distribution of information that the bank collects in connection with a request or an application from a consumer for a financial product or service.

(l) Government regulator means:

(1) The Board of Governors of the Federal Reserve System;

(2) The Office of the Comptroller of the Currency;

(3) The Board of Directors of the Federal Deposit Insurance Corporation;

(4) The Director of the Office of Thrift Supervision;

(5) The National Credit Union Administration Board;

(6) The Securities and Exchange Commission;

(7) The Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping);

(8) A State insurance authority, with respect to any person domiciled in that insurance authority’s State that is engaged in providing insurance; and

(9) The Federal Trade Commission.

(m) (1) Nonaffiliated third party means any person except:

(i) A bank’s affiliate; or

(ii) A person employed jointly by a bank and any company that is not the bank’s affiliate (but nonaffiliated third party includes the other company that jointly employs the person).

(2) Nonaffiliated third party includes any company that is an affiliate by virtue of the direct or indirect ownership or control of the company by the financial institution or any affiliate of the financial institution in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) or insurance company investment activities of the type described in section 4(k)(4)(I) of the Bank Holding Company Act (12 U.S.C. 1843(k)(4)(H) and (I)).

Alternative A

(n) (1) Nonpublic personal information means:

(i) Personally identifiable financial information; and

(ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information.

(2) Nonpublic personal information does not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information.

(3) Example. Nonpublic personal information includes any list of individuals’ street addresses and telephone numbers that is derived using any information consumers provide to the bank on an application for a financial product or service.

(o) (1) Personally identifiable financial information means any information:

(i) Provided by a consumer to a bank to obtain a financial product or service from the bank;

(ii) Resulting from any transaction involving a financial product or service between a bank and a consumer; or

(iii) The bank otherwise obtains about a consumer in connection with providing a financial product or service to that consumer, other than publicly available information.

(2) Examples. (i) Personally identifiable financial information includes:


(A) Information a consumer provides to a bank on an application to obtain a loan, credit card, insurance or other financial product or service, including, among other things, medical information;

(B) Account balance information, payment history, overdraft history, and credit or debit card purchase information;

(C) The fact that an individual is or has been one of a bank’s customers or has obtained a financial product or service from the bank, unless that fact is derived using only publicly available information, such as government real estate records or bankruptcy records;

(D) Other information about a bank’s consumer if it is disclosed in a manner that indicates the individual is or has been the bank’s consumer;

(E) Any information provided by a consumer or otherwise obtained by the bank or its agent in connection with collecting on a loan or servicing a loan; and

(F) Information from a consumer report.

(ii) Personally identifiable financial information does not include a list of names and addresses of customers of an entity that is not a financial institution.

(p) (1) Publicly available information means any information that is lawfully made available to the general public that is obtained from:

(i) Federal, State or local government records;

(ii) Widely distributed media; or

(iii) Disclosures to the general public that are required to be made by Federal, State or local law.

(2) Examples—(i) Government records. Publicly available information contained in government records includes information contained in government real estate records and security interest filings.

(ii) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or an Internet site that is available to the general public without requiring a password or similar restriction.

Alternative B

(n) (1) Nonpublic personal information means:

(i) Personally identifiable financial information; and

(ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information.

(2) Nonpublic personal information does not include any:

(i) Publicly available information, except as provided in paragraph (n)(1)(ii) of this section; or

(ii) List, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information.

(3) Example. Nonpublic personal information includes any list of individuals’ street addresses and telephone numbers that is derived using personally identifiable financial information, such as account numbers.

(o) (1) Personally identifiable financial information means any information:

(i) Provided by a consumer to a bank to obtain a financial product or service from the bank;

(ii) About a consumer resulting from any transaction involving a financial product or service between the bank and a consumer; or

(iii) The bank otherwise obtains abouta consumer in connection withproviding a financial product or serviceto that consumer.

(2) Examples. (i) Personallyidentifiable financial informationincludes:

(A) Information a consumer providesto a bank on an application to obtain aloan, credit card, insurance or otherfinancial product or service, including,among other things, medicalinformation;

(B) Account balance information,payment history, overdraft history, andcredit or debit card purchaseinformation;

(C) The fact that an individual is orhas been one of the bank’s customers orhas obtained a financial product orservice from the bank, unless that factis derived using only publicly availableinformation, such as government realestate records or bankruptcy records;

(D) Other information about a bank’sconsumer if it is disclosed in a mannerthat indicates the individual is or hasbeen the bank’s consumer;

(E) Any information provided by aconsumer or otherwise obtained by abank or its agent in connection withcollecting on a loan or servicing a loan;and

(F) Information from a consumerreport.

(ii) Personally identifiable financialinformation does not include a list ofnames and addresses of customers of anentity that is not a financial institution.

(p) (1) Publicly available informationmeans any information that is lawfullymade available to the general publicfrom:

(i) Federal, State or local governmentrecords;

(ii) Widely distributed media; or(iii) Disclosures to the general public

that are required to be made by Federal,State or local law.

(2) Examples—(i) Governmentrecords. Publicly available informationcontained in government recordsincludes information contained ingovernment real estate records andsecurity interest filings.

(ii) Widely distributed media. Publiclyavailable information from widelydistributed media includes informationfrom a telephone book, a television orradio program, a newspaper or anInternet site that is available to thegeneral public without requiring apassword or similar restriction.

§ 40.4 Initial notice to consumers of privacy policies and practices required.

(a) When initial notice is required. A bank must provide a clear and conspicuous notice that accurately reflects the bank’s privacy policies and practices to:

(1) An individual who becomes the bank’s customer, prior to the time that the bank establishes a customer relationship, except as provided in paragraph (d)(2) of this section; and

(2) A consumer, prior to the time that a bank discloses any nonpublic personal information about the consumer to any nonaffiliated third party, if the bank makes such a disclosure other than as authorized by §§ 40.10 and 40.11.

(b) When initial notice to a consumer is not required. The bank is not required to provide an initial notice to a consumer under paragraph (a)(1) of this section if:

(1) The bank does not disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized by §§ 40.10 and 40.11; and

(2) The bank does not have a customer relationship with the consumer.

(c) When the bank establishes a customer relationship—(1) General rule. A bank establishes a customer relationship at the time the bank and the consumer enter into a continuing relationship.

(2) Examples. The bank establishes a customer relationship when the consumer:

(i) Opens a credit card account with the bank;

(ii) Executes the contract to open a deposit account with the bank, obtains credit from the bank, or purchases insurance from the bank;

(iii) Agrees to obtain financial, economic or investment advisory services from the bank for a fee; or

(iv) Becomes the bank’s client for the purpose of the bank providing credit counseling or tax preparation services.


(d) How to provide notice—(1) General rule. A bank must provide the privacy notice required by paragraph (a) of this section so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form.

(2) Exceptions to allow subsequent delivery of notice. The bank may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after it establishes a customer relationship if:

(i) The bank purchases a loan or assumes a deposit liability from another financial institution and the customer of that loan or deposit account does not have a choice about the bank’s purchase or assumption; or

(ii) The bank and the consumer orally agree to enter into a customer relationship and the consumer agrees to receive the notice thereafter.

(3) Oral description of notice insufficient. The bank may not provide the initial notice required by paragraph (a) of this section solely by orally explaining, either in person or over the telephone, the bank’s privacy policies and practices.

(4) Retention or accessibility of initial notice for customers. For customers only, the bank must provide the initial notice required by paragraph (a)(1) of this section so that it can be retained or obtained at a later time by the customer, in a written form or, if the customer agrees, in electronic form.

(5) Examples. (i) A bank may reasonably expect that a consumer will receive actual notice of its privacy policies and practices if the bank:

(A) Hand-delivers a printed copy of the notice to the consumer;

(B) Mails a printed copy of the notice to the last known address of the consumer;

(C) For the consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service;

(D) For an isolated transaction with the consumer, such as an ATM transaction, posts the notice on the ATM screen and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.

(ii) A bank may not, however, reasonably expect that a consumer will receive actual notice of the bank’s privacy policies and practices if the bank:

(A) Only posts a sign in its branch or office or generally publishes advertisements of its privacy policies and practices;

(B) Sends the notice via electronic mail to a consumer who obtains a financial product or service from the bank in person or through the mail and who does not agree to receive the notice electronically.

(iii) A bank provides the initial privacy notice to the customer so that it can be retained or obtained at a later time if the bank:

(A) Hand-delivers a printed copy of the notice to the customer;

(B) Mails a printed copy of the notice to the last known address of the customer upon request of the customer; or

(C) Maintains the notice on a web site (or a link to another web site) for the customer who obtains a financial product or service electronically and who agrees to receive the notice electronically.

§ 40.5 Annual notice to customers required.

(a) General rule. A bank must provide a clear and conspicuous notice to customers that accurately reflects the bank’s privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists.

(b) How to provide notice. A bank must provide the annual notice required by paragraph (a) of this section to a customer using a means permitted for providing the initial notice to that customer under § 40.4(d).

(c) (1) Termination of customer relationship. A bank is not required to provide an annual notice to a customer with whom the bank no longer has a continuing relationship.

(2) Examples. A bank no longer has a continuing relationship with an individual if:

(i) In the case of a deposit account, the account is dormant under the bank’s policies;

(ii) In the case of a closed-end loan, the consumer pays the loan in full, the bank charges off the loan, or the bank sells the loan without retaining servicing rights;

(iii) In the case of a credit card relationship or other open-end credit relationship, the bank no longer provides any statements or notices to the consumer concerning that relationship or the bank sells the credit card receivables without retaining servicing rights; or

(iv) For other types of relationships, the bank has not communicated with the consumer about the relationship for a period of 12 consecutive months, other than to provide annual notices of privacy policies and practices.

§ 40.6 Information to be included in initial and annual notices of privacy policies and practices.

(a) General rule. The initial and annual notices that a bank provides about its privacy policies and practices under §§ 40.4 and 40.5 must include each of the following items of information:

(1) The categories of nonpublic personal information about the bank’s consumers that the bank collects;

(2) The categories of nonpublic personal information about the bank’s consumers that the bank discloses;

(3) The categories of affiliates and nonaffiliated third parties to whom the bank discloses nonpublic personal information about its consumers, other than those parties to whom the bank discloses information under §§ 40.10 and 40.11;

(4) The categories of nonpublic personal information about the bank’s former customers that it discloses and the categories of affiliates and nonaffiliated third parties to whom the bank discloses nonpublic personal information about its former customers, other than those parties to whom it discloses information under §§ 40.10 and 40.11;

(5) If the bank discloses nonpublic personal information to a nonaffiliated third party under § 40.9 (and no other exception applies to that disclosure), a separate description of the categories of information the bank discloses and the categories of third parties with whom the bank has contracted;

(6) An explanation of the right under § 40.8(a) of the consumer to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the methods by which the consumer may exercise that right;

(7) Any disclosures that the bank makes under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates); and

(8) The bank’s policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information.

(b) Description of nonaffiliated third parties subject to exceptions. If a bank discloses nonpublic personal information about a consumer to third parties as authorized under §§ 40.10 and 40.11, the bank is not required to list those exceptions in the initial or annual privacy notices required by §§ 40.4 and 40.5. When describing the categories with respect to those parties, the bank is only required to state that it makes disclosures to other nonaffiliated third parties as permitted by law.

(c) Future disclosures. The bank’s notice may include:

(1) Categories of nonpublic personal information that the bank reserves the right to disclose in the future, but does not currently disclose; and

(2) Categories of affiliates or nonaffiliated third parties to whom the bank reserves the right in the future to disclose, but to whom the bank does not currently disclose, nonpublic personal information.

(d) Examples—(1) Categories of nonpublic personal information that the bank collects. A bank adequately categorizes the nonpublic personal information it collects if it categorizes the information according to the source of the information, such as application information, information about transactions (such as information regarding a deposit, loan, or credit card account), and consumer reports.

(2) Categories of nonpublic personal information the bank discloses. A bank adequately categorizes nonpublic personal information it discloses if the bank categorizes the information according to source, and provides illustrative examples of the content of the information. These might include application information, such as assets and income; identifying information, such as name, address, and social security number; and transaction information, such as information about account balance, payment history, parties to the transaction, and credit card usage; and information from consumer reports, such as a consumer’s creditworthiness and credit history. A bank does not adequately categorize the information that it discloses if it uses only general terms, such as transaction information about the consumer.

(3) Categories of affiliates and nonaffiliated third parties to whom the bank discloses. A bank adequately categorizes the affiliates and nonaffiliated third parties to whom it discloses nonpublic personal information about consumers if the bank identifies the types of businesses that they engage in. Types of businesses may be described by general terms only if the bank uses illustrative examples of significant lines of business. For example, a bank may use the term “financial products or services” if the bank includes appropriate examples of significant lines of businesses, such as consumer banking, mortgage lending, life insurance, or securities brokerage.

The bank also may categorize the affiliates and nonaffiliated third parties to whom the bank discloses nonpublic personal information about consumers using more detailed categories.

(4) Simplified notices. If the bank does not disclose, and does not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, the bank may simply state that fact, in addition to the information the bank must provide under paragraphs (a)(1), (a)(8), and (b) of this section.

(5) Confidentiality, security, and integrity. A bank adequately describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if it explains who has access to the information and the circumstances under which the information may be accessed. The bank adequately describes its policies and practices with respect to protecting the integrity of nonpublic personal information if it explains measures the bank takes to protect against reasonably anticipated threats or hazards. A bank is not required to describe technical information about the safeguards the bank uses.

§ 40.7 Limitation on disclosure of nonpublic personal information about consumers to nonaffiliated third parties.

(a) (1) Conditions for disclosure. Except as otherwise authorized in this part, a bank may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless:

(i) The bank has provided to the consumer an initial notice as required under § 40.4;

(ii) The bank has provided to the consumer an opt out notice as required in § 40.8;

(iii) The bank has given the consumer a reasonable opportunity, before the time that the bank discloses the information to the nonaffiliated third party, to opt out of the disclosure; and

(iv) The consumer does not opt out.

