2014-25299. Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P)  


    AGENCY:

    Bureau of Consumer Financial Protection.

    ACTION:

    Final rule.

    SUMMARY:

    The Bureau of Consumer Financial Protection (Bureau) is amending Regulation P, which requires, among other things, that financial institutions provide an annual disclosure of their privacy policies to their customers. The amendment creates an alternative delivery method for this annual disclosure, which financial institutions will be able to use under certain circumstances.

    DATES:

    This final rule is effective on October 28, 2014.


    FOR FURTHER INFORMATION CONTACT:

    Nora Rigby and Joseph Devlin, Counsels; Office of Regulations, at (202) 435-7700.


    SUPPLEMENTARY INFORMATION:

    I. Summary of the Rule

    The Gramm-Leach-Bliley Act (GLBA) [1] and Regulation P mandate that financial institutions provide their customers with initial and annual notices regarding their privacy policies. If financial institutions share certain customer information with particular types of third parties, the institutions are also required to provide notice to their customers and an opportunity to opt out of the sharing. The Fair Credit Reporting Act (FCRA) requires similar notices of opt-out rights. Many financial institutions currently mail printed copies of annual GLBA privacy notices to their customers, including notices of GLBA and/or FCRA opt-out rights, where applicable, but some of these institutions have expressed concern that this practice causes information overload for consumers and unnecessary expense.

    In response to such concerns, the Bureau proposed and now finalizes this rule to allow financial institutions to use an alternative delivery method to provide annual privacy notices through posting the annual notices on their Web sites if they meet certain conditions. Specifically, financial institutions may use the alternative delivery method for annual privacy notices if: (1) No opt-out rights are triggered by the financial institution's information sharing practices under GLBA or FCRA section 603, and opt-out notices required by FCRA section 624 have previously been provided, if applicable, or the annual privacy notice is not the only notice provided to satisfy those requirements; (2) the information included in the privacy notice has not changed since the customer received the previous notice; and (3) the financial institution uses the model form provided in Regulation P as its annual privacy notice.

    To use the alternative method, the financial institution must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its Web site, without requiring a login or similar steps or agreement to any conditions to access the notice. In addition, to assist customers with limited or no access to the Internet, the institution must mail annual notices to customers who request them by telephone, within ten days of the request.

    To make customers aware that its annual privacy notice is available through these means, the institution must insert a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law. The statement must inform customers that the annual privacy notice is available on the financial institution's Web site, the institution will mail the notice to customers who request it by calling a specific telephone number, and the notice has not changed.

    A financial institution is still required to use one of the permissible delivery methods that predate this rule change (referred to as the standard delivery methods) if the institution, among other things, has changed its privacy practices or engages in information-sharing activities for which customers have a right to opt out.

    II. Background

    A. The Statute and Regulation

    The GLBA was enacted into law in 1999.[2] The statute, among other things, is intended to provide a comprehensive framework for regulating the privacy practices of an extremely broad range of entities. “Financial institutions” for purposes of the GLBA include not only depository institutions and non-depository institutions providing consumer financial products or services (such as payday lenders, mortgage brokers, check cashers, debt collectors, and remittance transfer providers), but also many businesses that do not offer or provide consumer financial products or services.

    Rulemaking authority to implement the GLBA privacy provisions was initially spread among many agencies. The Federal Reserve Board (Board), the Office of Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS) jointly adopted final rules in 2000 to implement the notice requirements of the GLBA.[3] The National Credit Union Administration (NCUA), Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and Commodity Futures Trading Commission (CFTC) were part of the same interagency process, but each of these agencies issued separate rules.[4] In 2009, all of the agencies with the authority to issue rules to implement the GLBA privacy provisions issued a joint final rule with a model form that financial institutions could use, at their option, to provide the required initial and annual privacy disclosures.[5]

    In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) [6] transferred GLBA privacy notice rulemaking authority from the Board, NCUA, OCC, OTS, the FDIC, and the FTC (in part) to the Bureau.[7] The Bureau then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011.[8]

    The Bureau has the authority to promulgate GLBA privacy rules for depository institutions and many non-depository institutions. However, rulewriting authority with regard to securities and futures-related companies is vested in the SEC and CFTC, respectively, and rulewriting authority with respect to certain motor vehicle dealers is vested in the FTC.[9] The Bureau has consulted and coordinated with these agencies and with the National Association of Insurance Commissioners (NAIC) concerning the alternative delivery method.[10] The Bureau has also consulted with other appropriate federal agencies, as required under Section 1022 of the Dodd-Frank Act.

    1. Annual Privacy Notices

    The GLBA and its implementing regulation, Regulation P,[11] require that financial institutions [12] provide consumers with certain notices describing their privacy policies. Financial institutions are generally required to first provide an initial notice of these policies, and then an annual notice to customers every year that the relationship continues.[13] (When a financial institution has a continuing relationship with the consumer, an annual privacy notice is required and the consumer is then referred to as a “customer.”) [14] These notices describe whether and how the financial institution shares consumers' nonpublic personal information,[15] including personally identifiable financial information, with other entities. In some cases, these notices also explain how consumers can opt out of certain types of sharing. The notices further briefly describe how financial institutions protect the nonpublic personal information they collect and maintain. Financial institutions typically use U.S. postal mail to send initial and annual privacy notices to consumers.

    Section 502 of the GLBA and Regulation P at § 1016.6(a)(6) also require that initial and annual notices inform customers of their right to opt out of certain financial institution sharing of nonpublic personal information with some types of nonaffiliated third parties. For example, customers have the right to opt out of a financial institution selling the names and addresses of its mortgage customers to an unaffiliated home insurance company and, therefore, the institution would have to provide an opt-out notice before it sells the information. On the other hand, financial institutions are not required to allow consumers to opt out of the institutions' sharing involving third-party service providers, joint marketing arrangements, maintaining and servicing accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other activities that are specified in the statute and regulation as exceptions to the opt-out requirement.[16] If a financial institution limits its types of sharing to those which do not trigger opt-out rights, it may provide a “simplified” annual privacy notice to its customers that does not include opt-out information.[17]

    In addition to opt-out rights under the GLBA, annual privacy notices also may include information about certain consumer opt-out rights under the FCRA. The annual privacy disclosures under the GLBA/Regulation P and affiliate disclosures under the FCRA/Regulation V interact in two ways. First, the FCRA imposes requirements on financial institutions providing “consumer reports” to others, but section 603(d)(2)(A)(iii) of the FCRA excludes from the statute's definition of a consumer report [18] the sharing of certain information about a consumer among the institution's affiliates if the consumer is notified of such sharing and is given an opportunity to opt out.[19] Section 503(c)(4) of the GLBA and Regulation P require financial institutions providing their customers with initial and annual privacy notices to incorporate into them any notification and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA.[20]

    Second, section 624 of the FCRA and Regulation V's Affiliate Marketing Rule provide that an affiliate of a financial institution that receives certain information (e.g., transaction history) [21] from the institution about a consumer may not use the information to make solicitations for marketing purposes unless the consumer is notified of such use and provided with an opportunity to opt out of that use.[22] Regulation V also permits (but does not require) financial institutions providing their customers with initial and annual privacy notices under Regulation P to incorporate any opt-out disclosures provided under section 624 of the FCRA and subpart C of Regulation V into those notices.[23]


    2. Method of Delivering Annual Privacy Notices

    Section 503 of the GLBA sets forth the requirement that financial institutions provide initial and annual privacy disclosures to consumers. Specifically, it states that “a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, of such financial institution's policies and practices with respect to” disclosing and protecting consumers' nonpublic personal information.[24] Although financial institutions provide most annual privacy notices by U.S. postal mail, Regulation P allows financial institutions to provide notices electronically (e.g., by email) to customers with their consent.[25]

    B. CFPB Streamlining Initiative

    In pursuit of the Bureau's goal of reducing unnecessary or unduly burdensome regulations, the Bureau in December 2011 issued a Request for Information seeking specific suggestions from the public for streamlining regulations the Bureau had inherited from other Federal agencies (Streamlining RFI). In that RFI, the Bureau specifically identified the annual privacy notice as a potential opportunity for streamlining and solicited comment on possible alternatives to delivering the annual privacy notice.[26]

    Numerous industry commenters strongly advocated eliminating or limiting the annual notice requirement. They stated that most customers ignore annual privacy notices. Even if customers do read them, according to industry stakeholders, the content of these disclosures provides little benefit, especially if customers have no right to opt out of information sharing because the financial institution does not share nonpublic personal information in a way that triggers such rights. Financial institutions argued that mailing these notices imposes significant costs and that there are other ways of conveying to customers the information in the written notices just as effectively but at a lower cost. Several industry commenters suggested that if an institution's privacy notice has not changed, the institution should be allowed to communicate on the consumer's periodic statement, via email, or by some other cost-effective means that the annual privacy notice is available on its Web site or upon request, by telephone.[27]

    A banking industry trade association and other industry commenters suggested that the Bureau eliminate or ease the annual notice requirement for financial institutions if their privacy policies have not changed and they do not share nonpublic personal information beyond the exceptions allowed by the GLBA (e.g., the exception that allows sharing nonpublic personal information with the servicer of an account). They argued that the GLBA exceptions were crafted to allow what Congress viewed as non-problematic sharing and, therefore, the law does not require financial institutions to permit consumers to opt out of such sharing. The need for an annual notice is thus less evident if a financial institution only shares nonpublic personal information pursuant to one of these exceptions. The trade association estimated that 75% of banks do not share beyond these exceptions and do not change their notices from year to year.

    Consumer advocacy groups generally stated that customers benefit from financial institutions providing them with printed annual privacy notices, which may remind customers of privacy rights that they may not have exercised previously. Consumer representatives argued that these notices make customers aware of their privacy rights in regard to financial institutions, even if customers have no opt-out rights. One compliance company commenter agreed with the consumer groups' view of the importance of the notices. One advocacy group suggested that a narrow easing of annual notice requirements where a financial institution shares information only with affiliates might not be objectionable, although it did not support changing the current requirements. The Bureau did not receive any comment on the annual privacy notice change from privacy advocacy groups.

    C. Understanding the Effects of Certain Deposit Regulations—Study

    In November 2013, the Bureau published a study assessing the effects of certain deposit regulations on financial institutions' operations.[28] This study provided operational insights from seven banks about their annual privacy notices.[29] Many of these banks use third-party vendors, who design or distribute the notices on the banks' behalf. All seven participants provided the annual notice as a separate mailing, which resulted in higher costs for postage, materials, and labor than if the notice were mailed with other material. Some financial institutions apparently send separate mailings to ensure that their disclosures are “clear and conspicuous,” [30] although 2009 guidance from the eight agencies promulgating the model privacy form explained that a separate mailing is not required.[31] This separate mailing practice contrasts with the usual financial institution preference (particularly for smaller study participants) to bundle mailings with monthly statements. Indeed, subsequent Bureau outreach suggests that many financial institutions do mail the annual privacy notice with other materials. Finally, while the study participants echoed the sentiment that few customers read privacy notices, participant banks with call centers also reported that after they send annual notices, the number of customers who call about the banks' privacy policies increases.


    D. Further Outreach

    In addition to the consultations with other government agencies discussed above, while preparing the proposed rule the Bureau conducted further outreach to industry and consumer advocate stakeholders. The Bureau held meetings with consumer groups, including groups and individuals with a specific interest in privacy issues. The Bureau also held meetings with industry groups that represent institutions that must comply with the annual privacy notice requirement, including banks, credit unions, mortgage servicers, and debt buyers.

    As with the responses to the Streamlining RFI, the consumer groups generally expressed the view that mailed privacy notices were useful, even when no opt-out rights were present, and that changes were not necessary. Among other comments, they suggested that the Bureau promote the use of the Regulation P model form. The industry participants also generally expressed similar views to those expressed by industry in response to the Streamlining RFI. They supported creation of an alternative delivery method for annual privacy notices.[32]

    E. Comments on the Proposed Rule

    On May 13, 2014, the Bureau published a proposed rule in the Federal Register to amend 12 CFR 1016.9, the Regulation P provision on annual privacy notices.[33] The comment period closed on July 14, 2014. In response to the proposal, the Bureau received approximately 130 comments from industry trade associations, consumer groups, public interest groups, individual financial institutions, and others. As discussed in more detail below, the Bureau has considered these comments in adopting this final rule.

    Two commenters discussed the proposed rule's relation to and potential conflicts with the law of certain states. During the preparation of this final rule, the Bureau consulted with the two states that were identified as having laws that might preclude use of the alternative delivery method and explained the nature and benefits of the change being made to Regulation P. The two states are reviewing their laws and considering how to proceed.

    F. Effective Date

    Numerous industry commenters requested that any final rule adopted be made effective immediately, to make the rule's benefits available as soon as possible. An agency must allow 30 days before a substantive rule is made effective, unless, among other things, the rule “grants or recognizes an exemption or relieves a restriction” [34] or “as otherwise provided by the agency for good cause found and published with the rule.” [35] This rule recognizes an exemption from or relieves a restriction on providing the Regulation P annual privacy notice according to the standard delivery methods, and does not create any new requirement because a financial institution can choose not to use the new method. Accordingly, the 30-day delay in effective date does not apply and the Bureau finds good cause to make this rule effective immediately on publication in the Federal Register, in order to allow financial institutions and consumers to enjoy the benefits of this rule as soon as possible.

    G. Privacy Considerations

    In developing the proposed rule and this final rule, the Bureau considered its potential impact on consumer privacy. The rule will not affect the collection or use of consumers' nonpublic personal information by financial institutions. The rule will expand the permissible methods by which financial institutions subject to Regulation P may deliver annual privacy notices to their customers in limited circumstances. Among other limitations, it will not expand the permissible delivery methods if financial institutions make various types of changes to their annual privacy notices or if their annual privacy notices afford customers the right to opt out of financial institutions' sharing of customers' nonpublic personal information. The rule is designed to ensure that when the alternative delivery method is used, customers will continue to have access to clear and conspicuous annual privacy notices.

    III. Legal Authority

    The Bureau is issuing this final rule pursuant to its authority under section 504 of the GLBA, as amended by section 1093 of the Dodd-Frank Act.[36] The Bureau is also issuing this rule pursuant to its authority under sections 1022 and 1061 of the Dodd-Frank Act.[37]

    Prior to July 21, 2011, rulemaking authority for the privacy provisions of the GLBA was shared by eight federal agencies: The Board, the FDIC, the FTC, the NCUA, the OCC, the OTS, the SEC, and the CFTC. The Dodd-Frank Act amended a number of Federal consumer financial laws, including the GLBA. Among other changes, the Dodd-Frank Act transferred rulemaking authority for most of Subtitle A of Title V of the GLBA, with respect to financial institutions described in section 504(a)(1)(A) of the GLBA, from the Board, FDIC, FTC, NCUA, OCC, and OTS (collectively, the transferor agencies) to the Bureau, effective July 21, 2011.

    IV. Section-by-Section Analysis

    Section 1016.1—Purpose and Scope

    The Bureau is making technical corrections to two U.S. Code citations in § 1016.1(b)(1).

    Section 1016.9—Delivering Privacy and Opt-Out Notices

    Section 1016.9 of Regulation P describes how a financial institution must provide both the initial notice required by § 1016.4 and the annual notice required by § 1016.5. Specifically, existing § 1016.9(a) requires the notice to be provided so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. Existing § 1016.9(b) provides examples of delivery that will result in reasonable expectation of actual notice, including hand delivery, delivery by mail, or electronic delivery for consumers who conduct transactions electronically. Existing § 1016.9(c), redesignated by this final rule as § 1016.9(c)(1), provides examples regarding reasonable expectation of actual notice that apply to annual notices only.

    In the proposed rule, the Bureau proposed to add § 1016.9(c)(2), which would create an alternative delivery method for annual privacy notices, by which financial institutions that met certain requirements could comply with the annual notice requirement in § 1016.9(a). For the reasons discussed below, the Bureau is adopting § 1016.9(c)(2) substantially as proposed, with certain minor modifications.

    Proposed Rule

    As stated above, the Bureau proposed to add § 1016.9(c)(2), which would create an alternative delivery method for annual privacy notices, by which financial institutions that met certain requirements could comply with the annual notice requirement in § 1016.9(a). The Bureau proposed to allow use of the alternative delivery method to reduce information overload, specifically by eliminating duplicative paper privacy notices in situations in which the customer generally has no ability to opt out of the financial institution's information sharing.[38] Moreover, the Bureau proposed to allow use of the alternative delivery method to decrease the burden on financial institutions of delivering notices, while typically continuing to require delivery of notices pursuant to the standard methods in situations in which customers could opt out of information sharing.

    Under the alternative delivery method as proposed, customers would have access via financial institutions' Web sites (or by postal mail on request) to annual privacy notices that are conveyed via the model form, that generally do not inform customers of any right to opt out, and that repeat the same information as in previous privacy notices. Further, because financial institutions would be required to post their privacy notices continuously on their Web sites, customers would be able to access privacy notices throughout the year rather than waiting for an annual mailing. Financial institutions would be required to deliver to customers an annual reminder, on another notice or disclosure, of the availability of the privacy notice on the institution's Web site and by mail upon telephone request. In light of these considerations, the Bureau believed that where the conditions set forth in the proposed rule would be satisfied, any incremental benefit in terms of customers' awareness of privacy issues that might accrue from requiring delivery of the annual privacy notice pursuant to the standard methods would be outweighed by the costs of providing the notice, costs that ultimately might be passed through to customers.

