[Federal Register Volume 65, Number 35 (Tuesday, February 22, 2000)]
[Proposed Rules]
[Pages 8770-8816]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-3718]



[[Page 8769]]

-----------------------------------------------------------------------

Part II





Department of the Treasury





-----------------------------------------------------------------------



Officer of the Comptroller of the Currency



Office of Thrift Supervision



12 CFR Parts 40 and 573



-----------------------------------------------------------------------





Federal Reserve System





-----------------------------------------------------------------------

12 CFR Part 216





Federal Deposit Insurance Corporation





-----------------------------------------------------------------------

12 CFR Part 332



Privacy of Consumer Financial Information; Proposed Rule

  Federal Register / Vol. 65, No. 35 / Tuesday, February 22, 2000 / 
Proposed Rules  

[[Page 8770]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 40

[Docket No. 00-05 ]
RIN 1557-AB77

FEDERAL RESERVE SYSTEM

12 CFR Part 216

[Docket No. R-1058]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 332

RIN 3064-AC32

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 573

[Docket No. 2000-13]
RIN 1550-AB36


Privacy of Consumer Financial Information

AGENCIES: Office of the Comptroller of the Currency, Treasury; Board of 
Governors of the Federal Reserve System; Federal Deposit Insurance 
Corporation; and Office of Thrift Supervision, Treasury.

ACTION: Joint notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Office of the Comptroller of the Currency, Board of 
Governors of the Federal Reserve System, Federal Deposit Insurance 
Corporation, and the Office of Thrift Supervision, (collectively, the 
Agencies) are requesting comment on proposed privacy rules published 
pursuant to section 504 of the Gramm-Leach-Bliley Act (the G-L-B Act or 
Act). Section 504 authorizes the Agencies to issue regulations as may 
be necessary to implement notice requirements and restrictions on a 
financial institution's ability to disclose nonpublic personal 
information about consumers to nonaffiliated third parties. Pursuant to 
section 503 of the G-L-B Act, a financial institution must provide its 
customers with a notice of its privacy policies and practices. Section 
502 prohibits a financial institution from disclosing nonpublic 
personal information about a consumer to nonaffiliated third parties 
unless the institution satisfies various disclosure and opt-out 
requirements and the consumer has not elected to opt out of the 
disclosure. These proposed rules implement the requirements outlined 
above.

DATES: Comments must be received by March 31, 2000.

ADDRESSES: Comments should be directed to: Office of the Comptroller of 
the Currency (OCC): Communications Division, Office of the Comptroller 
of the Currency, 250 E Street, SW., Washington, DC 20219, Attention: 
Docket No. 00-05; FAX number (202) 874-5274 or Internet address: 
[email protected]. Comments may be inspected and photocopied 
at the same location.
    Board of Governors of the Federal Reserve System (Board): Comments, 
which should refer to Docket No. R-1058, may be mailed to Ms. Jennifer 
J. Johnson, Secretary, Board of Governors of the Federal Reserve 
System, 20th and C Streets, NW, Washington, DC 20551 or mailed 
electronically to [email protected]. Comments addressed 
to Ms. Johnson also may be delivered to the Board's mail room between 
8:45 a.m. and 5:15 p.m. and to the security control room outside of 
those hours. Both the mail room and the security control room are 
accessible from the courtyard entrance on 20th Street between 
Constitution Avenue and C Street, NW. Comments may be inspected in Room 
MP-500 between 9 a.m. and 5 p.m., pursuant to Sec. 261.12, except as 
provided in Sec. 261.14, of the Board's Rules Regarding the 
Availability of Information, 12 CFR 261.12 and 261.14.
    Federal Deposit Insurance Corporation (FDIC): Send written comments 
to Robert E. Feldman, Executive Secretary, Attention: Comments/OES, 
Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429. Comments may be hand delivered to the guard 
station at the rear of the 17th Street building (located on F Street) 
on business days between 7 a.m. and 5 p.m. (Fax number (202) 898-3838). 
Comments may be inspected and photocopied in the FDIC Public 
Information Center, Room 100, 801 17th Street, NW., Washington, DC 
20429, between 9 a.m. and 4:30 p.m. on business days.
    Comments may be submitted to the FDIC electronically over the 
Internet at www.fdic.gov. Further information concerning this option 
may be found below at ``FDIC's New Electronic Public Comment Site.'' 
Comments also may be mailed electronically to [email protected].
    Office of Thrift Supervision (OTS): Send comments to Manager, 
Dissemination Branch, Information Management & Services Division, 
Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, 
Attention Docket No. 2000-13. Hand deliver comments to Public Reference 
Room, 1700 G Street, NW., lower level, from 9:00 A.M. to 5:00 P.M. on 
business days. Send facsimile transmissions to FAX Number (202) 906-
7755 or (202) 906-6956 (if the comment is over 25 pages). Send e-mails 
to public.info@ots.treas.gov">public.info@ots.treas.gov and include your name and telephone 
number. Interested persons may inspect comments at 1700 G Street, NW., 
from 9 a.m. until 4 p.m. on business days.

FOR FURTHER INFORMATION CONTACT:

0CC

Amy Friend, Assistant Chief Counsel (202) 874-5200
Mark Tenhundfeld, Assistant Director, Legislative and Regulatory 
Activities Division (202) 874-5090
Michael Bylsma, Director, Community and Consumer Law (202) 874-5750
Steve Van Meter, Senior Attorney, Community and Consumer Law (202) 874-
5750
Karen Furst, Policy Analyst, Economic and Policy Analysis (202) 874-
4509
Paul Utterback, National Bank Examiner, Bank Supervision Policy (202) 
874-5461, or
Jeffery Abrahamson, Attorney, Legislative and Regulatory Activities 
Division (202) 874-5090

Board

Oliver I. Ireland, Associate General Counsel (202) 452-3625
Stephanie Martin, Managing Senior Counsel (202) 452-3198, or
Thomas Scanlon, Attorney (202) 452-3594, Legal Division, or
Adrienne D. Hurt, Assistant Director (202) 452-2412
Jane J. Gell, Managing Counsel (202) 452-3667, or
James H. Mann, Attorney (202) 452-2412, Division of Consumer and 
Community Affairs.
For the hearing impaired only, contact Diane Jenkins, 
Telecommunications Device for the Deaf (TDD) (202) 452-3544, Board of 
Governors of the Federal Reserve System, 20th and C Streets, NW, 
Washington, DC 20551.

FDIC

Deanna Caldwell, Community Affairs Officer, Division of Compliance and 
Consumer Affairs, (202) 736-0141
James K. Baebel, Senior Review Examiner, Division of Compliance and 
Consumer Affairs, (202) 736-0229
Robert A. Patrick, Counsel, Regulations and Legislation Section, (202) 
898-3757

[[Page 8771]]

Marc J. Goldstrom, Counsel, Regulations and Legislation Section, (202) 
898-8807
Marilyn E. Anderson, Senior Counsel, Regulations and Legislation 
Section, (202) 898-3522
Nancy Schucker Recchia, Counsel, Regulations and Legislation Section, 
(202) 898-8885.

OTS

Christine Harrington, Counsel (Banking and Finance), (202) 906-7957
Paul Robin, Assistant Chief Counsel, (202) 906-6648, Regulations and 
Legislation Division; or
Cindy Baltierra, Program Analyst, Compliance Policy (202) 906-6540, 
Office of Thrift Supervision, 1700 G Street, NW., Washington DC 20552.

SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in 
the following outline:

I. Background
II. Section-by-Section Analysis
III. FDIC's New Electronic Public Comment Site
IV. Regulatory Analysis
    A. Paperwork Reduction Act
    B. Regulatory Flexibility Act
    C. Executive Order 12866
    D. Unfunded Mandates Act of 1995
V. Solicitation of Comments on Use of ``Plain Language''

I. Background

    On November 12, 1999, President Clinton signed the G-L-B Act (Pub. 
L. 106-102, codified at 15 U.S.C. 6801 et seq.) into law. Subtitle A of 
Title V of the Act, captioned Disclosure of Nonpublic Personal 
Information, limits the instances in which a financial institution may 
disclose nonpublic personal information about a consumer to 
nonaffiliated third parties, and requires a financial institution to 
disclose to all of its customers the institution's privacy policies and 
practices with respect to information sharing with both affiliates and 
nonaffiliated third parties. Title V also requires the Agencies, the 
Secretary of the Treasury, the National Credit Union Administration 
(NCUA), the Federal Trade Commission (FTC), and the Securities and 
Exchange Commission (SEC), after consulting with representatives of 
State insurance authorities designated by the National Association of 
Insurance Commissioners, to prescribe such regulations as may be 
necessary to carry out the purposes of the provisions in Title V that 
govern disclosure of nonpublic personal information.
    The Agencies have prepared proposed rules to implement Subtitle A 
that are consistent and comparable to the extent possible, as is 
required by the statute.\1\ Except where noted in the discussion of the 
proposed definitions of ``nonpublic personal information,'' 
``personally identifiable financial information,'' and ``publicly 
available information,'' the texts of the Agencies'' proposed 
regulations are substantively identical. The Agencies request comment 
on all aspects of the proposed rules as well as comment on the specific 
provisions and issues highlighted in the section-by-section analysis 
below.
---------------------------------------------------------------------------

    \1\ The NCUA, FTC, SEC, and the Treasury Department also have 
participated in the rulemaking process, and the NCUA, FTC, and SEC 
will separately issue comparable proposed rules.
---------------------------------------------------------------------------

II. Section-by-Section Analysis

    The discussion that follows applies to each of the Agencies' 
proposed rules. Given that each agency will assign a different part to 
its privacy rule, the citations are to sections only, leaving citations 
to part numbers blank.

Sec. __.1  Purpose and Scope

    Proposed paragraph (a) of this section identifies three purposes of 
the rules. First, the rules require a financial institution to provide 
notice to consumers about the institution's privacy policies and 
practices. Second, the rules describe the conditions under which a 
financial institution may disclose nonpublic personal information about 
a consumer to a nonaffiliated third party. Third, the rules provide a 
method for a consumer to ``opt out'' of the disclosure of that 
information to nonaffiliated third parties, subject to the exceptions 
in proposed Secs. __.9,__.10, and__.11, as discussed below.
    Proposed paragraph (b) sets out the scope of the banking agencies' 
rules and tracks the scope of enforcement set out in section 505(a) of 
the G-L-B Act. This paragraph notes that the rules apply only to 
information about individuals who obtain a financial product or service 
from a financial institution to be used for personal, family, or 
household purposes.
    The G-L-B Act and the proposed rules apply to domestic offices of 
United States banks and domestic branches and agencies of foreign 
banks. The Agencies request comment on whether the rules should apply 
to foreign financial institutions that solicit business in the United 
States but that do not have an office in the United States.

Sec. __.2  Rule of Construction

    Proposed Sec. __.2 of the rules sets out a rule of construction 
intended to clarify the effect of the examples used in the rules. Given 
the wide variety of transactions that Title V of the G-L-B Act covers, 
the Agencies propose to adopt rules of general applicability and 
provide examples of conduct that would, and would not, comply with the 
rule. While the general rules are consistent among the Agencies' 
proposals to the extent possible, the examples used by the Federal 
banking agencies differ on occasion from those used by the other 
agencies in order to provide guidance that may be most meaningful to 
entities within a given agency's jurisdiction.
    The examples are provided in furtherance of the Federal banking 
agencies' obligation under section 722 of the G-L-B Act to use ``plain 
language'' in all proposed and final rules published after January 1, 
2000. These examples are not intended to be exhaustive; rather, they 
are intended to provide guidance about how the rules would apply in 
specific situations. The Agencies invite comment on whether including 
examples in the rule is useful and suggestions on additional or 
different examples that may be helpful in illustrating compliance with 
the rule.

Sec. __.3  Definitions

    a. Affiliate. The proposed rules adopt the definition of 
``affiliate'' that is used in section 509(6) of the G-L-B Act. An 
affiliation will be found when one company ``controls'' (which is 
defined in Sec. __.3(g), below), is controlled by, or is under common 
control with another company. The definition includes both financial 
institutions and entities that are not financial institutions.
    b. Clear and conspicuous. Title V of the G-L-B Act and the proposed 
rules require that various notices be ``clear and conspicuous.'' The 
proposed rules define this term to mean that the notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information contained in the notice.
    The proposed rules do not mandate the use of any particular 
technique for making the notices clear and conspicuous, but instead 
allow each financial institution the flexibility to decide for itself 
how best to comply with this requirement. Ways in which a notice may 
satisfy the clear and conspicuous standard would include, for instance, 
using a plain-language caption, in a type set easily seen, that is 
designed to call attention to the information contained in the notice. 
Other plain language principles are provided in the examples that 
follow the general rule.
    c. Collect. The proposed rules define ``collect'' to mean obtaining 
any information that is organized or retrievable on a personally 
identifiable

[[Page 8772]]

basis, irrespective of the source of the underlying information. 
Several sections of the proposed rule (see, e.g., Secs. __.6 and__.7) 
impose obligations that arise when a financial institution collects 
information about a consumer. This proposed definition clarifies that 
these obligations arise when the information enables the user to 
identify a particular consumer. It also clarifies that the obligations 
arise regardless of whether the financial institution obtains the 
information from a consumer or from some other source.
    d. Company. The proposed rules define ``company,'' which is used in 
the definition of ``affiliate,'' as any corporation, limited liability 
company, business trust, general or limited partnership, association, 
or similar organization.
    e. Consumer. The proposed rules define ``consumer'' to mean an 
individual who obtains, from a financial institution, financial 
products or services that are to be used primarily for personal, 
family, or household purposes. An individual also will be deemed to be 
a consumer for purposes of a financial institution if that institution 
purchases the individual's account from some other institution. The 
definition also includes the legal representative of an individual.
    The G-L-B Act distinguishes ``consumers'' from ``customers'' for 
purposes of the notice requirements imposed by the Act. As explained 
more fully in the discussion of proposed Sec. __.4, below, a financial 
institution is required to give a ``consumer'' the notices required 
under Title V only if the institution intends to disclose nonpublic 
personal information about the consumer to a nonaffiliated third party 
for a purpose that is not authorized by one of several exceptions set 
out in proposed Secs. __.10 and__.11. By contrast, a financial 
institution must give all ``customers,'' at the time of establishing a 
customer relationship and annually thereafter during the continuation 
of the customer relationship, a notice of the institution's privacy 
policy.
    A person is a ``consumer'' under the proposed rules if he or she 
obtains a financial product or service from a financial institution. 
The definition of ``financial product or service'' in proposed 
Sec. __.3(k), below, includes, among other things, the evaluation by a 
financial institution of an application that a person submits to obtain 
a financial product or service. Thus, a financial institution that 
intends to share nonpublic personal information about a consumer with 
nonaffiliated third parties outside of the exceptions described in 
Secs. __.10 and__.11 will have to give the requisite notices, even if 
the consumer does not enter into a customer relationship with the 
institution.
    The examples that follow the definition of ``consumer'' clarify 
when someone is a consumer. They include situations where someone 
applies for a loan or provides information for the purpose of 
determining whether he or she prequalifies for a loan, a person 
providing information in connection with seeking to obtain financial 
advisory services, and a person who negotiates a workout of a loan. The 
examples also clarify the status of someone whose loan has been sold.
    f. Consumer reporting agency. The proposed rules adopt the 
definition of ``consumer reporting agency'' that is used in section 
603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)). This term 
is used in proposed Secs. __.11 and__.13.
    g. Control. The proposed rules define ``control'' using the tests 
applied in section 23A of the Federal Reserve Act (12 U.S.C. 371c). 
This definition is used to determine when companies are affiliated (see 
discussion of proposed Sec. __.3(a), above), and would result in 
financial institutions being considered as affiliates regardless of 
whether the control is by a company or individual.
    h. Customer. The proposed rules define ``customer'' as any consumer 
who has a ``customer relationship'' with a particular financial 
institution. As is explained more fully in the discussion of proposed 
Sec. __.4, below, a consumer becomes a customer of a financial 
institution at the time of entering into a continuing relationship with 
the institution. Thus, for instance, a consumer would become a customer 
at the time the consumer executes the documents needed to open a 
deposit account or borrow money from a financial institution.
    The distinction between consumers and customers determines what 
notices a financial institution must provide. If a consumer never 
becomes a customer, the institution is not required to provide any 
notices to the consumer unless the institution intends to disclose 
nonpublic personal information about that consumer to nonaffiliated 
third parties outside of the exceptions as set out in Secs. __.10 
and__.11. By contrast, if a consumer becomes a customer, the 
institution must provide a copy of its privacy policy prior to the time 
it establishes the customer relationship and at least annually 
thereafter during the continuation of the customer relationship.
    i. Customer relationship. The proposed rules define ``customer 
relationship'' as a continuing relationship between a consumer and a 
financial institution whereby the institution provides a financial 
product or service that is to be used by the consumer primarily for 
personal, family, or household purposes.\2\ Because the G-L-B Act 
requires annual notices of the financial institution's privacy policies 
to its customers, the Agencies have interpreted the Act as requiring 
more than isolated transactions between a bank and a consumer to 
establish a customer relationship, unless it is reasonable to expect 
further contact about that transaction between the bank and consumer 
afterwards. Thus, the proposed rules define ``customer relationship'' 
as one that generally is of a continuing nature. As noted in the 
examples that follow the definition, this would include, for instance, 
maintaining a deposit, loan, trust, or investment account.
---------------------------------------------------------------------------

    \2\ A ``customer'' may be defined differently for purposes of 
other regulations. See, e.g., 12 CFR 7.4002.
---------------------------------------------------------------------------

    A one-time transaction may be sufficient to establish a customer 
relationship, depending on the nature of the transaction. The examples 
that follow the definition of ``customer relationship'' clarify, for 
instance, that a purchase of an insurance policy would be sufficient to 
establish a customer relationship because of the continuing nature of 
the product, whereas using an automated teller machine (ATM) at a bank 
at which a consumer transacts no other business, purchasing traveler's 
checks or money orders, or cashing a check would not. While a person 
engaging in one of these latter types of transactions would be a 
consumer under the regulation (thereby requiring the financial 
institution to provide notices if the institution intends to disclose 
nonpublic personal information about the consumer to nonaffiliated 
third parties outside of the exceptions), the consumer would not be a 
customer. A consumer would not necessarily become a customer simply by 
repeatedly engaging in isolated transactions, such as withdrawing funds 
at regular intervals from an ATM owned by an institution with whom the 
consumer has no account.
    The examples also clarify that a consumer will have a customer 
relationship with a financial institution that makes a loan to the 
consumer and then sells the loan but retains the servicing rights. In 
that case, the person will be a customer of both the institution that 
sold the loan and the institution that bought it.

[[Page 8773]]

    j. Financial institution. The proposed rules define ``financial 
institution'' as any institution the business of which is engaging in 
activities that are financial in nature, or incidental to such 
financial activities, as described in section 4(k) of the Bank Holding 
Company Act of 1956 (12 U.S.C. 1843(k)). The proposed rules also exempt 
from the definition of ``financial institution'' those entities 
specifically excluded by the G-L-B Act.
    k. Financial product or service. The proposed rules define 
``financial product or service'' as a product or service that a 
financial institution could offer as an activity that is financial in 
nature, or incidental to such a financial activity, under section 4(k) 
of the Bank Holding Company Act of 1956, as amended. An activity that 
is complementary to a financial activity, as described in section 4(k), 
is not included in the definition of ``financial product or service'' 
under this part. The proposed rules' definition includes the financial 
institution's evaluation of information collected in connection with an 
application by a consumer for a financial product or service even if 
the application ultimately is rejected or withdrawn. It also includes 
the distribution of information about a consumer for the purpose of 
assisting the consumer to obtain a financial product or service.
    l. Government regulator. The proposed rules adopt the definition of 
``government regulator'' that includes each of the Agencies 
participating in this rulemaking, the Secretary of the Treasury, the 
NCUA, FTC, SEC, and State insurance authorities under the circumstances 
identified in the definition. This term is used in the exception set 
out in proposed Sec. __.11(a)(4) for disclosures to law enforcement 
agencies, ``including government regulators.''
    m. Nonaffiliated third party. Paragraph (1) of the proposed 
definition of ``nonaffiliated third party'' provides that the term 
means any person (which includes natural persons as well as corporate 
entities such as corporations, partnerships, trusts, and so on) except: 
(1) An affiliate of a financial institution, and (2) a joint employee 
of a financial institution and a third party. This paragraph is 
intended to be substantively the same as the definition used in section 
509(5) of the G-L-B Act. Paragraph (2) of the proposed definition 
provides that ``nonaffiliated third party'' includes any company that 
is an affiliate by virtue of the direct or indirect ownership or 
control of the company by the financial institution or one of its 
affiliates in conducting merchant banking or investment banking 
activities of the type described in section 4(k)(4)(H) or insurance 
company activities of the type described in section 4(k)(4)(I) of the 
Bank Holding Company Act, whether or not the financial institution is 
affiliated with a bank or is relying on the authority of those 
sections.
    n. Nonpublic personal information. Section 509(4) of the G-L-B Act 
defines ``nonpublic personal information'' to mean ``personally 
identifiable financial information'' (which term is not defined in the 
Act) that is provided by a consumer to a financial institution, results 
from any transaction with the consumer or any service performed for the 
consumer, or is otherwise obtained by the financial institution. Any 
list, description, or other grouping of consumers--and ``publicly 
available information'' (which also is undefined in the G-L-B Act) 
pertaining to them-- that is derived using any nonpublic personal 
information other than publicly available information also is included 
in the definition of ``nonpublic personal information.''
    The proposed rules implement this provision of the G-L-B Act by 
restating, in paragraph (1) of proposed Sec. __.3(n), the categories of 
information described above. However, the proposed rules present two 
alternatives concerning the treatment, for purposes of the definition 
of ``nonpublic personal information,'' of information that can be 
obtained from sources available to the general public. The alternatives 
are based on differences in the definitions of ``personally 
identifiable financial information'' and ``publicly available 
information'' which, when read together, result in more information 
being treated as ``nonpublic personal information'' under Alternative A 
than would be the case under Alternative B.
    Alternative A excludes publicly available information from the 
scope of ``nonpublic personal information'' only in two circumstances. 
The first is when the information is part of a list, description, or 
other grouping of consumers that is derived without using personally 
identifiable financial information. The second is when information, not 
provided by a consumer and not resulting from a transaction with the 
consumer, is otherwise obtained by a financial institution in 
connection with providing a financial product or service to the 
consumer. However, in order for the information to be considered 
``publicly available'' under Alternative A, the information must be 
obtained from government records, widely distributed media, or 
government-mandated disclosures. The fact that the information is 
available from those sources is immaterial if the financial institution 
does not actually obtain the information from one of them.
    Alternative B \3\ similarly excludes publicly available information 
from the scope of ``nonpublic personal information'' when the 
information is part of a list, description, or other grouping of 
consumers that is derived without using personally identifiable 
financial information. However, Alternative B also excludes any other 
publicly available information, unless the information is part of a 
list, description, or other grouping of consumers that is derived using 
personally identifiable financial information. Under Alternative B, 
information need only be available from a public source for it to be 
considered ``publicly available.'' If the information is lawfully 
available to the general public, then it will be publicly available and 
excluded from the scope of ``nonpublic personal information'' 
regardless of whether the institution obtains it from a publicly 
available source (unless, as previously noted, it is part of a list of 
consumers that is derived using personally identifiable information). 
As a result of this approach, the fact that information has been given 
to a financial institution by a consumer does not automatically extend 
to that information the protections afforded to nonpublic personal 
information.
---------------------------------------------------------------------------

    \3\ The Board's proposed rule sets out Alternative B only.
---------------------------------------------------------------------------

    The two alternatives will produce the same results in many 
instances. Under Alternative A, a person's name, address, and other 
information that typically is thought of as publicly available is 
treated as nonpublic if that information is provided by the person to a 
bank in connection with obtaining a financial product or service. Thus, 
a bank would be unable to disclose such information under Alternative A 
to a nonaffiliated third party unless the bank complies with the notice 
and opt out requirements discussed below. Under Alternative B, if the 
person's name and address were available from public sources, they 
would be publicly available information. However, even under 
Alternative B, the bank would have to comply with the notice and opt 
out requirements before sharing that information with nonaffiliated 
third parties if the information was included on a customer list.
    The two alternatives will produce different results, however, in 
the situation where a bank wants to disclose the name, address, or 
other information

[[Page 8774]]

available to the general public about an individual. In that situation, 
Alternative A would require compliance with the notice and opt out 
requirements. Alternative B would not, because the information would 
not be part of a list, description, or other grouping of consumers. The 
Agencies invite comment on both alternatives.
    The Agencies also specifically invite comment on whether either 
definition of ``nonpublic personal information'' would cover 
information about a consumer that contains no indicators of a 
consumer's identity. For instance, if a mortgage lender provided 
information about its mortgage loans (such as loan-to-value ratios, 
interest rates, census tracts of mortgaged property, payment history, 
credit scores, and income) to a nonaffiliated third party for the 
purpose of preparing market studies, would the lender, without notice 
or opt out to the consumer, be permitted to do so if the information 
contains no personal identifiers?
    o. Personally identifiable financial information. As discussed 
above, the  G-L-B Act defines ``nonpublic personal information'' to 
include, among other things, ``personally identifiable financial 
information'' but does not define the latter term.
    As a general matter, the proposed rules treat any personally 
identifiable information as financial if it is obtained by a financial 
institution in connection with providing a financial product or service 
to a consumer. The Agencies believe that this approach reasonably 
interprets the word ``financial'' and creates a workable and clear 
standard for distinguishing information that is financial from other 
personal information. The Agencies recognize that this interpretation 
may result in certain information being covered by the rules that may 
not be considered intrinsically financial, such as health status, and 
specifically invite comment on the proposed definition of ``personally 
identifiable financial information.''
    The proposed rules define ``personally identifiable financial 
information'' to include three categories of information. While these 
three categories are for the most part identical in both alternatives 
(see discussion of category 3, below, concerning a difference between 
the categories), the differences in how Alternatives A and B treat 
publicly available information result in different applications of what 
personally identifiable financial information is included within the 
definition of ``nonpublic personal information.''
    The first category of information considered to be ``personally 
identifiable financial information'' is any information that a consumer 
provides a financial institution in order to obtain a financial product 
or service. As noted in the examples that follow the definition, this 
would include information provided on an application to obtain a loan, 
credit card, or other financial product or service. If, for instance, 
medical information is provided on an application to obtain a financial 
product or service (such as would be the case if a consumer applies for 
a life insurance policy), that information would be considered 
``personally identifiable financial information'' for purposes of the 
proposed rules.
    The second category of information covered by the proposed 
definition of ``personally identifiable financial information'' 
includes any information resulting from any transaction between the 
consumer and the financial institution involving a financial product or 
service. This would include, as noted in the examples following the 
definition, account balance information, payment or overdraft history, 
and credit or debit card purchase information.
    The third category includes any financial information about a 
consumer otherwise obtained by the financial institution in connection 
with providing a financial product or service to the consumer. This 
would include, for example, information obtained from a consumer report 
or from an outside source to verify information a consumer provides on 
an application to obtain a financial product or service. There is a 
difference in the statement of the third category between Alternatives 
A and B. Alternative A expressly excludes from this category publicly 
available information, while Alternative B does not. However, given the 
definitions of ``nonpublic personal information'' and ``publicly 
available information'' in Alternative B, the result is that any of the 
three categories of personally identifiable information in Alternative 
B will exclude publicly available information from the personally 
identifiable financial information that is considered ``nonpublic 
personal information.''
    The examples clarify that the definition of ``personally 
identifiable financial information'' does not include a list of names 
and addresses of people who are customers of an entity that is not a 
financial institution. Thus, the names and addresses of people who 
subscribe, for instance, to a particular magazine fall outside the 
definition. If, however, a financial institution includes those names 
and addresses as part of a list of the institution's customers, then 
the names and addresses become nonpublic personal information.
    The Agencies note that there are other laws that may impose 
limitations on disclosures of nonpublic personal information in 
addition to those imposed by the G-L-B Act and these proposed rules. 
For instance, the Fair Credit Reporting Act imposes conditions on the 
sharing of application information between affiliates and nonaffiliated 
third parties. The recently proposed Department of Health and Human 
Services regulations \4\ that implement the Health Insurance 
Portability and Accountability Act of 1996 would, if adopted in final 
form, limit the circumstances under which medical information may be 
disclosed. There may be State laws that affect a financial 
institution's ability to disclose information. Thus, financial 
institutions will need to monitor and comply with applicable 
legislative and regulatory developments that affect the disclosure of 
consumer information.
---------------------------------------------------------------------------

    \4\ 64 FR 59918 (Nov. 3, 1999).
---------------------------------------------------------------------------

    The Agencies seek comment on whether further definition of 
``personally identifiable financial information'' would be helpful.
    p. Publicly available information. The proposed rules contain two 
versions of the definition of ``publicly available information.'' For 
the most part, the definitions are identical, and differ only in that 
Alternative A does not treat information as publicly available unless 
it is obtained from one of the public sources listed in the proposed 
rules. Alternative B, by contrast, treats information as publicly 
available if it could be obtained from one of the public sources listed 
in the rules, even if it was obtained from a source not listed in the 
definition. The Agencies invite comments on which alternative is more 
appropriate.
    The remaining parts of the two alternative versions are identical. 
Thus, under either alternative, the definition of ``publicly available 
information'' includes information from official public records, such 
as real estate recordations or security interest filings. It also 
includes information from widely distributed media (such as a telephone 
book, television or radio program, or newspaper) and information that 
is required to be disclosed to the general public by Federal, State, or 
local law (such as securities disclosure documents). The proposed rules 
state that information obtained over the Internet will be considered 
publicly available information if the information

[[Page 8775]]

is obtainable from a site available to the general public without 
requiring a password or similar restriction. The Agencies invite 
comment on what information is appropriately considered publicly 
available, particularly in the context of information available over 
the Internet.
    q. You. For those Agencies that use the pronoun ``you'' to refer to 
entities within their primary jurisdiction,\5\ the definition of this 
term will vary with each of the Agencies' regulations based upon the 
financial institutions under their jurisdictions.
---------------------------------------------------------------------------

    \5\ The OCC has used the term ``bank'' instead of ``you'' in its 
regulation.
---------------------------------------------------------------------------

Sec. __.4  Initial Notice to Consumers of Privacy Policies and 
Practices Required

    Initial notice required. The G-L-B Act requires a financial 
institution to provide an initial notice of its privacy policies and 
practices in two circumstances. For customers, the notice must be 
provided at the time of establishing a customer relationship. For 
consumers who do not become customers, the notice must be provided 
prior to disclosing nonpublic personal information about the consumer 
to a nonaffiliated third party.
    Paragraph (a) of proposed Sec. __.4 states the general rule 
regarding these notices. Pursuant to that paragraph, a financial 
institution must provide a clear and conspicuous notice (i.e., a notice 
that is reasonably understandable and designed to call attention to the 
nature and significance of the information it provides) that accurately 
reflects the institution's privacy policies and practices. Thus, a 
financial institution may not fail to maintain the protections that it 
represents in the notice that it will provide. The Agencies expect that 
financial institutions will take appropriate measures to adhere to 
their stated privacy policies and practices.
    The proposed rules do not prohibit affiliated institutions from 
using a common initial, annual, or opt out notice, so long as the 
notice is delivered in accordance with the rule and is accurate for all 
recipients. Similarly, the rules do not prohibit an institution from 
establishing different privacy policies and practices for different 
categories of consumers, customers, or products, so long as each 
particular consumer or customer receives a notice that is accurate with 
respect to him or her.
    Notice to customers. The proposed rules require that a financial 
institution provide an individual a privacy notice prior to the time 
that it establishes a customer relationship. Thus, the notices may be 
provided at the same time a financial institution is required to give 
other notices, such as those required by the Board's regulations 
implementing the Truth in Lending Act (12 CFR 226.6). This approach is 
intended to strike a balance between: (1) Ensuring that consumers will 
receive privacy notices at a meaningful point along the continuum of 
``establishing a customer relationship''; and (2) minimizing 
unnecessary burdens on financial institutions that may result if a 
financial institution is required to provide a consumer with a series 
of notices at different times in a transaction. Nothing in the proposed 
rules is intended to discourage a financial institution from providing 
an individual with a privacy notice at an earlier point in the 
relationship if the institution wishes to do so in order to make it 
easier for the individual to compare its privacy policies and practices 
with those of other institutions in advance of conducting transactions.
    Paragraph (c) of proposed Sec. __.4 identifies the time a customer 
relationship is established as the point at which a financial 
institution and a consumer enter into a continuing relationship. The 
examples that are provided after the statement of the general rule 
inform the reader that, for customer relationships that are contractual 
in nature (including, for instance, deposit accounts, loans, or 
purchases of a nondeposit product), a customer relationship is 
established upon the execution by the consumer of the contract that is 
necessary to conduct the transaction in question. In the case of a 
credit card account, the customer relationship is established when the 
consumer opens the account. A consumer opens a credit card account when 
he or she becomes obligated on the account, such as when he or she 
makes the first purchase, receives the first advance, or becomes 
obligated for any fee or charges under the account other than an 
application fee or refundable membership fee. For transactions that may 
not involve a contract (including, for instance, providing investment 
advisory services), a customer relationship will be established if the 
consumer pays or agrees to pay a fee or commission for the service.
    Notice to consumers. For consumers who do not establish a customer 
relationship, the initial notice may be provided at any point before 
the financial institution discloses nonpublic personal information to 
nonaffiliated third parties. As provided in paragraph (b) of the 
proposed rule, if the institution does not intend to disclose the 
information in question or intends to make only those disclosures that 
are authorized by one of the exceptions set out in Secs. __.10 and 
__.11 of the proposed rule, it is not required to provide the initial 
notice.
    How to provide notice. Paragraph (d) of proposed Sec. __.4 sets out 
the rules governing how financial institutions must provide the initial 
notices. The general rule requires that the initial notice be provided 
so that each recipient can reasonably be expected to receive actual 
notice. The Agencies invite comment on who should receive a notice in 
situations where there is more than one party to an account.
    The notice may be delivered in writing or, if the consumer agrees, 
electronically. Oral notices alone are insufficient. In the case of 
customers, the notice must be given in a way so that the customer may 
either retain it or access it at a later time. This requirement that 
the notice be given in a manner permitting access at a later time does 
not preclude a financial institution from changing its privacy policy. 
See proposed Sec. __.8(c), below. Rather, the rules are intended only 
to require that a customer be able to access the most recently adopted 
privacy policy.
    Examples of acceptable ways the notice may be delivered include 
hand-delivering a copy of the notice, mailing a copy to the consumer's 
last known address, or sending it via electronic mail to a consumer who 
obtains a financial product or service from the institution 
electronically. It would not be sufficient to provide only a posted 
copy of the notice in a lobby. Similarly, it would not be sufficient to 
provide the initial notice only on a Web page, unless the consumer is 
required to access that page to obtain the product or service in 
question. Electronic delivery generally should be in the form of 
electronic mail so as to ensure that a consumer actually receives the 
notice. In those circumstances where a consumer is in the process of 
conducting a transaction over the Internet, electronic delivery also 
may include posting the notice on a Web page as described above. If a 
financial institution and consumer orally agree to enter into a 
contract for a financial product or service over the telephone, the 
institution may provide the consumer with the option of receiving the 
initial notice after providing the product or service so as not to 
delay the transaction. The Agencies invite comment on the regulatory 
burden of providing the initial notices and on the methods financial 
institutions anticipate using to provide the notices.

