[Federal Register Volume 79, Number 208 (Tuesday, October 28, 2014)]
[Rules and Regulations]
[Pages 64057-64082]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-25299]



 ========================================================================
 Rules and Regulations
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains regulatory documents 
 having general applicability and legal effect, most of which are keyed 
 to and codified in the Code of Federal Regulations, which is published 
 under 50 titles pursuant to 44 U.S.C. 1510.
 
 The Code of Federal Regulations is sold by the Superintendent of Documents. 
 Prices of new books are listed in the first FEDERAL REGISTER issue of each 
 week.
 
 ========================================================================
 

  Federal Register / Vol. 79, No. 208 / Tuesday, October 28, 2014 / 
Rules and Regulations  

[[Page 64057]]



BUREAU OF CONSUMER FINANCIAL PROTECTION

12 CFR Part 1016

[Docket No. CFPB-2014-0010]
RIN 3170-AA39


Amendment to the Annual Privacy Notice Requirement Under the 
Gramm-Leach-Bliley Act (Regulation P)

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Bureau of Consumer Financial Protection (Bureau) is 
amending Regulation P, which requires, among other things, that 
financial institutions provide an annual disclosure of their privacy 
policies to their customers. The amendment creates an alternative 
delivery method for this annual disclosure, which financial 
institutions will be able to use under certain circumstances.

DATES: This final rule is effective on October 28, 2014.

FOR FURTHER INFORMATION CONTACT: Nora Rigby and Joseph Devlin, 
Counsels; Office of Regulations, at (202) 435-7700.

SUPPLEMENTARY INFORMATION: 

I. Summary of the Rule

    The Gramm-Leach-Bliley Act (GLBA) \1\ and Regulation P mandate that 
financial institutions provide their customers with initial and annual 
notices regarding their privacy policies. If financial institutions 
share certain customer information with particular types of third 
parties, the institutions are also required to provide notice to their 
customers and an opportunity to opt out of the sharing. The Fair Credit 
Reporting Act (FCRA) requires similar notices of opt-out rights. Many 
financial institutions currently mail printed copies of annual GLBA 
privacy notices to their customers, including notices of GLBA and/or 
FCRA opt-out rights, where applicable, but some of these institutions 
have expressed concern that this practice causes information overload 
for consumers and unnecessary expense.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 6801 et seq.
---------------------------------------------------------------------------

    In response to such concerns, the Bureau proposed and now finalizes 
this rule to allow financial institutions to use an alternative 
delivery method to provide annual privacy notices through posting the 
annual notices on their Web sites if they meet certain conditions. 
Specifically, financial institutions may use the alternative delivery 
method for annual privacy notices if: (1) No opt-out rights are 
triggered by the financial institution's information sharing practices 
under GLBA or FCRA section 603, and opt-out notices required by FCRA 
section 624 have previously been provided, if applicable, or the annual 
privacy notice is not the only notice provided to satisfy those 
requirements; (2) the information included in the privacy notice has 
not changed since the customer received the previous notice; and (3) 
the financial institution uses the model form provided in Regulation P 
as its annual privacy notice.
    To use the alternative method, the financial institution must 
continuously post the annual privacy notice in a clear and conspicuous 
manner on a page of its Web site, without requiring a login or similar 
steps or agreement to any conditions to access the notice. In addition, 
to assist customers with limited or no access to the Internet, the 
institution must mail annual notices to customers who request them by 
telephone, within ten days of the request.
    To make customers aware that its annual privacy notice is available 
through these means, the institution must insert a clear and 
conspicuous statement at least once per year on an account statement, 
coupon book, or a notice or disclosure the institution issues under any 
provision of law. The statement must inform customers that the annual 
privacy notice is available on the financial institution's Web site, 
the institution will mail the notice to customers who request it by 
calling a specific telephone number, and the notice has not changed.
    A financial institution is still required to use one of the 
permissible delivery methods that predate this rule change (referred to 
as the standard delivery methods) if the institution, among other 
things, has changed its privacy practices or engages in information-
sharing activities for which customers have a right to opt out.

II. Background

A. The Statute and Regulation

    The GLBA was enacted into law in 1999.\2\ The statute, among other 
things, is intended to provide a comprehensive framework for regulating 
the privacy practices of an extremely broad range of entities. 
``Financial institutions'' for purposes of the GLBA include not only 
depository institutions and non-depository institutions providing 
consumer financial products or services (such as payday lenders, 
mortgage brokers, check cashers, debt collectors, and remittance 
transfer providers), but also many businesses that do not offer or 
provide consumer financial products or services.
---------------------------------------------------------------------------

    \2\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------

    Rulemaking authority to implement the GLBA privacy provisions was 
initially spread among many agencies. The Federal Reserve Board 
(Board), the Office of Comptroller of the Currency (OCC), the Federal 
Deposit Insurance Corporation (FDIC), and the Office of Thrift 
Supervision (OTS) jointly adopted final rules in 2000 to implement the 
notice requirements of the GLBA.\3\ The National Credit Union 
Administration (NCUA), Federal Trade Commission (FTC), Securities and 
Exchange Commission (SEC), and Commodity Futures Trading Commission 
(CFTC) were part of the same interagency process, but each of these 
agencies issued separate rules.\4\ In 2009, all of the agencies with 
the authority to issue rules to implement the GLBA privacy provisions 
issued a joint final rule with a model form that financial institutions 
could use, at their option, to provide the required initial and annual 
privacy disclosures.\5\
---------------------------------------------------------------------------

    \3\ 65 FR 35162 (June 1, 2000).
    \4\ 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 33646 
(May 24, 2000) (FTC final rule); 65 FR 40334 (June 29, 2000) (SEC 
final rule); 66 FR 21252 (Apr. 27, 2001) (CFTC final rule).
    \5\ 74 FR 62890 (Dec. 1, 2009).
---------------------------------------------------------------------------

    In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection 
Act (Dodd-Frank Act) \6\ transferred GLBA privacy notice rulemaking 
authority from the Board, NCUA, OCC, OTS, the FDIC, and the FTC (in 
part) to the Bureau.\7\ The Bureau then restated the implementing 
regulations in Regulation P, 12 CFR part 1016, in late 2011.\8\
---------------------------------------------------------------------------

    \6\ Public Law 111-203, 124 Stat. 1376 (2010).
    \7\ Public Law 111-203, section 1093. The FTC retained 
rulewriting authority over any financial institution that is a 
person described in 12 U.S.C. 5519 (i.e., motor vehicle dealers 
predominantly engaged in the sale and servicing of motor vehicles, 
the leasing and servicing of motor vehicles, or both).
    \8\ 76 FR 79025 (Dec. 21, 2011).
---------------------------------------------------------------------------

    The Bureau has the authority to promulgate GLBA privacy rules for 
depository institutions and many non-depository institutions. However, 
rulewriting authority with regard to securities and futures-related 
companies is vested in the SEC and CFTC, respectively, and rulewriting 
authority with respect to certain motor vehicle dealers is vested in 
the FTC.\9\ The Bureau has consulted and coordinated with these 
agencies and with the National Association of Insurance Commissioners 
(NAIC) concerning the alternative delivery method.\10\ The Bureau has 
also consulted with other appropriate federal agencies, as required 
under Section 1022 of the Dodd-Frank Act.
---------------------------------------------------------------------------

    \9\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b).
    \10\ In regard to any Regulation P rulemaking, section 504 of 
GLBA provides that each of the agencies authorized to prescribe GLBA 
regulations (currently the Bureau, FTC, SEC, and CFTC) ``shall 
consult and coordinate with the other such agencies and, as 
appropriate, . . . with representatives of State insurance 
authorities designated by the National Association of Insurance 
Commissioners, for the purpose of assuring, to the extent possible, 
that the regulations prescribed by each such agency are consistent 
and comparable with the regulations prescribed by the other such 
agencies.'' 15 U.S.C. 6804(a)(2).
---------------------------------------------------------------------------

1. Annual Privacy Notices
    The GLBA and its implementing regulation, Regulation P,\11\ require 
that financial institutions \12\ provide consumers with certain notices 
describing their privacy policies. Financial institutions are generally 
required to first provide an initial notice of these policies, and then 
an annual notice to customers every year that the relationship 
continues.\13\ (When a financial institution has a continuing 
relationship with the consumer, an annual privacy notice is required 
and the consumer is then referred to as a ``customer.'') \14\ These 
notices describe whether and how the financial institution shares 
consumers' nonpublic personal information,\15\ including personally 
identifiable financial information, with other entities. In some cases, 
these notices also explain how consumers can opt out of certain types 
of sharing. The notices further briefly describe how financial 
institutions protect the nonpublic personal information they collect 
and maintain. Financial institutions typically use U.S. postal mail to 
send initial and annual privacy notices to consumers.
---------------------------------------------------------------------------

    \11\ 12 CFR part 1016.
    \12\ Regulation P defines ``financial institution.'' See 12 CFR 
1016.3(l).
    \13\ 12 CFR 1016.4, 1016.5(a)(1).
    \14\ 12 CFR 1016.3(i).
    \15\ Regulation P defines ``nonpublic personal information.'' 
See 12 CFR 1016.3(p).
---------------------------------------------------------------------------

    Section 502 of the GLBA and Regulation P at Sec.  1016.6(a)(6) also 
require that initial and annual notices inform customers of their right 
to opt out of certain financial institution sharing of nonpublic 
personal information with some types of nonaffiliated third parties. 
For example, customers have the right to opt out of a financial 
institution selling the names and addresses of its mortgage customers 
to an unaffiliated home insurance company and, therefore, the 
institution would have to provide an opt-out notice before it sells the 
information. On the other hand, financial institutions are not required 
to allow consumers to opt out of the institutions' sharing involving 
third-party service providers, joint marketing arrangements, 
maintaining and servicing accounts, securitization, law enforcement and 
compliance, reporting to consumer reporting agencies, and certain other 
activities that are specified in the statute and regulation as 
exceptions to the opt-out requirement.\16\ If a financial institution 
limits its types of sharing to those which do not trigger opt-out 
rights, it may provide a ``simplified'' annual privacy notice to its 
customers that does not include opt-out information.\17\
---------------------------------------------------------------------------

    \16\ 15 U.S.C. 6802(b)(2), (e); 12 CFR 1016.13, 1016.14, 
1016.15.
    \17\ Section 1016.6(c)(5) allows financial institutions to 
provide ``simplified notices'' if they do not disclose, and do not 
wish to reserve the right to disclose, nonpublic personal 
information about customers or former customers to affiliates or 
nonaffiliated third parties except as authorized under Sec. Sec.  
1016.14 and 1016.15. The exceptions at Sec. Sec.  1016.14 and 
1016.15 track statutory exemptions and cover a variety of 
situations, such as maintaining and servicing the customer's 
account, securitization and secondary market sale, and fraud 
prevention. They directly exempt institutions from the opt-out 
requirements. The exception that includes service providers and 
joint marketing arrangements, at Sec.  1016.13, is also statutory, 
but financial institutions that share according to this exception 
may not use the simplified notice, even though consumers cannot opt 
out of this sharing.
---------------------------------------------------------------------------