    Comments

    In the proposed rule, the Bureau sought data and other information concerning the effect on customer privacy rights if financial institutions were to use the alternative delivery method rather than the standard delivery methods. The Bureau further requested comment on whether the proposed alternative delivery method would be effective in reducing the potential for information overload on customers and reducing the burden on financial institutions of mailing hard copy privacy notices.

    Comments from industry and consumer and public interest groups stated that the alternative delivery method would be beneficial to or have no effect on customers' awareness and exercise of their privacy rights under Regulation P. Industry commenters indicated that the proposal would reduce information overload. In regard to burden reduction, comments and earlier outreach indicated that a majority of credit unions, a large number of banks, and many other financial institutions would benefit from being able to use the alternative delivery method. In addition, proposal comments and earlier outreach have indicated that small financial institutions are less likely to share their customers' nonpublic personal information in a way that triggers customers' opt-out rights, and so it is likely that many of those small institutions can decrease their costs through the use of the alternative delivery method.

    Many industry commenters, however, objected to certain aspects and requirements of the alternative delivery method, and stated that eliminating these conditions and requirements would significantly increase the rule's burden reduction. Consumer and public interest groups, though, supported the inclusion of the conditions and requirements. These comments are discussed below in relation to the specific provisions they address.

    In the proposal, the Bureau noted that the alternative delivery method would be available where customers have already consented to receive their privacy notices electronically pursuant to § 1016.9(a) and invited comment regarding how often privacy notices are delivered electronically under existing Regulation P. The Bureau further invited comment on whether the proposed alternative delivery method is appropriate for customers who already receive privacy notices electronically and whether financial institutions that currently provide the notice electronically would be likely to use the proposed alternative delivery method. Only a few commenters addressed this issue. Some financial institutions indicated that most customers do not receive their annual privacy notices by electronic means, but that the institutions may want to use the alternative delivery method for those that do. The institutions also requested clarification of how this should be done.

    In the proposed rule, the Bureau also noted that potential comparison shopping by consumers among financial institutions based on privacy policies was one of the objectives that GLBA model privacy notices, primarily initial privacy notices, were intended to accomplish. See 15 U.S.C. 6803(e).[39] The Bureau invited empirical data on whether consumers do comparison shop among financial institutions based on privacy notices. The Bureau did not receive any such data.

    Final Rule

    As explained in the proposed rule, the specific language of section 503(a) of the GLBA grants some latitude in specifying by rule the method of conveying the annual notices, as long as a “clear and conspicuous disclosure” is provided “in writing or in electronic form or other form permitted by the regulations.” The Bureau's statutory interpretation allowing the alternative delivery method provision to satisfy this disclosure requirement applies only to the specific type of disclosure involved in the rule and in the limited circumstances presented here, pursuant to the specific language of GLBA section 503.

    In relation to the comments regarding notices currently delivered electronically, the Bureau reiterates that the alternative delivery method is available in lieu of the existing standard delivery methods including electronic delivery. In addition, as discussed below, the Bureau now clarifies that the notice of availability required by § 1016.9(c)(2)(ii)(A) may be included on account statements, coupon books, or notices or disclosures an institution is required or expressly and specifically permitted to issue to the customer under any other provision of law and delivered through a means otherwise permitted for that type of account statement, coupon book, or notice or disclosure, including electronic delivery where applicable. For example, the notice of availability may be included on a mortgage loan's periodic statement that is delivered electronically if the electronic delivery is in compliance with the Electronic Signatures in Global and National Commerce Act [40] (E-Sign) as required by Regulation Z.[41]

    The Bureau adopts § 1016.9(c)(2) substantially as proposed, with minor modifications. Comments on the specific provisions of § 1016.9(c)(2), and the specific provisions as adopted in this final rule, are discussed more fully below.

    Section 1016.9(c)(2) Alternative Method for Providing Certain Annual Notices

    Section 1016.9(c)(2)(i)

    Proposed § 1016.9(c)(2) would have set forth an alternative to § 1016.9(a) for providing certain annual notices. Proposed § 1016.9(c)(2)(i) would have provided that, notwithstanding the general notice requirement in § 1016.9(a), a financial institution may use the alternative method set forth in proposed § 1016.9(c)(2)(ii) to satisfy the requirement in § 1016.5(a)(1) to provide an annual notice if the institution met certain conditions as specified in proposed § 1016.9(c)(2)(i)(A) through (E). The Bureau is adopting § 1016.9(c)(2)(i) as proposed. The Bureau also proposed certain technical amendments to accommodate the new provision, which are adopted unchanged in the final rule.[42]

    Comments

    The Bureau invited comment generally on the conditions in proposed § 1016.9(c)(2)(i)(A) through (E) and whether any of those conditions should not be required or whether additional conditions should be added. Commenters generally discussed the conditions individually, and those comments are discussed in regard to each of those individual conditions below. No industry commenters suggested additional conditions. A consumer group and an academic commenter suggested unrelated enhancements to the privacy notice regulations that would severely impede the burden reduction achieved by this rule and have not been adopted. An industry trade association suggested that the Bureau remove the required conditions because the alternative delivery method is superior to the standard methods, and all customers and financial institutions should benefit from its use in all circumstances. Other industry commenters suggested that the conditions were unnecessary because customers do not read the notices anyway. Several industry commenters suggested that the Bureau's rule should not put more restrictions on the web posting of privacy notices than related pending legislation in Congress would if such legislation were enacted.[43]

    Final Rule

    The Bureau adopts § 1016.9(c)(2)(i) as proposed. The Bureau believes that the alternative delivery method provides appropriate and sufficient notice if a privacy notice has not changed and is not needed to inform the customer of his or her opt-out rights. The Bureau, however, also believes that generally requiring financial institutions to use the standard delivery methods for notices that have changed or that are required to inform consumers of opt-out rights, is more consistent with the importance to the GLBA statutory scheme of customers' ability to exercise opt-out rights. The Bureau also believes that the continued use of standard delivery methods in these circumstances is more consumer-friendly than allowing use of the alternative delivery method where notices have changed or are required to inform customers of opt-out rights. In regard to pending bills in Congress, the Bureau notes that the final rule is promulgated to implement the current GLBA statutory scheme.

    Section 1016.9(c)(2)(i)(A)

    Proposed § 1016.9(c)(2)(i)(A) would have set forth the first condition for using the alternative delivery method: That the financial institution does not share the customer's information with nonaffiliated third parties other than through the activities specified under §§ 1016.13, 1016.14 and 1016.15 that do not trigger opt-out rights under the GLBA. For the reasons discussed below, the Bureau is finalizing § 1016.9(c)(2)(i)(A) as proposed, with minor technical revisions.

    Proposed Rule

    For the reasons stated in the proposal, the Bureau proposed to continue to require standard delivery of the annual notice where customers have opt-out rights. The Bureau further proposed limiting the alternative delivery method to circumstances in which customers have no information sharing opt-out rights under Regulation P as a way to reduce the burden of compliance generally while still mandating the use of the standard delivery methods to ensure that customers have direct notice of any opt-out rights they have. This approach was also reflected in proposed § 1016.9(c)(2)(i)(B) and (C), discussed in detail below, which would have limited the use of the alternative delivery method where a financial institution shares customer information with affiliates in a way that triggers opt-out rights under FCRA sections 603(d)(2)(A)(iii) and 624.

    Comments

    Many commenters addressed § 1016.9(c)(2)(i)(A), (B), and (C) (the “opt-out conditions”) collectively without distinguishing among them.[44] For example, several consumer and privacy advocacy groups stated that they supported finalizing the opt-out conditions because many customers will not take the additional steps necessary to access or receive a privacy notice under the alternative delivery method and that it is therefore appropriate to permit use of it only if a customer does not have opt-out rights. Similarly, a civil rights public interest group supported the opt-out conditions in part, stating that these limitations would incentivize financial institutions not to share their customers' information. An organization representing state banking regulators also generally supported the proposed conditions for the alternative delivery method without specifically commenting on the opt-out conditions. Several individual credit unions and community banks either expressly supported the opt-out conditions or supported the proposal generally without addressing the opt-out conditions. Many financial institution commenters also expressed support for legislation currently pending in Congress that would either eliminate the requirement to provide an annual notice or allow an institution to provide access to an annual notice electronically if a financial institution does not share information in a way that triggers opt-out rights under the GLBA and other conditions are met.[45]

    In contrast, however, other industry commenters, especially those representing larger financial institutions, objected to limiting the alternative delivery method to financial institutions that are not required to provide opt-out rights to their customers, stating that such conditions would prevent them from using the alternative delivery method. These commenters stated that most large financial institutions, including most large non-bank financial institutions, share information in such a way that they are required to offer opt-out rights to their customers under either the GLBA or the FCRA (or both) and thus they would not be able to use the proposed alternative delivery method.[46] These commenters asserted that the opt-out conditions would significantly limit the burden reduction from the proposal.

    Moreover, commenters objecting to not allowing the use of the alternative delivery method if customers have opt-out rights stated that customers only very infrequently exercise their rights to opt out of information sharing after receiving mailed annual privacy notices and thus the Bureau does not need to require standard delivery of notices even if opt-out rights exist. One national trade association representing business interests stated that the Bureau's admission in the proposal that it is unlikely that fewer customers would read the privacy notice if financial institutions deliver it pursuant to the alternative method than read it if mailed undercuts the notion that mailed notices are more effective.

    Final Rule

    The Bureau is adopting § 1016.9(c)(2)(i)(A) as proposed except for technical revisions to revise the wording from “share with” to “disclose to” to be consistent with most of the rest of the existing rule text in part 1016 and to clarify that the information that may not be disclosed is the “customer's nonpublic personal information.” The Bureau is aware that the proposed opt-out conditions in § 1016.9(c)(2)(i)(A), (B), and (C) will preclude some financial institutions from using the alternative delivery method. Nonetheless, the Bureau believes that because of the importance to the statutory scheme of customers' ability to exercise opt-out rights, financial institutions must continue to satisfy requirements to provide information about these rights through the standard delivery methods. In addition, as shown by the Bureau's research in connection with the proposal [47] and by comments received on the proposal, the Bureau believes that even with these conditions, many financial institutions will be able to use the alternative method which will relieve burden for them and reduce information overload for their customers.[48] With respect to the comment that few customers opt out of information sharing when they receive notices through the standard delivery methods, the Bureau believes that standard delivery of the annual privacy notice is a more consumer-friendly method for conveying the existence of opt-out rights to customers and allowing them to exercise those rights. As to whether fewer customers will read the privacy notice when delivered pursuant to the alternative delivery method, the Bureau notes that there is no reliable evidence bearing on this question. In the absence of such evidence the Bureau opts to continue the standard delivery methods (e.g., mail) that require the least amount of effort from consumers to exercise their opt-out rights.

    Section 1016.9(c)(2)(i)(B) and 9(c)(2)(i)(C)

    Proposed § 1016.9(c)(2)(i)(B) would have set forth the second condition for using the alternative delivery method for the annual privacy notice: That the financial institution not include on its annual notice an opt out under section 603(d)(2)(A)(iii) of the FCRA.[49] Proposed § 1016.9(c)(2)(i)(C) would have presented the third condition for using the alternative delivery method: that the annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the FCRA [50] and subpart C of 12 CFR part 1022 (the “Affiliate Marketing Rule”). For the reasons discussed below, the Bureau is finalizing § 1016.9(c)(2)(i)(B) as proposed and is finalizing § 1016.9(c)(2)(i)(C) as revised.

    Proposed Rule

    As discussed in part II above, FCRA section 603(d)(2)(A)(iii) excludes from the statute's definition of “consumer report” a financial institution's sharing of certain information about a consumer with its affiliates if the financial institution provides the consumer with notice and an opportunity to opt out of the information sharing. Section 503(b)(4) of the GLBA expressly requires a financial institution's privacy notice to include any disclosures the financial institution is required to make under section 603(d)(2)(A)(iii) of the FCRA, if any. Section 1016.6(a)(7), which implements this statutory directive, requires a financial institution's privacy notice to include any disclosures the institution makes under section 603(d)(2)(A)(iii). As stated in the proposal, because the Bureau proposed the alternative delivery method be available only if notices are not required to inform customers of opt-out rights, proposed § 1016.9(c)(2)(i)(B) provided that annual notices that inform customers of FCRA section 603(d)(2)(A)(iii) opt-out rights, like notices that inform customers of GLBA opt-out rights, would have to continue to be delivered pursuant to the standard delivery methods.

    In contrast to the FCRA section 603(d)(2)(A)(iii) notice and opt-out right, the Affiliate Marketing Rule notice and opt out is not required by either the GLBA or Regulation P to be included on the annual privacy notice. The Affiliate Marketing Rule notice and opt out may be included on this notice, however. Given that the Affiliate Marketing Rule notice and opt out is not required on the annual privacy notice (and indeed does not have to be provided annually),[51] the Bureau believes, as stated in the proposal, that including the Affiliate Marketing Rule opt-out on the annual notice should not preclude a financial institution from using the alternative delivery method. The Bureau therefore proposed § 1016.9(c)(2)(i)(C), which would have allowed a financial institution to use the alternative delivery method if it provides the customer with an opt-out right under the Affiliate Marketing Rule as long as the Regulation P annual privacy notice was not the only notice provided to satisfy the Affiliate Marketing Rule, if applicable.

    As it did in the proposal, the Bureau notes that the required duration of a consumer opt-out under the Affiliate Marketing Rule depends on whether the Affiliate Marketing Rule notice and opt out is included as part of the Regulation P model privacy notice or issued separately. If a financial institution includes the Affiliate Marketing Rule notice and opt out on the model privacy notice, Regulation P requires that opt out to be of indefinite duration.[52] In contrast, if a financial institution provides the Affiliate Marketing Rule notice and opt out separately, Regulation V allows the opt out to be offered for as few as five years, subject to renewal, and the disclosure of the duration of the opt out must be included on the separate notice.[53] As stated in the proposal, the Bureau believes that prohibiting the use of the alternative delivery method if a financial institution voluntarily includes the Affiliate Marketing Rule notice and opt-out on its annual privacy notice could discourage financial institutions from including it. If so, it could be to the detriment of consumers who otherwise likely would not receive annual notice of their Affiliate Marketing Rule opt-out right.

    Comments

    Comments that addressed the three opt-out conditions in proposed § 1016.9(c)(2)(i)(A), (B), and (C) are discussed collectively above in the section-by-section analysis of § 1016.9(c)(2)(i)(A). Though many commenters generally supported the opt-out conditions, they did not separately discuss § 1016.9(c)(2)(i)(B) or (C). Commenters who specifically addressed § 1016.9(c)(2)(i)(B) and (C) stated that because FCRA-covered information sharing with affiliates is more widespread among financial institutions than information sharing with third parties not covered by a GLBA exception, these FCRA conditions were likely to prevent many more financial institutions from taking advantage of the alternative delivery method than § 1016.9(c)(2)(i)(A) relating to GLBA opt-out rights. These commenters asserted that the FCRA opt-out conditions in proposed § 1016.9(c)(2)(i)(B) and (C) should not be finalized even if the Bureau continues to require standard delivery methods to customers who have GLBA opt-out rights.

    A national trade association representing the consumer credit industry stated that proposed § 1016.9(c)(2)(i)(B) and (C) would preclude non-depository institutions from using the alternative delivery method more than depository institutions because non-depository institutions tend to share information with affiliates (and thereby trigger FCRA opt-out rights) more often than depository institutions. Several state community bank and credit union associations as well as several individual community banks and credit unions objected to § 1016.9(c)(2)(i)(B) and (C) because they share information with affiliates to offer services to their customers that they otherwise could not offer. A “think tank” focused on data practices also opposed § 1016.9(c)(2)(i)(B) and (C) because it said the FCRA opt-out conditions are too limiting to financial institutions and a mailed notice is not necessary to inform customers of those opt-out rights. A mortgage industry group further opposed § 1016.9(c)(2)(i)(B) and (C) because information sharing governed by the FCRA is different in kind from that governed by the GLBA, and FCRA requirements should not determine the GLBA annual notice delivery requirements. Many industry commenters argued that the Bureau's proposal should track proposed legislation in Congress which would either eliminate the annual notice requirement or allow an institution to provide access to an annual notice electronically or in other forms if no GLBA opt-out rights exist (and certain other conditions are met). Such proposed legislation, however, does not address the relationship between an alternative delivery method and FCRA opt-out rights.

    Specifically with respect to proposed § 1016.9(c)(2)(i)(C), several financial institutions stated that the requirement to separately provide the Affiliate Marketing Rule opt-out notice to use the alternative delivery method would negate the cost savings of the alternative delivery method.

    Final Rule

    The Bureau is finalizing § 1016.9(c)(2)(i)(B) as proposed and is finalizing § 1016.9(c)(2)(i)(C) as revised. The Bureau understands that including § 1016.9(c)(2)(i)(B) and (C) as conditions for using the alternative delivery method will limit the availability of the alternative delivery method more than if the Bureau finalized only the GLBA opt-out condition in § 1016.9(c)(2)(i)(A). The Bureau further understands that the FCRA opt-out conditions may affect certain types of financial institutions more than others. The Bureau is nonetheless persuaded, for the same reasons discussed in regard to § 1016.9(c)(2)(i)(A), that it is important for customers to receive standard delivery of the annual notice if that notice includes information concerning the right to opt out of information sharing. The Bureau believes that standard delivery is a more consumer-friendly way of notifying customers of their opt-out rights and allowing them to exercise those rights.

