[Federal Register Volume 65, Number 46 (Wednesday, March 8, 2000)]
[Proposed Rules]
[Pages 12354-12376]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-5526]



[[Page 12353]]

-----------------------------------------------------------------------

Part III





Securities and Exchange Commission





-----------------------------------------------------------------------



17 CFR Part 248



Privacy of Consumer Financial Information (Regulation S-P); Proposed 
Rule

  Federal Register / Vol. 65, No. 46 / Wednesday, March 8, 2000 / 
Proposed Rules  

[[Page 12354]]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR part 248

[Release Nos. 34-42484, IC-24326, IA-1856; File No. S7-6-00]
RIN 3235-AH90


Privacy of Consumer Financial Information (Regulation S-P)

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission requests comment on 
proposed Regulation S-P, privacy rules published under section 504 of 
the Gramm-Leach-Bliley Act. Section 504 requires the Commission and 
other federal agencies to adopt rules implementing notice requirements 
and restrictions on the ability of certain financial institutions to 
disclose nonpublic personal information about consumers to 
nonaffiliated third parties. Under the Gramm-Leach-Bliley Act, a 
financial institution must provide its customers with a notice of its 
privacy policies and practices, and must not disclose nonpublic 
personal information about a consumer to nonaffiliated third parties 
unless the institution provides certain information to the consumer and 
the consumer has not elected to opt out of the disclosure. The Gramm-
Leach-Bliley Act also requires the Commission to establish for 
financial institutions appropriate standards to protect customer 
information. The proposed rules implement these requirements of the 
Gramm-Leach-Bliley Act with respect to financial institutions subject 
to the Commission's jurisdiction under that Act.

DATES: Comments must be received by March 31, 2000.

ADDRESSES: Comments should be submitted in triplicate to Jonathan G. 
Katz, Secretary, Securities and Exchange Commission, 450 5th Street, 
NW, Washington, DC 20549-0609. Comments also may be submitted 
electronically to the following E-mail address: [email protected]. 
All comment letters should refer to File No. S7-6-00; this file number 
should be included on the subject line if E-mail is used. Comment 
letters will be available for public inspection and copying in the 
Commission's Public Reference Room, 450 5th Street, NW, Washington, DC 
20549. Electronically submitted comment letters will be posted on the 
Commission's Internet web site (http://www.sec.gov).

FOR FURTHER INFORMATION CONTACT: For information regarding the proposed 
rules as they relate to brokers or dealers, contact George Lavdas, 
Office of Chief Counsel, at the Division of Market Regulation, (202) 
942-0073, or regarding the proposed rules as they relate to investment 
companies or investment advisers, Penelope W. Saltzman, Office of 
Regulatory Policy, (202) 942-0690, at the Division of Investment 
Management, Securities and Exchange Commission, 450 5th Street, NW, 
Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Securities and Exchange Commission (the 
``Commission'') today is proposing for public comment new Regulation S-
P, 17 CFR 248.1-248.30, under the Gramm-Leach-Bliley Act [Pub. L. No. 
106-102, 113 Stat. 1338 (1999), to be codified at 15 U.S.C. 6801-6809], 
the Securities Exchange Act of 1934 [15 U.S.C. 78a] (''Exchange Act''), 
the Investment Company Act of 1940 [15 U.S.C. 80a] (``Investment 
Company Act''), and the Investment Advisers Act of 1940 [15 U.S.C. 80b] 
(``Investment Advisers Act'').

Table of Contents

I. Background
II. Section-by-Section Analysis
III. General Request for Comments
IV. Cost-Benefit Analysis
V. Paperwork Reduction Act
VI. Summary of Initial Regulatory Flexibility Analysis
VII. Analysis of Effects on Efficiency, Competition, and Capital 
Formation
VIII. Statutory Authority
Text of Proposed Rules

I. Background

    On November 12, 1999, President Clinton signed the Gramm-Leach-
Bliley Act (``G-L-B Act'') \1\ into law. Subtitle A of Title V of the 
Act, captioned ``Disclosure of Nonpublic Personal Information'' 
(``Title V'') limits the instances in which a financial institution may 
disclose nonpublic personal information about a consumer to 
nonaffiliated third parties, and requires a financial institution to 
disclose to all of its customers the institution's privacy policies and 
practices with respect to information sharing with both affiliates and 
nonaffiliated third parties. Title V also requires the Office of the 
Comptroller of the Currency, Board of Governors of the Federal Reserve 
System, Federal Deposit Insurance Corporation, Office of Thrift 
Supervision (collectively, the ``banking agencies''), Secretary of the 
Treasury, National Credit Union Administration, Federal Trade 
Commission (collectively with the banking agencies, the ``Agencies''), 
and the Commission, after consulting with representatives of State 
insurance authorities designated by the National Association of 
Insurance Commissioners, to prescribe such regulations as may be 
necessary to carry out the purposes of the provisions in Title V that 
govern disclosure of nonpublic personal information.
---------------------------------------------------------------------------

    \1\ Pub. L. 106-102, 113 Stat. 1338 (1999) (to be codified at 15 
U.S.C. 6801-6809).
---------------------------------------------------------------------------

    Commission representatives participated with representatives from 
the Agencies in drafting proposed rules to implement Title V. As is 
required by the G-L-B Act, the rules we are proposing today are, to the 
extent possible, consistent with and comparable to the rules proposed 
by the Agencies. Proposed Regulation S-P contains rules of general 
applicability that are substantially similar to the rules proposed by 
the banking agencies.\2\ The proposed rules also contain examples that 
illustrate the application of the general rules. These examples differ 
from those used by the banking agencies in order to provide more 
meaningful guidance to the financial institutions subject to the 
Commission's jurisdiction.
---------------------------------------------------------------------------

    \2\ 2. See G-L-B Act Sec. 504(a). The banking agencies published 
a joint release proposing rules to implement Title V earlier this 
month. Privacy of Consumer Financial Information, 65 FR 8770 (Feb. 
22, 2000) (``Banking Agencies'' Proposal''). The Federal Trade 
Commision proposed its privacy rules on February 24, 2000 [Privacy 
of Consumer Financial Information, available at www.ftc.gov>]. The 
National Credit Union Administration approved its rule proposal the 
same day [Privacy of Consumer Financial Information, Requirements 
for Insurance, available at www.ncua.gov>].
---------------------------------------------------------------------------

    Title V also requires the Commission (and each of the Agencies) to 
establish appropriate standards for financial institutions subject to 
their jurisdiction to safeguard customer information and records. The 
rules we are proposing today include requirements for brokers, dealers, 
and investment companies, as well as investment advisers registered 
with the Commission (''registered investment advisers''), to adopt 
appropriate policies and procedures that address safeguards to protect 
this information.
    We request comment on all aspects of the proposed rules as well as 
comment on the specific provisions and issues highlighted in the 
section-by-section analysis below. We specifically request comment on 
the proposed examples and on any additional examples that would be 
helpful.

II. Section-by-Section Analysis

Section 248.1  Purpose and Scope

    Proposed paragraph (a) of section 248.1 identifies three purposes 
of the

[[Page 12355]]

rules. First, the rules require a financial institution to provide 
notice to consumers about the institution's privacy policies and 
practices. Second, the rules describe the conditions under which a 
financial institution may disclose nonpublic personal information about 
a consumer to a nonaffiliated third party. Third, the rules provide a 
method for a consumer to ``opt out'' of the disclosure of that 
information to nonaffiliated third parties, subject to certain 
exceptions discussed below.
    Proposed paragraph (b) sets out the scope of the Commission's rules 
and lists the entities subject to the Commission's enforcement 
jurisdiction under section 505(a) of the G-L-B Act.\3\ This paragraph 
notes that the rules apply only to information about individuals who 
obtain a financial product or service from a financial institution to 
be used for personal, family, or household purposes.
---------------------------------------------------------------------------

    \3\ Section 505(a) of the G-L-B Act requires the Commission to 
enforce the G-L-B Act and regulations adopted under the Act as 
follows: with respect to brokers and dealers under the Exchange Act, 
with respect to investment companies under the Investment Company 
Act, and with respect to investment advisers registered with the 
Commission under the Investment Advisers Act. Therefore, in addition 
to its authority under section 504 of the G-L-B Act, the Commission 
is proposing this part under its rulemaking authority under the 
Exchange Act, the Investment Company Act, and the Investment 
Advisers Act. Financial institutions subject to this part would also 
be subject to the Commission's enforcement of this part under those 
statutes.
---------------------------------------------------------------------------

    We note that other federal, State, or applicable foreign laws may 
impose limitations on disclosures of nonpublic personal information in 
addition to those imposed by the G-L-B Act and these proposed rules.\4\ 
Thus, financial institutions will need to monitor and comply with 
relevant legislative and regulatory developments that affect the 
disclosure of consumer information.
---------------------------------------------------------------------------

    \4\ For example, an investment adviser may be subject to 
fiduciary principles under state law that impose additional limits 
on the adviser's ability to disclose information about its customers 
to any third party. See Restatement (Second) of Agency Sec. 395 (an 
agent is subject to a duty to the principal not to use or to 
communicate information confidentially given him by the principal or 
acquired by him during the course of his agency); General 
Acquisition, Inc. v. Gencorp Inc., 766 F.Supp. 1460, 1475 (S.D. Ohio 
1990) (``[I]t is well settled that a fiduciary is under a duty not 
to disclose or use for his own benefit confidential information 
acquired in the course of its fiduciary relationship'').
---------------------------------------------------------------------------

Section 248.2  Rule of Construction

    Proposed section 248.2 sets out a rule of construction intended to 
clarify the effect of the examples used in the rules. Given the wide 
variety of transactions that Title V covers, the proposal would include 
rules of general applicability and provide examples that are intended 
to assist financial institutions in complying with the rule. These 
examples are not intended to be exhaustive; rather, they are intended 
to provide guidance about how the rules are likely to apply in specific 
situations.\5\ We invite comment on whether including examples in the 
rule is useful, and suggestions on additional or different examples 
that may be helpful in providing guidance as to the applicability of 
the rule.
---------------------------------------------------------------------------

    \5\ The banking agencies' proposal provides that, to the extent 
applicable, compliance with the examples would constitute compliance 
with the applicable rule. See, e.g., Banking Agencies' Proposal, 
proposed Secs. 40.2, 216.2, 332.2, 573.2. The examples in our 
proposed rules, however, would not provide the same safe harbor. The 
examples are intended to describe ordinary situations that would 
comply with the applicable rule, but the particular facts and 
circumstances relating to each specific situation will determine 
whether compliance with an example constitutes compliance with the 
rule.
---------------------------------------------------------------------------

Section 248.3  Definitions

    (a) Affiliate. The proposed rules incorporate the definition of 
``affiliate'' used in section 509(6) of the G-L-B Act. A broker, 
dealer, investment company, or registered investment adviser will be 
considered affiliated with another company if it ``controls,'' is 
controlled by, or is under common control with the other company.\6\ 
The definition includes both financial institutions and entities that 
are not financial institutions.
---------------------------------------------------------------------------

    \6\ We have defined ``control'' for purposes of brokers, 
dealers, investment companies, and registered investment advisers to 
mean the power to exercise a controlling influence over the 
management or policies of a company whether through ownership of 
securities, by contract, or otherwise. In addition, ownership of 
more than 25 percent of a company's voting securities creates a 
presumption of control of the company. See infra discussion of 
proposed section 248.3(i).
---------------------------------------------------------------------------

    The Commission's definition of control differs from the definition 
adopted by the Agencies.\7\ The proposed rules also provide that a 
broker, dealer, investment company, or registered investment adviser 
will be considered an affiliate of another company for purposes of the 
privacy rules if: (i) the other company is regulated under Title V by 
one of the Agencies and (ii) the privacy rules adopted by that Agency 
treat the broker, dealer, investment company, or registered investment 
adviser as an affiliate of the other company.\8\
---------------------------------------------------------------------------

    \7\ Under the Banking Agencies' Proposal, for example, control 
means ownership of 25 percent of a company's voting securities, 
control over the election of a majority of the directors, trustees 
or general partners of the company, or the power to exercise a 
controlling influence over management or policies of a company, as 
determined by the particular agency. See, e.g., Banking Agencies' 
Proposal, proposed Secs. 40.3(g), 216.3(g), 332.3(g), 573.3(g).
    \8\ Proposed Sec. 248.3(a)(1)-(2). This part of the proposed 
definition is designed to prevent the disparate treatment of 
affiliates within a holding company structure. Without this 
provision, a broker-dealer in a bank holding company structure might 
not be considered affiliated with another entity in that 
organization under the Commission's proposed rules, even though the 
two entities would be considered affiliated under the Banking 
Agencies' Proposal.
---------------------------------------------------------------------------

    (b) Broker. For purposes of this part, the term ``broker'' is 
defined to have the same meaning as in section 3(a)(4) of the Exchange 
Act,\9\ whether or not the institution is registered under section 
15(b) of the Exchange Act.\10\ The term includes a municipal securities 
broker as defined in section 3(a)(31) of the Exchange Act,\11\ whether 
or not it is registered under section 15(b) of the Exchange Act.\12\ 
The definition also includes a government securities broker as defined 
in section 3(a)(43) of the Exchange Act \13\ (other than a bank as 
defined in section 3(a)(6) of the Exchange Act \14\ ) whether or not 
the broker is registered under sections 15(b) or 15C(a)(2) of the 
Exchange Act.\15\
---------------------------------------------------------------------------

    \9\ 15 U.S.C. 78c(a)(4).
    \10\ 15 U.S.C. 78o(b).
    \11\ 15 U.S.C. 78c(a)(31).
    \12\ 15 U.S.C. 78o(b).
    \13\ 15 U.S.C. 78c(a)(43).
    \14\ 15 U.S.C. 78c(a)(6). For purposes of this definition and 
the definition of ``dealer'' (see proposed Sec. 248.3(l)), the term 
``bank'' does not include a foreign bank (as that term is defined in 
section 1(b)(7) the International Banking Act of 1978, 12 U.S.C. 
3101(7)) or a savings association (as defined in section 3(b) of the 
Federal Deposit Insurance Act, 12 U.S.C. 1813(b)) the deposits of 
which are insured by the Federal Deposit Insurance Corporation.
    \15\ 15 U.S.C. 78o(b), 78o-5(a)(2).
---------------------------------------------------------------------------

    (c) Clear and conspicuous. Title V and the proposed rules require 
that various notices be ``clear and conspicuous.'' The proposed rules 
define this term to mean that the notice is reasonably understandable 
and designed to call attention to the nature and significance of the 
information contained in the notice.
    The proposed rules do not mandate the use of any particular 
technique for making the notices clear and conspicuous, but instead 
allow each financial institution the flexibility to decide for itself 
how best to comply with this requirement. A notice could satisfy the 
clear and conspicuous standard, for instance, by using a plain-language 
caption, in a type set easily read, that is designed to call attention 
to the information contained in the notice. Other plain language 
principles are provided in the examples that follow the general rule.
    (d) Collect. The proposed rules define ``collect'' to mean 
obtaining any

[[Page 12356]]

information that is organized or retrievable on a personally 
identifiable basis, irrespective of the source of the underlying 
information. Several sections of the proposed rules impose obligations 
that arise when a financial institution collects information about a 
consumer.\16\ This proposed definition clarifies that these obligations 
arise when the information enables the user to identify a particular 
consumer. It also clarifies that the obligations arise regardless of 
whether the financial institution obtains the information from a 
consumer or from some other source.
---------------------------------------------------------------------------

    \16\ See, e.g., proposed Secs. 248.6, 248.7.
---------------------------------------------------------------------------

    (f) Company. The proposed rules define ``company,'' which is used 
in the definition of ``affiliate,'' as any corporation, limited 
liability company, business trust, general or limited partnership, 
association, or similar organization.
    (g) Consumer. The proposed rules define ``consumer'' to mean an 
individual who obtains, from a financial institution, financial 
products or services that are to be used primarily for personal, 
family, or household purposes. An individual also will be deemed to be 
a consumer for purposes of a financial institution if that institution 
purchases the individual's account from some other institution. The 
definition also includes the legal representative of an individual.
    The G-L-B Act distinguishes ``consumers'' from ``customers'' for 
purposes of the notice requirements imposed by the Act. As explained 
below in the discussion of proposed section 248.4, a financial 
institution must give a ``consumer'' the notices required under Title V 
only if the institution intends to disclose nonpublic personal 
information about the consumer to a nonaffiliated third party for a 
purpose that is not authorized by one of several exceptions set out in 
proposed sections 248.10 and 248.11. By contrast, a financial 
institution must give all ``customers,'' at the time of establishing a 
customer relationship and annually thereafter during the continuation 
of the customer relationship, a notice of the institution's privacy 
policy.
    A person is a ``consumer'' under the proposed rules if he or she 
obtains a financial product or service from a financial institution. 
The definition of ``financial product or service'' in proposed section 
248.3(n) includes, among other things, a financial institution's 
evaluation of an individual's application to obtain a financial product 
or service. Thus, a financial institution that intends to share 
nonpublic personal information about a consumer with nonaffiliated 
third parties outside of the exceptions described in sections 248.10 
and 248.11 will have to give the requisite notices, even if the 
consumer does not enter into a customer relationship with the 
institution.
    The examples that follow the definition of ``consumer'' explain 
when someone is a consumer. The examples clarify that a consumer 
includes someone who provides nonpublic personal information in 
connection with seeking to obtain brokerage or investment advisory 
services, but does not include someone who provides only name, address, 
and areas of investment interest in order to obtain a prospectus, 
investment adviser brochure, or other information about a financial 
product.\17\ An individual who has an account with an introducing 
broker and whose securities are carried by a clearing broker in a 
special omnibus account in the name of the introducing broker is not a 
consumer for purposes of the clearing broker if it receives no 
nonpublic personal information about the consumer. Similarly, 
investment company shareholders who are not the record owners of their 
shares would not be consumers for purposes of the investment 
company.\18\
---------------------------------------------------------------------------

