[Federal Register Volume 79, Number 92 (Tuesday, May 13, 2014)]
[Proposed Rules]
[Pages 27214-27230]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-10713]


=======================================================================
-----------------------------------------------------------------------

BUREAU OF CONSUMER FINANCIAL PROTECTION

12 CFR Part 1016

[Docket No. CFPB-2014-0010]
RIN 3170-AA39


Amendment to the Annual Privacy Notice Requirement Under the 
Gramm-Leach-Bliley Act (Regulation P)

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Proposed rule with request for comment.

-----------------------------------------------------------------------

SUMMARY: The Bureau of Consumer Financial Protection (Bureau) is 
proposing to amend Regulation P, which among other things requires that 
financial institutions provide an annual disclosure of their privacy 
policies to their customers. The amendment would create an alternative 
delivery method for this annual disclosure, which financial 
institutions would be able to use under certain circumstances.

DATES: Comments must be received on or before June 12, 2014.

ADDRESSES: You may submit comments, identified by Docket No. CFPB-2014-
0010 or RIN 3170-AA39, by any of the following methods:
     Electronic: http://www.regulations.gov. Follow the 
instructions for submitting comments.
     Mail/Hand Delivery/Courier: Monica Jackson, Office of the 
Executive Secretary, Consumer Financial Protection Bureau, 1700 G 
Street NW., Washington, DC 20552.
    Instructions: All submissions should include the agency name and 
docket number or Regulatory Information Number (RIN) for this 
rulemaking. Because paper mail in the Washington, DC area and at the 
Bureau is subject to delay, commenters are encouraged to submit 
comments electronically. In general, all comments received will be 
posted without change to http://www.regulations.gov. In addition, 
comments will be available for public inspection and copying at the 
Bureau's offices in Washington, DC on official business days between 
the hours of 10 a.m. and 5 p.m. Eastern Time. You can make an 
appointment to inspect the documents by telephoning (202) 435-7275.
    All comments, including attachments and other supporting materials, 
will become part of the public record and subject to public disclosure. 
Sensitive personal information, such as account numbers or Social 
Security numbers, should not be included.

[[Page 27215]]


FOR FURTHER INFORMATION CONTACT: Nora Rigby and Joseph Devlin, 
Counsels; Office of Regulations, at (202) 435-7700.

SUPPLEMENTARY INFORMATION:

I. Summary of the Proposed Rule

    The Gramm-Leach-Bliley Act (GLBA) \1\ mandates that financial 
institutions provide their customers with initial and annual notices 
regarding their privacy policies. If financial institutions share 
certain customer information with particular types of third parties, 
the institutions are also required to provide notice to their customers 
and an opportunity to opt out of the sharing. Many financial 
institutions currently mail printed copies of the annual GLBA privacy 
notices to their customers, but have expressed concern that this 
practice causes information overload for consumers and unnecessary 
expense.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 6801 et seq.
---------------------------------------------------------------------------

    In response to such concerns, the Bureau is proposing to allow 
financial institutions that do not engage in certain types of 
information-sharing activities to stop mailing an annual disclosure if 
they post the annual notices on their Web sites and meet certain other 
conditions. Specifically, the proposal would allow financial 
institutions to use the proposed alternative delivery method for annual 
privacy notices if: (1) The financial institution does not share the 
customer's nonpublic personal information with nonaffiliated third 
parties in a manner that triggers GLBA opt-out rights; (2) the 
financial institution does not include on its annual privacy notice an 
opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit 
Reporting Act (FCRA); (3) the financial institution's annual privacy 
notice is not the only notice provided to satisfy the requirements of 
section 624 of the FCRA; (4) the information included in the privacy 
notice has not changed since the customer received the previous notice; 
and (5) the financial institution uses the model form provided in the 
GLBA's implementing Regulation P. A financial institution would still 
be required to use the currently permitted delivery method if the 
institution, among other things, has changed its privacy practices or 
engages in information-sharing activities for which customers have a 
right to opt out.
    In using the proposed alternative method, a financial institution 
would have to insert a clear and conspicuous statement at least once 
per year on a notice or disclosure the institution issues under any 
other provision of law announcing that: the annual privacy notice is 
available on the financial institution's Web site; it will be mailed to 
customers who request it by calling a toll-free telephone number; and 
it has not changed. The financial institution would have to 
continuously post the annual privacy notice in a clear and conspicuous 
manner on a page of its Web site, without requiring a login or similar 
steps to access the notice. In addition, to assist customers with 
limited or no access to the internet, financial institutions would have 
to mail annual notices promptly to customers who request them by phone.
    The proposal would apply to various types of financial institutions 
that provide consumer financial products and services. The Bureau is 
seeking comment on the proposal through June 12, 2014. The Bureau is 
also coordinating and consulting with other agencies that have 
authority to issue rules implementing GLBA with regard to certain other 
types of financial institutions, such as securities and futures 
traders, as well as consulting with other agencies that enforce the 
GLBA.

II. Background

A. The Statute and Regulation

    The GLBA was enacted into law in 1999.\2\ The GLBA, among other 
things, is intended to provide a comprehensive framework for regulating 
the privacy practices of an extremely broad range of entities. 
``Financial institutions'' for purposes of the GLBA include not only 
depository institutions and non-depository institutions providing 
consumer financial products or services (such as payday lenders, 
mortgage brokers, check cashers, debt collectors, and remittance 
transfer providers), but also many businesses that do not offer or 
provide consumer financial products or services.
---------------------------------------------------------------------------

    \2\ Public Law 106-102.
---------------------------------------------------------------------------

    Rulemaking authority to implement the GLBA privacy provisions was 
initially spread among many agencies. The Federal Reserve Board 
(Board), the Office of Comptroller of the Currency (OCC), the Federal 
Deposit Insurance Corporation (FDIC), and the Office of Thrift 
Supervision (OTS) jointly adopted final rules to implement the notice 
requirements of GLBA in 2000.\3\ The National Credit Union 
Administration (NCUA), Federal Trade Commission (FTC), Securities and 
Exchange Commission (SEC), and Commodity Futures Trading Commission 
(CFTC) were part of the same interagency process, but issued their 
rules separately.\4\ In 2009, all these agencies issued a joint final 
rule with a model form that financial institutions could use, at their 
option, to provide the required initial and annual privacy 
disclosures.\5\
---------------------------------------------------------------------------

    \3\ 65 FR 35162 (June 1, 2000).
    \4\ 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 33646 
(May 24, 2000) (FTC final rule); 65 FR 40334 (June 29, 2000) (SEC 
final rule); 66 FR 21252 (Apr. 27, 2001) (CFTC final rule).
    \5\ 74 FR 62890 (Dec. 1, 2009).
---------------------------------------------------------------------------

    In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection 
Act (Dodd-Frank Act) \6\ transferred GLBA privacy notice rulemaking 
authority from the Board, NCUA, OCC, OTS, the FDIC, and the FTC (in 
part) to the Bureau.\7\ The Bureau then restated the implementing 
regulations in Regulation P, 12 CFR part 1016, in late 2011.\8\
---------------------------------------------------------------------------

    \6\ Public Law 111-203, 124 Stat. 1376 (2010).
    \7\ Public Law 111-203, section 1093. The FTC retained 
rulewriting authority over any financial institution that is a 
person described in 12 U.S.C. 5519 (i.e., motor vehicle dealers 
predominantly engaged in the sale and servicing of motor vehicles, 
the leasing and servicing of motor vehicles, or both).
    \8\ 76 FR 79025 (Dec. 21, 2011).
---------------------------------------------------------------------------

    The Bureau has the authority to promulgate GLBA privacy rules for 
depository institutions and many non-depository institutions. However, 
rulewriting authority with regard to securities and futures-related 
companies is vested in the SEC and CFTC, respectively, and rulewriting 
authority with respect to certain motor vehicle dealers is vested in 
the FTC.\9\ The Bureau has consulted and coordinated with these 
agencies and with the National Association of Insurance Commissioners 
(NAIC) concerning the proposed alternative delivery method.\10\ The 
Bureau has also consulted with other appropriate federal agencies, as 
required under Section 1022 of the Dodd-Frank Act.
---------------------------------------------------------------------------

    \9\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b).
    \10\ In regard to any Regulation P rulemaking, section 504 of 
GLBA provides that each of the agencies authorized to prescribe GLBA 
regulations (currently the Bureau, FTC, SEC, and CFTC) ``shall 
consult and coordinate with the other such agencies and, as 
appropriate, . . . with representatives of State insurance 
authorities designated by the National Association of Insurance 
Commissioners, for the purpose of assuring, to the extent possible, 
that the regulations prescribed by each such agency are consistent 
and comparable with the regulations prescribed by the other such 
agencies.'' 15 U.S.C. 6804(a)(2).
---------------------------------------------------------------------------

1. Annual Privacy Notices
    The GLBA and its implementing regulation, Regulation P,\11\ require 
that financial institutions \12\ provide consumers with certain notices 
[[Page 27216]] describing their privacy policies. Financial institutions are generally 
required to first provide an initial notice of these policies, and then 
an annual notice to customers every year that the relationship 
continues.\13\ (When a financial institution has a continuing 
relationship with the consumer, an annual privacy notice is required 
and the consumer is then referred to as a ``customer.'') \14\ These 
notices describe whether and how the financial institution shares 
consumers' nonpublic personal information,\15\ including personally 
identifiable financial information, with other entities, and in some 
cases explain how consumers can opt out of certain types of sharing. 
The notices also briefly describe how financial institutions protect 
the nonpublic personal information they collect and maintain. Financial 
institutions typically use U.S. postal mail to send initial and annual 
privacy notices to consumers.
---------------------------------------------------------------------------

    \11\ 12 CFR part 1016.
    \12\ Regulation P defines ``financial institution.'' See 12 CFR 
1016.3(l).
    \13\ 12 CFR 1016.4, 1016.5(a)(1).
    \14\ 12 CFR 1016.3(i).
    \15\ Regulation P defines ``nonpublic personal information.'' 
See 12 CFR 1016.3(p).
---------------------------------------------------------------------------

    Implementing GLBA section 503, Regulation P generally requires the 
initial privacy notice,\16\ and also mandates that financial 
institutions ``provide a clear and conspicuous notice to customers that 
accurately reflects [their] privacy policies and practices not less 
than annually during the continuation of the customer relationship.'' 
\17\
---------------------------------------------------------------------------

    \16\ 12 CFR 1016.4(a).
    \17\ 12 CFR 1016.5(a)(1) (emphasis added).
---------------------------------------------------------------------------

    Section 502 of the GLBA and Regulation P at Sec.  1016.6(a)(6) also 
require that initial and annual notices inform customers of their right 
to opt out of certain financial institution sharing of nonpublic 
personal information with some types of nonaffiliated third parties. 
For example, customers have the right to opt out of a financial 
institution selling the names and addresses of its mortgage customers 
to an unaffiliated home insurance company and, therefore, the 
institution would have to provide an opt-out notice before it sells the 
information. On the other hand, financial institutions are not required 
to allow consumers to opt out of the institutions' sharing involving 
third-party service providers, joint marketing arrangements, 
maintaining and servicing accounts, securitization, law enforcement and 
compliance, reporting to consumer reporting agencies, and certain other 
activities that are specified in the statute and regulation as 
exceptions to the opt-out requirement.\18\ If a financial institution 
limits its types of sharing to those which do not trigger opt-out 
rights, it may provide a ``simplified'' annual privacy notice to its 
customers that does not include opt-out information.\19\
---------------------------------------------------------------------------

    \18\ 15 U.S.C. 6802(b)(2), (e); 12 CFR 1016.13, 1016.14, 
1016.15.
    \19\ Section 1016.6(c)(5) allows financial institutions to 
provide ``simplified notices'' if they do not disclose, and do not 
wish to reserve the right to disclose, nonpublic personal 
information about customers or former customers to affiliates or 
nonaffiliated third parties except as authorized under Sec. Sec.  
1016.14 and 1016.15. The exceptions at Sec. Sec.  1016.14 and 
1016.15 track statutory exemptions and cover a variety of 
situations, such as maintaining and servicing the customer's 
account, securitization and secondary market sale, and fraud 
prevention. They directly exempt institutions from the opt-out 
requirements. The exception that includes service providers and 
joint marketing arrangements, at Sec.  1016.13, is also statutory, 
but financial institutions that share according to this exception 
may not use the simplified notice, even though consumers cannot opt 
out of this sharing.
---------------------------------------------------------------------------

    In addition to opt-out rights under GLBA, financial institutions 
also may include in the annual privacy notice information about certain 
consumer opt-out rights under FCRA. The annual privacy disclosures 
under the GLBA/Regulation P and affiliate disclosures under the FCRA/
Regulation V interact in two ways. First, section 603(d)(2)(A)(iii) of 
the FCRA excludes from the statute's definition of a consumer report 
\20\ the sharing of certain information about a consumer among 
affiliates if the consumer is notified of such sharing and is given an 
opportunity to opt out.\21\ Section 503(c)(4) of the GLBA and 
Regulation P, in turn, generally require financial institutions 
providing their customers with initial and annual privacy notices to 
incorporate into them any notification and opt-out disclosures provided 
pursuant to section 603(d)(2)(A)(iii) of the FCRA.\22\
---------------------------------------------------------------------------