(2) Opt out definition. Opt out means a direction by the consumer that the bank not disclose nonpublic personal information about that consumer to a nonaffiliated third party, other than as permitted by §§ 40.9, 40.10, and 40.11.

(3) Examples of reasonable opportunity to opt out—(i) By mail. A bank provides a consumer with whom it has a customer relationship with a reasonable opportunity to opt out if the bank mails the notices required in paragraph (a)(1) of this section to the consumer and allows the consumer a reasonable period of time, such as 30 days, to opt out.

(ii) Isolated transaction with a consumer. For an isolated transaction, such as the purchase of a cashier’s check by a consumer, a bank provides a reasonable opportunity to opt out if the bank provides the consumer with the required notices at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.

(b) Application of opt out to all consumers and all nonpublic personal information. (1) A bank must comply with this section regardless of whether the bank and the consumer have established a customer relationship.

(2) Unless a bank complies with this section, it may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer that the bank has collected, regardless of whether it collected the information before or after receiving the direction to opt out from the consumer.

(c) Partial opt out. A bank may allow a consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.

§ 40.8 Form and method of providing opt out notice to consumers.

(a)(1) Form of opt out notice. A bank must provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under § 40.7(a)(1). The notice must state:

(i) That the bank discloses or reserves the right to disclose nonpublic personal information about its consumer to a nonaffiliated third party;

(ii) That the consumer has the right to opt out of that disclosure; and

(iii) A reasonable means by which the consumer may exercise the opt out right.

(2) Examples. (i) A bank provides adequate notice that the consumer can opt out of the disclosure of nonpublic personal information to a nonaffiliated third party if the bank identifies all of the categories of nonpublic personal information that the bank discloses or reserves the right to disclose to nonaffiliated third parties as described in § 40.6 and states that the consumer can opt out of the disclosure of that information.

(ii) A bank provides a reasonable means of opting out if it:

(A) Designates check-off boxes in a prominent position on the relevant forms with the opt out notice;

(B) Includes a reply form together with the opt out notice; or

(C) Provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the bank’s web site, if the consumer agrees to the electronic delivery of information.

(iii) A bank does not provide a reasonable means of opting out if the only means of opting out is for the consumer to write his or her own letter to exercise that opt out right.

(b) How to provide opt out notice—(1) Delivery of notice. A bank must provide the opt out notice required by paragraph (a) of this section in a manner so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form. If the bank and the consumer orally agree to enter into a customer relationship, the bank may provide the opt out notice required by paragraph (a) of this section within a reasonable time thereafter if the consumer agrees.

(2) Oral description of opt out right insufficient. A bank may not provide the opt out notice solely by orally explaining, either in person or over the telephone, the right of the consumer to opt out.

(3) Same form as initial notice permitted. A bank may provide the opt out notice together with or on the same written or electronic form as the initial notice the bank provides in accordance with § 40.4.

(4) Initial notice required when opt out notice delivered subsequent to initial notice. If the bank provides the opt out notice at a later time than required for the initial notice in accordance with § 40.4, the bank must also include a copy of the initial notice in writing or, if the consumer agrees, in an electronic form with the opt out notice.

(c) Notice of change in terms—(1) General rule. Except as otherwise authorized in this part, the bank must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that the bank provided to the consumer under § 40.4, unless:

(i) The bank has provided to the consumer a revised notice that accurately describes the bank’s policies and practices;

(ii) The bank has provided to the consumer a new opt out notice;

(iii) The bank has given the consumer a reasonable opportunity, before the time that the bank discloses the information to the nonaffiliated third party, to opt out of the disclosure; and

(iv) The consumer does not opt out.

(2) How to provide notice of change in terms. A bank must provide the revised notice of its policies and practices and opt out notice to a consumer using the means permitted for providing the initial notice and opt out notice to that consumer under § 40.4(d) and paragraph (b) of this section, respectively.

(3) Examples—(i) Except as otherwise permitted by §§ 40.9, 40.10 and 40.11, a change-in-terms notice is required if a bank:

(A) Discloses a new category of nonpublic personal information to any nonaffiliated third party; or

(B) Discloses nonpublic personal information to a new category of nonaffiliated third party.

(ii) A change-in-terms notice is not required if a bank discloses nonpublic personal information to a new nonaffiliated third party that is adequately described by the bank’s prior notice.

(d) Continuing right to opt out. A consumer may exercise the right to opt out at any time, and the bank receiving the opt out direction must comply with that direction as soon as reasonably practicable.

(e) Duration of consumer’s opt out direction. A consumer’s direction to opt out under this section is effective until revoked by the consumer in writing, or if the consumer agrees, in electronic form.

§ 40.9 Exception to opt out requirements for service providers and joint marketing.

(a) General rule. The opt out requirements in §§ 40.7 and 40.8 do not apply when a bank provides nonpublic personal information about a consumer to a nonaffiliated third party to perform services for the bank or functions on the bank’s behalf, if the bank:

(1) Provides the initial notice in accordance with § 40.4; and

(2) Enters into a contractual agreement with the third party that:

(i) Requires the third party to maintain the confidentiality of the information to at least the same extent that the bank must maintain that confidentiality under this part; and

(ii) Limits the third party’s use of information the bank discloses solely to the purposes for which the information is disclosed or as otherwise permitted by §§ 40.10 and 40.11 of this part.

(b) Service may include joint marketing. The services performed for a bank by a nonaffiliated third party under paragraph (a) of this section may include marketing of the bank’s own products or services or marketing of financial products or services offered pursuant to joint agreements between the bank and one or more financial institutions.

(c) Definition of joint agreement. For purposes of this section, joint agreement means a written contract pursuant to which a bank and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.

§ 40.10 Exceptions to notice and opt out requirements for processing and servicing transactions.

(a) Exceptions for processing transactions at consumer’s request. The requirements for initial notice in § 40.4(a)(2), the opt out in §§ 40.7 and 40.8 and service providers and joint marketing in § 40.9 do not apply if the bank discloses nonpublic personal information:

(1) As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer;

(2) To service or process a financial product or service requested or authorized by the consumer;

(3) To maintain or service the consumer’s account with the bank, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or

(4) In connection with a proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer.

(b) Necessary to effect, administer, or enforce a transaction means that the disclosure is:

(1) Required, or is one of the lawful or appropriate methods, to enforce the bank’s rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or

(2) Required, or is a usual, appropriate or acceptable method:

(i) To carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer’s account in the ordinary course of providing the financial service or financial product;

(ii) To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;

(iii) To provide a confirmation, statement or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer’s agent or broker;

(iv) To accrue or recognize incentives or bonuses associated with the transaction that are provided by the bank or any other party;

(v) To underwrite insurance at the consumer’s request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer’s insurance: Account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law;

(vi) In connection with settling a transaction, including:

(A) The authorization, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means;

(B) The transfer of receivables, accounts or interests therein; or

(C) The audit of debit, credit or other payment information.

§ 40.11 Other exceptions to notice and opt out requirements.

(a) Exceptions to opt out requirements. The requirements for initial notice to consumers in § 40.4(a)(2), the opt out in §§ 40.7 and 40.8 and service providers and joint marketing in § 40.9 do not apply when a bank discloses nonpublic personal information:

(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;

(2) (i) To protect the confidentiality or security of the bank’s records pertaining to the consumer, service, product or transaction;

(ii) To protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability;

(iii) For required institutional risk control or for resolving consumer disputes or inquiries;

(iv) To persons holding a legal or beneficial interest relating to the consumer; or

(v) To persons acting in a fiduciary or representative capacity on behalf of the consumer;

(3) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating the bank, persons that are assessing the bank’s compliance with industry standards, and the bank’s attorneys, accountants and auditors;

(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including government regulators), self-regulatory organizations, or for an investigation on a matter related to public safety;

(5)(i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); or

(ii) From a consumer report reported by a consumer reporting agency;

(6) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or

(7)(i) To comply with Federal, State or local laws, rules and other applicable legal requirements;

(ii) To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by Federal, State or local authorities; or

(iii) To respond to judicial process or government regulatory authorities having jurisdiction over the bank for examination, compliance or other purposes as authorized by law.

(b) Examples of consent and revocation of consent. (1) A consumer may specifically consent to a bank’s disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to the bank for a mortgage so that the insurance company can offer homeowner’s insurance to the consumer.

(2) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under § 40.8(d).

§ 40.12 Limits on redisclosure and reuse of information.

(a) Limits on the bank’s redisclosure and reuse. (1) Except as otherwise provided in this part, if a bank receives nonpublic personal information about a consumer from a nonaffiliated financial institution, the bank must not, directly or through an affiliate, disclose the information to any other person that is not affiliated with either the bank or the other financial institution, unless the disclosure would be lawful if the financial institution made it directly to such other person.

(2) A bank may use nonpublic personal information about a consumer that it receives from a nonaffiliated financial institution in accordance with an exception under §§ 40.9, 40.10, or 40.11 only for the purpose of that exception.

(b) Limits on redisclosure and the reuse by other persons. (1) Except as otherwise provided in this part, if a bank discloses nonpublic personal information about a consumer to a nonaffiliated third party, that party must not, directly or through an affiliate, disclose the information to any other person that is a nonaffiliated third party of both the bank and that party, unless the disclosure would be lawful if the bank made it directly to such other person.

(2) A nonaffiliated third party may use nonpublic personal information about a consumer that it receives from a bank in accordance with an exception under §§ 40.9, 40.10, or 40.11 only for the purpose of that exception.

§ 40.13 Limits on sharing of account number information for marketing purposes.

A bank must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.

§ 40.14 Protection of Fair Credit Reporting Act.

Nothing in this part shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this part regarding whether information is transaction or experience information under section 603 of that Act.

§ 40.15 Relation to State laws.(a) In general. This part shall not be

construed as superseding, altering, oraffecting any statute, regulation, order orinterpretation in effect in any State,except to the extent that such Statestatute, regulation, order orinterpretation is inconsistent with theprovisions of this part, and then only tothe extent of the inconsistency.

(b) Greater protection under State law.For purposes of this section, a Statestatute, regulation, order orinterpretation is not inconsistent withthe provisions of this part if theprotection such statute, regulation,order or interpretation affords anyconsumer is greater than the protectionprovided under this part, as determinedby the Federal Trade Commission, afterconsultation with the OCC, on theFederal Trade Commission’s ownmotion or upon the petition of anyinterested party.

§ 40.16 Effective date; transition rule.

(a) Effective date. This part is effective November 13, 2000.

(b) Notice requirement for consumers who were customers on the effective date. No later than 30 days after the effective date of this part, a bank must provide an initial notice, as required by § 40.4, to consumers who were the bank’s customers on the effective date of this part.

Dated: February 2, 2000.

John D. Hawke, Jr.,
Comptroller of the Currency.

Board of Governors of the Federal Reserve System

12 CFR Chapter II

Authority and Issuance

For the reasons set out in the joint preamble, Title 12, Chapter II, of the Code of Federal Regulations is proposed to be amended by adding a new part 216 to read as follows:

PART 216—PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)

Sec.
216.1 Purpose and scope.
216.2 Rule of construction.
216.3 Definitions.
216.4 Initial notice to consumers of privacy policies and practices required.
216.5 Annual notice to customers required.
216.6 Information to be included in initial and annual notices of privacy policies and practices.
216.7 Limitation on disclosure of nonpublic personal information about consumers to nonaffiliated third parties.
216.8 Form and method of providing opt out notice to consumers.
216.9 Exception to opt out requirements for service providers and joint marketing.
216.10 Exceptions to notice and opt out requirements for processing and servicing transactions.
216.11 Other exceptions to notice and opt out requirements.
216.12 Limits on redisclosure and reuse of information.
216.13 Limits on sharing of account number information for marketing purposes.
216.14 Protection of Fair Credit Reporting Act.
216.15 Relation to State laws.
216.16 Effective date; transition rule.

Authority: 15 U.S.C. 6801 et seq.

§ 216.1 Purpose and scope.

(a) Purpose. This part governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph (b) of this section. This part:

(1) Requires a financial institution to provide notice to consumers about its privacy policies and practices;

(2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and

(3) Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by ‘‘opting out’’ of that disclosure, subject to the exceptions in §§ 216.9, 216.10, and 216.11.

(b) Scope. The rules established by this part apply only to nonpublic personal information about individuals who obtain financial products or services for personal, family or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business purposes. This part applies to entities for which the Board has primary supervisory authority. They are referred to in this part as ‘‘you.’’ These are: State member banks, bank holding companies and certain of their nonbank subsidiaries or affiliates, State uninsured branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and Agreement corporations.

§ 216.2 Rule of construction.

The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.

§ 216.3 Definitions.

As used in this part, unless the context requires otherwise:

(a) Affiliate means any company that controls, is controlled by, or is under common control with another company.

(b) (1) Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.

(2) Examples. (i) You make your notice reasonably understandable if, to the extent applicable, you:

(A) Present the information contained in the notice in clear, concise sentences, paragraphs and sections;

(B) Use short explanatory sentences and bullet lists, whenever possible;

(C) Use definite, concrete, everyday words and active voice, whenever possible;

(D) Avoid multiple negatives;

(E) Avoid legal and highly technical business terminology; and

(F) Avoid boilerplate explanations that are imprecise and readily subject to different interpretations.

(ii) You design your notice to call attention to the nature and significance of the information contained in it if, to the extent applicable, you:

(A) Use a plain-language heading to call attention to the notice;

(B) Use a typeface and type size that are easy to read; and

(C) Provide wide margins and ample line spacing.

(iii) If you provide a notice on the same form as another notice or other document, you design your notice to call attention to the nature and significance of the information contained in the notice if you use:

(A) Larger type size(s), boldface or italics in the text;

(B) Wider margins and line spacing in the notice; or

(C) Shading or sidebars to highlight the notice, whenever possible.