    \17\ Individuals may provide this information, for example, on 
``tear-out'' cards from magazines, or in telephone or Internet 
requests for prospectuses or brochures.
    \18\ 
    See also infra discussion of proposed section 248.3(k) 
(definition of ``customer relationship'').
---------------------------------------------------------------------------

    (h) Consumer reporting agency. The proposed rules incorporate the 
definition of ``consumer reporting agency'' in section 603(f) of the 
Fair Credit Reporting Act.\19\ This term is used in proposed sections 
248.11 and 248.13.
---------------------------------------------------------------------------

    \19\ 15 U.S.C. 1681a(f).
---------------------------------------------------------------------------

    (i) Control. The proposed rules define ``control'' for purposes of 
brokers, dealers, investment companies, and registered investment 
advisers to mean the power to exercise a controlling influence over the 
management or policies of a company whether through ownership of 
securities, by contract, or otherwise.\20\ In addition, ownership of 
more than 25 percent of a company's voting securities creates a 
presumption of control of the company.\21\ This definition is used to 
determine when companies are affiliated,\22\ and would result in 
financial institutions being considered as affiliates regardless of 
whether the control is exercised by a company or individual.
---------------------------------------------------------------------------

    \20\ See, e.g., 17 CFR 240.19g2-1(b)(2).
    \21\ This presumption may be rebutted by evidence, but, in the 
case of an investment company, will continue until the Commission 
makes a decision to the contrary according to the procedures 
described in section 2(a)(9) of the Investment Company Act [15 
U.S.C. 80a-2(a)(9)].
    \22\ See discussion of proposed Sec. 248.3(a), supra.
---------------------------------------------------------------------------

    (j) Customer. The proposed rules define ``customer'' as any 
consumer who has a ``customer relationship'' with a particular 
financial institution. As explained more fully in the discussion of 
proposed section 248.4 below, a consumer becomes a customer of a 
financial institution when he or she enters into a continuing 
relationship with the institution. For example, a consumer would become 
a customer when he or she enters into an investment advisory contract 
(whether written or oral), completes the documents needed to open a 
brokerage account, or purchases shares of an investment company in his 
or her own name.
    The distinction between consumers and customers determines the 
notices that a financial institution must provide. If a consumer never 
becomes a customer, the institution is not required to provide any 
notices to the consumer unless the institution intends to disclose 
nonpublic personal information about that consumer to nonaffiliated 
third parties (outside of the exceptions as set out in sections 248.10 
and 248.11). By contrast, if a consumer becomes a customer, the 
institution must provide a copy of its privacy policy before it 
establishes the customer relationship and at least annually during the 
continuation of the customer relationship.
    (k) Customer relationship. The proposed rules define ``customer 
relationship'' as a continuing relationship between a consumer and a 
financial institution in which the institution provides a financial 
product or service that is to be used by the consumer primarily for 
personal, family, or household purposes. Because the G-L-B Act requires 
annual notices of the financial institution's privacy policies to its 
customers, we have interpreted the Act as requiring more than isolated 
transactions between a financial institution and a consumer to 
establish a customer relationship, unless it is reasonable to expect 
further contact about that transaction between the institution and 
consumer afterwards. Thus, the proposed rules define ``customer 
relationship'' as one that generally is of a continuing nature. As 
noted in the examples that follow the definition, this would include a 
brokerage account or investment advisory relationship. A broker would 
have a customer relationship with a consumer when the broker regularly 
effects securities transactions for the

[[Page 12357]]

customer, even if the broker holds none of the customer's assets.
    A one-time transaction may be sufficient to establish a customer 
relationship, depending on the nature of the transaction. The examples 
that follow the definition of ``customer relationship'' clarify that an 
individual's purchase of securities through a broker with whom the 
customer opens an account would be sufficient to establish a customer 
relationship because of the continuing nature of the service. The 
individual would be a customer even if the account is established only 
to hold securities or other assets as collateral for a loan made by 
another institution. By contrast, an individual who purchases 
securities through a broker would not be the broker's customer if the 
broker provides the service as an accommodation but does not open an 
account for the individual.\23\ Similarly, a consumer does not become a 
broker's customer when the broker liquidates securities for the 
consumer on a one-time basis.
---------------------------------------------------------------------------

    \23\ The individual would, however, be a consumer for purposes 
of the broker, which would require the broker to provide notices if 
it intends to disclose nonpublic personal information about the 
consumer to nonaffiliated third parties outside of the exceptions.
---------------------------------------------------------------------------

    The examples also clarify that a consumer will have a customer 
relationship with an investment company whose shares the consumer owns 
in his or her own name, even if the consumer purchased those shares 
through a broker or investment adviser. In that case, the individual 
will be a customer of both the broker or investment adviser who sold 
the shares and the investment company. Similarly, an introducing 
broker's customer will also be a customer of the broker that clears 
customer transactions for the introducing broker on a fully disclosed 
basis.
    (l) Dealer. The proposed rules define the term ``dealer'' to have 
the same meaning as in section 3(a)(5) of the Exchange Act,\24\ whether 
or not the dealer is registered under section 15(b) of the Exchange 
Act. The term includes a municipal securities dealer as defined in 
section 3(a)(30) of the Exchange Act,\25\ other than a bank (as defined 
in section 3(a)(6) of the Exchange Act \26\), whether or not the dealer 
is registered under sections 15(b) or 15B(a)(2) of the Exchange Act. 
The term also includes a government securities dealer as defined in 
section 3(a)(44) of the Exchange Act,\27\ whether or not the dealer is 
registered under sections 15(b) or 15C(a)(2) of the Exchange Act.
---------------------------------------------------------------------------

    \24\ 15 U.S.C. 78c(a)(5).
    \25\ 15 U.S.C. 78c(a)(30).
    \26\ See supra note 14.
    \27\ 15 U.S.C. 78c(a)(44).
---------------------------------------------------------------------------

    (m) Financial institution. The proposed rules define ``financial 
institution'' as any institution the business of which is engaging in 
activities that are financial in nature, or incidental to such 
financial activities, as described in section 4(k) of the Bank Holding 
Company Act of 1956 (``Bank Holding Company Act''),\28\ including 
brokers, dealers, investment companies, and registered investment 
advisers. The proposed rules also exempt from the definition of 
``financial institution'' those entities specifically excluded by the 
G-L-B Act.
---------------------------------------------------------------------------

    \28\ 12 U.S.C. 1843(k).
---------------------------------------------------------------------------

    (n) Financial product or service. The proposed rules define 
``financial product or service,'' for purposes of Regulation S-P only, 
as a product or service that a financial institution could offer as an 
activity that is financial in nature, or incidental to such a financial 
activity, under section 4(k) of the Bank Holding Company Act. An 
activity that is complementary to a financial activity, as described in 
section 4(k), is not included in the definition of ``financial product 
or service'' under this part. The proposed definition includes the 
financial institution's evaluation of information collected in 
connection with an application by a consumer for a financial product or 
service even if the application ultimately is rejected or withdrawn. It 
also includes the distribution of information about a consumer for the 
purpose of assisting the consumer to obtain a financial product or 
service. To avoid confusion as to whether an investment company 
shareholder is an owner or a customer of the institution, the proposed 
definition clarifies that, for purposes of this regulation, the term 
``financial product'' includes shares of an investment company.
    (p) Government regulator. The proposed rules define ``government 
regulator'' to include the Commission and each of the Agencies and 
State insurance authorities. This term is used in two places. First, 
the term is used in proposed section 248.3(a), the definition of 
``affiliate.'' Second, the term is used in the exception set out in 
proposed section 248.11(a)(4) for disclosures to law enforcement 
agencies, ``including government regulators.''
    (q) Investment adviser. The proposed definition incorporates the 
definition of investment adviser in section 202(a)(11) of the 
Investment Advisers Act.\29\
---------------------------------------------------------------------------

    \29\ 15 U.S.C. 80b-2(a)(11).
---------------------------------------------------------------------------

    (r) Investment company. The proposed definition incorporates the 
meaning of investment company in section 3 of the Investment Company 
Act, whether or not the investment company is registered with the 
Commission.\30\ The definition also clarifies that the term includes a 
separate series of an investment company.
---------------------------------------------------------------------------

    \30\ 15 U.S.C. 80a-3. Thus, a business development company, 
which is an investment company but is not required to register with 
the Commission, would be subject to this part. See 15 U.S.C. 80a-
2(a)(48).
---------------------------------------------------------------------------

    (s) Nonaffiliated third party. Paragraph (1) of the proposed 
definition of ``nonaffiliated third party'' provides that the term 
means any person (which is defined in proposed section 248.3(u) and 
includes natural persons as well as legal entities such as 
corporations, partnerships, and trusts) except (i) an affiliate of a 
financial institution, and (ii) a joint employee of a financial 
institution and a third party. This paragraph is intended to be 
substantively the same as the definition used in section 509(5) of the 
G-L-B Act.
    (t) Nonpublic personal information. Section 509(4) of the G-L-B Act 
defines ``nonpublic personal information'' to mean ``personally 
identifiable financial information'' (which the Act does not define) 
that (i) is provided by a consumer to a financial institution, (ii) 
results from any transaction with the consumer or any service performed 
for the consumer, or (iii) is otherwise obtained by the financial 
institution. ``Nonpublic personal information'' also includes any list, 
description, or other grouping of consumers--and ``publicly available 
information'' pertaining to them--that is derived using any nonpublic 
personal information.
    The proposed rules implement this provision of the G-L-B Act by 
restating, in paragraph (1) of proposed section 248.3(t), the general 
categories of information described above. Paragraph (2) provides that 
``nonpublic personal information'' does not include publicly available 
information when the information is part of a list, description, or 
other grouping of consumers that is derived without using personally 
identifiable financial information.\31\ The definition also excludes 
any other publicly available information, unless the information is 
part of a list, description, or other grouping of consumers that is 
derived using

[[Page 12358]]

personally identifiable financial information.
---------------------------------------------------------------------------

    \31\ Nonpublic personal information does include publicly 
available information that is disclosed in a manner that otherwise 
indicates the individual is a financial institution's consumer. See 
proposed Sec. 248.3(t)(2)(i). We believe that, in most cases, 
sharing information (including publicly available information) about 
a consumer with a third party identifies the individual as the 
institution's consumer.
---------------------------------------------------------------------------

    We invite comment on whether the definition of ``nonpublic personal 
information'' should cover information about a consumer that contains 
no indicators of a consumer's identity. For example, if a broker 
provided aggregate information about its brokerage accounts (such as 
securities transaction information) to a nonaffiliated third party for 
the purpose of preparing market studies, should the broker, without 
giving notice or opportunity to opt out to the consumer, be permitted 
to do so if the information contains no personal identifiers?
    (v) Personally identifiable financial information. As discussed 
above, the G-L-B Act defines ``nonpublic personal information'' to 
include, among other things, ``personally identifiable financial 
information'' but does not define the latter term. As a general matter, 
the proposed rules treat any personally identifiable information as 
financial if the financial institution obtains the information in 
connection with providing a financial product or service to a consumer. 
We believe that this approach reasonably interprets the word 
``financial'' and creates a workable and clear standard for 
distinguishing information that is financial from other personal 
information. This interpretation would cover a broad range of personal 
information provided to a financial institution, including, for 
example, information about the consumer's health.
    The proposed rules define ``personally identifiable financial 
information'' to include three categories of information. The first 
category includes any information that a consumer provides a financial 
institution in order to obtain a financial product or service from the 
institution. As noted in the examples that follow the definition, this 
would include information provided when opening a brokerage account, 
entering into an investment advisory contract, or obtaining a margin 
loan or a financial plan. If, for example, a consumer provides medical 
information on an application to obtain a financial product or service 
(such as a variable life insurance contract offered by an insurance 
company separate account), that information would be considered 
``personally identifiable financial information'' for purposes of the 
proposed rules. Similarly, information that may be required for 
financial planning purposes, including details about retirement and 
family obligations, such as the care of a disabled child, would be 
covered by the definition.
    The second category includes any information about a consumer 
resulting from any transaction between the consumer and the financial 
institution involving a financial product or service. This would 
include, as noted in the examples following the definition, information 
about account balance, payment or overdraft history, credit or debit 
card purchases, securities positions, or financial products purchased 
or sold.
    The third category includes any financial information about a 
consumer otherwise obtained by the financial institution in connection 
with providing a financial product or service.
    This would include, for example, information obtained from a 
consumer report or from an outside source to verify information a 
consumer provides on an application to obtain a financial product or 
service. It would not, however, include information that is publicly 
available (unless, as previously noted, the information is part of a 
list of consumers that is derived using personally identifiable 
financial information).
    The examples clarify that the definition of ``personally 
identifiable financial information'' does not include a list of names 
and addresses of people who are customers of an entity that is not a 
financial institution. Thus, the names and addresses of people who 
subscribe, for instance, to a particular magazine would fall outside 
the definition. The Commission seeks comment on whether further 
definition of ``personally identifiable financial information'' would 
be helpful.
    (w) Publicly available information. The proposed rules define 
``publicly available information'' as information the financial 
institution reasonably believes is lawfully made available to members 
of the general public from three broad types of sources.\32\ First, it 
includes information from official public records, such as real estate 
recordations or security interest filings. Second, it includes 
information from widely distributed media, such as a telephone book, 
radio program, or newspaper. Third, it includes information from 
disclosures required to be made to the general public by federal, 
State, or local law, such as securities disclosure documents. The 
proposed rules state that information obtained over the Internet will 
be considered publicly available information if the information is 
obtainable from a site available to the general public without 
requiring a password or similar restriction. The Commission invites 
comment on what information is appropriately considered publicly 
available, particularly in the context of information available over 
the Internet.
---------------------------------------------------------------------------

    \32\ We recognize that some information that is available to the 
general public may have been published illegally. In some cases, 
such as a list of customer account numbers posted on a web site, the 
publication will be obviously unlawful. In other cases, the legality 
of the publication may be unclear or unresolved. The proposed rule 
would provide that information is ``publicly available'' if the 
institution reasonably believes that informaiton is lawfully 
available to the public.
---------------------------------------------------------------------------

    The proposed rules treat information as publicly available if it 
could be obtained from one of the public sources listed in the rules. 
If an institution reasonably believes the information is lawfully made 
available to the general public from one of the listed public sources, 
then the information will be considered publicly available and excluded 
from the scope of ``nonpublic personal information,'' whether or not 
the institution obtains it from a publicly available source (unless, as 
previously noted, it is part of a list of consumers that is derived 
using personally identifiable financial information). Under this 
approach, the fact that a consumer has given information to a financial 
institution would not automatically extend to that information the 
protections afforded to nonpublic personal information.
    The Commission invites comment on whether the proposed definition 
of ``publicly available information'' should treat information that is 
publicly available as nonpublic if the institution does not obtain the 
information from a listed public source (``alternative 
definition'').\33\ In many cases, the proposed definition and the 
alternative definition would result in the same treatment of 
information that may be publicly available. For example, under either 
definition, names and addresses that are publicly available would be 
treated as nonpublic personal information if they appear in a customer 
list. An institution that intends to share a customer list containing 
that information with nonaffiliated third parties would have to comply 
with the proposed rule's notice and opt out requirements. The 
alternative definition could, however, result in different notice and 
opt out requirements when an institution shares information available 
from public sources about individual customers. In that situation the 
proposed definition would not require the institution to comply with 
notice and opt out requirements as long

[[Page 12359]]

as the institution did not share the information in a manner that would 
indicate that the individual is or had been the institution's customer. 
The alternative definition, however, would require compliance with the 
notice and opt out requirements because the institution did not obtain 
the information from a public source.
---------------------------------------------------------------------------

    \33\ The Banking Agencies Proposal (other than the Federal 
Reserve Board, which proposed the same definition as the Commission) 
includes this alternative definition. See, e.g., Banking Agencies' 
Proposal, proposed Secs. 40.3(n)-(p), 573.3(n)-(p), Alternatives A 
and B.
---------------------------------------------------------------------------

    (q) You. The term ``you'' is used in order to make the rules easier 
to understand and use. The proposed definition refers to the entities 
within the Commission's jurisdiction under Title V. The term includes 
brokers, dealers, investment companies, and registered investment 
advisers.