[[Page 8776]]

    The Agencies recognize that in some circumstances a customer does 
not have a choice as to the institution with which he or she has a 
customer relationship, such as when an institution purchases the 
customer's loan in the secondary market. In these situations, it may 
not be practicable for the institution to provide a notice prior to 
establishing the customer relationship. The proposed rules provide that 
if a financial institution purchases a loan or assumes a deposit 
liability from another financial institution or in the secondary market 
and the customer does not have a choice about the purchase or 
assumption, the acquiring financial institution may provide the initial 
notice within a reasonable time thereafter. The Agencies invite comment 
on whether there are other similar situations for which an exception is 
necessary.
    The Agencies also recognize that certain consumers may have 
requested that a financial institution not send statements, notices, or 
other communications to them, such as in certain private banking 
relationships. The Agencies request comment on whether and how the 
rules should address these situations with respect to the notices 
required by these rules. The Agencies also request comment on whether 
there are other situations where providing notice by mail is 
impracticable.

Sec. __.5  Annual Notice to Customers Required

    Section 503 of the G-L-B Act requires a financial institution to 
provide notices of its privacy policies and practices at least annually 
to its customers. The proposed rules implement this requirement by 
requiring a clear and conspicuous notice that accurately reflects the 
privacy policies and practices then in effect to be provided at least 
once during any period of twelve consecutive months. The rules 
governing how to provide an initial notice also apply to annual 
notices.
    Section 503(a) of the G-L-B Act requires that the annual notices be 
provided ``during the continuation'' of a customer relationship. To 
implement this requirement, the proposed rules state that a financial 
institution is not required to provide annual notices to a customer 
with whom it no longer has a continuing relationship. The examples that 
follow this general rule provide guidance on when there no longer is a 
continuing relationship for purposes of the rules. These include, for 
instance, deposit accounts that are treated as dormant by a financial 
institution, loans that are paid in full or charged off, or assets sold 
without retaining servicing rights.
    There will be certain customer relationships (such as obtaining 
investment advice from a stock broker) that do not present a clear 
event after which there is no longer a customer relationship. The 
proposed rules contain an example intended to cover these situations, 
stating that a relationship will no longer be deemed continuing for 
purposes of the proposed rules if the financial institution has not 
communicated with a customer, other than providing an annual privacy 
policy notice, for a period of 12 consecutive months.
    The Agencies invite comment generally on whether the examples 
provided in proposed Sec. __.5 are adequate and on whether the proposed 
standard deeming an account relationship to have terminated after 12 
months of no communication is appropriate. The Agencies specifically 
request comment on whether, in the example of dormant accounts, the 
applicable standard should be the institution's policies or applicable 
State law. The Agencies also invite comment on the regulatory burden of 
providing the annual notices and on the methods financial institutions 
anticipate using to provide the notices.

Sec. __.6  Information To Be Included in Initial and Annual Notices of 
Privacy Policies and Practices

    Section 503 of the G-L-B Act identifies the items of information 
that must be included in a financial institution's initial and annual 
notices. Section 503(a) of the G-L-B Act sets out the general 
requirement that a financial institution must provide customers with a 
notice describing the institution's policies and practices with respect 
to, among other things, disclosing nonpublic personal information to 
affiliates and nonaffiliated third parties. Section 503(b) of the Act 
identifies certain elements that must be addressed in that notice.
    The required content is the same for both the initial and annual 
notices of privacy policies and practices. While the information 
contained in the notices must be accurate as of the time the notices 
are provided, a financial institution may prepare its notices based on 
current and anticipated policies and practices.
    The information to be included is as follows:
1. Categories of Nonpublic Personal Information That a Financial 
Institution May Collect
    Section 503(b)(2) requires a financial institution to inform its 
customers about the categories of nonpublic personal information that 
the institution collects. The proposed rules implement this requirement 
in Sec. __.6(a)(1) and provide an example of how to comply with this 
requirement that focuses the notice on the source of the information 
collected. As noted in the example, a financial institution will 
satisfy this requirement if it categorizes the information according to 
the sources, such as application information, transaction information, 
and consumer report information. Financial institutions may provide 
more detail about the categories of information collected but are not 
required to do so by the proposed rules.
2. Categories of Nonpublic Personal Information That a Financial 
Institution May Disclose
    Section 503(a)(1) of the G-L-B Act requires the financial 
institution's initial and annual notice to provide information about 
the categories of nonpublic personal information that may be disclosed 
either to affiliates or nonaffiliated third parties.
    The proposed rules implement this requirement in proposed 
Sec. __.6(a)(2). The examples of how to comply with this rule focus on 
the content of information to be disclosed. As stated in the relevant 
examples, a financial institution may satisfy this requirement by 
categorizing information according to source and providing illustrative 
examples of the content of the information. These categories might 
include application information (such as assets and income), 
identifying information (such as name, address, and social security 
number), transaction information (such as information about account 
activity, account balances, and purchases), and information from 
consumer reports (such as credit history).
    Financial institutions are free to provide more detailed 
information in the initial and annual notices if they choose to do so. 
Conversely, if a financial institution does not disclose, and does not 
intend to disclose, nonpublic personal information to affiliates or 
nonaffiliated third parties, its initial and annual notices may simply 
state this fact without further elaboration about categories of 
information disclosed.

[[Page 8777]]

3. Categories of Affiliates and Nonaffiliated Third Parties to Whom a 
Financial Institution Discloses Nonpublic Personal Information
    As previously noted, section 503(a) includes a general requirement 
that a financial institution provide a notice to its customers of the 
institution's policies and practices with respect to disclosing 
nonpublic personal information to affiliates and nonaffiliated third 
parties. Section 503(b) states that the notice required by section 
503(a) shall include certain specified items. Among those is the 
requirement, set out in section 503(b)(1), that a financial institution 
inform its customers about its policies and practices with respect to 
disclosing nonpublic personal information to nonaffiliated third 
parties. The Agencies believe that, when read together, sections 503(a) 
and 503(b) of the G-L-B Act require a financial institution's notice to 
address disclosures of nonpublic personal information to both 
affiliates and nonaffiliated third parties.
    The proposed rules implement this requirement in Sec. __.6(a)(3). 
The example illustrating how a financial institution may comply with 
the rules states that a financial institution will adequately 
categorize the affiliates and nonaffiliated third parties to whom it 
discloses nonpublic personal information about consumers if it 
identifies the types of businesses in which they engage. Types of 
businesses may be described by general terms, such as financial 
products or services, if the financial institution provides 
illustrative examples of the significant lines of businesses of the 
recipient, such as retail banking, mortgage lending, life insurance, or 
securities brokerage.
    The G-L-B Act does not require a financial institution to list the 
categories of persons to whom information may be disclosed pursuant to 
one of the exceptions set out in proposed Secs. __.10 and __.11. The 
proposed rules state that a financial institution is required only to 
inform consumers that it makes disclosures as permitted by law to 
nonaffiliated third parties in addition to those described in the 
notice. The Agencies invite comment on whether such a notice would be 
adequate.
    If a financial institution does not disclose, and does not intend 
to disclose, nonpublic personal information to affiliates or 
nonaffiliated third parties, its initial and annual notices may simply 
state this fact without further elaboration about categories of third 
parties.
4. Information About Former Customers
    Section 503(a)(2) of the Act requires the financial institution's 
initial and annual privacy notices to include the institution's 
policies and practices with respect to disclosing nonpublic personal 
information of persons who have ceased to be customers of the 
institution. Section 503(b)(1)(B) requires that this information be 
provided with respect to information disclosed to nonaffiliated third 
parties.
    The Agencies have concluded that, when read together, sections 
503(a)(2) and 503(b)(1)(B) require a financial institution to include 
in the initial and annual notices the institution's policies and 
practices with respect to sharing information about former customers 
with all affiliates and nonaffiliated third parties. This requirement 
is set out in the proposed rules at Sec. __.6(a)(4). This requirement 
does not require a financial institution to provide a notice and 
opportunity to opt out to a former customer before sharing nonpublic 
personal information about that former customer with an affiliate.
5. Information Disclosed to Service Providers
    Section 502(b)(2) of the G-L-B Act permits a financial institution 
to disclose nonpublic personal information about a consumer to a 
nonaffiliated third party for the purpose of the third party performing 
services for the institution, including marketing financial products or 
services under a joint agreement between the financial institution and 
at least one other financial institution. In this case, a consumer has 
no right to opt out, but the financial institution must inform the 
consumer that it will be disclosing the information in question unless 
the service falls within one of the exceptions listed in section 502(e) 
of the Act.
    The proposed rules implement these provisions, in Sec. __.6(a)(5), 
by requiring that, if a financial institution discloses nonpublic 
personal information to a nonaffiliated third party pursuant to the 
exception for service providers and joint marketing, the institution is 
to include in the initial and annual notices a separate description of 
the categories of information that are disclosed and the categories of 
third parties providing the services. A financial institution may 
comply with these requirements by providing the same level of detail in 
the notice as is required to satisfy the requirements in proposed 
Secs. __.6(a)(2) and (3).
6. Right to Opt Out
    As previously noted, sections 503(a)(1) and 503(b)(1) of the G-L-B 
Act require a financial institution to provide customers with a notice 
of its privacy policies and practices concerning, among other things, 
disclosing nonpublic personal information consistent with section 502 
of the Act.
    The proposed rules implement this requirement, in proposed 
Sec. __.6(a)(6), by requiring the initial and annual notices to explain 
the right to opt out of disclosures of nonpublic personal information 
to nonaffiliated third parties, including the methods available to 
exercise that right.
7. Disclosures Made Under the Fair Credit Reporting Act (FCRA)
    Section 503(b)(4) of the G-L-B Act requires a financial 
institution's initial and annual notice to include the disclosures 
required, if any, under section 603(d)(2)(A)(iii) of the FCRA. Section 
603(d)(2)(A)(iii) excludes from the definition of ``consumer report'' 
the communication of certain consumer information among affiliated 
entities if the consumer is notified about the disclosure of such 
information and given an opportunity to opt out of that information 
sharing. The information that can be shared among affiliates under this 
provision includes, for instance, information from consumer reports and 
applications for financial products or services. In general, this 
information represents personal information provided directly by the 
consumer to the institution, such as income and social security number, 
in addition to information contained within credit bureau reports.
    The proposed rules implement section 503(b)(4) of the G-L-B Act by 
including the requirement that a financial institution's initial and 
annual notice include any disclosures a financial institution makes 
under section 603(d)(2)(A)(iii) of the FCRA.
8. Confidentiality, Security, and Integrity
    Section 503(a)(3) of the G-L-B Act requires the initial and annual 
notices to provide information about a financial institution's policies 
and practices with respect to protecting the nonpublic personal 
information of consumers. Section 503(b)(3) of the Act requires the 
notices to include the policies that the institution maintains to 
protect the confidentiality and security of nonpublic personal 
information, in accordance with section 501 (which requires the 
Agencies to establish standards governing the administrative,

[[Page 8778]]

technical, and physical safeguards of customer information).
    The proposed rules implement these provisions by requiring a 
financial institution to include in the initial and annual notices the 
institution's policies and practices with respect to protecting the 
confidentiality, security, and integrity of nonpublic personal 
information. The relevant example in the proposed rules states that a 
financial institution may comply with the requirement as it concerns 
confidentiality and security if the institution explains matters such 
as who has access to the information and the circumstances under which 
the information may be accessed. The information about integrity should 
focus on the measures the institution takes to protect against 
reasonably anticipated threats or hazards. The proposed rules do not 
require a financial institution to provide technical or proprietary 
information about how it safeguards consumer information.
    The Agencies are in the process of preparing the section 501 
standards relating to administrative, technical, and physical 
safeguards, and anticipate having those standards in place at the time 
of the issuance of the final privacy rules. This will enable financial 
institutions to develop the initial and annual notices in light of 
those standards.

Sec. __.7  Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.

    Section 502(a) of the G-L-B Act generally prohibits a financial 
institution from sharing nonpublic personal information about a 
consumer with a nonaffiliated third party unless the institution 
provides the consumer with a notice of the institution's privacy 
policies and practices. Section 502(b) further requires that the 
financial institution provide the consumer with a clear and conspicuous 
notice that the consumer's nonpublic personal information may be 
disclosed to nonaffiliated third parties, that the consumer be given an 
opportunity to opt out of that disclosure, and that the consumer be 
informed of how to opt out.
    Section __.7 of the proposed rules implements these provisions. 
Paragraph (a)(1) of Sec. __.7 sets out the criteria that a financial 
institution must satisfy before disclosing nonpublic personal 
information to nonaffiliated third parties. As stated in the text of 
the proposed rules, these criteria apply to direct and indirect 
disclosures through an affiliate. The Agencies invite comment on how 
the right to opt out should apply in the case of joint accounts. 
Should, for instance, a financial institution require all parties to an 
account to opt out before the opt out becomes effective? If not and 
only one of the parties opts out, should the opt out apply only to 
information about the party opting out or should it apply to 
information about all parties to the account? The Agencies also request 
comment on how the opt out right should apply to commingled trust 
accounts, where a trustee manages a single account on behalf of 
multiple beneficiaries.
    Paragraph (a)(2) defines ``opt out'' in a way that incorporates the 
exceptions to the right to opt out stated in proposed Secs. __.9, 
__.10, and __.11.
    The proposed rules implement the requirement that a consumer be 
given an opportunity to opt out before information is disclosed by 
requiring that the opportunity be reasonable. The examples that follow 
the general rule provide guidance in situations involving notices that 
are mailed and notices that are provided in connection with isolated 
transactions. In the former case, a consumer will have a reasonable 
opportunity to opt out if the financial institution provides 30 days in 
which to opt out. In the latter case, an opportunity will be reasonable 
if the consumer must decide as part of the transaction whether to opt 
out before completing the transaction. The Agencies invite comment on 
whether 30 days is a reasonable opportunity to opt out in the case of 
notices sent by mail, and on whether an example in the context of 
transactions conducted using an electronic medium would be helpful.
    The requirement that a consumer have a reasonable opportunity to 
opt out does not mean that a consumer forfeits that right once the 
opportunity lapses. The consumer always has the right to opt out (as 
discussed further in proposed Sec. __.8, below). However, if an 
individual does not exercise that opt out right when first presented 
with an opportunity, the financial institution would be permitted to 
disclose nonpublic personal information to nonaffiliated third parties 
for the period of time necessary to implement the consumer's opt out 
direction.
    Paragraph (b) of proposed Sec. __.7 clarifies that the right to opt 
out applies regardless of whether a consumer has established a customer 
relationship with a financial institution. As noted above, all 
customers are consumers under the proposed rules. Thus, the fact that a 
consumer establishes a customer relationship with a financial 
institution does not change the institution's obligations to comply 
with the requirements of proposed Sec. __.7(a) before sharing nonpublic 
personal information about that consumer with nonaffiliated third 
parties. This also applies in the context of a consumer who had a 
customer relationship with a financial institution but then terminated 
that relationship. Paragraph (b) also clarifies that the consumer 
protections afforded by paragraph (a) of proposed Sec. __.7 apply to 
all nonpublic personal information collected by a financial 
institution, regardless of when collected. Thus, if a consumer elects 
to opt out of information sharing with nonaffiliated third parties, 
that election applies to all nonpublic personal information about that 
consumer in the financial institution's possession, regardless of when 
the information is obtained.
    Paragraph (c) of proposed Sec. __.7 states that a financial 
institution may, but is not required to, provide consumers with the 
option of a partial opt out in addition to the opt out required by this 
section. This could enable a consumer to limit, for instance, the types 
of information disclosed to nonaffiliated third parties or the types of 
recipients of the nonpublic personal information about that consumer. 
If the partial opt out option is provided, a financial institution must 
state this option in a way that clearly informs the consumer about the 
choices available and consequences thereof.

Sec. __.8  Form and Method of Providing Opt Out Notice to Consumers

    Paragraph (a) of proposed Sec. __.8 requires that any opt out 
notice provided by a financial institution pursuant to proposed 
Sec. __.7 be clear and conspicuous and accurately explain the right to 
opt out. The notice must inform the consumer that the institution may 
disclose nonpublic personal information to nonaffiliated third parties, 
state that the consumer has a right to opt out, and provide the 
consumer with a reasonable means by which to opt out.
    The examples that follow the general rule state that a financial 
institution will adequately provide notice of the right to opt out if 
it identifies the categories of information that may be disclosed and 
the categories of nonaffiliated third parties to whom the information 
may be disclosed and that the consumer may opt out of those 
disclosures. A financial institution that plans to disclose only 
limited types of information or to only a specific type of 
nonaffiliated third party may provide a correspondingly narrow notice 
to consumers. However, to minimize the number of opt out notices a 
financial institution must provide, the institution may wish to

[[Page 8779]]

base its notices on current and anticipated information sharing plans. 
A new opt out notice is not required for disclosures to different types 
of nonaffiliated third parties or of different types of information, 
provided that the most recent opt out notice is sufficiently broad to 
cover the entities or information in question. Nor is a financial 
institution required to provide subsequent opt out notices when a 
consumer establishes a new type of customer relationship with that 
financial institution, unless the institution's opt out policies differ 
depending on the type of customer relationship.
    The examples also suggest several ways in which a financial 
institution may provide reasonable means to opt out, including check-
off boxes, reply forms, and electronic mail addresses. A financial 
institution does not provide a reasonable means to opt out if the only 
means provided is for a consumer to write his or her own letter to the 
institution to exercise the right, although an institution may honor 
such a letter if received.
    Paragraph (b) applies the same rules to delivery of the opt out 
notice that apply to delivery of the initial and annual notices. In 
addition, paragraph (b) clarifies that the opt out notice may be 
provided together with, or on the same form as, the initial and annual 
notices. However, if the opt out notice is provided after the initial 
notice, a financial institution must provide a copy of the initial 
notice along with the opt out notice. If a financial institution and 
consumer orally agree to enter into a customer relationship, the 
institution may provide the opt out notice within a reasonable time 
thereafter if the consumer agrees. The Agencies invite comment on 
whether a more specific time by which the notice must be given would be 
appropriate.
    Paragraph (c) sets out the rules governing a financial 
institution's obligations in the event the institution changes its 
disclosure policies. As stated in that paragraph, a financial 
institution may not disclose nonpublic personal information to a 
nonaffiliated third party unless the institution first provides a 
revised notice and new opportunity to opt out. The institution must 
wait a reasonable period of time before disclosing information 
according to the terms of the revised notice in order to afford the 
consumer a reasonable opportunity to opt out. A financial institution 
must provide the revised notice of its policies and practices and opt 
out notice to a consumer using the means permitted for providing the 
initial notice and opt out notice to that consumer under Sec. __.4(c) 
and Sec. __.8(b), respectively, which require that the notices be given 
in a manner so that each consumer can reasonably be expected to receive 
actual notice in writing or, if the consumer agrees, in electronic 
form.
    Paragraph (d) states that a consumer has the right to opt out at 
any time. The Agencies considered whether to include a time limit by 
which financial institutions must effectuate a consumer's opt out 
election, but decided that the wide variety of practices of financial 
institutions made one limit inappropriate. Instead, the Agencies' rules 
require that disclosures stop as soon as reasonably practicable.
    Paragraph (e) states that an opt out will continue until a consumer 
revokes it. The rules require that such revocation be in writing, or, 
if the consumer has agreed, electronically.
    The Agencies invite comment on the likely burden of complying with 
the requirement to provide opt out notices, the methods financial 
institutions anticipate using to deliver the opt out notices, and the 
approximate number of opt out notices they expect to deliver and 
process.

Sec. __.9  Exception to Opt Out Requirements for Service Providers and 
Joint Marketing

    Section 502(b) of the G-L-B Act creates an exception to the opt out 
rules for the disclosure of information to a nonaffiliated third party 
for use by the third party to perform services for, or functions on 
behalf of, the financial institution, including the marketing of the 
financial institution's own products or services or financial products 
or services offered pursuant to a joint agreement between two or more 
financial institutions. A consumer will not have the right to opt out 
of disclosing nonpublic personal information about the consumer to 
nonaffiliated third parties under these circumstances, if the financial 
institution satisfies certain requirements.
    First, the institution must, as stated in section 502(b), ``fully 
disclose'' to the consumer that it will provide this information to the 
nonaffiliated third party before the information is shared. This 
disclosure should be provided as part of the initial notice that is 
required by Sec. __.4. The Agencies invite comment on whether the 
proposed rules appropriately implement the ``fully disclose'' 
requirement in section 502(b)(2).
    Second, the financial institution must enter into a contract with 
the third party that requires the third party to maintain the 
confidentiality of the information. This contract should be designed to 
ensure that the third party: (a) Will maintain the confidentiality of 
the information at least to the same extent as is required for the 
financial institution that discloses it; and (b) will use the 
information solely for the purposes for which the information is 
disclosed or as otherwise permitted by Secs. __.10 and __.11 of the 
proposed rules. The Agencies invite comment on the application of 
proposed Sec. __.9(a)(2)(ii) in the context of financial institutions 
that contract with credit scoring vendors to evaluate borrower 
creditworthiness. Specifically, would that section prohibit the vendor 
from also using the consumers' information without the indicators of 
personal identity to help improve its scoring models?
    The G-L-B Act allows the Agencies to impose requirements on the 
disclosure of information pursuant to the exception for service 
providers beyond those imposed in the statute. The Agencies have not 
done so in the proposed rules, but invite comment on whether additional 
requirements should be imposed, and, if so, what those requirements 
should address. The Agencies note, for instance, that joint agreements 
have the potential to create reputation risk and legal risk for a 
financial institution entering into such an agreement. The Agencies 
seek comment on whether the rules should require a financial 
institution to take steps to assure itself that the product being 
jointly marketed and the other participants in the joint marketing 
agreement do not present undue risks for the institution. These steps 
might include, for instance, ensuring that the financial institution's 
sponsorship of the product or service in question is evident from the 
marketing of that product or service. The Agencies also invite comments 
on any other requirements that would be appropriate to protect a 
consumer's financial privacy, and on whether the rules should provide 
examples of the types of joint agreements that are covered.

Sec. __.10  Exceptions to Notice and Opt Out Requirements for 
Processing and Servicing Transactions

    Section 502(e) of the G-L-B Act creates exceptions to the 
requirements that apply to the disclosure of nonpublic personal 
information to nonaffiliated third parties. Paragraph (1) of that 
section sets out certain exceptions for disclosures made, generally 
speaking, in connection with the administration, processing, servicing, 
and sale of a consumer's account.

[[Page 8780]]

    Paragraph (a) of proposed Sec. __.10 sets out those exceptions, 
making only stylistic changes to the statutory text that are intended 
to make the exceptions easier to read. Paragraph (b) sets out the 
definition of ``necessary to effect, administer, or enforce'' that is 
contained in section 509(7) of the G-L-B Act, making only stylistic 
changes intended to clarify the definition.
    The exceptions set out in proposed Sec. __.10, and the exceptions 
discussed in proposed Sec. __.11, below, do not affect a financial 
institution's obligation to provide initial notices of its privacy 
policies and practices prior to the time it establishes a customer 
relationship and annual notices thereafter. Those notices must be 
provided to all customers, even if the institution intends to disclose 
the nonpublic personal information only pursuant to the exceptions in 
proposed Sec. __.10.

Sec. __.11  Other exceptions to notice and opt out requirements.

    As noted above, section 502(e) contains several exceptions to the 
requirements that otherwise would apply to the disclosures of nonpublic 
personal information to nonaffiliated third parties. Proposed 
Sec. __.11 sets out those exceptions that are not made in connection 
with the administration, processing, servicing, and sale of a 
consumer's account, and makes stylistic changes intended to clarify the 
exceptions.
    One of the exceptions stated in proposed Sec. __.11 is for 
disclosures made with the consent or at the direction of the consumer, 
provided the consumer has not revoked the consent. Following the list 
of exceptions is an example of consent in which a financial institution 
that has received an application from a consumer for a mortgage loan 
informs a nonaffiliated insurance company that the consumer has applied 
for a loan so that the insurance company can contact the person about 
homeowner's insurance. Consent in such a situation would enable the 
financial institution to make the disclosure to the third party without 
first providing the initial notice required by Sec. __.4 or the opt out 
notice required by Sec. __.7, but the disclosure must not exceed the 
purposes for which consent was given. The example also states that 
consent may be revoked by a consumer at any time by the consumer 
exercising the right to opt out of future disclosures. The Agencies 
invite comment on whether safeguards should be added to the exception 
for consent in order to minimize the potential for consumer confusion. 
Such safeguards might include, for instance, a requirement that consent 
be written, that it be indicated on a separate signature line in a 
relevant document or on a distinct Web page, or that it may be 
effective for only a limited period of time.

Sec. __.12  Limits on Redisclosure and Reuse of Information

    Section __.12 of the proposed rules implements the Act's 
limitations on redisclosure and reuse of nonpublic personal information 
about consumers. Section 502(c) of the Act provides that a 
nonaffiliated third party that receives nonpublic personal information 
from a financial institution shall not, directly or indirectly through 
an affiliate, disclose the information to any person that is not 
affiliated with either the financial institution or the third party, 
unless the disclosure would be lawful if made directly by the financial 
institution. Paragraph (a)(1) sets out the Act's redisclosure 
limitation as it applies to a financial institution that receives 
information from another nonaffiliated financial institution. Paragraph 
(b)(1) mirrors the provisions of paragraph (a)(1), but applies the 
redisclosure limits to any nonaffiliated third party that receives 
nonpublic personal information from a financial institution.
    The Act appears to place the institution that receives the 
information into the shoes of the institution that disclosed the 
information for purposes of determining whether redisclosures by the 
receiving institution are ``lawful.'' Thus, the Act appears to permit 
the receiving institution to redisclose the information to: (1) An 
entity to whom the original transferring institution could disclose the 
information pursuant to one of the exceptions in Secs. __.9, __.10, or 
;__.11, or (2) an entity to whom the original transferring institution 
could have disclosed the information as described under its notice of 
privacy policies and practices, unless the consumer has exercised the 
right to opt out of that disclosure. Because a consumer can exercise 
the right to opt out of a disclosure at any time, the Act may 
effectively preclude third parties that receive information to which 
the opt out right applies from redisclosing the information, except 
pursuant to one of the exceptions in Secs. __.9, __.10, or __.11. The 
Agencies invite comment on whether the rules should require a financial 
institution that discloses nonpublic personal information to a 
nonaffiliated third party to develop policies and procedures to ensure 
that the third party complies with the limits on redisclosure of that 
information.
    Sections 502(b)(2) and 502(e) (as implemented by Secs. __.9, __.10, 
and __.11 of the proposed rules) describe when a financial institution 
may disclose nonpublic personal information without providing the 
consumer with the initial privacy notice and an opportunity to opt out, 
but those exceptions apply only when the information is used for the 
specific purposes set out in those sections. Paragraph (a)(2) of 
proposed Sec. __.12 clarifies this limitation on reuse as it applies to 
financial institutions. Paragraph (a)(2) provides that a financial 
institution may use nonpublic personal information about a consumer 
that it receives from a nonaffiliated financial institution in 
accordance with an exception under Secs. __.9, __.10, or __.11 only for 
the purpose of that exception. Paragraph (b)(2) applies the same limits 
on reuse to any nonaffiliated third party that receives nonpublic 
personal information from a financial institution. The Agencies request 
comment on whether proposed Secs. __.12(a)(2) and __.12(b)(2) would 
restrict a nonaffiliated third party from using information obtained in 
accordance with the exceptions in Secs. __.9, __.10, and __.11 for 
purposes beyond the scope of those exceptions if the information is not 
used in a personally identifiable form. This might occur, for example, 
in the case of a credit scoring vendor using information to improve its 
scoring models.
    The Agencies invite comments on the meaning of the word ``lawful'' 
as that term is used in section 502(c). The Agencies specifically 
solicit comment on whether it would be lawful for a nonaffiliated third 
party to disclose information pursuant to the exception provided in 
proposed Sec. __.9 of the rules. Under that exception, a financial 
institution must comply with certain requirements before disclosing 
information to a nonaffiliated third party. Given that the statute and 
proposed rules impose those requirements on the financial institution 
making the initial disclosure, the Agencies invite comment on whether 
subsequent disclosures by the third party could satisfy the requirement 
that those disclosures be lawful when the financial institution is not 
party to the subsequent disclosure.

Sec. __.13  Limits on Sharing of Account Number Information for 
Marketing Purposes

    Section 502(d) of the G-L-B Act prohibits a financial institution 
from disclosing, other than to a consumer reporting agency, account 
numbers or similar form of access number or access code for a credit 
card account, deposit account, or transaction account of a

[[Page 8781]]

consumer to any nonaffiliated third party for use in telemarketing, 
direct mail marketing, or other marketing through electronic mail to 
the consumer. Proposed Sec. __.13 applies this statutory prohibition to 
disclosures made directly or indirectly by a financial institution.
    The Agencies note that there is no exception in Title V to the flat 
prohibition established by section 502(d). The Statement of Managers 
contained in the Conference Report to S. 900 encourages the Agencies to 
adopt an exception to section 502(d) to permit disclosures of account 
numbers in limited instances. It states:

    In exercising their authority under section 504(b) [which vests 
the Agencies with authority to grant exceptions to section 502(a)-
(d) beyond those set out in the statute], the agencies and 
authorities described in section 504(a)(1) may consider it 
consistent with the purposes of this subtitle to permit the 
disclosure of customer account numbers or similar forms of access 
numbers or access codes in an encrypted, scrambled, or similarly 
coded form, where the disclosure is expressly authorized by the 
customer and is necessary to service or process a transaction 
expressly requested or authorized by the customer.

Managers' Statement at 18. The Agencies have not proposed an exception 
to the prohibition of section 502(d) because of the risks associated 
with third parties' direct access to a consumer's account. The Agencies 
seek comment on whether an exception to the section 502(d) prohibition 
that permits third parties access to account numbers is appropriate, 
the circumstances under which an exception would be appropriate, and 
how such an exception should be formulated to provide consumers with 
adequate protection. The Agencies also seek comment on whether a flat 
prohibition as set out in section 502(d) might unintentionally disrupt 
certain routine practices, such as the disclosure of account numbers to 
a service provider who handles the preparation and distribution of 
monthly checking account statements for a financial institution coupled 
with a request by the institution that the service provider include 
literature with the statement about a product. In addition, the 
Agencies invite comment on whether a consumer ought to be able to 
consent to the disclosure of his or her account number, notwithstanding 
the general prohibition in section 502(d) and, if so, what standards 
should apply. The Agencies also seek comment on whether section 502(d) 
prohibits the disclosure by a financial institution to a marketing firm 
of encrypted account numbers if the financial institution does not 
provide the marketer the key to decrypt the number.