(c) Collect means to obtain information that is organized or retrievable on a personally identifiable basis, irrespective of the source of the underlying information.

(d) Company means any corporation, limited liability company, business trust, general or limited partnership, association or similar organization.

(e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family or household purposes, and that individual’s legal representative.

(2) Examples. (i) An individual who applies to you for credit for personal, family or household purposes is a consumer of a financial service, regardless of whether the credit is extended.

(ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family or household purposes is a consumer of a financial service, regardless of whether the loan is extended by you or another financial institution.

(iii) An individual who provides nonpublic personal information to you in connection with obtaining or seeking to obtain financial, investment or economic advisory services is a consumer regardless of whether you establish an ongoing advisory relationship.

(iv) An individual who negotiates a workout with you for a loan that you own is a consumer regardless of whether you originally extended the loan to the individual.

(v) An individual who has a loan from you is your consumer even if you:

(A) Hire an agent to collect on the loan;

(B) Sell the rights to service the loan; or

(C) Bought the loan from the financial institution that originated the loan.


(vi) An individual is not your consumer solely because you process information about the individual on behalf of a financial institution that extended the loan to the individual.

(f) Consumer reporting agency has the same meaning as in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).

(g) Control of a company means:

(1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;

(2) Control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or

(3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as determined by the Board.

(h) Customer means a consumer who has a customer relationship with you.

(i)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family or household purposes.

(2) Examples. (i) A consumer has a continuing relationship with you if the consumer:

(A) Has a deposit, credit, trust or investment account with you;

(B) Purchases an insurance product from you;

(C) Holds an investment product through you;

(D) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan for the consumer;

(E) Has a loan that you service where you own the servicing rights;

(F) Enters into a lease of personal property with you; or

(G) Obtains financial, investment or economic advisory services from you for a fee.

(ii) A consumer does not, however, have a continuing relationship with you if:

(A) The consumer only obtains a financial product or service in an isolated transaction, such as withdrawing cash from your ATM or purchasing a cashier’s check or money order;

(B) You sell the consumer’s loan and do not retain the rights to service that loan; or

(C) You sell the consumer airline tickets, travel insurance or traveler’s checks in an isolated transaction.

(j) (1) Financial institution means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

(2) Financial institution does not include:

(i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);

(ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or

(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.

(k) (1) Financial product or service means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

(2) Financial service includes your evaluation, brokerage or distribution of information that you collect in connection with a request or an application from a consumer for a financial product or service.

(l) Government regulator means:

(1) The Board of Governors of the Federal Reserve System;

(2) The Office of the Comptroller of the Currency;

(3) The Board of Directors of the Federal Deposit Insurance Corporation;

(4) The Director of the Office of Thrift Supervision;

(5) The National Credit Union Administration Board;

(6) The Securities and Exchange Commission;

(7) The Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping);

(8) A State insurance authority, with respect to any person domiciled in that insurance authority’s State that is engaged in providing insurance; and

(9) The Federal Trade Commission.

(m) (1) Nonaffiliated third party means any person except:

(i) Your affiliate; or

(ii) A person employed jointly by you and any company that is not your affiliate (but nonaffiliated third party includes the other company that jointly employs the person).

(2) Nonaffiliated third party includes any company that is an affiliate by virtue of the direct or indirect ownership or control of the company by the financial institution or any affiliate of the financial institution in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) or insurance company investment activities of the type described in section 4(k)(4)(I) of the Bank Holding Company Act (12 U.S.C. 1843(k)(4)(H) and (I)).

(n) (1) Nonpublic personal information means:

(i) Personally identifiable financial information; and

(ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information.

(2) Nonpublic personal information does not include:

(i) Publicly available information, except as provided in paragraph (n)(1)(ii) of this section; or

(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information.

(3) Example. Nonpublic personal information includes any list of individuals’ street addresses and telephone numbers that is derived using personally identifiable financial information, such as account numbers.

(o) (1) Personally identifiable financial information means any information:

(i) Provided by a consumer to you to obtain a financial product or service from you;

(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or

(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

(2) Examples. (i) Personally identifiable financial information includes:

(A) Information a consumer provides to you on an application to obtain a loan, credit card, insurance or other financial product or service, including, among other things, medical information;


(B) Account balance information, payment history, overdraft history, and credit or debit card purchase information;

(C) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you, unless that fact is derived using only publicly available information, such as government real estate records or bankruptcy records;

(D) Other information about your consumer if it is disclosed in a manner that indicates the individual is or has been your consumer;

(E) Any information provided by a consumer or otherwise obtained by you or your agent in connection with collecting on a loan or servicing a loan; and

(F) Information from a consumer report.

(ii) Personally identifiable financial information does not include a list of names and addresses of customers of an entity that is not a financial institution.

(p) (1) Publicly available information means any information that is lawfully made available to the general public from:

(i) Federal, State or local government records;

(ii) Widely distributed media; or

(iii) Disclosures to the general public that are required to be made by Federal, State or local law.

(2) Examples—(i) Government records. Publicly available information contained in government records includes information contained in government real estate records and security interest filings.

(ii) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or an Internet site that is available to the general public without requiring a password or similar restriction.

(q) You means:

(1) A State member bank, as defined in 12 CFR 208.3(g) and its subsidiaries;

(2) A bank holding company, as defined in 12 CFR 225.2(c);

(3) A subsidiary (as defined in 12 CFR 225.2(o)) or affiliate of a bank holding company, except for a:

(i) National bank or a State bank that is not a member of the Federal Reserve System;

(ii) Broker, as defined in 15 U.S.C. 78c(a)(4);

(iii) Dealer, as defined in 15 U.S.C. 78c(a)(5);

(iv) Person, to the extent that person is engaged in the business of insurance in a State as principal or agent and required to be licensed by the appropriate State insurance authority;

(v) Investment company, as defined in 15 U.S.C. 80a–3; or

(vi) Investment adviser, as defined in 15 U.S.C. 80b–2(a)(11);

(4) A State agency or State branch of a foreign bank, as those terms are defined in 12 U.S.C. 3101(b)(11) and (12), the deposits of which agency or branch are not insured by the Federal Deposit Insurance Corporation;

(5) A commercial lending company, as defined in 12 CFR 211.21(f), that is owned or controlled by a foreign bank, as defined in 12 CFR 211.21(m); or

(6) A corporation organized under section 25A of the Federal Reserve Act (12 U.S.C. 611–631) or a corporation having an agreement or undertaking with the Board under section 25 of the Federal Reserve Act (12 U.S.C. 601–604a).

§ 216.4 Initial notice to consumers of privacy policies and practices required.

(a) When initial notice is required. You must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices to:

(1) An individual who becomes your customer, prior to the time that you establish a customer relationship, except as provided in paragraph (d)(2) of this section; and

(2) A consumer, prior to the time that you disclose any nonpublic personal information about the consumer to any nonaffiliated third party, if you make such a disclosure other than as authorized by §§ 216.10 and 216.11.

(b) When initial notice to a consumer is not required. You are not required to provide an initial notice to a consumer under paragraph (a)(1) of this section if:

(1) You do not disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized by §§ 216.10 and 216.11; and

(2) You do not have a customer relationship with the consumer.

(c) When you establish a customer relationship—(1) General rule. You establish a customer relationship at the time you and the consumer enter into a continuing relationship.

(2) Examples. You establish a customer relationship when the consumer:

(i) Opens a credit card account with you;

(ii) Executes the contract to open a deposit account with you, obtains credit from you, or purchases insurance from you;

(iii) Agrees to obtain financial, economic or investment advisory services from you for a fee;

(iv) Becomes your client for the purpose of your providing credit counseling or tax preparation services.

(d) How to provide notice—(1) General rule. You must provide the privacy notice required by paragraph (a) of this section so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form.

(2) Exceptions to allow subsequent delivery of notice. You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if:

(i) You purchase a loan or assume a deposit liability from another financial institution and the customer of that loan or deposit account does not have a choice about your purchase or assumption; or

(ii) You and the consumer orally agree to enter into a customer relationship and the consumer agrees to receive the notice thereafter.

(3) Oral description of notice insufficient. You may not provide the initial notice required by paragraph (a) of this section solely by orally explaining, either in person or over the telephone, your privacy policies and practices.

(4) Retention or accessibility of initial notice for customers. For customers only, you must provide the initial notice required by paragraph (a)(1) of this section so that it can be retained or obtained at a later time by the customer, in a written form or, if the customer agrees, in electronic form.

(5) Examples. (i) You may reasonably expect that a consumer will receive actual notice of your privacy policies and practices if you:

(A) Hand-deliver a printed copy of the notice to the consumer;

(B) Mail a printed copy of the notice to the last known address of the consumer;

(C) For the consumer who conducts transactions electronically, post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service;

(D) For an isolated transaction with the consumer, such as an ATM transaction, post the notice on the ATM screen and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.

(ii) You may not, however, reasonably expect that a consumer will receive actual notice of your privacy policies and practices if you:


(A) Only post a sign in your branch or office or generally publish advertisements of your privacy policies and practices;

(B) Send the notice via electronic mail to a consumer who obtains a financial product or service with you in person or through the mail and who does not agree to receive the notice electronically.

(iii) You provide the initial privacy notice to the customer so that it can be retained or obtained at a later time if you:

(A) Hand-deliver a printed copy of the notice to the customer;

(B) Mail a printed copy of the notice to the last known address of the customer upon request of the customer;

(C) Maintain the notice on a web site (or a link to another web site) for the customer who obtains a financial product or service electronically and who agrees to receive the notice electronically.

§ 216.5 Annual notice to customers required.

(a) General rule. You must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists.

(b) How to provide notice. You must provide the annual notice required by paragraph (a) of this section to a customer using a means permitted for providing the initial notice to that customer under § 216.4(d).

(c)(1) Termination of customer relationship. You are not required to provide an annual notice to a customer with whom you no longer have a continuing relationship.

(2) Examples. You no longer have a continuing relationship with an individual if:

(i) In the case of a deposit account, the account is dormant under the bank’s policies;

(ii) In the case of a closed-end loan, the consumer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights;

(iii) In the case of a credit card relationship or other open-end credit relationship, you no longer provide any statements or notices to the consumer concerning that relationship or you sell the credit card receivables without retaining servicing rights; or

(iv) For other types of relationships, you have not communicated with the consumer about the relationship for a period of 12 consecutive months, other than to provide annual notices of privacy policies and practices.

§ 216.6 Information to be included in initial and annual notices of privacy policies and practices.

(a) General rule. The initial and annual notices that you provide about your privacy policies and practices under §§ 216.4 and 216.5 must include each of the following items of information:

(1) The categories of nonpublic personal information about your consumers that you collect;

(2) The categories of nonpublic personal information about your consumers that you disclose;

(3) The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your consumers, other than those parties to whom you disclose information under §§ 216.10 and 216.11;

(4) The categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under §§ 216.10 and 216.11;

(5) If you disclose nonpublic personal information to a nonaffiliated third party under § 216.9 (and no other exception applies to that disclosure), a separate description of the categories of information you disclose and the categories of third parties with whom you have contracted;

(6) An explanation of the right under § 216.8(a) of the consumer to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the methods by which the consumer may exercise that right;

(7) Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates); and

(8) Your policies and practices with respect to protecting the confidentiality, security and integrity of nonpublic personal information.

(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information about a consumer to third parties as authorized under §§ 216.10 and 216.11, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 216.4 and 216.5. When describing the categories with respect to those parties, you are only required to state that you make disclosures to other nonaffiliated third parties as permitted by law.

(c) Future disclosures. Your notice may include:

(1) Categories of nonpublic personal information that you reserve the right to disclose in the future, but do not currently disclose; and

(2) Categories of affiliates or nonaffiliated third parties to whom you reserve the right in the future to disclose, but to whom you do not currently disclose, nonpublic personal information.

(d) Examples—(1) Categories of nonpublic personal information that you collect. You adequately categorize the nonpublic personal information you collect if you categorize it according to the source of the information, such as application information, information about transactions (such as information regarding your deposit, loan, or credit card account), and consumer reports.

(2) Categories of nonpublic personal information you disclose. You adequately categorize nonpublic personal information you disclose if you categorize it according to source, and provide a few illustrative examples of the content of the information. These might include application information, such as assets and income; identifying information, such as name, address, and social security number; and transaction information, such as information about account balance, payment history, parties to the transaction, and credit card usage; and information from consumer reports, such as a consumer’s creditworthiness and credit history. You do not adequately categorize the information that you disclose if you use only general terms, such as transaction information about the consumer.

(3) Categories of affiliates and nonaffiliated third parties to whom you disclose. You adequately categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about consumers if you identify the types of businesses that they engage in. Types of businesses may be described by general terms only if you use a few illustrative examples of significant lines of business. For example, you may use the term financial products or services if you include appropriate examples of significant lines of businesses, such as consumer banking, mortgage lending, life insurance or securities brokerage. You also may categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about consumers using more detailed categories.

(4) Simplified notices. If you do not disclose, and do not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, you may simply state that fact, in addition to the information you must provide under paragraphs (a)(1), (a)(8), and (b) of this section.

(5) Confidentiality, security andintegrity. You describe your policies andpractices with respect to protecting theconfidentiality and security ofnonpublic personal information if youexplain who has access to theinformation and the circumstancesunder which the information may beaccessed. You describe your policiesand practices with respect to protectingthe integrity of nonpublic personalinformation if you explain measures youtake to protect against reasonablyanticipated threats or hazards. You arenot required to describe technicalinformation about the safeguards youuse.

§ 216.7 Limitation on disclosure ofnonpublic personal information aboutconsumers to nonaffiliated third parties.