    With respect to commenters who stated that FCRA requirements should not govern GLBA annual notice requirements, the Bureau notes that section 503(b)(4) of GLBA expressly requires that disclosures required under section 603(d)(2)(A)(iii) of FCRA be included on the GLBA privacy notice. Section 603(d)(2)(A)(iii) of the FCRA is silent as to how frequently the notice of opt-out rights must be delivered, but the agencies responsible for implementation of the GLBA interpreted it to require provision of annual notice of the FCRA section 603(d)(2)(A)(iii) opt-out right.[54] Accordingly, since it became effective in 2000, § 1016.6(a)(7) has required financial institutions that offer the FCRA section 603(d)(2)(A)(iii) opt-out to include it on their annual privacy notice. The Bureau's determination that customers should continue to receive annual notices that inform them of opt-out rights pursuant to the standard delivery methods applies equally to those FCRA opt-out rights that are required by § 1016.6(a)(7) to be included on the GLBA annual privacy notice. FCRA opt-out rights conveyed on the annual notice under § 1016.6(a)(7) are as important to customers and to the FCRA statutory scheme as the GLBA opt-out rights and thus should be delivered pursuant to the standard delivery methods.

    Regarding § 1016.9(c)(2)(i)(C), the Bureau has substantially revised the provision to clarify how use of the model privacy notice to inform customers of opt-out rights under the Affiliate Marketing Rule interacts with use of the alternative delivery method. The Affiliate Marketing Rule requires that, before a financial institution may make solicitations based on eligibility information about a consumer it receives from an affiliate, the consumer must be provided with notice and an opportunity to opt out of such use. The Affiliate Marketing Rule further requires that a consumer's opt-out must be effective for a period of at least five years, but if the financial institution chooses to honor the customer's opt-out indefinitely, the notice need be delivered only once. As discussed above, this notice and opt-out may be included on a Regulation P privacy notice, but is not required to be. If the Affiliate Marketing Rule opt-out is incorporated in the model privacy notice, initial or annual, a financial institution must honor any customer opt-out request indefinitely.[55] Accordingly, if a financial institution chooses to include the Affiliate Marketing Rule opt-out on its model privacy notice, the institution has no further Affiliate Marketing Rule disclosure obligations after the first model privacy notice is delivered and the institution is free to continue including the Affiliate Marketing Rule opt-out on the annual privacy notice without jeopardizing its ability to use the alternative delivery method.[56]

    The language of § 1016.9(c)(2)(i)(C) has been revised to make this more explicit by stating that the alternative delivery method is available to a financial institution if “the requirements of [the Affiliate Marketing Rule], if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements.” In light of this clarification, the Bureau disagrees with commenters who stated that there would be no cost savings from the alternative delivery method for institutions that are subject to the Affiliate Marketing Rule. If those institutions used the model privacy notice and standard delivery methods to disclose opt-out rights, then they could use the alternative delivery method for subsequent annual notices. If those institutions provided a separate Affiliate Marketing Rule opt-out because they wanted to limit the duration of that opt-out, no additional notices would be required and the alternative delivery method would still be available. If the customer had not already received the Affiliate Marketing Rule opt-out notice, the financial institution would be required to deliver that notice only once using standard methods to satisfy § 1016.9(c)(2)(i)(C). The Bureau believes that generally a customer would have already received the Affiliate Marketing Rule notice and the one-time delivery still would not negate potential savings for annual notices in subsequent years.

    The Bureau acknowledges that some customers will no longer receive their annual privacy notice pursuant to standard delivery methods even though the notice informs them of a right to opt out that exists pursuant to the Affiliate Marketing Rule. The Bureau believes, however, that this concern is mitigated by the fact that if the customer had not already received notice of the Affiliate Marketing Rule opt out pursuant to standard delivery methods, the financial institution would have to provide a separate Affiliate Marketing Rule notice in order to satisfy § 1016.9(c)(2)(i)(C).[57] The Bureau considered but decided against prohibiting use of the alternative delivery method where a financial institution provides an opt out under the Affiliate Marketing Rule because neither the GLBA nor Regulation P requires the Affiliate Marketing Rule opt-out to be included on the annual privacy notice.

    Section 1016.9(c)(2)(i)(D)

    Proposed § 1016.9(c)(2)(i)(D) would have presented the fourth condition for using the alternative delivery method: That the information a financial institution is required to convey on its annual privacy notice pursuant to § 1016.6(a)(1) through (5), (8) and (9) has not changed since the immediately previous privacy notice (whether initial or annual) to the customer. For the reasons discussed below, the Bureau is adopting § 1016.9(c)(2)(i)(D) with some modifications.

    Proposed Rule

    The Bureau proposed to provide more flexibility in the method of delivering a notice that has not changed because it believed that delivery of the annual notice by the standard delivery methods is likely less useful if the customer has already received a privacy notice, the financial institution's sharing practices remain generally unchanged since that previous notice, and the other requirements of § 1016.9(c)(2)(i) are met. Proposed § 1016.9(c)(2)(i)(D) would have listed the specific disclosures of the privacy notice that must not change for a financial institution to take advantage of the alternative delivery method: § 1016.6(a)(1) through (5), (8), and (9).

    The Bureau explained that the disclosures required by § 1016.6(a)(1) through (5) and (9) describe categories of nonpublic personal information collected and disclosed and categories of third parties with whom that information is disclosed. Accordingly, only a change in or addition of a category of information collected or shared or in a category of third party with whom the information is shared would have prevented a financial institution from satisfying proposed § 1016.9(c)(2)(i)(D) based on the disclosures required by § 1016.6(a)(1) through (5) and (9). The Bureau also explained that the disclosure required by § 1016.6(a)(8) would disallow use of the alternative delivery method if a financial institution changed the required description of its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. The Bureau explained that changes in the description of a financial institution's data security policy likely are significant enough that when they occur, the annual privacy notice should continue to be delivered according to the standard delivery methods. Indeed, in light of recent large-scale data security breaches, some customers may be more interested in the data security policies of their financial institutions than they were previously. The Bureau further noted in the proposal that stylistic changes in the wording of the notice that do not change the information conveyed on the notice would not prevent a financial institution from satisfying proposed § 1016.9(c)(2)(i)(D).

    Comments

    Most commenters that addressed § 1016.9(c)(2)(i)(D) supported the proposed requirement. A national association representing student loan servicers stated that proposed § 1016.9(c)(2)(i)(D) is the most important element of the requirements for using the alternative delivery method. Several national associations representing both large and small financial institutions suggested retaining the requirement in § 1016.9(c)(2)(i)(D), even though they advocated alternatives to other components of the proposal. As noted in the section-by-section analyses of § 1016.9(c)(2)(i)(A) and (B), many commenters expressed their support for legislation pending in Congress that is somewhat similar to the proposal and includes the requirement that the financial institution's privacy notice remain unchanged from the previous notice. In contrast, a national business coalition relating to online privacy criticized proposed § 1016.9(c)(2)(i)(D) as significantly reducing the opportunity for financial institutions to use the alternative delivery method, in conjunction with the other requirements of proposed § 1016.9(c)(2)(i).

    Most other commenters suggested technical changes to proposed § 1016.9(c)(2)(i)(D) or requested clarification. A state association representing credit unions and a community bank commented that a revised privacy notice is required by § 1016.8 if a financial institution shares information other than as described in the initial privacy notice. They thus proposed that § 1016.9(c)(2)(i)(D) should allow financial institutions to use the alternative delivery method if the information disclosed on the privacy notice has not changed since the immediately previous privacy notice, whether initial, annual, or revised.

    A compliance services company commented that Regulation P requires information to be included on the model privacy notice that, if changed, might be significant for customers but is not included in § 1016.9(c)(2)(i)(D). Such information includes the name of the financial institution providing the notice, changes in the definitions section of the notice which describes the financial institution's affiliates, nonaffiliates with whom it shares information, and joint marketing practices, and changes in the “Other Important Information” section of the model form, such as those involving state law requirements. The compliance services company further commented that the statement on the notice of availability required by § 1016.9(c)(2)(ii)(A) that “our privacy policy has not changed” could be inaccurate if such information had in fact changed. Moreover, the compliance services company also explained that the Bureau's statement in the proposal that a financial institution could change its privacy policy so as to eliminate information sharing that triggers opt-out rights and then make use of the alternative delivery method for the next annual privacy notice [58] conflicts with § 1016.9(c)(2)(i)(D) as proposed. According to the commenter, eliminating a category of affiliates with whom the financial institution shares information would trigger changes to the disclosure required by § 1016.6(a)(2) and thus would prevent a financial institution from complying with proposed § 1016.9(c)(2)(i)(D).

    Lastly, the compliance services company requested guidance on the sequence of events that would allow a financial institution to use the alternative delivery method after a privacy policy change occurs. For example, the company asked for clarification on when a revised notice should be sent, a time period after the notice of availability was delivered within which the institution would be required to implement the requirements for Web site posting and establishing a telephone number to request the privacy notice, and a time frame after the change for the institution to wait before it starts using the statement that “our privacy policy has not changed.”

    Final Rule

    The Bureau is adopting § 1016.9(c)(2)(i)(D) with some modifications. Regarding the comment that proposed § 1016.9(c)(2)(i)(D) renders the alternative delivery method of limited availability to financial institutions, the Bureau believes that requiring notices that have changed to be delivered pursuant to standard delivery methods is a more consumer-friendly way of notifying customers of changes than requiring consumers to affirmatively seek out information about the changed policy. As to revised privacy notices, the Bureau agrees that a financial institution that has used standard delivery methods to provide customers with a revised privacy notice under § 1016.8 should be able to use the alternative delivery method for its next annual notice. Accordingly, the Bureau is revising proposed § 1016.9(c)(2)(i)(D) to permit a financial institution to use the alternative delivery method if the information contained on its privacy notice has not changed since it provided the immediately previous privacy notice (whether initial, annual, or revised).

    Regarding the comment that some pertinent information on the privacy notice could change and proposed § 1016.9(c)(2)(i)(D) would still permit the financial institution to use the alternative delivery method, the Bureau is permitting use of the alternative delivery method following such changes to provide greater flexibility. For example, although information about the name of the financial institution or its affiliates is useful to customers, the Bureau does not believe that information is as important in the context of the privacy notice as changes to the categories of nonpublic personal information collected and disclosed by the financial institution, the categories of third parties to whom the institution discloses that information, and changes to the institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. Moreover, where a financial institution changes its name, that name change would likely be conveyed to the institution's customers through means beyond the annual privacy notice. Indeed, including changes to the financial institution's name, the names of its affiliates, or its joint marketing practices in § 1016.9(c)(2)(i)(D) likely would limit the availability of the alternative method without much benefit to customers. Lastly, the Bureau believes that the statement required by § 1016.9(c)(2)(ii)(A) that “our privacy policy has not changed” is accurate even when information such as the financial institution's name or its affiliates has changed, as long as the policy the financial institution is required to describe on its annual privacy notice pursuant to § 1016.6(a)(1) through (5), (8), and (9) has not changed.

    As to a financial institution that changes its privacy policy to eliminate information sharing that triggers opt-out rights, the Bureau determines that such an institution would be able to use the alternative delivery method for its next annual notice and agrees that this should be clarified in the rule text. Under the final rule, if an institution chooses to stop sharing certain categories of information or to stop sharing information with certain categories of third parties, the financial institution will be able to use the alternative delivery method for its next annual privacy notice without first sending out a privacy notice pursuant to standard delivery methods (provided it meets the requirements of § 1016.9(c)(2)). The Bureau is modifying § 1016.9(c)(2)(i)(D) to permit financial institutions to use the alternative delivery method if the information the institution is required to convey has not changed other than to eliminate categories of information it discloses or categories of third parties to whom it discloses information.

    Lastly, as to the request for clarification about the process for using the alternative delivery method after a financial institution changes its sharing practices, the alternative delivery method does not alter either the requirements for providing a revised privacy notice in § 1016.8 or any of the timing requirements in existing § 1016.5. Accordingly, to the extent that § 1016.8 requires a financial institution to deliver a revised privacy notice if a financial institution changes its information sharing, the institution is still required to deliver that notice pursuant to § 1016.9.[59] Similarly, the adoption of § 1016.9(c)(2) does not change the timing requirements for delivering the annual notice.

    Accordingly, if a financial institution makes a change to its information sharing practices that would prevent it from meeting the condition in § 1016.9(c)(2)(i)(D), i.e., a change other than to eliminate categories of information it discloses or categories of third parties to whom it discloses, the financial institution could use the alternative delivery method to meet its next annual privacy notice requirement if it first sent a revised privacy notice pursuant to the standard delivery methods (provided it meets the requirements of § 1016.9(c)(2)). If the change is to its policies and practices regarding protecting the confidentiality and security of nonpublic personal information, no revised privacy notice would be required under § 1016.8 but a financial institution could opt to provide one anyway so that it could use the alternative delivery method and the statement that its privacy policy has not changed to meet its next annual notice requirement. Alternatively, a financial institution that makes a change to its information sharing practices or its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information that would prevent the institution from meeting the condition in § 1016.9(c)(2)(i)(D) could send its next annual privacy notice using standard delivery methods and resume using the alternative delivery method thereafter.

    To the extent that a financial institution chooses to provide the notice of availability of its privacy policies more often than annually, it could include the statement that its privacy policy has not changed whenever the intervening change is not a change covered by § 1016.9(c)(2)(i)(D); where the intervening change is one covered by § 1016.9(c)(2)(i)(D), the financial institution could include the statement that its privacy policy has not changed once it delivers a revised privacy notice pursuant to the standard delivery methods. Regarding when a financial institution must implement the Web site posting of the privacy notice and the telephone number for requesting the notice, a financial institution may choose to adopt the alternative delivery method at any time. However, it would need to meet all of the requirements for using the alternative delivery method by the due date of the first annual privacy notice that the institution does not deliver using one of the standard delivery methods. This would include sending the notice of availability that informs customers of the existence of the Web site and the telephone number and providing customers access to the privacy notice by Web site and through telephone request by that due date.

    Section 1016.9(c)(2)(i)(E)

    The last condition for use of the alternative delivery method included in the Bureau's proposed rule, which was set forth in proposed § 1016.9(c)(2)(i)(E), would have required that a financial institution use the Regulation P model privacy form for its annual privacy notice. The Bureau now adopts the provision as proposed.

    Proposed Rule

    The model form was adopted in 2009 as part of an interagency rulemaking mandated by Congress.[60] The form was developed using consumer research to ensure that the model notice was easier to understand and use than most privacy notices then being used.[61] During outreach prior to the Bureau's issuance of its May 13, 2014, proposed rule, consumer and privacy groups told the Bureau that the model form is easier for consumers to understand than other privacy notices. The Bureau's research on the impacts of its proposed rule [62] determined that some non-model form privacy notices were not easily understood. This research also determined that a significant percentage of financial institutions already use the model privacy form. Accordingly, the Bureau proposed § 1016.9(c)(2)(i)(E), which would permit use of the alternative delivery method only if a financial institution uses the model privacy form for its annual privacy notice.

    Comments

    The Bureau invited comment on the extent to which financial institutions currently use the model privacy form and, if they do not, whether they would choose to do so to take advantage of the proposed alternative delivery method. In addition, the Bureau invited comment on the benefit to customers of receiving a privacy notice in the model form rather than a privacy notice in a non-standardized format.

    The comments indicated that a significant number of industry participants are using the model form already. The Bureau did not receive much comment on whether the model form requirement would incentivize its use so that financial institutions could use the alternative delivery method. However, one industry commenter stated it would do so. On the other hand, some other industry commenters asserted that conditioning the use of the alternative delivery method on the use of the model form would significantly affect how many financial institutions could use the alternative delivery method and experience reduced burden.

    Consumer and public interest group commenters explicitly and strongly supported the model form requirement, explaining that the model form is easier for consumers to understand than other notices that individual financial institutions use because it does not have the legal jargon and complex vocabulary found in those other notices. An academic commenter described a project where notices are collected and compared, and stressed the importance of online standardized notices, such as those using the model form. Some credit union associations supported the model form requirement but requested that the Bureau clarify whether changes to the form would be acceptable and, if so, what types of changes would be acceptable.

    Many comments from industry members and groups supported the rule as proposed or only objected to requirements other than the model form, and so they did not appear to view the model form requirement as problematic. However, several industry trade associations and many individual institutions objected to the model form requirement. One trade association stated that many financial institutions currently use forms that they believe are more informative than the model form and that their customers are more familiar with. A student loan servicing trade association made a similar comment, stating that some servicers do not want to use the model form because their version provides customers with more information.

    Many trade association and individual industry commenters also were concerned that if they made changes to the model form to be clearer and more informative, it would preclude them from using the alternative delivery method. These commenters suggested that the Bureau state clearly that changes in wording and layout in the model form would be acceptable. Several commenters requested that the form used only have to comply with Regulation P, rather than having to follow the model form instructions. Two trade associations stated that the model form is one-size-fits-all and does not work for nontraditional financial institutions such as companies that offer long-term installment plans. Other commenters objected to the requirement that the Web page containing the model form have no other information and suggested that other privacy information should be allowed.