    In addition to opt-out rights under the GLBA, annual privacy 
notices also may include information about certain consumer opt-out 
rights under the FCRA. The annual privacy disclosures under the GLBA/
Regulation P and affiliate disclosures under the FCRA/Regulation V 
interact in two ways. First, the FCRA imposes requirements on financial 
institutions providing ``consumer reports'' to others, but section 
603(d)(2)(A)(iii) of the FCRA excludes from the statute's definition of 
a consumer report \18\ the sharing of certain information about a 
consumer among the institution's affiliates if the consumer is notified 
of such sharing and is given an opportunity to opt out.\19\ Section 
503(c)(4) of the GLBA and Regulation P require financial institutions 
providing their customers with initial and annual privacy notices to 
incorporate into them any notification and opt-out disclosures provided 
pursuant to section 603(d)(2)(A)(iii) of the FCRA.\20\
---------------------------------------------------------------------------

    \18\ The FCRA defines ``consumer report'' generally as ``any 
written, oral, or other communication of any information by a 
consumer reporting agency bearing on a consumer's credit worthiness, 
credit standing, credit capacity, character, general reputation, 
personal characteristics, or mode of living which is used or 
expected to be used or collected in whole or in part for the purpose 
of serving as a factor in establishing the consumer's eligibility 
for: (A) Credit or insurance to be used primarily for personal, 
family, or household purposes; (B) employment purposes; or (C) any 
other purpose authorized under section 1681b of this title.'' 15 
U.S.C. 1681a.
    \19\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \20\ 15 U.S.C. 6803(c)(4); 12 CFR 1016.6(a)(7).
---------------------------------------------------------------------------

    Second, section 624 of the FCRA and Regulation V's Affiliate 
Marketing Rule provide that an affiliate of a financial institution 
that receives certain information (e.g., transaction history) \21\ from 
the institution about a consumer may not use the information to make 
solicitations for marketing purposes unless the consumer is notified of 
such use and provided with an opportunity to opt out of that use.\22\ 
Regulation V also permits (but does not require) financial institutions 
providing their customers with initial and annual privacy notices under 
Regulation P to incorporate any opt-out disclosures provided under 
section 624 of the FCRA and subpart C of Regulation V into those 
notices.\23\
---------------------------------------------------------------------------

    \21\ The type of information to which section 624 applies is 
information that would be a consumer report, but for the exclusions 
provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA 
(i.e., a report solely containing information about transactions or 
experiences between the consumer and the institution making the 
report, communication of that information among persons related by 
common ownership or affiliated by corporate control, or 
communication of other information as discussed above).
    \22\ 15 U.S.C. 1681s-3 and 12 CFR part 1022, subpart C.
    \23\ 12 CFR 1022.23(b).

---------------------------------------------------------------------------

2. Method of Delivering Annual Privacy Notices
    Section 503 of the GLBA sets forth the requirement that financial 
institutions provide initial and annual privacy disclosures to 
consumers. Specifically, it states that ``a financial institution shall 
provide a clear and conspicuous disclosure to such consumer, in writing 
or in electronic form or other form permitted by the regulations 
prescribed under section 6804 of this title, of such financial 
institution's policies and practices with respect to'' disclosing and 
protecting consumers' nonpublic personal information.\24\ Although 
financial institutions provide most annual privacy notices by U.S. 
postal mail, Regulation P allows financial institutions to provide 
notices electronically (e.g., by email) to customers with their 
consent.\25\
---------------------------------------------------------------------------

    \24\ 15 U.S.C. 6803(a) (emphasis added).
    \25\ 12 CFR 1016.9(a) states that a financial institution may 
deliver the notice electronically if the consumer agrees. After 
discussions with industry stakeholders, however, the Bureau believes 
that most consumers do not receive electronic disclosures.
---------------------------------------------------------------------------

B. CFPB Streamlining Initiative

    In pursuit of the Bureau's goal of reducing unnecessary or unduly 
burdensome regulations, the Bureau in December 2011 issued a Request 
for Information seeking specific suggestions from the public for 
streamlining regulations the Bureau had inherited from other Federal 
agencies (Streamlining RFI). In that RFI, the Bureau specifically 
identified the annual privacy notice as a potential opportunity for 
streamlining and solicited comment on possible alternatives to 
delivering the annual privacy notice.\26\
---------------------------------------------------------------------------

    \26\ 76 FR 75825, 75828 (Dec. 5, 2011).
---------------------------------------------------------------------------

    Numerous industry commenters strongly advocated eliminating or 
limiting the annual notice requirement. They stated that most customers 
ignore annual privacy notices. Even if customers do read them, 
according to industry stakeholders, the content of these disclosures 
provides little benefit, especially if customers have no right to opt 
out of information sharing because the financial institution does not 
share nonpublic personal information in a way that triggers such 
rights. Financial institutions argued that mailing these notices 
imposes significant costs and that there are other ways of conveying to 
customers the information in the written notices just as effectively 
but at a lower cost. Several industry commenters suggested that if an 
institution's privacy notice has not changed, the institution should be 
allowed to communicate on the consumer's periodic statement, via email, 
or by some other cost-effective means that the annual privacy notice is 
available on its Web site or upon request, by telephone.\27\
---------------------------------------------------------------------------

    \27\ On a related issue, industry commenters stated that the 
annual notice causes confusion and unnecessary opt-out requests from 
customers who do not recall that they have already opted out in a 
previous year. As stated in the Supplementary Information to the 
Final Model Privacy Form Under the Gramm-Leach-Bliley Act, a 
financial institution is free to provide additional information in 
other, supplemental materials to customers if it wishes to do so. 
See 74 FR at 62908. For example, a financial institution that uses 
the model form could include supplemental materials outside the 
model form advising those customers who previously opted out that 
they do not need to opt out again if the institution has not changed 
its notice to include new opt-out options. See 74 FR at 62905. In 
the proposed rule, the Bureau requested comment on whether financial 
institutions would want to include on the privacy notice itself a 
statement describing the customer's opt-out status. The response to 
this request was overwhelmingly negative, with industry commenters 
stating that indicating opt-out status on the annual notice would 
add significant costs because the financial institution would have 
to track customers' status and send specific, different forms.
---------------------------------------------------------------------------

    A banking industry trade association and other industry commenters 
suggested that the Bureau eliminate or ease the annual notice 
requirement for financial institutions if their privacy policies have 
not changed and they do not share nonpublic personal information beyond 
the exceptions allowed by the GLBA (e.g., the exception that allows 
sharing nonpublic personal information with the servicer of an 
account). They argued that the GLBA exceptions were crafted to allow 
what Congress viewed as non-problematic sharing and, therefore, the law 
does not require financial institutions to permit consumers to opt out 
of such sharing. The need for an annual notice is thus less evident if 
a financial institution only shares nonpublic personal information 
pursuant to one of these exceptions. The trade association estimated 
that 75% of banks do not share beyond these exceptions and do not 
change their notices from year to year.
    Consumer advocacy groups generally stated that customers benefit 
from financial institutions providing them with printed annual privacy 
notices, which may remind customers of privacy rights that they may not 
have exercised previously. Consumer representatives argued that these 
notices make customers aware of their privacy rights in regard to 
financial institutions, even if customers have no opt-out rights. One 
compliance company commenter agreed with the consumer groups' view of 
the importance of the notices. One advocacy group suggested that a 
narrow easing of annual notice requirements where a financial 
institution shares information only with affiliates might not be 
objectionable, although it did not support changing the current 
requirements. The Bureau did not receive any comment on the annual 
privacy notice change from privacy advocacy groups.

C. Understanding the Effects of Certain Deposit Regulations--Study

    In November 2013, the Bureau published a study assessing the 
effects of certain deposit regulations on financial institutions' 
operations.\28\ This study provided operational insights from seven 
banks about their annual privacy notices.\29\ Many of these banks use 
third-party vendors, who design or distribute the notices on the banks' 
behalf. All seven participants provided the annual notice as a separate 
mailing, which resulted in higher costs for postage, materials, and 
labor than if the notice were mailed with other material. Some 
financial institutions apparently send separate mailings to ensure that 
their disclosures are ``clear and conspicuous,'' \30\ although 2009 
guidance from the eight agencies promulgating the model privacy form 
explained that a separate mailing is not required.\31\ This separate 
mailing practice contrasts with the usual financial institution 
preference (particularly for smaller study participants) to bundle 
mailings with monthly statements. Indeed, subsequent Bureau outreach 
suggests that many financial institutions do mail the annual privacy 
notice with other materials. Finally, while the study participants 
echoed the sentiment that few customers read privacy notices, 
participant banks with call centers also reported that after they send 
annual notices, the number of customers who call about the banks' 
privacy policies increases.
---------------------------------------------------------------------------

    \28\ Consumer Financial Protection Bureau, ``Understanding the 
Effects of Certain Deposit Regulations on Financial Institutions' 
Operations: Findings on Relative Costs for Systems, Personnel, and 
Processes at Seven Institutions'' (Nov. 2013), available at http://files.consumerfinance.gov/f/201311_cfpb_report_findings-relative-costs.pdf.
    \29\ Information collected for the study may be used to assist 
the Bureau in its investigations of ``the effects of a potential or 
existing regulation on the business decisions of providers.'' OMB 
Information Request--Control Number: 3170-0032.
    \30\ 15 U.S.C. 6803 (``[In the initial and annual privacy 
notices] a financial institution shall provide a clear and 
conspicuous disclosure. . . .''); 12 CFR 1016.3(b)(1) (defining 
``clear and conspicuous'' as ``reasonably understandable and 
designed to call attention to the nature and significance of the 
information in the notice.'')
    \31\ See 74 FR at 62897-62898.

---------------------------------------------------------------------------

D. Further Outreach

    In addition to the consultations with other government agencies 
discussed above, while preparing the proposed rule the Bureau conducted 
further outreach to industry and consumer advocate stakeholders. The 
Bureau held meetings with consumer groups, including groups and 
individuals with a specific interest in privacy issues. The Bureau also 
held meetings with industry groups that represent institutions that 
must comply with the annual privacy notice requirement, including 
banks, credit unions, mortgage servicers, and debt buyers.
    As with the responses to the Streamlining RFI, the consumer groups 
generally expressed the view that mailed privacy notices were useful, 
even when no opt-out rights were present, and that changes were not 
necessary. Among other comments, they suggested that the Bureau promote 
the use of the Regulation P model form. The industry participants also 
generally expressed similar views to those expressed by industry in 
response to the Streamlining RFI. They supported creation of an 
alternative delivery method for annual privacy notices.\32\
---------------------------------------------------------------------------

    \32\ Recently Congress considered proposed legislation that 
would provide burden relief as to annual privacy notices, though no 
law has been enacted. See, e.g., H.R. 749, passed by the House and 
referred to the Senate in March of 2013; and S. 635, introduced in 
the Senate in late 2013.
---------------------------------------------------------------------------

E. Comments on the Proposed Rule

    On May 13, 2014, the Bureau published a proposed rule in the 
Federal Register to amend 12 CFR 1016.9, the Regulation P provision on 
annual privacy notices.\33\ The comment period closed on July 14, 2014. 
In response to the proposal, the Bureau received approximately 130 
comments from industry trade associations, consumer groups, public 
interest groups, individual financial institutions, and others. As 
discussed in more detail below, the Bureau has considered these 
comments in adopting this final rule.
---------------------------------------------------------------------------

    \33\ See 79 FR 27214 (May 13, 2014). The Bureau subsequently 
extended the comment deadline. 79 FR 30485 (May 28, 2014).
---------------------------------------------------------------------------

    Two commenters discussed the proposed rule's relation to and 
potential conflicts with the law of certain states. During the 
preparation of this final rule, the Bureau consulted with the two 
states that were identified as having laws that might preclude use of 
the alternative delivery method and explained the nature and benefits 
of the change being made to Regulation P. The two states are reviewing 
their laws and considering how to proceed.