Sec. __.14  Protection of Fair Credit Reporting Act

    Section 506 makes several amendments to the FCRA to vest rulemaking 
authority in various agencies and to restore the Agencies' regular 
examination authority. Paragraph (c) of section 506 states that, except 
for the amendments noted regarding rulemaking authority, nothing in 
Title V is to be construed to modify, limit, or supersede the operation 
of the FCRA, and no inference is to be drawn on the basis of the 
provisions of Title V whether information is transaction or experience 
information under section 603 of the FCRA.
    Proposed Sec. __.14 implements section 506(c) of the G-L-B Act by 
restating the statute, making only minor stylistic changes intended to 
make the rule clearer.

Sec. __.15  Relation to State Laws

    Section 507 of the G-L-B Act states, in essence, that Title V does 
not preempt any State law that provides greater protections than are 
provided by Title V. Determinations of whether a State law or Title V 
provides greater protections are to be made by the Federal Trade 
Commission (FTC) after consultation with the agency that regulates 
either the party filing a complaint or the financial institution about 
whom the complaint was filed. Determinations of whether State or 
Federal law afford greater protections may be initiated by any 
interested party or on the FTC's own motion.
    Proposed Sec. __.15 is substantively identical to section 507, 
noting that the proposed rules (as opposed to the statute) do not 
preempt State laws that provide greater protection for consumers than 
do the rules.

Sec. __.16  Effective Date; Transition Rule

    Section 510 of the G-L-B Act states that, as a general rule, the 
relevant provisions of Title V take effect 6 months after the date on 
which rules are required to be prescribed. However, section 510(1) 
authorizes the Agencies to prescribe a later date in the rules enacted 
pursuant to section 504.
    Proposed Sec. __.16 states, in paragraph (a), an effective date of 
November 13, 2000. This assumes that a final rule will be adopted 
within the time frame prescribed by section 504(a)(3). The Agencies 
intend to provide at least six months following the adoption of a final 
rule for financial institutions to bring their policies and procedures 
into compliance with the requirements of the final rule. The Agencies 
invite comment on whether six months following adoption of final rules 
is sufficient to enable financial institutions to comply with the 
rules.
    Paragraph (b) of proposed Sec. __.16 provides a transition rule for 
consumers who were customers as of the effective date of the rules. 
Since those customer relationships already will have been established 
as of the rules' effective date (thereby making it inappropriate to 
require a financial institution to provide those customers with a copy 
of the institution's initial notice at the time of establishing a 
customer relationship), the rules require instead that the initial 
notice be provided within 30 days of the effective date. The Agencies 
invite comment on whether 30 days is enough time to permit a financial 
institution to deliver the required notices, bearing in mind that the 
G-L-B Act contemplates at least a six-month delayed effective date from 
the date the rules are adopted.
    If a financial institution intends to disclose nonpublic personal 
information about someone who was a consumer before the effective date, 
the institution must provide the notices required by Secs. __.4 and 
__.7 and provide a reasonable opportunity to opt out before the 
effective date. If, in this instance, the institution already is 
disclosing information about such a consumer, it may continue to do so 
without interruption until the consumer opts out, in which case the 
institution must stop disclosing nonpublic personal information about 
that consumer to nonaffiliated third parties as soon as reasonably 
practicable.

III. FDIC's New Electronic Public Comment Site

    The FDIC has developed a new page on its web site to facilitate the 
submission of electronic comments in response to this general 
solicitation (the EPC site). The EPC site provides an alternative to 
the written letter and may be a more convenient way for you to submit 
your comments. Commenting through the EPC site will assist the FDIC to 
more accurately and efficiently analyze comments submitted 
electronically. If you submit your comments through the EPC site your 
comments will receive the same consideration that they would receive if 
submitted in hard copy to the FDIC's street address. Information 
provided through the EPC site will be used by the FDIC only to assist 
in its analysis of the proposed regulation. The FDIC will not use an 
individual's name or any other personal identifier of an individual to 
retrieve records or information

[[Page 8782]]

submitted through the EPC site. Like comments submitted in hard copy to 
the FDIC's street address, EPC site comments will be made available in 
their entirety (including the commenter's name and address if the 
commenter chooses to provide them) for public inspection.
    The EPC site will be available on the FDIC's home page at http://www.fdic. gov. You will be able to provide general comments or comments 
on any specific sections of, or questions on, the proposed rule. You 
will also be able to view the regulation and Supplementary Information 
sections that relate to your comments directly on the site. Once you 
have finished commenting on the sections of interest to you, you may 
indicate your general approval or disapproval of the proposed 
regulation by answering the following question: Does the proposed 
regulation appropriately implement the G-L-B Act to provide the full 
extent of privacy protections intended by the Act?   [Yes/No].
    If you choose to answer this question, your response will be used 
in the FDIC's analysis of public comment on the regulation. The FDIC 
encourages you to provide written comments in the spaces provided in 
addition to responding to this specific question. Written comments 
enable the FDIC to thoughtfully consider possible changes to the 
proposed regulation.
    The FDIC is also interested in your feedback on the EPC site. We 
have provided a space for you to comment on the site itself. Answers to 
this question will help the FDIC evaluate the EPC site for use in 
future rulemaking.
    At the conclusion of the EPC site you will have an opportunity to 
provide us with your name, indicate whether you are an individual, 
bank, trade association, or government agency, and provide the name of 
the organization you represent, if applicable. Whether you choose to 
respond to these questions is entirely up to you. Any responses 
received may help the FDIC to better understand the public comments it 
receives.

IV. Regulatory Analysis

A. Paperwork Reduction Act

    The Agencies invite comment on:
    (1) Whether the collections of information contained in this notice 
of proposed rulemaking are necessary for the proper performance of each 
Agency's functions, including whether the information has practical 
utility;
    (2) The accuracy of each Agency's estimate of the burden of the 
proposed information collections;
    (3) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (4) Ways to minimize the burden of the information collections on 
respondents, including the use of automated collection techniques or 
other forms of information technology; and
    (5) Estimates of capital or start-up costs and costs of operation, 
maintenance, and purchases of services to provide information.
    Recordkeepers are not required to respond to these collections of 
information unless they display a currently valid Office of Management 
and Budget (OMB) control number. The agencies are currently requesting 
their respective control numbers for these information collections from 
OMB.
    This proposed regulation contains several disclosure requirements. 
The respondents must prepare and provide the initial notice to all 
current customers and all new customers at the time of establishing a 
customer relationship (proposed Sec. __.4(a)). Subsequently, an annual 
notice must be provided to all customers at least once during a twelve-
month period during the continuation of the customer relationship 
(proposed Sec. __.5(a)). The opt out notice (and partial opt out 
notice, if applicable; see proposed Sec. __.7(a)(1)(iii)) must be 
provided prior to disclosing nonpublic personal information to certain 
nonaffiliated third parties. If a financial institution wishes to 
disclose information in a way that is inconsistent with the notices 
previously given to a consumer, the institution must provide consumers 
with revised notices (proposed Sec. __.8(c)).
    The proposed regulation also contains consumer reporting 
requirements. In order for consumers to opt out, they must respond to 
the institution's opt out notice (proposed Secs. __.7(a)(2), (a)(3)(i), 
and (c)). At any time during their continued relationship with the 
institution, consumers have the right to change or update their opt out 
status with the institution (proposed Secs. __.8(d) and (e)). The 
Agencies request public comment on all aspects of the collections of 
information contained in this proposed rule, including consumer 
responses to the opt-out notice and consumer changes to their opt-out 
status with an institution. In light of the uncertainty regarding what 
institutions will do to comply with the opt-out requirements and how 
consumers will react, the Agencies estimate a nominal burden stemming 
from consumer responses of one hour per institution, and will revisit 
this estimate in light of the comments received.

    OCC: The collection of information requirements contained in this 
notice of proposed rulemaking have been submitted to the Office of 
Management and Budget for review in accordance with the Paperwork 
Reduction Act of 1995 (44 U.S.C. 3507(d)). Comments on the collections 
of information should be sent to the Office of Management and Budget, 
Paperwork Reduction Project (1557--to be assigned), Washington, DC 
20503, with copies to the Legislative and Regulatory Activities 
Division (1557--to be assigned), Office of the Comptroller of the 
Currency, 250 E Street, SW, Washington, DC 20219.
    The likely respondents are national banks, District of Columbia 
banks, and Federal branches and agencies of foreign banks.
    Estimated average annual burden hours per bank respondent: 45.
    Estimated number of bank respondents: 2,400.
    Estimated total annual reporting burden: 108,000 hours.

    Board: In accordance with section 3506 of the Paperwork Reduction 
Act of 1995 (44 U.S.C. Ch. 35; 5 CFR 1320, appendix A.1), the Board 
reviewed the notice of proposed rulemaking under the authority 
delegated to the Board by the OMB. Comments on the collections of 
information should be sent to Mary M. West, Chief, Financial Reports 
Section, Division of Research and Statistics, Mail Stop 97, Board of 
Governors of the Federal Reserve System, Washington, DC 20551, with a 
copy to the Office of Management and Budget, Paperwork Reduction 
Project (7100--to be assigned), Washington, DC 20503.
    The likely respondents are state member banks, bank holding 
companies, affiliates and certain non-bank subsidiaries of bank holding 
companies, uninsured state agencies and branches of foreign banks, 
commercial lending companies owned or controlled by foreign banks, and 
Edge and agreement corporations.
    Estimated number of respondents: 9500.
    Estimated average annual burden hours per respondent: 45 hours.
    Estimated total annual reporting and disclosure burden: 427,500.

    FDIC: The collections of information contained in the notice of 
proposed rulemaking will be submitted to the OMB in accordance with the 
Paperwork Reduction Act of 1995. 44 U.S.C. 3507. The FDIC will use any 
comments received to develop its new burden estimates. Comments on the 
collections

[[Page 8783]]

of information should be sent to Steven F. Hanft, Office of the 
Executive Secretary, Federal Deposit Insurance Corporation, 550 17th 
Street, NW, Washington, DC 20429, with a copy to the Office of 
Management and Budget, Paperwork Reduction Project (3064--to be 
assigned), Washington, DC 20503.
    The likely respondents are insured nonmember banks.
    Estimated number of respondents: 5,764.
    Estimated average annual burden hours per respondent: 45 hours.
    Estimated total annual reporting and disclosure burden: 259,380 
hours.

    OTS: The collection of information requirements contained in the 
notice of proposed rulemaking will be submitted to the OMB in 
accordance with the Paperwork Reduction Act of 1995. 44 U.S.C. 3507. 
The OTS will use any comments received to develop its new burden 
estimates. Comments on the collection of information should be sent to 
the Dissemination Branch (1550-AB36), Office of Thrift Supervision, 
1700 G Street, NW, Washington, DC 20552, with a copy to the Office of 
Management and Budget, Paperwork Reduction Project (1550-AB36), 
Washington, DC 20503.
    The likely respondents are savings associations.
    Estimated number of respondents: 1,104.
    Estimated average annual burden hours per respondent: 45 hours.
    Estimated total annual disclosure and recordkeeping burden: 49,680 
hours.

B. Regulatory Flexibility Act

    OCC: Under the Regulatory Flexibility Act (RFA), the OCC must 
either provide an Initial Regulatory Flexibility Analysis (IRFA) with a 
proposed rule or certify that the proposed rule would not have a 
significant economic impact on a substantial number of small entities. 
The OCC has decided to publish the following analysis and invites the 
public's comments on the propose rule's impact on small entities (i.e., 
for purposes of RFA, small entities include banks with less than $100 
million in assets).
A. Reasons for and Objectives of the Proposed Rule; Legal Basis for 
Rule
    The proposed rule implements provisions of Title V, Subtitle A of 
the G-L-B Act addressing consumer privacy. In general, these statutory 
provisions require banks to provide notice to consumers about an 
institution's privacy policies and practices, restrict the ability of a 
bank to share nonpublic personal information about consumers to 
nonaffiliated third parties, and permit consumers to prevent the 
institution from disclosing nonpublic personal information about them 
to certain non-affiliated third parties by ``opting out'' of that 
disclosure.
    The notice and opt out requirements are imposed by Title V, 
Subtitle A of the G-L-B Act, and are to become effective within one 
year from the date the Act was signed into law. Section 504 of the G-L-
B Act authorizes the OCC to prescribe ``such regulations as may be 
necessary'' to carry out the purposes of Title V, Subtitle A. The OCC 
believes that a regulatory promulgation gives the private sector 
greater certainty on how to comply with the statute and clearer 
guidance regarding how it will be enforced.
B. Requirements of the Proposed Rule; Description of Small Entities to 
Whom Rule Would Apply
    Subject to certain exceptions explained below, the proposed rule 
generally requires that a bank provide all of its customers the 
following notices: (1) An initial privacy notice (prior to the time the 
customer relationship is established or, for existing customers, within 
30 days of the rule's effective date); (2) an opt out notice (prior to 
the disclosing of the individual's nonpublic personal information to 
nonaffiliated third parties); and (3) an annual privacy notice for the 
duration of the customer relationship. A bank's ``customer'' is a 
consumer with whom the bank has a ``continuing relationship'' (e.g., an 
ongoing deposit or loan relationship--but does not include a transient 
relationship, such as the mere purchase of traveler's checks from the 
bank).
    The proposed rule also requires a bank to provide its consumers an 
initial privacy notice and an opt out notice prior to disclosing the 
individual's nonpublic personal information with nonaffiliated third 
parties. If the bank does not intend to share such information about 
its consumers, then no privacy or opt out notice need be given. A 
bank's ``consumer,'' which is a broader concept than ``customer,'' 
includes: (1) Individuals who have applied to the bank for a financial 
service or product; and (2) individuals who have purchased a product or 
service that results in a transient (as opposed to continuing) 
relationship (e.g., mere purchase of traveler's checks from a bank).
    There are a host of exceptions to the general rules stated above. A 
bank may share a consumer's nonpublic personal information with 
nonaffiliated third parties without having to give a privacy and opt 
out notice if, for example, such sharing is necessary: (1) To effect, 
administer, or enforce a transaction requested or authorized by the 
consumer; (2) to protect the security of records pertaining to the 
consumer, service, product, or transaction; (3) to protect against or 
prevent actual or potential fraud, unauthorized transactions, claims or 
other liability; or (4) to provide information to rating agencies or 
the bank's attorneys, auditors, and accountants. Also, in cases where a 
bank enters into a contract with a nonaffiliated third party to 
undertake joint marketing or to have the third party perform certain 
functions on behalf of the bank, no opt out notice must be given. In 
such an instance, the bank must disclose to the consumer that it is 
providing the information and enter into a contract with the third 
party that restricts the third party's use of the information and 
requires the third party to maintain confidentiality of the 
information.
    Because the relevant statute did not provide a general exception 
for small banks, the proposed rule would apply to all banks, regardless 
of size, including those with assets of $100 million or less. As of 
September 30, 1999, 1213 (of 2,383 total) national banks had assets of 
$100 million or less.
    Compliance requirements will vary depending, for example, upon a 
bank's information sharing practices, whether the bank already has or 
discloses a privacy policy, and whether the bank already has an opt-out 
mechanism in place pursuant to the Fair Credit Reporting Act.
    As part of the requirement to provide a privacy notice, a bank's 
practices regarding its collection, sharing, and safeguarding of 
certain nonpublic personal information must be summarized in writing in 
a form that is required or permitted by the proposed regulation. 
However, if the bank does not share such information (or shares only to 
the extent permitted under the exceptions), its privacy notice may be 
streamlined. Various surveys suggest that a majority of banks already 
have privacy policies in place as part of usual and customary business 
practices. For these institutions, the costs for translating that 
policy into a notice format should be minimal.
    Further, to minimize the burden and costs of distributing privacy 
policies, the proposed regulation allows each bank to choose the method 
by which it will distribute required notices. For example, banks may 
include an annual privacy notice with periodic account statements that 
the bank already sends to the customer. Also, the initial privacy

[[Page 8784]]

notice may be provided with other already-required disclosure 
statements, such as those required under the Truth in Lending Act.
    The OCC believes that the burden imposed by the opt out requirement 
will be minimized to the extent that a bank must give opt out notices 
under the FCRA. Under the FCRA, a bank must have an opt out mechanism 
in place if the bank: (1) Shares certain consumer information (i.e., 
application or credit report information) with its affiliates, and (2) 
does not want to be treated as a consumer reporting agency (as will 
usually be the case). For a bank that gives FCRA notices and that wants 
to share nonpublic personal information with nonaffiliated third 
parties, the bank should be able to adapt its existing opt out 
mechanism to accommodate the requirements of the proposed rule. Of 
course, a bank need not provide any opt-out notices or set up any opt-
out mechanism if it will only be sharing nonpublic information with 
nonaffiliated third parties to the extent permitted by one of the many 
exceptions permitted in the proposed rule.
    Professional skills needed to comply with the proposed rule may 
include clerical, computer systems, personnel training, as well as 
legal drafting and advice. The information collection requirements 
imposed by the G-L-B Act and the proposed rule are further addressed in 
the section titled, ``Paperwork Reduction Act.''
C. Relevant Federal Rules Which May Duplicate, Overlap or Conflict With 
the Proposed Rule
    While the scope of the proposed regulation (pursuant to the G-L-B 
Act) is unique, there may be some overlap in certain circumstances with 
the following: As noted above, the Fair Credit Reporting Act requires a 
bank that: (1) Does not want to be treated as a consumer reporting 
agency; and (2) desires to share certain consumer information (i.e., 
application or credit report information) with its affiliates, to 
provide the consumer with a clear and conspicuous notice and an 
opportunity to opt out of such information sharing. Also, at the time a 
consumer contracts for an electronic fund transfer service, the 
Electronic Funds Transfer Act requires the terms and conditions of such 
transfer to be disclosed, including under what circumstances the bank 
will in the ordinary course of business disclose information concerning 
the consumer's account to third persons. The recently proposed 
Department of Health and Human Services regulations \6\ that implement 
the Health Insurance Portability and Accountability Act of 1996 would, 
if adopted in final form, limit the circumstances under which medical 
information may be disclosed. Finally, the Children's Online Privacy 
Protection Act (under which the Federal banking agencies are charged 
with enforcement of implementing regulations promulgated by the Federal 
Trade Commission) generally requires online service operators 
collecting personal information from a child to obtain parental consent 
and post a privacy notice on the web site. The OCC seeks comment on 
additional Federal rules that may duplicate, overlap, or conflict with 
the proposal.
---------------------------------------------------------------------------

    \6\ 64 FR 59918 (Nov. 3, 1999).
---------------------------------------------------------------------------

D. Significant Alternatives to the Proposed Rule That Minimize the 
Impact on Small Entities
    As previously noted, the proposed rule's requirements are expressly 
mandated by the G-L-B Act. The proposed rule attempts to clarify, 
consolidate, and simplify the statutory requirements for all covered 
entities, including small entities. The proposed rule also provides 
substantial flexibility so that any bank, regardless of size, may 
tailor its practices to its individual needs. While the OCC may grant 
exceptions to the opt out requirements set out in sections 502 (a) 
through (d), section 504(b) of the G-L-B Act requires such exceptions 
to be ``consistent with the purposes of this subtitle [i.e., Subtitle A 
of Title V].'' As stated in section 501(a) of the Act, ``It is the 
policy of the Congress that each financial institution has an 
affirmative and continuing obligation to respect the privacy of its 
customers and to protect the security and confidentiality of those 
customers' nonpublic personal information.'' (Emphasis added.) The OCC 
believes that an exception that would create different levels of 
protections for consumers based on the size of the institution with 
whom they conduct business would not be consistent with the purposes of 
Subtitle A. The OCC welcomes comment on any significant alternatives, 
consistent with the G-L-B Act, that would minimize the impact on small 
entities.
    Board: The Regulatory Flexibility Act (5 U.S.C. 603) requires an 
agency to publish an initial regulatory flexibility analysis with any 
notice of proposed rulemaking. A description of the reasons why action 
by the agency is being considered and a statement of the objectives of, 
and legal basis for, the proposed rule, are contained in the 
supplementary material above. The Board's proposed rule will apply to 
the following institutions (numbers approximate):

------------------------------------------------------------------------
                                                                Approx.
                     Type of institution                          No.
------------------------------------------------------------------------
State member banks..........................................       1,000
Bank holding companies......................................       5,900
Bank holding company subsidiaries...........................       2,100
U.S. branches and agencies of foreign banks.................         400
Edge/Agreement corporations, commercial lending companies...         100
                                                             -----------
    Total...................................................       9,500
------------------------------------------------------------------------

    The Board estimates that over 4,500 of the respondents could be 
considered small institutions with assets less than $100 million.
    Overlap with other Federal rules. While the scope of the proposed 
regulation (pursuant to the G-L-B Act) is unique, it may, in certain 
circumstances, overlap with the following statutes and regulations:
    1. The Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)) requires a 
bank that: (1) Does not want to be treated as a consumer reporting 
agency; and (2) desires to share certain consumer information (that is, 
application or credit report information) with its affiliates, to 
provide the consumer with a clear and conspicuous notice and an 
opportunity to opt out of such information sharing.
    2. At the time a consumer contracts for an electronic fund transfer 
service, the Electronic Funds Transfer Act (15 U.S.C. 1693c(a)(9)) 
requires the terms and conditions of such transfer to be disclosed, 
including under what circumstances the bank will in the ordinary course 
of business disclose information concerning the consumer's account to 
third persons.
    3. The recently proposed Department of Health and Human Services 
regulations \7\ that implement the Health Insurance Portability and 
Accountability Act of 1996 (42 U.S.C. 3120d-1 et seq.) would, if 
adopted in final form, limit the circumstances under which medical 
information may be disclosed.
---------------------------------------------------------------------------

    \7\ 64 FR 59918 (Nov. 3, 1999).
---------------------------------------------------------------------------

    4. The Children's Online Privacy Protection Act of 1998 (15 U.S.C. 
6502) (under which the Federal banking agencies are charged with 
enforcement of implementing regulations promulgated by the Federal 
Trade Commission) generally requires online service operators 
collecting personal information from a child to obtain

[[Page 8785]]

parental consent and post a privacy notice on the web site.
    New compliance requirements. The proposed rule contains new 
compliance requirements for all covered institutions, most of which are 
required by the G-L-B Act. The institutions will be required to prepare 
notices of their privacy policies and practices and provide those 
notices to consumers as specified in the rule. Institutions that 
disclose nonpublic personal information about consumers to 
nonaffiliated third parties will be required to provide opt out notices 
to consumers as well as a reasonable opportunity to opt out of certain 
disclosures. These institutions will have to develop systems for 
keeping track of consumers' opt out directions. Some institutions, 
particularly those that disclose nonpublic information about consumers 
to nonaffiliated third parties, will likely need the advice of legal 
counsel to ensure that they comply with the rule, and may also require 
computer programming changes and additional staff training. The Board 
does not have a practicable or reliable basis for quantifying the costs 
of the proposed rule or any alternatives, but seeks comment on the 
potential costs.
    Exemptions for small institutions. The Board believes the 
requirements of the Act and this rule will create additional burden for 
covered institutions, particularly those that disclose nonpublic 
personal information about consumers to nonaffiliated third parties. 
The rule applies to all covered institutions, regardless of size. The 
Act does not provide the Board with the authority to exempt a small 
institution from the requirement to provide a notice of its privacy 
policies and practices to a consumer with whom it establishes a 
customer relationship. Although the Board could exempt small 
institutions from providing a notice and opportunity for consumers to 
opt out of certain information disclosures, the Board does not believe 
that such an exemption would be appropriate, given the purpose of the 
Act to protect the confidentiality and security of nonpublic personal 
information about consumers. The Board believes that the burden is 
relatively small for institutions that do not disclose nonpublic 
personal information about consumers to nonaffiliated third parties. 
These institutions may provide relatively simple initial and annual 
notices to consumers with whom they establish customer relationships.
    The Board recognizes that the Congressional Conferees on the Act 
wished to ensure that smaller financial institutions are not placed at 
a competitive disadvantage by a statutory regime that permits certain 
information to be shared freely within an affiliate structure while 
limiting the ability to share that same information with nonaffiliated 
third parties. The Conferees stated that, in prescribing regulations, 
the federal regulatory agencies should take into consideration any 
adverse competitive effects upon small commercial banks, thrifts, and 
credit unions.\8\ At this time, it is not clear the extent to which 
small institutions will be placed at a disadvantage by information-
sharing among affiliates in large institutional families. The Board 
believes that further experience under the regulation would be 
appropriate before considering any exemptions in this area for small 
institutions.
---------------------------------------------------------------------------

    \8\ H. R. Conf. Rep. No. 106-434, at 173 (1999).
---------------------------------------------------------------------------

    The Board requests comment on the burdens associated with the 
proposed rule and whether any exemptions for small institutions would 
be appropriate.

    FDIC: The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA) 
requires an agency to publish an initial regulatory flexibility 
analysis with this proposed rule, except to the extent provided in the 
RFA, whenever the agency is required to publish a general notice of 
proposed rulemaking for a proposed rule. The FDIC cannot at this time 
determine whether the proposed rule would have a significant economic 
impact on a substantial number of small entities as defined by the 
RFA.\9\ Therefore, pursuant to subsections 603 (b) and (c) of the RFA, 
the FDIC provides the following initial regulatory flexibility 
analysis.
---------------------------------------------------------------------------

    \9\ The RFA defines the term ``small entity'' in 5 U.S.C. 601 by 
reference to definitions published by the Small Business 
Administration (SBA). The SBA has defined a ``small entity for 
banking purposes as a national or commercial bank, savings 
institution or credit union with less than $100 million in assets.'' 
See 13 CFR 121.201.
---------------------------------------------------------------------------

Reasons for Proposed Rule
    The FDIC is requesting comment on proposed privacy rules published 
pursuant to section 504 of the G-L-B Act. Section 504 requires the 
Agencies in consultation with representatives of State insurance 
authorities to issue regulations implementing notice requirements and 
restrictions on a financial institution's ability to disclose nonpublic 
personal information about consumers to nonaffiliated third parties. 
These requirements are expressly mandated by the G-L-B Act. It is the 
view of the FDIC that the G-L-B Act's requirements account for most, if 
not, all of the economic impact of the proposed rule.
Statement of Objectives and Legal Basis
    The Supplementary Information section above contains this 
information. The legal basis for the proposed rule is the G-L-B Act.
Description/Estimate of the Small Entities to Which the Rule Applies
    The proposed rule would apply to all FDIC-insured State nonmember 
banks, approximately 3,700 of which are small entities as defined by 
the RFA.
Projected Reporting, Recordkeeping and Other Compliance Requirements
    The information collection requirements imposed by G-L-B Act and 
the proposed rule are discussed above in the section titled, 
``Paperwork Reduction Act.''
General Requirements
    Pursuant to section 503 of the G-L-B Act and Secs. 332.4--332.6 of 
the regulation, a financial institution must provide its customers with 
a notice of its privacy policies and practices. Section 502 of the G-L-
B Act and Secs. 332.7-332.12 of the regulation prohibit a financial 
institution from disclosing nonpublic personal information about a 
consumer to nonaffiliated third parties unless the institution 
satisfies various disclosure requirements and the consumer has elected 
not to opt out of the disclosure.
    The statute and proposed rule require a financial institution to 
disclose to all of its customers the institution's privacy policies and 
practices with respect to information sharing with both affiliates and 
non-affiliated third parties. Institutions are required to provide this 
notice at the time of establishing a customer relationship and annually 
thereafter. Recent experience has shown that it is a usual and 
customary business practice of financial institutions. KPMG reported in 
a recent industry survey of large and small banks that 71% of bankers 
said their institutions already had privacy policies in place either 
company-wide or in some selected units.\10\ Another recent survey of 
Internet banking sites conducted by federal banking regulators 
concluded that over 62% of financial institutions that collected 
personal information online provided a privacy policy or information 
practice statement.\11\ Furthermore, a number of industry groups have 
developed model privacy policies that are available as part of their

[[Page 8786]]

self-regulatory efforts in the privacy area.\12\ The FDIC believes the 
establishment of a privacy policy is a usual and customary business 
practice and the costs for translating that policy into a disclosure 
format should be minimal. The FDIC seeks any information or comment on 
the costs for creating privacy policy disclosures.
---------------------------------------------------------------------------

    \10\ ``KPMG Analysis Consumer Privacy Policies: Write Now.'' 
Online Reuters 19 Jan. 2000.
    \11\ ``Interagency Financial Institution Web Site Privacy Survey 
Report.'' FDIC Press Release 9 November 1999.
    \12\ ``Banks Should Tell Customers of Policies to Protect 
Privacy, Banking Groups Say.'' Online BNA Electronic Commerce & Law 
16 September 1998.
---------------------------------------------------------------------------

    To minimize the burden and costs to financial institutions of 
distributing privacy policies, the proposed regulation allows each bank 
to choose the method by which it will distribute required disclosure 
statements. Institutions may provide customers with a privacy 
disclosure statement with periodic statements, with other required 
disclosure statements, via electronic mail to consumers who obtain a 
financial product or service electronically, and other acceptable means 
described in the proposed regulation. The FDIC believes that the cost 
of distributing privacy disclosure statements will be minimal and seeks 
any information or comment on the costs for distributing privacy policy 
disclosures.
    The statute and proposed rule describe the conditions under which a 
financial institution may disclose nonpublic personal information about 
a consumer to a nonaffiliated third party. A number of exceptions are 
provided for nonaffiliated third parties performing services for the 
institution. The rules require institutions to develop a method to 
allow customers to opt out of non-affiliated third party information 
sharing. Only those institutions that intend to share nonpublic 
personal information with third parties outside of the exemptions 
provided are required to establish ``opt out'' disclosure and 
processing procedures. Furthermore, only those institutions that share 
nonpublic personal information with third parties outside of the 
exemptions provided could be expected to encounter any reduction in 
revenue as a result of the diminished value of information sales. The 
FDIC informally surveyed its regional offices to determine the costs of 
implementing the opt out provisions of the proposed regulation. Based 
on the observations by FDIC examiners, the FDIC believes that the costs 
to implement opt out provisions of the regulation for small insured 
nonmember banks will be minimal. Few nonaffiliated third party 
information sharing arrangements could be identified that would fall 
outside the exceptions provided in the regulation. Congress recognized 
the lack of information available on affiliate information sharing 
practices by requiring the regulators to conduct a ``Study of 
Information Sharing Among Financial Affiliates'' that focuses on the 
practice of institutions sharing confidential customer information with 
affiliates and non-affiliated third parties. This study is due 
subsequent to release of this regulation. The FDIC seeks further 
comment on the information sharing practices and actual costs of 
implementing the opt out disclosure and processing requirements of the 
proposed regulation.
Identification of Duplicative, Overlapping, or Conflicting Federal 
Rules
    While the scope of the proposed regulation (pursuant to the G-L-B 
Act) is unique, there may be some overlap in certain circumstances with 
the following: As noted above, the FCRA requires a bank that: (1) Does 
not want to be treated as a consumer reporting agency; and (2) desires 
to share certain consumer information (i.e., application or credit 
report information) with its affiliates, to provide the consumer with a 
clear and conspicuous notice and an opportunity to opt out of such 
information sharing. Also, at the time a consumer contracts for an 
electronic fund transfer service, the Electronic Funds Transfer Act 
requires the terms and conditions of such transfer to be disclosed, 
including under what circumstances the bank will in the ordinary course 
of business disclose information concerning the consumer's account to 
third persons. Finally, the Children's Online Privacy Protection Act 
(under which the Federal banking agencies are charged with enforcement 
of implementing regulations promulgated by the Federal Trade 
Commission) generally requires online service operators collecting 
personal information from a child to obtain parental consent and post a 
privacy notice on the web site. The FDIC seeks comments and information 
about any such rules, as well as any other state, local, or industry 
rules or policies that require financial institutions to implement 
business practices that would comply with the requirements of the 
proposed rule.
Discussion of Significant Alternatives
    As previously noted, the proposed rule's requirements are expressly 
mandated by the G-L-B Act. The proposed rule attempts to clarify, 
consolidate, and simplify the statutory requirements for all covered 
entities, including small entities. The proposed rule also provides 
substantial flexibility so that any bank, regardless of size, may 
tailor its practices to its individual needs. While the FDIC may grant 
exceptions to the opt out requirements set out in sections 502(a) 
through (d), section 504(b) of the G-L-B Act requires such exceptions 
to be ``consistent with the purposes of this subtitle [i.e., Subtitle A 
of Title V].'' As stated in section 501(a) of the Act, ``It is the 
policy of the Congress that each financial institution has an 
affirmative and continuing obligation to respect the privacy of its 
customers and to protect the security and confidentiality of those 
customers' nonpublic personal information.'' (Emphasis added.) The FDIC 
believes that an exception that would create different levels of 
protections for consumers based on the size of the institution with 
whom they conduct business would not be consistent with the purposes of 
Subtitle A. The FDIC welcomes comment on any significant alternatives, 
consistent with the G-L-B Act, that would minimize the impact on small 
entities.
    OTS: The Regulatory Flexibility Act requires federal agencies to 
either prepare an initial regulatory flexibility analysis (IRFA) with 
this proposed rule or certify that the proposed rule would not have a 
significant economic impact on a substantial number of small entities. 
\13\ The OTS cannot, at this time, determine whether the proposed rule 
would have a significant economic impact on a substantial number of 
small institutions. Therefore, OTS includes the following IRFA.
---------------------------------------------------------------------------