    The Bureau also invited comment on related state or international law requirements and their interaction with the model privacy notice. Although the Bureau did receive comments, as discussed above, on the proposed rule's relation to state law, those comments did not address the model form requirement.

    In addition, the Bureau solicited comment on whether adoption of the model form itself should be considered a change in the annual notice pursuant to proposed § 1016.9(c)(2)(i)(D) such that an institution using the model form for the first time would be precluded from using the proposed alternative delivery method until the following year's annual notice. Consumer and public interest group commenters did not address this issue, but some industry commenters stated that adoption of the model form should not be considered a change under § 1016.9(c)(2)(i)(D).

    Final Rule

    The Bureau adopts § 1016.9(c)(2)(i)(E) as proposed. Based on the Bureau's impact analyses and the research that went into the development and testing of the model form,[63] the Bureau continues to believe that requiring use of the model form as a condition of using the alternative delivery method will foster the use of a notice that is, in general, more consumer-friendly and effective in conveying privacy policy information to customers than non-standardized notices. The Bureau also continues to believe that § 1016.9(c)(2)(i)(E) is likely to encourage some financial institutions that are not currently doing so to use the model form to take advantage of the cost savings associated with the alternative delivery method. Moreover, the Bureau does not believe that adopting the model form will entail significant costs for the minority of financial institutions that do not currently use it, and notes that there is an Online Form Builder that allows financial institutions to readily create customized privacy notices using the model form template.[64] In addition, the Bureau believes that in a large majority of instances the one-time cost of adopting the model form will be offset quickly by the reduced cost of printing and mailing forms, which will then continue year after year.

    While some financial institution commenters asserted that conditioning the use of the alternative delivery method on the use of the model form would significantly affect how many financial institutions could use the alternative delivery method and experience reduced regulatory burden, they did not submit data or substantive analysis on this point. In regard to comments about forms that comply with Regulation P but may not comply exactly with the model form instructions, potentially giving rise to violations when the alternative delivery method is used, the Bureau notes that financial institutions may consult counsel on how to comply so as to limit the risk of government enforcement.[65] In regard to types of financial institutions that do not prefer to use the model form for whatever reason, the Bureau notes that the model form was carefully crafted to be usable by a wide variety of financial institutions,[66] but any institutions that choose not to use it may continue to send annual privacy notices in the standard manner.

    The Bureau notes that the model form accommodates information that may be required by state or international law, as applicable, in a box called “Other important information.” [67] Accordingly, the Bureau expects that a financial institution that has additional privacy disclosure obligations pursuant to state or international law will still be able to use the model form to take advantage of the proposed alternative delivery method. In regard to supplemental privacy information a financial institution wishes to convey, the discussion of § 1016.9(c)(2)(ii)(B) below makes clear that a link to such information elsewhere on the financial institution's Web site may be included as part of the navigational materials on the Web page containing the model privacy form.

    In addition, the Bureau has determined that a financial institution's adoption of the model privacy form, which may require changes to the wording and layout of the privacy notice but not to the substance of the information conveyed under § 1016.6(a)(1) through (5), (8) and (9), will not constitute a change within the meaning of § 1016.9(c)(2)(i)(D). A financial institution thus may adopt the model form and use the alternative delivery method with that model form immediately to satisfy its annual notice requirement under Regulation P. This interpretation is consistent with the interpretation by the agencies that promulgated the model notice at the time it was first issued with regard to whether adoption of the form required provision of a revised privacy notice under § 1016.8.[68]

    Section 1016.9(c)(2)(ii)

    In proposed § 1016.9(c)(2)(ii), the Bureau would have set forth the alternative delivery method that would be permissible to satisfy the requirement in § 1016.5(a)(1) to provide an annual notice if a financial institution met the conditions described in proposed § 1016.9(c)(2)(i). The Bureau proposed an alternative delivery method for financial institutions that met the conditions in proposed § 1016.9(c)(2)(i) where delivery of the annual privacy notice pursuant to the standard delivery requirements may be less important for customers. As stated in the proposal, the alternative delivery method would still inform customers of their financial institution's privacy policies effectively, but at a lower cost than the standard delivery methods.

    The Bureau received comments supporting the general framework of the alternative delivery method proposed in § 1016.9(c)(2)(ii) from financial institutions, consumer groups, and privacy groups alike. For example, a national association representing business interests and a national association representing the consumer credit industry stated that the proposed alternative delivery method would be an effective mechanism for ensuring that all customers are aware of the institution's privacy policy and their opt-out rights. A national association representing credit unions, a public interest group representing consumers, and an organization of state banking supervisors all supported the framework of the alternative delivery method. The Bureau received many comments criticizing or supporting specific components of the alternative delivery method. These comments are discussed in detail below. The Bureau is adopting § 1016.9(c)(2)(ii) largely as proposed, for the reasons stated above and in the proposal. Changes to the individual paragraphs of § 1016.9(c)(2)(ii) will be discussed in detail below.

    Section 1016.9(c)(2)(ii)(A)

    Proposed § 1016.9(c)(2)(ii)(A) would have set forth the first component of the alternative delivery method: That a financial institution inform the customer of the availability of the annual privacy notice. For the reasons discussed below, the Bureau is adopting § 1016.9(c)(2)(ii)(A) substantially as proposed but with some modifications.

    Proposed Rule

    To satisfy proposed § 1016.9(c)(2)(ii)(A), a financial institution would have been required to convey in a clear and conspicuous manner not less than annually on a notice or disclosure the institution is required or expressly and specifically permitted to issue under any other provision of law that its privacy notice has not changed, that the notice is available on its Web site, and that a hard copy of the notice will be mailed to customers if they call a toll-free telephone number to request one.

    General Comments

    Several financial institution commenters objected to proposed § 1016.9(c)(2)(ii)(A) because there are some financial products for which financial institutions send no documents to customers and thus including a notice of availability on some other statement or notice currently used would not be possible. For example, national associations representing debt buyers and automobile dealers stated that those financial institutions do not send or may not send documents to their customers at all during the course of a year. Several individual depository institutions commented that they do not send statements or notices to certain types of customers, such as customers with certificates of deposit, passbook savings accounts, safe deposit vaults, and mortgage or installment loans with coupon books.

    National associations representing banks, community banks, and financial service providers as well as many individual banks and credit unions commented that the proposed notice of availability would be burdensome, even for financial institutions that do send statements or notices to some customers. First, these commenters stated that it would be difficult and expensive for financial institutions to determine which customers and accounts receive suitable documents on which to include the notice of availability and which ones do not. Second, some financial institution commenters stated that space was limited on their periodic statements and that it would be unworkable to include the notice of availability on them.

    Final Rule

    The Bureau is adopting § 1016.9(c)(2)(ii)(A) substantially as proposed but with modifications as discussed below. It is important that customers receive actual notice that the annual privacy notice is available on the financial institution's Web site through some statement or notice that they are likely to read. Although posting the privacy notice on a Web site will make the privacy notice widely available, customers likely would not be aware of its existence or its importance without the notice of availability, especially customers that do not use the financial institution's Web site. The Bureau understands that there are costs associated with sending an annual notice of availability and that doing so could negate the cost savings of the alternative delivery method for some financial institutions that do not already send statements or notices to their customers. However, the Bureau expects that most financial institutions will be able to incorporate the notice of availability in a mailing that the institution conducts in the normal course of business. In any event, the Bureau believes that financial institutions that choose to use the alternative delivery method must provide the notice of availability because it is an integral component of the alternative delivery method given that it informs customers that the privacy notice is available.

    Not Less Than Annually

    The proposed rule would have required that financial institutions convey the notice of availability to customers not less than annually. Proposed § 1016.9(c)(2)(ii)(A) also would have permitted it to be included more often than annually (e.g., quarterly or monthly) and invited comment on the advantages and disadvantages of it being provided on a more frequent basis. Several commenters, including a university privacy think tank and individual credit unions and community banks, commented that an annual notice of availability is sufficient to inform customers of the online availability of the institution's annual privacy notice. However, a national organization representing consumer and privacy rights stated that the notice of availability should be required at least quarterly.

    The Bureau continues to believe that an annual reminder is sufficient to inform customers of the availability of the privacy notice. Indeed, the GLBA requires that the privacy notice itself be delivered “not less than annually” after the initial customer relationship is established, and the Bureau believes that requiring the notice of availability not less than annually is consistent with the statute.[69] To the extent that financial institutions would prefer for administrative or other reasons to include the notice of availability on statements or notices that are delivered to customers more often than annually, the Bureau notes that more frequent delivery is permissible under § 1016.9(c)(2)(ii)(A).

    Type of Statement Used To Convey the Notice of Availability

    With respect to the type of statement that may be used to convey the notice of availability, proposed § 1016.9(c)(2)(ii)(A) would have permitted it to be conveyed on a notice or disclosure the institution is required or expressly and specifically permitted to issue under any other provision of law. The Bureau noted in the proposal that a notice of availability could be included on a periodic statement which is permitted but not required by Regulation DD [70] to satisfy proposed § 1016.9(c)(2)(ii)(A) but that including it on advertising materials that were neither required nor specifically permitted by law would not satisfy proposed § 1016.9(c)(2)(ii)(A). As stated in the proposal, § 1016.9(c)(2)(ii)(A) would not have specified in more detail the type of statements on which the notice of availability must be conveyed because the Bureau intended the alternative delivery method to be flexible enough to be used by financial institutions whose business practices vary widely.

    Many financial institution commenters advocated that the Bureau expand the types of documents that financial institutions could use to provide the notice of availability. A national association representing student loan servicers suggested that the Bureau should add periodic statements to the types of documents that could include the notice, because the periodic notices for student loans are not required or expressly and specifically permitted under any other provision of law. An automotive finance company identified the same concern with its billing statements. Several individual financial institutions requested that they be allowed to include the notice of availability on coupon books. A national association representing credit unions, two state credit union associations, and several individual credit unions suggested that they be allowed to use customer newsletters, branch posting, or advertisements to provide the notice of availability.

    The Bureau is persuaded by the comments that it should broaden the type of statement on which the notice of availability could be included to satisfy § 1016.9(c)(2)(ii)(A) in the final rule. The Bureau proposed to require that the notice of availability be included on a statement or notice required or otherwise permitted by law to ensure that customers were likely to read the underlying document on which the notice of availability is included. The Bureau believes that customers also have compelling reasons to read account statements and coupon books that directly concern the status of their existing accounts even if they are not required or otherwise permitted by law. Accordingly, under the final rule, the Bureau is allowing a notice of availability included on an “account statement” or “coupon book” also to satisfy § 1016.9(c)(2)(ii)(A). An account statement would include periodic statements or billing statements not required or expressly and specifically permitted by law. The Bureau intends the term “account statement” to be flexible enough to cover documents provided to customers by a diverse array of financial institutions. In contrast, the Bureau is concerned that customers may not read advertisements or newsletters on the assumption that they do not specifically concern the customer's existing account. The Bureau believes it would not be consumer-friendly to require customers to seek out and examine advertisements and newsletters to find the notice of availability. The Bureau therefore declines to revise proposed § 1016.9(c)(2)(ii)(A) to be satisfied by a notice of availability included in such materials. Further, since nothing in § 1016.9(c)(2)(ii)(A) alters laws or regulations governing account statements, coupon books, or other notices or disclosures, institutions should not include the notice of availability on such materials in a way that would cause the materials to fail to comply with applicable laws or regulations governing those materials.

    Regarding the request that the Bureau permit physical posting of the notice of availability in a financial institution's lobby to satisfy § 1016.9(c)(2)(ii)(A), the Bureau notes that the GLBA contemplates providing individual notice to customers of opt-out rights and privacy practices. For example, section 502(b)(1)(A) of the GLBA requires opt outs to be disclosed “to the consumer” and section 503(a) of the GLBA requires the privacy notice to be delivered “to such consumer.” While the Bureau believes that providing a notice of availability individually directing customers to a notice on a Web site is sufficient to inform them of the availability of the privacy notice under the parameters of this rule, posting a general notice of availability in the financial institution's lobby or elsewhere generally directing customers to the privacy notice is not. Similarly, the Bureau does not believe that publishing a general notice of availability in newspapers is sufficient. Indeed, some customers do not go to the institution's lobby or office and may not see published announcements. The Bureau believes it would not be consumer-friendly to require customers to seek out and examine postings in an institution's offices or announcements in certain newspapers to find the notice of availability. While the Bureau recognizes that there are other statutes and regulations that require notice to customers for other purposes by such public posting or publishing, the Bureau believes such public notices are not sufficient given the GLBA's framework that requires individualized notice. Indeed, Regulation P already provides with respect to privacy notices that an institution may not reasonably expect that a consumer will receive actual notice of its privacy policies and practices if it only posts a sign in a branch or office or generally publishes advertisements of its privacy policies and practices.[71] The Bureau's approach as to notices of availability is consistent in this respect. The Bureau is therefore revising § 1016.9(c)(2)(ii)(A) to include that delivery of the notice of availability must be “to the customer” to clarify that § 1016.9(c)(2)(ii)(A) is not satisfied by including the notice of availability on other disclosures or notices required or expressly permitted by law to be publicly posted or published.

    Clear and Conspicuous

    Proposed § 1016.9(c)(2)(ii)(A) would have used the term “clear and conspicuous,” which is defined in existing § 1016.3(b)(1) as meaning “reasonably understandable” and “designed to call attention to the nature and significance of the information.” As stated in the proposal, the Bureau believed that the existing examples in § 1016.3(b)(2)(i) and (ii) for reasonably understandable and designed to call attention, respectively, likely would provide sufficient guidance on ways to make the notice of availability in proposed § 1016.9(c)(2)(ii)(A) clear and conspicuous. Some commenters, including a state and a national association representing credit unions, supported the proposed clear and conspicuous requirement as sufficient given existing § 1016.3(b)(2)(i) which provides guidance on type size, style, and graphic devices, such as shading and side bars. A few commenters, including several national associations representing large banks, community banks, and other financial service providers, as well as a few individual community banks stated that clear and conspicuous should be further defined.

    As stated in the proposal, the Bureau believes that the existing definition of clear and conspicuous and examples in § 1016.3(b) are sufficient for the notice of availability. Given the variety of statements on which the notice of availability may be included and the numerous ways in which they may be designed, the Bureau does not believe that it is feasible or practical to provide guidance as to what would be clear and conspicuous in all of these circumstances. The Bureau believes that financial institutions should be able to use the existing definition of clear and conspicuous and examples in § 1016.3(b) to design notices of availability that consumers will be likely to read and therefore the Bureau adopts this aspect of § 1016.9(c)(2)(ii)(A) without change.

    Toll-Free Telephone Number

    Proposed § 1016.9(c)(2)(ii)(A) also would have required that the notice of availability include a toll-free number a customer can call to request that the annual privacy notice be mailed. The Bureau explained in the proposal that this requirement was intended to assist customers who do not have internet access or would prefer to receive a hard copy of the privacy notice and that it expected that most institutions would already have a toll-free number.

    The majority of commenters on this provision, typically those from credit unions, community banks, and other small financial institutions, disagreed with this aspect of the proposal. These commenters objected to the toll-free number requirement because many smaller institutions do not currently have toll-free numbers and they stated that obtaining a toll-free number would offset the intended burden reduction of the proposal. Commenters further noted that most credit unions and community banks operate in limited geographical areas such that customers are typically in the same area code as their financial institution and thus a toll-free telephone number is unnecessary. Lastly, many of these commenters stated that a toll-free number is unnecessary given that most customers have cellular telephone or home telephone plans under which they would incur no charges for calling their financial institution to request the annual privacy notice.

    A few commenters, including a national association representing student loan servicers and some individual community banks and credit unions, stated that they did not object to the toll-free number requirement because their institution or member institutions already have toll-free numbers or can obtain one without significant expense. No commenters expressly supported requiring a toll-free telephone number.

    The proposal also solicited comment on whether the final rule should require financial institutions to provide a dedicated telephone line for privacy notice requests to use the alternative delivery method. Commenters who addressed the issue included several national trade associations representing large and small banks, a national trade association representing student loan servicers and several individual community banks and credit unions. All commenters who addressed this issue stated that requiring a dedicated toll-free number to request an annual privacy notice was unnecessary. Some commenters also suggested that requiring a dedicated telephone number was so expensive as to offset the potential cost savings of the proposal for small entities. These commenters noted that customers rarely call their financial institutions to opt out of sharing when mailed an annual privacy notice and that customers are even less likely to call their financial institution to request a copy of the annual notice. Given the expected low call volume, these commenters believe that a dedicated telephone line is unnecessary and unduly expensive.

    The Bureau is persuaded that requiring a toll-free telephone number or a dedicated telephone line to request the privacy notice be mailed would offset the intended burden reduction of the proposal for many financial institutions without providing much benefit to customers. The Bureau believes that the cost to financial institutions of requiring a toll-free telephone number or a dedicated telephone line is not warranted given that customers likely will call infrequently to request a mailed copy of the annual privacy notice, especially because the privacy notices would be readily available on the institutions' Web sites. The Bureau also considered allowing institutions to choose between providing a toll-free number or a telephone number a customer could call and reverse the charge, i.e., a telephone number that would accept collect calls, an alternative available under several other Bureau regulations.[72] The Bureau decided against this alternative because it believes, as stated by commenters, that financial institutions that do not already maintain toll-free telephone numbers typically have customers who live in the same area code as the institution and such customers likely would request a copy of the privacy notice using a free local call, rather than a collect call. In addition, a requirement that a financial institution without a toll-free number accept collect calls for privacy notice requests could effectively require the institution to accept collect calls as a general practice, assuming that it did not pay for a dedicated line for the privacy notice calls, thereby adding to its costs.