    \20\ The FCRA defines ``consumer report'' generally as ``any 
written, oral, or other communication of any information by a 
consumer reporting agency bearing on a consumer's credit worthiness, 
credit standing, credit capacity, character, general reputation, 
personal characteristics, or mode of living which is used or 
expected to be used or collected in whole or in part for the purpose 
of serving as a factor in establishing the consumer's eligibility 
for: (A) credit or insurance to be used primarily for personal, 
family, or household purposes; (B) employment purposes; or (C) any 
other purpose authorized under section 1681b of this title.'' 15 
U.S.C. 1681a.
    \21\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \22\ 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).
---------------------------------------------------------------------------

    Second, section 624 of the FCRA and Regulation V's Affiliate 
Marketing Rule provide that an affiliate of a financial institution 
that receives certain information \23\ about a consumer from the 
financial institution may not use the information to make solicitations 
for marketing purposes unless the consumer is notified of such use and 
provided with an opportunity to opt out of that use.\24\ Regulation V, 
in turn, permits (but does not require) financial institutions 
providing their customers with initial and annual privacy notices under 
Regulation P to incorporate any opt-out disclosures provided under 
section 624 of the FCRA and subpart C of Regulation V into those 
notices.\25\
---------------------------------------------------------------------------

    \23\ The type of information to which section 624 applies is 
information that would be a consumer report, but for the exclusions 
provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA 
(i.e., a report solely containing information about transactions or 
experiences between the consumer and the institution making the 
report, communication of that information among persons related by 
common ownership or affiliated by corporate control, or 
communication of other information as discussed above).
    \24\ 15 U.S.C. 1681s-3 and 12 CFR pt. 1022, subpart C.
    \25\ 12 CFR 1022.23(b).
---------------------------------------------------------------------------

2. Method of Delivering Annual Privacy Notices
    Section 503 of the GLBA sets forth the requirement that financial 
institutions provide initial and annual privacy disclosures to a 
consumer. Specifically, it states that ``a financial institution shall 
provide a clear and conspicuous disclosure to such consumer, in writing 
or in electronic form or other form permitted by the regulations 
prescribed under section 6804 of this title, of such financial 
institution's policies and practices with respect to'' disclosing and 
protecting consumers' nonpublic personal information.\26\ Although 
financial institutions provide most annual privacy notices by U.S. 
postal mail, Regulation P allows financial institutions to provide 
notices electronically (e.g., by email) to customers with their 
consent.\27\
---------------------------------------------------------------------------

    \26\ 15 U.S.C. 6803(a) (emphasis added).
    \27\ 12 CFR 1016.9(a) states that a financial institution may 
deliver the notice electronically if the consumer agrees. After 
discussions with industry stakeholders, however, the Bureau believes 
that most consumers have not agreed to receive electronic 
disclosures.
---------------------------------------------------------------------------

B. CFPB Streamlining Initiative

    In pursuit of the Bureau's goal of reducing unnecessary or unduly 
burdensome regulations, in December 2011, the Bureau issued a Request 
for Information seeking specific suggestions from the public for 
streamlining regulations the Bureau had inherited from other Federal 
agencies (Streamlining RFI). In that RFI, the Bureau specifically 
identified the annual privacy notice as a potential opportunity for 
streamlining and solicited comment on possible alternatives to 
delivering the annual privacy notice.\28\
---------------------------------------------------------------------------

    \28\ 76 FR 75825, 75828 (Dec. 5, 2011).

---------------------------------------------------------------------------

[[Page 27217]]

    Numerous industry commenters strongly advocated eliminating or 
limiting the annual notice requirement. They stated that most customers 
ignore annual privacy notices. Even if customers do read them, 
according to industry stakeholders, the content of these disclosures 
provides little benefit, especially if customers have no right to opt 
out of information sharing because the financial institution does not 
share nonpublic personal information in a way that triggers such 
rights. Financial institutions argued that mailing these notices 
imposes significant costs and that there are other ways of conveying to 
customers the information in the written notices just as effectively 
but at a lower cost. Several industry commenters suggested that if an 
institution's privacy notice has not changed, the institution should be 
allowed to communicate on the consumer's periodic statement, via email, 
or by some other cost-effective means that the annual privacy notice is 
available on its Web site or upon request, by phone.\29\
---------------------------------------------------------------------------

    \29\ On a related issue, industry commenters stated that the 
annual notice causes confusion and unnecessary opt-out requests from 
customers who do not recall that they have already opted out in a 
previous year. As stated in the Supplementary Information to the 
Final Model Privacy Form Under the Gramm-Leach-Bliley Act, a 
financial institution is free to provide additional information in 
other, supplemental materials to customers if it wishes to do so. 
See 74 FR 62890, 62908 (Dec. 1, 2009). A financial institution could 
include supplemental materials advising those customers who 
previously opted out that they do not need to opt out again.
---------------------------------------------------------------------------

    A banking industry trade association and other industry commenters 
suggested that the Bureau eliminate or ease the annual notice 
requirement for financial institutions if their privacy policies have 
not changed and they do not share nonpublic personal information beyond 
the exceptions allowed by the GLBA (e.g., sharing nonpublic personal 
information with the servicer of an account). They argued that the GLBA 
exceptions were crafted to allow what Congress viewed as non-
problematic sharing and, therefore, the law does not permit consumers 
to opt out of such sharing. The need for an annual notice is thus less 
evident if a financial institution only shares nonpublic personal 
information pursuant to one of these exceptions. The trade association 
estimated that 75% of banks do not share beyond these exceptions and do 
not change their notices from year to year.
    Consumer advocacy groups generally stated that customers benefit 
from financial institutions providing them with printed annual privacy 
notices, which may remind customers of privacy rights that they may not 
have exercised previously. Consumer representatives argued that these 
notices make customers aware of their privacy rights in regard to 
financial institutions, even if they have no opt-out rights. One 
compliance company commenter agreed with the consumer groups' view of 
the importance of the notices. One advocacy group suggested that a 
narrow easing of annual notice requirements where a financial 
institution shares information only with affiliates might not be 
objectionable, although it did not support changing the current 
requirements. The Bureau did not receive any comment on the annual 
privacy notice change from privacy advocacy groups.

C. Understanding the Effects of Certain Deposit Regulations--Study

    In November of 2013, the Bureau published a study assessing the 
effects of certain deposit regulations on financial institutions' 
operations.\30\ This study provided operational insights from seven 
banks about their annual privacy notices.\31\ Many of these banks use 
third-party vendors, who design or distribute the notices on their 
behalf. All seven participants provided the annual notice as a separate 
mailing, which resulted in higher costs for postage, materials, and 
labor than if the notice were mailed with other material. Some 
financial institutions apparently send separate mailings to ensure that 
their disclosures are ``clear and conspicuous,'' \32\ although 2009 
guidance from the eight agencies promulgating the model privacy form 
explained that a separate mailing is not required.\33\ This separate 
mailing practice contrasts with the usual financial institution 
preference (particularly for smaller study participants) to bundle 
mailings with monthly statements. Indeed, subsequent Bureau outreach 
suggests that many financial institutions do mail the annual privacy 
notice with other materials. Finally, while the study participants 
echoed the sentiment that few customers read privacy notices, 
participant banks with call centers also reported that after they send 
annual notices, the number of customers who call about the banks' 
privacy policies increases.
---------------------------------------------------------------------------

    \30\ Consumer Financial Protection Bureau, ``Understanding the 
Effects of Certain Deposit Regulations on Financial Institutions' 
Operations: Findings on Relative Costs for Systems, Personnel, and 
Processes at Seven Institutions'' (Nov. 2013), available at http://files.consumerfinance.gov/f/201311_cfpb_report_findings-relative-costs.pdf.
    \31\ Information collected for the study may be used to assist 
the Bureau in its investigations of ``the effects of a potential or 
existing regulation on the business decisions of providers.'' OMB 
Information Request--Control Number: 3170-0032.
    \32\ 15 U.S.C. 6803 (``[In the initial and annual privacy 
notices] a financial institution shall provide a clear and 
conspicuous disclosure . . .''); 12 CFR 1016.3(b)(1) (defining 
``clear and conspicuous'' as ``reasonably understandable and 
designed to call attention to the nature and significance of the 
information in the notice.'')
    \33\ See 74 FR 62890, 62897-62898.
---------------------------------------------------------------------------

D. Further Outreach

    In addition to the consultations with other government agencies 
discussed above, while preparing this proposed rule the Bureau 
conducted further outreach to industry and consumer advocate 
stakeholders. The Bureau held meetings with consumer groups, including 
groups and participants with a specific interest in privacy issues. The 
Bureau also held meetings with industry groups that represent 
institutions that must comply with the annual privacy notice 
requirement, including banks, credit unions, mortgage servicers, and 
debt buyers.
    As with the responses to the Streamlining RFI, the consumer groups 
generally expressed the view that mailed privacy notices were useful, 
even when no opt-out rights were present, and that changes were not 
necessary. Among other comments, they suggested that the Bureau promote 
the use of the Regulation P model form. The industry participants also 
generally expressed similar views to those expressed by industry in 
response to the Streamlining RFI. They supported creation of an 
alternative delivery method for annual privacy notices.\34\
---------------------------------------------------------------------------

    \34\ Recently Congress considered proposed legislation that 
would provide burden relief as to annual privacy notices, though no 
law has been enacted. See, e.g., H.R. 749, passed by the House and 
referred to the Senate in March of 2013; and S. 635, introduced in 
the Senate in late 2013.
---------------------------------------------------------------------------

E. Privacy Considerations

    In developing the proposal, the Bureau considered its potential 
impact on consumer privacy. The proposal would not affect the 
collection or use of consumers' nonpublic personal information by 
financial institutions. The proposal would expand the permissible 
methods by which financial institutions subject to Regulation P may 
deliver annual privacy notices to their customers in limited 
circumstances. Among other limitations, it would not expand the 
permissible delivery methods when financial institutions make various 
types of changes to their annual privacy notices or when their annual 
privacy notices afford customers the right to opt out of the sharing of 
their nonpublic personal information by financial institutions. The 
proposal is [[Page 27218]] designed to ensure that when the alternative delivery method is used, 
customers would continue to have access to clear and conspicuous annual 
privacy notices.

III. Legal Authority

    The Bureau is issuing this proposed rule pursuant to its authority 
under section 504 of the GLBA, as amended by section 1093 of the Dodd-
Frank Act.\35\ The Bureau is also issuing this proposed rule pursuant 
to its authority under sections 1022 and 1061 of the Dodd-Frank 
Act.\36\
---------------------------------------------------------------------------

    \35\ 15 U.S.C. 6804.
    \36\ 12 U.S.C. 5512, 5581.
---------------------------------------------------------------------------

    Prior to July 21, 2011, rulemaking authority for the privacy 
provisions of the GLBA was shared by eight federal agencies: the Board, 
the FDIC, the FTC, the NCUA, the OCC, the OTS, the SEC, and the CFTC. 
The Dodd-Frank Act amended a number of Federal consumer financial laws, 
including the GLBA. Among other changes, the Dodd-Frank Act transferred 
rulemaking authority for most of Subtitle A of Title V of the GLBA, 
with respect to financial institutions described in section 
504(a)(1)(A) of the GLBA, from the Board, FDIC, FTC, NCUA, OCC, and OTS 
(collectively, the transferor agencies) to the Bureau, effective July 
21, 2011.