(a)(1) Conditions for disclosure.Except as otherwise authorized in thispart, you may not, directly or throughany affiliate, disclose any nonpublicpersonal information about a consumerto a nonaffiliated third party unless:

(i) You have provided to theconsumer an initial notice as requiredunder § 216.4;

(ii) You have provided to theconsumer an opt out notice as requiredin § 216.8;

(iii) You have given the consumer areasonable opportunity, before the timethat you disclose the information to thenonaffiliated third party, to opt out ofthe disclosure; and

(iv) The consumer does not opt out.(2) Opt out definition. Opt out means

a direction by the consumer that you notdisclose nonpublic personal informationabout that consumer to a nonaffiliatedthird party, other than as permitted by§§ 216.9, 216.10 and 216.11.

(3) Examples of reasonable opportunity to opt out—(i) By mail. You provide a consumer with whom you have a customer relationship with a reasonable opportunity to opt out if you mail the notices required in paragraph (a)(1) of this section to the consumer and allow the consumer a reasonable period of time, such as 30 days, to opt out.

(ii) Isolated transaction with consumer. For an isolated transaction, such as the purchase of a cashier’s check by a consumer, you provide a reasonable opportunity to opt out if you provide the consumer with the required notices at the time of the transaction and request that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.

(b) Application of opt out to all consumers and all nonpublic personal information. (1) You must comply with this section, regardless of whether you and the consumer have established a customer relationship.

(2) Unless you comply with this section, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer that you have collected, regardless of whether you collected it before or after receiving the direction to opt out from the consumer.

(c) Partial opt out. You may allow a consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.

§ 216.8 Form and method of providing opt out notice to consumers.

(a)(1) Form of opt out notice. You must provide a clear and conspicuous notice to each of your consumers that accurately explains the right to opt out under § 216.7(a)(1). The notice must state:

(i) That you disclose or reserve the right to disclose nonpublic personal information about your consumer to a nonaffiliated third party;

(ii) That the consumer has the right to opt out of that disclosure; and

(iii) A reasonable means by which the consumer may exercise the opt out right.

(2) Examples. (i) You provide adequate notice that the consumer can opt out of the disclosure of nonpublic personal information to a nonaffiliated third party if you identify all of the categories of nonpublic personal information that you disclose or reserve the right to disclose to nonaffiliated third parties as described in § 216.6 and state that the consumer can opt out of the disclosure of that information.

(ii) You provide a reasonable means to exercise an opt out right if you:

(A) Designate check-off boxes in a prominent position on the relevant forms with the opt out notice;

(B) Include a reply form together with the opt out notice; or

(C) Provide an electronic means to opt out, such as a form that can be sent via electronic mail or a process at your web site, if the consumer agrees to the electronic delivery of information.

(iii) You do not provide a reasonable means of opting out if the only means of opting out is for the consumer to write his or her own letter to exercise that opt out right.

(b) How to provide opt out notice—(1) Delivery of notice. You must provide the opt out notice required by paragraph (a) of this section in a manner so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form. If you and the consumer orally agree to enter into a customer relationship, you may provide the opt out notice required by paragraph (a) of this section within a reasonable time thereafter if the consumer agrees.

(2) Oral description of opt out right insufficient. You may not provide the opt out notice solely by orally explaining, either in person or over the telephone, the right of the consumer to opt out.

(3) Same form as initial notice permitted. You may provide the opt out notice together with or on the same written or electronic form as the initial notice you provide in accordance with § 216.4.

(4) Initial notice required when opt out notice delivered subsequent to initial notice. If you provide the opt out notice at a later time than required for the initial notice in accordance with § 216.4, you must also include a copy of the initial notice in writing or, if the consumer agrees, in an electronic form with the opt out notice.

(c) Notice of change in terms—(1) General rule. Except as otherwise authorized in this part, you must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that you provided to the consumer under § 216.4, unless:

(i) You have provided to the consumer a revised notice that accurately describes your policies and practices;

(ii) You have provided to the consumer a new opt out notice;

(iii) You have given the consumer a reasonable opportunity, before the time that you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and

(iv) The consumer does not opt out.

(2) How to provide notice of change in terms. You must provide the revised notice of your policies and practices and opt out notice to a consumer using the means permitted for providing the initial notice and opt out notice to that consumer under § 216.4(d) and paragraph (b) of this section, respectively.

(3) Examples. (i) Except as otherwise permitted by §§ 216.9, 216.10 and 216.11, a change-in-terms notice is required if you:


(A) Disclose a new category of nonpublic personal information to any nonaffiliated third party; or

(B) Disclose nonpublic personal information to a new category of nonaffiliated third party.

(ii) A change-in-terms notice is not required if you disclose nonpublic personal information to a new nonaffiliated third party that is adequately described by your prior notice.

(d) Continuing right to opt out. A consumer may exercise the right to opt out at any time, and you must comply with the consumer’s direction as soon as reasonably practicable.

(e) Duration of consumer’s opt out direction. A consumer’s direction to opt out under this section is effective until revoked by the consumer in writing, or if the consumer agrees, in electronic form.

§ 216.9 Exception to opt out requirements for service providers and joint marketing.

(a) General rule. The opt out requirements in §§ 216.7 and 216.8 do not apply when you provide nonpublic personal information about a consumer to a nonaffiliated third party to perform services for you or functions on your behalf, if you:

(1) Provide the initial notice in accordance with § 216.4; and

(2) Enter into a contractual agreement with the third party that:

(i) Requires the third party to maintain the confidentiality of the information to at least the same extent that you must maintain that confidentiality under this part; and

(ii) Limits the third party’s use of information you disclose solely to the purposes for which the information is disclosed or as otherwise permitted by §§ 216.10 and 216.11 of this part.

(b) Service may include joint marketing. The services performed for you by a nonaffiliated third party under paragraph (a) of this section may include marketing of your own products or services or marketing of financial products or services offered pursuant to joint agreements between you and one or more financial institutions.

(c) Definition of joint agreement. For purposes of this section, joint agreement means a written contract pursuant to which you and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.

§ 216.10 Exceptions to notice and opt out requirements for processing and servicing transactions.

(a) Exceptions for processing transactions at consumer’s request. The requirements for initial notice in § 216.4(a)(2), the opt out in §§ 216.7 and 216.8 and service providers and joint marketing in § 216.9 do not apply if you disclose nonpublic personal information:

(1) As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer;

(2) To service or process a financial product or service requested or authorized by the consumer;

(3) To maintain or service the consumer’s account with you, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or

(4) In connection with a proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer.

(b) Necessary to effect, administer, or enforce a transaction means that the disclosure is:

(1) Required, or is one of the lawful or appropriate methods, to enforce your rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or

(2) Required, or is a usual, appropriate or acceptable method:

(i) To carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer’s account in the ordinary course of providing the financial service or financial product;

(ii) To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;

(iii) To provide a confirmation, statement or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer’s agent or broker;

(iv) To accrue or recognize incentives or bonuses associated with the transaction that are provided by you or any other party;

(v) To underwrite insurance at the consumer’s request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer’s insurance: account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law;

(vi) In connection with settling a transaction, including:

(A) The authorization, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means;

(B) The transfer of receivables, accounts or interests therein; or

(C) The audit of debit, credit or other payment information.

§ 216.11 Other exceptions to notice and opt out requirements.

(a) Exceptions to opt out requirements. The requirements for initial notice to consumers in § 216.4(a)(2), the opt out in §§ 216.7 and 216.8, and service providers and joint marketing in § 216.9 do not apply when you disclose nonpublic personal information:

(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;

(2) (i) To protect the confidentiality or security of your records pertaining to the consumer, service, product or transaction;

(ii) To protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability;

(iii) For required institutional risk control or for resolving consumer disputes or inquiries;

(iv) To persons holding a legal or beneficial interest relating to the consumer; or

(v) To persons acting in a fiduciary or representative capacity on behalf of the consumer;

(3) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating you, persons that are assessing your compliance with industry standards, and your attorneys, accountants and auditors;

(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including government regulators), self-regulatory organizations, or for an investigation on a matter related to public safety;

(5) (i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), or

(ii) From a consumer report reported by a consumer reporting agency;

(6) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or

(7) (i) To comply with Federal, State or local laws, rules and other applicable legal requirements;

(ii) To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by Federal, State or local authorities; or

(iii) To respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance or other purposes as authorized by law.

(b) Examples of consent and revocation of consent. (1) A consumer may specifically consent to your disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to you for a mortgage so that the insurance company can offer homeowner’s insurance to the consumer.

(2) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under § 216.8(d).

§ 216.12 Limits on redisclosure and reuse of information.

(a) Limits on your redisclosure and reuse. (1) Except as otherwise provided in this part, if you receive nonpublic personal information about a consumer from a nonaffiliated financial institution, you must not, directly or through an affiliate, disclose the information to any other person that is not affiliated with either the financial institution or you, unless the disclosure would be lawful if the financial institution made it directly to such other person.

(2) You may use nonpublic personal information about a consumer that you receive from a nonaffiliated financial institution in accordance with an exception under §§ 216.9, 216.10 or 216.11 only for the purpose of that exception.

(b) Limits on redisclosure and the reuse by other persons. (1) Except as otherwise provided in this part, if you disclose nonpublic personal information about a consumer to a nonaffiliated third party, that party must not, directly or through an affiliate, disclose the information to any other person that is a nonaffiliated third party of both you and that party, unless the disclosure would be lawful if you made it directly to such other person.

(2) A nonaffiliated third party may use nonpublic personal information about a consumer that it receives from you in accordance with an exception under §§ 216.9, 216.10 or 216.11 only for the purpose of that exception.

§ 216.13 Limits on sharing of account number information for marketing purposes.

You must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.

§ 216.14 Protection of Fair Credit Reporting Act.

Nothing in this part shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this part regarding whether information is transaction or experience information under section 603 of that Act.

§ 216.15 Relation to State laws.

(a) In general. This part shall not be construed as superseding, altering, or affecting any statute, regulation, order or interpretation in effect in any State, except to the extent that such State statute, regulation, order or interpretation is inconsistent with the provisions of this part, and then only to the extent of the inconsistency.

(b) Greater protection under State law. For purposes of this section, a State statute, regulation, order or interpretation is not inconsistent with the provisions of this part if the protection such statute, regulation, order or interpretation affords any consumer is greater than the protection provided under this part, as determined by the Federal Trade Commission, after consultation with the Board, on the Federal Trade Commission’s own motion or upon the petition of any interested party.

§ 216.16 Effective date; transition rule.

(a) Effective date. This part is effective November 13, 2000.

(b) Notice requirement for consumers who were your customers on the effective date. No later than thirty days after the effective date of this part, you must provide an initial notice, as required by § 216.4, to consumers who were your customers on the effective date of this part.

By order of the Board of Governors of the Federal Reserve System, February 10, 2000.

Jennifer J. Johnson,
Secretary of the Board.

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

For the reasons set out in the joint preamble, Title 12, Chapter III of the Code of Federal Regulations is proposed to be amended by adding a new part 332 to read as follows:

PART 332—PRIVACY OF CONSUMER FINANCIAL INFORMATION

Sec.
332.1 Purpose and scope.
332.2 Rule of construction.
332.3 Definitions.
332.4 Initial notice to consumers of privacy policies and practices required.
332.5 Annual notice to customers required.
332.6 Information to be included in initial and annual notices of privacy policies and practices.
332.7 Limitation on disclosure of nonpublic personal information about consumers to nonaffiliated third parties.
332.8 Form and method of providing opt out notice to consumers.
332.9 Exception to opt out requirements for service providers and joint marketing.
332.10 Exceptions to notice and opt out requirements for processing and servicing transactions.
332.11 Other exceptions to notice and opt out requirements.
332.12 Limits on redisclosure and reuse of information.
332.13 Limits on sharing of account number information for marketing purposes.
332.14 Protection of Fair Credit Reporting Act.
332.15 Relation to State laws.
332.16 Effective date; transition rule.

Authority: 12 U.S.C. 1819 (Seventh and Tenth); 15 U.S.C. 6801 et seq.

§ 332.1 Purpose and scope.

(a) Purpose. This part governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph (b) of this section. This part:

(1) Requires a financial institution to provide notice to consumers about its privacy policies and practices;

(2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and

(3) Provides a method for consumers to prevent a financial institution from disclosing that information to certain nonaffiliated third parties by ‘‘opting out’’ of that disclosure, subject to the exceptions in §§ 332.9, 332.10, and 332.11.


(b) Scope. The rules established by this part apply only to nonpublic personal information about individuals who obtain financial products or services for personal, family or household purposes from the institutions listed in this paragraph (b). This part does not apply to information about companies or about individuals who obtain financial products or services for business purposes. This part applies to entities for which the Federal Deposit Insurance Corporation has primary supervisory authority. They are referred to in this part as ‘‘you.’’ These are banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System), insured state branches of foreign banks, and any subsidiaries of such entities, except a broker or dealer that is registered under the Securities Exchange Act of 1934, a registered investment adviser (with respect to the investment advisory activities of the adviser and activities incidental to those investment advisory activities), an investment company registered under the Investment Company Act of 1940, an insurance company that is subject to supervision by a State insurance regulator (with respect to insurance activities of the company and activities incidental to those insurance activities), and an entity that is subject to regulation by the Commodity Futures Trading Commission.

§ 332.2 Rule of construction.

The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.

§ 332.3 Definitions.

As used in this part, unless the context requires otherwise:

(a) Affiliate means any company that controls, is controlled by, or is under common control with another company.

(b)(1) Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.

(2) Examples. (i) You make your notice reasonably understandable if, to the extent applicable, you:

(A) Present the information contained in the notice in clear, concise sentences, paragraphs and sections;

(B) Use short explanatory sentences and bullet lists, whenever possible;

(C) Use definite, concrete, everyday words and active voice, whenever possible;

(D) Avoid multiple negatives;

(E) Avoid legal and highly technical business terminology; and

(F) Avoid boilerplate explanations that are imprecise and readily subject to different interpretations.