    \13\ 5 U.S.C. 605(b).
---------------------------------------------------------------------------

    A description of the reasons why OTS is considering this action, 
and a statement of the objectives of, and legal basis for, the proposed 
rule are in the supplementary material above.
A. Small Entities to Which the Proposed Rule Would Apply
    The proposed rule would apply to all financial institutions, 
without regard to the institutions' size. Small depository institutions 
are generally defined, for Regulatory Flexibility Act purposes, as 
those with assets under $100 million. \14\ This proposed rule would 
apply to approximately 500 small savings associations.
---------------------------------------------------------------------------

    \14\ 13 CFR 121.201, Division H (1999).
---------------------------------------------------------------------------

B. Requirements of the Proposed Rule
    As described more fully above, the proposed rule contains new 
compliance requirements for all savings associations. Most of the 
requirements are mandated by the G-L-B Act. Savings associations will 
be required to prepare

[[Page 8787]]

notices of their privacy policies and practices and provide those 
notices to consumers. Savings associations that disclose nonpublic 
personal information about consumers to nonaffiliated third parties 
will be required to provide opt out notices to consumers as well as a 
reasonable opportunity to opt out of certain disclosures. These savings 
associations will have to develop systems for keeping track of 
consumers' opt out directions.
C. Reporting, Recordkeeping, and Other Compliance Requirements
    The proposed rule would require savings associations to disclose 
their privacy policies to consumers, and to keep track of any opt out 
notices the consumers submit.
    Many financial institutions may already have established privacy 
policies and practices and may already be partly or fully prepared to 
meet the requirements of this proposed rule. Additionally, OTS 
anticipates that trade associations and others will prepare compliance 
materials and guidance that financial institutions can use to meet the 
requirements of this proposed rule.
    To the extent that existing practices and available resources are 
insufficient, financial institutions would need professional skills to 
comply with this proposed rule. To prepare the required privacy 
disclosures and opt out notices, financial institutions may need legal 
or other professional advice and drafting. This would be true for the 
initial disclosures and notices, and for any subsequent changes to 
those documents. For financial institutions that publish privacy 
notices electronically or accept electronic opt outs, computer 
expertise would be necessary to convert the documents to the 
appropriate electronic form.
    The proposed regulation would allow financial institutions to share 
consumers' nonpublic personal information with a nonaffiliated third 
party to perform services for the financial institution. However, 
Sec. 573.9(a)(2) of the regulation would require institutions in that 
event to contractually require the third party recipient to maintain 
the privacy of shared information. In these cases, financial 
institutions may require legal advice and drafting to ensure that their 
contracts meet the requirements of the proposed rule.
    Financial institutions may further need professional skills to 
process opt out notices that consumers submit. Some financial 
institutions may use clerical or computer programmer skills to perform 
these tasks. Some degree of personnel training may be necessary, such 
as to train staff on the procedures for entering opt out data into a 
computer database.
    OTS does not have a practicable or reliable basis for quantifying 
the costs of this proposed rule, or of any alternative to the rule. OTS 
cannot predict how savings associations would comply with the proposed 
notice requirements, or how many opt out notices savings associations 
would receive and need to process. Some savings associations may 
currently derive revenue from selling information about their 
customers, and this rule may decrease the amount of that revenue. OTS 
has no reliable basis for determining the amount of this decrease in 
revenue at savings associations. The costs of this proposed rule or any 
alternative to the rule are unpredictable for two reasons. First, 
Congress has required this regulation to be finalized within six months 
after   G-L-B's enactment. This short time period makes it difficult to 
survey savings associations or trade organizations for reliable 
information. Second, and more importantly, the    G-L-B Act and this 
rulemaking are so new that the industry has not had enough time to 
learn what the law requires and decide how to proceed. Rather than 
merely guess at the regulatory burden of this proposed rule, OTS 
solicits comment on the burden and on ways to minimize it, consistent 
with the G-L-B Act.
D. Significant Alternatives
    The requirements in the proposed rule parallel those in the G-L-B 
Act. The proposed regulation would clarify the statutory requirements 
in certain areas, and would restate the requirements in a more 
understandable manner, but would not impose any substantially different 
requirements.
    Congress has decided that ``each'' financial institution must 
protect consumers' privacy, without regard to the size of the financial 
institutions with which consumers interact. \15\ OTS believes it does 
not have authority to exempt small entities from Subtitle V of the G-L-
B Act.
---------------------------------------------------------------------------

    \15\ G-L-B Act, Pub. Law. No. 106-102, 113 Stat. 1338, 
Sec. 501(a) (1999) (to be codified at 15 USC 6801).
---------------------------------------------------------------------------

    Although OTS could exempt small savings associations from providing 
a notice and opportunity for consumers to opt out of certain 
information disclosures, OTS does not believe that such an exemption 
would be appropriate, given the purpose of the  G-L-B Act to protect 
the confidentiality and security of nonpublic personal information 
about consumers. Savings associations that do not disclose nonpublic 
personal information about consumers to nonaffiliated third parties may 
provide relatively simple initial and annual notices to their 
customers.
    OTS recognizes that the Congressional Conferees on the Act wished 
to ensure that smaller financial institutions are not placed at a 
competitive disadvantage by a statutory regime that permits certain 
information to be shared freely within an affiliate structure while 
limiting the ability to share that same information with nonaffiliated 
third parties. The Conferees stated that, in prescribing regulations, 
the federal regulatory agencies should take into consideration any 
adverse competitive effects upon small commercial banks, thrifts, and 
credit unions. \16\ At this time, it is not clear the extent to which 
small institutions will be placed at a disadvantage by information-
sharing among affiliates in large institutional families. OTS believes 
that further experience under the regulation would be appropriate 
before considering any exemptions in this area for small institutions.
---------------------------------------------------------------------------

    \16\ H. R. Conf. Rep. No. 106-434, at 173 (1999).
---------------------------------------------------------------------------

    To reduce regulatory burden, consistent with the statutory 
requirements, this proposed regulation would provide financial 
institutions with substantial flexibility to use privacy practices 
tailored to their individual needs. For example, the Agencies 
considered setting a certain time within which financial institutions 
that receive opt out notices must comply with them. Because the 
Agencies thought a certain time limit might impose undue regulatory 
burden, the proposed rule would require compliance with opt out notices 
``as soon as reasonably practicable.'' Sec. 573.8(e). Similarly, the 
proposed rule would become effective on November 13, 2000. This is 
designed to allow financial institutions one year after   G-L-B was 
enacted, and six months after this rule's expected effective date, to 
come into compliance. Sec. 573.16(a). The Agencies are soliciting 
comments on whether these time limits would allow financial 
institutions sufficient time to comply with the rules.
    OTS requests comment on the burdens associated with the proposed 
rule and whether any exceptions for small institutions would be 
appropriate.
E. Other Matters
    While the scope of the proposed regulation (pursuant to the G-L-B 
Act) is unique, there may be some overlap in certain circumstances with 
certain Federal rules. As noted above, the Fair Credit Reporting Act 
requires a savings

[[Page 8788]]

association that (1) does not want to be treated as a consumer 
reporting agency and (2) desires to share certain consumer information 
(i.e., application or credit report information) with its affiliates, 
to provide the consumer with a clear and conspicuous notice and an 
opportunity to opt out of such information sharing. Also, at the time a 
consumer contracts for an electronic fund transfer service, the 
Electronic Funds Transfer Act requires the terms and conditions of such 
transfer to be disclosed, including under what circumstances the bank 
will in the ordinary course of business disclose information concerning 
the consumer's account to third persons. Finally, the Children's Online 
Privacy Protection Act (under which the Federal banking agencies are 
charged with enforcement of implementing regulations promulgated by the 
Federal Trade Commission) generally requires online service operators 
collecting personal information from a child to obtain parental consent 
and post a privacy notice on the web site. OTS seeks comment on 
additional Federal rules that may duplicate, overlap or conflict with 
the proposal.

C. Executive Order 12866

    OCC: The Comptroller of the Currency has determined that this 
proposed rule, if adopted as a final rule, does not constitute a 
``significant regulatory action'' for the purposes of Executive Order 
12866. The rule follows closely the requirements of title V, subtitle A 
of the G-L-B Act. Since, the G-L-B Act establishes the minimum 
requirements for this activity, the OCC has little discretion to 
propose regulatory options that might significantly reduce costs or 
other burdens. However, even absent the requirements of the G-L-B Act, 
if the OCC issued the rule under its own authority, the rule would not 
constitute a ``significant regulatory action'' for the purposes of 
Executive Order 12866.
    Nevertheless, the OCC acknowledges that the rule would impose costs 
on national banks by requiring them to make notifications and take 
other actions impacting their day to day operations. Therefore, the OCC 
invites national banks and the public to provide any cost estimates and 
related data that they think would be useful to the agency in 
evaluating the overall costs of the rule. The OCC will review carefully 
the comments and cost data that you provide and will revisit the cost 
aspects of the G-L-B Act as implemented by this proposal in developing 
the final rule.
    OTS: OTS has determined that this proposed rule, if adopted as a 
final rule, would not constitute a ``significant regulatory action'' 
for the purposes of Executive Order 12866. The rule follows closely the 
requirements of title V, subtitle A of the G-L-B Act. Since the G-L-B 
Act establishes the minimum requirements for this activity, OTS has 
little discretion to propose regulatory options that might 
significantly reduce costs or other burdens.
    Nevertheless, OTS acknowledges that the rule would impose costs on 
the thrift industry by requiring savings associations to make 
notifications and take other actions impacting their day to day 
operations. Therefore, OTS invites the thrift industry and the public 
to provide any cost estimates and related data that they think would be 
useful to the agency in evaluating the overall costs of the rule. OTS 
will review carefully the comments and cost data that you provide and 
will revisit the cost aspects of the G-L-B Act as implemented by this 
proposal in developing the final rule.

D. Unfunded Mandates Act of 1995

    Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 
1532 (Unfunded Mandates Act), requires that an agency prepare a 
budgetary impact statement before promulgating any rule likely to 
result in a Federal mandate that may result in the expenditure by 
State, local, and tribal governments, in the aggregate, or by the 
private sector, of $100 million or more in any one year. If a budgetary 
impact statement is required, section 205 of the Unfunded Mandates Act 
also requires the agency to identify and consider a reasonable number 
of regulatory alternatives before promulgating the rule. However, an 
agency is not required to assess the effects of its regulatory actions 
on the private sector to the extent that such regulations incorporate 
requirements specifically set forth in law. 2 U.S.C. 1531. Most of the 
proposed rule's provisions are already mandated by the applicable 
provisions in Title V of the G-L-B Act, which would become effective 
and binding on the private sector without a regulatory promulgation. 
Therefore, the OCC and OTS have determined that this proposed 
regulation will not result in expenditures by State, local, and tribal 
governments, in the aggregate, or by the private sector, of $100 
million or more in any one year. Accordingly, the OCC and OTS have not 
prepared a budgetary impact statement or specifically addressed the 
regulatory alternatives considered.

V. Solicitation of Comments on Use of ``Plain Language''

    Section 722 of the G-L-B Act requires the Federal banking agencies 
to use ``plain language'' in all proposed and final rules published 
after January 1, 2000. We invite your comments on how to make this 
proposed rule easier to understand. For example:
     Have we organized the material to suit your needs? If not, 
how could the material be better organized?
     Are the requirements in the rule clearly stated? If not, 
how could the rule be more clearly stated?
     Does the rule contain technical language or jargon that 
isn't clear? If not, which language requires clarification? For 
example, is the phrase ``opt out'' confusing to the average reader? 
Should the Agencies require financial institutions to use a different 
phrase in their notices, such as ``choose not to have information 
shared''?
     Would a different format (grouping and order of sections, 
use of headings, paragraphing) make the rule easier to understand? If 
so, what changes to the format would make the rule easier to 
understand?
     Would more (but shorter) sections be better? If so, which 
sections should be changed?
     What else could we do to make the rule easier to 
understand?
     The Agencies solicit comment on whether the inclusion of 
examples in the regulation is appropriate. Elevating the fact patterns 
to safe harbors in the rule may generate certain problems over time. 
For example, changes in technology or practices may ultimately impact 
the fact patterns contained in the examples and require changes to the 
regulation. Are there alternative methods to offer illustrative 
guidance of the concepts portrayed by the examples?

List of Subjects

12 CFR Part 40

    Banks, banking, Consumer protection, National banks, Privacy, 
Reporting and recordkeeping requirements.

12 CFR Part 216

    Banks, banking, Consumer protection, Federal Reserve System, 
Foreign banking, Holding companies, Information, Privacy, Reporting and 
recordkeeping requirements.

12 CFR Part 332

    Banks, banking, Privacy.

12 CFR Part 573

    Consumer protection, Privacy, Savings associations.

[[Page 8789]]

Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

    For the reasons set out in the joint preamble, the OCC proposes to 
amend chapter I of title 12 of the Code of Federal Regulations by 
adding a new part 40 to read as follows:

PART 40--PRIVACY OF CONSUMER FINANCIAL INFORMATION

Sec.
40.1   Purpose and scope.
40.2   Rule of construction.
40.3   Definitions.
40.4   Initial notice to consumers of privacy policies and practices 
required.
40.5   Annual notice to customers required.
40.6   Information to be included in initial and annual notices of 
privacy policies and practices.
40.7   Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.
40.8   Form and method of providing opt out notice to consumers.
40.9   Exception to opt out requirements for service providers and 
joint marketing.
40.10   Exceptions to notice and opt out requirements for processing 
and servicing transactions.
40.11   Other exceptions to notice and opt out requirements.
40.12   Limits on redisclosure and reuse of information.
40.13   Limits on sharing of account number information for 
marketing purposes.
40.14   Protection of Fair Credit Reporting Act.
40.15   Relation to State laws.
40.16   Effective date; transition rule.

    Authority: 12 U.S.C. 93a; 15 U.S.C. 6801 et seq.


Sec. 40.1  Purpose and scope.

    (a) Purpose. This part governs the treatment of nonpublic personal 
information about consumers by the financial institutions listed in 
paragraph (b) of this section. This part:
    (1) Requires a financial institution to provide notice to consumers 
about its privacy policies and practices;
    (2) Describes the conditions under which a financial institution 
may disclose nonpublic personal information about consumers to 
nonaffiliated third parties; and
    (3) Provides a method for consumers to prevent a financial 
institution from disclosing that information to certain nonaffiliated 
third parties by ``opting out'' of that disclosure, subject to the 
exceptions in Secs. 40.9, 40.10, and 40.11.
    (b) Scope. The rules established by this part apply only to 
nonpublic personal information about individuals who obtain financial 
products or services for personal, family or household purposes from 
the institutions listed below. This part does not apply to information 
about companies or about individuals who obtain financial products or 
services for business purposes. This part applies to entities for which 
the Office of the Comptroller of the Currency has primary supervisory 
authority. They are referred to in this part as ``the bank.'' These are 
national banks, District of Columbia banks, Federal branches and 
Federal agencies of foreign banks, and any subsidiaries of such 
entities except a broker or dealer that is registered under the 
Securities Exchange Act of 1934, a registered investment adviser (with 
respect to the investment advisory activities of the adviser and 
activities incidental to those investment advisory activities), an 
investment company registered under the Investment Company Act of 1940, 
an insurance company that is subject to supervision by a State 
insurance regulator (with respect to insurance activities of the 
company and activities incidental to those insurance activities), and 
an entity that is subject to regulation by the Commodity Futures 
Trading Commission.


Sec. 40.2  Rule of construction.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part.


Sec. 40.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Affiliate means any company that controls, is controlled by, or 
is under common control with another company.
    (b)(1) Clear and conspicuous means that a notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information contained in the notice.
    (2) Examples. (i) The bank makes it notice reasonably 
understandable if, to the extent applicable, the bank:
    (A) Presents the information contained in the notice in clear, 
concise sentences, paragraphs and sections;
    (B) Uses short explanatory sentences and bullet lists, whenever 
possible;
    (C) Uses definite, concrete, everyday words and active voice, 
whenever possible;
    (D) Avoids multiple negatives;
    (E) Avoids legal and highly technical business terminology; and
    (F) Avoids boilerplate explanations that are imprecise and readily 
subject to different interpretations.
    (ii) The bank designs its notice to call attention to the nature 
and significance of the information contained in the notice if, to the 
extent applicable, the bank:
    (A) Uses a plain-language heading to call attention to the notice;
    (B) Uses a typeface and type size that are easy to read; and
    (C) Provides wide margins and ample line spacing.
    (iii) If the bank provides a notice on the same form as another 
notice or other document, the bank designs its notice to call attention 
to the nature and significance of the information contained in the 
notice if the bank uses:
    (A) Larger type size(s), boldface or italics in the text;
    (B) Wider margins and line spacing in the notice; or
    (C) Shading or sidebars to highlight the notice, whenever possible.
    (c) Collect means to obtain information that is organized or 
retrievable on a personally identifiable basis, irrespective of the 
source of the underlying information.
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association or similar 
organization.
    (e) (1) Consumer means an individual who obtains or has obtained a 
financial product or service from the bank that is to be used primarily 
for personal, family or household purposes, and that individual's legal 
representative.
    (2) Examples. (i) An individual who applies to a bank for credit 
for personal, family or household purposes is a consumer of a financial 
service, regardless of whether the credit is extended.
    (ii) An individual who provides nonpublic personal information to a 
bank in order to obtain a determination about whether he or she may 
qualify for a loan to be used primarily for personal, family, or 
household purposes is a consumer of a financial service, regardless of 
whether the loan is extended by the bank or another financial 
institution.
    (iii) An individual who provides nonpublic personal information to 
a bank in connection with obtaining or seeking to obtain financial, 
investment or economic advisory services is a consumer regardless of 
whether the bank establishes an ongoing advisory relationship.
    (iv) An individual who negotiates a workout with a bank for a loan 
that the bank owns is a consumer regardless of whether the bank 
originally extended the loan to the individual.
    (v) An individual who has a loan from a bank is the bank's consumer 
even if the bank:
    (A) Hires an agent to collect on the loan;

[[Page 8790]]

    (B) Sells the rights to service the loan; or
    (C) Bought the loan from the financial institution that originated 
the loan.
    (vi) An individual is not a bank's consumer solely because the bank 
processes information about the individual on behalf of a financial 
institution that extended the loan to the individual.
    (f) Consumer reporting agency has the same meaning as in section 
603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
    (g) Control of a company means:
    (1) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of the company, 
directly or indirectly, or acting through one or more other persons;
    (2) Control in any manner over the election of a majority of the 
directors, trustees or general partners (or individuals exercising 
similar functions) of the company; or
    (3) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of the company, as determined 
by the OCC.
    (h) Customer means a consumer who has a customer relationship with 
a bank.
    (i) (1) Customer relationship means a continuing relationship 
between a consumer and a bank under which the bank provides one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family, or household purposes.
    (2) Examples. (i) A consumer has a continuing relationship with a 
bank if the consumer:
    (A) Has a deposit, credit, trust or investment account with the 
bank;
    (B) Purchases an insurance product from the bank;
    (C) Holds an investment product through the bank;
    (D) Enters into an agreement or understanding with the bank whereby 
the bank undertakes to arrange or broker a home mortgage loan for the 
consumer;
    (E) Has a loan that the bank services where the bank owns the 
servicing rights;
    (F) Enters into a lease of personal property with the bank; or
    (G) Obtains financial, investment or economic advisory services 
from the bank for a fee.
    (ii) A consumer does not, however, have a continuing relationship 
with a bank if:
    (A) The consumer only obtains a financial product or service in an 
isolated transaction, such as withdrawing cash from the bank's 
automated teller machine (ATM) or purchasing a cashier's check or money 
order;
    (B) The bank sells the consumer's loan and does not retain the 
rights to service that loan; or
    (C) The bank sells the consumer airline tickets, travel insurance 
or traveler's checks in an isolated transaction.
    (j) (1) Financial institution means any institution the business of 
which is engaging in activities that are financial in nature or 
incidental to such financial activities as described in section 4(k) of 
the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).
    (2) Financial institution does not include:
    (i) Any person or entity with respect to any financial activity 
that is subject to the jurisdiction of the Commodity Futures Trading 
Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
    (ii) The Federal Agricultural Mortgage Corporation or any entity 
chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 
2001 et seq.); or
    (iii) Institutions chartered by Congress specifically to engage in 
securitizations, secondary market sales (including sales of servicing 
rights) or similar transactions related to a transaction of a consumer, 
as long as such institutions do not sell or transfer nonpublic personal 
information to a nonaffiliated third party.
    (k) (1) Financial product or service means any product or service 
that a financial holding company could offer by engaging in an activity 
that is financial in nature or incidental to such a financial activity 
under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 
1843(k)).
    (2) Financial service includes a bank's evaluation, brokerage or 
distribution of information that the bank collects in connection with a 
request or an application from a consumer for a financial product or 
service.
    (l) Government regulator means:
    (1) The Board of Governors of the Federal Reserve System;
    (2) The Office of the Comptroller of the Currency;
    (3) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (4) The Director of the Office of Thrift Supervision;
    (5) The National Credit Union Administration Board;
    (6) The Securities and Exchange Commission;
    (7) The Secretary of the Treasury, with respect to 31 U.S.C. 
Chapter 53, Subchapter II (Records and Reports on Monetary Instruments 
and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping);
    (8) A State insurance authority, with respect to any person 
domiciled in that insurance authority's State that is engaged in 
providing insurance; and
    (9) The Federal Trade Commission.
    (m) (1) Nonaffiliated third party means any person except:
    (i) A bank's affiliate; or
    (ii) A person employed jointly by a bank and any company that is 
not the bank's affiliate (but nonaffiliated third party includes the 
other company that jointly employs the person).
    (2) Nonaffiliated third party includes any company that is an 
affiliate by virtue of the direct or indirect ownership or control of 
the company by the financial institution or any affiliate of the 
financial institution in conducting merchant banking or investment 
banking activities of the type described in section 4(k)(4)(H) or 
insurance company investment activities of the type described in 
section 4(k)(4)(I) of the Bank Holding Company Act (12 U.S.C. 
1843(k)(4)(H) and (I)).

Alternative A

    (n) (1) Nonpublic personal information means:
    (i) Personally identifiable financial information; and
    (ii) Any list, description or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
using any personally identifiable financial information.
    (2) Nonpublic personal information does not include any list, 
description, or other grouping of consumers (and publicly available 
information pertaining to them) that is derived without using any 
personally identifiable financial information.
    (3) Example. Nonpublic personal information includes any list of 
individuals' street addresses and telephone numbers that is derived 
using any information consumers provide to you on an application for a 
financial product or service.
    (o) (1) Personally identifiable financial information means any 
information:
    (i) Provided by a consumer to a bank to obtain a financial product 
or service from the bank;
    (ii) Resulting from any transaction involving a financial product 
or service between a bank and a consumer; or
    (iii) The bank otherwise obtains about a consumer in connection 
with providing a financial product or service to that consumer, other 
than publicly available information.
    (2) Examples. (i) Personally identifiable financial information 
includes:

[[Page 8791]]

    (A) Information a consumer provides to a bank on an application to 
obtain a loan, credit card, insurance or other financial product or 
service, including, among other things, medical information;
    (B) Account balance information, payment history, overdraft 
history, and credit or debit card purchase information;
    (C) The fact that an individual is or has been one of a bank's 
customers or has obtained a financial product or service from the bank, 
unless that fact is derived using only publicly available information, 
such as government real estate records or bankruptcy records;
    (D) Other information about a bank's consumer if it is disclosed in 
a manner that indicates the individual is or has been the bank's 
consumer;
    (E) Any information provided by a consumer or otherwise obtained by 
the bank or its agent in connection with collecting on a loan or 
servicing a loan; and
    (F) Information from a consumer report.
    (ii) Personally identifiable financial information does not include 
a list of names and addresses of customers of an entity that is not a 
financial institution.
    (p) (1) Publicly available information means any information that 
is lawfully made available to the general public that is obtained from:
    (i) Federal, State or local government records;
    (ii) Widely distributed media; or
    (iii) Disclosures to the general public that are required to be 
made by Federal, State or local law.
    (2) Examples--(i) Government records. Publicly available 
information contained in government records includes information 
contained in government real estate records and security interest 
filings.
    (ii) Widely distributed media. Publicly available information from 
widely distributed media includes information from a telephone book, a 
television or radio program, a newspaper or an Internet site that is 
available to the general public without requiring a password or similar 
restriction.

Alternative B

    (n) (1) Nonpublic personal information means:
    (i) Personally identifiable financial information; and
    (ii) Any list, description or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
using any personally identifiable financial information.
    (2) Nonpublic personal information does not include any:
    (i) Publicly available information, except as provided in paragraph 
(n)(1)(ii) of this section; or
    (ii) List, description, or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
without using any personally identifiable financial information.
    (3) Example. Nonpublic personal information includes any list of 
individuals' street addresses and telephone numbers that is derived 
using personally identifiable financial information, such as account 
numbers.
    (o) (1) Personally identifiable financial information means any 
information:
    (i) Provided by a consumer to a bank to obtain a financial product 
or service from the bank;
    (ii) About a consumer resulting from any transaction involving a 
financial product or service between the bank and a consumer; or
    (iii) The bank otherwise obtains about a consumer in connection 
with providing a financial product or service to that consumer.
    (2) Examples. (i) Personally identifiable financial information 
includes:
    (A) Information a consumer provides to a bank on an application to 
obtain a loan, credit card, insurance or other financial product or 
service, including, among other things, medical information;
    (B) Account balance information, payment history, overdraft 
history, and credit or debit card purchase information;
    (C) The fact that an individual is or has been one of the bank's 
customers or has obtained a financial product or service from the bank, 
unless that fact is derived using only publicly available information, 
such as government real estate records or bankruptcy records;
    (D) Other information about a bank's consumer if it is disclosed in 
a manner that indicates the individual is or has been the bank's 
consumer;
    (E) Any information provided by a consumer or otherwise obtained by 
a bank or its agent in connection with collecting on a loan or 
servicing a loan; and
    (F) Information from a consumer report.
    (ii) Personally identifiable financial information does not include 
a list of names and addresses of customers of an entity that is not a 
financial institution.
    (p) (1) Publicly available information means any information that 
is lawfully made available to the general public from:
    (i) Federal, State or local government records;
    (ii) Widely distributed media; or
    (iii) Disclosures to the general public that are required to be 
made by Federal, State or local law.
    (2) Examples--(i) Government records. Publicly available 
information contained in government records includes information 
contained in government real estate records and security interest 
filings.
    (ii) Widely distributed media. Publicly available information from 
widely distributed media includes information from a telephone book, a 
television or radio program, a newspaper or an Internet site that is 
available to the general public without requiring a password or similar 
restriction.


Sec. 40.4  Initial notice to consumers of privacy policies and 
practices required.

    (a) When initial notice is required. A bank must provide a clear 
and conspicuous notice that accurately reflects the bank's privacy 
policies and practices to:
    (1) An individual who becomes the bank's customer, prior to the 
time that the bank establishes a customer relationship, except as 
provided in paragraph (d)(2) of this section; and
    (2) A consumer, prior to the time that a bank discloses any 
nonpublic personal information about the consumer to any nonaffiliated 
third party, if the bank makes such a disclosure other than as 
authorized by Secs. 40.10 and 40.11.
    (b) When initial notice to a consumer is not required. The bank is 
not required to provide an initial notice to a consumer under paragraph 
(a)(1) of this section if:
    (1) The bank does not disclose any nonpublic personal information 
about the consumer to any nonaffiliated third party, other than as 
authorized by Secs. 40.10 and 40.11; and
    (2) The bank does not have a customer relationship with the 
consumer.
    (c) When the bank establishes a customer relationship--(1) General 
rule. A bank establishes a customer relationship at the time the bank 
and the consumer enter into a continuing relationship.
    (2) Examples. The bank establishes a customer relationship when the 
consumer:
    (i) Opens a credit card account with the bank;
    (ii) Executes the contract to open a deposit account with the bank, 
obtains credit from the bank, or purchases insurance from the bank;
    (iii) Agrees to obtain financial, economic or investment advisory 
services from the bank for a fee; or
    (iv) Becomes the bank's client for the purpose of the bank 
providing credit counseling or tax preparation services.

[[Page 8792]]

    (d) How to provide notice--(1) General rule. A bank must provide 
the privacy notice required by paragraph (a) of this section so that 
each consumer can reasonably be expected to receive actual notice in 
writing or, if the consumer agrees, in electronic form.
    (2) Exceptions to allow subsequent delivery of notice. The bank may 
provide the initial notice required by paragraph (a)(1) of this section 
within a reasonable time after it establishes a customer relationship 
if:
    (i) The bank purchases a loan or assumes a deposit liability from 
another financial institution and the customer of that loan or deposit 
account does not have a choice about the bank's purchase or assumption; 
or
    (ii) The bank and the consumer orally agree to enter into a 
customer relationship and the consumer agrees to receive the notice 
thereafter.
    (3) Oral description of notice insufficient. The bank may not 
provide the initial notice required by paragraph (a) of this section 
solely by orally explaining, either in person or over the telephone, 
the bank's privacy policies and practices.
    (4) Retention or accessibility of initial notice for customers. For 
customers only, the bank must provide the initial notice required by 
paragraph (a)(1) of this section so that it can be retained or obtained 
at a later time by the customer, in a written form or, if the customer 
agrees, in electronic form.
    (5) Examples. (i) A bank may reasonably expect that a consumer will 
receive actual notice of its privacy policies and practices if the 
bank:
    (A) Hand-delivers a printed copy of the notice to the consumer;
    (B) Mails a printed copy of the notice to the last known address of 
the consumer;
    (C) For the consumer who conducts transactions electronically, 
posts the notice on the electronic site and requires the consumer to 
acknowledge receipt of the notice as a necessary step to obtaining a 
particular financial product or service;
    (D) For an isolated transaction with the consumer, such as an ATM 
transaction, posts the notice on the ATM screen and requires the 
consumer to acknowledge receipt of the notice as a necessary step to 
obtaining the particular financial product or service.
    (ii) A bank may not, however, reasonably expect that a consumer 
will receive actual notice of the bank's privacy policies and practices 
if the bank:
    (A) Only posts a sign in its branch or office or generally 
publishes advertisements of its privacy policies and practices;
    (B) Sends the notice via electronic mail to a consumer who obtains 
a financial product or service from the bank in person or through the 
mail and who does not agree to receive the notice electronically.
    (iii) A bank provides the initial privacy notice to the customer so 
that it can be retained or obtained at a later time if the bank:
    (A) Hand-delivers a printed copy of the notice to the customer;
    (B) Mails a printed copy of the notice to the last known address of 
the customer upon request of the customer; or
    (C) Maintains the notice on a web site (or a link to another web 
site) for the customer who obtains a financial product or service 
electronically and who agrees to receive the notice electronically.


Sec. 40.5  Annual notice to customers required.

    (a) General rule. A bank must provide a clear and conspicuous 
notice to customers that accurately reflects the bank's privacy 
policies and practices not less than annually during the continuation 
of the customer relationship. Annually means at least once in any 
period of 12 consecutive months during which that relationship exists.
    (b) How to provide notice. A bank must provide the annual notice 
required by paragraph (a) of this section to a customer using a means 
permitted for providing the initial notice to that customer under 
Sec. 40.4(d).
    (c) (1) Termination of customer relationship. A bank is not 
required to provide an annual notice to a customer with whom the bank 
no longer has a continuing relationship.
    (2) Examples. A bank no longer has a continuing relationship with 
an individual if:
    (i) In the case of a deposit account, the account is dormant under 
the bank's policies;
    (ii) In the case of a closed-end loan, the consumer pays the loan 
in full, the bank charges off the loan, or the bank sells the loan 
without retaining servicing rights;
    (iii) In the case of a credit card relationship or other open-end 
credit relationship, the bank no longer provides any statements or 
notices to the consumer concerning that relationship or the bank sells 
the credit card receivables without retaining servicing rights; or
    (iv) For other types of relationships, the bank has not 
communicated with the consumer about the relationship for a period of 
12 consecutive months, other than to provide annual notices of privacy 
policies and practices.


Sec. 40.6  Information to be included in initial and annual notices of 
privacy policies and practices.