IV. Section-by-Section Analysis

Section 1016.9--Delivering Privacy and Opt-Out Notices

    Existing Sec.  1016.9 describes how a financial institution must 
provide both the initial notice required by Sec.  1016.4 and the annual 
notice required by Sec.  1016.5. Specifically, Sec.  1016.9(a) requires 
the notice to be provided so that each consumer can reasonably be 
expected to receive actual notice in writing or, if the consumer 
agrees, electronically. Section 1016.9(b) provides examples of delivery 
that would result in reasonable expectation of actual notice, including 
hand delivery, delivery by mail, or electronic delivery for consumers 
who conduct transactions electronically. Section 1016.9(c) provides 
examples regarding reasonable expectation of actual notice that apply 
to annual notices only.
    The Bureau believes that use of the alternative delivery method by 
financial institutions that meet the requirements discussed below is 
likely to reduce information overload, specifically by eliminating 
duplicative paper privacy notices in situations in which the customer 
generally has no ability to opt out of the financial institution's 
information sharing.\37\ Moreover, the Bureau believes that the 
proposed rule's alternative delivery method would be likely to decrease 
the burden on financial institutions of delivering notices,\38\ while 
generally continuing to require delivery of notices pursuant to the 
existing requirements in situations in which customers can opt out of 
information sharing. In response to the Streamlining RFI, a banking 
industry trade association estimated that 75% of banks do not change 
their notices from year to year and do not share information in a way 
that gives rise to customer opt-out rights. Accordingly, the Bureau 
believes that a large number of banks would be able to use the proposed 
alternative delivery method. Bureau outreach also suggests that a large 
majority of credit unions and many non-depository financial 
institutions would benefit from being able to use the alternative 
delivery method. In addition, because small financial institutions 
appear to be less likely to share their customers' nonpublic personal 
information in a way that triggers customers' opt-out rights, it is 
likely that many of them could decrease their costs through the use of 
the alternative delivery method.
---------------------------------------------------------------------------

    \37\ The Bureau notes that the proposed alternative delivery 
method would be available even where a financial institution offers 
a notice and opt out under the Affiliate Marketing Rule, subpart C 
of 12 CFR part 1022, which relates to marketing based on information 
shared by a financial institution, as long as the Affiliate 
Marketing Rule notice and opt out is also provided separately from 
the Regulation P privacy notice. See the section-by-section 
discussion of proposed Sec.  1016.9(c)(2)(i)(C), below.
    \38\ The Bureau notes that under current Regulation P, financial 
institutions are not required to deliver the privacy notice 
separately from other documents, although the Bureau believes that 
many financial institutions do so.
---------------------------------------------------------------------------

    Under the alternative delivery method, customers would have access 
via financial institutions' Web sites (or by postal mail on request) to 
annual privacy notices that use the model form, that generally do not 
inform customers of any right to opt out, and that convey the same 
information as in previous notices. Further, financial institutions 
would be required to post their privacy notice continuously on their 
Web sites and thus customers would be able to access the privacy notice 
throughout the year rather than waiting for an annual mailing.\39\ 
Financial institutions would be required to deliver to customers an 
annual reminder, on another notice or disclosure, of the availability 
of the privacy notice on the institution's Web site. In light of these 
considerations, the Bureau believes that where the conditions set forth 
in the proposed rule are satisfied, any incremental benefit in terms of 
customers' awareness of privacy issues that might accrue from requiring 
delivery pursuant to the existing methods of the annual privacy notice 
could be outweighed by the costs of providing the notice, costs that 
ultimately may be passed through to customers. The Bureau has 
determined that the specific language of section 503(a) of the GLBA 
grants some latitude in specifying by rule the method of conveying the 
annual notices, so long as a ``clear and conspicuous disclosure'' is 
provided ``in writing or in electronic form or other form permitted by 
the regulations.'' This statutory interpretation would apply only to 
the specific type of disclosure involved in the limited circumstances 
proposed pursuant to the specific language of GLBA section 503.\40\
---------------------------------------------------------------------------

    \39\ Fostering comparison shopping by consumers among financial 
institutions was one of the objectives that GLBA model privacy 
notices, primarily initial privacy notices, were intended to 
accomplish. See 15 U.S.C. 6803(e). Facilitating comparison shopping 
based on privacy policies was also mentioned repeatedly in the 
preamble to the model privacy notice rule. See 74 FR 62890 (Dec. 1, 
2009). The Bureau invites empirical data on whether consumers do 
comparison shop among financial institutions based on privacy 
notices.
    \40\ While the agencies previously charged with GLBA privacy 
notice rulemaking authority appear to have read the statutory grant 
of authority more restrictively (see, e.g., 65 FR at 35174 (June 1, 
2000)), those agencies did not cite or interpret the statutory 
language quoted above and were not considering a form of electronic 
notice. Commenters to the agencies' proposed rule had suggested that 
the notice (including opt outs) be available only on request, or 
that a short-form notice be permitted in certain circumstances, and 
the agencies interpreted the statute as not allowing such 
arrangements. The Bureau's proposed rule's disclosure strategy is 
very different, and allows immediate access to the privacy notice 
for the overwhelming majority of customers.
    Further, circumstances have changed since the 2000 rulemaking. 
In 2000, only 41.5% of U.S. households had internet access at home. 
In contrast, as of 2012, 74.8% of U.S. households had internet 
access at home and 80% of U.S. adults were using the internet, thus 
making easy access to electronic notices significantly more 
widespread. See U.S. Census data, ``Households With a Computer and 
Internet Use: 1984 to 2012,'' available at https://www.census.gov/hhes/computer/publications/2012.html and Pew Research Internet 
Project, available at http://www.pewinternet.org/2014/02/27/summary-of-findings-3/.
---------------------------------------------------------------------------

    The Bureau seeks data and other information concerning the effect 
on customer privacy rights if financial institutions were to use the 
alternative delivery method rather than their current delivery method. 
The Bureau further requests comment on whether the proposed alternative 
delivery method would be effective in reducing the potential for 
information overload on customers and reducing the burden on financial 
institutions of mailing hard copy privacy notices. The Bureau also has 
been informed by some financial institutions and consumer advocates

[[Page 27219]]

that financial institutions and customers are unnecessarily burdened by 
redundant opt-out requests because customers who receive the privacy 
notice are often unaware that they have previously opted out of 
information sharing. The Bureau notes that a financial institution may 
currently include with its privacy notice a separate notice explaining 
a customer's opt-out status, though the Bureau does not believe that 
many financial institutions do so. Although the Bureau is not proposing 
to change the model form or instructions in Regulation P at this time, 
the Bureau requests comment on whether financial institutions would 
want to include on the privacy notice itself a statement describing the 
customer's opt-out status.
    Lastly, the Bureau notes that the proposed alternative delivery 
method would be available where customers have already consented to 
receive their privacy notices electronically pursuant to Sec.  
1016.9(a) and invites comment regarding how often privacy notices are 
delivered electronically under existing Regulation P. The Bureau 
further invites comment on whether the proposed alternative delivery 
method is appropriate for customers who already receive privacy notices 
electronically and whether financial institutions that currently 
provide the notice electronically would be likely to use the proposed 
alternative delivery method.

9(c)(2) Alternative Method for Providing Certain Annual Notices

9(c)(2)(i)
    Proposed Sec.  1016.9(c)(2) sets forth an alternative to Sec.  
1016.9(a) for providing certain annual notices. (Existing Sec.  
1016.9(c) would be redesignated as Sec.  1016.9(c)(1) and its 
subparagraphs redesignated as Sec.  1016.9(c)(1)(i) and (ii), 
respectively, to accommodate the new addition. The Bureau is also 
proposing to add a heading to new paragraph (c)(1) for technical 
reasons.) Specifically, proposed Sec.  1016.9(c)(2)(i) would provide 
that, notwithstanding the general requirement in Sec.  1016.9(a) that a 
notice be provided so that each consumer can reasonably be expected to 
receive actual notice, a financial institution may use the alternative 
method set forth in proposed Sec.  1016.9(c)(2)(ii) to satisfy the 
requirement in Sec.  1016.5(a)(1) to provide an annual notice if the 
institution meets certain conditions as specified in proposed Sec.  
1016.9(c)(2)(i)(A) through (E), which are discussed in detail below. 
The Bureau invites comment generally on the conditions in proposed 
Sec.  1016.9(c)(2)(i)(A) through (E) and whether any of those 
conditions should not be required or whether additional conditions 
should be added. The Bureau notes that the proposed alternative 
delivery method would not alter the requirement in Sec.  1016.5(a)(1) 
that the notice be provided annually.
9(c)(2)(i)(A)
    Proposed Sec.  1016.9(c)(2)(i)(A) would set forth the first 
condition for using the alternative delivery method: that the financial 
institution does not share the customer's information with 
nonaffiliated third parties other than through the activities specified 
under Sec. Sec.  1016.13, 1016.14 and 1016.15 that do not trigger opt-
out rights under the GLBA. Pursuant to Sec.  1016.10(a), a financial 
institution generally may not disclose nonpublic personal information 
about a consumer to a nonaffiliated third party without first providing 
the consumer with a notice and opportunity to opt out of that sharing. 
Sections 1016.13, 1016.14, and 1016.15 lay out certain exceptions to 
the general opt-out requirement.\41\ Accordingly, where a financial 
institution shares with nonaffiliated third parties as permitted by 
Sec. Sec.  1016.13, 1016.14, and 1016.15, the financial institution is 
not required to provide the consumer with an opportunity to opt out of 
such sharing.
---------------------------------------------------------------------------

    \41\ Specifically, Sec.  1016.13 provides that the opt-out 
requirement generally does not apply where a financial institution 
shares nonpublic personal information with nonaffiliated third 
parties to provide services to the sharing financial institution, 
including for marketing products or services of the financial 
institution or those of other financial institutions with which the 
sharing institution has joint marketing agreements. Section 1016.14 
provides that the opt-out requirement generally does not apply where 
the financial institution shares nonpublic personal information as 
required to process or service transactions for the consumer's 
account. Section 1016.15 provides that the opt-out requirement does 
not apply to certain specific types of information sharing by the 
financial institution, including, for example, at the consumer's 
request, to protect the confidentiality of the financial 
institution's records, to a consumer reporting agency, and to comply 
with a properly authorized civil, criminal or regulatory 
investigation.
---------------------------------------------------------------------------

    The Bureau believes that the alternative delivery method, while 
reducing burden, might not be as effective in alerting customers to 
their ability to opt out of certain types of information sharing as the 
current delivery method where a financial institution shares beyond the 
exceptions in Sec. Sec.  1016.13, 1016.14, and 1016.15. The Bureau thus 
believes that the current delivery method for the annual notice 
pursuant to existing Sec.  1016.9(a) is likely to be important for 
customers who have the right to opt out of information sharing. The 
Bureau believes that limiting the alternative delivery method to 
circumstances in which customers have no information sharing opt-out 
rights under Regulation P would generally reduce the burden of 
compliance while still mandating the use of the current delivery method 
to ensure that customers have notice of their opt-out rights where they 
exist. For the foregoing reasons, the Bureau proposes Sec.  
1016.9(c)(2)(i)(A).
    The Bureau invites comment on the extent to which different 
financial institutions share beyond the exceptions in Sec. Sec.  
1016.13, 1016.14, and 1016.15 and thus would be precluded from using 
the proposed alternative delivery method. The Bureau further invites 
comment on the impact on customers of receiving the annual privacy 
notice pursuant to the current delivery method, rather than the 
proposed alternative delivery method, where the notice informs the 
customer of opt-out rights pursuant to Regulation P.
9(c)(2)(i)(B)
    Proposed Sec.  1016.9(c)(2)(i)(B) would set forth the second 
condition for using the alternative delivery method for the annual 
privacy notice: that the financial institution not include on its 
annual notice an opt out under section 603(d)(2)(A)(iii) of the 
FCRA.\42\ As discussed in part II above, FCRA section 603(d)(2)(A)(iii) 
excludes from the statute's definition of ``consumer report'' a 
financial institution's sharing of certain information about a consumer 
with its affiliates if the financial institution provides the consumer 
with notice and an opportunity to opt out of the information sharing. 
Though this notice and opt out is a product of the FCRA rather than the 
GLBA, section 503(b)(4) of the GLBA and Sec.  1016.6(a)(7) require a 
financial institution's privacy notice to include any disclosures the 
financial institution makes under section 603(d)(2)(A)(iii) of the 
FCRA. Accordingly, to the extent that a financial institution chooses 
to provide an opt out pursuant to FCRA section 603(d)(2)(A)(iii), Sec.  
1016.6(a)(7) requires the privacy notice to include that opt out.\43\ 
For the same reasons as discussed with respect to proposed Sec.  
1016.9(c)(2)(i)(A), the Bureau proposes to allow a financial 
institution to use the alternative delivery method only if it does not 
share information in a way that triggers information sharing opt-out 
rights for the customer, including those under section 
603(d)(2)(A)(iii) of the FCRA. Accordingly, the Bureau proposes Sec.  
1016.9(c)(2)(i)(B).
---------------------------------------------------------------------------

    \42\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \43\ See 64 FR 35162, 35176 (June 1, 2000).
---------------------------------------------------------------------------

    The Bureau invites comment on the extent to which different 
financial

[[Page 27220]]

institutions provide a FCRA section 603(d)(2)(A)(iii) opt out and thus 
would be precluded from using the proposed alternative delivery method. 
The Bureau further invites comment on the benefit to customers of 
receiving the annual privacy notice pursuant to the current delivery 
method, rather than the proposed alternative delivery method, where the 
notice informs the customer of opt-out rights pursuant to FCRA section 
603(d)(2)(A)(iii).
9(c)(2)(i)(C)
    Proposed Sec.  1016.9(c)(2)(i)(C) would contain the third condition 
for using the alternative delivery method: that the annual privacy 
notice is not the only notice provided to satisfy the requirements of 
section 624 of the FCRA \44\ and subpart C of 12 CFR part 1022 (the 
``Affiliate Marketing Rule''). The Bureau is proposing to provide 
flexibility in the manner in which an annual notice which contains 
disclosures under the Affiliate Marketing Rule is provided since 
proposed Sec.  1016.9(c)(2)(i)(C) would require the consumer to be 
provided the Affiliate Marketing notice and opt out separately, as 
discussed below. FCRA section 624, as implemented by the Affiliate 
Marketing Rule, provides that a person may not use certain information 
about a consumer that it receives from an affiliate to make 
solicitations for marketing purposes unless the consumer receives 
notice and the opportunity to opt out of this use from an affiliate 
with whom the consumer has or had a pre-existing business 
relationship.\45\ The Affiliate Marketing Rule further governs the 
content, scope, and duration of that notice and opt out and the method 
by which it must be provided to consumers.\46\
---------------------------------------------------------------------------