    For the reasons described, the Bureau is adopting § 1016.9(c)(2)(ii)(A) as revised to require the notice of availability to include a telephone number. The Bureau encourages financial institutions that already maintain a toll-free telephone number to use that number in the statement required by § 1016.9(c)(2)(ii)(A), to simplify the process for a customer to call and request a mailed copy of the privacy notice.

    Other Issues

    Proposed § 1016.9(c)(2)(ii)(A) also would have required the institution to state on the notice of availability that its privacy policy has not changed. The Bureau intended this proposed requirement to help customers assess whether they are interested in reading and accessing the policy. This statement would always be accurate if the alternative delivery method is used correctly, because a financial institution could not use the alternative delivery method if its annual privacy notice had changed under § 1016.9(c)(2)(i)(D). A compliance company commented that the statement that the privacy policy had not changed might not be accurate in certain situations where a financial institution eliminates categories of information it discloses or categories of third parties to whom it discloses information. That comment is addressed above in the section-by-section analysis of § 1016.9(c)(2)(i)(D).

    Proposed § 1016.9(c)(2)(ii)(A) further would have required that the statement include a specific web address that takes customers directly to the Web page where the privacy notice is available. Specifically, the web address would have to be one that the customer can type into a web browser to reach the page containing the privacy notice directly, without clicking on any links after typing in the web address. The Bureau proposed this requirement because a direct link may make it easier and more convenient for customers to access the privacy notice, particularly for notices of availability delivered electronically that provide a hyperlink. While the Bureau recognizes that the length and complexity of the web address would affect how easy and convenient it is for customers to manually type in the address, the Bureau does not anticipate that institutions will provide addresses that are needlessly lengthy or complex. If this does not prove to be the case, the Bureau may consider measures in the future to ensure that the Web site addresses used are consumer-friendly. The Bureau did not receive any comments on this aspect of the proposal and adopts this element of § 1016.9(c)(2)(ii)(A) as proposed.

    The Bureau further noted in the proposal that if two or more financial institutions provide a joint privacy notice pursuant to § 1016.9(f), proposed § 1016.9(c)(2)(ii)(A) would require each financial institution to separately provide the notice of availability on a notice or disclosure that it is required or permitted to issue. The Bureau invited comment on how often financial institutions jointly provide privacy notices and whether the proposed alternative delivery method would be feasible for such jointly issued notices, but the Bureau received no comments on that issue. Section 1016.9(c)(2)(ii)(A) as finalized would require each institution providing a joint notice to send a notice of availability on an account statement, coupon book, or other notice or disclosure it is required or expressly and specifically permitted to issue to the customer. Financial institutions that jointly provide account statements, coupon books, or other notices or disclosures could also satisfy § 1016.9(c)(2)(ii)(A) by including the notice of availability on such jointly provided materials.

    A national organization representing consumer and privacy interests suggested that the notice of availability include the fact that privacy notices may be delivered by email upon the customers' request and provide instructions for how customers could exercise that option. The Bureau declines to require notification of email availability to be included in the notice because some financial institutions may not have the capability to provide privacy notices by email. The Bureau notes, however, that a financial institution could include such a statement in the notice of availability required by § 1016.9(c)(2)(ii)(A) as long as the required content of the notice of availability is clear and conspicuous. For the reasons discussed, the Bureau is adopting § 1016.9(c)(2)(ii)(A) with the modifications described above.

    Section 1016.9(c)(2)(ii)(B)

    Proposed § 1016.9(c)(2)(ii)(B) would have set forth the second component of the alternative delivery method: That the financial institution post its current privacy notice continuously and in a clear and conspicuous manner on a page of the institution's Web site that contains only the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page. The Bureau is adopting § 1016.9(c)(2)(ii)(B) as revised, for the reasons discussed below.

    Proposed Rule

    The Bureau believes and comments on the proposal support the conclusion that many financial institutions already maintain Web sites where they could post the annual privacy notice. Moreover, encouraging financial institutions to post the notices would benefit consumers by making the notices more widely available. Proposed § 1016.9(c)(2)(ii)(B) would have required that the annual notice be posted on a page of the Web site that contains only the privacy notice.

    Comments

    A state-chartered bank and a credit union opposed the requirement that the Web page contain only the privacy notice. These commenters stated that they include the privacy notice with other relevant privacy policies for their institution and thus customers could miss valuable privacy-related information if no other information were permitted to be included with the privacy notice. National associations representing large banks, community banks, and the financial services industry as well as a coalition of financial institutions focusing on e-commerce and privacy objected to the proposed requirement that the Web site not require a login name or password or that the customer agree to any terms to access it. These commenters argued that financial institutions often require customers to accept terms to initially access a Web site, particularly where customer account information accessed through the Web site may need to be protected for security reasons. Few other commenters addressed this issue, however.

    Other commenters raised a variety of concerns about the posting of the privacy notice. National associations representing large banks, community banks, the financial services industry, and credit unions and several individual banks and credit unions suggested that the Bureau remove the word “continuously” so that a financial institution would not be in violation of § 1016.9(c)(2)(ii)(B) in the event its Web site malfunctioned. An organization representing state banking supervisors suggested that § 1016.9(c)(2)(ii)(B) require financial institutions to include a link to the privacy policy on their home page. Lastly, one credit union commenter requested that the Bureau allow the privacy notice to be posted physically in the lobby of the financial institution for financial institutions that do not maintain Web sites.

    Final Rule

    The Bureau is adopting § 1016.9(c)(2)(ii)(B) as revised. As to the commenters who stated that the requirement that the Web page contain only the privacy notice could prevent consumers from seeing supplemental privacy information, as stated in the proposal, the Bureau is concerned that permitting information other than the privacy notice to be included on the Web page could detract from the prominence of the notice and make it less likely that a customer would actually read it. The Bureau believes that the risk of such distracting information being included with the privacy notice outweighs any potential benefit to allowing additional content to be included on the page with the privacy notice. The Bureau is revising § 1016.9(c)(2)(ii)(B) to clarify that the privacy notice must be the only content on the Web page. Information that is not content, however, such as navigational menus that link to other pages on the financial institution's Web site, could appear on the same page as the privacy notice pursuant to § 1016.9(c)(2)(ii)(B). Indeed, such navigational materials could include a link to another portion of the financial institution's Web site that contains supplemental information concerning other privacy or information management practices.[73]

    With respect to the requirement that the Web page not require a login name or password or that the customer agree to any conditions to access it, the Bureau declines to revise this requirement. The Bureau intends for the alternative delivery method to serve customers who may not already use the financial institution's Web site to manage their accounts and thus may not have agreed to terms or created login credentials. Indeed, as stated in the proposal, the Bureau is concerned that if customers were required to register for a login name or sign in to the financial institution's Web site simply to access the privacy notice, it could discourage some customers from accessing and reading the notice. The Bureau notes that financial institutions could still require customers to have login credentials or agree to terms and conditions to access other portions of the Web site, such as those containing sensitive account information or used to conduct transactions, including exercising the Affiliate Marketing Rule opt-out. Given that the alternative delivery method will require customers to seek out the annual privacy notice in a way that they have not previously been required to do, § 1016.9(c)(2)(ii)(B) is meant to make accessing the privacy notice on an institution's Web site as simple and straightforward as possible.

    As to the proposal's requirement that the privacy notice be posted continuously, the Bureau does not regard “continuously” to suggest that financial institutions would violate § 1016.9(c)(2)(ii)(B) if their Web site temporarily malfunctioned. The same requirement that a notice be posted “continuously” on a Web site appears in existing § 1016.9(c)(1) (which is being recodified in this final rule as § 1016.9(c)(1)(i)). The Bureau understands from the comments that financial institutions would be unlikely to post standardized information, such as the privacy notice, on a non-continuous basis. Nevertheless, the Bureau emphasizes that § 1016.9(c)(2)(ii)(B) assumes that financial institutions will post the privacy notice on their Web sites so that the notice is available but for occasional or unavoidable interruptions, such as routine maintenance or unexpected malfunctions.

    Regarding requiring a link to the privacy notice from a financial institution's homepage, during outreach before the proposal, many financial institutions stated to the Bureau that space on their Web site's home page is extremely valuable and that requiring a link on the home page would limit their ability to use that space for other important communications with customers. Although the Bureau encourages financial institutions to include a link to the privacy policy on other pages of their Web sites, including the home page, the Bureau declines to require such a link. Because § 1016.9(c)(2)(ii)(A) requires the notice of availability to include a web address for the page containing the privacy notice, the Bureau expects that customers can easily locate the page. The Bureau further notes, as stated in the proposal, that other pages on the financial institution's Web site could link to the page containing the privacy notice. Nevertheless, a financial institution would still have to provide the customer a specific web address that takes the customer directly to the page where the privacy notice is available to satisfy the requirement to post the notice on the financial institution's Web site in § 1016.9(c)(2)(ii)(B).[74]

    As to the suggestion that the privacy notice be posted in the institution's lobby, rather than on a Web site, the Bureau understands that there may be some institutions that do not maintain Web sites. The Bureau believes, however, that Web site posting is an integral component of the alternative delivery method and ensures that the privacy notice is widely available when it is not sent to individual customers according to standard delivery methods. The Bureau does not believe that lobby posting of the privacy notice makes it sufficiently available to customers given the individualized notice contemplated by the GLBA and discussed more fully in the section-by-section analysis of § 1016.9(c)(2)(i)(A) above. Accordingly, the Bureau declines to revise § 1016.9(c)(2)(ii)(B) to permit posting of the notice in a lobby to satisfy the requirement. For the reasons discussed, the Bureau is adopting § 1016.9(c)(2)(ii)(B) as revised.

    Section 1016.9(c)(2)(ii)(C)

    Proposed § 1016.9(c)(2)(ii)(C) would have set forth the third component of the alternative delivery method: That the financial institution mail promptly its current privacy notice to those customers who request it by telephone. For the reasons discussed below, the Bureau adopts § 1016.9(c)(2)(ii)(C) as revised.

    Proposed Rule

    As stated in the proposal, the Bureau proposed this requirement to assist customers without internet access and customers with internet access who would prefer to receive a hard copy of the notice. The Bureau invited comment in the proposal on whether requiring prompt mailing is sufficient to ensure that customers receive privacy notices in a timely manner or whether “promptly” should be more specifically defined, such as by a certain number of days.

    Comments

    A few bank commenters stated that it was not necessary to define “promptly” further, but most financial institutions that commented on this issue stated that a specific number of days would be helpful. Suggestions included five days, ten business days, 15 days, and 30 days. A trade association representing mortgage lenders requested that the Bureau revise § 1016.9(c)(2)(ii)(C) to require that the financial institution send the privacy notice, rather than mail it, to clarify that the financial institution could comply with the requirement by emailing the privacy notice. An organization representing consumers and privacy rights suggested that the Bureau expressly prohibit a financial institution from including other information, such as sales solicitations, in the mailing containing the annual privacy notice so as to avoid distracting customers with irrelevant information.

    Final Rule

    In response to the commenters' requests for clarity on how long financial institutions have to mail privacy notices upon request, the Bureau is adopting § 1016.9(c)(2)(ii)(C) as revised to require notices to be mailed within ten days of the customer's request. The Bureau notes that existing provisions of Regulation P define periods in terms of a number of days, meaning calendar days.[75] The Bureau believes that financial institutions should be able to provide a privacy notice within ten calendar days of a customer's request, even accounting for weekends and holidays during which the financial institution may be closed. As stated in the proposal, the Bureau notes that consistent with privacy notices currently provided under Regulation P, it expects that financial institutions will not charge the customer for delivering the annual notice, given that delivery of the annual notice is required by statute and regulation.

    Regarding email delivery of the privacy notice upon request, as stated in the proposal, § 1016.9(c)(2)(ii)(C) is intended primarily for customers without internet access to be able to receive a paper copy of the privacy notice through the U.S. mail. The Bureau expects that customers with internet access who receive the notice of availability are much more likely to go to the financial institution's Web site to access the privacy notice than to telephone the financial institution to request a privacy notice be sent to them.

    With respect to prohibiting the mailing containing the privacy notice from containing other information, such as solicitations, the Bureau declines to impose a blanket prohibition on the inclusion of such material. As discussed above, the Supplementary Information to the Final Model Privacy Form Under the Gramm-Leach-Bliley Act explained that financial institutions that use the model privacy form are not precluded from providing additional information in other, supplemental materials to customers if they wish to do so.[76] Further, the existing requirement at § 1016.5(a) that the annual notice be “clear and conspicuous” would apply to the mailing of this privacy notice as it does to the standard delivery methods for annual notices.[77] This requirement precludes the inclusion of other material in a manner that would prevent the privacy notice from being reasonably understandable and designed to call attention to the nature and significance of the information in the notice. In light of this existing requirement and the fact that customers who have requested the privacy notice be mailed will be expecting it, the Bureau does not believe that it is necessary at this time to impose a blanket prohibition on the inclusion of other material with the mailing of the privacy notice.

    Section 1016.9(c)(2)(iii)

    Proposed § 1016.9(c)(2)(iii) would have provided an example of a notice of availability that satisfies § 1016.9(c)(2)(ii)(A). The Bureau is adopting § 1016.9(c)(2)(iii) substantially as proposed with minor technical revisions.

    Proposed Rule

    The Bureau intended the example in proposed § 1016.9(c)(2)(iii) to provide clear guidance on permissible content for the notice of availability to facilitate compliance. The proposed example would have included the heading “Privacy Notice” in boldface on the notice of availability. The proposed example further would have stated that Federal law requires the financial institution to tell customers how it collects, shares, and protects their personal information; this language mirrors the “Why” box on the model privacy notices.

    Comments

    One commenter requested that other forms of emphasis be permitted rather than boldface because it could not use boldface in its software system. A national and a state association representing credit unions requested that the Bureau create a model notice of availability with graphics and shading that would be a safe harbor for compliance with proposed § 1016.9(c)(2)(ii)(A).

    Final Rule

    The Bureau is adopting § 1016.9(c)(2)(iii) as revised. With respect to the comment that some financial institutions' software programs do not allow for boldface, the Bureau notes that § 1016.9(c)(2)(iii) is an example of how to comply with § 1016.9(c)(2)(ii)(A) but other language and formatting techniques could also satisfy that section. Nevertheless, the Bureau is revising § 1016.9(c)(2)(iii) to state that the heading “Privacy Notice” could be in boldface or otherwise emphasized. “Otherwise emphasized” could include using all capital letters or underlining. As to the requests to create a model notice of availability with shading and graphics, the Bureau declines to do so at this time because it believes that the example notice of availability in § 1016.9(c)(2)(iii) provides sufficient guidance to financial institutions on how to comply with § 1016.9(c)(2)(ii)(A). The Bureau is also modifying § 1016.9(c)(2)(iii) to reflect that the telephone number provided need not be a toll-free number, to be consistent with § 1016.9(c)(2)(ii)(A) as finalized.

    V. Section 1022(b)(2) of the Dodd-Frank Act

    A. Overview

    In developing the final rule, the Bureau has considered its potential benefits, costs, and impacts.[78] In addition, the Bureau has consulted and coordinated with the SEC, CFTC, FTC, and NAIC, and consulted with or offered to consult with the OCC, the Board, FDIC, NCUA, and HUD, including regarding consistency with any prudential, market, or systemic objectives administered by such agencies.

    This final rule amends § 1016.9(c) of Regulation P to provide an alternative method for delivering annual privacy notices. The primary purpose of the rule is to reduce unnecessary or unduly burdensome regulations, and the alternative delivery method will reduce the burden of providing these annual privacy notices. A financial institution may use the alternative delivery method if:

    (1) It does not disclose the customer's nonpublic personal information to nonaffiliated third parties in a manner that triggers GLBA opt-out rights;

    (2) It does not include on its annual privacy notice an opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA);

    (3) The requirements of section 624 of the FCRA and the Affiliate Marketing Rule, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements;

    (4) The information included in the privacy notice has not changed since the customer received the previous notice (subject to an exception); and

    (5) It uses the model form provided in the GLBA's implementing Regulation P.

    Under the alternative delivery method, the financial institution would have to:

    (1) Convey in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law that its privacy notice is available on its Web site, it will be mailed to customers who request it by telephone, and it has not changed;

    (2) Post its current privacy notice in a continuous and clear and conspicuous manner on a page of its Web site on which the only content is the privacy notice, without requiring a login name or similar steps or agreeing to any conditions to access the page; and

    (3) Mail its current privacy notice to customers who request it by telephone within ten days of the request.

    B. Potential Benefits and Costs to Consumers and Covered Persons

    The requirements in § 1016.9(c)(2) provide certain benefits to consumers relative to the baseline established by the current provisions of Regulation P. These requirements provide an incentive for financial institutions to adopt the model privacy form and to post it on their Web sites, particularly when these changes are the only ones that would be needed to use the alternative delivery method. Recent research establishes that large numbers of banks, credit unions and other financial institutions do not post the model privacy form on their Web sites and presumably many have not adopted it.[79] Given the consumer testing that went into the development of the model form and the public input that went into its design, the Bureau believes that the model form is generally clearer and easier to understand than most privacy notices that deviate from the model.[80] While the Bureau does not know how many more financial institutions would adopt the model privacy form and post it on their Web sites in order to use the alternative delivery method, at least some additional consumers likely would be able to learn about the information sharing policies of financial institutions through the model privacy form as a result of § 1016.9(c)(2). It also may be more convenient for some consumers to learn about information sharing policies from a privacy policy on a Web site rather than a mailed copy, especially since financial institutions using the alternative delivery method must limit their information sharing to practices that do not give consumers opt-out rights. Thus, § 1016.9(c)(2) likely would make it easier for some consumers to review and understand privacy policies and to make comparisons across financial institutions with regard to privacy policies and opt outs.