    (a) General rule. The initial and annual notices that a bank 
provides about its privacy policies and practices under Secs. 40.4 and 
40.5 must include each of the following items of information:
    (1) The categories of nonpublic personal information about the 
bank's consumers that the bank collects;
    (2) The categories of nonpublic personal information about the 
bank's consumers that the bank discloses;
    (3) The categories of affiliates and nonaffiliated third parties to 
whom the bank discloses nonpublic personal information about its 
consumers, other than those parties to whom the bank discloses 
information under Secs. 40.10 and 40.11;
    (4) The categories of nonpublic personal information about the 
bank's former customers that it discloses and the categories of 
affiliates and nonaffiliated third parties to whom the bank discloses 
nonpublic personal information about its former customers, other than 
those parties to whom it discloses information under Secs. 40.10 and 
40.11;
    (5) If the bank discloses nonpublic personal information to a 
nonaffiliated third party under Sec. 40.9 (and no other exception 
applies to that disclosure), a separate description of the categories 
of information the bank discloses and the categories of third parties 
with whom the bank has contracted;
    (6) An explanation of the right under Sec. 40.8(a) of the consumer 
to opt out of the disclosure of nonpublic personal information to 
nonaffiliated third parties, including the methods by which the 
consumer may exercise that right;
    (7) Any disclosures that the bank makes under section 
603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 
1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out 
of disclosures of information among affiliates); and
    (8) The bank's policies and practices with respect to protecting 
the confidentiality, security, and integrity of nonpublic personal 
information.
    (b) Description of nonaffiliated third parties subject to 
exceptions. If a bank discloses nonpublic personal information about a 
consumer to third parties as authorized under Secs. 40.10 and 40.11, 
the bank is not required to list those exceptions in the initial or 
annual

[[Page 8793]]

privacy notices required by Secs. 40.4 and 40.5. When describing the 
categories with respect to those parties, the bank is only required to 
state that it makes disclosures to other nonaffiliated third parties as 
permitted by law.
    (c) Future disclosures. The bank's notice may include:
    (1) Categories of nonpublic personal information that the bank 
reserves the right to disclose in the future, but does not currently 
disclose; and
    (2) Categories of affiliates or nonaffiliated third parties to whom 
the bank reserves the right in the future to disclose, but to whom the 
bank does not currently disclose, nonpublic personal information.
    (d) Examples--(1) Categories of nonpublic personal information that 
the bank collects. A bank adequately categorizes the nonpublic personal 
information it collects if it categorizes the information according to 
the source of the information, such as application information, 
information about transactions (such as information regarding a 
deposit, loan, or credit card account), and consumer reports.
    (2) Categories of nonpublic personal information the bank 
discloses. A bank adequately categorizes nonpublic personal information 
it discloses if the bank categorizes the information according to 
source, and provides illustrative examples of the content of the 
information. These might include application information, such as 
assets and income; identifying information, such as name, address, and 
social security number; and transaction information, such as 
information about account balance, payment history, parties to the 
transaction, and credit card usage; and information from consumer 
reports, such as a consumer's creditworthiness and credit history. A 
bank does not adequately categorize the information that it discloses 
if it uses only general terms, such as transaction information about 
the consumer.
    (3) Categories of affiliates and nonaffiliated third parties to 
whom the bank discloses. A bank adequately categorizes the affiliates 
and nonaffiliated third parties to whom it discloses nonpublic personal 
information about consumers if the bank identifies the types of 
businesses that they engage in. Types of businesses may be described by 
general terms only if the bank uses illustrative examples of 
significant lines of business. For example, a bank may use the term 
``financial products or services'' if the bank includes appropriate 
examples of significant lines of businesses, such as consumer banking, 
mortgage lending, life insurance, or securities brokerage. The bank 
also may categorize the affiliates and nonaffiliated third parties to 
whom the bank discloses nonpublic personal information about consumers 
using more detailed categories.
    (4) Simplified notices. If the bank does not disclose, and does not 
intend to disclose, nonpublic personal information to affiliates or 
nonaffiliated third parties, the bank may simply state that fact, in 
addition to the information the bank must provide under paragraphs 
(a)(1), (a)(8), and (b) of this section.
    (5) Confidentiality, security, and integrity. A bank adequately 
describes its policies and practices with respect to protecting the 
confidentiality and security of nonpublic personal information if it 
explains who has access to the information and the circumstances under 
which the information may be accessed. The bank adequately describes 
its policies and practices with respect to protecting the integrity of 
nonpublic personal information if it explains measures the bank takes 
to protect against reasonably anticipated threats or hazards. A bank is 
not required to describe technical information about the safeguards the 
bank uses.


Sec. 40.7  Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.

    (a) (1) Conditions for disclosure. Except as otherwise authorized 
in this part, a bank may not, directly or through any affiliate, 
disclose any nonpublic personal information about a consumer to a 
nonaffiliated third party unless:
    (i) The bank has provided to the consumer an initial notice as 
required under Sec. 40.4;
    (ii) The bank has provided to the consumer an opt out notice as 
required in Sec. 40.8;
    (iii) The bank has given the consumer a reasonable opportunity, 
before the time that the bank discloses the information to the 
nonaffiliated third party, to opt out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) Opt out definition. Opt out means a direction by the consumer 
that the bank not disclose nonpublic personal information about that 
consumer to a nonaffiliated third party, other than as permitted by 
Secs. 40.9, 40.10, and 40.11.
    (3) Examples of reasonable opportunity to opt out--(i) By mail. A 
bank provides a consumer with whom it has a customer relationship with 
a reasonable opportunity to opt out if the bank mails the notices 
required in paragraph (a)(1) of this section to the consumer and allows 
the consumer a reasonable period of time, such as 30 days, to opt out.
    (ii) Isolated transaction with a consumer. For an isolated 
transaction, such as the purchase of a cashier's check by a consumer, a 
bank provides a reasonable opportunity to opt out if the bank provides 
the consumer with the required notices at the time of the transaction 
and requests that the consumer decide, as a necessary part of the 
transaction, whether to opt out before completing the transaction.
    (b) Application of opt out to all consumers and all nonpublic 
personal information. (1) A bank must comply with this section 
regardless of whether the bank and the consumer have established a 
customer relationship.
    (2) Unless a bank complies with this section, it may not, directly 
or through any affiliate, disclose any nonpublic personal information 
about a consumer that the bank has collected, regardless of whether it 
collected the information before or after receiving the direction to 
opt out from the consumer.
    (c) Partial opt out. A bank may allow a consumer to select certain 
nonpublic personal information or certain nonaffiliated third parties 
with respect to which the consumer wishes to opt out.


Sec. 40.8  Form and method of providing opt out notice to consumers.

    (a)(1) Form of opt out notice. A bank must provide a clear and 
conspicuous notice to each of its consumers that accurately explains 
the right to opt out under Sec. 40.7(a)(1). The notice must state:
    (i) That the bank discloses or reserves the right to disclose 
nonpublic personal information about its consumer to a nonaffiliated 
third party;
    (ii) That the consumer has the right to opt out of that disclosure; 
and
    (iii) A reasonable means by which the consumer may exercise the opt 
out right.
    (2) Examples. (i) A bank provides adequate notice that the consumer 
can opt out of the disclosure of nonpublic personal information to a 
nonaffiliated third party if the bank identifies all of the categories 
of nonpublic personal information that the bank discloses or reserves 
the right to disclose to nonaffiliated third parties as described in 
Sec. 40.6 and states that the consumer can opt out of the disclosure of 
that information.
    (ii) A bank provides a reasonable means of opting out if it:
    (A) Designates check-off boxes in a prominent position on the 
relevant forms with the opt out notice;
    (B) Includes a reply form together with the opt out notice; or
    (C) Provides an electronic means to opt out, such as a form that 
can be sent

[[Page 8794]]

via electronic mail or a process at the bank's web site, if the 
consumer agrees to the electronic delivery of information.
    (iii) A bank does not provide a reasonable means of opting out if 
the only means of opting out is for the consumer to write his or her 
own letter to exercise that opt out right.
    (b) How to provide opt out notice--(1) Delivery of notice. A bank 
must provide the opt out notice required by paragraph (a) of this 
section in a manner so that each consumer can reasonably be expected to 
receive actual notice in writing or, if the consumer agrees, in 
electronic form. If the bank and the consumer orally agree to enter 
into a customer relationship, the bank may provide the opt out notice 
required by paragraph (a) of this section within a reasonable time 
thereafter if the consumer agrees.
    (2) Oral description of opt out right insufficient. A bank may not 
provide the opt out notice solely by orally explaining, either in 
person or over the telephone, the right of the consumer to opt out.
    (3) Same form as initial notice permitted. A bank may provide the 
opt out notice together with or on the same written or electronic form 
as the initial notice the bank provides in accordance with Sec. 40.4.
    (4) Initial notice required when opt out notice delivered 
subsequent to initial notice. If the bank provides the opt out notice 
at a later time than required for the initial notice in accordance with 
Sec. 40.4, the bank must also include a copy of the initial notice in 
writing or, if the consumer agrees, in an electronic form with the opt 
out notice.
    (c) Notice of change in terms--(1) General rule. Except as 
otherwise authorized in this part, the bank must not, directly or 
through any affiliate, disclose any nonpublic personal information 
about a consumer to a nonaffiliated third party other than as described 
in the initial notice that the bank provided to the consumer under 
Sec. 40.4, unless:
    (i) The bank has provided to the consumer a revised notice that 
accurately describes the bank's policies and practices;
    (ii) The bank has provided to the consumer a new opt out notice;
    (iii) The bank has given the consumer a reasonable opportunity, 
before the time that the bank discloses the information to the 
nonaffiliated third party, to opt out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) How to provide notice of change in terms. A bank must provide 
the revised notice of its policies and practices and opt out notice to 
a consumer using the means permitted for providing the initial notice 
and opt out notice to that consumer under Sec. 40.4(d) and paragraph 
(b) of this section, respectively.
    (3) Examples--(i) Except as otherwise permitted by Secs. 40.9,40.10 
and 40.11, a change-in-terms notice is required if a bank:
    (A) Discloses a new category of nonpublic personal information to 
any nonaffiliated third party; or
    (B) Discloses nonpublic personal information to a new category of 
nonaffiliated third party.
    (ii) A change-in-terms notice is not required if a bank discloses 
nonpublic personal information to a new nonaffiliated third party that 
is adequately described by the bank's prior notice.
    (d) Continuing right to opt out. A consumer may exercise the right 
to opt out at any time, and the bank receiving the opt out direction 
must comply with that direction as soon as reasonably practicable.
    (e) Duration of consumer's opt out direction. A consumer's 
direction to opt out under this section is effective until revoked by 
the consumer in writing, or if the consumer agrees, in electronic form.


Sec. 40.9  Exception to opt out requirements for service providers and 
joint marketing.

    (a) General rule. The opt out requirements in Secs. 40.7 and 40.8 
do not apply when a bank provides nonpublic personal information about 
a consumer to a nonaffiliated third party to perform services for the 
bank or functions on the bank's behalf, if the bank:
    (1) Provides the initial notice in accordance with Sec. 40.4; and
    (2) Enters into a contractual agreement with the third party that:
    (i) Requires the third party to maintain the confidentiality of the 
information to at least the same extent that the bank must maintain 
that confidentiality under this part; and
    (ii) Limits the third party's use of information the bank discloses 
solely to the purposes for which the information is disclosed or as 
otherwise permitted by Secs. 40.10 and 40.11 of this part.
    (b) Service may include joint marketing. The services performed for 
a bank by a nonaffiliated third party under paragraph (a) of this 
section may include marketing of the bank's own products or services or 
marketing of financial products or services offered pursuant to joint 
agreements between the bank and one or more financial institutions.
    (c) Definition of joint agreement. For purposes of this section, 
joint agreement means a written contract pursuant to which a bank and 
one or more financial institutions jointly offer, endorse, or sponsor a 
financial product or service.


Sec. 40.10  Exceptions to notice and opt out requirements for 
processing and servicing transactions.

    (a) Exceptions for processing transactions at consumer's request. 
The requirements for initial notice in Sec. 40.4(a)(2), the opt out in 
Secs. 40.7 and 40.8 and service providers and joint marketing in 
Sec. 40.9 do not apply if the bank discloses nonpublic personal 
information:
    (1) As necessary to effect, administer, or enforce a transaction 
requested or authorized by the consumer;
    (2) To service or process a financial product or service requested 
or authorized by the consumer;
    (3) To maintain or service the consumer's account with the bank, or 
with another entity as part of a private label credit card program or 
other extension of credit on behalf of such entity; or
    (4) In connection with a proposed or actual securitization, 
secondary market sale (including sales of servicing rights) or similar 
transaction related to a transaction of the consumer.
    (b) Necessary to effect, administer, or enforce a transaction means 
that the disclosure is:
    (1) Required, or is one of the lawful or appropriate methods, to 
enforce the bank's rights or the rights of other persons engaged in 
carrying out the financial transaction or providing the product or 
service; or
    (2) Required, or is a usual, appropriate or acceptable method:
    (i) To carry out the transaction or the product or service business 
of which the transaction is a part, and record, service or maintain the 
consumer's account in the ordinary course of providing the financial 
service or financial product;
    (ii) To administer or service benefits or claims relating to the 
transaction or the product or service business of which it is a part;
    (iii) To provide a confirmation, statement or other record of the 
transaction, or information on the status or value of the financial 
service or financial product to the consumer or the consumer's agent or 
broker;
    (iv) To accrue or recognize incentives or bonuses associated with 
the transaction that are provided by the bank or any other party;
    (v) To underwrite insurance at the consumer's request or for 
reinsurance purposes, or for any of the following purposes as they 
relate to a consumer's insurance: Account administration,

[[Page 8795]]

reporting, investigating, or preventing fraud or material 
misrepresentation, processing premium payments, processing insurance 
claims, administering insurance benefits (including utilization review 
activities), participating in research projects, or as otherwise 
required or specifically permitted by Federal or State law;
    (vi) In connection with settling a transaction, including:
    (A) The authorization, billing, processing, clearing, transferring, 
reconciling or collection of amounts charged, debited, or otherwise 
paid using a debit, credit or other payment card, check or account 
number, or by other payment means;
    (B) The transfer of receivables, accounts or interests therein; or
    (C) The audit of debit, credit or other payment information.


Sec. 40.11  Other exceptions to notice and opt out requirements.

    (a) Exceptions to opt out requirements. The requirements for 
initial notice to consumers in Sec. 40.4(a)(2), the opt out in 
Secs. 40.7 and 40.8 and service providers and joint marketing in 
Sec. 40.9 do not apply when a bank discloses nonpublic personal 
information:
    (1) With the consent or at the direction of the consumer, provided 
that the consumer has not revoked the consent or direction;
    (2) (i) To protect the confidentiality or security of the bank's 
records pertaining to the consumer, service, product or transaction;
    (ii) To protect against or prevent actual or potential fraud, 
unauthorized transactions, claims or other liability;
    (iii) For required institutional risk control or for resolving 
consumer disputes or inquiries;
    (iv) To persons holding a legal or beneficial interest relating to 
the consumer; or
    (v) To persons acting in a fiduciary or representative capacity on 
behalf of the consumer;
    (3) To provide information to insurance rate advisory 
organizations, guaranty funds or agencies, agencies that are rating the 
bank, persons that are assessing the bank's compliance with industry 
standards, and the bank's attorneys, accountants and auditors;
    (4) To the extent specifically permitted or required under other 
provisions of law and in accordance with the Right to Financial Privacy 
Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies 
(including government regulators), self-regulatory organizations, or 
for an investigation on a matter related to public safety;
    (5)(i) To a consumer reporting agency in accordance with the Fair 
Credit Reporting Act (15 U.S.C. 1681 et seq.); or
    (ii) From a consumer report reported by a consumer reporting 
agency;
    (6) In connection with a proposed or actual sale, merger, transfer, 
or exchange of all or a portion of a business or operating unit if the 
disclosure of nonpublic personal information concerns solely consumers 
of such business or unit; or
    (7)(i) To comply with Federal, State or local laws, rules and other 
applicable legal requirements;
    (ii) To comply with a properly authorized civil, criminal or 
regulatory investigation, or subpoena or summons by Federal, State or 
local authorities; or
    (iii) To respond to judicial process or government regulatory 
authorities having jurisdiction over the bank for examination, 
compliance or other purposes as authorized by law.
    (b) Examples of consent and revocation of consent. (1) A consumer 
may specifically consent to a bank's disclosure to a nonaffiliated 
insurance company of the fact that the consumer has applied to the bank 
for a mortgage so that the insurance company can offer homeowner's 
insurance to the consumer.
    (2) A consumer may revoke consent by subsequently exercising the 
right to opt out of future disclosures of nonpublic personal 
information as permitted under Sec. 40.8(d).


Sec. 40.12  Limits on redisclosure and reuse of information.

    (a) Limits on the bank's redisclosure and reuse. (1) Except as 
otherwise provided in this part, if a bank receives nonpublic personal 
information about a consumer from a nonaffiliated financial 
institution, the bank must not, directly or through an affiliate, 
disclose the information to any other person that is not affiliated 
with either the bank or the other financial institution, unless the 
disclosure would be lawful if the financial institution made it 
directly to such other person.
    (2) A bank may use nonpublic personal information about a consumer 
that it receives from a nonaffiliated financial institution in 
accordance with an exception under Secs. 40.9, 40.10, or 40.11 only for 
the purpose of that exception.
    (b) Limits on redisclosure and the reuse by other persons. (1) 
Except as otherwise provided in this part, if a bank discloses 
nonpublic personal information about a consumer to a nonaffiliated 
third party, that party must not, directly or through an affiliate, 
disclose the information to any other person that is a nonaffiliated 
third party of both the bank and that party, unless the disclosure 
would be lawful if the bank made it directly to such other person.
    (2) A nonaffiliated third party may use nonpublic personal 
information about a consumer that it receives from a bank in accordance 
with an exception under Secs. 40.9, 40.10, or 40.11 only for the 
purpose of that exception.


Sec. 40.13  Limits on sharing of account number information for 
marketing purposes.

    A bank must not, directly or through an affiliate, disclose, other 
than to a consumer reporting agency, an account number or similar form 
of access number or access code for a credit card account, deposit 
account or transaction account of a consumer to any nonaffiliated third 
party for use in telemarketing, direct mail marketing or other 
marketing through electronic mail to the consumer.


Sec. 40.14  Protection of Fair Credit Reporting Act.

    Nothing in this part shall be construed to modify, limit, or 
supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 
1681 et seq.), and no inference shall be drawn on the basis of the 
provisions of this part regarding whether information is transaction or 
experience information under section 603 of that Act.


Sec. 40.15  Relation to State laws.

    (a) In general. This part shall not be construed as superseding, 
altering, or affecting any statute, regulation, order or interpretation 
in effect in any State, except to the extent that such State statute, 
regulation, order or interpretation is inconsistent with the provisions 
of this part, and then only to the extent of the inconsistency.
    (b) Greater protection under State law. For purposes of this 
section, a State statute, regulation, order or interpretation is not 
inconsistent with the provisions of this part if the protection such 
statute, regulation, order or interpretation affords any consumer is 
greater than the protection provided under this part, as determined by 
the Federal Trade Commission, after consultation with the OCC, on the 
Federal Trade Commission's own motion or upon the petition of any 
interested party.


Sec. 40.16  Effective date; transition rule.

    (a) Effective date. This part is effective November 13, 2000.
    (b) Notice requirement for consumers who were customers on the 
effective

[[Page 8796]]

date. No later than 30 days after the effective date of this part, a 
bank must provide an initial notice, as required by Sec. 40.4, to 
consumers who were the bank's customers on the effective date of this 
part.

    Dated: February 2, 2000.
John D. Hawke, Jr.,
Comptroller of the Currency.

Board of Governors of the Federal Reserve System

12 CFR Chapter II

Authority and Issuance

    For the reasons set out in the joint preamble, Title 12, Chapter 
II, of the Code of Federal Regulations is proposed to be amended by 
adding a new part 216 to read as follows:

PART 216--PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)

Sec.
216.1   Purpose and scope.
216.2   Rule of construction.
216.3   Definitions.
216.4   Initial notice to consumers of privacy policies and 
practices required.
216.5   Annual notice to customers required.
216.6   Information to be included in initial and annual notices of 
privacy policies and practices.
216.7   Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.
216.8   Form and method of providing opt out notice to consumers.
216.9   Exception to opt out requirements for service providers and 
joint marketing.
216.10   Exceptions to notice and opt out requirements for 
processing and servicing transactions.
216.11   Other exceptions to notice and opt out requirements.
216.12   Limits on redisclosure and reuse of information.
216.13   Limits on sharing of account number information for 
marketing purposes.
216.14   Protection of Fair Credit Reporting Act.
216.15   Relation to State laws.
216.16   Effective date; transition rule.

    Authority: 15 U.S.C. 6801 et seq.


Sec. 216.1  Purpose and scope.

    (a) Purpose. This part governs the treatment of nonpublic personal 
information about consumers by the financial institutions listed in 
paragraph (b) of this section. This part:
    (1) Requires a financial institution to provide notice to consumers 
about its privacy policies and practices;
    (2) Describes the conditions under which a financial institution 
may disclose nonpublic personal information about consumers to 
nonaffiliated third parties; and
    (3) Provides a method for consumers to prevent a financial 
institution from disclosing that information to most nonaffiliated 
third parties by ``opting out'' of that disclosure, subject to the 
exceptions in Secs. 216.9, 216.10, and 216.11.
    (b) Scope. The rules established by this part apply only to 
nonpublic personal information about individuals who obtain financial 
products or services for personal, family or household purposes from 
the institutions listed below. This part does not apply to information 
about companies or about individuals who obtain financial products or 
services for business purposes. This part applies to entities for which 
the Board has primary supervisory authority. They are referred to in 
this part as ``you.'' These are: State member banks, bank holding 
companies and certain of their nonbank subsidiaries or affiliates, 
State uninsured branches and agencies of foreign banks, commercial 
lending companies owned or controlled by foreign banks, and Edge and 
Agreement corporations.


Sec. 216.2  Rule of construction.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part.


Sec. 216.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Affiliate means any company that controls, is controlled by, or 
is under common control with another company.
    (b) (1) Clear and conspicuous means that a notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information contained in the notice.
    (2) Examples. (i) You make your notice reasonably understandable 
if, to the extent applicable, you:
    (A) Present the information contained in the notice in clear, 
concise sentences, paragraphs and sections;
    (B) Use short explanatory sentences and bullet lists, whenever 
possible;
    (C) Use definite, concrete, everyday words and active voice, 
whenever possible;
    (D) Avoid multiple negatives;
    (E) Avoid legal and highly technical business terminology; and
    (F) Avoid boilerplate explanations that are imprecise and readily 
subject to different interpretations.
    (ii) You design your notice to call attention to the nature and 
significance of the information contained in it if, to the extent 
applicable, you:
    (A) Use a plain-language heading to call attention to the notice;
    (B) Use a typeface and type size that are easy to read; and
    (C) Provide wide margins and ample line spacing.
    (iii) If you provide a notice on the same form as another notice or 
other document, you design your notice to call attention to the nature 
and significance of the information contained in the notice if you use:
    (A) Larger type size(s), boldface or italics in the text;
    (B) Wider margins and line spacing in the notice; or
    (C) Shading or sidebars to highlight the notice, whenever possible.
    (c) Collect means to obtain information that is organized or 
retrievable on a personally identifiable basis, irrespective of the 
source of the underlying information.
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association or similar 
organization.
    (e)(1) Consumer means an individual who obtains or has obtained a 
financial product or service from you that is to be used primarily for 
personal, family or household purposes, and that individual's legal 
representative.
    (2) Examples. (i) An individual who applies to you for credit for 
personal, family or household purposes is a consumer of a financial 
service, regardless of whether the credit is extended.
    (ii) An individual who provides nonpublic personal information to 
you in order to obtain a determination about whether he or she may 
qualify for a loan to be used primarily for personal, family or 
household purposes is a consumer of a financial service, regardless of 
whether the loan is extended by you or another financial institution.
    (iii) An individual who provides nonpublic personal information to 
you in connection with obtaining or seeking to obtain financial, 
investment or economic advisory services is a consumer regardless of 
whether you establish an ongoing advisory relationship.
    (iv) An individual who negotiates a workout with you for a loan 
that you own is a consumer regardless of whether you originally 
extended the loan to the individual.
    (v) An individual who has a loan from you is your consumer even if 
you:
    (A) Hire an agent to collect on the loan;
    (B) Sell the rights to service the loan; or
    (C) Bought the loan from the financial institution that originated 
the loan.

[[Page 8797]]

    (vi) An individual is not your consumer solely because you process 
information about the individual on behalf of a financial institution 
that extended the loan to the individual.
    (f) Consumer reporting agency has the same meaning as in section 
603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
    (g) Control of a company means:
    (1) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of the company, 
directly or indirectly, or acting through one or more other persons;
    (2) Control in any manner over the election of a majority of the 
directors, trustees or general partners (or individuals exercising 
similar functions) of the company; or
    (3) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of the company, as determined 
by the Board.
    (h) Customer means a consumer who has a customer relationship with 
you.
    (i)(1) Customer relationship means a continuing relationship 
between a consumer and you under which you provide one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family or household purposes.
    (2) Examples. (i) A consumer has a continuing relationship with you 
if the consumer:
    (A) Has a deposit, credit, trust or investment account with you;
    (B) Purchases an insurance product from you;
    (C) Holds an investment product through you;
    (D) Enters into an agreement or understanding with you whereby you 
undertake to arrange or broker a home mortgage loan for the consumer;
    (E) Has a loan that you service where you own the servicing rights;
    (F) Enters into a lease of personal property with you; or
    (G) Obtains financial, investment or economic advisory services 
from you for a fee.
    (ii) A consumer does not, however, have a continuing relationship 
with you if:
    (A) The consumer only obtains a financial product or service in an 
isolated transaction, such as withdrawing cash from your ATM or 
purchasing a cashier's check or money order;
    (B) You sell the consumer's loan and do not retain the rights to 
service that loan; or
    (C) You sell the consumer airline tickets, travel insurance or 
traveler's checks in an isolated transaction.
    (j) (1) Financial institution means any institution the business of 
which is engaging in activities that are financial in nature or 
incidental to such financial activities as described in section 4(k) of 
the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).
    (2) Financial institution does not include:
    (i) Any person or entity with respect to any financial activity 
that is subject to the jurisdiction of the Commodity Futures Trading 
Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
    (ii) The Federal Agricultural Mortgage Corporation or any entity 
chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 
2001 et seq.); or
    (iii) Institutions chartered by Congress specifically to engage in 
securitizations, secondary market sales (including sales of servicing 
rights) or similar transactions related to a transaction of a consumer, 
as long as such institutions do not sell or transfer nonpublic personal 
information to a nonaffiliated third party.
    (k) (1) Financial product or service means any product or service 
that a financial holding company could offer by engaging in an activity 
that is financial in nature or incidental to such a financial activity 
under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 
1843(k)).
    (2) Financial service includes your evaluation, brokerage or 
distribution of information that you collect in connection with a 
request or an application from a consumer for a financial product or 
service.
    (l) Government regulator means:
    (1) The Board of Governors of the Federal Reserve System;
    (2) The Office of the Comptroller of the Currency;
    (3) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (4) The Director of the Office of Thrift Supervision;
    (5) The National Credit Union Administration Board;
    (6) The Securities and Exchange Commission;
    (7) The Secretary of the Treasury, with respect to 31 U.S.C. 
Chapter 53, Subchapter II (Records and Reports on Monetary Instruments 
and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping);
    (8) A State insurance authority, with respect to any person 
domiciled in that insurance authority's State that is engaged in 
providing insurance; and
    (9) The Federal Trade Commission.
    (m) (1) Nonaffiliated third party means any person except:
    (i) Your affiliate; or
    (ii) A person employed jointly by you and any company that is not 
your affiliate (but nonaffiliated third party includes the other 
company that jointly employs the person).
    (2) Nonaffiliated third party includes any company that is an 
affiliate by virtue of the direct or indirect ownership or control of 
the company by the financial institution or any affiliate of the 
financial institution in conducting merchant banking or investment 
banking activities of the type described in section 4(k)(4)(H) or 
insurance company investment activities of the type described in 
section 4(k)(4)(I) of the Bank Holding Company Act (12 U.S.C. 
1843(k)(4)(H) and (I)).
    (n) (1) Nonpublic personal information means:
    (i) Personally identifiable financial information; and
    (ii) Any list, description or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
using any personally identifiable financial information.
    (2) Nonpublic personal information does not include:
    (i) Publicly available information, except as provided in paragraph 
(n)(1)(ii) of this section; or
    (ii) Any list, description, or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
without using any personally identifiable financial information.
    (3) Example. Nonpublic personal information includes any list of 
individuals' street addresses and telephone numbers that is derived 
using personally identifiable financial information, such as account 
numbers.
    (o) (1) Personally identifiable financial information means any 
information:
    (i) Provided by a consumer to you to obtain a financial product or 
service from you;
    (ii) About a consumer resulting from any transaction involving a 
financial product or service between you and a consumer; or
    (iii) You otherwise obtain about a consumer in connection with 
providing a financial product or service to that consumer.
    (2) Examples. (i) Personally identifiable financial information 
includes:
    (A) Information a consumer provides to you on an application to 
obtain a loan, credit card, insurance or other financial product or 
service, including, among other things, medical information;

[[Page 8798]]

    (B) Account balance information, payment history, overdraft 
history, and credit or debit card purchase information;
    (C) The fact that an individual is or has been one of your 
customers or has obtained a financial product or service from you, 
unless that fact is derived using only publicly available information, 
such as government real estate records or bankruptcy records;
    (D) Other information about your consumer if it is disclosed in a 
manner that indicates the individual is or has been your consumer;
    (E) Any information provided by a consumer or otherwise obtained by 
you or your agent in connection with collecting on a loan or servicing 
a loan; and
    (F) Information from a consumer report.
    (ii) Personally identifiable financial information does not include 
a list of names and addresses of customers of an entity that is not a 
financial institution.
    (p) (1) Publicly available information means any information that 
is lawfully made available to the general public from:
    (i) Federal, State or local government records;
    (ii) Widely distributed media; or
    (iii) Disclosures to the general public that are required to be 
made by Federal, State or local law.
    (2) Examples--(i) Government records. Publicly available 
information contained in government records includes information 
contained in government real estate records and security interest 
filings.
    (ii) Widely distributed media. Publicly available information from 
widely distributed media includes information from a telephone book, a 
television or radio program, a newspaper or an Internet site that is 
available to the general public without requiring a password or similar 
restriction.
    (q) You means:
    (1) A State member bank, as defined in 12 CFR 208.3(g) and its 
subsidiaries;
    (2) A bank holding company, as defined in 12 CFR 225.2(c);
    (3) A subsidiary (as defined in 12 CFR 225.2(o)) or affiliate of a 
bank holding company, except for a:
    (i) National bank or a State bank that is not a member of the 
Federal Reserve System;
    (ii) Broker, as defined in 15 U.S.C. 78c(a)(4);
    (iii) Dealer, as defined in 15 U.S.C. 78c(a)(5);
    (iv) Person, to the extent that person is engaged in the business 
of insurance in a State as principal or agent and required to be 
licensed by the appropriate State insurance authority;
    (v) Investment company, as defined in 15 U.S.C. 80a-3; or
    (vi) Investment adviser, as defined in 15 U.S.C. 80b-2(a)(11);
    (4) A State agency or State branch of a foreign bank, as those 
terms are defined in 12 U.S.C. 3101(b)(11) and (12), the deposits of 
which agency or branch are not insured by the Federal Deposit Insurance 
Corporation;
    (5) A commercial lending company, as defined in 12 CFR 211.21(f), 
that is owned or controlled by a foreign bank, as defined in 12 CFR 
211.21(m); or
    (6) A corporation organized under section 25A of the Federal 
Reserve Act (12 U.S.C. 611-631) or a corporation having an agreement or 
undertaking with the Board under section 25 of the Federal Reserve Act 
(12 U.S.C. 601-604a).


Sec. 216.4  Initial notice to consumers of privacy policies and 
practices required.