    \44\ 15 U.S.C. 1681s-3.
    \45\ 12 CFR 1022.21(a).
    \46\ 12 CFR 1022.22, 1022.23, 1022.24, 1022.25, 1022.26, and 
1022.27.
---------------------------------------------------------------------------

    In contrast to the FCRA section 603(d)(2)(A)(iii) notice and opt-
out right, which is generally required to be included on the annual 
privacy notice by Sec.  1016.6(a)(7) if a financial institution offers 
that opt out, the Affiliate Marketing Rule notice and opt out is not 
required to be included on the Regulation P privacy notice. The 
Affiliate Marketing Rule notice and opt out may be included on the 
privacy notice, however. Moreover, the model privacy notice includes a 
notice and opt out under FCRA section 624 and the Affiliate Marketing 
Rule,\47\ and the Affiliate Marketing Rule specifically provides that 
its opt out may be incorporated into the GLBA privacy notice.\48\ The 
instructions to the GLBA model privacy notice make clear that a 
financial institution subject to the Affiliate Marketing Rule may omit 
that notice and opt out from the GLBA model privacy notice, provided 
the institution separately complies with the Affiliate Marketing 
Rule.\49\
---------------------------------------------------------------------------

    \47\ Appendix to part 1016 at C.2.d.6.
    \48\ 12 CFR 1022.23(b).
    \49\ Appendix to part 1016 at C.2.d.6.
---------------------------------------------------------------------------

    Given that the Affiliate Marketing Rule notice and opt out is not 
required on the annual privacy notice (and indeed does not have to be 
provided annually),\50\ the Bureau believes that the existence of an 
opt-out right under the Affiliate Marketing Rule should not preclude a 
financial institution from using the proposed alternative delivery 
method. Instead, the Bureau is proposing that the alternative delivery 
method would be available for a financial institution that must provide 
a notice and opt out under the Affiliate Marketing Rule as long as the 
annual privacy notice is not the only notice provided to the customer 
explaining that opt-out right. In other words, a financial institution 
that undertakes opt-out obligations under the Affiliate Marketing Rule 
may use the alternative delivery method provided that it fulfills those 
notice and opt-out obligations separately from the annual privacy 
notice.
---------------------------------------------------------------------------

    \50\ 72 FR 62910, 62930 (Nov. 7, 2007).
---------------------------------------------------------------------------

    The Bureau notes that certain requirements for the Affiliate 
Marketing notice and opt out differ, depending on whether it is 
included as part of the model privacy notice or issued separately. 
Where a financial institution includes the Affiliate Marketing notice 
and opt out on the model privacy notice, Regulation P requires that opt 
out to be of indefinite duration.\51\ In contrast, where a financial 
institution provides the Affiliate Marketing notice and opt out 
separately, Regulation V allows the opt out to be offered for as little 
as five years, subject to renewal, and the disclosure of the duration 
of the opt out must be included on the notice.\52\ Because inclusion of 
the Affiliate Marketing opt out on the model privacy notice requires a 
financial institution to honor the opt out indefinitely, a financial 
institution that also offers the opt out right separately in order to 
use the alternative delivery method would be able to comply with both 
Regulations P and V by stating in the separate Affiliate Marketing 
notice that the opt out is of indefinite duration and by honoring such 
opt-out requests indefinitely.
---------------------------------------------------------------------------

    \51\ Regulation P provides, ``Institutions that include this 
reason [for sharing or using personal information] must provide an 
opt-out of indefinite duration.'' Appendix to part 1016 at C.2.d.6.
    \52\ 12 CFR 1022.22(b). 12 CFR 1022.23(a)(1)(iv).
---------------------------------------------------------------------------

    The Bureau acknowledges that under this proposal some customers 
will no longer receive their annual privacy notice pursuant to the 
current delivery requirements even though the notice informs them of a 
right to opt out that exists pursuant to the Affiliate Marketing Rule. 
The Bureau believes, however, that this concern is mitigated by the 
fact that in such cases, proposed Sec.  1016.9(c)(2)(i)(C) would 
require that the Affiliate Marketing Rule opt-out notice also be 
delivered separately from the annual privacy notice.\53\ The Bureau 
considered but decided against proposing to prohibit use of the 
alternative delivery method where a financial institution provides an 
opt out under the Affiliate Marketing Rule. The Bureau believes that 
prohibiting the use of the alternative delivery method in that 
circumstance could discourage financial institutions from voluntarily 
providing the Affiliate Marketing notice and opt out through their annual 
privacy notice and could be at odds with a financial institution's 
choice whether to use the annual privacy notice to comply with its opt-
out obligations under the Affiliate Marketing Rule. Accordingly, the 
Bureau is proposing Sec.  1016.9(c)(2)(i)(C) which would permit use of 
the alternative delivery method for a financial institution that 
provides a notice and opt out under the Affiliate Marketing Rule, 
provided that the financial institution does not use the annual privacy 
notice as the sole means of providing notice to customers of that opt-
out right.
---------------------------------------------------------------------------

    \53\ Alternatively, the financial institution could continue to 
use the current delivery method and include the Affiliate Marketing 
opt out on the annual privacy notice, with no separate notice 
required.
---------------------------------------------------------------------------

    The Bureau invites comment on the extent to which financial 
institutions include the Affiliate Marketing Rule opt out on their 
Regulation P privacy notices and thus would be precluded from using the 
proposed alternative delivery method unless they separately delivered 
an Affiliate Marketing Rule opt-out notice. The Bureau further invites 
comment on the benefit or harm to customers of receiving the annual 
privacy notice pursuant to the alternative delivery method if the 
notice informs the customer of opt-out rights pursuant to the Affiliate 
Marketing Rule and the customer would receive a separate Affiliate 
Marketing Rule opt-out notice.

[[Page 27221]]

9(c)(2)(i)(D)
    Proposed Sec.  1016.9(c)(2)(i)(D) would present the fourth 
condition for using the alternative delivery method: that the 
information a financial institution is required to convey on its annual 
privacy notice pursuant to Sec.  1016.6(a)(1) through (5), (8) and (9) 
has not changed since the immediately previous privacy notice, initial 
or annual, to the customer. The Bureau is proposing to provide more 
flexibility in the method by which a notice that has not changed may be 
delivered because it believes that delivery of the annual notice as 
currently required by Sec.  1016.9(a) is likely less useful if the 
customer has already received a privacy notice, the financial 
institution's sharing practices remain generally unchanged since that 
previous notice, and the other requirements of proposed Sec.  
1016.9(c)(2)(i) are met. Proposed Sec.  1016.9(c)(2)(i)(D) lists the 
specific disclosures of the privacy notice that must not change in 
order for a financial institution to take advantage of the alternative 
delivery method. They are:
    (1) the categories of nonpublic personal information that the 
financial institution collects (Sec.  1016.6(a)(1));
    (2) the categories of nonpublic personal information that the 
financial institution discloses (Sec.  1016.6(a)(2));
    (3) the categories of affiliates and nonaffiliated third parties to 
whom the financial institution discloses nonpublic personal 
information, other than those parties to whom the financial institution 
discloses information under Sec. Sec.  1016.14 and 1016.15 (Sec.  
1016.6(a)(3));
    (4) the categories of nonpublic personal information about the 
financial institution's former customers that the financial institution 
discloses and the categories of affiliates and nonaffiliated third 
parties to whom the financial institution discloses nonpublic personal 
information about the financial institution's former customers, other 
than those parties to whom the financial institution discloses 
information under Sec. Sec.  1016.14 and 1016.15 (Sec.  1016.6(a)(4));
    (5) if the financial institution discloses nonpublic personal 
information to a nonaffiliated third party under Sec.  1016.13 (and no 
other exception in Sec.  1016.14 or Sec.  1016.15 applies to that 
disclosure), a separate statement of the categories of information the 
financial institution discloses and the categories of third parties 
with whom the financial institution has contracted (Sec.  
1016.6(a)(5));
    (6) the financial institution's policies and practices with respect 
to protecting the confidentiality and security of nonpublic personal 
information (Sec.  1016.6(a)(8)); and
    (7) any description of nonaffiliated third parties subject to 
exceptions as described in Sec.  1016.6(b) (Sec.  1016.6(a)(9)).\54\
---------------------------------------------------------------------------

    \54\ Note that the information disclosed pursuant to Sec.  
1016.6(a)(6) and (7) is not among the provisions in proposed Sec.  
1016.9(c)(2)(i)(D) because those disclosures relate to opt-out 
rights the existence of which would make the alternative delivery 
method unavailable for a financial institution under proposed Sec.  
1016.9(c)(2)(i)(A) and (B), as discussed above. In addition, the 
omission from proposed Sec.  1016.9(c)(2)(i)(D) of the opt-out 
disclosures under GLBA and FCRA makes clear that a financial 
institution may change its privacy policy so as to eliminate 
information sharing that triggers opt-out rights and may then make 
use of the alternative delivery method for the next annual privacy 
notice.
---------------------------------------------------------------------------

    With respect to disclosures required by Sec.  1016.6(a)(1) through 
(5) and (9) (items 1-5 and 7 in the list above), the Bureau emphasizes 
that a financial institution would be precluded from using the 
alternative delivery method only if it made changes in the category of 
information it collects or discloses so as to require changes to the 
disclosure on the notice itself. The disclosures required by Sec.  
1016.6(a)(1) through (5) and (9) describe categories of nonpublic 
personal information collected and disclosed and categories of third 
parties with whom that information is disclosed. Accordingly, only a 
change in or addition of a category of information collected or shared 
or in a category of third party with whom the information is shared 
would prevent a financial institution from satisfying proposed Sec.  
1016.9(c)(2)(i)(D). The Bureau further notes that stylistic changes in 
the wording of the notice that do not change the information conveyed 
on the notice would not prevent a financial institution from satisfying 
proposed Sec.  1016.9(c)(2)(i)(D).
    For example, assume a financial institution begins collecting 
information regarding potential customers' assets as part of an 
application process that the institution had not previously collected. 
If the institution had previously disclosed on its privacy notice that 
the nonpublic personal information it collected included information 
received from customers on applications or other forms, the financial 
institution would satisfy proposed Sec.  1016.9(c)(2)(i)(D) 
notwithstanding the fact that the institution had not previously 
collected asset information. Similarly, a financial institution's 
decision to begin sharing its customers' nonpublic personal information 
with a mortgage broker, even where it had not previously shared that 
information with any mortgage brokers, would not prohibit the financial 
institution from satisfying proposed Sec.  1016.9(c)(2)(i)(D) provided 
that the financial institution had previously disclosed on its privacy 
notice that it shared information with financial service providers.
    With respect to the disclosure required by Sec.  1016.6(a)(8), the 
Bureau notes that proposed Sec.  1016.9(c)(2)(i)(D) would disallow the 
use of the alternative delivery method if a financial institution 
changes the required description of its policies and practices with 
respect to protecting the confidentiality and security of nonpublic 
personal information. The Bureau recognizes that this information is 
distinguishable from the information required by Sec.  1016.6(a)(1) 
through (5) and (9) in that the information required by Sec.  
1016.6(a)(8) does not describe the financial institution's collecting 
or sharing of nonpublic personal information but instead describes the 
financial institution's overall data security policy. The Bureau 
believes that changes in the description of a financial institution's 
data security policy likely are significant enough that when they 
occur, the annual privacy notice should continue to be delivered 
according to the existing methods in Sec.  1016.9. Indeed, in light of 
recent large-scale data security breaches, the Bureau believes that 
some customers may be more interested in the data security policies of 
their financial institutions than they were previously.
    The Bureau notes that stylistic changes to the description of the 
data security policy that do not change the information conveyed on the 
notice would not prevent a financial institution from satisfying 
proposed Sec.  1016.9(c)(2)(i)(D). The Bureau further notes that 
(similar to the information required by Sec.  1016.6(a)(1) through (5) 
and (9)) changes to the underlying data security policy would preclude 
financial institutions from using the alternative delivery method only 
if these policy changes are substantial enough under Regulation P to 
trigger changes in the description of that policy on the annual notice 
itself. The Bureau believes, therefore, that financial institutions 
likely will be able to make improvements to their data security 
practices without necessarily changing information disclosed pursuant 
to Sec.  1016.6(a)(8).
    The Bureau invites comment about the effect on customers of 
conditioning availability of the alternative delivery method on there 
being no change from the previous year's notice without regard to the 
conditions that would be required by proposed Sec.  1016.9(c)(2)(i)(A) 
through (C). The Bureau further invites comment on how