F. Effective Date

    Numerous industry commenters requested that any final rule adopted 
be made effective immediately, to make the rule's benefits available as 
soon as possible. An agency must allow 30 days before a substantive 
rule is made effective, unless, among other things, the rule ``grants 
or recognizes an exemption or relieves a restriction'' \34\ or ``as 
otherwise provided by the agency for good cause found and published 
with the rule.'' \35\ This rule recognizes an exemption from or 
relieves a restriction on providing the Regulation P annual privacy 
notice according to the standard delivery methods, and does not create 
any new requirement because a financial institution can choose not to 
use the new method. Accordingly, the 30 day delay in effective date 
does not apply and the Bureau finds good cause to make this rule 
effective immediately on publication in the Federal Register, in order 
to allow financial institutions and consumers to enjoy the benefits of 
this rule as soon as possible.
---------------------------------------------------------------------------

    \34\ 5 U.S.C. 553(d)(1).
    \35\ 5 U.S.C. 553(d)(3).
---------------------------------------------------------------------------

G. Privacy Considerations

    In developing the proposed rule and this final rule, the Bureau 
considered its potential impact on consumer privacy. The rule will not 
affect the collection or use of consumers' nonpublic personal 
information by financial institutions. The rule will expand the 
permissible methods by which financial institutions subject to 
Regulation P may deliver annual privacy notices to their customers in 
limited circumstances. Among other limitations, it will not expand the 
permissible delivery methods if financial institutions make various 
types of changes to their annual privacy notices or if their annual 
privacy notices afford customers the right to opt out of financial 
institutions' sharing of customers' nonpublic personal information. The 
rule is designed to ensure that when the alternative delivery method is 
used, customers will continue to have access to clear and conspicuous 
annual privacy notices.

III. Legal Authority

    The Bureau is issuing this final rule pursuant to its authority 
under section 504 of the GLBA, as amended by section 1093 of the Dodd-
Frank Act.\36\ The Bureau is also issuing this rule pursuant to its 
authority under sections 1022 and 1061 of the Dodd-Frank Act.\37\
---------------------------------------------------------------------------

    \36\ 15 U.S.C. 6804.
    \37\ 12 U.S.C. 5512, 5581.
---------------------------------------------------------------------------

    Prior to July 21, 2011, rulemaking authority for the privacy 
provisions of the GLBA was shared by eight federal agencies: The Board, 
the FDIC, the FTC, the NCUA, the OCC, the OTS, the SEC, and the CFTC. 
The Dodd-Frank Act amended a number of Federal consumer financial laws, 
including the GLBA. Among other changes, the Dodd-Frank Act transferred 
rulemaking authority for most of Subtitle A of Title V of the GLBA, 
with respect to financial institutions described in section 
504(a)(1)(A) of the GLBA, from the Board, FDIC, FTC, NCUA, OCC, and OTS 
(collectively, the transferor agencies) to the Bureau, effective July 
21, 2011.

IV. Section-by-Section Analysis

Section 1016.1--Purpose and Scope

    The Bureau is making technical corrections to two U.S. Code 
citations in Sec.  1016.1(b)(1).

Section 1016.9--Delivering Privacy and Opt-Out Notices

    Section 1016.9 of Regulation P describes how a financial 
institution must provide both the initial notice required by Sec.  
1016.4 and the annual notice required by Sec.  1016.5. Specifically, 
existing Sec.  1016.9(a) requires the notice to be provided so that 
each consumer can reasonably be expected to receive actual notice in 
writing or, if the consumer agrees, electronically. Existing Sec.  
1016.9(b) provides examples of delivery that will result in reasonable 
expectation of actual notice, including hand delivery, delivery by 
mail, or electronic delivery for consumers who conduct transactions 
electronically. Existing Sec.  1016.9(c), redesignated by this final 
rule as Sec.  1016.9(c)(1), provides examples regarding reasonable 
expectation of actual notice that apply to annual notices only.
    In the proposed rule, the Bureau proposed to add Sec.  
1016.9(c)(2), which would create an alternative delivery method for 
annual privacy notices, by which financial institutions that met 
certain requirements could comply with the annual notice requirement in 
Sec.  1016.9(a). For the reasons discussed below, the Bureau is 
adopting Sec.  1016.9(c)(2) substantially as proposed, with certain 
minor modifications.
Proposed Rule
    As stated above, the Bureau proposed to add Sec.  1016.9(c)(2), 
which would create an alternative delivery method for annual privacy 
notices, by which financial institutions that met certain requirements 
could comply with the

[[Page 64061]]

annual notice requirement in Sec.  1016.9(a). The Bureau proposed to 
allow use of the alternative delivery method to reduce information 
overload, specifically by eliminating duplicative paper privacy notices 
in situations in which the customer generally has no ability to opt out 
of the financial institution's information sharing.\38\ Moreover, the 
Bureau proposed to allow use of the alternative delivery method to 
decrease the burden on financial institutions of delivering notices, 
while typically continuing to require delivery of notices pursuant to 
the standard methods in situations in which customers could opt out of 
information sharing.
---------------------------------------------------------------------------

    \38\ The Bureau noted in the proposed rule that the alternative 
delivery method would be available even where a notice and opt out 
is offered under the Affiliate Marketing Rule, subpart C of 12 CFR 
part 1022, which relates to marketing based on information shared by 
a financial institution, as long as the Affiliate Marketing Rule 
notice and opt out is also provided separately from the Regulation P 
annual privacy notice. (For example, this separate Affiliate 
Marketing Rule notice and opt-out can be provided on the initial 
privacy notice under Regulation P, which cannot be delivered via the 
alternative delivery method in any case.) The final rule adopts this 
approach. See the section-by-section discussion of Sec.  
1016.9(c)(2)(i)(C), below.
---------------------------------------------------------------------------

    Under the alternative delivery method as proposed, customers would 
have access via financial institutions' Web sites (or by postal mail on 
request) to annual privacy notices that are conveyed via the model 
form, that generally do not inform customers of any right to opt out, 
and that repeat the same information as in previous privacy notices. 
Further, because financial institutions would be required to post their 
privacy notices continuously on their Web sites, customers would be 
able to access privacy notices throughout the year rather than waiting 
for an annual mailing. Financial institutions would be required to 
deliver to customers an annual reminder, on another notice or 
disclosure, of the availability of the privacy notice on the 
institution's Web site and by mail upon telephone request. In light of 
these considerations, the Bureau believed that where the conditions set 
forth in the proposed rule would be satisfied, any incremental benefit 
in terms of customers' awareness of privacy issues that might accrue 
from requiring delivery of the annual privacy notice pursuant to the 
standard methods would be outweighed by the costs of providing the 
notice, costs that ultimately might be passed through to customers.
Comments
    In the proposed rule, the Bureau sought data and other information 
concerning the effect on customer privacy rights if financial 
institutions were to use the alternative delivery method rather than 
the standard delivery methods. The Bureau further requested comment on 
whether the proposed alternative delivery method would be effective in 
reducing the potential for information overload on customers and 
reducing the burden on financial institutions of mailing hard copy 
privacy notices.
    Comments from industry and consumer and public interest groups 
stated that the alternative delivery method would be beneficial to or 
have no effect on customers' awareness and exercise of their privacy 
rights under Regulation P. Industry commenters indicated that the 
proposal would reduce information overload. In regard to burden 
reduction, comments and earlier outreach indicated that a majority of 
credit unions, a large number of banks, and many other financial 
institutions would benefit from being able to use the alternative 
delivery method. In addition, proposal comments and earlier outreach 
have indicated that small financial institutions are less likely to 
share their customers' nonpublic personal information in a way that 
triggers customers' opt-out rights, and so it is likely that many of 
those small institutions can decrease their costs through the use of 
the alternative delivery method.
    Many industry commenters, however, objected to certain aspects and 
requirements of the alternative delivery method, and stated that 
eliminating these conditions and requirements would significantly 
increase the rule's burden reduction. Consumer and public interest 
groups, though, supported the inclusion of the conditions and 
requirements. These comments are discussed below in relation to the 
specific provisions they address.
    In the proposal, the Bureau noted that the alternative delivery 
method would be available where customers have already consented to 
receive their privacy notices electronically pursuant to Sec.  
1016.9(a) and invited comment regarding how often privacy notices are 
delivered electronically under existing Regulation P. The Bureau 
further invited comment on whether the proposed alternative delivery 
method is appropriate for customers who already receive privacy notices 
electronically and whether financial institutions that currently 
provide the notice electronically would be likely to use the proposed 
alternative delivery method. Only a few commenters addressed this 
issue. Some financial institutions indicated that most customers do not 
receive their annual privacy notices by electronic means, but that the 
institutions may want to use the alternative delivery method for those 
that do. The institutions also requested clarification of how this 
should be done.
    In the proposed rule, the Bureau also noted that potential 
comparison shopping by consumers among financial institutions based on 
privacy policies was one of the objectives that GLBA model privacy 
notices, primarily initial privacy notices, were intended to 
accomplish. See 15 U.S.C. 6803(e).\39\ The Bureau invited empirical 
data on whether consumers do comparison shop among financial 
institutions based on privacy notices. The Bureau did not receive any 
such data.
---------------------------------------------------------------------------

    \39\ Facilitating comparison shopping based on privacy policies 
was also mentioned repeatedly in the preamble to the model privacy 
notice rule. See generally 74 FR 62890.
---------------------------------------------------------------------------

Final Rule
    As explained in the proposed rule, the specific language of section 
503(a) of the GLBA grants some latitude in specifying by rule the 
method of conveying the annual notices, as long as a ``clear and 
conspicuous disclosure'' is provided ``in writing or in electronic form 
or other form permitted by the regulations.'' The Bureau's statutory 
interpretation allowing the alternative delivery method provision to 
satisfy this disclosure requirement applies only to the specific type 
of disclosure involved in the rule and in the limited circumstances 
presented here, pursuant to the specific language of GLBA section 503.
    In relation to the comments regarding notices currently delivered 
electronically, the Bureau reiterates that the alternative delivery 
method is available in lieu of the existing standard delivery methods 
including electronic delivery. In addition, as discussed below, the 
Bureau now clarifies that the notice of availability required by Sec.  
1016.9(c)(2)(ii)(A) may be included on account statements, coupon 
books, or notices or disclosures an institution is required or 
expressly and specifically permitted to issue to the customer under any 
other provision of law and delivered through a means otherwise 
permitted for that type of account statement, coupon book, or notice or 
disclosure, including electronic delivery where applicable. For 
example, the notice of availability may be included on a mortgage 
loan's periodic statement that is delivered electronically if the 
electronic delivery is in compliance with the Electronic Signatures in 
Global

[[Page 64062]]

and National Commerce Act \40\ (E-Sign) as required by Regulation 
Z.\41\
---------------------------------------------------------------------------

    \40\ 15 U.S.C. 7001-7031.
    \41\ See 12 CFR 1026.31(b) and 1026.41.
---------------------------------------------------------------------------

    The Bureau adopts Sec.  1016.9(c)(2) substantially as proposed, 
with minor modifications. Comments on the specific provisions of Sec.  
1016.9(c)(2), and the specific provisions as adopted in this final 
rule, are discussed more fully below.