    (a) When initial notice is required. You must provide a clear and 
conspicuous notice that accurately reflects your privacy policies and 
practices to:
    (1) An individual who becomes your customer, prior to the time that 
you establish a customer relationship, except as provided in paragraph 
(d)(2) of this section; and
    (2) A consumer, prior to the time that you disclose any nonpublic 
personal information about the consumer to any nonaffiliated third 
party, if you make such a disclosure other than as authorized by 
Secs. 216.10 and 216.11.
    (b) When initial notice to a consumer is not required. You are not 
required to provide an initial notice to a consumer under paragraph 
(a)(1) of this section if:
    (1) You do not disclose any nonpublic personal information about 
the consumer to any nonaffiliated third party, other than as authorized 
by Secs. 216.10 and 216.11; and
    (2) You do not have a customer relationship with the consumer.
    (c) When you establish a customer relationship--(1) General rule. 
You establish a customer relationship at the time you and the consumer 
enter into a continuing relationship.
    (2) Examples. You establish a customer relationship when the 
consumer:
    (i) Opens a credit card account with you;
    (ii) Executes the contract to open a deposit account with you, 
obtains credit from you, or purchases insurance from you;
    (iii) Agrees to obtain financial, economic or investment advisory 
services from you for a fee;
    (iv) Becomes your client for the purpose of your providing credit 
counseling or tax preparation services.
    (d) How to provide notice--(1) General rule. You must provide the 
privacy notice required by paragraph (a) of this section so that each 
consumer can reasonably be expected to receive actual notice in writing 
or, if the consumer agrees, in electronic form.
    (2) Exceptions to allow subsequent delivery of notice. You may 
provide the initial notice required by paragraph (a)(1) of this section 
within a reasonable time after you establish a customer relationship 
if:
    (i) You purchase a loan or assume a deposit liability from another 
financial institution and the customer of that loan or deposit account 
does not have a choice about your purchase or assumption; or
    (ii) You and the consumer orally agree to enter into a customer 
relationship and the consumer agrees to receive the notice thereafter.
    (3) Oral description of notice insufficient. You may not provide 
the initial notice required by paragraph (a) of this section solely by 
orally explaining, either in person or over the telephone, your privacy 
policies and practices.
    (4) Retention or accessibility of initial notice for customers. For 
customers only, you must provide the initial notice required by 
paragraph (a)(1) of this section so that it can be retained or obtained 
at a later time by the customer, in a written form or, if the customer 
agrees, in electronic form.
    (5) Examples. (i) You may reasonably expect that a consumer will 
receive actual notice of your privacy policies and practices if you:
    (A) Hand-deliver a printed copy of the notice to the consumer;
    (B) Mail a printed copy of the notice to the last known address of 
the consumer;
    (C) For the consumer who conducts transactions electronically, post 
the notice on the electronic site and require the consumer to 
acknowledge receipt of the notice as a necessary step to obtaining a 
particular financial product or service;
    (D) For an isolated transaction with the consumer, such as an ATM 
transaction, post the notice on the ATM screen and require the consumer 
to acknowledge receipt of the notice as a necessary step to obtaining 
the particular financial product or service.
    (ii) You may not, however, reasonably expect that a consumer will 
receive actual notice of your privacy policies and practices if you:

[[Page 8799]]

    (A) Only post a sign in your branch or office or generally publish 
advertisements of your privacy policies and practices;
    (B) Send the notice via electronic mail to a consumer who obtains a 
financial product or service with you in person or through the mail and 
who does not agree to receive the notice electronically.
    (iii) You provide the initial privacy notice to the customer so 
that it can be retained or obtained at a later time if you:
    (A) Hand-deliver a printed copy of the notice to the customer;
    (B) Mail a printed copy of the notice to the last known address of 
the customer upon request of the customer;
    (C) Maintain the notice on a web site (or a link to another web 
site) for the customer who obtains a financial product or service 
electronically and who agrees to receive the notice electronically.


Sec. 216.5  Annual notice to customers required.

    (a) General rule. You must provide a clear and conspicuous notice 
to customers that accurately reflects your privacy policies and 
practices not less than annually during the continuation of the 
customer relationship. Annually means at least once in any period of 12 
consecutive months during which that relationship exists.
    (b) How to provide notice. You must provide the annual notice 
required by paragraph (a) of this section to a customer using a means 
permitted for providing the initial notice to that customer under 
Sec. 216.4(d).
    (c)(1) Termination of customer relationship. You are not required 
to provide an annual notice to a customer with whom you no longer have 
a continuing relationship.
    (2) Examples. You no longer have a continuing relationship with an 
individual if:
    (i) In the case of a deposit account, the account is dormant under 
the bank's policies;
    (ii) In the case of a closed-end loan, the consumer pays the loan 
in full, you charge off the loan, or you sell the loan without 
retaining servicing rights;
    (iii) In the case of a credit card relationship or other open-end 
credit relationship, you no longer provide any statements or notices to 
the consumer concerning that relationship or you sell the credit card 
receivables without retaining servicing rights; or
    (iv) For other types of relationships, you have not communicated 
with the consumer about the relationship for a period of 12 consecutive 
months, other than to provide annual notices of privacy policies and 
practices.


Sec. 216.6  Information to be included in initial and annual notices of 
privacy policies and practices.

    (a) General rule. The initial and annual notices that you provide 
about your privacy policies and practices under Secs. 216.4 and 216.5 
must include each of the following items of information:
    (1) The categories of nonpublic personal information about your 
consumers that you collect;
    (2) The categories of nonpublic personal information about your 
consumers that you disclose;
    (3) The categories of affiliates and nonaffiliated third parties to 
whom you disclose nonpublic personal information about your consumers, 
other than those parties to whom you disclose information under 
Secs. 216.10 and 216.11;
    (4) The categories of nonpublic personal information about your 
former customers that you disclose and the categories of affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information about your former customers, other than those parties to 
whom you disclose information under Secs. 216.10 and 216.11;
    (5) If you disclose nonpublic personal information to a 
nonaffiliated third party under Sec. 216.9 (and no other exception 
applies to that disclosure), a separate description of the categories 
of information you disclose and the categories of third parties with 
whom you have contracted;
    (6) An explanation of the right under Sec. 216.8(a) of the consumer 
to opt out of the disclosure of nonpublic personal information to 
nonaffiliated third parties, including the methods by which the 
consumer may exercise that right;
    (7) Any disclosures that you make under section 603(d)(2)(A)(iii) 
of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that 
is, notices regarding the ability to opt out of disclosures of 
information among affiliates); and
    (8) Your policies and practices with respect to protecting the 
confidentiality, security and integrity of nonpublic personal 
information.
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information about a 
consumer to third parties as authorized under Secs. 216.10 and 216.11, 
you are not required to list those exceptions in the initial or annual 
privacy notices required by Secs. 216.4 and 216.5. When describing the 
categories with respect to those parties, you are only required to 
state that you make disclosures to other nonaffiliated third parties as 
permitted by law.
    (c) Future disclosures. Your notice may include:
    (1) Categories of nonpublic personal information that you reserve 
the right to disclose in the future, but do not currently disclose; and
    (2) Categories of affiliates or nonaffiliated third parties to whom 
you reserve the right in the future to disclose, but to whom you do not 
currently disclose, nonpublic personal information.
    (d) Examples--(1) Categories of nonpublic personal information that 
you collect. You adequately categorize the nonpublic personal 
information you collect if you categorize it according to the source of 
the information, such as application information, information about 
transactions (such as information regarding your deposit, loan, or 
credit card account), and consumer reports.
    (2) Categories of nonpublic personal information you disclose. You 
adequately categorize nonpublic personal information you disclose if 
you categorize it according to source, and provide a few illustrative 
examples of the content of the information. These might include 
application information, such as assets and income; identifying 
information, such as name, address, and social security number; and 
transaction information, such as information about account balance, 
payment history, parties to the transaction, and credit card usage; and 
information from consumer reports, such as a consumer's 
creditworthiness and credit history. You do not adequately categorize 
the information that you disclose if you use only general terms, such 
as transaction information about the consumer.
    (3) Categories of affiliates and nonaffiliated third parties to 
whom you disclose. You adequately categorize the affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information about consumers if you identify the types of businesses 
that they engage in. Types of businesses may be described by general 
terms only if you use a few illustrative examples of significant lines 
of business. For example, you may use the term financial products or 
services if you include appropriate examples of significant lines of 
businesses, such as consumer banking, mortgage lending, life insurance 
or securities brokerage. You also may categorize the affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information about consumers using more detailed categories.
    (4) Simplified notices. If you do not disclose, and do not intend 
to disclose,

[[Page 8800]]

nonpublic personal information to affiliates or nonaffiliated third 
parties, you may simply state that fact, in addition to the information 
you must provide under paragraphs (a)(1), (a)(8), and (b) of this 
section.
    (5) Confidentiality, security and integrity. You describe your 
policies and practices with respect to protecting the confidentiality 
and security of nonpublic personal information if you explain who has 
access to the information and the circumstances under which the 
information may be accessed. You describe your policies and practices 
with respect to protecting the integrity of nonpublic personal 
information if you explain measures you take to protect against 
reasonably anticipated threats or hazards. You are not required to 
describe technical information about the safeguards you use.


Sec. 216.7  Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.

    (a)(1) Conditions for disclosure. Except as otherwise authorized in 
this part, you may not, directly or through any affiliate, disclose any 
nonpublic personal information about a consumer to a nonaffiliated 
third party unless:
    (i) You have provided to the consumer an initial notice as required 
under Sec. 216.4;
    (ii) You have provided to the consumer an opt out notice as 
required in Sec. 216.8;
    (iii) You have given the consumer a reasonable opportunity, before 
the time that you disclose the information to the nonaffiliated third 
party, to opt out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) Opt out definition. Opt out means a direction by the consumer 
that you not disclose nonpublic personal information about that 
consumer to a nonaffiliated third party, other than as permitted by 
Secs. 216.9, 216.10 and 216.11.
    (3) Examples of reasonable opportunity to opt out--(i) By mail. You 
provide a consumer with whom you have a customer relationship with a 
reasonable opportunity to opt out if you mail the notices required in 
paragraph (a)(1) of this section to the consumer and allow the consumer 
a reasonable period of time, such as 30 days, to opt out.
    (ii) Isolated transaction with consumer. For an isolated 
transaction, such as the purchase of a cashier's check by a consumer, 
you provide a reasonable opportunity to opt out if you provide the 
consumer with the required notices at the time of the transaction and 
request that the consumer decide, as a necessary part of the 
transaction, whether to opt out before completing the transaction.
    (b) Application of opt out to all consumers and all nonpublic 
personal information. (1) You must comply with this section, regardless 
of whether you and the consumer have established a customer 
relationship.
    (2) Unless you comply with this section, you may not, directly or 
through any affiliate, disclose any nonpublic personal information 
about a consumer that you have collected, regardless of whether you 
collected it before or after receiving the direction to opt out from 
the consumer.
    (c) Partial opt out. You may allow a consumer to select certain 
nonpublic personal information or certain nonaffiliated third parties 
with respect to which the consumer wishes to opt out.


Sec. 216.8  Form and method of providing opt out notice to consumers.

    (a)(1) Form of opt out notice. You must provide a clear and 
conspicuous notice to each of your consumers that accurately explains 
the right to opt out under Sec. 216.7(a)(1). The notice must state:
    (i) That you disclose or reserve the right to disclose nonpublic 
personal information about your consumer to a nonaffiliated third 
party;
    (ii) That the consumer has the right to opt out of that disclosure; 
and
    (iii) A reasonable means by which the consumer may exercise the opt 
out right.
    (2) Examples. (i) You provide adequate notice that the consumer can 
opt out of the disclosure of nonpublic personal information to a 
nonaffiliated third party if you identify all of the categories of 
nonpublic personal information that you disclose or reserve the right 
to disclose to nonaffiliated third parties as described in Sec. 216.6 
and state that the consumer can opt out of the disclosure of that 
information.
    (ii) You provide a reasonable means to exercise an opt out right if 
you:
    (A) Designate check-off boxes in a prominent position on the 
relevant forms with the opt out notice;
    (B) Include a reply form together with the opt out notice; or
    (C) Provide an electronic means to opt out, such as a form that can 
be sent via electronic mail or a process at your web site, if the 
consumer agrees to the electronic delivery of information.
    (iii) You do not provide a reasonable means of opting out if the 
only means of opting out is for the consumer to write his or her own 
letter to exercise that opt out right.
    (b) How to provide opt out notice--(1) Delivery of notice. You must 
provide the opt out notice required by paragraph (a) of this section in 
a manner so that each consumer can reasonably be expected to receive 
actual notice in writing or, if the consumer agrees, in electronic 
form. If you and the consumer orally agree to enter into a customer 
relationship, you may provide the opt out notice required by paragraph 
(a) of this section within a reasonable time thereafter if the consumer 
agrees.
    (2) Oral description of opt out right insufficient. You may not 
provide the opt out notice solely by orally explaining, either in 
person or over the telephone, the right of the consumer to opt out.
    (3) Same form as initial notice permitted. You may provide the opt 
out notice together with or on the same written or electronic form as 
the initial notice you provide in accordance with Sec. 216.4.
    (4) Initial notice required when opt out notice delivered 
subsequent to initial notice. If you provide the opt out notice at a 
later time than required for the initial notice in accordance with 
Sec. 216.4, you must also include a copy of the initial notice in 
writing or, if the consumer agrees, in an electronic form with the opt 
out notice.
    (c) Notice of change in terms--(1) General rule. Except as 
otherwise authorized in this part, you must not, directly or through 
any affiliate, disclose any nonpublic personal information about a 
consumer to a nonaffiliated third party other than as described in the 
initial notice that you provided to the consumer under Sec. 216.4, 
unless:
    (i) You have provided to the consumer a revised notice that 
accurately describes your policies and practices;
    (ii) You have provided to the consumer a new opt out notice;
    (iii) You have given the consumer a reasonable opportunity, before 
the time that you disclose the information to the nonaffiliated third 
party, to opt out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) How to provide notice of change in terms. You must provide the 
revised notice of your policies and practices and opt out notice to a 
consumer using the means permitted for providing the initial notice and 
opt out notice to that consumer under Sec. 216.4(d) and paragraph (b) 
of this section, respectively.
    (3) Examples. (i) Except as otherwise permitted by Secs. 216.9, 
216.10 and 216.11, a change-in-terms notice is required if you:

[[Page 8801]]

    (A) Disclose a new category of nonpublic personal information to 
any nonaffiliated third party; or
    (B) Disclose nonpublic personal information to a new category of 
nonaffiliated third party.
    (ii) A change-in-terms notice is not required if you disclose 
nonpublic personal information to a new nonaffiliated third party that 
is adequately described by your prior notice.
    (d) Continuing right to opt out. A consumer may exercise the right 
to opt out at any time, and you must comply with the consumer's 
direction as soon as reasonably practicable.
    (e) Duration of consumer's opt out direction. A consumer's 
direction to opt out under this section is effective until revoked by 
the consumer in writing, or if the consumer agrees, in electronic form.


Sec. 216.9  Exception to opt out requirements for service providers and 
joint marketing.

    (a) General rule. The opt out requirements in Secs. 216.7 and 216.8 
do not apply when you provide nonpublic personal information about a 
consumer to a nonaffiliated third party to perform services for you or 
functions on your behalf, if you:
    (1) Provide the initial notice in accordance with Sec. 216.4; and
    (2) Enter into a contractual agreement with the third party that:
    (i) Requires the third party to maintain the confidentiality of the 
information to at least the same extent that you must maintain that 
confidentiality under this part; and
    (ii) Limits the third party's use of information you disclose 
solely to the purposes for which the information is disclosed or as 
otherwise permitted by Secs. 216.10 and 216.11 of this part.
    (b) Service may include joint marketing. The services performed for 
you by a nonaffiliated third party under paragraph (a) of this section 
may include marketing of your own products or services or marketing of 
financial products or services offered pursuant to joint agreements 
between you and one or more financial institutions.
    (c) Definition of joint agreement. For purposes of this section, 
joint agreement means a written contract pursuant to which you and one 
or more financial institutions jointly offer, endorse, or sponsor a 
financial product or service.


Sec. 216.10  Exceptions to notice and opt out requirements for 
processing and servicing transactions.

    (a) Exceptions for processing transactions at consumer's request. 
The requirements for initial notice in Sec. 216.4(a)(2), the opt out in 
Secs. 216.7 and 216.8 and service providers and joint marketing in 
Sec. 216.9 do not apply if you disclose nonpublic personal information:
    (1) As necessary to effect, administer, or enforce a transaction 
requested or authorized by the consumer;
    (2) To service or process a financial product or service requested 
or authorized by the consumer;
    (3) To maintain or service the consumer's account with you, or with 
another entity as part of a private label credit card program or other 
extension of credit on behalf of such entity; or
    (4) In connection with a proposed or actual securitization, 
secondary market sale (including sales of servicing rights) or similar 
transaction related to a transaction of the consumer.
    (b) Necessary to effect, administer, or enforce a transaction means 
that the disclosure is:
    (1) Required, or is one of the lawful or appropriate methods, to 
enforce your rights or the rights of other persons engaged in carrying 
out the financial transaction or providing the product or service; or
    (2) Required, or is a usual, appropriate or acceptable method:
    (i) To carry out the transaction or the product or service business 
of which the transaction is a part, and record, service or maintain the 
consumer's account in the ordinary course of providing the financial 
service or financial product;
    (ii) To administer or service benefits or claims relating to the 
transaction or the product or service business of which it is a part;
    (iii) To provide a confirmation, statement or other record of the 
transaction, or information on the status or value of the financial 
service or financial product to the consumer or the consumer's agent or 
broker;
    (iv) To accrue or recognize incentives or bonuses associated with 
the transaction that are provided by you or any other party;
    (v) To underwrite insurance at the consumer's request or for 
reinsurance purposes, or for any of the following purposes as they 
relate to a consumer's insurance: account administration, reporting, 
investigating, or preventing fraud or material misrepresentation, 
processing premium payments, processing insurance claims, administering 
insurance benefits (including utilization review activities), 
participating in research projects, or as otherwise required or 
specifically permitted by Federal or State law;
    (vi) In connection with settling a transaction, including:
    (A) The authorization, billing, processing, clearing, transferring, 
reconciling or collection of amounts charged, debited, or otherwise 
paid using a debit, credit or other payment card, check or account 
number, or by other payment means;
    (B) The transfer of receivables, accounts or interests therein; or
    (C) The audit of debit, credit or other payment information.


Sec. 216.11  Other exceptions to notice and opt out requirements.

    (a) Exceptions to opt out requirements. The requirements for 
initial notice to consumers in Sec. 216.4(a)(2), the opt out in 
Secs. 216.7 and 216.8, and service providers and joint marketing in 
Sec. 216.9 do not apply when you disclose nonpublic personal 
information:
    (1) With the consent or at the direction of the consumer, provided 
that the consumer has not revoked the consent or direction;
    (2) (i) To protect the confidentiality or security of your records 
pertaining to the consumer, service, product or transaction;
    (ii) To protect against or prevent actual or potential fraud, 
unauthorized transactions, claims or other liability;
    (iii) For required institutional risk control or for resolving 
consumer disputes or inquiries;
    (iv) To persons holding a legal or beneficial interest relating to 
the consumer; or
    (v) To persons acting in a fiduciary or representative capacity on 
behalf of the consumer;
    (3) To provide information to insurance rate advisory 
organizations, guaranty funds or agencies, agencies that are rating 
you, persons that are assessing your compliance with industry 
standards, and your attorneys, accountants and auditors;
    (4) To the extent specifically permitted or required under other 
provisions of law and in accordance with the Right to Financial Privacy 
Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies 
(including government regulators), self-regulatory organizations, or 
for an investigation on a matter related to public safety;
    (5) (i) To a consumer reporting agency in accordance with the Fair 
Credit Reporting Act (15 U.S.C. 1681 et seq.), or
    (ii) From a consumer report reported by a consumer reporting 
agency;
    (6) In connection with a proposed or actual sale, merger, transfer, 
or exchange of all or a portion of a business or operating unit if the 
disclosure of nonpublic personal information

[[Page 8802]]

concerns solely consumers of such business or unit; or
    (7) (i) To comply with Federal, State or local laws, rules and 
other applicable legal requirements;
    (ii) To comply with a properly authorized civil, criminal or 
regulatory investigation, or subpoena or summons by Federal, State or 
local authorities; or
    (iii) To respond to judicial process or government regulatory 
authorities having jurisdiction over you for examination, compliance or 
other purposes as authorized by law.
    (b) Examples of consent and revocation of consent. (1) A consumer 
may specifically consent to your disclosure to a nonaffiliated 
insurance company of the fact that the consumer has applied to you for 
a mortgage so that the insurance company can offer homeowner's 
insurance to the consumer.
    (2) A consumer may revoke consent by subsequently exercising the 
right to opt out of future disclosures of nonpublic personal 
information as permitted under Sec. 216.8(d).


Sec. 216.12  Limits on redisclosure and reuse of information.

    (a) Limits on your redisclosure and reuse. (1) Except as otherwise 
provided in this part, if you receive nonpublic personal information 
about a consumer from a nonaffiliated financial institution, you must 
not, directly or through an affiliate, disclose the information to any 
other person that is not affiliated with either the financial 
institution or you, unless the disclosure would be lawful if the 
financial institution made it directly to such other person.
    (2) You may use nonpublic personal information about a consumer 
that you receive from a nonaffiliated financial institution in 
accordance with an exception under Secs. 216.9, 216.10 or 216.11 only 
for the purpose of that exception.
    (b) Limits on redisclosure and the reuse by other persons. (1) 
Except as otherwise provided in this part, if you disclose nonpublic 
personal information about a consumer to a nonaffiliated third party, 
that party must not, directly or through an affiliate, disclose the 
information to any other person that is a nonaffiliated third party of 
both you and that party, unless the disclosure would be lawful if you 
made it directly to such other person.
    (2) A nonaffiliated third party may use nonpublic personal 
information about a consumer that it receives from you in accordance 
with an exception under Secs. 216.9, 216.10 or 216.11 only for the 
purpose of that exception.


Sec. 216.13  Limits on sharing of account number information for 
marketing purposes.

    You must not, directly or through an affiliate, disclose, other 
than to a consumer reporting agency, an account number or similar form 
of access number or access code for a credit card account, deposit 
account or transaction account of a consumer to any nonaffiliated third 
party for use in telemarketing, direct mail marketing or other 
marketing through electronic mail to the consumer.


Sec. 216.14  Protection of Fair Credit Reporting Act.

    Nothing in this part shall be construed to modify, limit, or 
supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 
1681 et seq.), and no inference shall be drawn on the basis of the 
provisions of this part regarding whether information is transaction or 
experience information under section 603 of that Act.


Sec. 216.15  Relation to State laws.

    (a) In general. This part shall not be construed as superseding, 
altering, or affecting any statute, regulation, order or interpretation 
in effect in any State, except to the extent that such State statute, 
regulation, order or interpretation is inconsistent with the provisions 
of this part, and then only to the extent of the inconsistency.
    (b) Greater protection under State law. For purposes of this 
section, a State statute, regulation, order or interpretation is not 
inconsistent with the provisions of this part if the protection such 
statute, regulation, order or interpretation affords any consumer is 
greater than the protection provided under this part, as determined by 
the Federal Trade Commission, after consultation with the Board, on the 
Federal Trade Commission's own motion or upon the petition of any 
interested party.


Sec. 216.16  Effective date; transition rule.

    (a) Effective date. This part is effective November 13, 2000.
    (b) Notice requirement for consumers who were your customers on the 
effective date. No later than thirty days after the effective date of 
this part, you must provide an initial notice, as required by 
Sec. 216.4, to consumers who were your customers on the effective date 
of this part.

    By order of the Board of Governors of the Federal Reserve 
System, February 10, 2000.
Jennifer J. Johnson,
Secretary of the Board.

Federal Deposit Insurance Corporation 12 CFR Chapter III

Authority and Issuance

    For the reasons set out in the joint preamble, Title 12, Chapter 
III of the Code of Federal Regulations is proposed to be amended by 
adding a new part 332 to read as follows:

PART 332--PRIVACY OF CONSUMER FINANCIAL INFORMATION

Sec.
332.1   Purpose and scope.
332.2   Rule of construction.
332.3   Definitions.
332.4   Initial notice to consumers of privacy policies and 
practices required.
332.5   Annual notice to customers required.
332.6   Information to be included in initial and annual notices of 
privacy policies and practices.
332.7   Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.
332.8   Form and method of providing opt out notice to consumers.
332.9   Exception to opt out requirements for service providers and 
joint marketing.
332.10   Exceptions to notice and opt out requirements for 
processing and servicing transactions.
332.11   Other exceptions to notice and opt out requirements.
332.12   Limits on redisclosure and reuse of information.
332.13   Limits on sharing of account number information for 
marketing purposes.
332.14   Protection of Fair Credit Reporting Act.
332.15   Relation to State laws.
332.16   Effective date; transition rule.

    Authority: 12 U.S.C. 1819 (Seventh and Tenth); 15 U.S.C. 6801 et 
seq.


Sec. 332.1  Purpose and scope.

    (a) Purpose. This part governs the treatment of nonpublic personal 
information about consumers by the financial institutions listed in 
paragraph (b) of this section. This part:
    (1) Requires a financial institution to provide notice to consumers 
about its privacy policies and practices;
    (2) Describes the conditions under which a financial institution 
may disclose nonpublic personal information about consumers to 
nonaffiliated third parties; and
    (3) Provides a method for consumers to prevent a financial 
institution from disclosing that information to certain nonaffiliated 
third parties by ``opting out'' of that disclosure, subject to the 
exceptions in Secs. 332.9, 332.10, and 332.11.

[[Page 8803]]

    (b) Scope. The rules established by this part apply only to 
nonpublic personal information about individuals who obtain financial 
products or services for personal, family or household purposes from 
the institutions listed in this paragraph (b). This part does not apply 
to information about companies or about individuals who obtain 
financial products or services for business purposes. This part applies 
to entities for which the Federal Deposit Insurance Corporation has 
primary supervisory authority. They are referred to in this part as 
``you.'' These are banks insured by the Federal Deposit Insurance 
Corporation (other than members of the Federal Reserve System), insured 
state branches of foreign banks, and any subsidiaries of such entities, 
except a broker or dealer that is registered under the Securities 
Exchange Act of 1934, a registered investment adviser (with respect to 
the investment advisory activities of the adviser and activities 
incidental to those investment advisory activities), an investment 
company registered under the Investment Company Act of 1940, an 
insurance company that is subject to supervision by a State insurance 
regulator (with respect to insurance activities of the company and 
activities incidental to those insurance activities), and an entity 
that is subject to regulation by the Commodity Futures Trading 
Commission.


Sec. 332.2  Rule of construction.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part.


Sec. 332.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Affiliate means any company that controls, is controlled by, or 
is under common control with another company.
    (b)(1) Clear and conspicuous means that a notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information contained in the notice.
    (2) Examples. (i) You make your notice reasonably understandable 
if, to the extent applicable, you:
    (A) Present the information contained in the notice in clear, 
concise sentences, paragraphs and sections;
    (B) Use short explanatory sentences and bullet lists, whenever 
possible;
    (C) Use definite, concrete, everyday words and active voice, 
whenever possible;
    (D) Avoid multiple negatives;
    (E) Avoid legal and highly technical business terminology; and
    (F) Avoid boilerplate explanations that are imprecise and readily 
subject to different interpretations.
    (ii) You design your notice to call attention to the nature and 
significance of the information contained in the notice if, to the 
extent applicable, you:
    (A) Use a plain-language heading to call attention to the notice;
    (B) Use a typeface and type size that are easy to read; and
    (C) Provide wide margins and ample line spacing.
    (iii) If you provide a notice on the same form as another notice or 
other document, you design your notice to call attention to the nature 
and significance of the information contained in the notice if you use:
    (A) Larger type size(s), boldface or italics in the text;
    (B) Wider margins and line spacing in the notice; or
    (C) Shading or sidebars to highlight the notice, whenever possible.
    (c) Collect means to obtain information that is organized or 
retrievable on a personally identifiable basis, irrespective of the 
source of the underlying information.
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association or similar 
organization.
    (e) (1) Consumer means an individual who obtains or has obtained a 
financial product or service from you that is to be used primarily for 
personal, family or household purposes, and that individual's legal 
representative.
    (2) Examples. (i) An individual who applies to you for credit for 
personal, family or household purposes is a consumer of a financial 
service, regardless of whether the credit is extended.
    (ii) An individual who provides nonpublic personal information to 
you in order to obtain a determination about whether he or she may 
qualify for a loan to be used primarily for personal, family, or 
household purposes is a consumer of a financial service, regardless of 
whether the loan is extended by you or another financial institution.
    (iii) An individual who provides nonpublic personal information to 
you in connection with obtaining or seeking to obtain financial, 
investment or economic advisory services is a consumer regardless of 
whether you establish an ongoing advisory relationship.
    (iv) An individual who negotiates a workout with you for a loan 
that you own is a consumer regardless of whether you originally 
extended the loan to the individual.
    (v) An individual who has a loan from you is your consumer even if 
you:
    (A) Hire an agent to collect on the loan;
    (B) Sell the rights to service the loan; or
    (C) Bought the loan from the financial institution that originated 
the loan.
    (vi) An individual is not your consumer solely because you process 
information about the individual on behalf of a financial institution 
that extended the loan to the individual.
    (f) Consumer reporting agency has the same meaning as in section 
603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
    (g) Control of a company means:
    (1) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of the company, 
directly or indirectly, or acting through one or more other persons;
    (2) Control in any manner over the election of a majority of the 
directors, trustees or general partners (or individuals exercising 
similar functions) of the company; or
    (3) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of the company, as determined 
by the FDIC.
    (h) Customer means a consumer who has a customer relationship with 
you.
    (i) (1) Customer relationship means a continuing relationship 
between a consumer and you under which you provide one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family, or household purposes.
    (2) Examples. (i) A consumer has a continuing relationship with you 
if the consumer:
    (A) Has a deposit, credit, trust or investment account with you;
    (B) Purchases an insurance product from you;
    (C) Holds an investment product through you;
    (D) Enters into an agreement or understanding with you whereby you 
undertake to arrange or broker a home mortgage loan for the consumer;
    (E) Has a loan that you service where you own the servicing rights;
    (F) Enters into a lease of personal property with you; or
    (G) Obtains financial, investment or economic advisory services 
from you for a fee.
    (ii) A consumer does not, however, have a continuing relationship 
with you if:
    (A) The consumer only obtains a financial product or service in an

[[Page 8804]]

isolated transaction, such as withdrawing cash from your ATM or 
purchasing a cashier's check or money order;
    (B) You sell the consumer's loan and do not retain the rights to 
service that loan; or
    (C) You sell the consumer airline tickets, travel insurance or 
traveler's checks in an isolated transaction.
    (j) (1) Financial institution means any institution the business of 
which is engaging in activities that are financial in nature or 
incidental to such financial activities as described in section 4(k) of 
the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).
    (2) Financial institution does not include:
    (i) Any person or entity with respect to any financial activity 
that is subject to the jurisdiction of the Commodity Futures Trading 
Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
    (ii) The Federal Agricultural Mortgage Corporation or any entity 
chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 
2001 et seq.); or
    (iii) Institutions chartered by Congress specifically to engage in 
securitizations, secondary market sales (including sales of servicing 
rights) or similar transactions related to a transaction of a consumer, 
as long as such institutions do not sell or transfer nonpublic personal 
information to a nonaffiliated third party.
    (k) (1) Financial product or service means any product or service 
that a financial holding company could offer by engaging in an activity 
that is financial in nature or incidental to such a financial activity 
under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 
1843(k)).
    (2) Financial service includes your evaluation, brokerage or 
distribution of information that you collect in connection with a 
request or an application from a consumer for a financial product or 
service.
    (l) Government regulator means:
    (1) The Board of Governors of the Federal Reserve System;
    (2) The Office of the Comptroller of the Currency;
    (3) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (4) The Director of the Office of Thrift Supervision;
    (5) The National Credit Union Administration Board;
    (6) The Securities and Exchange Commission;
    (7) The Secretary of the Treasury, with respect to 31 U.S.C. 
Chapter 53, Subchapter II (Records and Reports on Monetary Instruments 
and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping);
    (8) A State insurance authority, with respect to any person 
domiciled in that insurance authority's State that is engaged in 
providing insurance; and
    (9) The Federal Trade Commission.
    (m) (1) Nonaffiliated third party means any person except:
    (i) Your affiliate; or
    (ii) A person employed jointly by you and any company that is not 
your affiliate (but nonaffiliated third party includes the other 
company that jointly employs the person).
    (2) Nonaffiliated third party includes any company that is an 
affiliate by virtue of the direct or indirect ownership or control of 
the company by the financial institution or any affiliate of the 
financial institution in conducting merchant banking or investment 
banking activities of the type described in section 4(k)(4)(H) or 
insurance company investment activities of the type described in 
section 4(k)(4)(I) of the Bank Holding Company Act (12 U.S.C. 
1843(k)(4)(H) and (I)).