[[Page 27222]]

often financial institutions change their privacy notice such that they 
would be precluded from using the proposed alternative delivery method. 
Lastly, the Bureau invites comment on the extent to which a financial 
institution's changing its data security policy might preclude it from 
using the proposed alternative delivery method and whether the 
information disclosed pursuant to Sec.  1016.6(a)(8) should be included 
in proposed Sec.  1016.9(c)(2)(i)(D).
9(c)(2)(i)(E)
    The last condition for use of the alternative delivery method, 
which would be set forth in proposed Sec.  1016.9(c)(2)(i)(E), requires 
that the financial institution use the model privacy form for its 
annual privacy notice. Though use of the model form constitutes 
compliance with the notice content requirements of Sec. Sec.  1016.6 
and 1016.7, Regulation P does not require use of the model notice.\55\ 
However, the Bureau believes that a large majority of financial 
institutions use the model notice. The model notice was adopted in 2009 
as part of an interagency rulemaking because consumer research revealed 
that the model notice was easier to understand and use than most 
privacy notices then being used.\56\ During outreach, consumer and 
privacy groups told the Bureau that the model notice is easier for 
consumers to understand than other privacy notices. The Bureau is 
proposing to require use of the model notice as a condition of using 
the alternative delivery method to foster the use of a form of notice 
that appears to be more effective in conveying privacy policy 
information to customers than non-standard notices and thus enhance the 
effectiveness of the notice provided under the alternative method.
---------------------------------------------------------------------------

    \55\ 12 CFR 1016.2.
    \56\ 74 FR 62890, 62891 (Dec. 1, 2009).
---------------------------------------------------------------------------

    Accordingly, the Bureau is proposing Sec.  1016.9(c)(2)(i)(E), 
which would permit use of the alternative delivery method only if a 
financial institution uses the model privacy form for its annual 
privacy notice. The Bureau believes that proposed Sec.  
1016.9(c)(2)(i)(E) is likely to encourage some financial institutions 
that are not currently doing so to use the model notice in order to 
take advantage of the cost savings associated with the alternative 
delivery method. Moreover, the Bureau does not believe that requiring 
use of the model notice to be eligible for the alternative delivery 
method creates a significant compliance burden for the minority of 
financial institutions that do not currently use it, especially given 
that financial institutions would not choose to use the alternative 
delivery method if the one-time cost of adopting the model notice were 
not more than offset by the ongoing burden reduction of the alternative 
delivery method for the annual notice.
    The Bureau notes that the model form accommodates information that 
may be required by state or international law, as applicable, in a box 
called ``Other important information.'' \57\ Accordingly, the Bureau 
expects that a financial institution that has additional privacy 
disclosure obligations pursuant to state or international law would 
still be able to use the model form in order to take advantage of the 
proposed alternative delivery method. The Bureau invites comment on 
related state or international law requirements and their interaction 
with the model privacy notice as well as the proposed alternative 
delivery method in general.
---------------------------------------------------------------------------

    \57\ Appendix to part 1016 at C.3.c.1.
---------------------------------------------------------------------------

    The Bureau does not contemplate that adoption of the model privacy 
form, which may require changes to the wording and layout of the 
privacy notice but not to the information conveyed, would constitute a 
change within the meaning of proposed Sec.  1016.9(c)(2)(i)(D). In a 
somewhat analogous situation, the agencies that promulgated the model 
privacy notice explained: ``Adoption of the model form, with no change 
in policies or practices, would not constitute a revised notice [for 
purposes of the rule section on revised privacy notices], although 
institutions may elect to consider the format change as revision, at 
their option.'' \58\ The Bureau solicits comment on whether adoption of 
the model form instead should be considered a change in the annual 
notice pursuant to proposed Sec.  1016.9(c)(2)(i)(D) such that an 
institution adopting the model form in the first instance would be 
precluded from using the proposed alternative delivery method until the 
following year's annual notice. The Bureau further invites comment on 
the extent to which financial institutions currently use the model 
privacy notice and if they do not, whether they would choose to do so 
to take advantage of the proposed alternative delivery method. Lastly, 
the Bureau invites comment on the benefit to customers of receiving the 
model privacy notice rather than a privacy notice in a non-standard 
format.
---------------------------------------------------------------------------

    \58\ 74 FR 62890, 62907 n. 196.
---------------------------------------------------------------------------

9(c)(2)(ii)
    In proposed Sec.  1016.9(c)(2)(ii), the Bureau sets forth the 
alternative delivery method that would be permissible to satisfy the 
requirement in Sec.  1016.5(a)(1) to provide an annual notice if a 
financial institution meets the conditions described in proposed Sec.  
1016.9(c)(2)(i). For the reasons discussed above, the Bureau believes 
that delivery of the annual privacy notice pursuant to the existing 
delivery requirements may be less important for customers if the 
requirements of proposed Sec.  1016.9(c)(2)(i) are met. The Bureau 
believes that delivery pursuant to the alternative delivery method 
proposed, described in detail below, would inform customers of their 
financial institution's privacy policies effectively and at a lower 
cost than the current delivery methods. Although the Bureau believes it 
is unlikely, the Bureau recognizes the possibility that fewer customers 
may read the privacy notice when it is delivered pursuant to the 
alternative method than would have read the notice if it had been 
delivered to them using the current delivery methods. The Bureau 
requests comment on how frequently customers read privacy notices 
delivered pursuant to existing Sec.  1016.9(a) and how frequently the 
notices would be read if they were provided pursuant to the proposed 
alternative delivery method. The Bureau further invites comment 
generally on the components of the alternative delivery method in 
proposed Sec.  1016.9(c)(2)(ii)(A) through (C) and whether any of those 
components should not be required or whether additional components 
should be added.
9(c)(2)(ii)(A)
    Proposed Sec.  1016.9(c)(2)(ii)(A) would set forth the first 
component of the alternative delivery method: that a financial 
institution inform the customer of the availability of the annual 
privacy notice. To satisfy proposed Sec.  1016.9(c)(2)(ii)(A), a 
financial institution would be required to convey in a clear and 
conspicuous manner not less than annually on a notice or disclosure the 
institution is required or expressly and specifically permitted to use 
under any other provision of law that its privacy notice has not 
changed, that the notice is available on its Web site and that a hard 
copy of the notice will be mailed to customers if they call a toll-free 
number to request one.
    Proposed Sec.  1016.9(c)(2)(ii)(A) would use the term ``clear and 
conspicuous,'' which is defined in existing Sec.  1016.3(b)(1) as 
meaning ``reasonably understandable'' and ``designed to call attention 
to the nature and significance of the information.'' The Bureau 
believes that the existing examples in

[[Page 27223]]

Sec.  1016.3(b)(2)(i) and (ii) for reasonably understandable and 
designed to call attention, respectively, likely would provide 
sufficient guidance on ways to make the notice of availability in 
proposed Sec.  1016.9(c)(2)(ii)(A) clear and conspicuous. Specifically, 
because the notice of availability would be combined with another 
notice or disclosure sent to the customer, the Bureau points to 
existing Sec.  1016.3(b)(2)(ii)(E), which states that on a form that 
combines a notice with other information, a notice containing 
distinctive type size, style, and graphic devices, such as shading or 
sidebars, is designed to call attention to the nature and significance 
of the information, as required under the clear and conspicuous 
definition.
    With respect to the notice of availability being conveyed not less 
than annually, the Bureau notes that the proposed rule would permit it 
to be included more often than annually (e.g., quarterly or monthly). 
Although the Bureau is proposing to require the notice of availability 
annually, the Bureau invites comment on the advantages and 
disadvantages of it being provided on a more frequent basis.
    With respect to the type of statement that may be used to convey 
the notice of availability, proposed Sec.  1016.9(c)(2)(ii)(A) would 
permit it to be conveyed on a notice or disclosure the institution is 
required or expressly and specifically permitted to issue under any 
other provision of law. This language is similar to that used in 
Regulation V, which provides that ``a notice required by this subpart 
may be coordinated and consolidated with any other notice or disclosure 
required to be issued under any other provision of law. . . .'' \59\ 
Proposed Sec.  1016.9(c)(2)(ii)(A) would add to that language in order 
to ensure that the notice of availability could be included on 
disclosures that are expressly and specifically permitted by law, even 
if not required. The Bureau notes that a notice of availability would 
satisfy proposed Sec.  1016.9(c)(2)(ii)(A) if it were included on a 
periodic statement which is permitted but not required by Regulation DD 
\60\ but would not satisfy proposed Sec.  1016.9(c)(2)(ii)(A) if 
included on advertising materials that were neither required nor 
specifically permitted by law. Proposed Sec.  1016.9(c)(2)(ii)(A) does 
not specify in more detail the type of statement on which the notice of 
availability must be conveyed because the Bureau intends the 
alternative delivery method to be flexible enough to be used by 
financial institutions whose business practices vary widely. The Bureau 
invites comment on the benefits and costs of requiring the notice of 
availability to be included on a document required or expressly and 
specifically permitted under any other provision of law.
---------------------------------------------------------------------------

    \59\ 12 CFR 1022.23(b).
    \60\ 12 CFR 1030.6.
---------------------------------------------------------------------------

    The Bureau further notes that where two or more financial 
institutions provide a joint privacy notice pursuant to Sec.  
1016.9(f), proposed Sec.  1016.9(c)(2)(ii)(A) would require each 
financial institution to separately provide the notice of availability 
on a notice or disclosure that it is required or permitted to issue. 
The Bureau invites comment on how often financial institutions jointly 
provide privacy notices and whether the proposed alternative delivery 
method would be feasible for such jointly issued notices.
    Proposed Sec.  1016.9(c)(2)(ii)(A) also would require the 
institution to state on the notice that its privacy policy has not 
changed. The Bureau intends this proposed requirement to help customers 
assess whether they are interested in reading the policy. This 
statement would always be accurate if the alternative delivery method 
is used correctly, since a financial institution could not use the 
alternative delivery method if its annual privacy notice had changed.
    Proposed Sec.  1016.9(c)(2)(ii)(A) would further require that the 
statement include a specific web address that takes customers directly 
to the page where the privacy notice is available and a toll-free 
telephone number for customers to call and request that a hard copy of 
the annual notice be mailed to them. With respect to the specific web 
address, the Bureau notes that the language of proposed Sec.  
1016.9(c)(2)(ii)(A) is somewhat similar to an option used on the model 
privacy notice to provide an online opt out of information sharing.\61\ 
Proposed Sec.  1016.9(c)(2)(ii)(A) requires a web address that the 
customer can type into a web browser to directly access the page that 
contains the privacy notice so that the customer need not click on any 
links after typing in the web address. The Bureau believes that a 
direct link may make it easier and more convenient for customers to 
access the privacy notice.
---------------------------------------------------------------------------

    \61\ Appendix to 12 CFR part 1016, at C.2.e.
---------------------------------------------------------------------------

    Proposed Sec.  1016.9(c)(2)(ii)(A) would also require that the 
notice of availability include a toll-free number a customer can call 
to request a hard copy of the annual privacy notice. This requirement 
is intended to assist customers who do not have internet access or 
would prefer to receive a hard copy of the privacy notice. The Bureau 
notes that Regulation P currently contains provisions on the use of a 
toll-free number. For example, existing Sec.  1016.6(d)(4)(i) lists a 
financial institution providing a toll-free number that the consumer 
may call to request a notice as an example of reasonable means by which 
a consumer who is not a customer may obtain a copy of an institution's 
privacy notice. The Bureau expects that most financial institutions 
will already have a toll-free number for their customers to contact 
them and thus providing a toll-free number for this purpose would not 
be a significant burden. Further, the Bureau is concerned that 
requiring a customer to pay for a call to the financial institution to 
request a copy of the privacy notice could impose a new cost on the 
customer that could deter customers from calling to request a hard copy 
of the notice.
    The Bureau invites comment about the advantages and disadvantages 
of requiring financial institutions to provide a toll-free number and 
whether there would be other appropriate ways to balance customers' 
interests and to distinguish between small and large financial 
institutions. The Bureau further invites comment on the relative need 
that the telephone number for customers to request a copy of the 
privacy notice be toll-free, given recent technological and billing 
practice changes to the telephone industry. Lastly, the Bureau invites 
comment on the advantages and disadvantages of requiring financial 
institutions to provide a dedicated telephone number for privacy notice 
requests so that customers can easily request a hard copy of the notice 
without navigating a complicated automated telephone menu.
9(c)(2)(ii)(B)
    Proposed Sec.  1016.9(c)(2)(ii)(B) would set forth the second 
component of the alternative delivery method: That the financial 
institution post its current privacy notice continuously and in a clear 
and conspicuous manner on a page of the institution's Web site that 
contains only the privacy notice. The Bureau believes, based on its 
outreach, that this provision of the alternative delivery method is 
feasible for most financial institutions. Even for a financial 
institution that does not currently post its annual notice on its Web 
site, creating a specific page for this purpose is a one-time process 
that the Bureau believes most financial institutions could implement 
without significant cost. Further, the Bureau