    The requirements in § 1016.9(c)(2) also may benefit consumers who transact with financial institutions that adopt the alternative delivery method by disclosing that a financial institution's privacy policy has not changed. These consumers would not receive a notice presenting the full privacy policy unless the privacy policy has changed or when other requirements for use of the alternative delivery method are not met. There is no representative, administrative data available on the number of consumers who are indifferent to or dislike receiving full, unchanged privacy notices every year. The limited use of opt outs and anecdotal evidence suggest that there are such consumers. In addition, one national trade association surveyed its members and found that 76% of respondents were more likely to read a privacy notice when there were changes to it. The commenter concluded that notification of a change to a privacy policy was more important to its members than routinely sending privacy notices in the mail.

    The Bureau believes that few consumers would experience any costs from § 1016.9(c)(2). There is a risk that some consumers may be less informed about a financial institution's information sharing practices if the financial institution adopts the alternative delivery method. However, § 1016.9(c)(2)(ii)(A) mitigates this risk by requiring the inclusion annually on another notice or disclosure of a clear and conspicuous statement that the privacy notice is available on the Web site, and § 1016.9(c)(2)(ii)(B) ensures that the model privacy form is posted in a continuous and clear and conspicuous manner on the Web site. Consumers may print the privacy notice at their own expense, while under current § 1016.9(c)(2) the notice is delivered to them, which represents a transfer of costs from industry to consumers. However, § 1016.9(c)(2)(ii)(A) provides consumers with a specific telephone number to request that the privacy notice be mailed to the consumer, which gives consumers the option of obtaining the notice without incurring the cost of printing it. Further, the Bureau believes that a printed form is mostly valuable to consumers who would exercise opt-out rights. The only opt outs that could be available to the consumer under § 1016.9(c)(2) would be voluntary opt outs, i.e., opt outs from modes of sharing information that are not required by Regulation P, or (at the institution's discretion) an Affiliate Marketing Rule opt-out beyond those the institution has previously provided elsewhere. Voluntary opt outs do not appear to be common.[81]

    A number of commenters claimed that few consumers derive any benefit from the annual privacy notice, most do not read the notice, and some consumers may dislike receiving it. A national trade association surveyed its members and found that 25% of the respondents who recalled receiving an annual privacy notice either disposed of the notice without opening it or opened it without reading it. The remaining 75% would skim or read the notice. One state banking association asked its members if the bank ever received a complaint or comment about the bank's privacy notice from a customer. The commenter did not provide quantitative information but offered examples of responses. Among the responses were statements that customers would call after receiving the annual privacy notice to complain or to ask not to receive the notice in the future. These commenters generally concluded that there would be no cost to consumers and perhaps additional benefits from alternatives to the rule that allowed for more widespread adoption of the alternative delivery method.

    As explained at length above, the Bureau believes that requiring notices that have changed or that include required consumer opt-outs to be physically delivered, unless the consumer has agreed to receive them electronically, is more consistent with the importance to the statutory scheme of customers' ability to exercise opt-out rights and more consumer-friendly than allowing use of the alternative delivery method where notices have changed or include required opt-outs. That discussion is incorporated here. Further, the Bureau believes that while some consumers may prefer not to receive annual privacy notices even when those notices include required opt-outs, others may feel differently, and consumers who would fail to exercise an opt out if the alternative delivery method were available incur a cost. Finally, the Bureau notes that the data from one commenter described above at least suggests that consumers may benefit from physical delivery when the notice has changed.

    Regarding benefits and costs to covered persons, the primary effect of the final rule is to reduce burden by lowering the costs to industry of providing annual privacy notices. The requirements in § 1016.9(c)(2) impose no new compliance requirements on any financial institution. All methods of compliance under current law remain available to a financial institution, and a financial institution that is in compliance with current law is not required to take any different or additional action. The Bureau believes that a financial institution would adopt the alternative delivery method only if it expected the costs of complying with the alternative delivery method would be lower than the costs of complying with existing Regulation P.

    By definition, the expected cost savings to financial institutions from the adoption of § 1016.9(c)(2) is the expected number of annual privacy notices that would be provided through the alternative delivery method multiplied by the expected reduction in the cost per notice from using the alternative delivery method. As explained below, many financial institutions would not be able to use the alternative delivery method without changing their information sharing practices, and the Bureau believes that few financial institutions would find it in their interest to change information sharing practices just to reduce the costs of providing the annual privacy notice. Thus, the first step in estimating the expected cost savings to financial institutions from § 1016.9(c)(2) would be to identify the financial institutions whose current information sharing practices would allow them to use the alternative delivery method. The Bureau would then need to determine their current costs for providing the annual privacy notices and the expected costs of providing these notices under § 1016.9(c)(2).[82]

    The Bureau does not have sufficient data to perform every step of this analysis, but it performed a number of analyses and outreach activities to approximate the expected cost savings. Regarding banks, the Bureau examined the privacy policies of the 19 banks with assets over $100 billion as well as the privacy policies of 106 additional banks selected through random sampling.[83] The Bureau found that the overall average rate at which banks' information sharing practices would make them eligible for using the alternative delivery method if other conditions were met is 80%.[84] However, only 21% of sampled banks with assets over $10 billion could clearly use the alternative delivery method, while 81% of sampled banks with assets of $10 billion or less and 88% of sampled banks with assets of $500 million or less could clearly use the alternative delivery method. These results indicate that a large majority of smaller banks would likely be able to use the alternative delivery method but most of the largest banks would not.[85]

    One state banking association surveyed its members and provided data that is generally consistent with the finding that the vast majority of smaller banks would likely be able to use the alternative delivery method. Ninety-nine institutions responded to at least one of six questions. Fifty-three provided their banks' total assets; of these, 50 reported assets under $500 million. However, only 12 respondents stated that they would not be eligible to use the alternative delivery method. If these 12 respondents were among the 53 that provided their bank's total assets and all 53 responded to the question about eligibility, between 76% and 82% of this association's members with assets under $500 million believed they would be eligible to use the alternative delivery method.[86]

    The Bureau also examined the privacy policies of the four credit unions with assets over $10 billion as well as the privacy policies of 50 additional credit unions selected through random sampling. The Bureau found that three of the four credit unions with assets over $10 billion clearly could use the alternative delivery method without changing their information sharing policies. Further, 67% of sampled credit unions with assets over $500 million could clearly use the alternative delivery method. However, the Bureau also found that only 13 of the 25 sampled credit unions with assets of $500 million or less either posted the model privacy form on their Web sites or provided enough information about their sharing practices to permit a clear determination regarding whether the alternative delivery method would be available to them (2 of the 25 did not have Web sites). The Bureau found that 11 of the 13 (85%) for which a determination could be made would be able to use the alternative delivery method, and the Bureau believes that a significant majority of the sample of 25 would be able to use the alternative delivery method (perhaps after adopting the model form). For purposes of this analysis, the Bureau conservatively assumes that only 11 of the 25 sampled credit unions with assets of $500 million or less would be able to use the alternative delivery method, although the actual figure is likely much higher.

    The Bureau requested comment on how to improve this estimate of the number of small credit unions that would be able to use the alternative delivery method. The Bureau did not receive comments on this specific issue. Comments that relate to the general accuracy of these estimates are discussed below.

    Although these estimates provide some insight into the numbers of banks and credit unions that could use the alternative delivery method, the Bureau does not have precise data on the number of annual privacy notices these institutions currently provide. Thus, it is not possible to directly compute the total number of annual privacy notices that would no longer be sent. The Bureau does, however, have information about the burden on banks, credit unions and non-depository financial institutions from providing the annual privacy notices from the Paperwork Reduction Act Supporting Statements for Regulation P on file with the Office of Management and Budget. This information can be used to obtain an estimate of the ongoing savings from the alternative delivery method.[87]

In estimating these savings for banks and credit unions, the analysis above establishes that it is essential to take into account the variation by size of banks and credit unions in relation to the likelihood they could use the alternative delivery method. To ensure that these differences inform the estimates, the Bureau allocated the total burden of providing the annual privacy notices to asset classes in proportion to the share of assets in the class. The Bureau then estimated an amount of burden reduction specific to each asset class using the results from the sampling described above. The total burden reduction is then the sum of the burden reductions in each asset class. For banks and credit unions combined, the estimated reduction in burden using this methodology is approximately $6.9 million annually.

    Regarding non-depository financial institutions, the proposed analysis stated that based on initial outreach, a majority were likely to be able to use the alternative delivery method. The proposed analysis stated that the prohibition on disclosing information to third parties in the Fair Debt Collection Practices Act (FDCPA) suggested that financial institutions subject to those limits likely would be able to use the alternative delivery method when GLBA notice requirements apply.[88] The proposed analysis then used the overall average rate at which banks could utilize the alternative delivery method in its calculations of burden reduction for non-depository financial institutions. The Bureau stated that it would continue to refine its knowledge of the information sharing practices of non-depository financial institutions and requested comment and the submission of information relevant to this issue.

    The Bureau received comment letters from a debt buyer, a trade association for debt buyers and one student loan servicer that identified proposed requirements that would have limited the ability of these non-depository financial institutions to use the alternative delivery method. All three commenters stated that restrictions on how financial institutions could provide the proposed notice of availability would limit use of the alternative delivery method. All three also stated that the requirement to use the model form would limit use of the alternative delivery method. These issues are discussed below.[89]

    The two debt-buying entities commented that restrictions on how the proposed notice of availability could be provided would eliminate any savings from the alternative delivery method. Specifically, proposed § 1016.9(c)(2)(ii)(A) required the notice of availability to be provided on a notice or disclosure the financial institution was required or expressly and specifically permitted to issue under any other provision of law. One of these commenters stated that debt buyers are not required or specifically permitted to issue notices to consumers on a regular or annual basis. Thus, the alternative delivery method would simply exchange one annual privacy notice requirement for another. The other debt-buyer commenter stated that consumers whose accounts were not in active collections may not receive any correspondence from the commenter in the course of a year other than the annual privacy notice. Thus, the notice of availability would eliminate the savings intended by the alternative delivery method. In contrast, the student loan servicer commented that lenders and servicers of private education loans send periodic statements, but since no law requires them, proposed § 1016.9(c)(2)(ii)(A) would not allow its members to use periodic statements to provide the notice of availability.

    As discussed above, the Bureau is revising proposed § 1016.9(c)(2)(ii)(A) to permit the notice of availability to be included on an account statement which would include periodic statements or billing statements not required or expressly permitted by law. The Bureau believes that this would permit student loan servicers and other non-depository financial institutions to use the alternative delivery method, as was assumed in the proposed analysis. This change from the proposed rule may also permit additional debt buyers to reduce costs by adopting the alternative delivery method.[90] The Bureau recognizes, however, that final § 1016.9(c)(2)(ii)(A) may still deter many debt buyers from adopting the alternative delivery method.

    All three commenters also stated that the requirement to use the model form would limit use of the alternative delivery method. The two debt-buying entities cited requirements in the FDCPA that they stated made it difficult for them to adopt the model form. In contrast, the student loan servicer stated that some of its members that do not currently use the model form might not adopt it because they believed that the information they provide is more comprehensive.

    As discussed above, while the Bureau is requiring use of the model form, the Bureau is modifying proposed § 1016.9(c)(2)(ii)(B) to clarify that information that is not content, such as navigational menus that link to other pages on the financial institution's Web site, could appear on the same page as the privacy notice and link to another portion of the financial institution's Web site that contains information supplemental to the privacy notice. The Bureau believes that this would encourage student loan servicers as well as other non-depository financial institutions to adopt the model form and use the alternative delivery method.

There is necessarily considerable uncertainty around any estimate of the number of non-depository financial institutions that could use the alternative delivery method. However, the Bureau did not receive any comments directly on the assumption that non-depository financial institutions will be able to utilize the alternative delivery method at the same overall average rate as banks. Further, partly in response to comments from non-depository financial institutions, the Bureau is adopting § 1016.9(c)(2)(ii)(A) with changes from the proposal so that it is less of a barrier to adoption of the alternative delivery method. Finally, while the Bureau recognizes that many debt buyers may not be able to use the alternative delivery method, debt buyers are one group in the extremely large and heterogeneous group of non-depository financial institutions subject to Regulation P. The Bureau therefore continues to estimate the reduction in burden on non-depository financial institutions as approximately $10 million annually.[91]

Thus, the Bureau believes that the total reduction in burden is approximately $17 million annually. This represents about 58% of the total $30 million annual cost of providing the annual privacy notice and opt-out notice under Regulation P.[92]

The Bureau did not receive comments directly on this estimate or the methodology. The Bureau did receive quantitative information from individual financial institutions and state associations about the costs of providing annual privacy notices and, in some cases, the expected savings from the alternative delivery method. It is not possible to use this information to precisely estimate market-wide totals for the baseline cost and expected savings. The data is, however, informative regarding the Bureau's estimates.

    Regarding banks, a state banking association that surveyed its members provided data in which the average cost of providing the notices was about $1,700. All but one of the respondents had assets under $500 million. A bank with $367 million in assets reported spending $1,800 on printing. A bank with $442 million in assets reported spending $1,900 on printing and mailing. A bank with $1.1 billion in assets reported spending $3,800 on printing and stated it delivers the annual privacy notice with an account statement. A bank with $3 billion in assets reported spending $20,000 on notice distribution. It is not possible to extrapolate precisely from this data to the entire market without additional information regarding the representativeness of this data, the relationship between assets and costs, the proportion of banks that incur mailing costs when distributing the notice, and the costs for banks above $3 billion in assets. However, applying these figures to the roughly 7,000 banks in the United States suggests costs of well over $40 million to the banking sector alone.

    The Bureau received similar information from credit unions. A credit union with $12 million in assets and 3,000 members reported that it would save $150 per year with the alternative delivery method. A credit union with approximately $1 billion in assets reported spending $4,200 on printing and $36,800 on mailing. A credit union with $5 billion in assets reported spending $10,000 on printing and delivers the annual notice with an account statement. In addition, one trade association for debt-buyers reported that debt buyers alone spend approximately $28 million on mailing annual privacy notices.[93]

    The data provided by commenters suggests that the total cost of providing annual privacy notices by financial institutions subject to Regulation P may currently be larger than the $30 million reported above. To improve this estimate would require extensive data collection from a wide range of financial institutions and is not reasonably available to the Bureau. The previous analysis does not, however, indicate any significant error in the estimate that the alternative delivery method may relieve about 58% of the total annual cost of providing the annual privacy notice and opt-out notice under Regulation P. The Bureau has a continuing interest in improving its estimates of regulatory burden and burden reduction and welcomes comments on these estimates at any time.

    The Bureau notes that these estimates of ongoing savings are gross figures and do not take into account any one-time or ongoing costs associated with the alternative delivery method. The Bureau believes that one-time costs associated with using the alternative delivery method would be minimal and would not prevent adoption of the alternative delivery method, as long as the institution already has a Web site and currently annually provides an account statement, coupon book, or notice or disclosure as described in § 1016.9(c)(2)(ii)(A). In the analysis above, the Bureau found that all but two financial institutions had Web sites and assumed that these two institutions would not adopt the alternative delivery method. However, the Bureau recognizes that it sampled very few of the smallest financial institutions and that these are the ones most likely not to have Web sites.

Comments on the proposed rule were generally consistent with the Bureau's analysis. One state banking association commented that approximately 5% of its members do not have a Web site. Another state banking association reported that 5 respondents to a survey that received 99 responses stated that they do not have a Web site. One state banking association reported that, when asked to estimate the cost of putting the annual privacy notice on a Web page that only contains the privacy notice, 15 responded that the cost would be “minimal,” one responded it would cost $500, and one that it would cost $3,000. One bank with approximately $3 billion in assets commented that the cost of adding a Web page would be “insignificant.” A bank with under $500 million in assets commented that it had paid $700 to its vendor to make an electronic version of its privacy notice available on its Web site. These results are consistent with the Bureau's own research and analysis. The Bureau requested information regarding the use of Web sites by non-depository financial institutions but did not receive any data on this subject.

    The Bureau believes that the one-time costs associated with providing the notice of availability annually on an account statement, coupon book, or notice or disclosure as described in § 1016.9(c)(2)(ii)(A) would be small. One state banking association commented that, given the range of customer relationship types, a bank may need to adjust a number of different notices in order to provide the notice of availability to all of its customers. The Bureau believes that the cost of each adjustment would be small. These costs would also be recouped over time through the savings achieved from no longer delivering the annual privacy notice through the mail or even through some of the other delivery methods that the existing rule permits.[94]

    Similarly, the Bureau believes that the requirements for using the alternative delivery method would provide few sources of additional ongoing costs relative to the baseline to financial institutions that adopt it. These costs would consist of additional text on an account statement, coupon book, notice or disclosure the institution already provides, maintaining a Web page dedicated to the annual privacy notice if one does not already exist, additional telephone calls from consumers requesting that the model form be mailed, and the costs of mailing the forms prompted by these calls. The Bureau currently believes that few consumers will request that the form be mailed in order to read it or to exercise any voluntary or FCRA Affiliate Marketing Rule opt-out right. A number of commenters stated that the proposed requirement to maintain a toll-free telephone number for requesting annual privacy notices (and the alternative considered of a dedicated toll-free number) would impose an unnecessary expense. Final § 1016.9(c)(2)(ii)(A) does not require the telephone number to be toll-free.