Alternative A

    (n) (1) Nonpublic personal information means:
    (i) Personally identifiable financial information; and
    (ii) Any list, description or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
using any personally identifiable financial information.
    (2) Nonpublic personal information does not include any list, 
description, or other grouping of consumers (and publicly available 
information pertaining to them) that is derived without using any 
personally identifiable financial information.
    (3) Example. Nonpublic personal information includes any list of 
individuals' street addresses and telephone numbers that is derived 
using any information consumers provide to you on an application for a 
financial product or service.
    (o) (1) Personally identifiable financial information means any 
information:
    (i) Provided by a consumer to you to obtain a financial product or 
service from you;
    (ii) Resulting from any transaction involving a financial product 
or service between you and a consumer; or
    (iii) You otherwise obtain about a consumer in connection with 
providing a financial product or service to that consumer, other than 
publicly available information.
    (2) Examples. (i) Personally identifiable financial information 
includes:
    (A) Information a consumer provides to you on an application to 
obtain a loan, credit card, insurance or other financial product or 
service, including, among other things, medical information;
    (B) Account balance information, payment history, overdraft 
history, and credit or debit card purchase information;
    (C) The fact that an individual is or has been one of your 
customers or has obtained a financial product or service from you, 
unless that fact is derived using only publicly available information, 
such as government real estate records or bankruptcy records;
    (D) Other information about your consumer if it is disclosed in a 
manner that indicates the individual is or has been your consumer;
    (E) Any information provided by a consumer or otherwise obtained by 
you or your agent in connection with collecting on a loan or servicing 
a loan; and
    (F) Information from a consumer report.
    (ii) Personally identifiable financial information does not include 
a list of names and addresses of customers of an entity that is not a 
financial institution.
    (p) (1) Publicly available information means any information that 
is lawfully made available to the general public that is obtained from:
    (i) Federal, State, or local government records;
    (ii) Widely distributed media; or
    (iii) Disclosures to the general public that are required to be 
made by Federal, State, or local law.
    (2) Examples--(i) Government records. Publicly available 
information contained in government records includes information 
contained in government real estate records and security interest 
filings.
    (ii) Widely distributed media. Publicly available information from 
widely distributed media includes information from a telephone book, a 
television or radio program, a newspaper or an Internet site that is 
available to the general public without requiring a password or similar 
restriction.

Alternative B

    (n) (1) Nonpublic personal information means:
    (i) Personally identifiable financial information; and
    (ii) Any list, description or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
using any

[[Page 8805]]

personally identifiable financial information.
    (2) Nonpublic personal information does not include:
    (i) Publicly available information, except as provided in paragraph 
(n)(1)(ii) of this section; or
    (ii) Any list, description, or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
without using any personally identifiable financial information.
    (3) Example. Nonpublic personal information includes any list of 
individuals' street addresses and telephone numbers that is derived 
using personally identifiable financial information, such as account 
numbers.
    (o) (1) Personally identifiable financial information means any 
information:
    (i) Provided by a consumer to you to obtain a financial product or 
service from you;
    (ii) About a consumer resulting from any transaction involving a 
financial product or service between you and a consumer; or
    (iii) You otherwise obtain about a consumer in connection with 
providing a financial product or service to that consumer.
    (2) Examples. (i) Personally identifiable financial information 
includes:
    (A) Information a consumer provides to you on an application to 
obtain a loan, credit card, insurance or other financial product or 
service, including, among other things, medical information;
    (B) Account balance information, payment history, overdraft 
history, and credit or debit card purchase information;
    (C) The fact that an individual is or has been one of your 
customers or has obtained a financial product or service from you, 
unless that fact is derived using only publicly available information, 
such as government real estate records or bankruptcy records;
    (D) Other information about your consumer if it is disclosed in a 
manner that indicates the individual is or has been your consumer;
    (E) Any information provided by a consumer or otherwise obtained by 
you or your agent in connection with collecting on a loan or servicing 
a loan; and
    (F) Information from a consumer report.
    (ii) Personally identifiable financial information does not include 
a list of names and addresses of customers of an entity that is not a 
financial institution.
    (p)(1) Publicly available information means any information that is 
lawfully made available to the general public from:
    (i) Federal, State, or local government records;
    (ii) Widely distributed media; or
    (iii) Disclosures to the general public that are required to be 
made by Federal, State, or local law.
    (2) Examples--(i) Government records. Publicly available 
information contained in government records includes information 
contained in government real estate records and security interest 
filings.
    (ii) Widely distributed media. Publicly available information from 
widely distributed media includes information from a telephone book, a 
television or radio program, a newspaper or an Internet site that is 
available to the general public without requiring a password or similar 
restriction.
    (q) You means a bank insured by the Federal Deposit Insurance 
Corporation (other than a member of the Federal Reserve System), an 
insured state branch of a foreign bank, and any subsidiary of either 
such entity except:
    (1) A broker, as defined in 15 U.S.C. 78c(a)(4);
    (2) A dealer, as defined in 15 U.S.C. 78c(a)(5);
    (3) A person, to the extent that person is engaged in the business 
of insurance in a State as principal or agent and required to be 
licensed by the appropriate State insurance authority;
    (4) An investment company, as defined in 15 U.S.C. 80a-3(a)(1); or
    (5) An investment adviser, as defined in 15 U.S.C. 80b-2(a)(20).


Sec. 332.4  Initial notice to consumers of privacy policies and 
practices required.

    (a) When initial notice is required. You must provide a clear and 
conspicuous notice that accurately reflects your privacy policies and 
practices to:
    (1) An individual who becomes your customer, prior to the time that 
you establish a customer relationship, except as provided in paragraph 
(d)(2) of this section; and
    (2) A consumer, prior to the time that you disclose any nonpublic 
personal information about the consumer to any nonaffiliated third 
party, if you make such a disclosure other than as authorized by 
Secs. 332.10 and 332.11.
    (b) When initial notice to a consumer is not required. You are not 
required to provide an initial notice to a consumer under paragraph 
(a)(1) of this section if:
    (1) You do not disclose any nonpublic personal information about 
the consumer to any nonaffiliated third party, other than as authorized 
by Secs. 332.10 and 332.11; and
    (2) You do not have a customer relationship with the consumer.
    (c) When you establish a customer relationship--(1) General rule. 
You establish a customer relationship at the time you and the consumer 
enter into a continuing relationship.
    (2) Examples. You establish a customer relationship when the 
consumer:
    (i) Opens a credit card account with you;
    (ii) Executes the contract to open a deposit account with you, 
obtains credit from you, or purchases insurance from you;
    (iii) Agrees to obtain financial, economic or investment advisory 
services from you for a fee; or
    (iv) Becomes your client for the purpose of your providing credit 
counseling or tax preparation services.
    (d) How to provide notice--(1) General rule. You must provide the 
privacy notice required by paragraph (a) of this section so that each 
consumer can reasonably be expected to receive actual notice in writing 
or, if the consumer agrees, in electronic form.
    (2) Exceptions to allow subsequent delivery of notice. You may 
provide the initial notice required by paragraph (a)(1) of this section 
within a reasonable time after you establish a customer relationship 
if:
    (i) You purchase a loan or assume a deposit liability from another 
financial institution and the customer of that loan or deposit account 
does not have a choice about your purchase or assumption; or
    (ii) You and the consumer orally agree to enter into a customer 
relationship and the consumer agrees to receive the notice thereafter.
    (3) Oral description of notice insufficient. You may not provide 
the initial notice required by paragraph (a) of this section solely by 
orally explaining, either in person or over the telephone, your privacy 
policies and practices.
    (4) Retention or accessibility of initial notice for customers. For 
customers only, you must provide the initial notice required by 
paragraph (a)(1) of this section so that it can be retained or obtained 
at a later time by the customer, in a written form or, if the customer 
agrees, in electronic form.
    (5) Examples. (i) You may reasonably expect that a consumer will 
receive actual notice of your privacy policies and practices if you:
    (A) Hand-deliver a printed copy of the notice to the consumer;
    (B) Mail a printed copy of the notice to the last known address of 
the consumer;

[[Page 8806]]

    (C) For the consumer who conducts transactions electronically, post 
the notice on the electronic site and require the consumer to 
acknowledge receipt of the notice as a necessary step to obtaining a 
particular financial product or service;
    (D) For an isolated transaction with the consumer, such as an ATM 
transaction, post the notice on the ATM screen and require the consumer 
to acknowledge receipt of the notice as a necessary step to obtaining 
the particular financial product or service.
    (ii) You may not, however, reasonably expect that a consumer will 
receive actual notice of your privacy policies and practices if you:
    (A) Only post a sign in your branch or office or generally publish 
advertisements of your privacy policies and practices; or
    (B) Send the notice via electronic mail to a consumer who obtains a 
financial product or service from you in person or through the mail and 
who does not agree to receive the notice electronically.
    (iii) You provide the initial privacy notice to the customer so 
that it can be retained or obtained at a later time if you:
    (A) Hand-deliver a printed copy of the notice to the customer;
    (B) Mail a printed copy of the notice to the last known address of 
the customer upon request of the customer; or
    (C) Maintain the notice on a web site (or a link to another web 
site) for the customer who obtains a financial product or service 
electronically and who agrees to receive the notice electronically.


Sec. 332.5  Annual notice to customers required.

    (a) General rule. You must provide a clear and conspicuous notice 
to customers that accurately reflects your privacy policies and 
practices not less than annually during the continuation of the 
customer relationship. Annually means at least once in any period of 12 
consecutive months during which that relationship exists.
    (b) How to provide notice. You must provide the annual notice 
required by paragraph (a) of this section to a customer using a means 
permitted for providing the initial notice to that customer under 
Sec. 332.4(d).
    (c)(1) Termination of customer relationship. You are not required 
to provide an annual notice to a customer with whom you no longer have 
a continuing relationship.
    (2) Examples. You no longer have a continuing relationship with an 
individual if:
    (i) In the case of a deposit account, the account is dormant under 
your policies;
    (ii) In the case of a closed-end loan, the consumer pays the loan 
in full, you charge off the loan, or you sell the loan without 
retaining servicing rights;
    (iii) In the case of a credit card relationship or other open-end 
credit relationship, you no longer provide any statements or notices to 
the consumer concerning that relationship or you sell the credit card 
receivables without retaining servicing rights; or
    (iv) For other types of relationships, you have not communicated 
with the consumer about the relationship for a period of 12 consecutive 
months, other than to provide annual notices of privacy policies and 
practices.


Sec. 332.6  Information to be included in initial and annual notices of 
privacy policies and practices.

    (a) General rule. The initial and annual notices that you provide 
about your privacy policies and practices under Secs. 332.4 and 332.5 
must include each of the following items of information:
    (1) The categories of nonpublic personal information about your 
consumers that you collect;
    (2) The categories of nonpublic personal information about your 
consumers that you disclose;
    (3) The categories of affiliates and nonaffiliated third parties to 
whom you disclose nonpublic personal information about your consumers, 
other than those parties to whom you disclose information under 
Secs. 332.10 and 332.11;
    (4) The categories of nonpublic personal information about your 
former customers that you disclose and the categories of affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information about your former customers, other than those parties to 
whom you disclose information under Secs. 332.10 and 332.11;
    (5) If you disclose nonpublic personal information to a 
nonaffiliated third party under Sec. 332.9 (and no other exception 
applies to that disclosure), a separate description of the categories 
of information you disclose and the categories of third parties with 
whom you have contracted;
    (6) An explanation of the right under Sec. 332.8(a) of the consumer 
to opt out of the disclosure of nonpublic personal information to 
nonaffiliated third parties, including the methods by which the 
consumer may exercise that right;
    (7) Any disclosures that you make under section 603(d)(2)(A)(iii) 
of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that 
is, notices regarding the ability to opt out of disclosures of 
information among affiliates); and
    (8) Your policies and practices with respect to protecting the 
confidentiality, security, and integrity of nonpublic personal 
information.
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information about a 
consumer to third parties as authorized under Secs. 332.10 and 332.11, 
you are not required to list those exceptions in the initial or annual 
privacy notices required by Secs. 332.4 and 332.5. When describing the 
categories with respect to those parties, you are only required to 
state that you make disclosures to other nonaffiliated third parties as 
permitted by law.
    (c) Future disclosures. Your notice may include:
    (1) Categories of nonpublic personal information that you reserve 
the right to disclose in the future, but do not currently disclose; and
    (2) Categories of affiliates or nonaffiliated third parties to whom 
you reserve the right in the future to disclose, but to whom you do not 
currently disclose, nonpublic personal information.
    (d) Examples--(1) Categories of nonpublic personal information that 
you collect. You adequately categorize the nonpublic personal 
information you collect if you categorize the information according to 
the source of the information, such as application information, 
information about transactions (such as information regarding a 
deposit, loan, or credit card account), and consumer reports.
    (2) Categories of nonpublic personal information you disclose. You 
adequately categorize nonpublic personal information you disclose if 
you categorize the information according to source, and provide 
illustrative examples of the content of the information. These might 
include application information, such as assets and income; identifying 
information, such as name, address, and social security number; and 
transaction information, such as information about account balance, 
payment history, parties to the transaction, and credit card usage; and 
information from consumer reports, such as a consumer's 
creditworthiness and credit history. You do not adequately categorize 
the information that you disclose if you use only general terms, such 
as transaction information about the consumer.
    (3) Categories of affiliates and nonaffiliated third parties to 
whom you disclose. You adequately categorize the affiliates and 
nonaffiliated third parties to whom you disclose nonpublic

[[Page 8807]]

personal information about consumers if you identify the types of 
businesses that they engage in. Types of businesses may be described by 
general terms only if you use illustrative examples of significant 
lines of business. For example, you may use the term ``financial 
products or services'' if you include appropriate examples of 
significant lines of businesses, such as consumer banking, mortgage 
lending, life insurance, or securities brokerage. You also may 
categorize the affiliates and nonaffiliated third parties to whom you 
disclose nonpublic personal information about consumers using more 
detailed categories.
    (4) Simplified notices. If you do not disclose, and do not intend 
to disclose, nonpublic personal information to affiliates or 
nonaffiliated third parties, you may simply state that fact, in 
addition to the information you must provide under paragraphs (a)(1), 
(a)(8), and (b) of this section.
    (5) Confidentiality, security, and integrity. You adequately 
describe your policies and practices with respect to protecting the 
confidentiality and security of nonpublic personal information if you 
explain who has access to the information and the circumstances under 
which the information may be accessed. You adequately describe your 
policies and practices with respect to protecting the integrity of 
nonpublic personal information if you explain measures you take to 
protect against reasonably anticipated threats or hazards. You are not 
required to describe technical information about the safeguards you 
use.


Sec. 332.7  Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.

    (a) (1) Conditions for disclosure. Except as otherwise authorized 
in this part, you may not, directly or through any affiliate, disclose 
any nonpublic personal information about a consumer to a nonaffiliated 
third party unless:
    (i) You have provided to the consumer an initial notice as required 
under Sec. 332.4;
    (ii) You have provided to the consumer an opt out notice as 
required in Sec. 332.8;
    (iii) You have given the consumer a reasonable opportunity, before 
the time that you disclose the information to the nonaffiliated third 
party, to opt out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) Opt out definition. Opt out means a direction by the consumer 
that you not disclose nonpublic personal information about that 
consumer to a nonaffiliated third party, other than as permitted by 
Secs. 332.9, 332.10, and 332.11.
    (3) Examples of reasonable opportunity to opt out--(i) By mail. You 
provide a consumer with whom you have a customer relationship with a 
reasonable opportunity to opt out if you mail the notices required in 
paragraph (a)(1) of this section to the consumer and allow the consumer 
a reasonable period of time, such as 30 days, to opt out.
    (ii) Isolated transaction with a consumer. For an isolated 
transaction, such as the purchase of a cashier's check by a consumer, 
you provide a reasonable opportunity to opt out if you provide the 
consumer with the required notices at the time of the transaction and 
request that the consumer decide, as a necessary part of the 
transaction, whether to opt out before completing the transaction.
    (b) Application of opt out to all consumers and all nonpublic 
personal information. (1) You must comply with this section regardless 
of whether you and the consumer have established a customer 
relationship.
    (2) Unless you comply with this section, you may not, directly or 
through any affiliate, disclose any nonpublic personal information 
about a consumer that you have collected, regardless of whether you 
collected the information before or after receiving the direction to 
opt out from the consumer.
    (c) Partial opt out. You may allow a consumer to select certain 
nonpublic personal information or certain nonaffiliated third parties 
with respect to which the consumer wishes to opt out.


Sec. 332.8  Form and method of providing opt out notice to consumers.

    (a) (1) Form of opt out notice. You must provide a clear and 
conspicuous notice to each of your consumers that accurately explains 
the right to opt out under Sec. 332.7(a)(1). The notice must state:
    (i) That you disclose or reserve the right to disclose nonpublic 
personal information about your consumer to a nonaffiliated third 
party;
    (ii) That the consumer has the right to opt out of that disclosure; 
and
    (iii) A reasonable means by which the consumer may exercise the opt 
out right.
    (2) Examples. (i) You provide adequate notice that the consumer can 
opt out of the disclosure of nonpublic personal information to a 
nonaffiliated third party if you identify all of the categories of 
nonpublic personal information that you disclose or reserve the right 
to disclose to nonaffiliated third parties as described in Sec. 332.6 
and state that the consumer can opt out of the disclosure of that 
information.
    (ii) You provide a reasonable means to exercise an opt out right if 
you:
    (A) Designate check-off boxes in a prominent position on the 
relevant forms with the opt out notice;
    (B) Include a reply form together with the opt out notice; or
    (C) Provide an electronic means to opt out, such as a form that can 
be sent via electronic mail or a process at your web site, if the 
consumer agrees to the electronic delivery of information.
    (iii) You do not provide a reasonable means of opting out if the 
only means of opting out is for the consumer to write his or her own 
letter to exercise that opt out right.
    (b) How to provide opt out notice--(1) Delivery of notice. You must 
provide the opt out notice required by paragraph (a) of this section in 
a manner so that each consumer can reasonably be expected to receive 
actual notice in writing or, if the consumer agrees, in electronic 
form. If you and the consumer orally agree to enter into a customer 
relationship, you may provide the opt out notice required by paragraph 
(a) of this section within a reasonable time thereafter if the consumer 
agrees.
    (2) Oral description of opt out right insufficient. You may not 
provide the opt out notice solely by orally explaining, either in 
person or over the telephone, the right of the consumer to opt out.
    (3) Same form as initial notice permitted. You may provide the opt 
out notice together with or on the same written or electronic form as 
the initial notice you provide in accordance with Sec. 332.4.
    (4) Initial notice required when opt out notice delivered 
subsequent to initial notice. If you provide the opt out notice at a 
later time than required for the initial notice in accordance with 
Sec. 332.4, you must also include a copy of the initial notice in 
writing or, if the consumer agrees, in an electronic form with the opt 
out notice.
    (c) Notice of change in terms--(1) General rule. Except as 
otherwise authorized in this part, you must not, directly or through 
any affiliate, disclose any nonpublic personal information about a 
consumer to a nonaffiliated third party other than as described in the 
initial notice that you provided to the consumer under Sec. 332.4, 
unless:
    (i) You have provided to the consumer a revised notice that 
accurately describes your policies and practices;
    (ii) You have provided to the consumer a new opt out notice;

[[Page 8808]]

    (iii) You have given the consumer a reasonable opportunity, before 
the time that you disclose the information to the nonaffiliated third 
party, to opt out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) How to provide notice of change in terms. You must provide the 
revised notice of your policies and practices and opt out notice to a 
consumer using the means permitted for providing the initial notice and 
opt out notice to that consumer under Sec. 332.4(d) and paragraph (b) 
of this section, respectively.
    (3) Examples. (i) Except as otherwise permitted by Secs. 332.9, 
332.10, and 332.11, a change-in-terms notice is required if you:
    (A) Disclose a new category of nonpublic personal information to 
any nonaffiliated third party; or
    (B) Disclose nonpublic personal information to a new category of 
nonaffiliated third party.
    (ii) A change-in-terms notice is not required if you disclose 
nonpublic personal information to a new nonaffiliated third party that 
is adequately described by your prior notice.
    (d) Continuing right to opt out. A consumer may exercise the right 
to opt out at any time, and upon receiving the opt out direction you 
must comply with that direction as soon as reasonably practicable.
    (e) Duration of consumer's opt out direction. A consumer's 
direction to opt out under this section is effective until revoked by 
the consumer in writing, or if the consumer agrees, in electronic form.


Sec. 332.9  Exception to opt out requirements for service providers and 
joint marketing.

    (a) General rule. The opt out requirements in Secs. 332.7 and 332.8 
do not apply when you provide nonpublic personal information about a 
consumer to a nonaffiliated third party to perform services for you or 
functions on your behalf, if you:
    (1) Provide the initial notice in accordance with Sec. 332.4; and
    (2) Enter into a contractual agreement with the third party that:
    (i) Requires the third party to maintain the confidentiality of the 
information to at least the same extent that you must maintain that 
confidentiality under this part; and
    (ii) Limits the third party's use of information you disclose 
solely to the purposes for which the information is disclosed or as 
otherwise permitted by Secs. 332.10 and 332.11 of this part.
    (b) Service may include joint marketing. The services performed for 
you by a nonaffiliated third party under paragraph (a) of this section 
may include marketing of your own products or services or marketing of 
financial products or services offered pursuant to joint agreements 
between you and one or more financial institutions.
    (c) Definition of joint agreement. For purposes of this section, 
joint agreement means a written contract pursuant to which you and one 
or more financial institutions jointly offer, endorse, or sponsor a 
financial product or service.


Sec. 332.10  Exceptions to notice and opt out requirements for 
processing and servicing transactions.

    (a) Exceptions for processing transactions at consumer's request. 
The requirements for initial notice in Sec. 332.4(a)(2), the opt out in 
Secs. 332.7 and 332.8 and service providers and joint marketing in 
Sec. 332.9 do not apply if you disclose nonpublic personal information:
    (1) As necessary to effect, administer, or enforce a transaction 
requested or authorized by the consumer;
    (2) To service or process a financial product or service requested 
or authorized by the consumer;
    (3) To maintain or service the consumer's account with you, or with 
another entity as part of a private label credit card program or other 
extension of credit on behalf of such entity; or
    (4) In connection with a proposed or actual securitization, 
secondary market sale (including sales of servicing rights) or similar 
transaction related to a transaction of the consumer.
    (b) Necessary to effect, administer, or enforce a transaction means 
that the disclosure is:
    (1) Required, or is one of the lawful or appropriate methods, to 
enforce your rights or the rights of other persons engaged in carrying 
out the financial transaction or providing the product or service; or
    (2) Required, or is a usual, appropriate, or acceptable method:
    (i) To carry out the transaction or the product or service business 
of which the transaction is a part, and record, service or maintain the 
consumer's account in the ordinary course of providing the financial 
service or financial product;
    (ii) To administer or service benefits or claims relating to the 
transaction or the product or service business of which it is a part;
    (iii) To provide a confirmation, statement or other record of the 
transaction, or information on the status or value of the financial 
service or financial product to the consumer or the consumer's agent or 
broker;
    (iv) To accrue or recognize incentives or bonuses associated with 
the transaction that are provided by you or any other party;
    (v) To underwrite insurance at the consumer's request or for 
reinsurance purposes, or for any of the following purposes as they 
relate to a consumer's insurance: account administration, reporting, 
investigating, or preventing fraud or material misrepresentation, 
processing premium payments, processing insurance claims, administering 
insurance benefits (including utilization review activities), 
participating in research projects, or as otherwise required or 
specifically permitted by Federal or State law;
    (vi) In connection with settling a transaction, including:
    (A) The authorization, billing, processing, clearing, transferring, 
reconciling or collection of amounts charged, debited, or otherwise 
paid using a debit, credit or other payment card, check or account 
number, or by other payment means;
    (B) The transfer of receivables, accounts, or interests therein; or
    (C) The audit of debit, credit, or other payment information.


Sec. 332.11  Other exceptions to notice and opt out requirements.

    (a) Exceptions to opt out requirements. The requirements for 
initial notice to consumers in Sec. 332.4(a)(2), the opt out in 
Secs. 332.7 and 332.8 and service providers and joint marketing in 
Sec. 332.9 do not apply when you disclose nonpublic personal 
information:
    (1) With the consent or at the direction of the consumer, provided 
that the consumer has not revoked the consent or direction;
    (2) (i) To protect the confidentiality or security of your records 
pertaining to the consumer, service, product, or transaction;
    (ii) To protect against or prevent actual or potential fraud, 
unauthorized transactions, claims, or other liability;
    (iii) For required institutional risk control or for resolving 
consumer disputes or inquiries;
    (iv) To persons holding a legal or beneficial interest relating to 
the consumer; or
    (v) To persons acting in a fiduciary or representative capacity on 
behalf of the consumer;
    (3) To provide information to insurance rate advisory 
organizations, guaranty funds or agencies, agencies that are rating 
you, persons that are assessing your compliance with industry 
standards, and your attorneys, accountants, and auditors;
    (4) To the extent specifically permitted or required under other

[[Page 8809]]

provisions of law and in accordance with the Right to Financial Privacy 
Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies 
(including government regulators), self-regulatory organizations, or 
for an investigation on a matter related to public safety;
    (5) (i) To a consumer reporting agency in accordance with the Fair 
Credit Reporting Act (15 U.S.C. 1681 et seq.); or
    (ii) From a consumer report reported by a consumer reporting 
agency;
    (6) In connection with a proposed or actual sale, merger, transfer, 
or exchange of all or a portion of a business or operating unit if the 
disclosure of nonpublic personal information concerns solely consumers 
of such business or unit; or
    (7) (i) To comply with Federal, State, or local laws, rules and 
other applicable legal requirements;
    (ii) To comply with a properly authorized civil, criminal or 
regulatory investigation, or subpoena or summons by Federal, State, or 
local authorities; or
    (iii) To respond to judicial process or government regulatory 
authorities having jurisdiction over you for examination, compliance or 
other purposes as authorized by law.
    (b) Examples of consent and revocation of consent. (1) A consumer 
may specifically consent to your disclosure to a nonaffiliated 
insurance company of the fact that the consumer has applied to you for 
a mortgage so that the insurance company can offer homeowner's 
insurance to the consumer.
    (2) A consumer may revoke consent by subsequently exercising the 
right to opt out of future disclosures of nonpublic personal 
information as permitted under Sec. 332.8(d).


Sec. 332.12  Limits on redisclosure and reuse of information.

    (a) Limits on your redisclosure and reuse. (1) Except as otherwise 
provided in this part, if you receive nonpublic personal information 
about a consumer from a nonaffiliated financial institution, you must 
not, directly or through an affiliate, disclose the information to any 
other person that is not affiliated with either you or the other 
financial institution, unless the disclosure would be lawful if the 
financial institution made it directly to such other person.
    (2) You may use nonpublic personal information about a consumer 
that you receive from a nonaffiliated financial institution in 
accordance with an exception under Secs. 332.9, 332.10, or 332.11 only 
for the purpose of that exception.
    (b) Limits on redisclosure and the reuse by other persons. (1) 
Except as otherwise provided in this part, if you disclose nonpublic 
personal information about a consumer to a nonaffiliated third party, 
that party must not, directly or through an affiliate, disclose the 
information to any other person that is a nonaffiliated third party of 
both you and that party, unless the disclosure would be lawful if you 
made it directly to such other person.
    (2) A nonaffiliated third party may use nonpublic personal 
information about a consumer that it receives from you in accordance 
with an exception under Secs. 332.9, 332.10, or 332.11 only for the 
purpose of that exception.


Sec. 332.13  Limits on sharing of account number information for 
marketing purposes.

    You must not, directly or through an affiliate, disclose, other 
than to a consumer reporting agency, an account number or similar form 
of access number or access code for a credit card account, deposit 
account or transaction account of a consumer to any nonaffiliated third 
party for use in telemarketing, direct mail marketing or other 
marketing through electronic mail to the consumer.


Sec. 32.14  Protection of Fair Credit Reporting Act.

    Nothing in this part shall be construed to modify, limit, or 
supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 
1681 et seq.), and no inference shall be drawn on the basis of the 
provisions of this part regarding whether information is transaction or 
experience information under section 603 of that Act.


Sec. 332.15  Relation to State laws.

    (a) In general. This part shall not be construed as superseding, 
altering, or affecting any statute, regulation, order or interpretation 
in effect in any State, except to the extent that such State statute, 
regulation, order or interpretation is inconsistent with the provisions 
of this part, and then only to the extent of the inconsistency.
    (b) Greater protection under State law. For purposes of this 
section, a State statute, regulation, order or interpretation is not 
inconsistent with the provisions of this part if the protection such 
statute, regulation, order or interpretation affords any consumer is 
greater than the protection provided under this part, as determined by 
the Federal Trade Commission, after consultation with the FDIC, on the 
Federal Trade Commission's own motion or upon the petition of any 
interested party.


Sec. 332.16  Effective date; transition rule.

    (a) Effective date. This part is effective November 13, 2000.
    (b) Notice requirement for consumers who were customers on the 
effective date. No later than 30 days after the effective date of this 
part, you must provide an initial notice, as required by Sec. 332.4, to 
consumers who were your customers on the effective date of this part.

    By order of the Board of Directors.

Federal Deposit Insurance Corporation.

    Dated at Washington, DC, this 9th day of February, 2000.

Robert E. Feldman,
Executive Secretary.

OFFICE OF THRIFT SUPERVISION

12 CFR Chapter V

Authority and Issuance

    For the reasons set out in the joint preamble, OTS proposes to 
amend Chapter V of Title 12 of the Code of Federal regulations by 
adding part 573 to read as follows:

PART 573--PRIVACY OF CONSUMER FINANCIAL INFORMATION

Sec.
573.1   Purpose and scope.
573.2   Rule of construction.
573.3   Definitions.
573.4   Initial notice to consumers of privacy policies and 
practices required.
573.5   Annual notice to customers required.
573.6   Information to be included in initial and annual notices of 
privacy policies and practices.
573.7   Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.
573.8   Form and method of providing opt out notice to consumers.
573.9   Exception to opt out requirements for service providers and 
joint marketing.
573.10   Exceptions to notice and opt out requirements for 
processing and servicing transactions.
573.11   Other exceptions to notice and opt out requirements.
573.12   Limits on redisclosure and reuse of information.
573.13   Limits on sharing of account number information for 
marketing purposes.
573.14   Protection of Fair Credit Reporting Act.
573.15   Relation to State laws.
573.16   Effective date; transition rule.

    Authority: 12 U.S.C. 1462a, 1463, 1464, 1828; 15 U.S.C. 6801 et 
seq.


Sec. 573.1  Purpose and scope.

    (a) Purpose. This part governs the treatment of nonpublic personal 
information about consumers by the financial institutions listed in 
paragraph (b) of this section. This part:

[[Page 8810]]

    (1) Requires a financial institution to provide notice to consumers 
about its privacy policies and practices;
    (2) Describes the conditions under which a financial institution 
may disclose nonpublic personal information about consumers to 
nonaffiliated third parties; and
    (3) Provides a method for consumers to prevent a financial 
institution from disclosing that information to most nonaffiliated 
third parties by ``opting out'' of that disclosure, subject to the 
exceptions in Secs. 573.9, 573.10, and 573.11.
    (b) Scope. The rules established by this part apply only to 
nonpublic personal information about individuals who obtain financial 
products or services for personal, family or household purposes from 
the institutions listed below. This part does not apply to information 
about companies or about individuals who obtain financial products or 
services for business purposes. This part applies to savings 
associations whose deposits are insured by the Federal Deposit 
Insurance Corporation, and any subsidiaries of such savings 
associations, but not to subsidiaries that are brokers, dealers, 
persons providing insurance, investment companies, or investment 
advisers. This part refers to these entities as ``you.''


Sec. 573.2  Rule of construction.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part.