Section 248.4  Initial Notice to Consumers of Privacy Policies and 
Practices Required

    Initial notice required. The G-L-B Act requires a financial 
institution to provide an initial notice of its privacy policies and 
practices in two circumstances. For customers, the notice must be 
provided at the time of establishing a customer relationship. For 
consumers who do not (or have not yet) become customers, the notice 
must be provided before disclosing nonpublic personal information about 
the consumer to a nonaffiliated third party.
    Paragraph (a) of proposed section 248.4 states the general rule 
regarding these notices. A financial institution must provide a clear 
and conspicuous \34\ notice that accurately reflects the institution's 
privacy policies and practices. Thus, a financial institution must 
maintain the protections that the notice represents the institution 
will provide. The Commission expects that brokers, dealers, investment 
companies, and registered investment advisers will take appropriate 
measures to adhere to their stated privacy policies and practices.
---------------------------------------------------------------------------

    \34\ See proposed Sec. 248.3(c).
---------------------------------------------------------------------------

    The proposed rules do not prohibit two or more institutions from 
providing a joint initial, annual, or opt out notice, as long as the 
notice is delivered in accordance with the rule and is accurate for all 
recipients. For example, institutions that could give a joint initial, 
annual, or opt out notice include: (i) An introducing broker and its 
clearing broker (that clears on a fully disclosed basis) and (ii) an 
investment company and a broker-dealer that distributes its shares. The 
rules also do not preclude an institution from establishing different 
privacy policies and practices for different categories of consumers, 
customers, or products, if each particular consumer or customer 
receives a notice that is accurate with respect to that individual.
    Notice to customers. The proposed rules require that a financial 
institution provide an individual a privacy notice prior to the time 
that it establishes a customer relationship. Thus, the notices may be 
provided at the same time a financial institution is required to give 
other notices, such as the requirement that credit terms in margin 
transactions be disclosed under Exchange Act rule 10b-16,\35\ or that 
customers be notified in writing of the existence of a carrying or 
clearing arrangement for accounts introduced on a fully disclosed basis 
to another broker, under rules applicable to members of the New York 
Stock Exchange and National Association of Securities Dealers.\36\ This 
approach is intended to strike a balance between (i) ensuring that 
consumers will receive privacy notices at a meaningful point when 
``establishing a customer relationship'' and (ii) minimizing 
unnecessary burdens on financial institutions that may result if a 
financial institution is required to provide a consumer with a series 
of notices at different times in a transaction. Nothing in the proposed 
rules is intended to discourage a financial institution from providing 
an individual with a privacy notice at an earlier point in the 
relationship if the institution wishes to do so in order to help the 
individual compare its privacy policies with those of other 
institutions before conducting transactions.
---------------------------------------------------------------------------

    \35\ 17 CFR 240.10b-16.
    \36\ See Rule 382 of the New York Stock Exchange, Inc. 
(``NYSE'') Operation of Member Organizations, NYSE Guide (CCH) 3639-
40 (1999); Rule 3230 of the National Association of Securities 
Dealers (``NASD'') Conduct Rules, NASD Manual (CCH) 4922 (1999).
---------------------------------------------------------------------------

    Paragraph (c) of proposed section 248.4 identifies the time a 
customer relationship is established as the point at which a financial 
institution and a consumer enter into a continuing relationship. The 
examples in paragraph (c) clarify that, for customer relationships that 
are contractual in nature (including, for example, investment advisory 
relationships), a customer relationship is established when the 
consumer enters into the contract (whether in writing or orally) that 
is necessary to conduct the transaction in question. Thus, a customer 
relationship is established with a broker-dealer when a consumer 
executes a securities trade through the broker-dealer or opens a 
brokerage account with the broker-dealer under its procedures.\37\ The 
examples further clarify that a consumer who opens an account with an 
introducing broker establishes a customer relationship with the 
introducing broker's clearing broker (that clears on a fully disclosed 
basis) at the same time. Similarly, when a consumer purchases 
investment company shares (in his or her own name) through a principal 
underwriter, the consumer establishes a customer relationship with the 
underwriter and the investment company. We request comment on whether 
there are different times at which customer relationships with brokers, 
dealers, investment companies, or investment advisers are established.
---------------------------------------------------------------------------

    \37\ As indicated in the examples under the definition of a 
customer relationship, we do not believe that a customer 
relationship exists when a broker-dealer executes a securities trade 
for a consumer as an accommodation or to liquidate securities on a 
one-time basis, i.e., when there is no expectation of further 
transactions.
---------------------------------------------------------------------------

    Notice to consumers. For consumers who do not establish a customer 
relationship, the initial notice may be provided at any point before 
the financial institution discloses nonpublic personal information to 
nonaffiliated third parties. As provided in paragraph (b) of the 
proposed rule, if the institution does not intend to disclose the 
information in question or intends to make only those disclosures that 
are authorized by one of the exceptions for, among other things, 
processing and servicing accounts or as required by law,\38\ the 
institution is not required to provide the initial notice.
---------------------------------------------------------------------------

    \38\ See proposed Secs. 248.10 and 248.11.
---------------------------------------------------------------------------

    How to provide notice. Paragraph (d) of proposed section 248.4 sets 
out the rules governing how financial institutions must provide the 
initial notices. The general rule requires that the initial notice be 
provided so that each recipient can reasonably be expected to receive 
actual notice. The Commission invites comment on who should receive a 
notice in situations in which there is more than one party to an 
account.
    The notice may be delivered in writing or, if the consumer agrees, 
electronically. Oral notices alone are insufficient. In the case of 
customers, the notice must be given in a way so that the customer may 
either retain it or access it at a later time.\39\
---------------------------------------------------------------------------

    \39\ The requirement that the notice be given in a manner 
permitting access at a later time does not preclude a financial 
institution from changing its privacy policy. See proposed 
Sec. 248.8(c). Rather the requirement is intended to provide that a 
customer will be able to access the most recently adopted privacy 
policy.
---------------------------------------------------------------------------

    Examples of acceptable ways to deliver the notice include hand-
delivering a copy of the notice, mailing a copy to the consumer's last 
known address, or sending it by electronic mail

[[Page 12360]]

to a consumer who obtains a financial product or service from the 
institution electronically. It would not be sufficient to provide only 
a posted copy of the notice in a lobby. Similarly, it would not be 
sufficient to provide the initial notice only on a Web page, unless the 
consumer is required to access that page to obtain the product or 
service in question. Electronic delivery generally should be in the 
form of electronic mail to ensure that a consumer actually receives the 
notice. In those circumstances in which a consumer is in the process of 
conducting a transaction over the Internet, electronic delivery also 
may include posting the notice on a Web page as described above. If a 
financial institution and consumer enter into a contract for a 
financial product or service over the telephone, the institution may 
provide the consumer with the option of receiving the initial notice 
after providing the product or service in order not to delay the 
transaction. We invite comment on the regulatory burden of providing 
the initial notices and on the methods financial institutions 
anticipate using to provide the notices. We also request comment on 
whether there are additional circumstances in which an institution 
should be permitted to provide notices within a reasonable time after 
the customer relationship is established.

Section 248.5  Annual Notice to Customers Required

    Section 503 of the G-L-B Act requires a financial institution to 
provide notices of its privacy policies and practices at least annually 
to its customers. The proposed rules implement this requirement by 
requiring a clear and conspicuous notice that accurately reflects the 
current privacy policies and practices to be provided at least once 
during any period of twelve consecutive months. The rules governing how 
to provide an initial notice also apply to annual notices.
    Section 503(a) of the G-L-B Act requires that the annual notices be 
provided ``during the continuation'' of a customer relationship. To 
implement this requirement, the proposed rules state that a financial 
institution is not required to provide annual notices to a customer 
with whom it no longer has a continuing relationship.\40\ The examples 
that follow this general rule provide guidance on when there no longer 
is a continuing relationship for purposes of the rules.
---------------------------------------------------------------------------

    \40\ Proposed Sec. 248.5(c).
---------------------------------------------------------------------------

    These include, for instance, a brokerage account that has been 
closed or an investment advisory contract that has been terminated. In 
addition, an investment company shareholder who has redeemed all of his 
or her shares or is determined to be a lost securityholder under rule 
17a-24 under the Exchange Act would no longer be considered to be a 
customer of the investment company.\41\
---------------------------------------------------------------------------

    \41\ 17 CFR 240.17a-24. This rule requires recordkeeping 
transfer agents to file reports with the Commission on lost 
securityholder accounts. A ``lost securityholder'' is a 
securityholder to whom correspondence has been sent at the address 
contained in the transfer agent's master securityholder file, that 
has been returned as undeliverable and for whom the transfer agent 
has not received information regarding a new address. 17 CFR 
240.17a-24(b). The definition permits the transfer agent to deem the 
securityholder lost as of the date the item has been returned as 
undeliverable after having been re-sent.
---------------------------------------------------------------------------

    The Commission invites comment generally on whether the examples 
provided in proposed section 248.5 are adequate and whether there are 
other situations in which an individual may have an account with an 
institution but the customer relationship has ended. We also invite 
comment on the regulatory burden of providing the annual notices and on 
the methods financial institutions anticipate using to provide the 
notices.

Section 248.6  Information To Be Included in Initial and Annual Notices 
of Privacy Policies and Practices

    Section 503 of the G-L-B Act identifies the items of information 
that must be included in a financial institution's initial and annual 
notices. Section 503(a) of the G-L-B Act establishes the general 
requirement that a financial institution must provide customers with a 
notice describing the institution's policies and practices with respect 
to, among other things, disclosing nonpublic personal information to 
affiliates and nonaffiliated third parties. Section 503(b) of the Act 
identifies certain elements that the notice must address.
    The required content is the same for both the initial and annual 
notices of privacy policies and practices. While the information 
contained in the notices must be accurate as of the time the notices 
are provided, a financial institution may prepare its notices based on 
current and anticipated policies and practices.
    The information to be included is as follows:
    1. Categories of nonpublic personal information that a financial 
institution may collect. Section 503(b)(2) requires a financial 
institution to inform its customers about the categories of nonpublic 
personal information that the institution collects. The proposed rules 
implement this requirement in section 248.6(a)(1) and provide an 
example of how to comply with this requirement that focuses the notice 
on the source of the information collected. As noted in the example, a 
financial institution will satisfy this requirement if it categorizes 
the information according to the sources, such as application 
information, transaction information, and consumer report information. 
Financial institutions may provide more detail about the categories of 
information collected but are not required to do so.
    2. Categories of nonpublic personal information that a financial 
institution may disclose. Section 503(a)(1) of the G-L-B Act requires 
the financial institution's initial and annual notice to provide 
information about the categories of nonpublic personal information that 
may be disclosed either to affiliates or nonaffiliated third parties. 
The proposed rules implement this requirement in proposed section 
248.6(a)(2). The examples of how to comply with this rule focus on the 
content of information to be disclosed. A financial institution may 
satisfy this requirement by categorizing information according to 
source and providing examples of the content of the information. These 
categories might include application information (such as assets, 
income, investment goals, and investment risk tolerance), identifying 
information (such as name, address, and social security number), 
transaction information (such as information about account activity, 
account balances, securities positions, and securities purchases and 
sales), and information from consumer reports (such as credit history).
    Financial institutions may choose to provide more detailed 
information in the initial and annual notices. Conversely, if a 
financial institution does not disclose, and does not intend to 
disclose, nonpublic personal information to affiliates or nonaffiliated 
third parties, its initial and annual notices may simply state this 
fact without further elaboration about categories of information 
disclosed.
    3. Categories of affiliates and nonaffiliated third parties to whom 
a financial institution discloses nonpublic personal information. As 
previously noted, section 503(a) of the G-L-B Act includes a general 
requirement that a financial institution provide a notice to its 
customers of the institution's policies and practices with respect to 
disclosing nonpublic personal information to affiliates and 
nonaffiliated third parties. Section 503(b) states that the notice

[[Page 12361]]

required by section 503(a) must include certain specified items. Among 
those is the requirement, set out in section 503(b)(1), that a 
financial institution inform its customers about its policies and 
practices with respect to disclosing nonpublic personal information to 
nonaffiliated third parties. We believe that sections 503(a) and 503(b) 
of the G-L-B Act require a financial institution's notice to address 
disclosures of nonpublic personal information to both affiliates and 
nonaffiliated third parties.
    The proposed rules implement this notice requirement in section 
248.6(a)(3). The example states that a financial institution will 
adequately categorize the affiliates and nonaffiliated third parties to 
whom it discloses nonpublic personal information about consumers if it 
identifies the types of businesses in which they engage. Types of 
businesses may be described by general terms, such as financial 
products or services, if the financial institution provides examples of 
the significant lines of businesses of the recipient, such as retail 
banking, mortgage lending, life insurance, or securities brokerage.
    The G-L-B Act does not require a financial institution to list the 
categories of persons to whom information may be disclosed under any of 
the exceptions set out in proposed sections 248.10 and 248.11. The 
proposed rules state that a financial institution is required only to 
inform consumers that it makes disclosures as permitted by law to 
nonaffiliated third parties in addition to those described in the 
notice. We invite comment on whether such a notice would be adequate.
    If a financial institution does not disclose, and does not intend 
to disclose, nonpublic personal information to affiliates or 
nonaffiliated third parties, its initial and annual notices may simply 
state this fact without further elaboration about categories of third 
parties.
    4. Information about former customers. Section 503(a)(2) of the G-
L-B Act requires the financial institution's initial and annual privacy 
notices to include the institution's policies and practices with 
respect to disclosing nonpublic personal information of persons who 
have ceased to be customers of the institution. Section 503(b)(1)(B) 
requires that this information be provided with respect to information 
disclosed to nonaffiliated third parties.
    We have concluded that sections 503(a)(2) and 503(b)(1)(B) require 
a financial institution to include in the initial and annual notices 
the institution's policies and practices with respect to sharing 
information about former customers with all affiliates and 
nonaffiliated third parties. This requirement is set out in the 
proposed rules at section 248.6(a)(4). This provision does not require 
a financial institution to provide a notice to a former customer before 
sharing nonpublic personal information about that former customer with 
an affiliate.\42\
---------------------------------------------------------------------------

    \42\ An institution that intends to share nonpublic personal 
information about a former customer with a nonaffiliated third party 
would be required to provide the customer with notice and 
opportunity to opt out before sharing the information with the third 
party.
---------------------------------------------------------------------------

    5. Information disclosed to service providers. Section 502(b)(2) of 
the G-L-B Act permits a financial institution to disclose nonpublic 
personal information about a consumer to a nonaffiliated third party 
for the purpose of the third party performing services for the 
institution, including marketing financial products or services under a 
joint agreement between the financial institution and at least one 
other financial institution. In this case, a consumer has no right to 
opt out, but the financial institution must inform the consumer that it 
will be disclosing the information in question unless the service falls 
within one of the exceptions listed in section 502(e) of the Act.
    The proposed rules implement these provisions, in section 
248.6(a)(5), by requiring that, if a financial institution discloses 
nonpublic personal information to a nonaffiliated third party under the 
exception for service providers and joint marketing, the institution is 
to include in the initial and annual notices a separate description of 
the categories of information that are disclosed and the categories of 
third parties providing the services. A financial institution may 
comply with these requirements by providing the same level of detail in 
the notice as is required to satisfy proposed sections 248.6(a)(2) and 
(3).
    6. Right to opt out. As previously noted, sections 503(a)(1) and 
503(b)(1) of the G-L-B Act require a financial institution to provide 
customers with a notice of its privacy policies and practices 
concerning, among other things, disclosing nonpublic personal 
information consistent with section 502 of the Act. Proposed rule 
248.6(a)(6) implements this section by requiring the initial and annual 
notices to explain the right to opt out of disclosures of nonpublic 
personal information to nonaffiliated third parties, including the 
methods available to exercise that right.
    7. Disclosures made under the FCRA. Section 503(b)(4) of the G-L-B 
Act requires a financial institution's initial and annual notice to 
include the disclosures required, if any, under section 
603(d)(2)(A)(iii) of the Fair Credit Reporting Act (``FCRA'').\43\ 
Section 603(d)(2)(A)(iii) excludes from the definition of ``consumer 
report'' (and, therefore, the protections provided under the FCRA for 
information contained in those reports) the communication of certain 
consumer information among affiliated entities if the consumer is 
notified about the disclosure of that information and given an 
opportunity to opt out of the information sharing. The information that 
can be shared among affiliates under this provision includes, for 
instance, information from consumer reports and applications for 
financial products or services. In general, this information represents 
personal information provided directly by the consumer to the 
institution, such as income and social security number, in addition to 
information contained within credit bureau reports.
---------------------------------------------------------------------------

    \43\ 15 U.S.C. 1681a(d)(2)(A)(iii).
---------------------------------------------------------------------------

    The proposed rules implement section 503(b)(4) of the G-L-B Act by 
including the requirement that a financial institution's initial and 
annual notice include any disclosures a financial institution makes 
under section 603(d)(2)(A)(iii) of the FCRA.\44\
---------------------------------------------------------------------------

    \44\ See proposed Sec. 248.6(a)(7).
---------------------------------------------------------------------------

    8. Confidentiality, security, and integrity. Section 503(a)(3) of 
the G-L-B Act requires the initial and annual notices to provide 
information about a financial institution's policies and practices with 
respect to protecting the nonpublic personal information of consumers. 
Section 503(b)(3) of the Act requires the notices to include the 
policies that the institution maintains to protect the confidentiality 
and security of nonpublic personal information, in accordance with 
section 501 (which requires the Commission to establish standards 
governing the administrative, technical, and physical safeguards of 
customer information).
    The proposed rules implement these provisions by requiring a 
financial institution to include in the initial and annual notices the 
institution's policies and practices with respect to protecting the 
confidentiality, security, and integrity of nonpublic personal 
information.\45\ The example in the proposed rules states that a 
financial institution may comply with the requirement as it concerns 
confidentiality and security if the institution explains matters such 
as who has access to the information and the

[[Page 12362]]

circumstances under which the information may be accessed. The 
information about integrity should focus on the measures the 
institution takes to protect against reasonably anticipated threats or 
hazards. The proposed rules do not require a financial institution to 
provide technical or proprietary information about how it safeguards 
consumer information.\46\
---------------------------------------------------------------------------