[[Page 27224]]

believes that encouraging financial institutions that do not already do 
so to post the privacy notice on their Web sites may benefit consumers 
by making the notices more widely available.
    Proposed Sec.  1016.9(c)(2)(ii)(B) would require that the annual 
notice be posted on a page of the Web site that contains only the 
privacy notice because the Bureau believes that were the notice 
included on a page with other content, such as other disclosures or 
promotions for products, that content could detract from the prominence 
of the notice and make it less likely that a customer would actually 
read it. However, information that is not content, such as navigational 
menus to other pages on the Web site, could appear on the same page as 
the privacy notice. The Bureau notes that other pages on the financial 
institution's Web site could link to the page containing the privacy 
notice but the customer would still have to be provided a specific web 
address that takes the customer directly to the page where the privacy 
notice is available to satisfy the requirement to post the notice on 
the financial institution's Web site in proposed Sec.  
1016.9(c)(2)(ii)(B).\62\
---------------------------------------------------------------------------

    \62\ With regard to the proposed requirement that the notice be 
posted in a ``clear and conspicuous'' manner, the Bureau notes that 
existing Sec.  1016.3(b)(2)(iii) gives examples of what clear and 
conspicuous means for a privacy notice posted on a Web site. One 
example provides that a financial institution designs its notice to 
call attention to the nature and significance of the information in 
the notice if it uses text or visual cues to encourage scrolling 
down the page if necessary to view the entire notice and ensures 
that other elements on the Web site (such as text, graphics, 
hyperlinks, or sound) do not distract attention from the notice. 
Section 1016.3(b)(2)(iii)(A) and (B) also provides examples of clear 
and conspicuous placement of the notice within the financial 
institution's Web site but these examples do not seem relevant to 
the posting of the notice for the alternative delivery method 
because consumers will be typing into their web browser the web 
address of the specific page that contains the annual notice, rather 
than navigating to the annual notice from the financial 
institution's home page. To the extent that a financial institution 
is satisfying existing Sec.  1016.9(a) and not the alternative 
delivery method proposed in Sec.  1016.9(c)(2) by posting the 
privacy notice on its Web site, the clear and conspicuous examples 
in Sec.  1016.3(b)(2)(iii)(A) and (B) still apply.
---------------------------------------------------------------------------

    Proposed Sec.  1016.9(c)(2)(ii)(B) would further require that the 
Web page that contains the privacy notice be accessible to the customer 
without requiring the customer to provide any information such as a 
login name or password or agree to any conditions to access the page. 
The Bureau is concerned that if customers were required to register for 
a login name or sign in to the financial institution's Web site simply 
to access the privacy notice, it could discourage some customers from 
accessing and reading the notice. Given that the alternative delivery 
method will require customers to seek out the annual notice in a way 
that they have not previously been required to do, proposed Sec.  
1016.9(c)(2)(ii)(B) intends to make accessing the privacy notice on an 
institution's Web site as simple and straightforward as possible. For 
the reasons described above, the Bureau proposes Sec.  
1016.9(c)(2)(ii)(B).
    The Bureau invites comment regarding the prevalence of financial 
institutions that currently maintain Web sites, whether they currently 
post the Regulation P privacy notice on those Web sites, and if they do 
not currently do these things, how costly it would be to do so. The 
Bureau additionally seeks comment on whether financial institutions 
provide different privacy notices for different groups of customers, 
depending on the type of account the customer has with the financial 
institution, such that posting multiple privacy notices on the 
financial institution's Web site may create confusion as to which is 
the relevant privacy notice for any particular customer. Lastly, the 
Bureau seeks comment on the relative benefit or harm to customers of 
accessing the privacy notice on a financial institution's Web site as 
proposed.
9(c)(2)(ii)(C)
    Proposed Sec.  1016.9(c)(2)(ii)(C) would set forth the third 
component of the alternative delivery method: That the financial 
institution promptly mail its current privacy notice to those customers 
who request it by telephone. The Bureau proposes this requirement to 
assist customers without internet access and customers with internet 
access who would prefer to receive a hard copy of the notice. Proposed 
Sec.  1016.9(c)(2)(ii)(C) would include a requirement that the notice 
be mailed promptly to indicate that a financial institution may not, 
for example, wait to mail the privacy notice until another notice or 
disclosure is sent to the customer, but would instead be required to 
mail the privacy notice shortly after receiving the customer's request 
to do so. The Bureau notes that consistent with privacy notices 
currently provided under Regulation P, financial institutions will not 
charge the customer for delivering the annual notice, given that 
delivery of the annual notice is required by statute and regulation. 
For these reasons, the Bureau proposes Sec.  1016.9(c)(2)(ii)(C). The 
Bureau invites comment on whether prompt mailing of the privacy notice 
upon request is feasible for financial institutions and on the relative 
cost associated with mailing privacy notices on request. The Bureau 
further invites comment on whether requiring prompt mailing is 
sufficient to ensure that customers receive privacy notices in a timely 
manner or whether ``promptly'' should be more specifically defined, 
such as by a certain number of days.
9(c)(2)(iii)
    Proposed Sec.  1016.9(c)(2)(iii) would provide an example of a 
notice of availability that satisfies Sec.  1016.9(c)(2)(ii)(A). The 
Bureau intends this example to provide clear guidance on permissible 
content for the notice of availability to facilitate compliance. The 
content of the example notice of availability in proposed Sec.  
1016.9(c)(2)(iii) draws from language in the existing model privacy 
notice, which was previously subject to consumer testing.\63\ The 
proposed example would include the heading ``Privacy Notice'' in 
boldface on the notice of availability. The proposed example further 
would state that Federal law requires the financial institution to tell 
customers how it collects, shares, and protects their personal 
information; this language mirrors the ``Why'' box on the model privacy 
notices.\64\ The remaining portion of the proposed example would inform 
customers that the financial institution's privacy notice has not 
changed, the address of the Web site at which customers can access the 
privacy notice, and the toll-free phone number to call to request a 
free copy of the notice. Because the Bureau believes that this language 
would provide a compliant and effective notice of availability, the 
Bureau proposes Sec.  1016.9(c)(2)(iii).
---------------------------------------------------------------------------

    \63\ See Appendix to 12 CFR part 1016, at A.
    \64\ Id.
---------------------------------------------------------------------------

    The Bureau notes that the proposed example contains certain 
illustrative elements that would satisfy proposed Sec.  1016.9(c)(2) 
but are not specifically required by the proposed rule text. These 
include entitling the notice of availability ``Privacy Notice,'' 
including a statement that ``Federal law requires the financial 
institution to tell customers how it collects, shares, and protects 
their personal information,'' and stating that getting a copy of the 
notice is ``free'' to the consumer. The Bureau invites comment on 
whether the proposed example notice of availability would be feasible 
for financial institutions to implement, whether the illustrative 
elements not specifically required by the rule should be so required, 
and whether the proposed language would be effective in informing 
customers of the availability of the privacy notice.

[[Page 27225]]

V. Section 1022(b)(2) of the Dodd-Frank Act

A. Overview

    In developing the proposed rule, the Bureau has considered the 
potential benefits, costs, and impacts.\65\ The Bureau requests comment 
on the preliminary analysis presented below as well as the submission 
of additional data that could inform the Bureau's analysis of the 
benefits, costs, and impacts of the rule. The Bureau has consulted and 
coordinated with the SEC, CFTC, FTC, and NAIC, and consulted with or 
offered to consult with, the OCC, Federal Reserve Board, FDIC, NCUA, 
and HUD, including regarding consistency with any prudential, market, 
or systemic objectives administered by such agencies.
---------------------------------------------------------------------------

    \65\ Specifically, section 1022(b)(2)(A) of the Dodd-Frank Act 
calls for the Bureau to consider the potential benefits and costs of 
a regulation to consumers and covered persons, including the 
potential reduction of access by consumers to consumer financial 
products or services; the impact on depository institutions and 
credit unions with $10 billion or less in total assets as described 
in section 1026 of the Dodd-Frank Act; and the impact on consumers 
in rural areas.
---------------------------------------------------------------------------

    The proposal would amend Sec.  1016.9(c) of Regulation P to provide 
an alternative method for delivering annual privacy notices. A 
financial institution would be able to use the alternative delivery 
method if:
    (1) It does not share information with nonaffiliated third parties 
other than for purposes under the exclusions allowed under Regulation 
P;
    (2) It does not include on its annual privacy notice an opt out 
under section 603(d)(2)(A)(iii) of the FCRA;
    (3) The annual privacy notice is not the only method used to 
satisfy the requirements of section 624 of the FCRA and subpart C of 
part 1022, if applicable;
    (4) Certain information it is required to convey on its annual 
privacy notice has not changed since it provided the immediately 
previous privacy notice; and
    (5) It uses the Regulation P model privacy form for its annual 
privacy notice.
    Under the proposed alternative delivery method, the financial 
institution would have to:
    (1) Convey at least annually on another notice or disclosure that 
its privacy notice is available on its Web site and will be mailed upon 
request to a toll-free number. Among other things, the institution 
would have to include a specific web address that takes the customer 
directly to the privacy notice;
    (2) Post its current privacy notice continuously on a page of its 
Web site that contains only the privacy notice, without requiring a 
login or any conditions to access the page; and
    (3) Promptly mail its current privacy notice to customers who 
request it by telephone.

B. Potential Benefits and Costs to Consumers and Covered Persons

    Proposed Sec.  1016.9(c)(2) provides certain benefits to consumers 
relative to the baseline established by the current provisions of 
Regulation P. The proposal provides an incentive for financial 
institutions to adopt the model privacy form and to post it on their 
Web sites or, if already adopted, to post the model privacy form on 
their Web sites, as long as there are no other reasons that the 
financial institutions would not be able to use the alternative 
delivery method. Recent research establishes that, at least for banks, 
a large number do not post the model privacy form on their Web sites. 
While the Bureau does not know how many of these financial institutions 
would need to make this change in order to use the alternative delivery 
method, at least some additional consumers would learn about the 
information sharing policies of financial institutions through the 
model privacy form as a result of proposed Sec.  1016.9(c)(2).\66\ 
Given the consumer testing that went into the development of the model 
form and the public input that went into its design, the Bureau 
believes that the model form is generally clearer and easier to 
understand than most privacy notices that deviate from the model.\67\ 
Thus, proposed Sec.  1016.9(c)(2) would likely make it easier for some 
consumers to review privacy policies and opt outs and to make 
comparisons across the privacy policies and opt outs of financial 
institutions.
---------------------------------------------------------------------------

    \66\ See L.F. Cranor, K. Idouchi, P.G. Leon, M. Sleeper, B. Ur, 
Are They Actually Any Different? Comparing Thousands of Financial 
Institutions' Privacy Practices. The Twelfth Workshop on the 
Economics of Information Security (WEIS 2013), June 11-12, 2013, 
Washington, DC. They find that only about half of FDIC insured 
depositories (3,422 out of 6,701) post the model privacy form on 
their Web sites.
    \67\ The development and testing of the model privacy notice is 
discussed in L. Garrison, M. Hastak, J.M. Hogarth, S. Kleimann, A.S. 
Levy, Designing Evidence-based Disclosures: A Case Study of 
Financial Privacy Notices. The Journal of Consumer Affairs, Summer 
2012: 204-234. See also the model privacy form final rule, 74 FR 
62890 (December 1, 2009).
---------------------------------------------------------------------------

    Proposed Sec.  1016.9(c)(2) may also benefit certain consumers by 
disclosing that a financial institution's privacy policy has not 
changed and by reducing the number of full, unchanged privacy policies 
certain consumers receive every year. Under the proposal, consumers who 
transact with financial institutions that adopt the alternative 
delivery method would be informed through a notice or disclosure they 
are already receiving that the privacy policy has not changed but is 
available for their review, and these consumers would only receive the 
full privacy policy as a matter of course when it has changed or other 
requirements for use of the alternative delivery method are not met. 
While there is no data available on the number of consumers who are 
indifferent to (or dislike) receiving full, unchanged privacy notices 
every year, the limited use of opt outs and anecdotal evidence suggest 
that there are such consumers.\68\ Some consumers who want to review 
privacy policies may prefer reading the privacy form on a Web site to 
being mailed one, especially since financial institutions using the 
alternative delivery method must limit their information sharing to 
practices that do not give consumers opt-out rights.
---------------------------------------------------------------------------

    \68\ One early analysis of the use of the opt outs reported that at 
most 5% of consumers make use of them in any year, and likely fewer. 
See J.M. Lacker, The Economics of Financial Privacy: To Opt Out or 
Opt In? Federal Reserve Bank of Richmond Economic Quarterly, Volume 
88/3, Summer 2002.
---------------------------------------------------------------------------