(ii) You design your notice to call attention to the nature and significance of the information contained in the notice if, to the extent applicable, you:

(A) Use a plain-language heading to call attention to the notice;

(B) Use a typeface and type size that are easy to read; and

(C) Provide wide margins and ample line spacing.

(iii) If you provide a notice on the same form as another notice or other document, you design your notice to call attention to the nature and significance of the information contained in the notice if you use:

(A) Larger type size(s), boldface or italics in the text;

(B) Wider margins and line spacing in the notice; or

(C) Shading or sidebars to highlight the notice, whenever possible.

(c) Collect means to obtain information that is organized or retrievable on a personally identifiable basis, irrespective of the source of the underlying information.

(d) Company means any corporation, limited liability company, business trust, general or limited partnership, association or similar organization.

(e) (1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family or household purposes, and that individual’s legal representative.

(2) Examples. (i) An individual who applies to you for credit for personal, family or household purposes is a consumer of a financial service, regardless of whether the credit is extended.

(ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended by you or another financial institution.

(iii) An individual who provides nonpublic personal information to you in connection with obtaining or seeking to obtain financial, investment or economic advisory services is a consumer regardless of whether you establish an ongoing advisory relationship.

(iv) An individual who negotiates a workout with you for a loan that you own is a consumer regardless of whether you originally extended the loan to the individual.

(v) An individual who has a loan from you is your consumer even if you:

(A) Hire an agent to collect on the loan;

(B) Sell the rights to service the loan; or

(C) Bought the loan from the financial institution that originated the loan.

(vi) An individual is not your consumer solely because you process information about the individual on behalf of a financial institution that extended the loan to the individual.

(f) Consumer reporting agency has the same meaning as in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).

(g) Control of a company means:

(1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;

(2) Control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or

(3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as determined by the FDIC.

(h) Customer means a consumer who has a customer relationship with you.

(i) (1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

(2) Examples. (i) A consumer has a continuing relationship with you if the consumer:

(A) Has a deposit, credit, trust or investment account with you;

(B) Purchases an insurance product from you;

(C) Holds an investment product through you;

(D) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan for the consumer;

(E) Has a loan that you service where you own the servicing rights;

(F) Enters into a lease of personal property with you; or

(G) Obtains financial, investment or economic advisory services from you for a fee.

(ii) A consumer does not, however, have a continuing relationship with you if:

(A) The consumer only obtains a financial product or service in an isolated transaction, such as withdrawing cash from your ATM or purchasing a cashier’s check or money order;

(B) You sell the consumer’s loan and do not retain the rights to service that loan; or

(C) You sell the consumer airline tickets, travel insurance or traveler’s checks in an isolated transaction.

(j) (1) Financial institution means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

(2) Financial institution does not include:

(i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);

(ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or

(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.

(k) (1) Financial product or service means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

(2) Financial service includes your evaluation, brokerage or distribution of information that you collect in connection with a request or an application from a consumer for a financial product or service.

(l) Government regulator means:

(1) The Board of Governors of the Federal Reserve System;

(2) The Office of the Comptroller of the Currency;

(3) The Board of Directors of the Federal Deposit Insurance Corporation;

(4) The Director of the Office of Thrift Supervision;

(5) The National Credit Union Administration Board;

(6) The Securities and Exchange Commission;

(7) The Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping);

(8) A State insurance authority, with respect to any person domiciled in that insurance authority’s State that is engaged in providing insurance; and

(9) The Federal Trade Commission.

(m) (1) Nonaffiliated third party means any person except:

(i) Your affiliate; or

(ii) A person employed jointly by you and any company that is not your affiliate (but nonaffiliated third party includes the other company that jointly employs the person).

(2) Nonaffiliated third party includes any company that is an affiliate by virtue of the direct or indirect ownership or control of the company by the financial institution or any affiliate of the financial institution in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) or insurance company investment activities of the type described in section 4(k)(4)(I) of the Bank Holding Company Act (12 U.S.C. 1843(k)(4)(H) and (I)).

Alternative A

(n) (1) Nonpublic personal information means:

(i) Personally identifiable financial information; and

(ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information.

(2) Nonpublic personal information does not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information.

(3) Example. Nonpublic personal information includes any list of individuals’ street addresses and telephone numbers that is derived using any information consumers provide to you on an application for a financial product or service.

(o) (1) Personally identifiable financial information means any information:

(i) Provided by a consumer to you to obtain a financial product or service from you;

(ii) Resulting from any transaction involving a financial product or service between you and a consumer; or

(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer, other than publicly available information.

(2) Examples. (i) Personally identifiable financial information includes:

(A) Information a consumer provides to you on an application to obtain a loan, credit card, insurance or other financial product or service, including, among other things, medical information;

(B) Account balance information, payment history, overdraft history, and credit or debit card purchase information;

(C) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you, unless that fact is derived using only publicly available information, such as government real estate records or bankruptcy records;

(D) Other information about yourconsumer if it is disclosed in a mannerthat indicates the individual is or hasbeen your consumer;

(E) Any information provided by aconsumer or otherwise obtained by youor your agent in connection withcollecting on a loan or servicing a loan;and

(F) Information from a consumerreport.

(ii) Personally identifiable financialinformation does not include a list ofnames and addresses of customers of anentity that is not a financial institution.

(p) (1) Publicly available informationmeans any information that is lawfullymade available to the general public thatis obtained from:

(i) Federal, State, or local governmentrecords;

(ii) Widely distributed media; or(iii) Disclosures to the general public

that are required to be made by Federal,State, or local law.

(2) Examples—(i) Governmentrecords. Publicly available informationcontained in government recordsincludes information contained ingovernment real estate records andsecurity interest filings.

(ii) Widely distributed media. Publiclyavailable information from widelydistributed media includes informationfrom a telephone book, a television orradio program, a newspaper or anInternet site that is available to thegeneral public without requiring apassword or similar restriction.

Alternative B

(n)(1) Nonpublic personal information means:

(i) Personally identifiable financial information; and

(ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information.

(2) Nonpublic personal information does not include:

(i) Publicly available information, except as provided in paragraph (n)(1)(ii) of this section; or

(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information.

(3) Example. Nonpublic personal information includes any list of individuals’ street addresses and telephone numbers that is derived using personally identifiable financial information, such as account numbers.

(o)(1) Personally identifiable financial information means any information:

(i) Provided by a consumer to you to obtain a financial product or service from you;

(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or

(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

(2) Examples. (i) Personally identifiable financial information includes:

(A) Information a consumer provides to you on an application to obtain a loan, credit card, insurance or other financial product or service, including, among other things, medical information;

(B) Account balance information, payment history, overdraft history, and credit or debit card purchase information;

(C) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you, unless that fact is derived using only publicly available information, such as government real estate records or bankruptcy records;

(D) Other information about your consumer if it is disclosed in a manner that indicates the individual is or has been your consumer;

(E) Any information provided by a consumer or otherwise obtained by you or your agent in connection with collecting on a loan or servicing a loan; and

(F) Information from a consumer report.

(ii) Personally identifiable financial information does not include a list of names and addresses of customers of an entity that is not a financial institution.

(p)(1) Publicly available information means any information that is lawfully made available to the general public from:

(i) Federal, State, or local government records;

(ii) Widely distributed media; or

(iii) Disclosures to the general public that are required to be made by Federal, State, or local law.

(2) Examples—(i) Government records. Publicly available information contained in government records includes information contained in government real estate records and security interest filings.

(ii) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or an Internet site that is available to the general public without requiring a password or similar restriction.

(q) You means a bank insured by the Federal Deposit Insurance Corporation (other than a member of the Federal Reserve System), an insured state branch of a foreign bank, and any subsidiary of either such entity except:

(1) A broker, as defined in 15 U.S.C. 78c(a)(4);

(2) A dealer, as defined in 15 U.S.C. 78c(a)(5);

(3) A person, to the extent that person is engaged in the business of insurance in a State as principal or agent and required to be licensed by the appropriate State insurance authority;

(4) An investment company, as defined in 15 U.S.C. 80a–3(a)(1); or

(5) An investment adviser, as defined in 15 U.S.C. 80b–2(a)(20).

§ 332.4 Initial notice to consumers of privacy policies and practices required.

(a) When initial notice is required. You must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices to:

(1) An individual who becomes your customer, prior to the time that you establish a customer relationship, except as provided in paragraph (d)(2) of this section; and

(2) A consumer, prior to the time that you disclose any nonpublic personal information about the consumer to any nonaffiliated third party, if you make such a disclosure other than as authorized by §§ 332.10 and 332.11.

(b) When initial notice to a consumer is not required. You are not required to provide an initial notice to a consumer under paragraph (a)(1) of this section if:

(1) You do not disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized by §§ 332.10 and 332.11; and

(2) You do not have a customer relationship with the consumer.

(c) When you establish a customer relationship—(1) General rule. You establish a customer relationship at the time you and the consumer enter into a continuing relationship.

(2) Examples. You establish a customer relationship when the consumer:

(i) Opens a credit card account with you;

(ii) Executes the contract to open a deposit account with you, obtains credit from you, or purchases insurance from you;

(iii) Agrees to obtain financial, economic or investment advisory services from you for a fee; or

(iv) Becomes your client for the purpose of your providing credit counseling or tax preparation services.

(d) How to provide notice—(1) General rule. You must provide the privacy notice required by paragraph (a) of this section so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form.

(2) Exceptions to allow subsequent delivery of notice. You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if:

(i) You purchase a loan or assume a deposit liability from another financial institution and the customer of that loan or deposit account does not have a choice about your purchase or assumption; or

(ii) You and the consumer orally agree to enter into a customer relationship and the consumer agrees to receive the notice thereafter.

(3) Oral description of notice insufficient. You may not provide the initial notice required by paragraph (a) of this section solely by orally explaining, either in person or over the telephone, your privacy policies and practices.

(4) Retention or accessibility of initial notice for customers. For customers only, you must provide the initial notice required by paragraph (a)(1) of this section so that it can be retained or obtained at a later time by the customer, in a written form or, if the customer agrees, in electronic form.

(5) Examples. (i) You may reasonably expect that a consumer will receive actual notice of your privacy policies and practices if you:

(A) Hand-deliver a printed copy of the notice to the consumer;

(B) Mail a printed copy of the notice to the last known address of the consumer;


(C) For the consumer who conducts transactions electronically, post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service;

(D) For an isolated transaction with the consumer, such as an ATM transaction, post the notice on the ATM screen and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.

(ii) You may not, however, reasonably expect that a consumer will receive actual notice of your privacy policies and practices if you:

(A) Only post a sign in your branch or office or generally publish advertisements of your privacy policies and practices; or

(B) Send the notice via electronic mail to a consumer who obtains a financial product or service from you in person or through the mail and who does not agree to receive the notice electronically.

(iii) You provide the initial privacy notice to the customer so that it can be retained or obtained at a later time if you:

(A) Hand-deliver a printed copy of the notice to the customer;

(B) Mail a printed copy of the notice to the last known address of the customer upon request of the customer; or

(C) Maintain the notice on a web site (or a link to another web site) for the customer who obtains a financial product or service electronically and who agrees to receive the notice electronically.

§ 332.5 Annual notice to customers required.

(a) General rule. You must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists.

(b) How to provide notice. You must provide the annual notice required by paragraph (a) of this section to a customer using a means permitted for providing the initial notice to that customer under § 332.4(d).

(c)(1) Termination of customer relationship. You are not required to provide an annual notice to a customer with whom you no longer have a continuing relationship.

(2) Examples. You no longer have a continuing relationship with an individual if:

(i) In the case of a deposit account, the account is dormant under your policies;

(ii) In the case of a closed-end loan, the consumer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights;

(iii) In the case of a credit card relationship or other open-end credit relationship, you no longer provide any statements or notices to the consumer concerning that relationship or you sell the credit card receivables without retaining servicing rights; or

(iv) For other types of relationships, you have not communicated with the consumer about the relationship for a period of 12 consecutive months, other than to provide annual notices of privacy policies and practices.

§ 332.6 Information to be included in initial and annual notices of privacy policies and practices.

(a) General rule. The initial and annual notices that you provide about your privacy policies and practices under §§ 332.4 and 332.5 must include each of the following items of information:

(1) The categories of nonpublic personal information about your consumers that you collect;

(2) The categories of nonpublic personal information about your consumers that you disclose;

(3) The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your consumers, other than those parties to whom you disclose information under §§ 332.10 and 332.11;

(4) The categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under §§ 332.10 and 332.11;

(5) If you disclose nonpublic personal information to a nonaffiliated third party under § 332.9 (and no other exception applies to that disclosure), a separate description of the categories of information you disclose and the categories of third parties with whom you have contracted;

(6) An explanation of the right under § 332.8(a) of the consumer to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the methods by which the consumer may exercise that right;

(7) Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates); and

(8) Your policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information.

(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information about a consumer to third parties as authorized under §§ 332.10 and 332.11, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 332.4 and 332.5. When describing the categories with respect to those parties, you are only required to state that you make disclosures to other nonaffiliated third parties as permitted by law.

(c) Future disclosures. Your notice may include:

(1) Categories of nonpublic personal information that you reserve the right to disclose in the future, but do not currently disclose; and

(2) Categories of affiliates or nonaffiliated third parties to whom you reserve the right in the future to disclose, but to whom you do not currently disclose, nonpublic personal information.

(d) Examples—(1) Categories of nonpublic personal information that you collect. You adequately categorize the nonpublic personal information you collect if you categorize the information according to the source of the information, such as application information, information about transactions (such as information regarding a deposit, loan, or credit card account), and consumer reports.

(2) Categories of nonpublic personal information you disclose. You adequately categorize nonpublic personal information you disclose if you categorize the information according to source, and provide illustrative examples of the content of the information. These might include application information, such as assets and income; identifying information, such as name, address, and social security number; transaction information, such as information about account balance, payment history, parties to the transaction, and credit card usage; and information from consumer reports, such as a consumer’s creditworthiness and credit history. You do not adequately categorize the information that you disclose if you use only general terms, such as transaction information about the consumer.