    \45\ See proposed Sec. 248.6(a)(8).
    \46\ The proposed rules require brokers, dealers, investment 
companies, and registered investment advisers to adopt policies and 
procedures relating to administrative, technical, and physical 
safeguards (see proposed Sec. 248.30).
---------------------------------------------------------------------------

Section 248.7  Limitation on Disclosure of Nonpublic Personal 
Information About Consumers to Nonaffiliated Third Parties

    Section 502(a) of the G-L-B Act generally prohibits a financial 
institution from sharing nonpublic personal information about a 
consumer with a nonaffiliated third party unless the institution 
provides the consumer with a notice of the institution's privacy 
policies and practices. Section 502(b) further requires that the 
financial institution provide the consumer with a clear and conspicuous 
notice that the consumer's nonpublic personal information may be 
disclosed to nonaffiliated third parties, that the consumer be given an 
opportunity to opt out of that disclosure, and that the consumer be 
informed of how to opt out.
    Section 248.7 of the proposed rules implements these provisions. 
Paragraph (a)(1) of section 248.7 sets out the criteria that a 
financial institution must satisfy before disclosing nonpublic personal 
information to nonaffiliated third parties. As stated in the text of 
the proposed rules, these criteria apply to direct and indirect 
disclosures through an affiliate. We invite comment on how the right to 
opt out should apply in the case of joint accounts. Should, for 
instance, a financial institution require all parties to an account to 
opt out before the opt out becomes effective? If not and only one of 
the parties opts out, should the opt out apply only to information 
about the party opting out or should it apply to information about all 
parties to the account? We also request comment on how the opt out 
right should apply to an investment adviser who manages a trust account 
on behalf of multiple beneficiaries.
    Paragraph (a)(2) defines ``opt out'' in a way that incorporates the 
exceptions to the right to opt out stated in proposed sections 248.9, 
248.10, and 248.11, which permit disclosures of nonpublic personal 
information to nonaffiliated third parties without first providing the 
initial privacy notice and giving the consumer the right to opt out.
    The proposed rules implement the requirement that a consumer be 
given an opportunity to opt out before information is disclosed by 
requiring that the opportunity be reasonable. The examples that follow 
the general rule provide guidance in situations involving notices that 
are mailed and notices that are provided in connection with isolated 
transactions. In the former case, a consumer will be considered to have 
a reasonable opportunity to opt out if the financial institution 
provides 30 days in which to opt out. In the latter case, an 
opportunity will be reasonable if the consumer must decide as part of 
the transaction whether to opt out before completing the transaction. 
We invite comment on whether 30 days is a reasonable opportunity to opt 
out in the case of notices sent by mail, and on whether an example in 
the context of transactions conducted using an electronic medium would 
be helpful.
    The requirement that a consumer have a reasonable opportunity to 
opt out does not mean that a consumer forfeits that right once the 
opportunity lapses. The consumer always has the right to opt out (as 
discussed further in proposed section 248.8, below). However, if an 
individual does not exercise that opt out right when first presented 
with an opportunity, the financial institution would be permitted to 
disclose nonpublic personal information to nonaffiliated third parties 
during the period of time before it implements the consumer's opt out 
direction.
    Paragraph (b) of proposed section 248.7 clarifies that the right to 
opt out applies regardless of whether a consumer has established a 
customer relationship with a financial institution. As noted above, all 
customers are consumers under the proposed rules. Thus, the fact that a 
consumer establishes a customer relationship with a financial 
institution does not change the institution's obligations to comply 
with the requirements of proposed section 248.7(a) before sharing 
nonpublic personal information about that consumer with nonaffiliated 
third parties. This also applies in the context of a consumer who had a 
customer relationship with a financial institution but then terminated 
that relationship. Paragraph (b) also clarifies that the consumer 
protections afforded by paragraph (a) of proposed section 248.7 apply 
to all nonpublic personal information collected by a financial 
institution, regardless of when collected. Thus, if a consumer elects 
to opt out of information sharing with nonaffiliated third parties, 
that election applies to all nonpublic personal information about that 
consumer in the financial institution's possession, regardless of when 
the information is obtained.
    Paragraph (c) of proposed section 248.7 states that a financial 
institution may, but is not required to, provide consumers with the 
option of a partial opt out in addition to the opt out required by this 
section. This could enable a consumer to limit, for instance, the types 
of information disclosed to nonaffiliated third parties or the types of 
recipients of the nonpublic personal information about that consumer. 
If the partial opt out option is provided, a financial institution must 
state this option in a way that clearly informs the consumer about the 
choices available and the resulting consequences.

Section 248.8  Form and Method of Providing Opt Out Notice to Consumers

    Paragraph (a) of proposed section 248.8 requires that any opt out 
notice provided by a financial institution pursuant to proposed section 
248.7 be clear and conspicuous, and accurately explain the right to opt 
out. The notice must inform the consumer that the institution may 
disclose nonpublic personal information to nonaffiliated third parties, 
state that the consumer has a right to opt out, and provide the 
consumer with a reasonable means by which to opt out.
    The examples that follow the general rule state that a financial 
institution will adequately provide notice of the right to opt out if 
it identifies the categories of information that may be disclosed and 
the categories of nonaffiliated third parties to whom the information 
may be disclosed and explains that the consumer may opt out of those 
disclosures. A financial institution that plans to disclose only 
limited types of information or to only a specific type of 
nonaffiliated third party may provide a correspondingly narrow notice 
to consumers. However, to minimize the number of opt out notices a 
financial institution must provide, the institution may wish to base 
its notices on current and anticipated information sharing plans. A new 
opt out notice is not required for disclosures to different types of 
nonaffiliated third parties or of different types of information, 
provided that the most recent opt out notice is sufficiently broad to 
cover the entities or information in question. A financial institution 
also need not provide subsequent opt out notices when a consumer 
establishes a new type of customer relationship with that financial 
institution, unless the

[[Page 12363]]

institution's opt out policies differ based on the type of customer 
relationship.
    The examples suggest several ways in which a financial institution 
may provide reasonable means to opt out, including check-off boxes, 
reply forms, and electronic mail addresses. A financial institution 
does not provide a reasonable means to opt out if the only means 
provided is for consumers to send their own letters to the institution 
to exercise their right, although an institution may honor such a 
letter if received. We also invite comment on whether a financial 
institution that provides its notice electronically also should be 
required to provide an electronic means to opt out.
    Paragraph (b) applies the same rules to delivery of the opt out 
notice that apply to delivery of the initial and annual notices. In 
addition, paragraph (b) clarifies that the opt out notice may be 
provided together with, or on the same form as, the initial and annual 
notices. However, if the opt out notice is provided after the initial 
notice, a financial institution must provide a copy of the initial 
notice along with the opt out notice. If a financial institution and 
consumer orally agree to enter into a customer relationship, the 
institution may provide the opt out notice within a reasonable time 
thereafter if the consumer agrees. We invite comment on whether the 
rules should specify the time by which the notice must be given.
    Paragraph (c) sets out the rules governing a financial 
institution's obligations in the event the institution changes its 
disclosure policies. As stated in that paragraph, a financial 
institution may not disclose nonpublic personal information to a 
nonaffiliated third party unless the institution first provides a 
revised notice and new opportunity to opt out. The institution must 
wait a reasonable period of time before disclosing information 
according to the terms of the revised notice in order to afford the 
consumer a reasonable opportunity to opt out. A financial institution 
must provide a consumer the revised notice of its policies and 
practices and opt out notice by using the means permitted for providing 
the initial notice and opt out notice to that consumer under section 
248.4(d) and section 248.8(b), respectively, which require that the 
notices be given in a manner so that each consumer can reasonably be 
expected to receive actual notice in writing or, if the consumer 
agrees, in electronic form.
    Paragraph (d) states that a consumer has the right to opt out at 
any time. We considered whether to include a time limit by which 
financial institutions must effectuate a consumer's opt out, but 
decided that the wide variety of practices of financial institutions 
made one limit inappropriate. Instead, the proposed rules require a 
financial institution to stop sharing information as soon as reasonably 
practicable. We request comment on whether the rules should specify a 
time within which an institution must stop sharing information, and if 
so, what the time period should be.
    Paragraph (e) states that an opt out will continue until a consumer 
revokes it. The rules require that such revocation be in writing, or, 
if the consumer has agreed, electronically.
    We invite comment on the likely burden of complying with the 
requirement to provide opt out notices, the methods financial 
institutions anticipate using to deliver the opt out notices, and the 
approximate number of opt out notices they expect to deliver and 
process.

Section 248.9  Exception To Opt Out Requirements for Service Providers 
and Joint Marketing

    Section 502(b)(2) of the G-L-B Act creates an exception to the opt 
out rules for the disclosure of information to a nonaffiliated third 
party for its use to perform services for, or functions on behalf of, 
the financial institution, including the marketing of the financial 
institution's own products or services or financial products or 
services offered under a joint agreement between two or more financial 
institutions. A consumer will not have the right to opt out of 
disclosing nonpublic personal information about the consumer to 
nonaffiliated third parties under these circumstances, if the financial 
institution satisfies certain requirements.
    First, the institution must, as stated in section 502(b)(2), 
``fully disclose'' to the consumer that it will provide this 
information to the nonaffiliated third party before the information is 
shared. This disclosure could appear in the initial notice required by 
section 248.4. We invite comment on whether the proposed rules 
appropriately implement the ``fully disclose'' requirement in section 
502(b)(2).
    Second, the financial institution must enter into a contract with 
the third party that requires the third party to maintain the 
confidentiality of the information. This contract should be designed to 
ensure that the third party (a) will maintain the confidentiality of 
the information at least to the same extent as is required for the 
financial institution that discloses it, and (b) will use the 
information solely for the purposes for which the information is 
disclosed or as otherwise permitted by sections 248.10 and 248.11 of 
the proposed rules.
    The G-L-B Act allows the Commission to impose requirements on the 
disclosure of information under the exception for service providers 
beyond those imposed in the statute. We have not done so in the 
proposed rules, but invite comment on whether additional requirements 
should be imposed, and, if so, what those requirements should address. 
We also invite comments on any other requirements that would be 
appropriate to protect a consumer's financial privacy, and on whether 
the rules should provide examples of the types of joint agreements that 
are covered.

Section 248.10  Exceptions for Processing and Servicing Transactions

    Section 502(e) of the G-L-B Act creates exceptions to the 
requirements that apply to the disclosure of nonpublic personal 
information to nonaffiliated third parties. Paragraph (1) of that 
section sets out certain exceptions for disclosures made, generally 
speaking, in connection with the administration, processing, servicing, 
and sale of a consumer's account.
    Paragraph (a) of proposed section 248.10 sets out those exceptions, 
making only stylistic changes to the statutory text that are intended 
to make the exceptions easier to read. Paragraph (b) sets out the 
definition of ``necessary to effect, administer, or enforce'' that is 
contained in section 509(7) of the G-L-B Act, making only stylistic 
changes intended to clarify the definition.
    The exceptions set out in proposed section 248.10, and the 
exceptions discussed in proposed section 248.11, below, do not affect a 
financial institution's obligation to provide initial notices of its 
privacy policies and practices prior to the time it establishes a 
customer relationship and annual notices thereafter. Those notices must 
be provided to all customers, even if the institution intends to 
disclose the nonpublic personal information only under the exceptions 
in proposed section 248.10.

Section 248.11  Other Exceptions To Opt Out Requirements

    As noted above, section 502(e) of the G-L-B Act contains several 
exceptions to the requirements that otherwise would apply to the 
disclosures of nonpublic personal information to nonaffiliated third 
parties. Proposed section 248.11 sets out those exceptions that are not 
made in connection with

[[Page 12364]]

the administration, processing, servicing, or sale of a consumer's 
account, and makes stylistic changes intended to clarify the 
exceptions.
    One of the exceptions stated in proposed section 248.11 is for 
disclosures made with the consent or at the direction of the consumer, 
provided the consumer has not revoked the consent. Following the list 
of exceptions is an example of consent in which a consumer consents to 
having a broker or investment adviser confirm the amount of assets in 
the customer's account to a nonaffiliated mortgage lender so that the 
lender can evaluate the customer's application for a loan. Consent in 
such a situation would enable the financial institution to make the 
disclosure to the third party without first providing the initial 
notice required by section 248.4 or the opt out notice required by 
section 248.7, but the disclosure must not exceed the purposes for 
which consent was given. The example also states that a consumer may 
revoke consent at any time by exercising the right to opt out of future 
disclosures. We invite comment on whether safeguards should be added to 
the exception for consent in order to minimize the potential for 
consumer confusion. Such safeguards might include, for instance, a 
requirement that consent be written or that it be indicated on a 
separate line in a relevant document or on a distinct Web page.

Section 248.12  Limits on Redisclosure and Reuse of Information

    Section 248.12 of the proposed rules implements the Act's 
limitations on redisclosure and reuse of nonpublic personal information 
about consumers. Section 502(c) of the Act provides that a 
nonaffiliated third party that receives nonpublic personal information 
from a financial institution shall not, directly or indirectly through 
an affiliate, disclose the information to any person that is not 
affiliated with either the financial institution or the third party, 
unless the disclosure would be lawful if made directly by the financial 
institution. Paragraph (a)(1) sets out the Act's redisclosure 
limitation as it applies to a financial institution that receives 
information from another nonaffiliated financial institution. Paragraph 
(b)(1) mirrors the provisions of paragraph (a)(1), but applies the 
redisclosure limits to any nonaffiliated third party that receives 
nonpublic personal information from a financial institution.
    The Act appears to place the institution that receives the 
information into the shoes of the institution that disclosed the 
information for purposes of determining whether redisclosures by the 
receiving institution are ``lawful.'' Thus, the Act appears to permit 
the receiving institution to redisclose the information to (i) an 
entity to whom the original transferring institution could disclose the 
information pursuant to one of the exceptions in section 248.9, 248.10, 
or 248.11, or (ii) an entity to whom the original transferring 
institution could have disclosed the information as described under its 
notice of privacy policies and practices, unless the consumer has 
exercised the right to opt out of that disclosure. Because a consumer 
can exercise the right to opt out of a disclosure at any time, the Act 
may effectively preclude third parties that receive information to 
which the opt out right applies from redisclosing the information, 
except under one of the exceptions in section 248.9, 248.10, or 248.11. 
We invite comment on whether the rules should require a financial 
institution that discloses nonpublic personal information to a 
nonaffiliated third party to develop policies and procedures to ensure 
that the third party complies with the limits on redisclosure of that 
information.
    Sections 502(b)(2) and 502(e) (as implemented by sections 248.9, 
248.10, and 248.11 of the proposed rules) describe when a financial 
institution may disclose nonpublic personal information without 
providing the consumer with the initial privacy notice and an 
opportunity to opt out, but those exceptions apply only when the 
information is used for the specific purposes set out in those 
sections. Paragraph (a)(2) of proposed section 248.12 clarifies this 
limitation on reuse as it applies to financial institutions. Paragraph 
(a)(2) provides that a financial institution may use nonpublic personal 
information about a consumer that it receives from a nonaffiliated 
financial institution in accordance with an exception under section 
248.9, 248.10, or 248.11 only for the purpose of that exception. 
Paragraph (b)(2) applies the same limits on reuse to any nonaffiliated 
third party that receives nonpublic personal information from a 
financial institution. The example in (b)(3) clarifies that a 
nonaffiliated transfer agent who receives nonpublic personal 
information from a financial institution may not directly or indirectly 
disclose the information to a nonaffiliated third party of the 
institution and the transfer agent unless the institution could 
lawfully share the information with that party.
    We invite comments on the meaning of the word ``lawful'' as that 
term is used in section 502(c). We specifically solicit comment on 
whether it would be lawful for a nonaffiliated third party to disclose 
information under the exception provided in proposed section 248.9 of 
the rules. Under that exception, a financial institution must comply 
with certain requirements before disclosing information to a 
nonaffiliated third party. Given that the statute and proposed rules 
impose those requirements on the financial institution that makes the 
initial disclosure, we invite comment on whether subsequent disclosures 
by the third party could satisfy the requirement that those disclosures 
be lawful when the financial institution is not party to the subsequent 
disclosure.

Section 248.13  Limits on Sharing of Account Number Information for 
Marketing Purposes

    Section 502(d) of the G-L-B Act prohibits a financial institution 
from disclosing, other than to a consumer reporting agency, account 
numbers or similar forms of access numbers or access codes for a credit 
card account, deposit account, or transaction account of a consumer to 
any nonaffiliated third party for use in telemarketing, direct mail 
marketing, or marketing through electronic mail to the consumer. 
Proposed section 248.13 applies this statutory prohibition to 
disclosures made directly or indirectly by a financial institution.
    We note that there is no exception in Title V to the flat 
prohibition established by section 502(d). The conference report for 
the G-L-B Act encourages the Commission (and the Agencies) to adopt an 
exception to section 502(d) to permit disclosures of account numbers in 
limited circumstances. It states:

    In exercising their authority under section 504(b) [which vests 
the Agencies with authority to grant exceptions to section 502(a)-
(d) beyond those set out in the statute], the agencies and 
authorities described in section 504(a)(1) may consider it 
consistent with the purposes of this subtitle to permit the 
disclosure of customer account numbers or similar forms of access 
numbers or access codes in an encrypted, scrambled, or similarly 
coded form, where the disclosure is expressly authorized by the 
customer and is necessary to service or process a transaction 
expressly requested or authorized by the customer. \47\
---------------------------------------------------------------------------

    \47\ H. Rep. No. 434, 106th Cong., 1st Sess. at 173 (1999).