Sec. 573.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Affiliate means any company that controls, is controlled by, or 
is under common control with another company.
    (b) (1) Clear and conspicuous means that a notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information contained in the notice.
    (2) Examples. (i) You make your notice reasonably understandable 
if, to the extent applicable, you:
    (A) Present the information contained in the notice in clear, 
concise sentences, paragraphs and sections;
    (B) Use short explanatory sentences and bullet lists, whenever 
possible;
    (C) Use definite, concrete, everyday words and active voice, 
whenever possible;
    (D) Avoid multiple negatives;
    (E) Avoid legal and highly technical business terminology; and
    (F) Avoid boilerplate explanations that are imprecise and readily 
subject to different interpretations.
    (ii) You design your notice to call attention to the nature and 
significance of the information contained in it if, to the extent 
applicable, you:
    (A) Use a plain-language heading to call attention to the notice;
    (B) Use a typeface and type size that are easy to read; and
    (C) Provide wide margins and ample line spacing.
    (iii) If you provide a notice on the same form as another notice or 
other document, you design your notice to call attention to the nature 
and significance of the information contained in the notice if you use:
    (A) Larger type size(s), boldface or italics in the text;
    (B) Wider margins and line spacing in the notice; or
    (C) Shading or sidebars to highlight the notice, whenever possible.
    (c) Collect means to obtain information that is organized or 
retrievable on a personally identifiable basis, irrespective of the 
source of the underlying information.
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association or similar 
organization.
    (e) (1) Consumer means an individual who obtains or has obtained a 
financial product or service from you that is to be used primarily for 
personal, family or household purposes, and that individual's legal 
representative.
    (2) Examples. (i) An individual who applies to you for credit for 
personal, family or household purposes is a consumer of a financial 
service, regardless of whether the credit is extended.
    (ii) An individual who provides nonpublic personal information to 
you in order to obtain a determination about whether he or she may 
qualify for a loan to be used primarily for personal, family or 
household purposes is a consumer of a financial service, regardless of 
whether the loan is extended by you or another financial institution.
    (iii) An individual who provides nonpublic personal information to 
you in connection with obtaining or seeking to obtain financial, 
investment or economic advisory services is a consumer regardless of 
whether you establish an ongoing advisory relationship.
    (iv) An individual who negotiates a workout with you for a loan 
that you own is a consumer regardless of whether you originally 
extended the loan to the individual.
    (v) An individual who has a loan from you is your consumer even if 
you:
    (A) Hire an agent to collect on the loan;
    (B) Sell the rights to service the loan; or
    (C) Bought the loan from the financial institution that originated 
the loan.
    (vi) An individual is not your consumer solely because you process 
information about the individual on behalf of a financial institution 
that extended the loan to the individual.
    (f) Consumer reporting agency has the same meaning as in section 
603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
    (g) Control of a company means:
    (1) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of the company, 
directly or indirectly, or acting through one or more other persons;
    (2) Control in any manner over the election of a majority of the 
directors, trustees or general partners (or individuals exercising 
similar functions) of the company; or
    (3) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of the company, as determined 
by OTS.
    (h) Customer means a consumer who has a customer relationship with 
you.
    (i) (1) Customer relationship means a continuing relationship 
between a consumer and you under which you provide one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family, or household purposes.
    (2) Examples. (i) A consumer has a continuing relationship with you 
if the consumer:
    (A) Has a deposit, credit, trust, or investment account with you;
    (B) Purchases an insurance product from you;
    (C) Holds an investment product through you;
    (D) Enters into an agreement or understanding with you whereby you 
undertake to arrange or broker a home mortgage loan for the consumer;
    (E) Has a loan that you service where you own the servicing rights;
    (F) Enters into a lease of personal property with you; or
    (G) Obtains financial, investment or economic advisory services 
from you for a fee.
    (ii) A consumer does not, however, have a continuing relationship 
with you if:
    (A) The consumer only obtains a financial product or service in an 
isolated transaction, such as withdrawing cash from your ATM or 
purchasing a cashier's check or money order;

[[Page 8811]]

    (B) You sell the consumer's loan and do not retain the rights to 
service that loan; or
    (C) You sell the consumer travel insurance or traveler's checks in 
an isolated transaction.
    (j) (1) Financial institution means any institution the business of 
which is engaging in activities that are financial in nature or 
incidental to such financial activities as described in section 4(k) of 
the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).
    (2) Financial institution does not include:
    (i) Any person or entity with respect to any financial activity 
that is subject to the jurisdiction of the Commodity Futures Trading 
Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
    (ii) The Federal Agricultural Mortgage Corporation or any entity 
chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 
2001 et seq.); or
    (iii) Institutions chartered by Congress specifically to engage in 
securitizations, secondary market sales (including sales of servicing 
rights), or similar transactions related to a transaction of a 
consumer, as long as such institutions do not sell or transfer 
nonpublic personal information to a nonaffiliated third party.
    (k) (1) Financial product or service means any product or service 
that a financial holding company could offer by engaging in an activity 
that is financial in nature or incidental to such a financial activity 
under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 
1843(k)).
    (2) Financial service includes your evaluation, brokerage or 
distribution of information that you collect in connection with a 
request or an application from a consumer for a financial product or 
service.
    (l) Government regulator means:
    (1) The Board of Governors of the Federal Reserve System;
    (2) The Office of the Comptroller of the Currency;
    (3) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (4) The Director of the Office of Thrift Supervision;
    (5) The National Credit Union Administration Board;
    (6) The Securities and Exchange Commission;
    (7) The Secretary of the Treasury, with respect to 31 U.S.C. 
Chapter 53, Subchapter II (Records and Reports on Monetary Instruments 
and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping);
    (8) A State insurance authority, with respect to any person 
domiciled in that insurance authority's State that is engaged in 
providing insurance; and
    (9) The Federal Trade Commission.
    (m) (1) Nonaffiliated third party means any person except:
    (i) Your affiliate; or
    (ii) A person employed jointly by you and any company that is not 
your affiliate (but nonaffiliated third party includes the other 
company that jointly employs the person).
    (2) Nonaffiliated third party includes any company that is an 
affiliate by virtue of the direct or indirect ownership or control of 
the company by the financial institution or any affiliate of the 
financial institution in conducting merchant banking or investment 
banking activities of the type described in section 4(k)(4)(H) or 
insurance company investment activities of the type described in 
section 4(k)(4)(I) of the Bank Holding Company Act (12 U.S.C. 
1843(k)(4)(H) and (I).

Alternative A

    (n) (1) Nonpublic personal information means:
    (i) Personally identifiable financial information; and
    (ii) Any list, description or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
using any personally identifiable financial information.
    (2) Nonpublic personal information does not include any list, 
description, or other grouping of consumers (and publicly available 
information pertaining to them) that is derived without using any 
personally identifiable financial information.
    (3) Example. Nonpublic personal information includes any list of 
individuals' street addresses and telephone numbers that is derived 
using any information consumers provide to you on an application for a 
financial product or service.
    (o) (1) Personally identifiable financial information means any 
information:
    (i) Provided by a consumer to you to obtain a financial product or 
service from you;
    (ii) Resulting from any transaction involving a financial product 
or service between you and a consumer; or
    (iii) You otherwise obtain about a consumer in connection with 
providing a financial product or service to that consumer, other than 
publicly available information.
    (2) Examples. (i) Personally identifiable financial information 
includes:
    (A) Information a consumer provides to you on an application to 
obtain a loan, credit card, insurance or other financial product or 
service, including, among other things, medical information;
    (B) Account balance information, payment history, overdraft 
history, and credit or debit card purchase information;
    (C) The fact that an individual is or has been one of your 
customers or has obtained a financial product or service from you, 
unless that fact is derived using only publicly available information, 
such as government real estate records or bankruptcy records;
    (D) Other information about your consumer if it is disclosed in a 
manner that indicates the individual is or has been your consumer;
    (E) Any information provided by a consumer or otherwise obtained by 
you or your agent in connection with collecting on a loan or servicing 
a loan; and
    (F) Information from a consumer report.
    (ii) Personally identifiable financial information does not include 
a list of names and addresses of customers of an entity that is not a 
financial institution.
    (p) (1) Publicly available information means any information that 
is lawfully made available to the general public you obtain from:
    (i) Federal, State or local government records;
    (ii) Widely distributed media; or
    (iii) Disclosures to the general public that are required to be 
made by Federal, State or local law.
    (2) Examples--(i) Government records. Publicly available 
information contained in government records includes information 
contained in government real estate records and security interest 
filings.
    (ii) Widely distributed media. Publicly available information from 
widely distributed media includes information from a telephone book, a 
television or radio program, a newspaper or an Internet site that is 
available to the general public without requiring a password or similar 
restriction.

Alternative B

    (n) (1) Nonpublic personal information means:
    (i) Personally identifiable financial information; and
    (ii) Any list, description, or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
using any personally identifiable financial information.
    (2) Nonpublic personal information does not include:

[[Page 8812]]

    (i) Publicly available information, except as provided in paragraph 
(n)(1)(ii) of this section; or
    (ii) Any list, description, or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
without using any personally identifiable financial information.
    (3) Example. Nonpublic personal information includes any list of 
individuals' street addresses and telephone numbers that is derived 
using personally identifiable financial information, such as account 
numbers.
    (o)(1) Personally identifiable financial information means any 
information:
    (i) Provided by a consumer to you to obtain a financial product or 
service from you;
    (ii) About a consumer resulting from any transaction involving a 
financial product or service between you and a consumer; or
    (iii) You otherwise obtain about a consumer in connection with 
providing a financial product or service to that consumer.
    (2) Examples. (i) Personally identifiable financial information 
includes:
    (A) Information a consumer provides to you on an application to 
obtain a loan, credit card, insurance or other financial product or 
service, including, among other things, medical information;
    (B) Account balance information, payment history, overdraft 
history, and credit or debit card purchase information;
    (C) The fact that an individual is or has been one of your 
customers or has obtained a financial product or service from you, 
unless that fact is derived using only publicly available information, 
such as government real estate records or bankruptcy records;
    (D) Other information about your consumer if it is disclosed in a 
manner that indicates the individual is or has been your consumer;
    (E) Any information provided by a consumer or otherwise obtained by 
you or your agent in connection with collecting on a loan or servicing 
a loan; and
    (F) Information from a consumer report.
    (ii) Personally identifiable financial information does not include 
a list of names and addresses of customers of an entity that is not a 
financial institution.
    (p)(1) Publicly available information means any information that is 
lawfully made available to the general public from:
    (i) Federal, State, or local government records;
    (ii) Widely distributed media; or
    (iii) Disclosures to the general public that are required to be 
made by Federal, State or local law.
    (2) Examples--(i) Government records. Publicly available 
information contained in government records includes information 
contained in government real estate records and security interest 
filings.
    (ii) Widely distributed media. Publicly available information from 
widely distributed media includes information from a telephone book, a 
television or radio program, a newspaper or an Internet site that is 
available to the general public without requiring a password or similar 
restriction.


Sec. 573.4  Initial notice to consumers of privacy policies and 
practices required.

    (a) When initial notice is required. You must provide a clear and 
conspicuous notice that accurately reflects your privacy policies and 
practices to:
    (1) An individual who becomes your customer, prior to the time that 
you establish a customer relationship, except as provided in paragraph 
(d)(2) of this section; and
    (2) A consumer, prior to the time that you disclose any nonpublic 
personal information about the consumer to any nonaffiliated third 
party, if you make such a disclosure other than as authorized by 
Secs. 573.10 and 573.11.
    (b) When initial notice to a consumer is not required. You are not 
required to provide an initial notice to a consumer under paragraph 
(a)(1) of this section if:
    (1) You do not disclose any nonpublic personal information about 
the consumer to any nonaffiliated third party, other than as authorized 
by Secs. 573.10 and 573.11; and
    (2) You do not have a customer relationship with the consumer.
    (c) When you establish a customer relationship--(1) General rule. 
You establish a customer relationship at the time you and the consumer 
enter into a continuing relationship.
    (2) Examples. You establish a customer relationship when the 
consumer:
    (i) Opens a credit card account with you;
    (ii) Executes the contract to open a deposit account with you, 
obtains credit from you, or purchases insurance from you;
    (iii) Agrees to obtain financial, economic, or investment advisory 
services from you for a fee;
    (iv) Becomes your client for the purpose of your providing credit 
counseling or tax preparation services.
    (d) How to provide notice--(1) General rule. You must provide the 
privacy notice required by paragraph (a) of this section so that each 
consumer can reasonably be expected to receive actual notice in writing 
or, if the consumer agrees, in electronic form.
    (2) Exceptions to allow subsequent delivery of notice. You may 
provide the initial notice required by paragraph (a)(1) of this section 
within a reasonable time after you establish a customer relationship 
if:
    (i) You purchase a loan or assume a deposit liability from another 
financial institution and the customer of that loan or deposit account 
does not have a choice about your purchase or assumption; or
    (ii) You and the consumer orally agree to enter into a customer 
relationship and the consumer agrees to receive the notice thereafter.
    (3) Oral description of notice insufficient. You may not provide 
the initial notice required by paragraph (a) of this section solely by 
orally explaining, either in person or over the telephone, your privacy 
policies and practices.
    (4) Retention or accessibility of initial notice for customers. For 
customers only, you must provide the initial notice required by 
paragraph (a)(1) of this section so that it can be retained or obtained 
at a later time by the customer, in a written form or, if the customer 
agrees, in electronic form.
    (5) Examples. (i) You may reasonably expect that a consumer will 
receive actual notice of your privacy policies and practices if you:
    (A) Hand-deliver a printed copy of the notice to the consumer;
    (B) Mail a printed copy of the notice to the last known address of 
the consumer;
    (C) For the consumer who conducts transactions electronically, post 
the notice on the electronic site and require the consumer to 
acknowledge receipt of the notice as a necessary step to obtaining a 
particular financial product or service;
    (D) For an isolated transaction with the consumer, such as an ATM 
transaction, post the notice on the ATM screen and require the consumer 
to acknowledge receipt of the notice as a necessary step to obtaining 
the particular financial product or service.
    (ii) You may not, however, reasonably expect that a consumer will 
receive actual notice of your privacy policies and practices if you:
    (A) Only post a sign in your branch or office or generally publish 
advertisements of your privacy policies and practices;
    (B) Send the notice via electronic mail to a consumer who obtains a 
financial

[[Page 8813]]

product or service with you in person or through the mail and who does 
not agree to receive the notice electronically.
    (iii) You provide the initial privacy notice to the customer so 
that it can be retained or obtained at a later time if you:
    (A) Hand-deliver a printed copy of the notice to the customer;
    (B) Mail a printed copy of the notice to the last known address of 
the customer upon request of the customer; or
    (C) Maintain the notice on a web site (or a link to another web 
site) for the customer who obtains a financial product or service 
electronically and who agrees to receive the notice electronically.


Sec. 573.5  Annual notice to customers required.

    (a) General rule. You must provide a clear and conspicuous notice 
to customers that accurately reflects your privacy policies and 
practices not less than annually during the continuation of the 
customer relationship. Annually means at least once in any period of 12 
consecutive months during which that relationship exists.
    (b) How to provide notice. You must provide the annual notice 
required by paragraph (a) of this section to a customer using a means 
permitted for providing the initial notice to that customer under 
Sec. 573.4(d).
    (c)(1) Termination of customer relationship. You are not required 
to provide an annual notice to a customer with whom you no longer have 
a continuing relationship.
    (2) Examples. You no longer have a continuing relationship with an 
individual if:
    (i) In the case of a deposit account, the account is dormant under 
your policies;
    (ii) In the case of a closed-end loan, the consumer pays the loan 
in full, you charge off the loan, or you sell the loan without 
retaining servicing rights;
    (iii) In the case of a credit card relationship or other open-end 
credit relationship, you no longer provide any statements or notices to 
the consumer concerning that relationship or you sell the credit card 
receivables without retaining servicing rights; or
    (iv) For other types of relationships, you have not communicated 
with the consumer about the relationship for a period of 12 consecutive 
months, other than to provide annual notices of privacy policies and 
practices.


Sec. 573.6  Information to be included in initial and annual notices of 
privacy policies and practices.

    (a) General rule. The initial and annual notices that you provide 
about your privacy policies and practices under Secs. 573.4 and 573.5 
must include each of the following items of information:
    (1) The categories of nonpublic personal information about your 
consumers that you collect;
    (2) The categories of nonpublic personal information about your 
consumers that you disclose;
    (3) The categories of affiliates and nonaffiliated third parties to 
whom you disclose nonpublic personal information about your consumers, 
other than those parties to whom you disclose information under 
Secs. 573.10 and 573.11;
    (4) The categories of nonpublic personal information about your 
former customers that you disclose and the categories of affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information about your former customers, other than those parties to 
whom you disclose information under Secs. 573.10 and 573.11;
    (5) If you disclose nonpublic personal information to a 
nonaffiliated third party under Sec. 573.9 (and no other exception 
applies to that disclosure), a separate description of the categories 
of information you disclose and the categories of third parties with 
whom you have contracted;
    (6) An explanation of the right under Sec. 573.8(a) of the consumer 
to opt out of the disclosure of nonpublic personal information to 
nonaffiliated third parties, including the methods by which the 
consumer may exercise that right;
    (7) Any disclosures that you make under section 603(d)(2)(A)(iii) 
of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that 
is, notices regarding the ability to opt out of disclosures of 
information among affiliates); and
    (8) Your policies and practices with respect to protecting the 
confidentiality, security and integrity of nonpublic personal 
information.
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information about a 
consumer to third parties as authorized under Secs. 573.10 and 573.11, 
you are not required to list those exceptions in the initial or annual 
privacy notices required by Secs. 573.4 and 573.5. When describing the 
categories with respect to those parties, you are only required to 
state that you make disclosures to other nonaffiliated third parties as 
permitted by law.
    (c) Future disclosures. Your notice may include:
    (1) Categories of nonpublic personal information that you reserve 
the right to disclose in the future, but do not currently disclose; and 
(2) Categories of affiliates or nonaffiliated third parties to whom you 
reserve the right in the future to disclose, but to whom you do not 
currently disclose, nonpublic personal information.
    (d) Examples--(1) Categories of nonpublic personal information that 
you collect. You adequately categorize the nonpublic personal 
information you collect if you categorize it according to the source of 
the information, such as application information, information about 
transactions (such as information regarding your deposit, loan, or 
credit card account), and consumer reports.
    (2) Categories of nonpublic personal information you disclose. You 
adequately categorize nonpublic personal information you disclose if 
you categorize it according to source, and provide a few illustrative 
examples of the content of the information. These might include 
application information, such as assets and income; identifying 
information, such as name, address, and social security number; and 
transaction information, such as information about account balance, 
payment history, parties to the transaction, and credit card usage; and 
information from consumer reports, such as a consumer's 
creditworthiness and credit history. You do not adequately categorize 
the information that you disclose if you use only general terms, such 
as transaction information about the consumer.
    (3) Categories of affiliates and nonaffiliated third parties to 
whom you disclose. You adequately categorize the affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information about consumers if you identify the types of businesses 
that they engage in. Types of businesses may be described by general 
terms only if you use a few illustrative examples of significant lines 
of business. For example, you may use the term financial products or 
services if you include appropriate examples of significant lines of 
businesses, such as consumer banking, mortgage lending, life insurance 
or securities brokerage. You also may categorize the affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information about consumers using more detailed categories.
    (4) Simplified notices. If you do not disclose, and do not intend 
to disclose, nonpublic personal information to affiliates or 
nonaffiliated third parties, you may simply state that fact, in

[[Page 8814]]

addition to the information you must provide under paragraphs (a)(1), 
(a)(8), and (b) of this section.
    (5) Confidentiality, security and integrity. You describe your 
policies and practices with respect to protecting the confidentiality 
and security of nonpublic personal information if you explain who has 
access to the information and the circumstances under which the 
information may be accessed. You describe your policies and practices 
with respect to protecting the integrity of nonpublic personal 
information if you explain measures you take to protect against 
reasonably anticipated threats or hazards. You are not required to 
describe technical information about the safeguards you use.


Sec. 573.7  Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.

    (a) (1) Conditions for disclosure. Except as otherwise authorized 
in this part, you may not, directly or through any affiliate, disclose 
any nonpublic personal information about a consumer to a nonaffiliated 
third party unless:
    (i) You have provided to the consumer an initial notice as required 
under Sec. 573.4;
    (ii) You have provided to the consumer an opt out notice as 
required in Sec. 573.8;
    (iii) You have given the consumer a reasonable opportunity, before 
the time that you disclose the information to the nonaffiliated third 
party, to opt out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) Opt out definition. Opt out means a direction by the consumer 
that you not disclose nonpublic personal information about that 
consumer to a nonaffiliated third party, other than as permitted by 
Secs. 573.9, 573.10 and 573.11.
    (3) Examples of reasonable opportunity to opt out--(i) By mail. You 
provide a consumer with whom you have a customer relationship with a 
reasonable opportunity to opt out if you mail the notices required in 
paragraph (a)(1) of this section to the consumer and allow the consumer 
a reasonable period of time, such as 30 days, to opt out.
    (ii) Isolated transaction with consumer. For an isolated 
transaction, such as the purchase of a cashier's check by a consumer, 
you provide a reasonable opportunity to opt out if you provide the 
consumer with the required notices at the time of the transaction and 
request that the consumer decide, as a necessary part of the 
transaction, whether to opt out before completing the transaction.
    (b) Application of opt out to all consumers and all nonpublic 
personal information. 
    (1) You must comply with this section, regardless of whether you 
and the consumer have established a customer relationship.
    (2) Unless you comply with this section, you may not, directly or 
through any affiliate, disclose any nonpublic personal information 
about a consumer that you have collected, regardless of whether you 
collected it before or after receiving the direction to opt out from 
the consumer.
    (c) Partial opt out. You may allow a consumer to select certain 
nonpublic personal information or certain nonaffiliated third parties 
with respect to which the consumer wishes to opt out.


Sec. 573.8  Form and method of providing opt out notice to consumers.

    (a) (1) Form of opt out notice. You must provide a clear and 
conspicuous notice to each of your consumers that accurately explains 
the right to opt out under Sec. 573.7(a)(1). The notice must state:
    (i) That you disclose or reserve the right to disclose nonpublic 
personal information about your consumer to a nonaffiliated third 
party;
    (ii) That the consumer has the right to opt out of that disclosure; 
and
    (iii) A reasonable means by which the consumer may exercise the opt 
out right.
    (2) Examples. (i) You provide adequate notice that the consumer can 
opt out of the disclosure of nonpublic personal information to a 
nonaffiliated third party if you identify all of the categories of 
nonpublic personal information that you disclose or reserve the right 
to disclose to nonaffiliated third parties as described in Sec. 573.6 
and state that the consumer can opt out of the disclosure of that 
information.
    (ii) You provide a reasonable means to exercise an opt out right if 
you:
    (A) Designate check-off boxes in a prominent position on the 
relevant forms with the opt out notice;
    (B) Include a reply form together with the opt out notice; or
    (C) Provide an electronic means to opt out, such as a form that can 
be sent via electronic mail or a process at your web site, if the 
consumer agrees to the electronic delivery of information.
    (iii) You do not provide a reasonable means of opting out if the 
only means of opting out is for the consumer to write his or her own 
letter to exercise that opt out right.
    (b) How to provide opt out notice--(1) Delivery of notice. You must 
provide the opt out notice required by paragraph (a) of this section in 
a manner so that each consumer can reasonably be expected to receive 
actual notice in writing or, if the consumer agrees, in electronic 
form. If you and the consumer orally agree to enter into a customer 
relationship, you may provide the opt out notice required by paragraph 
(a) of this section within a reasonable time thereafter if the consumer 
agrees.
    (2) Oral description of opt out right insufficient. You may not 
provide the opt out notice solely by orally explaining, either in 
person or over the telephone, the right of the consumer to opt out.
    (3) Same form as initial notice permitted. You may provide the opt 
out notice together with or on the same written or electronic form as 
the initial notice you provide in accordance with Sec. 573.4.
    (4) Initial notice required when opt out notice delivered 
subsequent to initial notice. If you provide the opt out notice at a 
later time than required for the initial notice in accordance with 
Sec. 573.4, you must also include a copy of the initial notice in 
writing or, if the consumer agrees, in an electronic form with the opt 
out notice.
    (c) Notice of change in terms--(1) General rule. Except as 
otherwise authorized in this part, you must not, directly or through 
any affiliate, disclose any nonpublic personal information about a 
consumer to a nonaffiliated third party other than as described in the 
initial notice that you provided to the consumer under Sec. 573.4, 
unless:
    (i) You have provided to the consumer a revised notice that 
accurately describes your policies and practices;
    (ii) You have provided to the consumer a new opt out notice;
    (iii) You have given the consumer a reasonable opportunity, before 
the time that you disclose the information to the nonaffiliated third 
party, to opt out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) How to provide notice of change in terms. You must provide the 
revised notice of your policies and practices and opt out notice to a 
consumer using the means permitted for providing the initial notice and 
opt out notice to that consumer under Sec. 573.4(d) or paragraph (b) of 
this section respectively.
    (3) Examples. (i) Except as otherwise permitted by Secs. 573.9, 
573.10 and 573.11, a change-in-terms notice is required if you:
    (A) Disclose a new category of nonpublic personal information to 
any nonaffiliated third party; or

[[Page 8815]]

    (B) Disclose nonpublic personal information to a new category of 
nonaffiliated third party.
    (ii) A change-in-terms notice is not required if you disclose 
nonpublic personal information to a new nonaffiliated third party that 
is adequately described by your prior notice.
    (d) Continuing right to opt out. A consumer may exercise the right 
to opt out at any time, and you must comply with the consumer's 
direction as soon as reasonably practicable.
    (e) Duration of consumer's opt out direction. A consumer's 
direction to opt out under this section is effective until revoked by 
the consumer in writing, or if the consumer agrees, in electronic form.


Sec. 573.9  Exception to opt out requirements for service providers and 
joint marketing.

    (a) General rule. The opt out requirements in Secs. 573.7 and 573.8 
do not apply when you provide nonpublic personal information about a 
consumer to a nonaffiliated third party to perform services for you or 
functions on your behalf, if you:
    (1) Provide the initial notice in accordance with Sec. 573.4; and
    (2) Enter into a contractual agreement with the third party that:
    (i) Requires the third party to maintain the confidentiality of the 
information to at least the same extent that you must maintain that 
confidentiality under this part; and
    (ii) Limits the third party's use of information you disclose 
solely to the purposes for which the information is disclosed or as 
otherwise permitted by Secs. 573.10 and 573.11 of this part.
    (b) Service may include joint marketing. The services performed for 
you by a nonaffiliated third party under paragraph (a) of this section 
may include marketing of your own products or services or marketing of 
financial products or services offered pursuant to joint agreements 
between you and one or more financial institutions.
    (c) Definition of joint agreement. For purposes of this section, 
joint agreement means a written contract pursuant to which you and one 
or more financial institutions jointly offer, endorse, or sponsor a 
financial product or service.


Sec. 573.10  Exceptions to notice and opt out requirements for 
processing and servicing transactions.

    (a) Exceptions for processing transactions at consumer's request. 
The requirements for initial notice in Sec. 573.4(a)(2), the opt out in 
Secs. 573.7 and 573.8 and service providers and joint marketing in 
Sec. 573.9 do not apply if you disclose nonpublic personal information:
    (1) As necessary to effect, administer, or enforce a transaction 
requested or authorized by the consumer;
    (2) To service or process a financial product or service requested 
or authorized by the consumer;
    (3) To maintain or service the consumer's account with you, or with 
another entity as part of a private label credit card program or other 
extension of credit on behalf of such entity; or
    (4) In connection with a proposed or actual securitization, 
secondary market sale (including sales of servicing rights) or similar 
transaction related to a transaction of the consumer.
    (b) Necessary to effect, administer, or enforce a transaction means 
that the disclosure is:
    (1) Required, or is one of the lawful or appropriate methods, to 
enforce your rights or the rights of other persons engaged in carrying 
out the financial transaction or providing the product or service; or
    (2) Required, or is a usual, appropriate, or acceptable method:
    (i) To carry out the transaction or the product or service business 
of which the transaction is a part, and record, service, or maintain 
the consumer's account in the ordinary course of providing the 
financial service or financial product;
    (ii) To administer or service benefits or claims relating to the 
transaction or the product or service business of which it is a part;
    (iii) To provide a confirmation, statement or other record of the 
transaction, or information on the status or value of the financial 
service or financial product to the consumer or the consumer's agent or 
broker;
    (iv) To accrue or recognize incentives or bonuses associated with 
the transaction that are provided by you or any other party;
    (v) To underwrite insurance at the consumer's request or for 
reinsurance purposes, or for any of the following purposes as they 
relate to a consumer's insurance: account administration, reporting, 
investigating, or preventing fraud or material misrepresentation, 
processing premium payments, processing insurance claims, administering 
insurance benefits (including utilization review activities), 
participating in research projects, or as otherwise required or 
specifically permitted by Federal or State law;
    (vi) In connection with settling a transaction, including:
    (A) The authorization, billing, processing, clearing, transferring, 
reconciling or collection of amounts charged, debited, or otherwise 
paid using a debit, credit, or other payment card, check or account 
number, or by other payment means;
    (B) The transfer of receivables, accounts, or interests therein; or
    (C) The audit of debit, credit, or other payment information.


Sec. 573.11  Other exceptions to notice and opt out requirements.

    (a) Exceptions to opt out requirements. The requirements for 
initial notice to consumers in Sec. 573.4(a)(2), the opt out in 
Secs. 573.7 and 573.8 and service providers and joint marketing in 
Sec. 573.9 do not apply when you disclose nonpublic personal 
information:
    (1) With the consent or at the direction of the consumer, provided 
that the consumer has not revoked the consent or direction;
    (2) (i) To protect the confidentiality or security of your records 
pertaining to the consumer, service, product or transaction;
    (ii) To protect against or prevent actual or potential fraud, 
unauthorized transactions, claims or other liability;
    (iii) For required institutional risk control or for resolving 
consumer disputes or inquiries;
    (iv) To persons holding a legal or beneficial interest relating to 
the consumer; or
    (v) To persons acting in a fiduciary or representative capacity on 
behalf of the consumer;
    (3) To provide information to insurance rate advisory 
organizations, guaranty funds or agencies, agencies that are rating 
you, persons that are assessing your compliance with industry 
standards, and your attorneys, accountants, and auditors;
    (4) To the extent specifically permitted or required under other 
provisions of law and in accordance with the Right to Financial Privacy 
Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies 
(including government regulators), self-regulatory organizations, or 
for an investigation on a matter related to public safety;
    (5) (i) To a consumer reporting agency in accordance with the Fair 
Credit Reporting Act (15 U.S.C. 1681 et seq.); or
    (ii) From a consumer report reported by a consumer reporting 
agency;
    (6) In connection with a proposed or actual sale, merger, transfer, 
or exchange of all or a portion of a business or operating unit if the 
disclosure of nonpublic personal information concerns solely consumers 
of such business or unit; or
    (7) (i) To comply with Federal, State, or local laws, rules and 
other applicable legal requirements;

[[Page 8816]]

    (ii) To comply with a properly authorized civil, criminal, or 
regulatory investigation, or subpoena or summons by Federal, State, or 
local authorities; or
    (iii) To respond to judicial process or government regulatory 
authorities having jurisdiction over you for examination, compliance or 
other purposes as authorized by law.
    (b) Examples of consent and revocation of consent. (1) A consumer 
may specifically consent to your disclosure to a nonaffiliated 
insurance company of the fact that the consumer has applied to you for 
a mortgage so that the insurance company can offer homeowner's 
insurance to the consumer.
    (2) A consumer may revoke consent by subsequently exercising the 
right to opt out of future disclosures of nonpublic personal 
information as permitted under Sec. 573.8(d).


Sec. 573.12  Limits on redisclosure and reuse of information.

    (a) Limits on your redisclosure and reuse. (1) Except as otherwise 
provided in this part, if you receive nonpublic personal information 
about a consumer from a nonaffiliated financial institution, you must 
not, directly or through an affiliate, disclose the information to any 
other person that is not affiliated with either the financial 
institution or you, unless the disclosure would be lawful if the 
financial institution made it directly to such other person.
    (2) You may use nonpublic personal information about a consumer 
that you receive from a nonaffiliated financial institution in 
accordance with an exception under Secs. 573.9, 573.10 or 573.11 only 
for the purpose of that exception.
    (b) Limits on redisclosure and the reuse by other persons. (1) 
Except as otherwise provided in this part, if you disclose nonpublic 
personal information about a consumer to a nonaffiliated third party, 
that party must not, directly or through an affiliate, disclose the 
information to any other person that is a nonaffiliated third party of 
both you and that party, unless the disclosure would be lawful if you 
made it directly to such other person.
    (2) A nonaffiliated third party may use nonpublic personal 
information about a consumer that it receives from you in accordance 
with an exception under Secs. 573.9, 573.10, or 573.11 only for the 
purpose of that exception.


Sec. 573.13  Limits on sharing of account number information for 
marketing purposes.

    You must not, directly or through an affiliate, disclose, other 
than to a consumer reporting agency, an account number or similar form 
of access number or access code for a credit card account, deposit 
account, or transaction account of a consumer to any nonaffiliated 
third party for use in telemarketing, direct mail marketing, or other 
marketing through electronic mail to the consumer.


Sec. 573.14  Protection of Fair Credit Reporting Act.

    Nothing in this part shall be construed to modify, limit, or 
supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 
1681 et seq.), and no inference shall be drawn on the basis of the 
provisions of this part regarding whether information is transaction or 
experience information under section 603 of that Act.


Sec. 573.15  Relation to State laws.

    (a) In general. This part shall not be construed as superseding, 
altering, or affecting any statute, regulation, order, or 
interpretation in effect in any State, except to the extent that such 
State statute, regulation, order or interpretation is inconsistent with 
the provisions of this part, and then only to the extent of the 
inconsistency.
    (b) Greater protection under State law. For purposes of this 
section, a State statute, regulation, order, or interpretation is not 
inconsistent with the provisions of this part if the protection such 
statute, regulation, order, or interpretation affords any consumer is 
greater than the protection provided under this part, as determined by 
the Federal Trade Commission, after consultation with OTS, on the 
Federal Trade Commission's own motion or upon the petition of any 
interested party.


Sec. 573.16  Effective date; transition rule.

    (a) Effective date. This part is effective November 13, 2000.
    (b) Notice requirement for consumers who were your customers on the 
effective date. No later than 30 days after the effective date of this 
part, you must provide an initial notice, as required by Sec. 573.4, to 
consumers who were your customers on the effective date of this part.

    Dated: February 9, 2000.

    By the Office of Thrift Supervision.

Ellen Seidman,
Director.
[FR Doc. 00-3718 Filed 2-18-00; 8:45 am]
BILLING CODES 4810-33-P; 6210-01-P; 6714-01-P; 6720-01-P