Section 1016.9(c)(2) Alternative Method for Providing Certain Annual 
Notices

Section 1016.9(c)(2)(i)

    Proposed Sec.  1016.9(c)(2) would have set forth an alternative to 
Sec.  1016.9(a) for providing certain annual notices. Proposed Sec.  
1016.9(c)(2)(i) would have provided that, notwithstanding the general 
notice requirement in Sec.  1016.9(a), a financial institution may use 
the alternative method set forth in proposed Sec.  1016.9(c)(2)(ii) to 
satisfy the requirement in Sec.  1016.5(a)(1) to provide an annual 
notice if the institution met certain conditions as specified in 
proposed Sec.  1016.9(c)(2)(i)(A) through (E). The Bureau is adopting 
Sec.  1016.9(c)(2)(i) as proposed. The Bureau also proposed certain 
technical amendments to accommodate the new provision, which are 
adopted unchanged in the final rule.\42\
---------------------------------------------------------------------------

    \42\ Existing Sec.  1016.9(c) is redesignated as Sec.  
1016.9(c)(1) and its subparagraphs redesignated as Sec.  
1016.9(c)(1)(i) and (ii), respectively, to accommodate the addition 
of Sec.  1016.9(c)(2). The Bureau is also adding a heading to new 
paragraph (c)(1) for technical reasons.
---------------------------------------------------------------------------

Comments
    The Bureau invited comment generally on the conditions in proposed 
Sec.  1016.9(c)(2)(i)(A) through (E) and whether any of those 
conditions should not be required or whether additional conditions 
should be added. Commenters generally discussed the conditions 
individually, and those comments are discussed in regard to each of 
those individual conditions below. No industry commenters suggested 
additional conditions. A consumer group and an academic commenter 
suggested unrelated enhancements to the privacy notice regulations that 
would severely impede the burden reduction achieved by this rule and 
have not been adopted. An industry trade association suggested that the 
Bureau remove the required conditions because the alternative delivery 
method is superior to the standard methods, and all customers and 
financial institutions should benefit from its use in all 
circumstances. Other industry commenters suggested that the conditions 
were unnecessary because customers do not read the notices anyway. 
Several industry commenters suggested that the Bureau's rule should not 
put more restrictions on the web posting of privacy notices than 
related pending legislation in Congress would if such legislation were 
enacted.\43\
---------------------------------------------------------------------------

    \43\ Certain requirements for use of the alternative delivery 
method, such as those relating to FCRA opt-outs and use of the model 
privacy form, are not mentioned in any of the versions of this 
pending legislation.
---------------------------------------------------------------------------

Final Rule
    The Bureau adopts Sec.  1016.9(c)(2)(i) as proposed. The Bureau 
believes that the alternative delivery method provides appropriate and 
sufficient notice if a privacy notice has not changed and is not needed 
to inform the customer of his or her opt-out rights. The Bureau, 
however, also believes that generally requiring financial institutions 
to use the standard delivery methods for notices that have changed or 
that are required to inform consumers of opt-out rights is more 
consistent with the importance to the GLBA statutory scheme of 
customers' ability to exercise opt-out rights. The Bureau also believes 
that the continued use of standard delivery methods in these 
circumstances is more consumer-friendly than allowing use of the 
alternative delivery method where notices have changed or are required 
to inform customers of opt-out rights. In regard to pending bills in 
Congress, the Bureau notes that the final rule is promulgated to 
implement the current GLBA statutory scheme.

Section 1016.9(c)(2)(i)(A)

    Proposed Sec.  1016.9(c)(2)(i)(A) would have set forth the first 
condition for using the alternative delivery method: That the financial 
institution does not share the customer's information with 
nonaffiliated third parties other than through the activities specified 
under Sec. Sec.  1016.13, 1016.14 and 1016.15 that do not trigger 
opt-out rights under the GLBA. For the reasons discussed below, the Bureau 
is finalizing Sec.  1016.9(c)(2)(i)(A) as proposed, with minor 
technical revisions.
Proposed Rule
    For the reasons stated in the proposal, the Bureau proposed to 
continue to require standard delivery of the annual notice where 
customers have opt-out rights. The Bureau further proposed limiting the 
alternative delivery method to circumstances in which customers have no 
information sharing opt-out rights under Regulation P as a way to 
reduce the burden of compliance generally while still mandating the use 
of the standard delivery methods to ensure that customers have direct 
notice of any opt-out rights they have. This approach was also 
reflected in proposed Sec.  1016.9(c)(2)(i)(B) and (C), discussed in 
detail below, which would have limited the use of the alternative 
delivery method where a financial institution shares customer 
information with affiliates in a way that triggers opt-out rights under 
FCRA sections 603(d)(2)(A)(iii) and 624.
Comments
    Many commenters addressed Sec.  1016.9(c)(2)(i)(A), (B), and (C) 
(the ``opt-out conditions'') collectively without distinguishing among 
them.\44\ For example, several consumer and privacy advocacy groups 
stated that they supported finalizing the opt-out conditions because 
many customers will not take the additional steps necessary to access 
or receive a privacy notice under the alternative delivery method and 
that it is therefore appropriate to permit use of it only if a customer 
does not have opt-out rights. Similarly, a civil rights public interest 
group supported the opt-out conditions in part, stating that these 
limitations would incentivize financial institutions not to share their 
customers' information. An organization representing state banking 
regulators also generally supported the proposed conditions for the 
alternative delivery method without specifically commenting on the 
opt-out conditions. Several individual credit unions and community banks 
either expressly supported the opt-out conditions or supported the 
proposal generally without addressing the opt-out conditions. Many 
financial institution commenters also expressed support for legislation 
currently pending in Congress that would either eliminate the 
requirement to provide an annual notice or allow an institution to 
provide access to an annual notice electronically if a financial 
institution does not share information in a way that triggers opt-out 
rights under the GLBA and other conditions are met.\45\
---------------------------------------------------------------------------

    \44\ To the extent that commenters distinguished among the 
opt-out conditions, they focused on the conditions proposed in Sec.  
1016.9(c)(2)(i)(B) and (C), which are discussed in detail in the 
section-by-section analysis below.
    \45\ See, e.g., H.R. 749, passed by the House and referred to 
the Senate in March of 2013; and S. 635, introduced in the Senate in 
late 2013.
---------------------------------------------------------------------------

    In contrast, however, other industry commenters, especially those 
representing larger financial institutions, objected to limiting the 
alternative delivery method to financial institutions that are not 
required to provide opt-out rights to their

[[Page 64063]]

customers, stating that such conditions would prevent them from using 
the alternative delivery method. These commenters stated that most 
large financial institutions, including most large non-bank financial 
institutions, share information in such a way that they are required to 
offer opt-out rights to their customers under either the GLBA or the 
FCRA (or both) and thus they would not be able to use the proposed 
alternative delivery method.\46\ These commenters asserted that the 
opt-out conditions would significantly limit the burden reduction from 
the proposal.
---------------------------------------------------------------------------

    \46\ A national trade association representing business 
interests stated that banks that hold collectively half of all U.S. 
deposits would not be able to use the alternative delivery method as 
proposed.
---------------------------------------------------------------------------

    Moreover, commenters objecting to not allowing the use of the 
alternative delivery method if customers have opt-out rights stated 
that customers only very infrequently exercise their rights to opt out 
of information sharing after receiving mailed annual privacy notices 
and thus the Bureau does not need to require standard delivery of 
notices even if opt-out rights exist. One national trade association 
representing business interests stated that the Bureau's admission in 
the proposal, that it is unlikely that fewer customers would read the 
privacy notice if financial institutions deliver it pursuant to the 
alternative method than read it if mailed, undercuts the notion that 
mailed notices are more effective.
Final Rule
    The Bureau is adopting Sec.  1016.9(c)(2)(i)(A) as proposed except 
for technical revisions to revise the wording from ``share with'' to 
``disclose to'' to be consistent with most of the rest of the existing 
rule text in part 1016 and to clarify that the information that may not 
be disclosed is the ``customer's nonpublic personal information.'' The 
Bureau is aware that the proposed opt-out conditions in Sec.  
1016.9(c)(2)(i)(A), (B), and (C) will preclude some financial 
institutions from using the alternative delivery method. Nonetheless, 
the Bureau believes that because of the importance to the statutory 
scheme of customers' ability to exercise opt-out rights, financial 
institutions must continue to satisfy requirements to provide 
information about these rights through the standard delivery methods. 
In addition, as shown by the Bureau's research in connection with the 
proposal \47\ and by comments received on the proposal, the Bureau 
believes that even with these conditions, many financial institutions 
will be able to use the alternative method, which will relieve burden 
for them and reduce information overload for their customers.\48\ With 
respect to the comment that few customers opt out of information 
sharing when they receive notices through the standard delivery 
methods, the Bureau believes that standard delivery of the annual 
privacy notice is a more consumer-friendly method for conveying the 
existence of opt-out rights to customers and allowing them to exercise 
those rights. As to whether fewer customers will read the privacy 
notice when delivered pursuant to the alternative delivery method, the 
Bureau notes that there is no reliable evidence bearing on this 
question. In the absence of such evidence the Bureau opts to continue 
the standard delivery methods (e.g., mail) that require the least 
amount of effort from consumers to exercise their opt-out rights.
---------------------------------------------------------------------------

    \47\ 79 FR at 27227.
    \48\ Apart from individual institutions that stated whether they 
would be able to use the alternative method, few commenters provided 
data on how many financial institutions would be precluded from 
using the alternative delivery method because of the opt-out 
condition. One state association representing banks did provide such 
data noting that only 11 of 99 banks that responded to the 
association's survey would not be eligible to use the proposed 
alternative delivery method.
---------------------------------------------------------------------------

Section 1016.9(c)(2)(i)(B) and 9(c)(2)(i)(C)

    Proposed Sec.  1016.9(c)(2)(i)(B) would have set forth the second 
condition for using the alternative delivery method for the annual 
privacy notice: That the financial institution not include on its 
annual notice an opt out under section 603(d)(2)(A)(iii) of the 
FCRA.\49\ Proposed Sec.  1016.9(c)(2)(i)(C) would have presented the 
third condition for using the alternative delivery method: that the 
annual privacy notice is not the only notice provided to satisfy the 
requirements of section 624 of the FCRA \50\ and subpart C of 12 CFR 
part 1022 (the ``Affiliate Marketing Rule''). For the reasons discussed 
below, the Bureau is finalizing Sec.  1016.9(c)(2)(i)(B) as proposed 
and is finalizing Sec.  1016.9(c)(2)(i)(C) as revised.
---------------------------------------------------------------------------

    \49\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \50\ 15 U.S.C. 1681s-3.
---------------------------------------------------------------------------