    We have not proposed an exception to the prohibition of section 
502(d) because of the risks associated with third parties' direct 
access to a consumer's account. We seek comment

[[Page 12365]]

on whether an exception to the section 502(d) prohibition that permits 
third parties access to account numbers is appropriate, the 
circumstances under which an exception would be appropriate, and how 
such an exception should be formulated to provide consumers with 
adequate protection. In addition, we invite comment on whether a 
consumer ought to be able to consent to the disclosure of his or her 
account number, notwithstanding the general prohibition in section 
502(d) and, if so, what standards should apply. We also seek comment on 
whether section 502(d) prohibits the disclosure by a financial 
institution to a marketing firm of encrypted account numbers if the 
financial institution does not provide the marketer the key to decrypt 
the number.

Section 248.14  Protection of Fair Credit Reporting Act

    Paragraph (c) of section 506 states that, except for the amendments 
noted regarding rulemaking authority, nothing in Title V is to be 
construed to modify, limit, or supersede the operation of the FCRA, and 
no inference is to be drawn on the basis of the provisions of Title V 
whether information is transaction or experience information under 
section 603 of the FCRA. Proposed section 248.14 implements section 
506(c) of the G-L-B Act by restating the statute, making only minor 
clarifying changes.

Section 248.15  Relation to State Laws

    Section 507 of the G-L-B Act provides that Title V does not preempt 
any State law that provides greater protections than are provided by 
Title V. Determinations of whether a State law or Title V provides 
greater protections are to be made by the Federal Trade Commission 
(``FTC'') after consultation with the agency that regulates either the 
party filing a complaint or the financial institution about whom the 
complaint was filed. Determinations of whether State or Federal law 
afford greater protections may be initiated by any interested party or 
on the FTC's own motion.
    Proposed section 248.15 is substantively identical to section 507, 
noting that the proposed rules (like the statute) do not preempt State 
laws that provide greater protection for consumers than does the 
regulation.

Section 248.16  Effective Date; Transition Rule

    Section 510 of the G-L-B Act states that, as a general rule, the 
relevant provisions of Title V take effect six months after the date on 
which rules are required to be prescribed. However, section 510(1) 
authorizes the Commission (and the Agencies) to prescribe a later date 
in the rules enacted pursuant to section 504.
    Proposed section 248.16(a) provides an effective date of November 
13, 2000. This provision is premised on adoption of a final rule within 
the time frame prescribed by section 504(a)(3). We intend to provide at 
least six months after the adoption of a final rule for financial 
institutions to bring their policies and procedures into compliance 
with the requirements of the final rule. We invite comment on whether 
six months after adoption of final rules is sufficient to enable 
financial institutions to comply with the rules.
    Proposed section 248.16(b) provides a transition rule for consumers 
who were customers as of the effective date of the rules. Since those 
customer relationships already will have been established as of the 
rules' effective date (thereby making it inappropriate to require a 
financial institution to provide those customers with a copy of the 
institution's initial notice at the time of establishing a customer 
relationship), the rules require instead that the initial notice be 
provided within 30 days of the effective date. We invite comment on 
whether 30 days is enough time to permit a financial institution to 
deliver the required notices, bearing in mind that the G-L-B Act 
contemplates at least a six-month delayed effective date from the date 
the rules are adopted.
    If a financial institution intends to disclose nonpublic personal 
information about someone who was a consumer before the effective date, 
the institution must provide the notices required by sections 248.4 and 
248.7 and provide a reasonable opportunity to opt out before the 
effective date. If, in this instance, the institution already is 
disclosing information about such a consumer, it may continue to do so 
without interruption until the consumer opts out, in which case the 
institution must stop sharing nonpublic personal information about that 
consumer with nonaffiliated third parties as soon as reasonably 
practicable. We request comment on whether the proposed rule should 
specify a time within which the institution must stop sharing 
information, and if so, what the time period should be.

Section 248.30  Procedures To Safeguard Customer Information and 
Records

    Section 501 of the G-L-B Act directs the Commission (and the 
Agencies) to establish appropriate standards for financial institutions 
relating to administrative, technical and physical safeguards to 
protect customer records and information. Proposed section 248.30 
implements this section by requiring every broker, dealer, investment 
company, and registered investment adviser to adopt policies and 
procedures to address the safeguards described above. Consistent with 
the Act, the proposed rule further requires that the policies and 
procedures be reasonably designed to: (i) Insure the security and 
confidentiality of customer records and information; (ii) protect 
against any anticipated threats or hazards to the security or integrity 
of customer records and information; and (iii) protect against 
unauthorized access to or use of customer records or information that 
could result in substantial harm or inconvenience to any customer.
    We have not prescribed specific policies or procedures that 
financial institutions must adopt. Rather, we believe it more 
appropriate for each institution to tailor its policies and procedures 
to its own systems of information gathering and transfer and the needs 
of its customers. We request comment on whether the proposed standards 
should be more specific, and if so, what specifications would be 
appropriate for particular financial institutions.

III. General Request for Comments

    The Commission requests comment on the proposed rules and 
suggestions for additional examples that may be appropriate to include 
in the rules. We also solicit comment on whether the inclusion of 
examples in this part is appropriate. Are there alternative methods to 
offer guidance of the concepts furnished by the examples?
    For purposes of the Small Business Regulatory Enforcement Fairness 
Act of 1996,\48\ we also request information regarding the potential 
effect of the proposals on the U.S. economy on an annual basis. 
Commenters are requested to provide empirical data to support their 
views.
---------------------------------------------------------------------------

    \48\ Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996).
---------------------------------------------------------------------------

    The Commission strives to draft its rules according to principles 
outlined in its Plain English Handbook.\49\ We invite your comments on 
how to make the proposed rule more consistent with those principles and 
easier to understand.
---------------------------------------------------------------------------

    \49\ Office of Investor Education and Assistance, U.S. 
Securities and Exchange Commission, A Plain English Handbook (1998) 
(available on the Commission's web site at http://www.sec.gov>).

---------------------------------------------------------------------------

[[Page 12366]]

IV. Cost-Benefit Analysis

    The Commission is sensitive to the costs and benefits that result 
from its rules and understands that the proposed rules may impose costs 
on brokers, dealers, investment companies, and registered investment 
advisers. Nevertheless, the proposed rules implement the privacy 
provisions of Title V and, we believe, impose no costs in addition to 
those that would result from compliance with the G-L-B Act.
    We believe that the proposed requirements to provide opt out 
notices and to protect customer information will benefit consumers and 
customers by protecting the privacy of their nonpublic personal 
information. In addition, the proposed requirements to provide initial 
and annual notices will allow customers to compare the privacy policies 
of financial institutions.
    We also believe that the proposed rules will provide greater 
certainty to the private sector on how to comply with the G-L-B Act 
because they are consistent with and comparable to the rules proposed 
by the Agencies. The examples in the proposed rules also should provide 
guidance on how the rules will be enforced with respect to brokers, 
dealers, investment companies, and registered investment advisers. 
Finally, in order to reduce compliance burdens, the proposed rules 
would allow financial institutions flexibility to distribute notices 
and to adopt policies and procedures to protect customer information 
that are best suited to the institution's business and needs.
    We estimate that approximately 5500 broker-dealers, 4300 investment 
companies and 8100 registered investment advisers would be required to 
comply with the proposed rules. In the first year after the rules are 
adopted, these institutions would be required to comply with the 
following requirements: (i) Prepare notices describing the 
institution's privacy policies; (ii) provide an initial privacy notice 
and opt out form to each consumer; (iii) provide an initial privacy 
notice to each new customer (who did not receive a notice when he or 
she was a consumer); (iv) provide an annual privacy notice to each 
existing customer; (v) adopt policies and procedures that address the 
protection of customer information and records. After the first year, 
institutions would be required to revise notices only to reflect 
changes in their privacy policies. Similarly, institutions would have 
to revise their policies and procedures on safeguarding customer 
information as appropriate to ensure the protection of the information.
    Under the proposed rules, an initial and annual notice could be the 
same.\50\ Many broker-dealers, investment companies, and registered 
investment advisers currently provide notice of their privacy policies 
to consumers and customers.\51\ Thus, some of these institutions would 
be required to draft privacy notices, while others would have to review 
and revise their notices for compliance with the proposed rules.
---------------------------------------------------------------------------

    \50\ See proposed Sec. 248.6(a) (specifying the same content for 
initial and annual notices).
    \51\ See e.g., Charles Schwab & Co., The Schwab Privacy Pledge & 
Notification (Sept. 23, 1999) (available at http://www.schwab.com>); 
The Vanguard Group, Privacy Policy (available at http://
www.vanguard.com>).
---------------------------------------------------------------------------

    The amount of time required for each institution to prepare (or 
revise) its privacy policy notices will vary depending on the extent to 
which (i) the institution shares information and (ii) the institution's 
sharing policy differs for certain consumers or customers.\52\ We 
assume that while broker-dealers and investment companies share 
nonpublic personal information about consumers or customers with their 
affiliates (or as permitted under one of the exceptions discussed 
above), few, if any, share information with nonaffiliated third 
parties.\53\ In addition, we assume that most investment advisers do 
not share the information with any third parties.\54\ Based on these 
assumptions, we estimate that an investment adviser would require, on 
average, about 5 hours, and a broker-dealer or investment company would 
require from 5 to over 100 hours, with an average of about 40 hours, to 
prepare (or revise) its privacy notice. Assuming that an investment 
adviser would spend on average $615 \55\ to draft a notice, and a 
broker-dealer or investment company would spend on average $4920,\56\ 
we estimate that the total one-time cost to the industry of drafting 
privacy notices would be approximately $53.2 million.\57\
---------------------------------------------------------------------------

    \52\ An institution that does not share information with 
affiliates or nonaffiliated third parties may simply state that fact 
without further discussion. See discussion regarding proposed 
section 248.6 above. An institution that has many affiliates and has 
different policies on sharing based on the affiliate or the customer 
is likely to require much more time to draft its notices.
    \53\ This assumption is based on staff conversations with 
representatives of the securities industry.
    \54\ See Association for Investment Management and Research, 
Standards of Practice Handbook 123, 125 (1996) (standard requires 
members to preserve the confidentiality of information communicated 
by clients or prospects, and procedures for compliance explain the 
``simplest, most conservative, and most effective'' way to comply is 
to avoid disclosing any information received from a client except to 
authorized fellow employees who also work for the client).
    \55\ For purposes of the Paperwork Reduction Act, Commission 
staff has estimated that an investment adviser would require 4 hours 
of professional time (at $150 per hour) and 1 hour of clerical or 
administrative time (at $15 per hour) to prepare (or revise) its 
privacy notice, for a total of $615 ((4  x  $150) + (1  x  $15) = 
$615).
    \56\ For purposes of the Paperwork Reduction Act, Commission 
staff has estimated that a broker-dealer or investment company would 
require 32 hours of professional time and 8 hours of clerical or 
administrative time to prepare (or revise) its privacy notice, for a 
total of $4920 ((32  x  $150) + (8  x  $15) = $4920).
    \57\ This amount equals the sum of the costs for broker-dealers, 
investment companies, and investment advisers ((5500 + 4300)  x  
$4920) + (8,100  x  $615) = $53.2 million.
---------------------------------------------------------------------------

    As noted above, we assume that broker-dealers, investment 
companies, and registered investment advisers do not share nonpublic 
personal information with nonaffiliated third parties. Therefore, those 
institutions would not be required to provide consumers an initial 
notice or opportunity to opt out. We assume that those institutions 
generally will include initial and annual privacy notices to customers 
with disclosure documents or account statements that they currently 
receive.\58\ These statements generally are assembled and sent by 
organizations that specialize in mailing and distribution. We estimate 
that the additional material might result in an increase in total 
annual distribution costs of $2.6 million for broker-dealers, 
investment companies, and registered investment advisers.\59\
---------------------------------------------------------------------------

    \58\ Some customers receive all their correspondence 
electronically and could receive notices through the same medium. We 
believe that institutions would incur only minimal costs in 
transmitting notices to these customers electronically.
    \59\ The individual cost per institution would vary 
significantly depending on the number of the institution's 
customers. The estimate is based on an average additional cost per 
mailing of $0.02 for 130.7 million investor accounts. The number of 
investor accounts assumes there are 53 million brokerage accounts, 
77.3 million individual investment company shareholders (see 
Investment Company Institute, 1999 Mutual Fund Fact Book 41 (May 
1999)), and 400,000 customers of investment advisers. The estimated 
number of accounts may be significantly higher than the actual 
number because we are unable to estimate the number of individual 
accounts used for personal, family, or household purposes. See 
proposed Sec. 248.1(b).
---------------------------------------------------------------------------

    We understand that most if not all broker-dealers, investment 
companies, and registered investment advisers have established some 
policies and procedures to protect customer information.\60\ Each 
institution,

[[Page 12367]]

however, would be likely to review and, as appropriate, revise its 
protection policies to assure compliance with the proposed rules. 
Assuming that each institution will on average require approximately 30 
hours to review and revise its policies and procedures, the one-time 
cost to the industry to comply with the rules would be approximately 
$80.6 million.\61\
---------------------------------------------------------------------------

    \60\ See Use of Electronic Media by Broker-Dealers, Transfer 
Agents, and Investment Advisers for Delivery of Information, 
Securities Act Release No. 7288 (May 9, 1996) [61 FR 24644, 24647 
(May 15, 1996)] (advising broker-dealers, transfer agents, and 
investment advisers to take reasonable precautions to ensure the 
integrity, confidentiality, and security of information about a 
customer's personal financial matters, and to tailor those 
precautions to the medium used (whether electronic means or paper) 
to ensure the information is reasonably secure from tampering or 
alteration); Investment Company Institute, Protection of Data 
Privacy in the Investment Company Industry (June 22, 1998) 
(available at http://www.ici.org>) (investment companies and their 
managers often have written policies to ensure confidentiality of 
customer information).
    \61\ This estimate represents the costs of 30 hours of 
professional time (at $150 per hour) ((5500 + 4300 + 8100)  x  30 
x  $150 = $80.6 million). Our estimates are based on staff 
conversations with representatives from the industry. We understand 
that many large institutions currently have comprehensive policies 
and procedures for protecting customer information and records. 
Although the policies of those institutions may need little 
revision, there may be many departments or other divisions that will 
participate in the review. Smaller institutions that need less 
comprehensive policies may devote more time to implementation or 
revision of their policies and procedures.
---------------------------------------------------------------------------

    As discussed above, the privacy notices will allow customers of 
broker-dealers, investment companies, and registered investment 
advisers to compare the privacy policies of different institutions. 
This information is likely to result in some customers moving their 
accounts or relationships from one institution to another whose 
policies are better suited to the customer's needs. We are unable to 
estimate the number of customers who may make this transfer or the 
resulting economic impact on the industry. We do not believe, however, 
that customers would move their accounts from broker-dealers, 
investment companies, or investment advisers to a different type of 
financial institution (such as a bank), because we have no basis for 
assuming that the privacy policies adopted by 17,900 broker-dealers, 
investment companies, and registered investment advisers would not be 
sufficiently varied to address the needs of any customer.
    We request comment on the costs and benefits of the proposed rules. 
We specifically request comment on the anticipated costs of drafting or 
revising privacy notices. We also request comment on the extent to 
which broker-dealers, investment companies, and registered investment 
advisers have established policies to protect customer information and 
the extent to which those policies would have to be revised to comply 
with the proposed rules. We invite comment on the cost of including 
privacy notices in other mailings, as well as the proportion of 
individual account holders who may receive notices electronically and 
the resulting costs or savings.