    The Bureau believes that few consumers would experience any costs 
from proposed Sec.  1016.9(c)(2). There is a risk that some consumers 
may be less informed about a financial institution's information 
sharing practices if the financial institution adopts the proposed 
alternative delivery method. However, proposed Sec.  
1016.9(c)(2)(ii)(A) mitigates this risk by requiring annually a clear 
and conspicuous statement that the privacy notice is available on the 
Web site, and proposed Sec.  1016.9(c)(2)(ii)(B) ensures that the model 
privacy form is posted continuously in a clear and conspicuous manner 
on the Web site. Consumers may print the privacy policy at their own 
expense, while under current Sec.  1016.9(c)(2) the notice is delivered 
to them, which represents a transfer of costs from industry to 
consumers. However, proposed Sec.  1016.9(c)(2)(ii)(A) would provide 
consumers with a toll-free telephone number to request that the privacy 
notice be mailed to the consumer, which gives consumers the option of 
obtaining the notice without incurring the cost of printing it. 
Further, the Bureau believes that a printed form is mostly valuable to 
consumers who would exercise opt-out rights. However, the only opt outs 
that could be available to the consumer under proposed Sec.  
1016.9(c)(2) would be voluntary opt 
outs, i.e., opt outs from modes of sharing information that are covered 
by exceptions, or (at the institution's discretion) an Affiliate 
Marketing opt-out beyond those the institution has previously provided 
elsewhere. Voluntary opt outs do not appear to be common.\69\
---------------------------------------------------------------------------

    \69\ See Cranor et al. (2013). Their findings (Table 2) imply 
that at most 15% of the 3,422 FDIC insured depositories that post 
the model privacy form on their Web sites offer at least one 
voluntary opt out.
---------------------------------------------------------------------------

    Regarding benefits and costs to covered persons, the primary effect 
of the proposal would be burden reduction by lowering the costs to 
industry of providing annual privacy notices. Proposed Sec.  
1016.9(c)(2) would impose no new compliance requirements on any 
financial institution. All methods of compliance under current law 
would remain available to a financial institution if the proposal were 
adopted, and a financial institution that is in compliance with current 
law would not be required to take any different or additional action. 
The Bureau believes that a financial institution would adopt the 
proposed alternative delivery method only if it expected the costs of 
complying with the proposed alternative delivery method would be lower 
than the costs of complying with current Regulation P.
    By definition, the expected cost savings to financial institutions 
from the proposed revisions to Sec.  1016.9(c) is the expected number 
of annual privacy notices that would be provided through the proposed 
alternative delivery method multiplied by the expected reduction in the 
cost per notice from using the alternative delivery method. As 
explained below, many financial institutions would not be able to use 
the proposed alternative delivery method without changing their 
information sharing practices. For example, the Bureau believes that 
few financial institutions would find it in their interest to change 
information sharing practices just to reduce the costs of providing the 
annual privacy notice. Thus, the first step in estimating the expected 
cost savings to financial institutions from proposed Sec.  1016.9(c)(2) 
would be to identify the financial institutions whose current 
information sharing practices would allow them to use the proposed 
alternative method. The Bureau would then need to determine their 
current costs for providing the annual privacy notices and the 
expected costs of providing these notices under proposed Sec.  
1016.9(c)(2).\70\
---------------------------------------------------------------------------

    \70\ The analysis that follows makes certain additional 
assumptions about adjustments that financial institutions are not 
likely to make just to be able to adopt the alternative delivery 
method. For example, small institutions might not find it worthwhile 
to establish Web sites or toll-free numbers given the relatively 
small savings in costs that might result. These assumptions are 
discussed further below.
---------------------------------------------------------------------------

    The Bureau does not have sufficient data to perform every step of 
this analysis, but it performed a number of analyses and outreach 
activities to approximate the expected cost savings. Regarding banks, 
the Bureau examined the privacy policies of the 19 banks with assets 
over $100 billion as well as the privacy policies of 106 additional 
banks selected through random sampling.\71\ The Bureau found that the 
overall average rate at which banks' information sharing practices 
would make them eligible for using the alternative delivery method if 
other conditions were met is 80%. However, only 18% of sampled banks 
with assets over $10 billion could clearly use the proposed alternative 
delivery method, while 81% of sampled banks with assets of $10 billion 
or less and 88% of sampled banks with assets of $500 million or less 
could clearly use the proposed alternative delivery method. These 
results indicate that a large majority of smaller banks would likely be 
able to use the proposed alternative delivery method but most of the 
largest banks would not.\72\
---------------------------------------------------------------------------

    \71\ The Bureau defined five strata for banks under $100 billion 
and three strata for credit unions under $10 billion and drew random 
samples from each of the strata. We obtained privacy policies from 
the Web sites of financial institutions.
    \72\ As discussed in the Section-by-Section Analysis, a banking 
trade association commenting on the Streamlining RFI estimated that 
75% of banks do not change their notices from year to year and do 
not share information in a way that gives rise to customer opt-out 
rights. The Bureau's estimate is consistent with this comment.
---------------------------------------------------------------------------

    One caveat regarding these estimates and the ones that follow 
concerns the use of consolidated privacy notices by entities regulated 
by different agencies. Entities that could comply with Regulation P by 
adopting the alternative delivery method are not likely to do so unless 
they have large numbers of readily identified customers with whom 
compliance with GLBA does not further require compliance with the GLBA 
regulations of other agencies. While the Bureau does not have data on 
the frequency with which entities that use consolidated privacy notices 
also meet these additional conditions, the Bureau believes that many 
entities that use consolidated privacy notices are larger financial 
institutions with information sharing practices that would not allow 
them to use the alternative delivery method for compliance with 
Regulation P. The Bureau's estimates regarding the adoption of the 
alternative delivery method are accurate, notwithstanding the use of 
consolidated privacy notices, if the use of consolidated privacy 
notices is highly correlated with information sharing practices that 
alone would prevent the adoption of the alternative delivery mechanism. 
The Bureau requests data and other factual information regarding this 
correlation and more generally regarding the extent to which the use of 
consolidated privacy notices may prevent the adoption of the 
alternative delivery method.
    The Bureau also examined the privacy policies of the four credit 
unions with assets over $10 billion as well as the privacy policies of 
50 additional credit unions selected through random sampling. The 
Bureau found that two of the four credit unions with assets over $10 
billion could clearly use the proposed alternative delivery method 
without changing their information sharing policies. Further, 62% of 
sampled credit unions with assets over $500 million could clearly use 
the alternative delivery method. However, the Bureau also found that 
only 13 of the 25 sampled credit unions with assets of $500 million or 
less either posted the model privacy form on their Web sites or 
provided enough information about their sharing practices to permit a 
clear determination regarding whether the alternative delivery method 
would be available to them (2 of the 25 did not have Web sites). The 
Bureau found that 11 of the 13 (85%) for which a determination could be 
made would be able to use the proposed alternative delivery method, and 
the Bureau believes that a significant majority of the sample of 25 
would be able to use the proposed alternative delivery method (perhaps 
after adopting the model form). For purposes of this analysis, the 
Bureau conservatively assumes that 11 of the 25 sampled credit unions 
with assets of $500 million or less would be able to use the proposed 
alternative delivery method and requests comment on how to improve this 
estimate.
    Regarding non-depository financial institutions, the Bureau 
believes based on initial outreach that a majority are likely to be 
able to use the alternative delivery method. For instance, the 
prohibition on disclosing information to third parties in the Fair Debt 
Collection Practices Act (FDCPA) leads the Bureau to believe that 
financial institutions subject to those limits likely would be able to 
use the alternative delivery method when GLBA notice requirements 
apply.\73\ The Bureau will 
continue to refine its knowledge of the information sharing practices 
of non-depository financial institutions and the extent to which they 
may be able to use the proposed alternative delivery method. The Bureau 
requests comment and the submission of information relevant to this 
issue.
---------------------------------------------------------------------------

    \73\ FDCPA section 805(b) prohibits communication with third 
parties in connection with the collection of a debt.
---------------------------------------------------------------------------

    Although these initial estimates provide some insight into the 
numbers of banks and credit unions that could use the alternative 
delivery method, the Bureau does not have precise data on the number of 
annual privacy notices these institutions currently provide. Thus, it 
is not possible to directly compute the total number of annual privacy 
notices that would no longer be sent. The Bureau does, however, have 
information on the burden of providing the annual privacy notices from 
the Paperwork Reduction Act Supporting Statements for Regulation P that 
are on file with the Office of Management and Budget. This information 
can be used to obtain an initial estimate of the ongoing savings from 
the alternative delivery method.\74\
---------------------------------------------------------------------------

    \74\ It is worth noting at the outset that, with this 
methodology, the total cost of providing the annual privacy notice 
is approximately $28.5 million per year.
---------------------------------------------------------------------------

    In estimating this savings for banks and credit unions, the 
analysis above establishes that it is essential to take into account 
the variation by the size of banks and credit unions in the likelihood 
they could use the alternative delivery method. To ensure that these 
differences inform the estimates, the Bureau allocated the total burden 
of providing the annual privacy notices to asset classes in proportion 
to the share of assets in the class. The Bureau then estimated an 
amount of burden reduction specific to each asset class using the 
results from the sampling described above. The total burden reduction 
is then the sum of the burden reductions in each asset class. For banks 
and credit unions combined, the estimated reduction in burden using 
this methodology is approximately $6 million annually. Regarding non-
depositories, the Bureau believes that a large fraction of non-
depositories of all sizes would be able to use the alternative delivery 
method and used the overall average rate at which banks could utilize 
the alternative delivery method. The estimated reduction in burden is 
approximately $10 million annually.\75\ Thus, the Bureau believes that 
the total reduction in burden is approximately $16 million 
annually. This represents about 56% of the total $28.5 million annual 
cost of providing the annual privacy notice and opt-out notices under 
Regulation P.\76\ The Bureau requests comment on this preliminary 
analysis as well as the submission of additional data that could inform 
the Bureau's consideration of the cost savings to financial 
institutions.
---------------------------------------------------------------------------

    \75\ Note that this figure excludes auto dealers. Auto dealers 
are regulated by the FTC and would not be directly impacted by this 
amendment to Regulation P.
    \76\ The total reduction is approximately $17 million annually 
if 85% of credit unions with assets of $500 million or less use the 
proposed alternative delivery method. This represents about 60% of 
the total annual cost of providing these notices.
---------------------------------------------------------------------------

    The Bureau notes that these estimates of ongoing savings are gross 
figures and do not take into account any ongoing costs associated with 
the alternative delivery method. The Bureau believes that such ongoing 
costs would be minimal. They would consist of additional text on a 
notice or disclosure the institution already provides, additional phone 
calls from consumers requesting that the model form be mailed, and the 
costs of mailing the forms prompted by these calls. The Bureau 
currently believes that few consumers will request that the form be 
mailed in order to read it or to exercise any voluntary opt-out right. 
There would be minimal ongoing costs associated with the alternative 
delivery method from maintaining a Web page if a financial institution 
already has a Web site and none whatsoever if the financial institution 
already has a Web page dedicated to the annual privacy policy. The 
Bureau's research indicates that all but the smallest banks and credit 
unions have Web sites, and the estimates of cost savings assume that 
institutions without Web sites would not adopt the alternative delivery 
method. The Bureau is not 
aware of information regarding the use of Web sites by non-depository 
financial institutions and welcomes information relevant to 
understanding the costs to these institutions of adopting the 
alternative delivery method.
    In developing the proposed rule, the Bureau considered alternatives 
to the requirements it is proposing. As discussed at length above, the 
Bureau believes that the alternative delivery method might not 
adequately alert customers to their ability to opt out of certain types 
of information sharing were it available where a financial institution 
shares beyond the exceptions in Sec. Sec.  1016.13, 1016.14, and 
1016.15. Thus, the Bureau considered but is not proposing an option in 
which the alternative delivery method could be used where a financial 
institution shares beyond one or more of these exceptions. For the same 
reason, the Bureau considered but is not proposing an option in which 
the alternative delivery method could be used where a financial 
institution shares information in a way that triggers information 
sharing opt-out rights under section 603(d)(2)(A)(iii) of the FCRA. On 
the other hand, the Bureau considered but is not proposing an option in 
which the alternative delivery method could never be used where a 
financial institution provides an opt-out right under the Affiliate 
Marketing Rule. A financial institution may use the alternative 
delivery method if it fulfills its opt-out obligations under the 
Affiliate Marketing Rule separately from the annual privacy notice. 
This case is distinguishable from the other two in that the customer is 
not dependent on the alternative delivery method to be made aware of 
the opt-out right under the Affiliate Marketing Rule.
    The Bureau also considered alternatives to the requirements 
regarding the types of information that cannot have changed since the 
previous annual notice to be able to use the alternative delivery 
method. The Bureau discussed these alternatives at length above and 
incorporates that discussion here.