Proposed Rule
    As discussed in part II above, FCRA section 603(d)(2)(A)(iii) 
excludes from the statute's definition of ``consumer report'' a 
financial institution's sharing of certain information about a consumer 
with its affiliates if the financial institution provides the consumer 
with notice and an opportunity to opt out of the information sharing. 
Section 503(b)(4) of the GLBA expressly requires a financial 
institution's privacy notice to include any disclosures the financial 
institution is required to make under section 603(d)(2)(A)(iii) of the 
FCRA, if any. Section 1016.6(a)(7), which implements this statutory 
directive, requires a financial institution's privacy notice to include 
any disclosures the institution makes under section 603(d)(2)(A)(iii). 
As stated in the proposal, because the Bureau proposed the alternative 
delivery method be available only if notices are not required to inform 
customers of opt-out rights, proposed Sec.  1016.9(c)(2)(i)(B) provided 
that annual notices that inform customers of FCRA section 
603(d)(2)(A)(iii) opt-out rights, like notices that inform customers of 
GLBA opt-out rights, would have to continue to be delivered pursuant to 
the standard delivery methods.
    In contrast to the FCRA section 603(d)(2)(A)(iii) notice and 
opt-out right, the Affiliate Marketing Rule notice and opt out is not 
required by either the GLBA or Regulation P to be included on the 
annual privacy notice. The Affiliate Marketing Rule notice and opt out 
may be included on this notice, however. Given that the Affiliate 
Marketing Rule notice and opt out is not required on the annual privacy 
notice (and indeed does not have to be provided annually),\51\ the 
Bureau believes, as stated in the proposal, that including the 
Affiliate Marketing Rule opt-out on the annual notice should not 
preclude a financial institution from using the alternative delivery 
method. The Bureau therefore proposed Sec.  1016.9(c)(2)(i)(C), which 
would have allowed a financial institution to use the alternative 
delivery method if it provides the customer with an opt-out right under 
the Affiliate Marketing Rule as long as the Regulation P annual privacy 
notice was not the only notice provided to satisfy the Affiliate 
Marketing Rule, if applicable.
---------------------------------------------------------------------------

    \51\ 72 FR 62910, 62930 (Nov. 7, 2007).
---------------------------------------------------------------------------

    As it did in the proposal, the Bureau notes that the required 
duration of a consumer opt-out under the Affiliate Marketing Rule 
depends on whether the Affiliate Marketing Rule notice and opt out is 
included as part of the Regulation P model privacy notice or issued 
separately. If a financial institution includes the Affiliate Marketing 
Rule notice and opt out on the model privacy notice, Regulation P 
requires that opt out to be of indefinite duration.\52\ In contrast, if 
a financial institution provides the Affiliate Marketing Rule

[[Page 64064]]

notice and opt out separately, Regulation V allows the opt out to be 
offered for as few as five years, subject to renewal, and the 
disclosure of the duration of the opt out must be included on the 
separate notice.\53\ As stated in the proposal, the Bureau believes 
that prohibiting the use of the alternative delivery method if a 
financial institution voluntarily includes the Affiliate Marketing Rule 
notice and opt-out on its annual privacy notice could discourage 
financial institutions from including it. If so, it could be to the 
detriment of consumers who otherwise likely would not receive annual 
notice of their Affiliate Marketing Rule opt-out right.
---------------------------------------------------------------------------

    \52\ Regulation P provides, ``Institutions that include this 
reason [for sharing or using personal information] must provide an 
opt-out of indefinite duration.'' Appendix to part 1016 at C.2.d.6.
    \53\ 12 CFR 1022.22(b), 1022.23(a)(1)(iv).
---------------------------------------------------------------------------

Comments
    Comments that addressed the three opt-out conditions in proposed 
Sec.  1016.9(c)(2)(i)(A), (B), and (C) are discussed collectively above 
in the section-by-section analysis of Sec.  1016.9(c)(2)(i)(A). Though 
many commenters generally supported the opt-out conditions, they did 
not separately discuss Sec.  1016.9(c)(2)(i)(B) or (C). Commenters who 
specifically addressed Sec.  1016.9(c)(2)(i)(B) and (C) stated that 
because FCRA-covered information sharing with affiliates is more 
widespread among financial institutions than information sharing with 
third-parties not covered by a GLBA exception, these FCRA conditions 
were likely to prevent many more financial institutions from taking 
advantage of the alternative delivery method than Sec.  
1016.9(c)(2)(i)(A) relating to GLBA opt-out rights. These commenters 
asserted that the FCRA opt-out conditions in proposed Sec.  
1016.9(c)(2)(i)(B) and (C) should not be finalized even if the Bureau 
continues to require standard delivery methods to customers who have 
GLBA opt-out rights.
    A national trade association representing the consumer credit 
industry stated that proposed Sec.  1016.9(c)(2)(i)(B) and (C) would 
preclude non-depository institutions from using the alternative 
delivery method more than depository institutions because 
non-depository institutions tend to share information with affiliates (and 
thereby trigger FCRA opt-out rights) more often than depository 
institutions. Several state community bank and credit union 
associations as well as several individual community banks and credit 
unions objected to Sec.  1016.9(c)(2)(i)(B) and (C) because they share 
information with affiliates to offer services to their customers that 
they otherwise could not offer. A ``think tank'' focused on data 
practices also opposed Sec.  1016.9(c)(2)(i)(B) and (C) because it said 
the FCRA opt-out conditions are too limiting to financial institutions 
and a mailed notice is not necessary to inform customers of those 
opt-out rights. A mortgage industry group further opposed Sec.  
1016.9(c)(2)(i)(B) and (C) because information sharing governed by the 
FCRA is different in kind from that governed by the GLBA, and FCRA 
requirements should not determine the GLBA annual notice delivery 
requirements. Many industry commenters argued that the Bureau's 
proposal should track proposed legislation in Congress which would 
either eliminate the annual notice requirement or allow an institution 
to provide access to an annual notice electronically or in other forms 
if no GLBA opt-out rights exist (and certain other conditions are met). 
Such proposed legislation, however, does not address the relationship 
between an alternative delivery method and FCRA opt-out rights.
    Specifically with respect to proposed Sec.  1016.9(c)(2)(i)(C), 
several financial institutions stated that the requirement to 
separately provide the Affiliate Marketing Rule opt-out notice to use 
the alternative delivery method would negate the cost savings of the 
alternative delivery method.
Final Rule
    The Bureau is finalizing Sec.  1016.9(c)(2)(i)(B) as proposed and 
is finalizing Sec.  1016.9(c)(2)(i)(C) as revised. The Bureau 
understands that including Sec.  1016.9(c)(2)(i)(B) and (C) as 
conditions for using the alternative delivery method will limit the 
availability of the alternative delivery method more than if the Bureau 
finalized only the GLBA opt-out condition in Sec.  1016.9(c)(2)(i)(A). 
The Bureau further understands that the FCRA opt-out conditions may 
affect certain types of financial institutions more than others. The 
Bureau is nonetheless persuaded, for the same reasons discussed in 
regard to Sec.  1016.9(c)(2)(i)(A), that it is important for customers 
to receive standard delivery of the annual notice if that notice 
includes information concerning the right to opt out of information 
sharing. The Bureau believes that standard delivery is a more 
consumer-friendly way of notifying customers of their opt-out rights and 
allowing them to exercise those rights.
    With respect to commenters who stated that FCRA requirements should 
not govern GLBA annual notice requirements, the Bureau notes that 
section 503(b)(4) of GLBA expressly requires that disclosures required 
under section 603(d)(2)(A)(iii) of FCRA be included on the GLBA privacy 
notice. Section 603(d)(2)(A)(iii) of the FCRA is silent as to how 
frequently the notice of opt-out rights must be delivered, but the 
agencies responsible for implementation of the GLBA interpreted it to 
require provision of annual notice of the FCRA section 
603(d)(2)(A)(iii) opt-out right.\54\ Accordingly, since it became 
effective in 2000, Sec.  1016.6(a)(7) has required financial 
institutions that offer the FCRA section 603(d)(2)(A)(iii) opt-out to 
include it on their annual privacy notice. The Bureau's determination 
that customers should continue to receive annual notices that inform 
them of opt-out rights pursuant to the standard delivery methods 
applies equally to those FCRA opt-out rights that are required by Sec.  
1016.6(a)(7) to be included on the GLBA annual privacy notice. FCRA 
opt-out rights conveyed on the annual notice under Sec.  1016.6(a)(7) 
are as important to customers and to the FCRA statutory scheme as the 
GLBA opt-out rights and thus should be delivered pursuant to the 
standard delivery methods.
---------------------------------------------------------------------------

    \54\ 65 FR 35162, 35176 (June 1, 2000).
---------------------------------------------------------------------------

    Regarding Sec.  1016.9(c)(2)(i)(C), the Bureau has substantially 
revised the provision to clarify how use of the model privacy notice to 
inform customers of opt-out rights under the Affiliate Marketing Rule 
interacts with use of the alternative delivery method. The Affiliate 
Marketing Rule requires that, before a financial institution may make 
solicitations based on eligibility information about a consumer it 
receives from an affiliate, the consumer must be provided with notice 
and an opportunity to opt out of such use. The Affiliate Marketing Rule 
further requires that a consumer's opt-out must be effective for a 
period of at least five years, but if the financial institution chooses 
to honor the customer's opt-out indefinitely, the notice need be 
delivered only once. As discussed above, this notice and opt-out may be 
included on a Regulation P privacy notice, but is not required to be. 
If the Affiliate Marketing Rule opt-out is incorporated in the model 
privacy notice, initial or annual, a financial institution must honor 
any customer opt-out request indefinitely.\55\ Accordingly, if a 
financial institution chooses to include the Affiliate Marketing Rule 
opt-out on its model privacy notice, the institution has no further 
Affiliate Marketing Rule disclosure obligations after the first

[[Page 64065]]

model privacy notice is delivered and the institution is free to 
continue including the Affiliate Marketing Rule opt-out on the annual 
privacy notice without jeopardizing its ability to use the alternative 
delivery method.\56\
---------------------------------------------------------------------------

    \55\ Appendix to part 1016 at C.2.d.6.
    \56\ A financial institution could also include the Affiliate 
Marketing Rule opt-out on a non-model privacy notice and choose to 
honor opt-outs indefinitely and have no further Affiliate Marketing 
Rule obligations after the first privacy notice is delivered.
---------------------------------------------------------------------------

    The language of Sec.  1016.9(c)(2)(i)(C) has been revised to make 
this more explicit by stating that the alternative delivery method is 
available to a financial institution if ``the requirements of [the 
Affiliate Marketing Rule], if applicable, have been satisfied 
previously or the annual privacy notice is not the only notice provided 
to satisfy such requirements.'' In light of this clarification, the 
Bureau disagrees with commenters who stated that there would be no cost 
savings from the alternative delivery method for institutions that are 
subject to the Affiliate Marketing Rule. If those institutions used the 
model privacy notice and standard delivery methods to disclose opt-out 
rights, then they could use the alternative delivery method for 
subsequent annual notices. If those institutions provided a separate 
Affiliate Marketing Rule opt-out because they wanted to limit the 
duration of that opt-out, no additional notices would be required and 
the alternative delivery method would still be available. If the 
customer had not already received the Affiliate Marketing Rule opt-out 
notice, the financial institution would be required to deliver that 
notice only once using standard methods to satisfy Sec.  
1016.9(c)(2)(i)(C). The Bureau believes that generally a customer would 
have already received the Affiliate Marketing Rule notice and the one-
time delivery still would not negate potential savings for annual 
notices in subsequent years.
    The Bureau acknowledges that some customers will no longer receive 
their annual privacy notice pursuant to standard delivery methods even 
though the notice informs them of a right to opt out that exists 
pursuant to the Affiliate Marketing Rule. The Bureau believes, however, 
that this concern is mitigated by the fact that if the customer had not 
already received notice of the Affiliate Marketing Rule opt out 
pursuant to standard delivery methods, the financial institution would 
have to provide a separate Affiliate Marketing Rule notice in order to 
satisfy Sec.  1016.9(c)(2)(i)(C).\57\ The Bureau considered but decided 
against prohibiting use of the alternative delivery method where a 
financial institution provides an opt out under the Affiliate Marketing 
Rule because neither the GLBA nor Regulation P requires the Affiliate 
Marketing Rule opt-out to be included on the annual privacy notice.
---------------------------------------------------------------------------