V. Paperwork Reduction Act

    Certain provisions of the proposed rules contain ``collection of 
information'' requirements within the meaning of the Paperwork 
Reduction Act of 1995 (44 U.S.C. 3501 et seq.). The Commission has 
submitted these provisions to the Office of Management and Budget 
(``OMB'') for review in accordance with 44 U.S.C. 3507(d) and 5 CFR 
1320.11. The title for the collections of information is: ``Regulation 
S-P.'' An agency may not conduct or sponsor, and a person is not 
required to respond to, an information collection unless it displays a 
currently valid OMB control number.
    Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits 
comment to:
    (1) Evaluate whether the proposed collections of information are 
necessary for the proper performance of the functions of the 
Commission, including whether the information will have practical 
utility;
    (2) Evaluate the accuracy of the Commission's estimate of the 
burden of the proposed collections of information;
    (3) Enhance the quality, utility, and clarity of the information to 
be collected; and
    (4) Minimize the burden of the collections of information on those 
who are to respond, including through the use of automated collection 
techniques or other forms of information technology.
    The proposed rules contain several disclosure requirements. The 
financial institutions must prepare and provide an initial notice to 
all current customers and all new customers at the time of establishing 
a customer relationship.\62\ Subsequently, an annual notice must be 
provided to all customers at least once during a twelve-month period 
during the continuation of the customer relationship.\63\ The initial 
notice and opt out notice must be provided to a consumer prior to 
disclosing nonpublic personal information to certain nonaffiliated 
third parties.\64\ If a financial institution wishes to disclose 
information in a way that is inconsistent with the notices previously 
given to a consumer, the financial institution must provide consumers 
with revised notices (proposed Sec. 248.8(c)).
---------------------------------------------------------------------------

    \62\ Proposed Sec. 248.4(a).
    \63\ Proposed Sec. 248.5(a).
    \64\ Proposed Secs. 248.7(a)(1)(i) and (ii).
---------------------------------------------------------------------------

    The proposed regulation also contains consumer reporting 
requirements. In order for consumers to opt out, they must respond to 
the opt out notice.\65\ At any time during their continued 
relationship, consumers have the right to change or update their opt 
out status.\66\ As discussed above, we believe that most, if not all, 
financial institutions will not share nonpublic personal information 
about consumers with nonaffiliated third parties and will not have to 
provide opt out notices to consumers or customers. Thus, few, if any, 
consumers will need to respond to opt out notices. The Commission 
therefore estimates that the annual burden of responding to an opt out 
notice will be nominal. The Commission requests public comment on all 
aspects of the collections of information contained in this proposed 
regulation, including consumer responses to the opt out notice and 
consumer changes to their opt out status with a financial institution.
---------------------------------------------------------------------------

    \65\ Proposed Secs. 248.7(a)(2), (a)(3)(i), (c).
    \66\ Proposed Secs. 248.8(d) and (e).
---------------------------------------------------------------------------

    The initial and annual privacy notices are mandatory. The opt out 
notice is not mandatory for institutions that do not share nonpublic 
personal information with nonaffiliated third parties. The likely 
respondents are brokers, dealers, investment companies, and registered 
investment advisers. The required notices are not submitted to the 
Commission, and there is no assurance of confidentiality of the 
collections of information. The Commission estimates that approximately 
5500 broker-dealers, 4300 investment companies, and 8100 registered 
investment advisers will respond to the proposed regulation.
    Estimated average annual burden hours per respondent: 40.
    Estimated average annual dollar burden per respondent: $145.00.\67\
---------------------------------------------------------------------------

    \67\ This amount represents an estimated annual cost to include 
privacy notices in account statements or shareholder reports sent to 
customers.
---------------------------------------------------------------------------

    Estimated number of respondents: 17,900.
    Estimated total annual hour burden: 716,000 hours.
    Estimated total annual dollar burden: $2.6 million.
    Persons desiring to submit comments on the collection of 
information requirements should direct them to the Office of Management 
and Budget, Attention: Desk Officer for the Securities and Exchange 
Commission, Office of Information and Regulatory Affairs, Washington, 
DC 20503, and should also send a copy to Jonathan G. Katz, Secretary, 
Securities and Exchange Commission, 450 Fifth Street, NW, Washington, 
DC 20549 with reference to File No. S7-6-00. OMB is required to make a 
decision concerning the collection of information between 30 and 60 
days after publication, so a comment to OMB is best assured of having 
its full effect if OMB receives it

[[Page 12368]]

within 30 days after publication. Requests for materials submitted to 
OMB by the Commission with regard to this collection of information 
should be in writing, refer to File No. S7-6-00, and be submitted to 
the Securities and Exchange Commission, Records Management, Office of 
Filings and Information Services, 450 5th Street, NW, Washington, DC 
20549.

VI. Summary of Initial Regulatory Flexibility Analysis

    The Commission has prepared an Initial Regulatory Flexibility 
Analysis (``IRFA'' or ``analysis'') for proposed Regulation S-P in 
accordance with 5 U.S.C. 603. The following summarizes the IRFA. A copy 
of the IRFA may be obtained by contacting Penelope W. Saltzman, 
Securities and Exchange Commission, 450 5th Street, NW, Washington, DC 
20549-0506.
    The analysis explains that in general, Title V requires financial 
institutions to provide notice to consumers about the institution's 
privacy policies and practices. The statute also restricts the ability 
of a financial institution to share nonpublic personal information 
about consumers with nonaffiliated third parties, and allows consumers 
to prevent the institution from sharing nonpublic personal information 
about them with certain nonaffiliated third parties by ``opting out'' 
of the information sharing. In addition, Title V requires the 
Commission to establish appropriate standards for financial 
institutions subject to their jurisdiction to safeguard customer 
information and records.
    Section 504 of the G-L-B Act authorizes the Commission and the 
Agencies to prescribe ``such regulations as may be necessary'' to carry 
out the purposes of Title V. As discussed in the analysis, we believe 
that by adopting rules implementing Title V that are consistent with 
and comparable to those of the Agencies, we will provide the private 
sector greater certainty on how to comply with the statute and clearer 
guidance on how the rules will be enforced with respect to the 
financial institutions subject to Title V that are under the 
Commission's jurisdiction.
    The analysis explains that subject to certain exceptions, the 
proposed rules generally require that a financial institution provide 
all of its customers the following notices: (i) An initial privacy 
notice (before the customer relationship is established or, for 
existing customers, within 30 days after the rule's effective date); 
(ii) an opt out notice (before sharing the individual's nonpublic 
personal information with nonaffiliated third parties); and (iii) an 
annual privacy notice for the duration of the customer relationship.
    The proposed rules also require a financial institution to provide 
its consumers an initial privacy notice and an opt out notice prior to 
disclosing the individual's nonpublic personal information with 
nonaffiliated third parties. If the institution does not intend to 
share such information about its consumers, then it need not provide a 
privacy or opt out notice.
    The many exceptions to the general rules stated above are set forth 
in proposed sections 248.9, 248.10, and 248.11. The analysis notes that 
in cases in which a financial institution enters into a contract with a 
nonaffiliated third party to undertake joint marketing or to have the 
third party perform certain functions on behalf of the institution, no 
opt out notice must be given. In those cases, the institution must 
disclose to the consumer that it is providing the information and enter 
into a contract with the third party that restricts the third party's 
use of the information and requires the third party to maintain 
confidentiality of the information.
    As discussed in the analysis, compliance requirements will vary 
depending, for example, on an institution's information sharing 
practices, whether the institution already has or discloses a privacy 
policy, and whether the institution already has established an opt-out 
mechanism. A financial institution would have to summarize its 
practices regarding its collection, sharing, and safeguarding of 
certain nonpublic personal information in its initial and annual 
notices. However, if the institution does not share that information 
(or shares only to the extent permitted under the exceptions), its 
privacy notice may be brief. We believe that a majority of financial 
institutions already have privacy policies in place as part of usual 
and customary business practices.\68\ We have estimated that a 
financial institution would spend approximately 40 hours on average to 
prepare the privacy notices.
---------------------------------------------------------------------------

    \68\ For example, investment advisers have fiduciary duties 
under state law that limit the ability of an investment adviser to 
share information with third parties. See supra note 4. This and 
other assumptions discussed in this paragraph also are based on 
staff conversations with representatives from the securities 
industry.
---------------------------------------------------------------------------

    To minimize the burden and costs of distributing privacy policies, 
the proposed rule does not specify the method for distributing required 
notices. As discussed more fully in the analysis, a financial 
institution may include an initial privacy statement with other 
required disclosure statements, and may include an annual notice with 
periodic account statements. We estimate that the costs of distributing 
the notices will be minimal because an institution will include the 
notices in mailings or distributions that it already sends to consumers 
and customers.
    The analysis notes that we understand that most, if not all, 
brokers, dealers, investment companies, and investment advisers 
currently do not share nonpublic personal information about consumers 
with nonaffiliated third parties except as would be consistent with one 
of the many exceptions in the proposed rules. We further understand 
that those institutions that do share information under one of the 
permitted exceptions generally have contract provisions that prohibit 
the third party's use of the information for purposes other than the 
purpose for which the information was shared. Thus we believe that, as 
a result of the proposed rules, most if not all financial institutions 
will not have to provide opt out notices to consumers or customers, and 
will not need to revise their contracts with nonaffiliated third 
parties to restrict those parties' use of information.
    The analysis explains that the proposed rule requires every broker, 
dealer, investment company, and registered investment adviser to adopt 
policies and procedures reasonably designed to safeguard customer 
records and information. We believe that most, if not all, financial 
institutions already have policies and procedures to address the safety 
and confidentiality of consumer records and information. Nevertheless, 
financial institutions may review and revise their policies after the 
rules are adopted. The amount of time an institution will spend 
reviewing and revising its policies will depend, among other things, on 
the institution's current policies and its sharing practices. The rules 
do not specify the means by which institutions must ensure the safety 
of customer information and records in order to allow each institution 
to tailor its policies and procedures to its own systems of information 
gathering and transfer, and the needs of its customers. We have 
estimated that in the first year after the proposed rules are adopted, 
a financial institution would spend an average of 30 hours to adopt or 
revise its policies.
    The proposed rules would affect all brokers, dealers, investment 
companies, and registered investment advisers, including small 
entities.\69\ We estimate

[[Page 12369]]

that approximately 1000 out of 5500 brokers and dealers, 227 out of 
4300 investment companies, and 1500 out of 8,100 registered investment 
advisers are small entities.
---------------------------------------------------------------------------

    \69\ For purposes of the Regulatory Flexibility Act, under the 
Exchange Act a small entity is a broker or dealer that had total 
capital of less than $500,000 on the date of its prior fiscal year 
and is not affiliated with any person that is not a small entity. 17 
CFR 240.0-10. Under the Investment Company Act a ``small entity'' is 
an investment company that, together with other investment companies 
in the same group of related investment companies, has net assets of 
$50 million or less as of the end of its most recent fiscal year. 17 
CFR 270.0-10. Under the Investment Advisers Act, a small entity is 
an investment adviser that ``(i) manages less than $25 million in 
assets, (ii) has total assets of less than $5 million on the last 
day of its most recent fiscal year, and (iii) does not control, is 
not controlled by, and is not under common control with another 
investment adviser that manages $25 million or more in assets, or 
any person that had total assets of $5 million or more on the last 
day of the most recent fiscal year. 17 CFR 275.0-7.
---------------------------------------------------------------------------

    As noted in the analysis, the scope of the proposed regulation 
(pursuant to the G-L-B Act) is unique. Nevertheless, as discussed in 
greater detail in the analysis, there may be some overlap in certain 
circumstances with certain federal laws.
    The analysis explains that the Reg. Flex. Act directs the 
Commission to consider significant alternatives that would accomplish 
the stated objective, while minimizing any significant adverse impact 
on small entities. In addition to clarifying and simplifying the 
statutory requirements for all financial institutions, the proposed 
rule also provides substantial flexibility so that any financial 
institution, regardless of size, may tailor its practices to its 
individual needs. As discussed more fully in the analysis, we believe 
that an exception that would create different levels of protections for 
consumers based on the size of the institution with which they conduct 
business would not be consistent with the purposes of Title V. The 
Commission welcomes comment on any significant alternatives, consistent 
with the G-L-B Act, that would minimize the impact on small entities.

VII. Analysis of Effects on Efficiency, Competition, and Capital 
Formation

    Section 23(a)(2) of the Exchange Act \70\ requires the Commission, 
in adopting rules under the Exchange Act, to consider the anti-
competitive effects of any rules it adopts. We do not believe that the 
proposed rules will result in anti-competitive effects. The proposed 
rules, which implement Title V, apply to all broker-dealers, investment 
companies, and registered investment advisers. Each of these 
institutions would be required to provide initial and annual privacy 
notices to customers as well as initial notices and opt out forms to 
consumers if the institution shares nonpublic personal information 
about consumers with nonaffiliated third parties. These institutions 
also would be required to establish standards for protecting customer 
information and records.
---------------------------------------------------------------------------

    \70\ 15 U.S.C. 78w(a)(2).
---------------------------------------------------------------------------

    Other financial institutions will be subject to substantially 
similar privacy notice and opt out requirements under rules proposed by 
other federal agencies.\71\ Under the G-L-B Act, these agencies also 
are required to adopt rules addressing policies and procedures for 
protecting customer information.\72\ Therefore, all financial 
institutions will have to bear the costs of implementing the proposed 
rules or substantially similar rules. Although these costs will vary 
among institutions, we do not believe that the costs will be 
significantly greater (as a proportion of the institutions' costs) for 
any particular institutions.
---------------------------------------------------------------------------

    \71\ See, e.g., Banking Agencies' Proposal, supra note 2.
    \72\ G-L-B Act Sec. 501(b).
---------------------------------------------------------------------------

    As noted above, some customers may move their accounts from one 
institution to another based on the institution's privacy policies. 
Thus, the proposed rules may promote competition among financial 
institutions based on customers' preferences regarding privacy 
policies. The rules do not, however, dictate the privacy policies of 
any financial institution. We have no basis for estimating the 
circumstances under which customers may move accounts. Thus, we cannot 
measure the potential benefits to competition or predict whether there 
may be anti-competitive effects with respect to institutions based on 
their privacy policies. We request comment on any anti-competitive 
effects of the proposed rules.
    Section 3(f) of the Exchange Act,\73\ and section 2(c) of the 
Investment Company Act \74\ require the Commission, when engaging in 
rulemaking that requires it to consider or determine whether an action 
is necessary or appropriate in the public interest, to consider whether 
the action will promote efficiency, competition, and capital formation. 
Our analysis on competition is discussed above. We believe the proposed 
rules will have little effect on efficiency and capital formation. We 
have estimated that the proposed rules will result in additional costs 
for financial institutions. Nevertheless, we believe the additional 
costs are small enough that they will not affect the efficiency of 
these institutions. The rules will allow customers of financial 
institutions to compare privacy policies, which may result in customers 
choosing to do business with a financial institution based on its 
policies. This may result in greater efficiencies if customers make 
this choice before doing business with an institution instead of having 
to close an account after learning that an institution shares 
information in ways the customer does not want. We have no basis, 
however, for estimating the extent of these potential efficiencies. We 
request comment on these matters in connection with the proposed rule.
---------------------------------------------------------------------------

    \73\ 15 U.S.C. 78c(f).
    \74\ 15 U.S.C. 80a-2(c).
---------------------------------------------------------------------------

VIII. Statutory Authority

    The Commission is proposing Regulation S-P under the authority set 
forth in section 504 of the G-L-B Act [15 U.S.C. 6804], sections 17 and 
23 of the Exchange Act [15 U.S.C. 78q, 78w], sections 31 and 38 of the 
Investment Company Act [15 U.S.C. 80a-30(a), 80a-37], and sections 204 
and 211 of the Investment Advisers Act [15 U.S.C. 80b-4, 80b-11].

List of Subjects in 17 CFR Part 248

    Brokers, Dealers, Investment advisers, Investment companies, 
Privacy, Reporting and recordkeeping requirements.

Text of Proposed Rules

    For the reasons set out in the preamble, the Commission proposes to 
amend Title 17, Chapter II of the Code of Federal Regulations by adding 
a new part 248 to read as follows:

PART 248--REGULATION S-P: PRIVACY OF CONSUMER FINANCIAL INFORMATION

Sec.
248.1   Purpose and scope.
248.2   Rule of construction.
248.3   Definitions.
248.4   Initial notice to consumers of privacy policies and 
practices required.
248.5   Annual notice to customers required.
248.6   Information to be included in initial and annual notices of 
privacy policies and practices.
248.7   Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.
248.8   Form and method of providing opt out notice to consumers.
248.9   Exception to opt out requirements for service providers and 
joint marketing.
248.10   Exceptions to notice and opt out requirements for 
processing and servicing transactions.
248.11   Other exceptions to notice and opt out requirements.
248.12   Limits on redisclosure and reuse of information.

[[Page 12370]]

248.13   Limits on sharing of account number information for 
marketing purposes.
248.14   Protection of Fair Credit Reporting Act.
248.15   Relation to State laws.
248.16   Effective date; transition rule.
248.17-248.29   [Reserved]
248.30   Procedures to safeguard customer records and information.

    Authority: 15 U.S.C. 6801-6809; 15 U.S.C. 78q, 78w, 80a-30(a), 
80a-37, 80b-4, 80b-11.


Sec. 248.1  Purpose and scope.

    (a) Purpose. This part governs the treatment of nonpublic personal 
information about consumers by the financial institutions listed in 
paragraph (b) of this section. This part:
    (1) Requires a financial institution to provide notice to consumers 
about its privacy policies and practices;
    (2) Describes the conditions under which a financial institution 
may disclose nonpublic personal information about consumers to 
nonaffiliated third parties; and
    (3) Provides a method for consumers to prevent a financial 
institution from disclosing that information to most nonaffiliated 
third parties by ``opting out'' of that disclosure, subject to the 
exceptions in Secs. 248.9, 248.10, and 248.11.
    (b) Scope. The rules established by this part apply only to 
nonpublic personal information about individuals who obtain financial 
products or services for personal, family or household purposes from 
the institutions listed in section 248.3(x). This part does not apply 
to information about companies or about individuals who obtain 
financial products or services for business purposes. This part applies 
to brokers, dealers, and investment companies and to investment 
advisers that are registered with the Commission. These entities are 
referred to in this part as ``you.''


Sec. 248.2  Rule of construction.

    The examples in this part provide guidance concerning the rule's 
application in ordinary circumstances. The facts and circumstances of 
each individual situation, however, will determine whether compliance 
with an example constitutes compliance with the applicable rule.