C. Potential Specific Impacts of the Rule

    The Bureau currently understands that 81% of banks with $10 billion 
or less in assets would be able to utilize the alternative delivery 
method, with a greater opportunity for utilization among the smaller 
banks. Thus, the proposed rule may have differential impacts on insured 
depository institutions with $10 billion or less in assets as described 
in section 1026 of the Dodd-Frank Act. The Bureau also currently 
understands that at least 45% of credit unions with $10 billion or less 
in assets, and perhaps substantially more, would be able to utilize the 
alternative delivery method, with a greater opportunity for utilization 
among banks in the middle of this group. The uncertainty reflects the 
relatively large number of very small credit unions that do not post 
the model form on their Web sites and which therefore could not clearly 
use the alternative delivery method.
    The Bureau does not believe that the proposed rule would reduce 
consumers' access to consumer financial products or services or have a 
unique impact on rural consumers.

VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires each 
agency to consider the potential impact of its regulations on small 
entities, including small businesses, small governmental units, 
and small not-for-profit organizations. The RFA generally requires an 
agency to conduct an initial regulatory flexibility analysis (IRFA) and 
a final regulatory flexibility analysis (FRFA) of any rule subject to 
notice-and-comment rulemaking requirements, unless the agency certifies 
that the rule will not have a significant economic impact on a 
substantial number of small entities.\77\ The Bureau also is subject to 
certain additional procedures under the RFA involving the convening of 
a panel to consult with small business representatives prior to 
proposing a rule for which an IRFA is required.\78\
---------------------------------------------------------------------------

    \77\ 5 U.S.C. 603-605.
    \78\ 5 U.S.C. 609.
---------------------------------------------------------------------------

    An IRFA is not required here because the proposal, if adopted, 
would not have a significant economic impact on a substantial number of 
small entities. The Bureau does not expect the proposal to impose costs 
on small entities. All methods of compliance under current law will 
remain available to small entities if the proposal is adopted. Thus, a 
small entity that is in compliance with current law need not take any 
different or additional action if the proposal is adopted. In addition, 
as discussed above, the Bureau believes that the proposed alternative 
method would allow many institutions to reduce their costs, and that 
small financial institutions may be more likely to qualify for using 
the alternative delivery method than large institutions based on the 
complexity of large institutions' information sharing practices.
    Accordingly, the undersigned certifies that this proposal, if 
adopted, would not have a significant economic impact on a substantial 
number of small entities.

VII. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA),\79\ Federal 
agencies are generally required to seek Office of Management and Budget 
(OMB) approval for information collection requirements prior to 
implementation. This proposal would amend Regulation P, 12 CFR part 
1016. The collections of information related to Regulation P have been 
previously reviewed and approved by OMB in accordance with the PRA and 
assigned OMB Control Number 3170-0010. Under the PRA, the Bureau may 
not conduct or sponsor, and, notwithstanding any other provision of 
law, a person is not required to respond to an information collection, 
unless the information collection displays a valid control number 
assigned by OMB.
---------------------------------------------------------------------------

    \79\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    As explained below, the Bureau has determined that this proposed 
rule does not contain any new or substantively revised information 
collection requirements other than those previously approved by OMB. 
Under this proposal, a financial institution will be permitted, but not 
required, to use an alternative delivery method for the annual privacy 
notice if:
    (1) It does not share information with nonaffiliated third parties 
other than for purposes covered by the exclusions allowed under 
Regulation P;
    (2) It does not include on its annual privacy notice an opt out 
under section 603(d)(2)(A)(iii) of the FCRA;
    (3) The annual privacy notice is not the only method used to 
satisfy the requirements of section 624 of the FCRA and subpart C of 
part 1022, if applicable;
    (4) Certain information it is required to convey on its annual 
privacy notice has not changed since it provided the immediately 
previous privacy notice; and
    (5) It uses the Regulation P model privacy form for its annual 
privacy notice.
    Under the proposed alternative delivery method, the financial 
institution would have to:
    (1) Convey at least annually on another notice or disclosure that 
its privacy notice is available on its Web site and will be mailed upon 
request to a toll-free number. Among other things, the institution 
would have to include a specific web address that takes the customer 
directly to the privacy notice;
    (2) Post its current privacy notice continuously on a page of its 
Web site that contains only the privacy notice, without requiring a 
login or any conditions to access the page; and
    (3) Promptly mail its current privacy notice to customers who 
request it by telephone.
    Under Regulation P, the Bureau generally accounts for the paperwork 
burden for the following respondents pursuant to its enforcement/
supervisory authority: Insured depository institutions with more than 
$10 billion in total assets, their depository institution affiliates, 
and certain non-depository institutions. The Bureau and the FTC 
generally both have enforcement authority over non-depository 
institutions subject to Regulation P. Accordingly, the Bureau has 
allocated to itself half of the final rule's estimated burden to non-
depository institutions subject to Regulation P. Other Federal 
agencies, including the FTC, are responsible for estimating and 
reporting to OMB the paperwork burden for the institutions for which 
they have enforcement and/or supervision authority. They may use the 
Bureau's burden estimation methodology, but need not do so.
    The Bureau does not believe that this proposed rule would impose 
any new or substantively revised collections of information as defined 
by the PRA, and instead believes that it would have the overall effect 
of reducing the previously approved estimated burden on industry for 
the information collections associated with the Regulation P annual 
privacy notice. Using the Bureau's burden estimation methodology, the 
reduction in the estimated ongoing burden would be approximately 
567,000 hours annually for the roughly 13,500 banks and credit unions 
subject to the proposed rule, including Bureau respondents, and the 
roughly 29,400 entities regulated by the Federal Trade Commission also 
subject to the proposed rule. The reduction in estimated ongoing costs 
from the reduction in ongoing burden would be approximately $16 million 
annually.
    The Bureau believes that the one-time cost of adopting the 
alternative delivery method for financial institutions that would adopt 
it is de minimis. Financial institutions that already use the model 
form and would adopt the alternative delivery method would incur minor 
one-time legal, programming and training costs. These institutions 
would have to communicate on a notice or disclosure they are already 
issuing under any other provision of law that the privacy notice is 
available. The expense of adding this notice would be minor. Staff may 
need some additional training in storing copies of the model form and 
sending it to customers on request. Institutions that do not use the 
model form would incur a one-time cost for creating one. However, since 
the promulgation of the model privacy form in 2009, an Online Form 
Builder has existed which any institution can use to readily create a 
unique, customized privacy notice using the model form template.\80\ 
The Bureau assumes that financial institutions that do not currently 
have Web sites or provide a toll-free number to their customers would 
not choose to comply with these requirements in order to use the 
alternative delivery method.
---------------------------------------------------------------------------

    \80\ This Online Form Builder is available at http://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.
---------------------------------------------------------------------------

    The Bureau's methodology for estimating the reduction in ongoing 
burden was discussed at length above. The Bureau defined five strata 
for banks under $100 billion and three strata for credit unions under 
$10 billion, drew 
random samples from each of the strata (separately for banks and credit 
unions) and examined the GLBA privacy notices available on the 
financial institutions' Web sites, if any. The Bureau separately 
examined the Web sites of all banks over $100 billion (one additional 
bank stratum) and all credit unions over $10 billion (one additional 
credit union stratum). This process provided an estimate of the 
fraction of institutions within each bank or credit union stratum which 
would likely be able to use the alternative delivery method. In order 
to compute the reduction in ongoing burden (by stratum and overall) for 
these financial institutions, the Bureau apportioned the existing 
ongoing burden to each stratum according to the share of overall assets 
held by the financial institutions within the stratum. This was done 
separately for banks and credit unions. Note that this procedure 
ensures that the largest financial institutions, while few in number, 
are apportioned most of the existing burden. The Bureau then multiplied 
the estimate of the fraction of institutions within each stratum that 
would likely be able to use the alternative delivery method by the 
estimate of the existing ongoing burden within each stratum, separately 
for banks and credit unions. As discussed above, the largest bank and 
credit union strata tended to have the lowest share of financial 
institutions that could use the alternative delivery method.
    For the non-depository institutions subject to the FTC's 
enforcement authority that are subject to the Bureau's Regulation P, 
the Bureau estimated the reduction in ongoing burden by applying the 
overall share of banks that would likely be able to use the alternative 
delivery method (80%) to the current ongoing burden on non-depository 
financial institutions (exclusive of auto dealers) from providing the 
annual privacy notices and opt outs.
    The Bureau takes all of the reduction in ongoing burden from banks 
and credit unions with assets $10 billion and above and half the 
reduction in ongoing burden from the non-depository institutions 
subject to the FTC enforcement authority that are subject to the 
Bureau's Regulation P. The total reduction in ongoing burden taken by 
the Bureau is 256,000 hours or $6.2 million annually.
    The Bureau has determined that the proposed rule does not contain 
any new or substantively revised information collection requirements as 
defined by the PRA and that the burden estimate for the previously-
approved information collections should be revised as explained above. 
The Bureau welcomes comments on these determinations or any other 
aspect of the proposal for purposes of the PRA. Comments should be 
submitted as outlined in the ADDRESSES section above. All comments will 
become a matter of public record.

List of Subjects in 12 CFR Part 1016

    Banks, banking, Consumer protection, Credit, Credit unions, Foreign 
banking, Holding companies, National banks, Privacy, Reporting and 
recordkeeping requirements, Savings associations, Trade practices.

Authority and Issuance

    For the reasons set forth in the preamble, the Bureau proposes to 
amend Regulation P, 12 CFR part 1016, as set forth below:

PART 1016--PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)

1. The authority citation for part 1016 continues to read as follows:

    Authority:  12 U.S.C. 5512, 5581; 15 U.S.C. 6804.

Subpart A--Privacy and Opt-Out Notices

2. Section 1016.9(c) is revised to read as follows:


Sec.  1016.9  Delivering privacy and opt out notices.

* * * * *
    (c) Annual notices only. (1) Reasonable expectation. You may 
reasonably expect that a customer will receive actual notice of your 
annual privacy notice if:
    (i) The customer uses your Web site to access financial products 
and services electronically and agrees to receive notices at the Web 
site, and you post your current privacy notice continuously in a clear 
and conspicuous manner on the Web site; or
    (ii) The customer has requested that you refrain from sending any 
information regarding the customer relationship, and your current 
privacy notice remains available to the customer upon request.
    (2) Alternative method for providing certain annual notices. (i) 
Notwithstanding paragraph (a) of this section, you may use the 
alternative method described in paragraph (c)(2)(ii) of this section to 
satisfy the requirement in Sec.  1016.5(a)(1) to provide a notice if:
    (A) You do not share information with nonaffiliated third parties 
other than for purposes under Sec. Sec.  1016.13, 1016.14, and 1016.15;
    (B) You do not include on your annual privacy notice pursuant to 
Sec.  1016.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the 
Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii));
    (C) The annual privacy notice is not the only notice provided to 
satisfy the requirements of section 624 of the Fair Credit Reporting 
Act (15 U.S.C. 1681s-3) and subpart C of part 1022 of this chapter, if 
applicable;
    (D) The information you are required to convey on your annual 
privacy notice pursuant to Sec.  1016.6(a)(1) through (5), (8), and (9) 
has not changed since you provided the immediately previous privacy 
notice, initial or annual, to the customer; and
    (E) You use the model privacy form in the appendix to this part for 
your annual privacy notice.
    (ii) For an annual privacy notice that meets the requirements in 
paragraph (c)(2)(i) of this section, you satisfy the requirement in 
Sec.  1016.5(a)(1) to provide a notice if you:
    (A) Convey in a clear and conspicuous manner not less than annually 
on a notice or disclosure you are required or expressly and 
specifically permitted to issue under any other provision of law that 
your privacy notice is available on your Web site and will be mailed to 
the customer upon request by telephone to a toll-free number. The 
statement must state that your privacy notice has not changed and must 
include a specific Web address that takes the customer directly to the 
page where the privacy notice is posted and a toll-free telephone 
number for the customer to request that it be mailed;
    (B) Post your current privacy notice continuously in a clear and 
conspicuous manner on a page of your Web site that contains only the 
privacy notice, without requiring the customer to provide any 
information such as a login name or password or agree to any conditions 
to access the page; and
    (C) Mail promptly your current privacy notice to those customers 
who request it by telephone.
    (iii) An example of a statement that satisfies paragraph 
(c)(2)(ii)(A) of this section is: Privacy Notice [in boldface]--Federal 
law requires us to tell you how we collect, share, and protect your 
personal information. Our privacy policy has not changed and you may 
review our policy and practices with respect to your personal 
information at [Web address] or we will mail you a free copy upon 
request if you call us toll-free at [toll-free telephone number].
* * * * *




    Dated: May 6, 2014.
Richard Cordray,
Director, Bureau of Consumer Financial Protection.
[FR Doc. 2014-10713 Filed 5-12-14; 8:45 am]
BILLING CODE 4810-AM-P