    \57\ Alternatively, the financial institution could continue to 
use the current delivery method and include the Affiliate Marketing 
opt out on the annual privacy notice, with no separate notice 
required.
---------------------------------------------------------------------------

Section 1016.9(c)(2)(i)(D)

    Proposed Sec.  1016.9(c)(2)(i)(D) would have presented the fourth 
condition for using the alternative delivery method: That the 
information a financial institution is required to convey on its annual 
privacy notice pursuant to Sec.  1016.6(a)(1) through (5), (8) and (9) 
has not changed since the immediately previous privacy notice (whether 
initial or annual) to the customer. For the reasons discussed below, 
the Bureau is adopting Sec.  1016.9(c)(2)(i)(D) with some 
modifications.
Proposed Rule
    The Bureau proposed to provide more flexibility in the method of 
delivering a notice that has not changed because it believed that 
delivery of the annual notice by the standard delivery methods is 
likely less useful if the customer has already received a privacy 
notice, the financial institution's sharing practices remain generally 
unchanged since that previous notice, and the other requirements of 
Sec.  1016.9(c)(2)(i) are met. Proposed Sec.  1016.9(c)(2)(i)(D) would 
have listed the specific disclosures of the privacy notice that must 
not change for a financial institution to take advantage of the 
alternative delivery method: Sec.  1016.9(a)(1) through (5), (8), and 
(9).
    The Bureau explained that the disclosures required by Sec.  
1016.6(a)(1) through (5) and (9) describe categories of nonpublic 
personal information collected and disclosed and categories of third 
parties with whom that information is disclosed. Accordingly, only a 
change in or addition of a category of information collected or shared 
or in a category of third party with whom the information is shared 
would have prevented a financial institution from satisfying proposed 
Sec.  1016.9(c)(2)(i)(D) based on the disclosures required by Sec.  
1016.6(a)(1) through (5) and (9). The Bureau also explained that the 
disclosure required by Sec.  1016.6(a)(8) would disallow use of the 
alternative delivery method if a financial institution changed the 
required description of its policies and practices with respect to 
protecting the confidentiality and security of nonpublic personal 
information. The Bureau explained that changes in the description of a 
financial institution's data security policy likely are significant 
enough that when they occur, the annual privacy notice should continue 
to be delivered according to the standard delivery methods. Indeed, in 
light of recent large-scale data security breaches, some customers may 
be more interested in the data security policies of their financial 
institutions than they were previously. The Bureau further noted in the 
proposal that stylistic changes in the wording of the notice that do 
not change the information conveyed on the notice would not prevent a 
financial institution from satisfying proposed Sec.  
1016.9(c)(2)(i)(D).
Comments
    Most commenters that addressed Sec.  1016.9(c)(2)(i)(D) supported 
the proposed requirement. A national association representing student 
loan servicers stated that proposed Sec.  1016.9(c)(2)(i)(D) is the 
most important element of the requirements for using the alternative 
delivery method. Several national associations representing both large 
and small financial institutions suggested retaining the requirement in 
Sec.  1016.9(c)(2)(i)(D), even though they advocated alternatives to 
other components of the proposal. As noted in the section-by-section 
analyses of Sec.  1016.9(c)(2)(i)(A) and (B), many commenters expressed 
their support for legislation pending in Congress that is somewhat 
similar to the proposal and includes the requirement that the financial 
institution's privacy notice remain unchanged from the previous notice. 
In contrast, a national business coalition relating to online privacy 
criticized proposed Sec.  1016.9(c)(2)(i)(D) as significantly reducing 
the opportunity for financial institutions to use the alternative 
delivery method, in conjunction with the other requirements of proposed 
Sec.  1016.9(c)(2)(i).
    Most other commenters suggested technical changes to proposed Sec.  
1016.9(c)(2)(i)(D) or requested clarification. A state association 
representing credit unions and a community bank commented that a 
revised privacy notice is required by Sec.  1016.8 if a financial 
institution shares information other than as described in the initial 
privacy notice. It thus proposed that Sec.  1016.9(c)(2)(i)(D) should 
allow financial institutions to use the alternative delivery method if 
the information disclosed on the privacy notice has not changed since 
the immediately previous privacy notice, initial, annual, or revised.
    A compliance services company commented that Regulation P requires

[[Page 64066]]

information to be included on the model privacy notice that, if 
changed, might be significant for customers but is not included in 
Sec.  1016.9(c)(2)(i)(D). Such information includes the name of the 
financial institution providing the notice, changes in the definitions 
section of the notice which describes the financial institution's 
affiliates, nonaffiliates with whom it shares information, and joint 
marketing practices, and changes in the ``Other Important Information'' 
section of the model form, such as those involving state law 
requirements. The compliance services company further commented that 
the statement on the notice of availability required by Sec.  
1016.9(c)(2)(ii)(A) that ``our privacy policy has not changed'' could 
be inaccurate if such information had in fact changed. Moreover, the 
compliance services company also explained that the Bureau's statement 
in the proposal that a financial institution could change its privacy 
policy so as to eliminate information sharing that triggers opt-out 
rights and then make use of the alternative delivery method for the 
next annual privacy notice \58\ conflicts with Sec.  1016.9(c)(2)(i)(D) 
as proposed. According to the commenter, eliminating a category of 
affiliates with whom the financial institution shares information would 
trigger changes to the disclosure required by Sec.  1016.6(a)(2) and 
thus would prevent a financial institution from complying with proposed 
Sec.  1016.9(c)(2)(i)(D).
---------------------------------------------------------------------------

    \58\ 79 FR at 27221 n.54.
---------------------------------------------------------------------------

    Lastly, the compliance services company requested guidance on the 
sequence of events that would allow a financial institution to use the 
alternative delivery method after a privacy policy change occurs. For 
example, the company asked for clarification on when a revised notice 
should be sent, a time period after the notice of availability was 
delivered within which the institution would be required to implement 
the requirements for Web site posting and establishing a telephone 
number to request the privacy notice, and a time frame after the change 
for the institution to wait before it starts using the statement that 
``our privacy policy has not changed.''
Final Rule
    The Bureau is adopting Sec.  1016.9(c)(2)(i)(D) with some 
modifications. Regarding the comment that proposed Sec.  
1016.9(c)(2)(i)(D) renders the alternative delivery method of limited 
availability to financial institutions, the Bureau believes that 
requiring notices that have changed to be delivered pursuant to 
standard delivery methods is a more consumer-friendly way of notifying 
customers of changes than requiring consumers to affirmatively seek out 
information about the changed policy. As to revised privacy notices, 
the Bureau agrees that a financial institution that has used standard 
delivery methods to provide customers with a revised privacy notice 
under Sec.  1016.8 should be able to use the alternative delivery 
method for its next annual notice. Accordingly, the Bureau is revising 
proposed Sec.  1016.9(c)(2)(i)(D) to permit a financial institution to 
use the alternative delivery method if the information contained on its 
privacy notice has not changed since it provided the immediately 
previous privacy notice (whether initial, annual, or revised).
    Regarding the comment that some pertinent information on the 
privacy notice could change and proposed Sec.  1016.9(c)(2)(i)(D) would 
still permit the financial institution to use the alternative delivery 
method, the Bureau is permitting use of the alternative delivery method 
following such changes to provide greater flexibility. For example, 
although information about the name of the financial institution or its 
affiliates is useful to customers, the Bureau does not believe that 
information is as important in the context of the privacy notice as 
changes to the categories of nonpublic personal information collected 
and disclosed by the financial institution, the categories of third 
parties with whom the institution discloses that information, and 
changes to the institution's policies and practices with respect to 
protecting the confidentiality and security of nonpublic personal 
information. Moreover, where a financial institution changes its name, 
that name change would likely be conveyed to the institution's 
customers through means beyond the annual privacy notice. Indeed, 
including changes to the financial institution's name, the names of its 
affiliates, or its joint marketing practices in Sec.  
1016.9(c)(2)(i)(D) likely would limit the availability of the 
alternative method without much benefit to customers. Lastly, the 
Bureau believes that the statement required by Sec.  
1016.9(c)(2)(ii)(A) that ``our privacy policy has not changed'' is 
accurate even when information such as the financial institution's name 
or its affiliates have changed, as long as the policy the financial 
institution is required to describe on its annual privacy notice 
pursuant to Sec.  1016.6(a)(1) through (5), (8), and (9) has not 
changed.
    As to a financial institution that changes its privacy policy to 
eliminate information sharing that triggers opt-out rights, the Bureau 
determines that such an institution would be able to use the 
alternative delivery method for its next annual notice and agrees that 
this should be clarified in the rule text. Under the final rule, if an 
institution chooses to stop sharing certain categories of information 
or to stop sharing information with certain categories of third 
parties, the financial institution will be able to use the alternative 
delivery method for its next annual privacy notice without first 
sending out a privacy notice pursuant to standard delivery methods 
(provided it meets the requirements of Sec.  1016.9(c)(2)). The 
Bureau is modifying Sec.  1016.9(c)(2)(i)(D) to permit financial 
institutions to use the alternative delivery method if the information 
the institution is required to convey has not changed other than to 
eliminate categories of information it discloses or categories of third 
parties to whom it discloses information.
    Lastly, as to the request for clarification about the process for 
using the alternative delivery method after a financial institution 
changes its sharing practices, the alternative delivery method does not 
alter either the requirements for providing a revised privacy notice in 
Sec.  1016.8 or any of the timing requirements in existing Sec.  
1016.5. Accordingly, to the extent that Sec.  1016.8 requires a 
financial institution to deliver a revised privacy notice if a 
financial institution changes its information sharing, the institution 
is still required to deliver that notice pursuant to Sec.  1016.9.\59\ 
Similarly, the adoption of Sec.  1016.9(c)(2) does not change the 
timing requirements for delivering the annual notice.
---------------------------------------------------------------------------

    \59\ The Bureau notes that a revised privacy notice may not be 
delivered using the alternative delivery method because the 
alternative method only may be used to satisfy the requirement to 
provide an annual notice in Sec.  1016.5(a)(1).
---------------------------------------------------------------------------

    Accordingly, if a financial institution makes a change to its 
information sharing practices that would prevent it from meeting the 
condition in Sec.  1016.9(c)(2)(i)(D), i.e., a change other than to 
eliminate categories of information it discloses or categories of third 
parties to whom it discloses, the financial institution could use the 
alternative delivery method to meet its next annual privacy notice 
requirement if it first sent a revised privacy notice pursuant to the 
standard delivery methods (provided it meets the requirements of Sec.  
1016.9(c)(2)). If the change is to its policies and practices regarding 
protecting the confidentiality and security of nonpublic personal 
information, no revised privacy notice would be required under Sec.  
1016.8 but a

[[Page 64067]]

financial institution could opt to provide one anyway so that it could 
use the alternative delivery method and the statement that its privacy 
policy has not changed to meet its next annual notice requirement. 
Alternatively, a financial institution that makes a change to its 
information sharing practices or its policies and practices with 
respect to protecting the confidentiality and security of nonpublic 
personal information that would prevent the institution from meeting 
the condition in Sec.  1016.9(c)(2)(i)(D) could send its next annual 
privacy notice using standard delivery methods and resume using the 
alternative delivery method thereafter.
    To the extent that a financial institution chooses to provide the 
notice of availability of its privacy policies more often than 
annually, it could include the statement that its privacy policy has 
not changed whenever the intervening change is not a change covered by 
Sec.  1016.9(c)(2)(i)(D); where the intervening change is one covered 
by Sec.  1016.9(c)(2)(i)(D), the financial institution could include 
the statement that its privacy policy has not changed once it delivers 
a revised privacy notice pursuant to the standard delivery methods. 
Regarding when a financial institution must implement the Web site 
posting of the privacy notice and the telephone number for requesting 
the notice, a financial institution may choose to adopt the alternative 
delivery method at any time. However, it would need to meet all of the 
requirements for using the alternative delivery method by the due date 
of the first annual privacy notice that the institution does not 
deliver using one of the standard delivery methods. This would include 
sending the notice of availability that informs customers of the 
existence of the Web site and the telephone number and providing 
customers access to the privacy notice by Web site and through 
telephone request by that due date.