One caveat regarding these estimates concerns the use of consolidated privacy notices by entities regulated by different agencies. For example, entities that could comply with Regulation P by adopting the alternative delivery method would not do so if they still needed to send these customers an additional disclosure in order to comply with the GLBA regulations of other agencies. The Bureau believes that among the entities that will continue to use a standard delivery method, few will do so solely because of the need to comply with the GLBA regulations of multiple agencies. Rather, most such entities will also be large financial institutions and will not satisfy the requirements on information sharing in § 1016.9(c)(2)(i)(A)-(C). Thus, the Bureau believes that its estimates regarding the adoption of the alternative delivery method are accurate, notwithstanding the use of consolidated privacy notices, since the use of consolidated privacy notices is likely highly correlated with information sharing practices that alone prevent the adoption of the alternative delivery method. The Bureau requested data and other factual information regarding the extent to which the use of consolidated privacy notices may prevent the adoption of the alternative delivery method. The Bureau did not receive any comments on this issue.

    In developing the rule, the Bureau considered alternatives to the requirements it is adopting. As discussed at length above, the Bureau believes that the alternative delivery method might not adequately alert customers to their ability to opt out of certain types of information sharing were it available where a financial institution shares a customer's nonpublic personal information beyond the exceptions in §§ 1016.13, 1016.14, and 1016.15. Thus, the Bureau considered but is not adopting an option in which the alternative delivery method could be used where a financial institution shares beyond one or more of these exceptions. For the same reason, the Bureau considered but is not adopting an option in which the alternative delivery method could be used where a financial institution shares information in a way that triggers information sharing opt-out rights under section 603(d)(2)(A)(iii) of the FCRA. On the other hand, the Bureau considered an option in which the alternative delivery method could never be used where a customer has an opt-out right under the Affiliate Marketing Rule. A financial institution may use the alternative delivery method if the requirements under section 624 of the FCRA and the Affiliate Marketing Rule have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements. This case is distinguishable from the other two in that the Affiliate Marketing Rule opt-out notice is not required to be included on the annual privacy notice and may be sent separately. As explained above, a financial institution could send the separate Affiliate Marketing Rule opt-out only once (as long as it honored that opt-out indefinitely) and use the alternative delivery method to meet its yearly annual notice requirement, with or without including the Affiliate Marketing Rule opt-out notice on the model form.

    The Bureau also considered alternatives to the requirements regarding the types of information that cannot have changed since the previous annual notice to be able to use the alternative delivery method. The Bureau discussed these alternatives at length above and incorporates that discussion here.

    C. Potential Specific Impacts of the Rule

    The Bureau currently understands that 81% of banks with $10 billion or less in assets would be able to utilize the alternative delivery method, with a greater opportunity for utilization among the smaller banks. Thus, the rule may have differential impacts on insured depository institutions with $10 billion or less in assets as described in section 1026 of the Dodd-Frank Act. The Bureau also currently understands that at least 46% of credit unions with $10 billion or less in assets, and perhaps substantially more, would be able to utilize the alternative delivery method, with a greater opportunity for utilization among credit unions in the middle of this group. The uncertainty reflects the relatively large number of very small credit unions that do not post the model form on their Web sites and which therefore could not clearly use the alternative delivery method.

    The Bureau does not believe that the rule would reduce consumers' access to consumer financial products or services. The rule may, however, benefit consumers in rural areas less than consumers in non-rural areas. Rural consumers in most states have far less access to broadband and the alternative delivery method may displace delivery of paper notices with notices posted on Web sites.[95] Rural consumers likely still would benefit overall, however, given the general availability of the disclosure through slower internet access or on request by telephone and the potentially greater use of the model form.

    VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires each agency to consider the potential impact of its regulations on small entities, including small businesses, small governmental units, and small not-for-profit organizations. The RFA generally requires an agency to conduct an initial regulatory flexibility analysis (IRFA) and a final regulatory flexibility analysis (FRFA) of any rule subject to notice-and-comment rulemaking requirements, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities.[96] The Bureau also is subject to certain additional procedures under the RFA involving the convening of a panel to consult with small business representatives prior to proposing a rule for which an IRFA is required.[97]

    The Bureau now certifies that a FRFA is not required for this final rule because it will not have a significant economic impact on a substantial number of small entities. The Bureau does not expect the final rule to impose costs on small entities. All methods of compliance under current law will remain available to small entities under the final rule. Thus, a small entity that is in compliance with current law need not take any different or additional action. In addition, the Bureau believes that the alternative delivery method would allow some small institutions to reduce costs, but by a small amount relative to overall costs given that this rulemaking addresses a single disclosure.

    Accordingly, the undersigned certifies that this rule will not have a significant economic impact on a substantial number of small entities.

    VII. Paperwork Reduction Act

Under the Paperwork Reduction Act of 1995 (PRA),[98] Federal agencies are generally required to seek Office of Management and Budget (OMB) approval for information collection requirements prior to implementation. This final rule will amend Regulation P, 12 CFR part 1016. The collections of information related to Regulation P have been previously reviewed and approved by OMB in accordance with the PRA and assigned OMB Control Number 3170-0010. Under the PRA, the Bureau may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB.

    As explained below, the Bureau has determined that this rule does not contain any new or substantively revised information collection requirements other than those previously approved by OMB. Under this rule, a financial institution will be permitted, but not required, to use an alternative delivery method for the annual privacy notice if:

    (1) It does not disclose the customer's nonpublic personal information to nonaffiliated third parties in a manner that triggers GLBA opt-out rights;

    (2) It does not include on its annual privacy notice an opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA);

    (3) The requirements of section 624 of the FCRA and the Affiliate Marketing Rule, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements;

    (4) The information included in the privacy notice has not changed since the customer received the previous notice (subject to an exception); and

    (5) It uses the model form provided in the GLBA's implementing Regulation P.

    Under the alternative delivery method, the financial institution would have to:

    (1) Convey in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law that its privacy notice is available on its Web site, it will be mailed to customers who request it by telephone, and it has not changed;

    (2) Post its current privacy notice continuously and in a clear and conspicuous manner on a page of its Web site on which the only content is the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page; and

    (3) Mail its current privacy notice to customers who request it by telephone within ten days of the request.

    Under Regulation P, the Bureau generally accounts for the paperwork burden for the following respondents pursuant to its enforcement/supervisory authority: Insured depository institutions with more than $10 billion in total assets, their depository institution affiliates, and certain non-depository financial institutions. The Bureau and the FTC generally both have enforcement authority over non-depository financial institutions subject to Regulation P. Accordingly, the Bureau has allocated to itself half of the final rule's estimated burden on non-depository institutions subject to Regulation P. Other Federal agencies, including the FTC, are responsible for estimating and reporting to OMB the paperwork burden for the institutions for which they have enforcement and/or supervision authority. They may use the Bureau's burden estimation methodology, but need not do so.

    The Bureau does not believe that this rule would impose any new or substantively revised collections of information as defined by the PRA, and instead believes that it would have the overall effect of reducing the previously approved estimated burden on industry for the information collections associated with the Regulation P annual privacy notice. Using the Bureau's burden estimation methodology, the reduction in the estimated ongoing burden would be approximately 584,000 hours annually for the roughly 13,500 banks and credit unions subject to the rule, including Bureau respondents, and the roughly 29,400 entities subject to the Federal Trade Commission's enforcement authority also subject to the rule. The reduction in estimated ongoing costs from the reduction in ongoing burden would be approximately $17 million annually.

    The Bureau believes that the one-time cost of adopting the alternative delivery method for financial institutions that would adopt it is de minimis. Financial institutions that already use the model form and would adopt the alternative delivery method would incur minor one-time legal, programming, and training costs. These institutions would have to communicate on an account statement, coupon book, or notice or disclosure that the privacy notice is available. The expense of adding this notice would be minor, particularly where the institution would be issuing the account statement, coupon book, or notice or disclosure anyway. Staff may need some additional training in storing copies of the model form and sending it to customers on request. Institutions that do not use the model form would incur a one-time cost for creating one. However, since the promulgation of the model privacy form in 2009, an Online Form Builder has existed which any institution can use to readily create customized privacy notices using the model form template.[99] The Bureau assumes that financial institutions that do not currently have Web sites would not choose to comply with these requirements in order to use the alternative delivery method.

    The Bureau's methodology for estimating the reduction in ongoing burden was discussed at length above. The Bureau defined five strata for banks under $100 billion and three strata for credit unions under $10 billion, drew random samples from each of the strata (separately for banks and credit unions) and examined the GLBA privacy notices available on the financial institutions' Web sites, if any. The Bureau separately examined the Web sites of all banks over $100 billion (one additional bank stratum) and all credit unions over $10 billion (one additional credit union stratum). This process provided an estimate of the fraction of institutions within each bank or credit union stratum which would likely be able to use the alternative delivery method. In order to compute the reduction in ongoing burden (by stratum and overall) for these financial institutions, the Bureau apportioned the existing ongoing burden to each stratum according to the share of overall assets held by the financial institutions within the stratum. This was done separately for banks and credit unions. Note that this procedure ensures that the largest financial institutions, while few in number, are apportioned most of the existing burden. The Bureau then multiplied the estimate of the fraction of institutions within each stratum that would likely be able to use the alternative delivery method by the estimate of the existing ongoing burden within each stratum, separately for banks and credit unions. As discussed above, the largest bank and credit union strata tended to have the lowest share of financial institutions that could use the alternative delivery method.

    For the non-depository institutions subject to the FTC's enforcement authority that are subject to the Bureau's Regulation P, the Bureau estimated the reduction in ongoing burden by applying the overall share of banks that would likely be able to use the alternative delivery method (80%) to the current ongoing burden on non-depository financial institutions (exclusive of auto dealers) from providing the annual privacy notices and opt outs.

The Bureau takes all of the reduction in ongoing burden from banks and credit unions with assets of $10 billion and above and half the reduction in ongoing burden from the non-depository institutions subject to the FTC enforcement authority that are subject to the Bureau's Regulation P. The current Bureau burden for all information collections in Regulation P is 516,000 hours. The total reduction in ongoing burden taken by 14,844 Bureau respondents is 261,904 hours. The remaining Bureau burden for all information collections in Regulation P is 254,096 hours.

    Summary of Burden Changes

Information collections      Previously approved total burden hours      Net change in burden hours      New total burden hours
Notices and disclosures      516,000                                     −261,904                        254,096

    The Bureau has determined that the rule does not contain any new or substantively revised information collection requirements as defined by the PRA and that the burden estimate for the previously-approved information collections should be revised as explained above.

    List of Subjects in 12 CFR Part 1016

    • Banks
    • Banking
    • Consumer protection
    • Credit
    • Credit unions
    • Foreign banking
    • Holding companies
    • National banks
    • Privacy
    • Reporting and recordkeeping requirements
    • Savings associations
    • Trade practices

    Authority and Issuance

    For the reasons set forth in the preamble, the Bureau amends Regulation P, 12 CFR part 1016, as set forth below:

    PART 1016—PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)

    1. The authority citation for part 1016 continues to read as follows:

    Authority: 12 U.S.C. 5512, 5581; 15 U.S.C. 6804.

    2. Section 1016.1(b)(1) is revised to read as follows:

    § 1016.1 Purpose and scope.
    * * * * *

    (b) Scope. (1) This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to those financial institutions and other persons for which the Bureau of Consumer Financial Protection (Bureau) has rulemaking authority pursuant to section 504(a)(1)(A) of the Gramm-Leach-Bliley Act (GLB Act) (15 U.S.C. 6804(a)(1)(A)). Specifically, this part applies to any financial institution and other covered person or service provider that is subject to Subtitle A of Title V of the GLB Act, including third parties that are not financial institutions but that receive nonpublic personal information from financial institutions with whom they are not affiliated. This part does not apply to certain motor vehicle dealers described in 12 U.S.C. 5519 or to entities for which the Securities and Exchange Commission or the Commodity Futures Trading Commission has rulemaking authority pursuant to sections 504(a)(1)(A)-(B) of the GLB Act (15 U.S.C. 6804(a)(1)(A)-(B)). Except as otherwise specifically provided herein, entities to which this part applies are referred to in this part as “you.”

    Subpart A—Privacy and Opt-Out Notices

    3. Section 1016.9(c) is revised to read as follows:

    § 1016.9 Delivering privacy and opt out notices.
    * * * * *

    (c) Annual notices only— (1) Reasonable expectation. You may reasonably expect that a customer will receive actual notice of your annual privacy notice if:

    (i) The customer uses your Web site to access financial products and services electronically and agrees to receive notices at the Web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the Web site; or

    (ii) The customer has requested that you refrain from sending any information regarding the customer relationship, and your current privacy notice remains available to the customer upon request.

    (2) Alternative method for providing certain annual notices. (i) Notwithstanding paragraph (a) of this section, you may use the alternative method described in paragraph (c)(2)(ii) of this section to satisfy the requirement in § 1016.5(a)(1) to provide a notice if:

    (A) You do not disclose the customer's nonpublic personal information to nonaffiliated third parties other than for purposes under §§ 1016.13, 1016.14, and 1016.15;

    (B) You do not include on your annual privacy notice pursuant to § 1016.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii));

    (C) The requirements of section 624 of the Fair Credit Reporting Act (15 U.S.C. 1681s-3) and subpart C of part 1022 of this chapter, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements;

    (D) The information you are required to convey on your annual privacy notice pursuant to § 1016.6(a)(1) through (5), (8), and (9) has not changed since you provided the immediately previous privacy notice (whether initial, annual, or revised) to the customer, other than to eliminate categories of information you disclose or categories of third parties to whom you disclose information; and

    (E) You use the model privacy form in the appendix to this part for your annual privacy notice.

    (ii) For an annual privacy notice that meets the requirements in paragraph (c)(2)(i) of this section, you satisfy the requirement in § 1016.5(a)(1) to provide a notice if you:

    (A) Convey in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure you are required or expressly and specifically permitted to issue to the customer under any other provision of law that your privacy notice is available on your Web site and will be mailed to the customer upon request by telephone. The statement must state that your privacy notice has not changed and must include a specific Web address that takes the customer directly to the page where the privacy notice is posted and a telephone number for the customer to request that it be mailed;

    (B) Post your current privacy notice continuously and in a clear and conspicuous manner on a page of your Web site on which the only content is the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page; and

    (C) Mail your current privacy notice to those customers who request it by telephone within ten days of the request.

    (iii) An example of a statement that satisfies paragraph (c)(2)(ii)(A) of this section is as follows with the words “Privacy Notice” in boldface or otherwise emphasized: Privacy Notice—Federal law requires us to tell you how we collect, share, and protect your personal information. Our privacy policy has not changed and you may review our policy and practices with respect to your personal information at [Web address] or we will mail you a free copy upon request if you call us at [telephone number].

    * * * * *

    Dated: October 17, 2014.

    Richard Cordray,

    Director, Bureau of Consumer Financial Protection.

    Footnotes

    2.  Public Law 106-102, 113 Stat. 1338 (1999).

    3.  65 FR 35162 (June 1, 2000).

    4.  65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 40334 (June 29, 2000) (SEC final rule); 66 FR 21252 (Apr. 27, 2001) (CFTC final rule).

    5.  74 FR 62890 (Dec. 1, 2009).

    6.  Public Law 111-203, 124 Stat. 1376 (2010).

    7.  Public Law 111-203, section 1093. The FTC retained rulewriting authority over any financial institution that is a person described in 12 U.S.C. 5519 (i.e., motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).

    8.  76 FR 79025 (Dec. 21, 2011).

    10.  In regard to any Regulation P rulemaking, section 504 of GLBA provides that each of the agencies authorized to prescribe GLBA regulations (currently the Bureau, FTC, SEC, and CFTC) “shall consult and coordinate with the other such agencies and, as appropriate, . . . with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, for the purpose of assuring, to the extent possible, that the regulations prescribed by each such agency are consistent and comparable with the regulations prescribed by the other such agencies.” 15 U.S.C. 6804(a)(2).

    12.  Regulation P defines “financial institution.” See 12 CFR 1016.3(l).

    15.  Regulation P defines “nonpublic personal information.” See 12 CFR 1016.3(p).

    17.  Section 1016.6(c)(5) allows financial institutions to provide “simplified notices” if they do not disclose, and do not wish to reserve the right to disclose, nonpublic personal information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under §§ 1016.14 and 1016.15. The exceptions at §§ 1016.14 and 1016.15 track statutory exemptions and cover a variety of situations, such as maintaining and servicing the customer's account, securitization and secondary market sale, and fraud prevention. They directly exempt institutions from the opt-out requirements. The exception that includes service providers and joint marketing arrangements, at § 1016.13, is also statutory, but financial institutions that share according to this exception may not use the simplified notice, even though consumers cannot opt out of this sharing.

    18.  The FCRA defines “consumer report” generally as “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for: (A) Credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 1681b of this title.” 15 U.S.C. 1681a.