Sec. 248.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a) Affiliate of a broker, dealer, or investment company, or an 
investment adviser registered with the Commission means any company 
that controls, is controlled by, or is under common control with the 
broker, dealer, or investment company, or investment adviser registered 
with the Commission. In addition, a broker, dealer, or investment 
company, or an investment adviser registered with the Commission will 
be deemed an affiliate of a company for purposes of this part if:
    (1) That company is regulated under Title V of the G-L-B Act by a 
government regulator other than the Commission; and
    (2) Rules adopted by the other government regulator under Title V 
of the G-L-B Act treat the broker, dealer, or investment company, or 
investment adviser registered with the Commission as an affiliate of 
that company.
    (b) Broker has the same meaning as in section 3(a)(4) of the 
Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(4)).
    (c)(1) Clear and conspicuous means that a notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information contained in the notice.
    (2) Examples. (i) You make your notice reasonably understandable if 
you:
    (A) Present the information contained in the notice in clear, 
concise sentences, paragraphs and sections;
    (B) Use short explanatory sentences and bullet lists, whenever 
possible;
    (C) Use definite, concrete, everyday words and active voice, 
whenever possible;
    (D) Avoid multiple negatives;
    (E) Avoid legal and highly technical business terminology; and
    (F) Avoid boilerplate explanations that are imprecise and readily 
subject to different interpretations.
    (ii) You design your notice to call attention to the nature and 
significance of the information contained in it if, whenever possible, 
you:
    (A) Use a plain-language heading to call attention to the notice;
    (B) Use a typeface and type size that are easy to read; and
    (C) Provide wide margins and ample line spacing.
    (iii) If you provide a notice on the same form as another notice or 
other document, you design your notice to call attention to the nature 
and significance of the information contained in the notice if you use:
    (A) Larger type size(s);
    (B) Boldface or italics for key words in the text;
    (C) Wider margins and line spacing in the notice; or
    (D) Shading or sidebars to highlight the notice.
    (d) Collect means to obtain information that is organized or 
retrievable on a personally identifiable basis, irrespective of the 
source of the underlying information.
    (e) Commission means the Securities and Exchange Commission.
    (f) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association, or similar 
organization.
    (g)(1) Consumer means an individual who obtains or has obtained a 
financial product or service from you that is to be used primarily for 
personal, family, or household purposes, and that individual's legal 
representative.
    (2) Examples. (i) An individual who provides nonpublic personal 
information to you in connection with obtaining or seeking to obtain 
brokerage services or investment advisory services is a consumer 
whether or not you provide brokerage services to the individual or 
establish an ongoing advisory relationship with the individual.
    (ii) An individual who provides you with name, address, and areas 
of investment interest in connection with a request for a prospectus or 
an investment adviser brochure or other information about financial 
products is not a consumer.
    (iii) An individual is not a consumer for your purposes when the 
individual has an account with another broker or dealer that carries 
securities for the individual in a special omnibus account with you in 
the name of the broker or dealer, and when you do not routinely receive 
any information about the consumer.
    (iv) If you are an investment company, an individual is not a 
consumer for your purposes when the individual purchases an interest in 
shares you have issued only through a broker or investment adviser who 
is the record owner of those shares.
    (h) Consumer reporting agency has the same meaning as in section 
603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
    (i) Control means the power to exercise a controlling influence 
over the management or policies of a company whether through ownership 
of securities, by contract, or otherwise. Any person who owns 
beneficially, either directly or through one or more controlled 
companies, more than 25 percent of the voting securities of any company 
is presumed to control the company. Any person who does not own 25 
percent of the voting securities of any company will be presumed not to 
control the company. Any presumption regarding control may be rebutted 
by evidence, but, in the case of an investment company, will continue 
until the Commission makes a decision to the contrary according to the 
procedures described in section 2(a)(9)

[[Page 12371]]

of the Investment Company Act of 1940 (15 U.S.C. 80a-2(a)(9)).
    (j) Customer means a consumer who has a customer relationship with 
you.
    (k)(1) Customer relationship means a continuing relationship 
between a consumer and you under which you provide one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family, or household purposes.
    (2) Examples. (i) A consumer has a continuing relationship with you 
if the consumer:
    (A) Has a brokerage account with you;
    (B) Has an investment advisory contract with you (whether written 
or oral); or
    (C) Is the record owner of securities you have issued if you are an 
investment company.
    (ii) You have a customer relationship with a consumer if the 
consumer has an account with an introducing broker-dealer that clears 
transactions with and for its customers through you on a fully 
disclosed basis.
    (iii) You have a customer relationship with a consumer if you hold 
securities or other assets as collateral for a loan made to the 
consumer, even if you did not make the loan or do not effect any 
transactions on behalf of the consumer.
    (iv) You have a customer relationship with a consumer if you 
regularly effect or engage in securities transactions with or for a 
consumer even if you do not hold any assets of the consumer.
    (v) A consumer who does not establish an account with you does not 
have a continuing relationship with you if you provide brokerage 
services to the consumer on a one-time basis as an accommodation or to 
liquidate securities without the expectation of engaging in other 
transactions.
    (l) Dealer has the same meaning as in section 3(a)(5) of the 
Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(5)).
    (m)(1) Financial institution means any institution the business of 
which is engaging in activities that are financial in nature or 
incidental to such financial activities as described in section 4(k) of 
the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).
    (2) Financial institution does not include:
    (i) Any person or entity with respect to any financial activity 
that is subject to the jurisdiction of the Commodity Futures Trading 
Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
    (ii) The Federal Agricultural Mortgage Corporation or any entity 
chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 
2001 et seq.); or
    (iii) Institutions chartered by Congress specifically to engage in 
securitizations, secondary market sales (including sales of servicing 
rights) or similar transactions related to a transaction of a consumer, 
as long as such institutions do not sell or transfer nonpublic personal 
information to a nonaffiliated third party.
    (n)(1) Financial product or service means any product or service 
that a financial holding company could offer by engaging in an activity 
that is financial in nature or incidental to such a financial activity 
under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 
1843(k)).
    (2) Financial service includes your evaluation, brokerage or 
distribution of information that you collect in connection with a 
request or an application from a consumer for a financial product or 
service.
    (3) Financial product, for purposes of this part, includes an 
equity interest in an investment company.
    (o) G-L-B Act means the Gramm-Leach-Bliley Act (Pub. L. No. 106-
102, 113 Stat. 1338 (1999)).
    (p) Government regulator means:
    (1) The Board of Governors of the Federal Reserve System;
    (2) The Office of the Comptroller of the Currency;
    (3) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (4) The Director of the Office of Thrift Supervision;
    (5) The National Credit Union Administration Board;
    (6) The Securities and Exchange Commission;
    (7) The Secretary of the Treasury, with respect to 31 U.S.C. 
Chapter 53, Subchapter II (Records and Reports on Monetary Instruments 
and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping);
    (8) A State insurance authority, with respect to any person 
domiciled in that insurance authority's State that is engaged in 
providing insurance; and
    (9) The Federal Trade Commission.
    (q) Investment adviser has the same meaning as in section 
202(a)(11) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-
2(a)(11)).
    (r) Investment company has the same meaning as in section 3 of the 
Investment Company Act of 1940 (15 U.S.C. 80a-3), and includes a 
separate series of the investment company.
    (s)(1) Nonaffiliated third party means any person except:
    (i) Your affiliate; or
    (ii) A person employed jointly by you and any company that is not 
your affiliate (but nonaffiliated third party includes the other 
company that jointly employs the person).
    (2) Nonaffiliated third party includes any company that is an 
affiliate by virtue of the direct or indirect ownership or control of 
the company by the financial institution or any affiliate of the 
financial institution in conducting merchant banking or investment 
banking activities of the type described in section 4(k)(4)(I) of the 
Bank Holding Company Act (12 U.S.C. 1843(k)(4)(I)).
    (t)(1) Nonpublic personal information means:
    (i) Personally identifiable financial information; and
    (ii) Any list, description or other grouping of consumers (and 
publicly available information about them) that is derived using any 
personally identifiable financial information.
    (2) Nonpublic personal information does not include:
    (i) Publicly available information, except as provided in paragraph 
(t)(1)(ii) of this section or when the publicly available information 
is disclosed in a manner that indicates the individual is or has been 
your customer; or
    (ii) Any list, description, or other grouping of consumers (and 
publicly available information about them) that is derived without 
using any personally identifiable financial information.
    (3) Example. Nonpublic personal information includes any list of 
individuals' street addresses and telephone numbers that is derived 
using personally identifiable financial information, such as account 
numbers.
    (u) Person has the same meaning as in section 3(a)(9) of the 
Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(9)).
    (v)(1) Personally identifiable financial information means any 
information:
    (i) Provided by a consumer to you to obtain a financial product or 
service from you;
    (ii) About a consumer resulting from any transaction involving a 
financial product or service between you and a consumer; or
    (iii) You otherwise obtain about a consumer in connection with 
providing a financial product or service to that consumer.
    (2) Examples. (i) Personally identifiable financial information 
includes:
    (A) Information a consumer provides to you on an application to 
establish a brokerage account, enter into an investment advisory 
contract, or to purchase securities or other financial products or 
services, including, among other things, medical information;
    (B) Information about account balance, payment history, overdraft 
history, credit or debit card purchases,

[[Page 12372]]

securities positions, or investment products purchased or sold;
    (C) The fact that an individual is or has been one of your 
customers or has obtained a financial product or service from you, 
unless that fact is derived using only publicly available information, 
such as bankruptcy records;
    (D) Other information about your consumer if it is disclosed in a 
manner that indicates the individual is or has been your consumer;
    (E) Any information provided by a consumer or otherwise obtained by 
you or your agent in connection with collecting on a loan or servicing 
a loan; and
    (F) Information from a consumer report.
    (ii) Personally identifiable financial information does not include 
a list of names and addresses of customers of an entity that is not a 
financial institution.
    (w)(1) Publicly available information means any information that 
you reasonably believe is lawfully made available to the general public 
from:
    (i) Federal, State or local government records;
    (ii) Widely distributed media; or
    (iii) Disclosures to the general public that are required to be 
made by federal, State or local law.
    (2) Examples. (i) Government records. Publicly available 
information contained in government records includes information 
contained in government real estate records, security interest filings, 
and bankruptcy filings.
    (ii) Widely distributed media. Publicly available information from 
widely distributed media includes information from a telephone book, a 
television or radio program, a newspaper or an Internet site that is 
available to the general public without requiring a password or similar 
restriction.
    (x) You means:
    (1) Any broker or dealer,
    (2) Any investment company; and
    (3) Any investment adviser registered with the Commission under the 
Investment Advisers Act of 1940.


Sec. 248.4  Initial notice to consumers of privacy policies and 
practices required.

    (a) When initial notice is required. You must provide a clear and 
conspicuous notice that accurately reflects your privacy policies and 
practices to:
    (1) An individual who becomes your customer, prior to the time that 
you establish a customer relationship, except as provided in paragraph 
(d)(1) of this section; and
    (2) A consumer (who has not become your customer), prior to the 
time that you disclose any nonpublic personal information about the 
consumer to any nonaffiliated third party, if you make such a 
disclosure other than as authorized by Secs. 248.10 and 248.11.
    (b) When initial notice to a consumer is not required. You are not 
required to provide an initial notice to a consumer under paragraph 
(a)(1) of this section if:
    (1) You do not disclose any nonpublic personal financial 
information about the consumer to any nonaffiliated third party, other 
than as authorized by Secs. 248.9, 248.10, or 248.11; and
    (2) You do not have a customer relationship with the consumer.
    (c) When you establish a customer relationship. (1) General rule. 
You establish a customer relationship at the time you and the consumer 
enter into a continuing relationship.
    (2) Examples. You establish a customer relationship with a consumer 
when the consumer:
    (i) Effects a securities transaction with you or opens a brokerage 
account with you under your procedures;
    (ii) Opens a brokerage account with an introducing broker or dealer 
that clears transactions with and for its customers through you on a 
fully disclosed basis;
    (iii) Enters into an advisory contract with you (whether in writing 
or orally); or
    (iv) Purchases shares you have issued (and the consumer is the 
record owner of the shares), if you are an investment company.
    (d) How to provide notice. (1) General rule. You must provide the 
privacy notice required by paragraph (a) of this section so that each 
consumer can reasonably be expected to receive actual notice in writing 
or, if the consumer agrees, in electronic form.
    (2) Exceptions to allow subsequent delivery of notice. You may 
provide the initial notice required by paragraph (a) of this section 
within a reasonable time after you establish a customer relationship if 
you and the consumer orally agree to enter into a customer relationship 
and the consumer agrees to receive the notice thereafter.
    (3) Oral description of notice insufficient. You may not provide 
the initial notice required by paragraph (a) of this section solely by 
orally explaining, either in person or over the telephone, your privacy 
policies and practices.
    (4) Retention or accessibility of initial notice for customers. For 
customers only, you must provide the initial notice required by 
paragraph (a)(1) of this section so that it can be retained or obtained 
at a later time by the customer, in a written form or, if the customer 
agrees, in electronic form.
    (5) Examples. (i) You may reasonably expect that a consumer will 
receive actual notice of your privacy policies and practices if you:
    (A) Hand-deliver a printed copy of the notice to the consumer;
    (B) Mail a printed copy of the notice to the last known address of 
the consumer;
    (C) For the consumer who conducts transactions electronically, post 
the notice on the electronic site and require the consumer to 
acknowledge receipt of the notice as a necessary step to obtaining a 
particular financial product or service;
    (D) For an isolated transaction with the consumer, such as an ATM 
transaction, post the notice on the ATM screen and require the consumer 
to acknowledge receipt of the notice as a necessary step to obtaining 
the particular financial product or service.
    (ii) You may not, however, reasonably expect that a consumer will 
receive actual notice of your privacy policies and practices if you:
    (A) Only post a sign in your branch or office or generally publish 
advertisements of your privacy policies and practices;
    (B) Send the notice by electronic mail to a consumer who obtains a 
financial product or service with you in person or through the mail and 
who does not agree to receive the notice electronically.
    (iii) You provide the initial privacy notice to the customer so 
that it can be retained or obtained at a later time if you:
    (A) Hand-deliver a printed copy of the notice to the customer;
    (B) Mail a printed copy of the notice to the last known address of 
the customer upon request of the customer;
    (C) Maintain the notice on a web site (or a link to another web 
site) for the customer who obtains a financial product or service 
electronically and who agrees to receive the notice electronically.


Sec. 248.5  Annual notice to customers required.

    (a) General rule. You must provide a clear and conspicuous notice 
to customers that accurately reflects your privacy policies and 
practices not less than annually during the continuation of the 
customer relationship. Annually means at least once in any period of 
twelve consecutive months during which that relationship exists.
    (b) How to provide notice. You must provide the annual notice 
required by paragraph (a) of this section to a

[[Page 12373]]

customer using a means permitted for providing the initial notice to 
that customer under Sec. 248.4(d).
    (c)(1) Termination of customer relationship. You are not required 
to provide an annual notice to a customer with whom you no longer have 
a continuing relationship.
    (2) Examples. You no longer have a continuing relationship with an 
individual if:
    (i) The individual's brokerage account is closed;
    (ii) The individual's investment advisory contract is terminated;
    (iii) You are an investment company and the individual no longer 
holds shares in the company; or
    (iv) You are an investment company and your customer has been 
determined to be a lost securityholder as defined in 17 CFR 240.17a-
24(b).


Sec. 248.6  Information to be included in initial and annual notices of 
privacy policies and practices.

    (a) General rule. The initial and annual notices that you provide 
about your privacy policies and practices under Secs. 248.4 and 248.5 
must include each of the following items of information:
    (1) The categories of nonpublic personal information about your 
consumers that you collect;
    (2) The categories of nonpublic personal information about your 
consumers that you disclose;
    (3) The categories of affiliates and nonaffiliated third parties to 
whom you disclose nonpublic personal information about your consumers, 
other than those parties to whom you disclose information under 
Secs. 248.10 (exceptions for processing and servicing accounts or 
transactions) and 248.11 (exceptions for consumer consent and to comply 
with various legal requirements);
    (4) The categories of nonpublic personal information about your 
former customers that you disclose and the categories of affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information about your former customers, other than those parties to 
whom you disclose information under Secs. 248.10 and 248.11;
    (5) If you disclose nonpublic personal information to a 
nonaffiliated third party under Sec. 248.9 (and no other exception 
applies to that disclosure), a separate description of the categories 
of information you disclose and the categories of third parties with 
whom you have contracted;
    (6) An explanation of the right under Sec. 248.8(a) of the consumer 
to opt out of the disclosure of nonpublic personal information to 
nonaffiliated third parties, including the methods by which the 
consumer may exercise that right;
    (7) Any disclosures that you make under section 603(d)(2)(A)(iii) 
of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that 
is, notices regarding the ability to opt out of disclosures of 
information among affiliates); and
    (8) Your policies and practices with respect to protecting the 
confidentiality, security and integrity of nonpublic personal 
information.
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information about a 
consumer to third parties as authorized under Secs. 248.10 and 248.11, 
you are not required to list those exceptions in the initial or annual 
privacy notices required by Secs. 248.4 and 248.5. When describing the 
categories with respect to those parties, you are only required to 
state that you make disclosures to other nonaffiliated third parties as 
permitted by law.
    (c) Future disclosures. Your notice may include:
    (1) Categories of nonpublic personal information that you reserve 
the right to disclose in the future, but do not currently disclose; and
    (2) Categories of affiliates or nonaffiliated third parties to whom 
you reserve the right in the future to disclose, but to whom you do not 
currently disclose, nonpublic personal information.
    (d) Examples. (1) Categories of nonpublic personal information that 
you collect. You adequately categorize the nonpublic personal 
information you collect if you categorize it according to the source of 
the information, such as application information, information about 
transactions (such as information regarding your brokerage or 
investment advisory account), and consumer reports.
    (2) Categories of nonpublic personal information you disclose. You 
adequately categorize nonpublic personal information you disclose if 
you categorize it according to source, and provide a few illustrative 
examples of the content of the information. These might include 
application information, such as assets and income, investment goals, 
or investment risk tolerance; identifying information, such as name, 
address, and social security number; and transaction information, such 
as information about account balance, payment history, parties to the 
transaction, credit card usage, securities positions, or securities 
purchases and sales; and information from consumer reports, such as a 
consumer's creditworthiness and credit history. You do not adequately 
categorize the information that you disclose if you use only general 
terms, such as transaction information about the consumer.
    (3) Categories of affiliates and nonaffiliated third parties to 
whom you disclose. You adequately categorize the affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information about consumers if you identify the types of businesses 
that they engage in. Types of businesses may be described by general 
terms only if you use a few illustrative examples of significant lines 
of business. For example, you may use the term financial products or 
services if you include appropriate examples of significant lines of 
businesses, such as consumer banking, mortgage lending, life insurance, 
securities brokerage, or financial planning. You also may categorize 
the affiliates and nonaffiliated third parties to whom you disclose 
nonpublic personal information about consumers using more detailed 
categories.
    (4) Simplified notices. If you do not disclose, and do not intend 
to disclose, nonpublic personal information to affiliates or 
nonaffiliated third parties, you may simply state that fact, in 
addition to the information you must provide under paragraphs (a)(1) 
and (a)(8), and (b) of this section.
    (5) Confidentiality, security, and integrity. You describe your 
policies and practices with respect to protecting the confidentiality 
and security of nonpublic personal information if you explain who has 
access to the information and the circumstances under which the 
information may be accessed. You describe your policies and practices 
with respect to protecting the integrity of nonpublic personal 
information if you explain measures you take to protect against 
reasonably anticipated threats or hazards. You are not required to 
describe technical information about the safeguards you use.