(3) Categories of affiliates and nonaffiliated third parties to whom you disclose. You adequately categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about consumers if you identify the types of businesses that they engage in. Types of businesses may be described by general terms only if you use illustrative examples of significant lines of business. For example, you may use the term “financial products or services” if you include appropriate examples of significant lines of businesses, such as consumer banking, mortgage lending, life insurance, or securities brokerage. You also may categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about consumers using more detailed categories.

(4) Simplified notices. If you do not disclose, and do not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, you may simply state that fact, in addition to the information you must provide under paragraphs (a)(1), (a)(8), and (b) of this section.

(5) Confidentiality, security, and integrity. You adequately describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if you explain who has access to the information and the circumstances under which the information may be accessed. You adequately describe your policies and practices with respect to protecting the integrity of nonpublic personal information if you explain measures you take to protect against reasonably anticipated threats or hazards. You are not required to describe technical information about the safeguards you use.

§ 332.7 Limitation on disclosure of nonpublic personal information about consumers to nonaffiliated third parties.

(a)(1) Conditions for disclosure. Except as otherwise authorized in this part, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless:

(i) You have provided to the consumer an initial notice as required under § 332.4;

(ii) You have provided to the consumer an opt out notice as required in § 332.8;

(iii) You have given the consumer a reasonable opportunity, before the time that you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and

(iv) The consumer does not opt out.

(2) Opt out definition. Opt out means a direction by the consumer that you not disclose nonpublic personal information about that consumer to a nonaffiliated third party, other than as permitted by §§ 332.9, 332.10, and 332.11.

(3) Examples of reasonable opportunity to opt out—(i) By mail. You provide a consumer with whom you have a customer relationship with a reasonable opportunity to opt out if you mail the notices required in paragraph (a)(1) of this section to the consumer and allow the consumer a reasonable period of time, such as 30 days, to opt out.

(ii) Isolated transaction with a consumer. For an isolated transaction, such as the purchase of a cashier’s check by a consumer, you provide a reasonable opportunity to opt out if you provide the consumer with the required notices at the time of the transaction and request that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.

(b) Application of opt out to all consumers and all nonpublic personal information. (1) You must comply with this section regardless of whether you and the consumer have established a customer relationship.

(2) Unless you comply with this section, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer that you have collected, regardless of whether you collected the information before or after receiving the direction to opt out from the consumer.

(c) Partial opt out. You may allow a consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.

§ 332.8 Form and method of providing opt out notice to consumers.

(a)(1) Form of opt out notice. You must provide a clear and conspicuous notice to each of your consumers that accurately explains the right to opt out under § 332.7(a)(1). The notice must state:

(i) That you disclose or reserve the right to disclose nonpublic personal information about your consumer to a nonaffiliated third party;

(ii) That the consumer has the right to opt out of that disclosure; and

(iii) A reasonable means by which the consumer may exercise the opt out right.

(2) Examples. (i) You provide adequate notice that the consumer can opt out of the disclosure of nonpublic personal information to a nonaffiliated third party if you identify all of the categories of nonpublic personal information that you disclose or reserve the right to disclose to nonaffiliated third parties as described in § 332.6 and state that the consumer can opt out of the disclosure of that information.

(ii) You provide a reasonable means to exercise an opt out right if you:

(A) Designate check-off boxes in a prominent position on the relevant forms with the opt out notice;

(B) Include a reply form together with the opt out notice; or

(C) Provide an electronic means to opt out, such as a form that can be sent via electronic mail or a process at your web site, if the consumer agrees to the electronic delivery of information.

(iii) You do not provide a reasonable means of opting out if the only means of opting out is for the consumer to write his or her own letter to exercise that opt out right.

(b) How to provide opt out notice—(1) Delivery of notice. You must provide the opt out notice required by paragraph (a) of this section in a manner so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form. If you and the consumer orally agree to enter into a customer relationship, you may provide the opt out notice required by paragraph (a) of this section within a reasonable time thereafter if the consumer agrees.

(2) Oral description of opt out right insufficient. You may not provide the opt out notice solely by orally explaining, either in person or over the telephone, the right of the consumer to opt out.

(3) Same form as initial notice permitted. You may provide the opt out notice together with or on the same written or electronic form as the initial notice you provide in accordance with § 332.4.

(4) Initial notice required when opt out notice delivered subsequent to initial notice. If you provide the opt out notice at a later time than required for the initial notice in accordance with § 332.4, you must also include a copy of the initial notice in writing or, if the consumer agrees, in an electronic form with the opt out notice.

(c) Notice of change in terms—(1) General rule. Except as otherwise authorized in this part, you must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that you provided to the consumer under § 332.4, unless:

(i) You have provided to the consumer a revised notice that accurately describes your policies and practices;

(ii) You have provided to the consumer a new opt out notice;


(iii) You have given the consumer a reasonable opportunity, before the time that you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and

(iv) The consumer does not opt out.

(2) How to provide notice of change in terms. You must provide the revised notice of your policies and practices and opt out notice to a consumer using the means permitted for providing the initial notice and opt out notice to that consumer under § 332.4(d) and paragraph (b) of this section, respectively.

(3) Examples. (i) Except as otherwise permitted by §§ 332.9, 332.10, and 332.11, a change-in-terms notice is required if you:

(A) Disclose a new category of nonpublic personal information to any nonaffiliated third party; or

(B) Disclose nonpublic personal information to a new category of nonaffiliated third party.

(ii) A change-in-terms notice is not required if you disclose nonpublic personal information to a new nonaffiliated third party that is adequately described by your prior notice.

(d) Continuing right to opt out. A consumer may exercise the right to opt out at any time, and upon receiving the opt out direction you must comply with that direction as soon as reasonably practicable.

(e) Duration of consumer’s opt out direction. A consumer’s direction to opt out under this section is effective until revoked by the consumer in writing, or if the consumer agrees, in electronic form.

§ 332.9 Exception to opt out requirements for service providers and joint marketing.

(a) General rule. The opt out requirements in §§ 332.7 and 332.8 do not apply when you provide nonpublic personal information about a consumer to a nonaffiliated third party to perform services for you or functions on your behalf, if you:

(1) Provide the initial notice in accordance with § 332.4; and

(2) Enter into a contractual agreement with the third party that:

(i) Requires the third party to maintain the confidentiality of the information to at least the same extent that you must maintain that confidentiality under this part; and

(ii) Limits the third party’s use of information you disclose solely to the purposes for which the information is disclosed or as otherwise permitted by §§ 332.10 and 332.11 of this part.

(b) Service may include joint marketing. The services performed for you by a nonaffiliated third party under paragraph (a) of this section may include marketing of your own products or services or marketing of financial products or services offered pursuant to joint agreements between you and one or more financial institutions.

(c) Definition of joint agreement. For purposes of this section, joint agreement means a written contract pursuant to which you and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.

§ 332.10 Exceptions to notice and opt out requirements for processing and servicing transactions.

(a) Exceptions for processing transactions at consumer’s request. The requirements for initial notice in § 332.4(a)(2), the opt out in §§ 332.7 and 332.8 and service providers and joint marketing in § 332.9 do not apply if you disclose nonpublic personal information:

(1) As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer;

(2) To service or process a financial product or service requested or authorized by the consumer;

(3) To maintain or service the consumer’s account with you, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or

(4) In connection with a proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer.

(b) Necessary to effect, administer, or enforce a transaction means that the disclosure is:

(1) Required, or is one of the lawful or appropriate methods, to enforce your rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or

(2) Required, or is a usual, appropriate, or acceptable method:

(i) To carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer’s account in the ordinary course of providing the financial service or financial product;

(ii) To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;

(iii) To provide a confirmation, statement or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer’s agent or broker;

(iv) To accrue or recognize incentives or bonuses associated with the transaction that are provided by you or any other party;

(v) To underwrite insurance at the consumer’s request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer’s insurance: account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law;

(vi) In connection with settling a transaction, including:

(A) The authorization, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means;

(B) The transfer of receivables, accounts, or interests therein; or

(C) The audit of debit, credit, or other payment information.

§ 332.11 Other exceptions to notice and opt out requirements.

(a) Exceptions to opt out requirements. The requirements for initial notice to consumers in § 332.4(a)(2), the opt out in §§ 332.7 and 332.8 and service providers and joint marketing in § 332.9 do not apply when you disclose nonpublic personal information:

(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;

(2)(i) To protect the confidentiality or security of your records pertaining to the consumer, service, product, or transaction;

(ii) To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;

(iii) For required institutional risk control or for resolving consumer disputes or inquiries;

(iv) To persons holding a legal or beneficial interest relating to the consumer; or

(v) To persons acting in a fiduciary or representative capacity on behalf of the consumer;

(3) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating you, persons that are assessing your compliance with industry standards, and your attorneys, accountants, and auditors;

(4) To the extent specificallypermitted or required under other

VerDate 16<FEB>2000 12:34 Feb 18, 2000 Jkt 190000 PO 00000 Frm 00040 Fmt 4701 Sfmt 4702 E:\FR\FM\22FEP2.SGM pfrm03 PsN: 22FEP2

Page 41: Department of the Treasury System - GPO · Tuesday, February 22, 2000 Part II Department of the Treasury Officer of the Comptroller of the Currency Office of Thrift Supervision 12

8809Federal Register / Vol. 65, No. 35 / Tuesday, February, 22, 2000 / Proposed Rules

provisions of law and in accordancewith the Right to Financial Privacy Actof 1978 (12 U.S.C. 3401 et seq.), to lawenforcement agencies (includinggovernment regulators), self-regulatoryorganizations, or for an investigation ona matter related to public safety;

(5) (i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); or

(ii) From a consumer report reported by a consumer reporting agency;

(6) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or

(7) (i) To comply with Federal, State, or local laws, rules and other applicable legal requirements;

(ii) To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by Federal, State, or local authorities; or

(iii) To respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance or other purposes as authorized by law.

(b) Examples of consent and revocation of consent. (1) A consumer may specifically consent to your disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to you for a mortgage so that the insurance company can offer homeowner’s insurance to the consumer.

(2) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under § 332.8(d).

§ 332.12 Limits on redisclosure and reuse of information.

(a) Limits on your redisclosure and reuse. (1) Except as otherwise provided in this part, if you receive nonpublic personal information about a consumer from a nonaffiliated financial institution, you must not, directly or through an affiliate, disclose the information to any other person that is not affiliated with either you or the other financial institution, unless the disclosure would be lawful if the financial institution made it directly to such other person.

(2) You may use nonpublic personal information about a consumer that you receive from a nonaffiliated financial institution in accordance with an exception under §§ 332.9, 332.10, or 332.11 only for the purpose of that exception.

(b) Limits on redisclosure and the reuse by other persons. (1) Except as otherwise provided in this part, if you disclose nonpublic personal information about a consumer to a nonaffiliated third party, that party must not, directly or through an affiliate, disclose the information to any other person that is a nonaffiliated third party of both you and that party, unless the disclosure would be lawful if you made it directly to such other person.

(2) A nonaffiliated third party may use nonpublic personal information about a consumer that it receives from you in accordance with an exception under §§ 332.9, 332.10, or 332.11 only for the purpose of that exception.

§ 332.13 Limits on sharing of account number information for marketing purposes.

You must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.

§ 332.14 Protection of Fair Credit Reporting Act.

Nothing in this part shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this part regarding whether information is transaction or experience information under section 603 of that Act.

§ 332.15 Relation to State laws.

(a) In general. This part shall not be construed as superseding, altering, or affecting any statute, regulation, order or interpretation in effect in any State, except to the extent that such State statute, regulation, order or interpretation is inconsistent with the provisions of this part, and then only to the extent of the inconsistency.

(b) Greater protection under State law. For purposes of this section, a State statute, regulation, order or interpretation is not inconsistent with the provisions of this part if the protection such statute, regulation, order or interpretation affords any consumer is greater than the protection provided under this part, as determined by the Federal Trade Commission, after consultation with the FDIC, on the Federal Trade Commission’s own motion or upon the petition of any interested party.

§ 332.16 Effective date; transition rule.

(a) Effective date. This part is effective November 13, 2000.

(b) Notice requirement for consumers who were customers on the effective date. No later than 30 days after the effective date of this part, you must provide an initial notice, as required by § 332.4, to consumers who were your customers on the effective date of this part.

By order of the Board of Directors. Federal Deposit Insurance Corporation.

Dated at Washington, DC, this 9th day of February, 2000.

Robert E. Feldman, Executive Secretary.

OFFICE OF THRIFT SUPERVISION

12 CFR Chapter V

Authority and Issuance

For the reasons set out in the joint preamble, OTS proposes to amend Chapter V of Title 12 of the Code of Federal Regulations by adding part 573 to read as follows:

PART 573—PRIVACY OF CONSUMERFINANCIAL INFORMATION

Sec.
573.1 Purpose and scope.
573.2 Rule of construction.
573.3 Definitions.
573.4 Initial notice to consumers of privacy policies and practices required.
573.5 Annual notice to customers required.
573.6 Information to be included in initial and annual notices of privacy policies and practices.
573.7 Limitation on disclosure of nonpublic personal information about consumers to nonaffiliated third parties.
573.8 Form and method of providing opt out notice to consumers.
573.9 Exception to opt out requirements for service providers and joint marketing.
573.10 Exceptions to notice and opt out requirements for processing and servicing transactions.
573.11 Other exceptions to notice and opt out requirements.
573.12 Limits on redisclosure and reuse of information.
573.13 Limits on sharing of account number information for marketing purposes.
573.14 Protection of Fair Credit Reporting Act.
573.15 Relation to State laws.
573.16 Effective date; transition rule.