    21.  The type of information to which section 624 applies is information that would be a consumer report, but for the exclusions provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA (i.e., a report solely containing information about transactions or experiences between the consumer and the institution making the report, communication of that information among persons related by common ownership or affiliated by corporate control, or communication of other information as discussed above).

    24.  15 U.S.C. 6803(a) (emphasis added).

    25.  12 CFR 1016.9(a) states that a financial institution may deliver the notice electronically if the consumer agrees. After discussions with industry stakeholders, however, the Bureau believes that most consumers do not receive electronic disclosures.

    26.  76 FR 75825, 75828 (Dec. 5, 2011).

    27.  On a related issue, industry commenters stated that the annual notice causes confusion and unnecessary opt-out requests from customers who do not recall that they have already opted out in a previous year. As stated in the Supplementary Information to the Final Model Privacy Form Under the Gramm-Leach-Bliley Act, a financial institution is free to provide additional information in other, supplemental materials to customers if it wishes to do so. See 74 FR at 62908. For example, a financial institution that uses the model form could include supplemental materials outside the model form advising those customers who previously opted out that they do not need to opt out again if the institution has not changed its notice to include new opt-out options. See 74 FR at 62905. In the proposed rule, the Bureau requested comment on whether financial institutions would want to include on the privacy notice itself a statement describing the customer's opt-out status. The response to this request was overwhelmingly negative, with industry commenters stating that indicating opt-out status on the annual notice would add significant costs because the financial institution would have to track customers' status and send specific, different forms.

    28.  Consumer Financial Protection Bureau, “Understanding the Effects of Certain Deposit Regulations on Financial Institutions' Operations: Findings on Relative Costs for Systems, Personnel, and Processes at Seven Institutions” (Nov. 2013), available at http://files.consumerfinance.gov/f/201311_cfpb_report_findings-relative-costs.pdf.

    29.  Information collected for the study may be used to assist the Bureau in its investigations of “the effects of a potential or existing regulation on the business decisions of providers.” OMB Information Request—Control Number: 3170-0032.

    30.  15 U.S.C. 6803 (“[In the initial and annual privacy notices] a financial institution shall provide a clear and conspicuous disclosure. . . .”); 12 CFR 1016.3(b)(1) (defining “clear and conspicuous” as “reasonably understandable and designed to call attention to the nature and significance of the information in the notice.”)

    31.  See 74 FR at 62897-62898.

    32.  Recently Congress considered proposed legislation that would provide burden relief as to annual privacy notices, though no law has been enacted. See, e.g., H.R. 749, passed by the House and referred to the Senate in March of 2013; and S. 635, introduced in the Senate in late 2013.

    33.  See 79 FR 27214 (May 13, 2014). The Bureau subsequently extended the comment deadline. 79 FR 30485 (May 28, 2014).

    38.  The Bureau noted in the proposed rule that the alternative delivery method would be available even where a notice and opt out is offered under the Affiliate Marketing Rule, subpart C of 12 CFR part 1022, which relates to marketing based on information shared by a financial institution, as long as the Affiliate Marketing Rule notice and opt out is also provided separately from the Regulation P annual privacy notice. (For example, this separate Affiliate Marketing Rule notice and opt-out can be provided on the initial privacy notice under Regulation P, which cannot be delivered via the alternative delivery method in any case.) The final rule adopts this approach. See the section-by-section discussion of § 1016.9(c)(2)(i)(C), below.

    39.  Facilitating comparison shopping based on privacy policies was also mentioned repeatedly in the preamble to the model privacy notice rule. See generally 74 FR 62890.

    42.  Existing § 1016.9(c) is redesignated as § 1016.9(c)(1) and its subparagraphs redesignated as § 1016.9(c)(1)(i) and (ii), respectively, to accommodate the addition of § 1016.9(c)(2). The Bureau is also adding a heading to new paragraph (c)(1) for technical reasons.

    43.  Certain requirements for use of the alternative delivery method, such as those relating to FCRA opt-outs and use of the model privacy form, are not mentioned in any of the versions of this pending legislation.

    44.  To the extent that commenters distinguished among the opt-out conditions, they focused on the conditions proposed in § 1016.9(c)(2)(i)(B) and (C) which are discussed in detail in the section-by-section analysis below.

    45.  See, e.g., H.R. 749, passed by the House and referred to the Senate in March of 2013; and S. 635, introduced in the Senate in late 2013.

    46.  A national trade association representing business interests stated that banks that hold collectively half of all U.S. deposits would not be able to use the alternative delivery method as proposed.

    47.  79 FR at 27227.

    48.  Apart from individual institutions that stated whether they would be able to use the alternative method, few commenters provided data on how many financial institutions would be precluded from using the alternative delivery method because of the opt-out condition. One state association representing banks did provide such data noting that only 11 of 99 banks that responded to the association's survey would not be eligible to use the proposed alternative delivery method.

    51.  72 FR 62910, 62930 (Nov. 7, 2007).

    52.  Regulation P provides, “Institutions that include this reason [for sharing or using personal information] must provide an opt-out of indefinite duration.” Appendix to part 1016 at C.2.d.6.

    53.  12 CFR 1022.22(b), 1022.23(a)(1)(iv).

    54.  65 FR 35162, 35176 (June 1, 2000).

    55.  Appendix to part 1016 at C.2.d.6.

    56.  A financial institution could also include the Affiliate Marketing Rule opt-out on a non-model privacy notice and choose to honor opt-outs indefinitely and have no further Affiliate Marketing Rule obligations after the first privacy notice is delivered.

    57.  Alternatively, the financial institution could continue to use the current delivery method and include the Affiliate Marketing opt out on the annual privacy notice, with no separate notice required.

    58.  79 FR at 27221 n.54.

    59.  The Bureau notes that a revised privacy notice may not be delivered using the alternative delivery method because the alternative method only may be used to satisfy the requirement to provide an annual notice in § 1016.5(a)(1).

    61.  74 FR at 62891.

    62.  See below, parts V and VI.

    63.  The research that went into the development and testing of the model form was detailed in four reports: (1) Financial Privacy Notice: A Report on Validation Testing Results (Kleimann Validation Report), February 12, 2009, available at http://www.ftc.gov/system/files/documents/reports/financial-privacy-notice-report-validation-testing-results-kleimann-validationreport/financial_privacy_notice_a_report_on_validation_testing_results_kleimann_validation_report.pdf; (2) Consumer Comprehension of Financial Privacy Notices: A Report on the Results of the Quantitative Testing (Levy-Hastak Report), December 15, 2008, available at http://www.ftc.gov/system/files/documents/reports/quantitative-research-levy-hastak-report/quantitative_research_-_levy-hastak_report.pdf; (3) Mall Intercept Study of Consumer Understanding of Financial Privacy Notices: Methodological Report (Macro International Report), September 18, 2008, available at http://www.ftc.gov/system/files/documents/reports/quantitative-research-macro-international-report/quantitative_research_-_macro_international_report.pdf; and (4) Evolution of a Prototype Financial Privacy Notice: A Report on the Form Development Project, March 31, 2006, available at http://kleimann.com/ftcprivacy.pdf. The development and testing of the model privacy notice is also discussed in L. Garrison, M. Hastak, J.M. Hogarth, S. Kleimann, A.S. Levy, Designing Evidence-based Disclosures: A Case Study of Financial Privacy Notices. The Journal of Consumer Affairs, Summer 2012: 204-234.

    65.  The Bureau also notes that there is no private right of action under Regulation P.

    66.  See 74 FR at 62901.

    67.  Appendix to part 1016 at C.3.c.1.

    68.  See 74 FR at 62907 n. 196.

    69.  See generally GLBA section 503(a).

    71.  12 CFR 1016.9(b)(2)(i). The Bureau's rule on delivery of Affiliate Marketing Rule notices under Regulation V similarly provides that a consumer may not reasonably be expected to receive actual notice if the affiliate providing the notice only posts the notice on a sign in a branch or office or generally publishes the notice in a newspaper. 12 CFR 1022.26(c)(1).

    73.  See generally 74 FR at 62908 (noting, in response to industry requests for the flexibility to add other information to the model privacy form, that the agencies were not precluding an institution from providing such information on other, supplemental materials).

    74.  With regard to the proposed requirement that the notice be posted in a “clear and conspicuous” manner, the Bureau notes that existing § 1016.3(b)(2)(iii) gives examples of what clear and conspicuous means for a privacy notice posted on a Web site. One example provides that a financial institution designs its notice to call attention to the nature and significance of the information in the notice if it uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensures that other elements on the Web site (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice. Section 1016.3(b)(2)(iii)(A) and (B) also provides examples of clear and conspicuous placement of the notice within the financial institution's Web site but these examples do not seem relevant to the posting of the notice for the alternative delivery method because customers will be typing into their web browser the web address of the specific page that contains the annual notice, rather than navigating to the annual notice from the financial institution's home page. To the extent that a financial institution is satisfying existing § 1016.9(a) and not the alternative delivery method in § 1016.9(c)(2) by posting the privacy notice on its Web site, the clear and conspicuous examples in § 1016.3(b)(2)(iii)(A) and (B) still apply.

    76.  See 74 FR at 62908.

    77.  Cf. 74 FR at 62898 (“[T]he Agencies agree that institutions may incorporate the model form into another document but they must do so in a way that meets all the requirements of the privacy rule and the model form instructions, including that: The model form must be presented in a way that is clear and conspicuous; it must be intact so that the customer can retain the content of the model form; and it must retain the same page orientation, content, format, and order as provided for in this Rule.”) (footnotes omitted).

    78.  Specifically, section 1022(b)(2)(A) of the Dodd-Frank Act calls for the Bureau to consider the potential benefits and costs of a regulation to consumers and covered persons, including the potential reduction of access by consumers to consumer financial products or services; the impact on depository institutions and credit unions with $10 billion or less in total assets as described in section 1026 of the Dodd-Frank Act; and the impact on consumers in rural areas.

    79.  See L. F. Cranor, K. Idouchi, P. G. Leon, M. Sleeper, B. Ur, Are They Actually Any Different? Comparing Thousands of Financial Institutions' Privacy Practices. The Twelfth Workshop on the Economics of Information Security (WEIS 2013), June 11-12, 2013, Washington, DC, available at http://weis2013.econinfosec.org/papers/CranorWEIS2013.pdf. They find that only about 51% of FDIC insured depositories for which a Web site domain name is listed in the FDIC directory of financial institutions (3,422 out of 6,701) post the model privacy form on their Web sites. A Web site was not listed for an additional 371 institutions, and these institutions were excluded from the analysis. Some of these authors recently replicated and extended this work; see L. F. Cranor, P. G. Leon, B. Ur, A Large-Scale Evaluation of U.S. Financial Institutions' Standardized Privacy Notices, undated, available at http://www.andrew.cmu.edu/user/pgl/financialnotices.pdf. These authors find that 56% of FDIC insured depositories for which a Web site domain name is listed in the FDIC directory of financial institutions (3,594 out of 6,409) post the model privacy form on their Web sites. They also analyzed a much larger group of insured depositories, credit unions and credit card companies, first searching for an institution's Web site (when the Web site URL was not on lists of financial institutions they obtained from the FDIC, NCUA and the Federal Reserve) and then searching for the institution's model privacy form. With this methodology, the authors find that only about 32% (6,191 of 19,329) of this larger group of financial institutions posts the model privacy form on Web sites.

    80.  The research that went into the development and testing of the model form was detailed in four reports: (1) Financial Privacy Notice: A Report on Validation Testing Results (Kleimann Validation Report), February 12, 2009, available at http://www.ftc.gov/system/files/documents/reports/financial-privacy-notice-report-validation-testing-results-kleimann-validationreport/financial_privacy_notice_a_report_on_validation_testing_results_kleimann_validation_report.pdf; (2) Consumer Comprehension of Financial Privacy Notices: A Report on the Results of the Quantitative Testing (Levy-Hastak Report), December 15, 2008, available at http://www.ftc.gov/system/files/documents/reports/quantitative-research-levy-hastak-report/quantitative_research_-_levy-hastak_report.pdf; (3) Mall Intercept Study of Consumer Understanding of Financial Privacy Notices: Methodological Report (Macro International Report), September 18, 2008, available at http://www.ftc.gov/system/files/documents/reports/quantitative-research-macro-international-report/quantitative_research_-_macro_international_report.pdf; and (4) Evolution of a Prototype Financial Privacy Notice: A Report on the Form Development Project, March 31, 2006, available at http://kleimann.com/ftcprivacy.pdf. The development and testing of the model privacy notice is also discussed in L. Garrison, M. Hastak, J.M. Hogarth, S. Kleimann, A.S. Levy, Designing Evidence-based Disclosures: A Case Study of Financial Privacy Notices. The Journal of Consumer Affairs, Summer 2012: 204-234.

    81.  See Cranor et al. (2013). Their findings (Table 2) imply that at most 15% of the 3,422 FDIC insured depositories that post the model privacy form on their Web sites offer at least one voluntary opt out. Data from a much larger group of financial institutions analyzed by Cranor et al. (undated) imply (Table 2) that at most 27% of the 6,191 financial institutions that post the model privacy form on their Web sites offer at least one voluntary opt out.

    82.  The analysis that follows makes certain additional assumptions about adjustments that financial institutions are not likely to undertake just to be able to adopt the alternative delivery method. For example, a small institution without a Web site might not find it worthwhile to establish one given the relatively small savings in costs that might result. These assumptions are discussed further below.

    83.  The Bureau defined five strata for banks under $100 billion and three strata for credit unions under $10 billion and drew random samples from each of the strata. We obtained privacy policies from the Web sites of financial institutions.

    84.  In these and subsequent calculations, entities that stated that they shared information so their affiliates could market to the consumer were considered eligible for the alternative delivery method since they could use the alternative delivery method as long as the annual privacy notice is not the only notice on which they provide the opt-out; see § 1016.9(c)(2)(i)(C).

    85.  As discussed in the section-by-section analysis, a banking trade association commenting on the Streamlining RFI estimated that 75% of banks do not change their notices from year to year and do not share information in a way that gives rise to customer opt-out rights. The Bureau's estimate is consistent with this comment.

    86.  Unfortunately, more precise calculations are not possible without more information about responses conditional on asset size and the response rate to each question.

    87.  It is worth noting at the outset that, with this methodology, the total cost of providing the annual privacy notice and opt-out notice under Regulation P is approximately $30 million per year.

    88.  FDCPA section 805(b) generally prohibits communication with third parties in connection with the collection of a debt.

    89.  The Bureau requested comment on, but did not propose, requiring a dedicated telephone number for privacy notice requests. The student loan servicer commented that this requirement would not be a good use of resources for small lenders. The Bureau is not requiring a dedicated telephone number for these requests in the final rule; further, the Bureau is not finalizing the proposed requirement that the telephone number for these requests be toll-free.

    90.  One of the debt-buyer commenters recommended that the Bureau allow the statement of availability to be provided on “any legally permissible” mailed materials. The Bureau intends the term account statement to be flexible and it might include some of the legally permissible materials mentioned by this debt buyer. However, it would not include materials such as advertisements or newsletters.

    91.  Note that this figure excludes auto dealers. Auto dealers are regulated by the FTC and would not be directly impacted by this amendment to Regulation P.

    92.  The Bureau recognizes that this analysis does not take into account the possibility that, as with banks and credit unions, the largest non-depository financial institutions may be least likely to be able to use the alternative delivery method. Assuming the size distribution and utilization rate are the same as for credit unions, the reduction in burden on non-depository financial institutions would be approximately $7.5 million annually instead of $10 million annually.

    93.  A financial corporation with $2 billion in assets reported sending approximately 37,000 annual privacy notices and needing 100 hours for this work.

    94.  The Bureau believes that banks and credit unions have relatively few customers to whom they do not send, at least once per year, an account statement, coupon book, or other notice or disclosure that meets the conditions in final § 1016.9(c)(2)(ii)(A). Some banks and credit unions and their associations commented that § 1016.9(c)(2)(ii)(A) was too restrictive in this regard and might limit adoption of the alternative delivery method. As discussed above, final § 1016.9(c)(2)(ii)(A) is less restrictive.

    95.  For a comparison of access to broadband by rural and non-rural consumers, see Bringing Broadband to Rural America: Update to Report on a Rural Broadband Strategy, June 17, 2011, pages 22-24, available at https://apps.fcc.gov/edocs_public/attachmatch/DOC-320924A1.pdf.

    [FR Doc. 2014-25299 Filed 10-27-14; 8:45 am]

    BILLING CODE 4810-AM-P

Document Information

Effective Date:
10/28/2014
Published:
10/28/2014
Department:
Consumer Financial Protection Bureau
Entry Type:
Rule
Action:
Final rule.
Document Number:
2014-25299
Dates:
This final rule is effective on October 28, 2014.
Pages:
64057-64082 (26 pages)
Docket Numbers:
Docket No. CFPB-2014-0010
RINs:
3170-AA39: Annual Privacy Notice
RIN Links:
https://www.federalregister.gov/regulations/3170-AA39/annual-privacy-notice
Topics:
Banks, banking, Consumer protection, Credit, Credit unions, Foreign banking, Holding companies, National banks, Privacy, Reporting and recordkeeping requirements, Savings associations, Trade practices
PDF File:
2014-25299.pdf
CFR: (2)
12 CFR 1016.1
12 CFR 1016.9