Sec. 248.7  Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.

    (a)(1) Conditions for disclosure. Except as otherwise authorized in 
this part, you may not, directly or through any affiliate, disclose any 
nonpublic personal information about a consumer to a nonaffiliated 
third party unless:
    (i) You have provided to the consumer an initial notice as required 
under Sec. 248.4;
    (ii) You have provided to the consumer an opt out notice as 
required in Sec. 248.8;
    (iii) You have given the consumer a reasonable opportunity, before 
the time

[[Page 12374]]

that you disclose the information to the nonaffiliated third party, to 
opt out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) Opt out definition. Opt out means a direction by the consumer 
that you not disclose nonpublic personal information about that 
consumer to a nonaffiliated third party, other than as permitted by 
Secs. 248.9, 248.10 and 248.11.
    (3) Examples of reasonable opportunity to opt out. (i) By mail. You 
provide a consumer with whom you have a customer relationship with a 
reasonable opportunity to opt out if you mail the notices required in 
paragraph (a)(1) of this section to the consumer and allow the consumer 
a reasonable period of time, such as 30 days, to opt out.
    (ii) Isolated transaction with consumer. For an isolated 
transaction, such as the provision of brokerage services as an 
accommodation to a consumer who does not establish an account with you, 
you provide a reasonable opportunity to opt out if you provide the 
consumer with the required notices at the time of the transaction and 
request that the consumer decide, as a necessary part of the 
transaction, whether to opt out before completing the transaction.
    (b) Application of opt out to all consumers and all nonpublic 
personal information.
    (1) You must comply with this section regardless of whether you and 
the consumer have established a customer relationship.
    (2) Unless you comply with this section, you may not, directly or 
through any affiliate, disclose any nonpublic personal information 
about a consumer that you have collected, regardless of whether you 
collected it before or after receiving the direction to opt out from 
the consumer.
    (c) Partial opt out. You may allow a consumer to select certain 
nonpublic personal information or certain nonaffiliated third parties 
with respect to which the consumer wishes to opt out.


Sec. 248.8  Form and method of providing opt out notice to consumers.

    (a)(1) Form of opt out notice. You must provide a clear and 
conspicuous notice to each of your consumers that accurately explains 
the right to opt out under Sec. 248.7(a)(1). The notice must state:
    (i) That you disclose or reserve the right to disclose nonpublic 
personal information about your consumer to a nonaffiliated third 
party;
    (ii) That the consumer has the right to opt out of that disclosure; 
and
    (iii) A reasonable means by which the consumer may exercise the opt 
out right.
    (2) Examples. (i) You provide adequate notice that the consumer can 
opt out of the disclosure of nonpublic personal information to a 
nonaffiliated third party if you identify all of the categories of 
nonpublic personal information that you disclose or reserve the right 
to disclose to nonaffiliated third parties as described in Sec. 248.6 
and state that the consumer can opt out of the disclosure of that 
information.
    (ii) You provide a reasonable means to exercise an opt out right if 
you:
    (A) Designate check-off boxes in a prominent position on the 
relevant forms with the opt out notice;
    (B) Include a reply form together with the opt out notice; or
    (C) Provide an electronic means to opt out, such as a form that can 
be sent by electronic mail or a process at your web site, if the 
consumer agrees to the electronic delivery of information.
    (iii) You do not provide a reasonable means of opting out if the 
only means of opting out is for the consumer to write his or her own 
letter to exercise that opt out right.
    (b) How to provide opt out notice. (1) Delivery of notice. You must 
provide the opt out notice required by paragraph (a) of this section in 
a manner so that each consumer can reasonably be expected to receive 
actual notice in writing or, if the consumer agrees, in electronic 
form. If you and the consumer orally agree to enter into a customer 
relationship, you may provide the opt out notice required by paragraph 
(a) of this section within a reasonable time thereafter if the consumer 
agrees.
    (2) Oral description of opt out right insufficient. You may not 
provide the opt out notice solely by orally explaining, either in 
person or over the telephone, the right of the consumer to opt out.
    (3) Same form as initial notice permitted. You may provide the opt 
out notice together with or on the same written or electronic form as 
the initial notice you provide in accordance with Sec. 248.4.
    (4) Initial notice required when opt out notice delivered 
subsequent to initial notice. If you provide the opt out notice at a 
later time than required for the initial notice in accordance with 
Sec. 248.4, you must also include a copy of the initial notice in 
writing or, if the consumer agrees, in an electronic form with the opt 
out notice.
    (c) Notice of change in terms. (1) General rule. Except as 
otherwise authorized in this part, you must not, directly or through 
any affiliate, disclose any nonpublic personal information about a 
consumer to a nonaffiliated third party other than as described in the 
initial notice that you provided to the consumer under Sec. 248.4, 
unless:
    (i) You have provided to the consumer a revised notice that 
accurately describes your policies and practices;
    (ii) You have provided to the consumer a new opt out notice;
    (iii) You have given the consumer a reasonable opportunity, before 
the time that you disclose the information to the nonaffiliated third 
party, to opt out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) How to provide notice of change in terms. You must provide the 
revised notice of your policies and practices and opt out notice to a 
consumer using the means permitted for providing the initial notice and 
opt out notice to that consumer under Sec. 248.4(d) or Sec. 248.8(b).
    (3) Examples. (i) Except as otherwise permitted by Secs. 248.9, 
248.10 and 248.11, a change-in-terms notice is required if you:
    (A) Disclose a new category of nonpublic personal information to 
any nonaffiliated third party; or
    (B) Disclose nonpublic personal information to a new category of 
nonaffiliated third party.
    (ii) A change-in-terms notice is not required if you disclose 
nonpublic personal information to a new nonaffiliated third party that 
is adequately described by your prior notice.
    (d) Continuing right to opt out. A consumer may exercise the right 
to opt out at any time, and you must comply with the consumer's 
direction as soon as reasonably practicable.
    (e) Duration of consumer's opt out direction. A consumer's 
direction to opt out under this section is effective until revoked by 
the consumer in writing, or if the consumer agrees, in electronic form.


Sec. 248.9  Exception to opt out requirements for service providers and 
joint marketing.

    (a) General rule. The opt out requirements in Secs. 248.7 and 248.8 
do not apply when you provide nonpublic personal information about a 
consumer to a nonaffiliated third party to perform services for you or 
functions on your behalf, if you:
    (1) Provide the initial notice in accordance with Sec. 248.4; and
    (2) Enter into a contractual agreement with the third party that:
    (i) Requires the third party to maintain the confidentiality of the 
information to at least the same extent that you must maintain that 
confidentiality under this part; and

[[Page 12375]]

    (ii) Limits the third party's use of information you disclose 
solely to the purposes for which the information is disclosed or as 
otherwise permitted by Secs. 248.10 and 248.11.
    (b) Service may include joint marketing. The services performed for 
you by a nonaffiliated third party under paragraph (a) of this section 
may include marketing of your own products or services or marketing of 
financial products or services offered pursuant to joint agreements 
between you and one or more financial institutions.
    (c) Definition of joint agreement. For purposes of this section, 
joint agreement means a written contract pursuant to which you and one 
or more financial institutions jointly offer, endorse, or sponsor a 
financial product or service.


Sec. 248.10  Exceptions to notice and opt out requirements for 
processing and servicing transactions.

    (a) Exceptions for processing transactions at consumer's request. 
The requirements for initial notice in Sec. 248.4(a)(2), the opt out in 
Secs. 248.7 and 248.8, and service providers and joint marketing in 
Sec. 248.9, do not apply if you disclose nonpublic personal 
information:
    (1) As necessary to effect, administer, or enforce a transaction 
requested or authorized by the consumer;
    (2) To service or process a financial product or service requested 
or authorized by the consumer;
    (3) To maintain or service the consumer's account with you, or with 
another entity as part of a private label credit card program or other 
extension of credit on behalf of such entity; or
    (4) In connection with a proposed or actual securitization, 
secondary market sale (including sales of servicing rights) or similar 
transaction related to a transaction of the consumer.
    (b) Necessary to effect, administer, or enforce a transaction means 
that the disclosure is:
    (1) Required, or is one of the lawful or appropriate methods, to 
enforce your rights or the rights of other persons engaged in carrying 
out the financial transaction or providing the product or service; or
    (2) Required, or is a usual, appropriate, or acceptable method:
    (i) To carry out the transaction or the product or service business 
of which the transaction is a part, and record, service, or maintain 
the consumer's account in the ordinary course of providing the 
financial service or financial product;
    (ii) To administer or service benefits or claims relating to the 
transaction or the product or service business of which it is a part;
    (iii) To provide a confirmation, statement or other record of the 
transaction, or information on the status or value of the financial 
service or financial product to the consumer or the consumer's agent or 
broker;
    (iv) To accrue or recognize incentives or bonuses associated with 
the transaction that are provided by you or any other party;
    (v) To underwrite insurance at the consumer's request or for 
reinsurance purposes, or for any of the following purposes as they 
relate to a consumer's insurance: Account administration, reporting, 
investigating, or preventing fraud or material misrepresentation, 
processing premium payments, processing insurance claims, administering 
insurance benefits (including utilization review activities), 
participating in research projects, or as otherwise required or 
specifically permitted by federal or State law; or
    (vi) In connection with settling a transaction, including:
    (A) The authorization, billing, processing, clearing, transferring, 
reconciling, or collection of amounts charged, debited, or otherwise 
paid using a debit, credit, or other payment card, check or account 
number, or by other payment means;
    (B) The transfer of receivables, accounts, or interests therein; or
    (C) The audit of debit, credit or other payment information.


Sec. 248.11  Other exceptions to notice and opt out requirements.

    (a) Exceptions to opt out requirements. The requirements for 
initial notice to consumers in Sec. 248.4(a)(2), the opt out in 
Secs. 248.7 and 248.8, and initial notice to consumers under the 
exception for service providers and joint marketing in Sec. 248.9, do 
not apply when you disclose nonpublic personal information:
    (1) With the consent or at the direction of the consumer, provided 
that the consumer has not revoked the consent or direction;
    (2)(i) To protect the confidentiality or security of your records 
pertaining to the consumer, service, product, or transaction;
    (ii) To protect against or prevent actual or potential fraud, 
unauthorized transactions, claims, or other liability;
    (iii) For required institutional risk control or for resolving 
consumer disputes or inquiries;
    (iv) To persons holding a legal or beneficial interest relating to 
the consumer; or
    (v) To persons acting in a fiduciary or representative capacity on 
behalf of the consumer;
    (3) To provide information to insurance rate advisory 
organizations, guaranty funds or agencies, agencies that are rating 
you, persons that are assessing your compliance with industry 
standards, and your attorneys, accountants, and auditors;
    (4) To the extent specifically permitted or required under other 
provisions of law and in accordance with the Right to Financial Privacy 
Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies 
(including government regulators), self-regulatory organizations, or 
for an investigation on a matter related to public safety;
    (5)(i) To a consumer reporting agency in accordance with the Fair 
Credit Reporting Act (15 U.S.C. 1681 et seq.), or
    (ii) From a consumer report reported by a consumer reporting 
agency;
    (6) In connection with a proposed or actual sale, merger, transfer, 
or exchange of all or a portion of a business or operating unit if the 
disclosure of nonpublic personal information concerns solely consumers 
of such business or unit; or
    (7)(i) To comply with federal, State, or local laws, rules and 
other applicable legal requirements, including rules or other 
applicable legal requirements of self-regulatory organizations;
    (ii) To comply with a properly authorized civil, criminal, or 
regulatory investigation, or subpoena or summons by federal, State, or 
local authorities or self-regulatory organizations; or
    (iii) To respond to judicial process, government regulatory 
authorities, or self-regulatory organizations having jurisdiction over 
you for examination, compliance, or other purposes as authorized by 
law.
    (b) Examples of consent and revocation of consent. (1) A consumer 
may specifically consent to your disclosure to a nonaffiliated mortgage 
lender of the value of the assets in the consumer's brokerage or 
investment advisory account so that the lender can evaluate the 
consumer's application for a mortgage loan.
    (2) A consumer may revoke consent by subsequently exercising the 
right to opt out of future disclosures of nonpublic personal 
information as permitted under Sec. 248.8(d).


Sec. 248.12  Limits on redisclosure and reuse of information.

    (a) Limits on your redisclosure and reuse. (1) Except as otherwise 
provided in this part, if you receive nonpublic personal information 
about a consumer from a nonaffiliated financial institution, you must 
not, directly or through an affiliate, disclose the

[[Page 12376]]

information to any other person that is not affiliated with either the 
financial institution or you, unless the disclosure would be lawful if 
the financial institution made it directly to that other person.
    (2) You may use nonpublic personal information about a consumer 
that you receive from a nonaffiliated financial institution in 
accordance with an exception under Secs. 248.9, 248.10, or 248.11 only 
for the purpose of that exception.
    (b) Limits on redisclosure and the reuse by other persons. (1) 
Except as otherwise provided in this part, if you disclose nonpublic 
personal information about a consumer to a nonaffiliated third party, 
that party must not, directly or through an affiliate, disclose the 
information to any other person that is a nonaffiliated third party of 
both you and that party, unless the disclosure would be lawful if you 
made it directly to such other person.
    (2) A nonaffiliated third party may use nonpublic personal 
information about a consumer that it receives from you in accordance 
with an exception under Secs. 248.9, 248.10, or 248.11 only for the 
purpose of that exception.
    (3) Example. If you provide nonpublic personal information to a 
nonaffiliated transfer agent that services your customer accounts, the 
transfer agent may not, directly or through an affiliate, disclose the 
nonpublic personal information to any other person that is a 
nonaffiliated third party of you and the transfer agent unless you 
could lawfully make the disclosure to that party.


Sec. 248.13  Limits on sharing of account number information for 
marketing purposes.

    You must not, directly or through an affiliate, disclose, other 
than to a consumer reporting agency, an account number or similar form 
of access number or access code for a credit card account, deposit 
account, or transaction account of a consumer to any nonaffiliated 
third party for use in telemarketing, direct mail marketing, or other 
marketing through electronic mail to the consumer.


Sec. 248.14  Protection of Fair Credit Reporting Act.

    Nothing in this part shall be construed to modify, limit, or 
supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 
1681 et seq.), and no inference shall be drawn on the basis of the 
provisions of this part regarding whether information is transaction or 
experience information under section 603 of that Act.


Sec. 248.15  Relation to State laws.

    (a) In general. This part shall not be construed as superseding, 
altering, or affecting any statute, regulation, order, or 
interpretation in effect in any State, except to the extent that the 
State statute, regulation, order, or interpretation is inconsistent 
with the provisions of this part, and then only to the extent of the 
inconsistency.
    (b) Greater protection under State law. For purposes of this 
section, a State statute, regulation, order, or interpretation is not 
inconsistent with the provisions of this part if the protection that 
statute, regulation, order, or interpretation affords any consumer is 
greater than the protection provided under this part, as determined by 
the Federal Trade Commission, after consultation with the Commission, 
on the Federal Trade Commission's own motion or upon the petition of 
any interested party.


Sec. 248.16  Effective date; transition rule.

    (a) Effective date. This part is effective November 13, 2000.
    (b) Notice requirement for consumers who were your customers on the 
effective date. No later than thirty days after the effective date of 
this part, you must provide an initial notice, as required by 
Sec. 248.4, to consumers who were your customers on the effective date 
of this part.


Secs. 248.17-248.29  [Reserved]


Sec. 248.30  Procedures to safeguard customer records and information.

    Every broker, dealer, and investment company, and every investment 
adviser registered with the Commission must adopt policies and 
procedures that address administrative, technical, and physical 
safeguards for the protection of customer records and information. 
These policies and procedures must be reasonably designed to:
    (a) Insure the security and confidentiality of customer records and 
information;
    (b) Protect against any anticipated threats or hazards to the 
security or integrity of customer records and information; and
    (c) Protect against unauthorized access to or use of customer 
records or information that could result in substantial harm or 
inconvenience to any customer.

    By the Commission.

    Dated: March 2, 2000.
Margaret H. McFarland,
Deputy Secretary.
[FR Doc. 00-5526 Filed 3-3-00; 10:05 am]
BILLING CODE 8010-01-P