Authority: 12 U.S.C. 1462a, 1463, 1464, 1828; 15 U.S.C. 6801 et seq.

§ 573.1 Purpose and scope.

(a) Purpose. This part governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph (b) of this section. This part:


(1) Requires a financial institution to provide notice to consumers about its privacy policies and practices;

(2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and

(3) Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure, subject to the exceptions in §§ 573.9, 573.10, and 573.11.

(b) Scope. The rules established by this part apply only to nonpublic personal information about individuals who obtain financial products or services for personal, family or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business purposes. This part applies to savings associations whose deposits are insured by the Federal Deposit Insurance Corporation, and any subsidiaries of such savings associations, but not to subsidiaries that are brokers, dealers, persons providing insurance, investment companies, or investment advisers. This part refers to these entities as “you.”

§ 573.2 Rule of construction.

The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.

§ 573.3 Definitions.

As used in this part, unless the context requires otherwise:

(a) Affiliate means any company that controls, is controlled by, or is under common control with another company.

(b) (1) Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.

(2) Examples. (i) You make your notice reasonably understandable if, to the extent applicable, you:

(A) Present the information contained in the notice in clear, concise sentences, paragraphs and sections;

(B) Use short explanatory sentences and bullet lists, whenever possible;

(C) Use definite, concrete, everyday words and active voice, whenever possible;

(D) Avoid multiple negatives;

(E) Avoid legal and highly technical business terminology; and

(F) Avoid boilerplate explanations that are imprecise and readily subject to different interpretations.

(ii) You design your notice to call attention to the nature and significance of the information contained in it if, to the extent applicable, you:

(A) Use a plain-language heading to call attention to the notice;

(B) Use a typeface and type size that are easy to read; and

(C) Provide wide margins and ample line spacing.

(iii) If you provide a notice on the same form as another notice or other document, you design your notice to call attention to the nature and significance of the information contained in the notice if you use:

(A) Larger type size(s), boldface or italics in the text;

(B) Wider margins and line spacing in the notice; or

(C) Shading or sidebars to highlight the notice, whenever possible.

(c) Collect means to obtain information that is organized or retrievable on a personally identifiable basis, irrespective of the source of the underlying information.

(d) Company means any corporation, limited liability company, business trust, general or limited partnership, association or similar organization.

(e) (1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family or household purposes, and that individual’s legal representative.

(2) Examples. (i) An individual who applies to you for credit for personal, family or household purposes is a consumer of a financial service, regardless of whether the credit is extended.

(ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family or household purposes is a consumer of a financial service, regardless of whether the loan is extended by you or another financial institution.

(iii) An individual who provides nonpublic personal information to you in connection with obtaining or seeking to obtain financial, investment or economic advisory services is a consumer regardless of whether you establish an ongoing advisory relationship.

(iv) An individual who negotiates a workout with you for a loan that you own is a consumer regardless of whether you originally extended the loan to the individual.

(v) An individual who has a loan from you is your consumer even if you:

(A) Hire an agent to collect on the loan;

(B) Sell the rights to service the loan; or

(C) Bought the loan from the financial institution that originated the loan.

(vi) An individual is not your consumer solely because you process information about the individual on behalf of a financial institution that extended the loan to the individual.

(f) Consumer reporting agency has the same meaning as in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).

(g) Control of a company means:

(1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;

(2) Control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or

(3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as determined by OTS.

(h) Customer means a consumer who has a customer relationship with you.

(i) (1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

(2) Examples. (i) A consumer has a continuing relationship with you if the consumer:

(A) Has a deposit, credit, trust, or investment account with you;

(B) Purchases an insurance product from you;

(C) Holds an investment product through you;

(D) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan for the consumer;

(E) Has a loan that you service where you own the servicing rights;

(F) Enters into a lease of personal property with you; or

(G) Obtains financial, investment or economic advisory services from you for a fee.

(ii) A consumer does not, however, have a continuing relationship with you if:

(A) The consumer only obtains a financial product or service in an isolated transaction, such as withdrawing cash from your ATM or purchasing a cashier’s check or money order;


(B) You sell the consumer’s loan and do not retain the rights to service that loan; or

(C) You sell the consumer travel insurance or traveler’s checks in an isolated transaction.

(j) (1) Financial institution means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

(2) Financial institution does not include:

(i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);

(ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or

(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights), or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.

(k) (1) Financial product or service means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

(2) Financial service includes your evaluation, brokerage or distribution of information that you collect in connection with a request or an application from a consumer for a financial product or service.

(l) Government regulator means:

(1) The Board of Governors of the Federal Reserve System;

(2) The Office of the Comptroller of the Currency;

(3) The Board of Directors of the Federal Deposit Insurance Corporation;

(4) The Director of the Office of Thrift Supervision;

(5) The National Credit Union Administration Board;

(6) The Securities and Exchange Commission;

(7) The Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping);

(8) A State insurance authority, with respect to any person domiciled in that insurance authority’s State that is engaged in providing insurance; and

(9) The Federal Trade Commission.

(m) (1) Nonaffiliated third party means any person except:

(i) Your affiliate; or

(ii) A person employed jointly by you and any company that is not your affiliate (but nonaffiliated third party includes the other company that jointly employs the person).

(2) Nonaffiliated third party includes any company that is an affiliate by virtue of the direct or indirect ownership or control of the company by the financial institution or any affiliate of the financial institution in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) or insurance company investment activities of the type described in section 4(k)(4)(I) of the Bank Holding Company Act (12 U.S.C. 1843(k)(4)(H) and (I)).

Alternative A

(n) (1) Nonpublic personal information means:

(i) Personally identifiable financial information; and

(ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information.

(2) Nonpublic personal information does not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information.

(3) Example. Nonpublic personal information includes any list of individuals’ street addresses and telephone numbers that is derived using any information consumers provide to you on an application for a financial product or service.

(o) (1) Personally identifiable financial information means any information:

(i) Provided by a consumer to you to obtain a financial product or service from you;

(ii) Resulting from any transaction involving a financial product or service between you and a consumer; or

(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer, other than publicly available information.

(2) Examples. (i) Personally identifiable financial information includes:

(A) Information a consumer provides to you on an application to obtain a loan, credit card, insurance or other financial product or service, including, among other things, medical information;

(B) Account balance information, payment history, overdraft history, and credit or debit card purchase information;

(C) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you, unless that fact is derived using only publicly available information, such as government real estate records or bankruptcy records;

(D) Other information about your consumer if it is disclosed in a manner that indicates the individual is or has been your consumer;

(E) Any information provided by a consumer or otherwise obtained by you or your agent in connection with collecting on a loan or servicing a loan; and

(F) Information from a consumer report.

(ii) Personally identifiable financial information does not include a list of names and addresses of customers of an entity that is not a financial institution.

(p) (1) Publicly available information means any information that is lawfully made available to the general public and that you obtain from:

(i) Federal, State or local government records;

(ii) Widely distributed media; or

(iii) Disclosures to the general public that are required to be made by Federal, State or local law.

(2) Examples—(i) Government records. Publicly available information contained in government records includes information contained in government real estate records and security interest filings.

(ii) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or an Internet site that is available to the general public without requiring a password or similar restriction.

Alternative B

(n) (1) Nonpublic personal information means:

(i) Personally identifiable financial information; and

(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information.

(2) Nonpublic personal information does not include:


(i) Publicly available information, except as provided in paragraph (n)(1)(ii) of this section; or

(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information.

(3) Example. Nonpublic personal information includes any list of individuals’ street addresses and telephone numbers that is derived using personally identifiable financial information, such as account numbers.

(o)(1) Personally identifiable financial information means any information:

(i) Provided by a consumer to you to obtain a financial product or service from you;

(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or

(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

(2) Examples. (i) Personally identifiable financial information includes:

(A) Information a consumer provides to you on an application to obtain a loan, credit card, insurance or other financial product or service, including, among other things, medical information;

(B) Account balance information, payment history, overdraft history, and credit or debit card purchase information;

(C) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you, unless that fact is derived using only publicly available information, such as government real estate records or bankruptcy records;

(D) Other information about your consumer if it is disclosed in a manner that indicates the individual is or has been your consumer;

(E) Any information provided by a consumer or otherwise obtained by you or your agent in connection with collecting on a loan or servicing a loan; and

(F) Information from a consumer report.

(ii) Personally identifiable financial information does not include a list of names and addresses of customers of an entity that is not a financial institution.

(p)(1) Publicly available information means any information that is lawfully made available to the general public from:

(i) Federal, State, or local government records;

(ii) Widely distributed media; or

(iii) Disclosures to the general public that are required to be made by Federal, State or local law.

(2) Examples—(i) Government records. Publicly available information contained in government records includes information contained in government real estate records and security interest filings.

(ii) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or an Internet site that is available to the general public without requiring a password or similar restriction.

§ 573.4 Initial notice to consumers of privacy policies and practices required.

(a) When initial notice is required. You must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices to:

(1) An individual who becomes your customer, prior to the time that you establish a customer relationship, except as provided in paragraph (d)(2) of this section; and

(2) A consumer, prior to the time that you disclose any nonpublic personal information about the consumer to any nonaffiliated third party, if you make such a disclosure other than as authorized by §§ 573.10 and 573.11.

(b) When initial notice to a consumer is not required. You are not required to provide an initial notice to a consumer under paragraph (a)(1) of this section if:

(1) You do not disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized by §§ 573.10 and 573.11; and

(2) You do not have a customer relationship with the consumer.

(c) When you establish a customer relationship—(1) General rule. You establish a customer relationship at the time you and the consumer enter into a continuing relationship.

(2) Examples. You establish a customer relationship when the consumer:

(i) Opens a credit card account with you;

(ii) Executes the contract to open a deposit account with you, obtains credit from you, or purchases insurance from you;

(iii) Agrees to obtain financial, economic, or investment advisory services from you for a fee;

(iv) Becomes your client for the purpose of your providing credit counseling or tax preparation services.

(d) How to provide notice—(1) General rule. You must provide the privacy notice required by paragraph (a) of this section so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form.

(2) Exceptions to allow subsequent delivery of notice. You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if:

(i) You purchase a loan or assume a deposit liability from another financial institution and the customer of that loan or deposit account does not have a choice about your purchase or assumption; or

(ii) You and the consumer orally agree to enter into a customer relationship and the consumer agrees to receive the notice thereafter.

(3) Oral description of notice insufficient. You may not provide the initial notice required by paragraph (a) of this section solely by orally explaining, either in person or over the telephone, your privacy policies and practices.

(4) Retention or accessibility of initial notice for customers. For customers only, you must provide the initial notice required by paragraph (a)(1) of this section so that it can be retained or obtained at a later time by the customer, in a written form or, if the customer agrees, in electronic form.

(5) Examples. (i) You may reasonably expect that a consumer will receive actual notice of your privacy policies and practices if you:

(A) Hand-deliver a printed copy of the notice to the consumer;

(B) Mail a printed copy of the notice to the last known address of the consumer;

(C) For the consumer who conducts transactions electronically, post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service;

(D) For an isolated transaction with the consumer, such as an ATM transaction, post the notice on the ATM screen and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.

(ii) You may not, however, reasonably expect that a consumer will receive actual notice of your privacy policies and practices if you:

(A) Only post a sign in your branch or office or generally publish advertisements of your privacy policies and practices;

(B) Send the notice via electronic mail to a consumer who obtains a financial product or service with you in person or through the mail and who does not agree to receive the notice electronically.

(iii) You provide the initial privacynotice to the customer so that it can beretained or obtained at a later time ifyou:

(A) Hand-deliver a printed copy of thenotice to the customer;

(B) Mail a printed copy of the noticeto the last known address of thecustomer upon request of the customer;or

(C) Maintain the notice on a web site(or a link to another web site) for thecustomer who obtains a financialproduct or service electronically andwho agrees to receive the noticeelectronically.

§ 573.5 Annual notice to customersrequired.

(a) General rule. You must provide aclear and conspicuous notice tocustomers that accurately reflects yourprivacy policies and practices not lessthan annually during the continuationof the customer relationship. Annuallymeans at least once in any period of 12consecutive months during which thatrelationship exists.

(b) How to provide notice. You mustprovide the annual notice required byparagraph (a) of this section to acustomer using a means permitted forproviding the initial notice to thatcustomer under § 573.4(d).

(c)(1) Termination of customerrelationship. You are not required toprovide an annual notice to a customerwith whom you no longer have acontinuing relationship.

(2) Examples. You no longer have acontinuing relationship with anindividual if:

(i) In the case of a deposit account, theaccount is dormant under your policies;

(ii) In the case of a closed-end loan,the consumer pays the loan in full, youcharge off the loan, or you sell the loanwithout retaining servicing rights;

(iii) In the case of a credit cardrelationship or other open-end creditrelationship, you no longer provide anystatements or notices to the consumerconcerning that relationship or you sellthe credit card receivables withoutretaining servicing rights; or

(iv) For other types of relationships,you have not communicated with theconsumer about the relationship for aperiod of 12 consecutive months, otherthan to provide annual notices ofprivacy policies and practices.

§ 573.6 Information to be included in initialand annual notices of privacy policies andpractices.