Section 1016.9(c)(2)(i)(E)

    The last condition for use of the alternative delivery method 
included in the Bureau's proposed rule, which was set forth in proposed 
Sec.  1016.9(c)(2)(i)(E), would have required that a financial 
institution use the Regulation P model privacy form for its annual 
privacy notice. The Bureau now adopts the provision as proposed.
Proposed Rule
    The model form was adopted in 2009 as part of an interagency 
rulemaking mandated by Congress.\60\ The form was developed using 
consumer research to ensure that the model notice was easier to 
understand and use than most privacy notices then being used.\61\ 
During outreach prior to the Bureau's issuance of its May 13, 2014, 
proposed rule, consumer and privacy groups told the Bureau that the 
model form is easier for consumers to understand than other privacy 
notices. The Bureau's research on the impacts of its proposed rule \62\ 
determined that some non-model form privacy notices were not easily 
understood. This research also determined that a significant percentage 
of financial institutions already use the model privacy form. 
Accordingly, the Bureau proposed Sec.  1016.9(c)(2)(i)(E), which would 
permit use of the alternative delivery method only if a financial 
institution uses the model privacy form for its annual privacy notice.
---------------------------------------------------------------------------

    \60\ 15 U.S.C. 6803(e).
    \61\ 74 FR at 62891.
    \62\ See below, parts V and VI.
---------------------------------------------------------------------------

Comments
    The Bureau invited comment on the extent to which financial 
institutions currently use the model privacy form and, if they do not, 
whether they would choose to do so to take advantage of the proposed 
alternative delivery method. In addition, the Bureau invited comment on 
the benefit to customers of receiving a privacy notice in the model 
form rather than a privacy notice in a non-standardized format.
    The comments indicated that a significant number of industry 
participants are using the model form already. The Bureau did not 
receive much comment on whether the model form requirement would 
incentivize its use so that financial institutions could use the 
alternative delivery method. However, one industry commenter stated it 
would do so. On the other hand, some other industry commenters asserted 
that conditioning the use of the alternative delivery method on the use 
of the model form would significantly affect how many financial 
institutions could use the alternative delivery method and experience 
reduced burden.
    Consumer and public interest group commenters explicitly and 
strongly supported the model form requirement, explaining that the 
model form is easier for consumers to understand than other notices 
that individual financial institutions use because it does not have the 
legal jargon and complex vocabulary found in those other notices. An 
academic commenter described a project where notices are collected and 
compared, and stressed the importance of online standardized notices, 
such as those using the model form. Some credit union associations 
supported the model form requirement but requested that the Bureau 
clarify whether changes to the form would be acceptable and, if so, 
what types of changes would be acceptable.
    Many comments from industry members and groups supported the rule 
as proposed or only objected to requirements other than the model form, 
and so they did not appear to view the model form requirement as 
problematic. However, several industry trade associations and many 
individual institutions objected to the model form requirement. One 
trade association stated that many financial institutions currently use 
forms that they believe are more informative than the model form and 
that their customers are more familiar with. A student loan servicing 
trade association made a similar comment, stating that some servicers 
do not want to use the model form because their version provides 
customers with more information.
    Many trade association and individual industry commenters also were 
concerned that if they made changes to the model form to be clearer and 
more informative, it would preclude them from using the alternative 
delivery method. These commenters suggested that the Bureau state 
clearly that changes in wording and layout in the model form would be 
acceptable. Several commenters requested that the form used only have 
to comply with Regulation P, rather than having to follow the model 
form instructions. Two trade associations stated that the model form is 
one-size-fits-all and does not work for nontraditional financial 
institutions such as companies that offer long-term installment plans. 
Other commenters objected to the requirement that the Web page 
containing the model form have no other information and suggested that 
other privacy information should be allowed.
    The Bureau also invited comment on related state or international 
law requirements and their interaction with the model privacy notice. 
Although the Bureau did receive comments, as discussed above, on the 
proposed rule's relation to state law, those comments did not address 
the model form requirement.
    In addition, the Bureau solicited comment on whether adoption of 
the model form itself should be considered a change in the annual 
notice pursuant to proposed Sec.  1016.9(c)(2)(i)(D) such that an 
institution using the model form for the first time would be precluded 
from using the proposed alternative

[[Page 64068]]

delivery method until the following year's annual notice. Consumer and 
public interest group commenters did not address this issue, but some 
industry commenters stated that adoption of the model form should not 
be considered a change under Sec.  1016.9(c)(2)(i)(D).
Final Rule
    The Bureau adopts Sec.  1016.9(c)(2)(i)(E) as proposed. Based on 
the Bureau's impact analyses and the research that went into the 
development and testing of the model form,\63\ the Bureau continues to 
believe that requiring use of the model form as a condition of using 
the alternative delivery method will foster the use of a notice that 
is, in general, more consumer-friendly and effective in conveying 
privacy policy information to customers than non-standardized notices. 
The Bureau also continues to believe that Sec.  1016.9(c)(2)(i)(E) is 
likely to encourage some financial institutions that are not currently 
doing so to use the model form to take advantage of the cost savings 
associated with the alternative delivery method. Moreover, the Bureau 
does not believe that adopting the model form will entail significant 
costs for the minority of financial institutions that do not currently 
use it, and notes that there is an Online Form Builder that allows 
financial institutions to readily create customized privacy notices 
using the model form template.\64\ In addition, the Bureau believes 
that in a large majority of instances the one-time cost of adopting the 
model form will be offset quickly by the reduced cost of printing and 
mailing forms, which will then continue year after year.
---------------------------------------------------------------------------

    \63\ The research that went into the development and testing of 
the model form was detailed in four reports: (1) Financial Privacy 
Notice: A Report on Validation Testing Results (Kleimann Validation 
Report), February 12, 2009, available at http://www.ftc.gov/system/files/documents/reports/financial-privacy-notice-report-validation-testing-results-kleimann-validationreport/financial_privacy_notice_a_report_on_validation_testing_results_kleimann_validation_report.pdf; (2) Consumer Comprehension of Financial 
Privacy Notices: A Report on the Results of the Quantitative Testing 
(Levy-Hastak Report), December 15, 2008, available at http://www.ftc.gov/system/files/documents/reports/quantitative-research-levy-hastak-report/quantitative_research_-_levy-hastak_report.pdf; 
(3) Mall Intercept Study of Consumer Understanding of Financial 
Privacy Notices: Methodological Report (Macro International Report), 
September 18, 2008, available at http://www.ftc.gov/system/files/documents/reports/quantitative-research-macro-international-report/quantitative_research_-_macro_international_report.pdf; and (4) 
Evolution of a Prototype Financial Privacy Notice: A Report on the 
Form Development Project, March 31, 2006, available at http://kleimann.com/ftcprivacy.pdf. The development and testing of the 
model privacy notice is also discussed in L. Garrison, M. Hastak, 
J.M. Hogarth, S. Kleimann, A.S. Levy, Designing Evidence-based 
Disclosures: A Case Study of Financial Privacy Notices. The Journal 
of Consumer Affairs, Summer 2012: 204-234.
    \64\ This Online Form Builder is available at http://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.
---------------------------------------------------------------------------

    While some financial institution commenters asserted that 
conditioning the use of the alternative delivery method on the use of 
the model form would significantly affect how many financial 
institutions could use the alternative delivery method and experience 
reduced regulatory burden, they did not submit data or substantive 
analysis on this point. In regard to comments about forms that comply 
with Regulation P but may not comply exactly with the model form 
instructions, potentially giving rise to violations when the 
alternative delivery method is used, the Bureau notes that financial 
institutions may consult counsel on how to comply so as to limit the 
risk of government enforcement.\65\ In regard to types of financial 
institutions that do not prefer to use the model form for whatever 
reason, the Bureau notes that the model form was carefully crafted to 
be usable by a wide variety of financial institutions,\66\ but any 
institutions that choose not to use it may continue to send annual 
privacy notices in the standard manner.
---------------------------------------------------------------------------

    \65\ The Bureau also notes that there is no private right of 
action under Regulation P.
    \66\ See 74 FR at 62901.
---------------------------------------------------------------------------

    The Bureau notes that the model form accommodates information that 
may be required by state or international law, as applicable, in a box 
called ``Other important information.'' \67\ Accordingly, the Bureau 
expects that a financial institution that has additional privacy 
disclosure obligations pursuant to state or international law will 
still be able to use the model form to take advantage of the proposed 
alternative delivery method. In regard to supplemental privacy 
information a financial institution wishes to convey, the discussion of 
Sec.  1016.9(c)(2)(ii)(B) below makes clear that a link to such 
information elsewhere on the financial institution's Web site may be 
included as part of the navigational materials on the Web page 
containing the model privacy form.
---------------------------------------------------------------------------

    \67\ Appendix to part 1016 at C.3.c.1.
---------------------------------------------------------------------------

    In addition, the Bureau has determined that a financial 
institution's adoption of the model privacy form, which may require 
changes to the wording and layout of the privacy notice but not to the 
substance of the information conveyed under Sec.  1016.6(a)(1) through 
(5), (8) and (9), will not constitute a change within the meaning of 
Sec.  1016.9(c)(2)(i)(D). A financial institution thus may adopt the 
model form and use the alternative delivery method with that model form 
immediately to satisfy its annual notice requirement under Regulation 
P. This interpretation is consistent with the interpretation by the 
agencies that promulgated the model notice at the time it was first 
issued with regard to whether adoption of the form required provision 
of a revised privacy notice under Sec.  1016.8.\68\
---------------------------------------------------------------------------

    \68\ See 74 FR at 62907 n. 196.
---------------------------------------------------------------------------

Section 1016.9(c)(2)(ii)

    In proposed Sec.  1016.9(c)(2)(ii), the Bureau would have set forth 
the alternative delivery method that would be permissible to satisfy 
the requirement in Sec.  1016.5(a)(1) to provide an annual notice if a 
financial institution met the conditions described in proposed Sec.  
1016.9(c)(2)(i). The Bureau proposed an alternative delivery method for 
financial institutions that met the conditions in proposed Sec.  
1016.9(c)(2)(i) where delivery of the annual privacy notice pursuant to 
the standard delivery requirements may be less important for customers. 
As stated in the proposal, the alternative delivery method would still 
inform customers of their financial institution's privacy policies 
effectively, but at a lower cost than the standard delivery methods.
    The Bureau received comments supporting the general framework of 
the alternative delivery method proposed in Sec.  1016.9(c)(2)(ii) from 
financial institutions, consumer groups, and privacy groups alike. For 
example, a national association representing business interests and a 
national association representing the consumer credit industry stated 
that the proposed alternative delivery method would be an effective 
mechanism for ensuring that all customers are aware of the 
institution's privacy policy and their opt-out rights. A national 
association representing credit unions, a public interest group 
representing consumers, and an organization of state banking 
supervisors all supported the framework of the alternative delivery 
method. The Bureau received many comments criticizing or supporting 
specific components of the alternative delivery method. These comments 
are discussed in detail below. The Bureau is adopting Sec.  
1016.9(c)(2)(ii) largely as proposed, for the reasons stated above and 
in the proposal. Changes to the individual paragraphs of Sec.  
1016.9(c)(2)(ii) will be discussed in detail below.