(a) General rule. The initial andannual notices that you provide aboutyour privacy policies and practicesunder §§ 573.4 and 573.5 must includeeach of the following items ofinformation:

(1) The categories of nonpublicpersonal information about yourconsumers that you collect;

(2) The categories of nonpublicpersonal information about yourconsumers that you disclose;

(3) The categories of affiliates andnonaffiliated third parties to whom youdisclose nonpublic personal informationabout your consumers, other than thoseparties to whom you discloseinformation under §§ 573.10 and 573.11;

(4) The categories of nonpublicpersonal information about your formercustomers that you disclose and thecategories of affiliates and nonaffiliatedthird parties to whom you disclosenonpublic personal information aboutyour former customers, other than thoseparties to whom you discloseinformation under §§ 573.10 and 573.11;

(5) If you disclose nonpublic personalinformation to a nonaffiliated thirdparty under § 573.9 (and no otherexception applies to that disclosure), aseparate description of the categories ofinformation you disclose and thecategories of third parties with whomyou have contracted;

(6) An explanation of the right under§ 573.8(a) of the consumer to opt out ofthe disclosure of nonpublic personalinformation to nonaffiliated thirdparties, including the methods by whichthe consumer may exercise that right;

(7) Any disclosures that you makeunder section 603(d)(2)(A)(iii) of theFair Credit Reporting Act (15 U.S.C.1681a(d)(2)(A)(iii)) (that is, noticesregarding the ability to opt out ofdisclosures of information amongaffiliates); and

(8) Your policies and practices withrespect to protecting the confidentiality,security and integrity of nonpublicpersonal information.

(b) Description of nonaffiliated thirdparties subject to exceptions. If youdisclose nonpublic personal informationabout a consumer to third parties asauthorized under §§ 573.10 and 573.11,you are not required to list thoseexceptions in the initial or annualprivacy notices required by §§ 573.4 and573.5. When describing the categorieswith respect to those parties, you areonly required to state that you makedisclosures to other nonaffiliated thirdparties as permitted by law.

(c) Future disclosures. Your notice may include:

(1) Categories of nonpublic personal information that you reserve the right to disclose in the future, but do not currently disclose; and

(2) Categories of affiliates or nonaffiliated third parties to whom you reserve the right in the future to disclose, but to whom you do not currently disclose, nonpublic personal information.

(d) Examples—(1) Categories of nonpublic personal information that you collect. You adequately categorize the nonpublic personal information you collect if you categorize it according to the source of the information, such as application information, information about transactions (such as information regarding your deposit, loan, or credit card account), and consumer reports.

(2) Categories of nonpublic personal information you disclose. You adequately categorize nonpublic personal information you disclose if you categorize it according to source, and provide a few illustrative examples of the content of the information. These might include application information, such as assets and income; identifying information, such as name, address, and social security number; and transaction information, such as information about account balance, payment history, parties to the transaction, and credit card usage; and information from consumer reports, such as a consumer’s creditworthiness and credit history. You do not adequately categorize the information that you disclose if you use only general terms, such as transaction information about the consumer.

(3) Categories of affiliates and nonaffiliated third parties to whom you disclose. You adequately categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about consumers if you identify the types of businesses that they engage in. Types of businesses may be described by general terms only if you use a few illustrative examples of significant lines of business. For example, you may use the term financial products or services if you include appropriate examples of significant lines of businesses, such as consumer banking, mortgage lending, life insurance or securities brokerage. You also may categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about consumers using more detailed categories.

(4) Simplified notices. If you do not disclose, and do not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, you may simply state that fact, in addition to the information you must provide under paragraphs (a)(1), (a)(8), and (b) of this section.

(5) Confidentiality, security and integrity. You describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if you explain who has access to the information and the circumstances under which the information may be accessed. You describe your policies and practices with respect to protecting the integrity of nonpublic personal information if you explain measures you take to protect against reasonably anticipated threats or hazards. You are not required to describe technical information about the safeguards you use.

§ 573.7 Limitation on disclosure of nonpublic personal information about consumers to nonaffiliated third parties.

(a) (1) Conditions for disclosure. Except as otherwise authorized in this part, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless:

(i) You have provided to the consumer an initial notice as required under § 573.4;

(ii) You have provided to the consumer an opt out notice as required in § 573.8;

(iii) You have given the consumer a reasonable opportunity, before the time that you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and

(iv) The consumer does not opt out.

(2) Opt out definition. Opt out means a direction by the consumer that you not disclose nonpublic personal information about that consumer to a nonaffiliated third party, other than as permitted by §§ 573.9, 573.10 and 573.11.

(3) Examples of reasonable opportunity to opt out—(i) By mail. You provide a consumer with whom you have a customer relationship with a reasonable opportunity to opt out if you mail the notices required in paragraph (a)(1) of this section to the consumer and allow the consumer a reasonable period of time, such as 30 days, to opt out.

(ii) Isolated transaction with consumer. For an isolated transaction, such as the purchase of a cashier’s check by a consumer, you provide a reasonable opportunity to opt out if you provide the consumer with the required notices at the time of the transaction and request that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.

(b) Application of opt out to all consumers and all nonpublic personal information.

(1) You must comply with this section, regardless of whether you and the consumer have established a customer relationship.

(2) Unless you comply with this section, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer that you have collected, regardless of whether you collected it before or after receiving the direction to opt out from the consumer.

(c) Partial opt out. You may allow a consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.

§ 573.8 Form and method of providing opt out notice to consumers.

(a) (1) Form of opt out notice. You must provide a clear and conspicuous notice to each of your consumers that accurately explains the right to opt out under § 573.7(a)(1). The notice must state:

(i) That you disclose or reserve the right to disclose nonpublic personal information about your consumer to a nonaffiliated third party;

(ii) That the consumer has the right to opt out of that disclosure; and

(iii) A reasonable means by which the consumer may exercise the opt out right.

(2) Examples. (i) You provide adequate notice that the consumer can opt out of the disclosure of nonpublic personal information to a nonaffiliated third party if you identify all of the categories of nonpublic personal information that you disclose or reserve the right to disclose to nonaffiliated third parties as described in § 573.6 and state that the consumer can opt out of the disclosure of that information.

(ii) You provide a reasonable means to exercise an opt out right if you:

(A) Designate check-off boxes in a prominent position on the relevant forms with the opt out notice;

(B) Include a reply form together with the opt out notice; or

(C) Provide an electronic means to opt out, such as a form that can be sent via electronic mail or a process at your web site, if the consumer agrees to the electronic delivery of information.

(iii) You do not provide a reasonable means of opting out if the only means of opting out is for the consumer to write his or her own letter to exercise that opt out right.

(b) How to provide opt out notice—(1) Delivery of notice. You must provide the opt out notice required by paragraph (a) of this section in a manner so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form. If you and the consumer orally agree to enter into a customer relationship, you may provide the opt out notice required by paragraph (a) of this section within a reasonable time thereafter if the consumer agrees.

(2) Oral description of opt out right insufficient. You may not provide the opt out notice solely by orally explaining, either in person or over the telephone, the right of the consumer to opt out.

(3) Same form as initial notice permitted. You may provide the opt out notice together with or on the same written or electronic form as the initial notice you provide in accordance with § 573.4.

(4) Initial notice required when opt out notice delivered subsequent to initial notice. If you provide the opt out notice at a later time than required for the initial notice in accordance with § 573.4, you must also include a copy of the initial notice in writing or, if the consumer agrees, in an electronic form with the opt out notice.

(c) Notice of change in terms—(1) General rule. Except as otherwise authorized in this part, you must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that you provided to the consumer under § 573.4, unless:

(i) You have provided to the consumer a revised notice that accurately describes your policies and practices;

(ii) You have provided to the consumer a new opt out notice;

(iii) You have given the consumer a reasonable opportunity, before the time that you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and

(iv) The consumer does not opt out.

(2) How to provide notice of change in terms. You must provide the revised notice of your policies and practices and opt out notice to a consumer using the means permitted for providing the initial notice and opt out notice to that consumer under § 573.4(d) or paragraph (b) of this section respectively.

(3) Examples. (i) Except as otherwise permitted by §§ 573.9, 573.10 and 573.11, a change-in-terms notice is required if you:

(A) Disclose a new category of nonpublic personal information to any nonaffiliated third party; or


(B) Disclose nonpublic personal information to a new category of nonaffiliated third party.

(ii) A change-in-terms notice is not required if you disclose nonpublic personal information to a new nonaffiliated third party that is adequately described by your prior notice.

(d) Continuing right to opt out. A consumer may exercise the right to opt out at any time, and you must comply with the consumer’s direction as soon as reasonably practicable.

(e) Duration of consumer’s opt out direction. A consumer’s direction to opt out under this section is effective until revoked by the consumer in writing, or if the consumer agrees, in electronic form.

§ 573.9 Exception to opt out requirements for service providers and joint marketing.

(a) General rule. The opt out requirements in §§ 573.7 and 573.8 do not apply when you provide nonpublic personal information about a consumer to a nonaffiliated third party to perform services for you or functions on your behalf, if you:

(1) Provide the initial notice in accordance with § 573.4; and

(2) Enter into a contractual agreement with the third party that:

(i) Requires the third party to maintain the confidentiality of the information to at least the same extent that you must maintain that confidentiality under this part; and

(ii) Limits the third party’s use of information you disclose solely to the purposes for which the information is disclosed or as otherwise permitted by §§ 573.10 and 573.11 of this part.

(b) Service may include joint marketing. The services performed for you by a nonaffiliated third party under paragraph (a) of this section may include marketing of your own products or services or marketing of financial products or services offered pursuant to joint agreements between you and one or more financial institutions.

(c) Definition of joint agreement. For purposes of this section, joint agreement means a written contract pursuant to which you and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.

§ 573.10 Exceptions to notice and opt out requirements for processing and servicing transactions.

(a) Exceptions for processing transactions at consumer’s request. The requirements for initial notice in § 573.4(a)(2), the opt out in §§ 573.7 and 573.8 and service providers and joint marketing in § 573.9 do not apply if you disclose nonpublic personal information:

(1) As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer;

(2) To service or process a financial product or service requested or authorized by the consumer;

(3) To maintain or service the consumer’s account with you, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or

(4) In connection with a proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer.

(b) Necessary to effect, administer, or enforce a transaction means that the disclosure is:

(1) Required, or is one of the lawful or appropriate methods, to enforce your rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or

(2) Required, or is a usual, appropriate, or acceptable method:

(i) To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer’s account in the ordinary course of providing the financial service or financial product;

(ii) To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;

(iii) To provide a confirmation, statement or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer’s agent or broker;

(iv) To accrue or recognize incentives or bonuses associated with the transaction that are provided by you or any other party;

(v) To underwrite insurance at the consumer’s request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer’s insurance: account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law;

(vi) In connection with settling a transaction, including:

(A) The authorization, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check or account number, or by other payment means;

(B) The transfer of receivables, accounts, or interests therein; or

(C) The audit of debit, credit, or other payment information.

§ 573.11 Other exceptions to notice and opt out requirements.

(a) Exceptions to opt out requirements. The requirements for initial notice to consumers in § 573.4(a)(2), the opt out in §§ 573.7 and 573.8 and service providers and joint marketing in § 573.9 do not apply when you disclose nonpublic personal information:

(1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;

(2) (i) To protect the confidentiality or security of your records pertaining to the consumer, service, product or transaction;

(ii) To protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability;

(iii) For required institutional risk control or for resolving consumer disputes or inquiries;

(iv) To persons holding a legal or beneficial interest relating to the consumer; or

(v) To persons acting in a fiduciary or representative capacity on behalf of the consumer;

(3) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating you, persons that are assessing your compliance with industry standards, and your attorneys, accountants, and auditors;

(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including government regulators), self-regulatory organizations, or for an investigation on a matter related to public safety;

(5) (i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); or

(ii) From a consumer report reported by a consumer reporting agency;

(6) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or

(7) (i) To comply with Federal, State, or local laws, rules and other applicable legal requirements;


(ii) To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, State, or local authorities; or

(iii) To respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance or other purposes as authorized by law.

(b) Examples of consent and revocation of consent. (1) A consumer may specifically consent to your disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to you for a mortgage so that the insurance company can offer homeowner’s insurance to the consumer.

(2) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under § 573.8(d).

§ 573.12 Limits on redisclosure and reuse of information.

(a) Limits on your redisclosure and reuse. (1) Except as otherwise provided in this part, if you receive nonpublic personal information about a consumer from a nonaffiliated financial institution, you must not, directly or through an affiliate, disclose the information to any other person that is not affiliated with either the financial institution or you, unless the disclosure would be lawful if the financial institution made it directly to such other person.

(2) You may use nonpublic personal information about a consumer that you receive from a nonaffiliated financial institution in accordance with an exception under §§ 573.9, 573.10 or 573.11 only for the purpose of that exception.

(b) Limits on redisclosure and the reuse by other persons. (1) Except as otherwise provided in this part, if you disclose nonpublic personal information about a consumer to a nonaffiliated third party, that party must not, directly or through an affiliate, disclose the information to any other person that is a nonaffiliated third party of both you and that party, unless the disclosure would be lawful if you made it directly to such other person.

(2) A nonaffiliated third party may use nonpublic personal information about a consumer that it receives from you in accordance with an exception under §§ 573.9, 573.10, or 573.11 only for the purpose of that exception.

§ 573.13 Limits on sharing of account number information for marketing purposes.

You must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

§ 573.14 Protection of Fair Credit Reporting Act.

Nothing in this part shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this part regarding whether information is transaction or experience information under section 603 of that Act.

§ 573.15 Relation to State laws.

(a) In general. This part shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such State statute, regulation, order or interpretation is inconsistent with the provisions of this part, and then only to the extent of the inconsistency.

(b) Greater protection under State law. For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this part if the protection such statute, regulation, order, or interpretation affords any consumer is greater than the protection provided under this part, as determined by the Federal Trade Commission, after consultation with OTS, on the Federal Trade Commission’s own motion or upon the petition of any interested party.

§ 573.16 Effective date; transition rule.

(a) Effective date. This part is effective November 13, 2000.

(b) Notice requirement for consumers who were your customers on the effective date. No later than 30 days after the effective date of this part, you must provide an initial notice, as required by § 573.4, to consumers who were your customers on the effective date of this part.

Dated: February 9, 2000.

By the Office of Thrift Supervision.

Ellen Seidman,
Director.

[FR Doc. 00–3718 Filed 2–18–00; 8:45 am]

BILLING CODES 4810–33–P; 6210–01–P; 6714–01–P; 6720–01–P