[[Page 64069]]

Section 1016.9(c)(2)(ii)(A)

    Proposed Sec.  1016.9(c)(2)(ii)(A) would have set forth the first 
component of the alternative delivery method: That a financial 
institution inform the customer of the availability of the annual 
privacy notice. For the reasons discussed below, the Bureau is adopting 
Sec.  1016.9(c)(2)(ii)(A) substantially as proposed but with some 
modifications.
Proposed Rule
    To satisfy proposed Sec.  1016.9(c)(2)(ii)(A), a financial 
institution would have been required to convey in a clear and 
conspicuous manner not less than annually on a notice or disclosure the 
institution is required or expressly and specifically permitted to 
issue under any other provision of law that its privacy notice has not 
changed, that the notice is available on its Web site, and that a hard 
copy of the notice will be mailed to customers if they call a toll-free 
telephone number to request one.
General Comments
    Several financial institution commenters objected to proposed Sec.  
1016.9(c)(2)(ii)(A) because there are some financial products for which 
financial institutions send no documents to customers and thus 
including a notice of availability on some other statement or notice 
currently used would not be possible. For example, national 
associations representing debt buyers and automobile dealers stated 
that those financial institutions do not send or may not send documents 
to their customers at all during the course of a year. Several 
individual depository institutions commented that they do not send 
statements or notices to certain types of customers, such as customers 
with certificates of deposit, passbook savings accounts, safe deposit 
vaults, and mortgage or installment loans with coupon books.
    National associations representing banks, community banks, and 
financial service providers as well as many individual banks and credit 
unions commented that the proposed notice of availability would be 
burdensome, even for financial institutions that do send statements or 
notices to some customers. First, these commenters stated that it would 
be difficult and expensive for financial institutions to determine 
which customers and accounts receive suitable documents on which to 
include the notice of availability and which ones do not. Second, some 
financial institution commenters stated that space was limited on their 
periodic statements and that it would be unworkable to include the 
notice of availability on them.
Final Rule
    The Bureau is adopting Sec.  1016.9(c)(2)(ii)(A) substantially as 
proposed but with modifications as discussed below. It is important 
that customers receive actual notice that the annual privacy notice is 
available on the financial institution's Web site through some 
statement or notice that they are likely to read. Although posting the 
privacy notice on a Web site will make the privacy notice widely 
available, customers likely would not be aware of its existence or its 
importance without the notice of availability, especially customers 
that do not use the financial institution's Web site. The Bureau 
understands that there are costs associated with sending an annual 
notice of availability and that doing so could negate the cost savings 
of the alternative delivery method for some financial institutions that 
do not already send statements or notices to their customers. However, 
the Bureau expects that most financial institutions will be able to 
incorporate the notice of availability in a mailing that the 
institution conducts in the normal course of business. In any event, 
the Bureau believes that financial institutions that choose to use the 
alternative delivery method must provide the notice of availability 
because it is an integral component of the alternative delivery method 
given that it informs customers that the privacy notice is available.
Not Less Than Annually
    The proposed rule would have required that financial institutions 
convey the notice of availability to customers not less than annually. 
Proposed Sec.  1016.9(c)(2)(ii)(A) also would have permitted it to be 
included more often than annually (e.g., quarterly or monthly) and 
invited comment on the advantages and disadvantages of it being 
provided on a more frequent basis. Several commenters, including a 
university privacy think tank and individual credit unions and 
community banks, commented that an annual notice of availability is 
sufficient to inform customers of the online availability of the 
institution's annual privacy notice. However, a national organization 
representing consumer and privacy rights stated that the notice of 
availability should be required at least quarterly.
    The Bureau continues to believe that an annual reminder is 
sufficient to inform customers of the availability of the privacy 
notice. Indeed, the GLBA requires that the privacy notice itself be 
delivered ``not less than annually'' after the initial customer 
relationship is established, and the Bureau believes that requiring the 
notice of availability not less than annually is consistent with the 
statute.\69\ To the extent that financial institutions would prefer for 
administrative or other reasons to include the notice of availability 
on statements or notices that are delivered to customers more often 
than annually, the Bureau notes that more frequent delivery is 
permissible under Sec.  1016.9(c)(2)(ii)(A).
---------------------------------------------------------------------------

    \69\ See generally GLBA section 503(a).
---------------------------------------------------------------------------

Type of Statement Used To Convey the Notice of Availability
    With respect to the type of statement that may be used to convey 
the notice of availability, proposed Sec.  1016.9(c)(2)(ii)(A) would 
have permitted it to be conveyed on a notice or disclosure the 
institution is required or expressly and specifically permitted to 
issue under any other provision of law. The Bureau noted in the 
proposal that a notice of availability could be included on a periodic 
statement which is permitted but not required by Regulation DD \70\ to 
satisfy proposed Sec.  1016.9(c)(2)(ii)(A) but that including it on 
advertising materials that were neither required nor specifically 
permitted by law would not satisfy proposed Sec.  1016.9(c)(2)(ii)(A). 
As stated in the proposal, Sec.  1016.9(c)(2)(ii)(A) would not have 
specified in more detail the type of statements on which the notice of 
availability must be conveyed because the Bureau intended the 
alternative delivery method to be flexible enough to be used by 
financial institutions whose business practices vary widely.
---------------------------------------------------------------------------

    \70\ 12 CFR 1030.6.
---------------------------------------------------------------------------

    Many financial institution commenters advocated that the Bureau 
expand the types of documents that financial institutions could use to 
provide the notice of availability. A national association representing 
student loan servicers suggested that the Bureau should add periodic 
statements to the types of documents that could include the notice, 
because the periodic notices for student loans are not required or 
expressly and specifically permitted under any other provision of law. 
An automotive finance company identified the same concern with its 
billing statements. Several individual financial institutions requested 
that they be allowed to include the notice of availability on coupon 
books. A national association representing credit unions,

[[Page 64070]]

two state credit union associations, and several individual credit 
unions suggested that they be allowed to use customer newsletters, 
branch posting, or advertisements to provide the notice of 
availability.
    The Bureau is persuaded by the comments that it should broaden the 
type of statement on which the notice of availability could be included 
to satisfy Sec.  1016.9(c)(2)(ii)(A) in the final rule. The Bureau 
proposed to require that the notice of availability be included on a 
statement or notice required or otherwise permitted by law to ensure 
that customers were likely to read the underlying document on which the 
notice of availability is included. The Bureau believes that customers 
also have compelling reasons to read account statements and coupon 
books that directly concern the status of their existing accounts even 
if they are not required or otherwise permitted by law. Accordingly, 
under the final rule, the Bureau is allowing a notice of availability 
included on an ``account statement'' or ``coupon book'' also to satisfy 
Sec.  1016.9(c)(2)(ii)(A). An account statement would include periodic 
statements or billing statements not required or expressly and 
specifically permitted by law. The Bureau intends the term ``account 
statement'' to be flexible enough to cover documents provided to 
customers by a diverse array of financial institutions. In contrast, 
the Bureau is concerned that customers may not read advertisements or 
newsletters on the assumption that they do not specifically concern the 
customer's existing account. The Bureau believes it would not be 
consumer-friendly to require customers to seek out and examine 
advertisements and newsletters to find the notice of availability. The 
Bureau therefore declines to revise proposed Sec.  1016.9(c)(2)(ii)(A) 
to be satisfied by a notice of availability included in such materials. 
Further, since nothing in Sec.  1016.9(c)(2)(ii)(A) alters laws or 
regulations governing account statements, coupon books, or other 
notices or disclosures, institutions should not include the notice of 
availability on such materials in a way that would cause the materials 
to fail to comply with applicable laws or regulations governing those 
materials.
    Regarding the request that the Bureau permit physical posting of 
the notice of availability in a financial institution's lobby to 
satisfy Sec.  1016.9(c)(2)(ii)(A), the Bureau notes that the GLBA 
contemplates providing individual notice to customers of opt-out rights 
and privacy practices. For example, section 502(b)(1)(A) of the GLBA 
requires opt outs to be disclosed ``to the consumer'' and section 
503(a) of the GLBA requires the privacy notice to be delivered ``to 
such consumer.'' While the Bureau believes that providing a notice of 
availability individually directing customers to a notice on a Web site 
is sufficient to inform them of the availability of the privacy notice 
under the parameters of this rule, posting a general notice of 
availability in the financial institution's lobby or elsewhere 
generally directing customers to the privacy notice is not. Similarly, 
the Bureau does not believe that publishing a general notice of 
availability in newspapers is sufficient. Indeed, some customers do not 
go to the institution's lobby or office and may not see published 
announcements. The Bureau believes it would not be consumer-friendly to 
require customers to seek out and examine postings in an institution's 
offices or announcements in certain newspapers to find the notice of 
availability. While the Bureau recognizes that there are other statutes 
and regulations that require notice to customers for other purposes by 
such public posting or publishing, the Bureau believes such public 
notices are not sufficient given the GLBA's framework that requires 
individualized notice. Indeed, Regulation P already provides with 
respect to privacy notices that an institution may not reasonably 
expect that a consumer will receive actual notice of its privacy 
policies and practices if it only posts a sign in a branch or office or 
generally publishes advertisements of its privacy policies and 
practices.\71\ The Bureau's approach as to notices of availability is 
consistent in this respect. The Bureau is therefore revising Sec.  
1016.9(c)(2)(ii)(A) to include that delivery of the notice of 
availability must be ``to the customer'' to clarify that Sec.  
1016.9(c)(2)(ii)(A) is not satisfied by including the notice of 
availability on other disclosures or notices required or expressly 
permitted by law to be publicly posted or published.
---------------------------------------------------------------------------

    \71\ 12 CFR 1016.9(b)(2)(i). The Bureau's rule on delivery of 
Affiliate Marketing Rule notices under Regulation V similarly 
provides that a consumer may not reasonably be expected to receive 
actual notice if the affiliate providing the notice only posts the 
notice on a sign in a branch or office or generally publishes the 
notice in a newspaper. 12 CFR 1022.26(c)(1).
---------------------------------------------------------------------------

Clear and Conspicuous
    Proposed Sec.  1016.9(c)(2)(ii)(A) would have used the term ``clear 
and conspicuous,'' which is defined in existing Sec.  1016.3(b)(1) as 
meaning ``reasonably understandable'' and ``designed to call attention 
to the nature and significance of the information.'' As stated in the 
proposal, the Bureau believed that the existing examples in Sec.  
1016.3(b)(2)(i) and (ii) for reasonably understandable and designed to 
call attention, respectively, likely would provide sufficient guidance 
on ways to make the notice of availability in proposed Sec.  
1016.9(c)(2)(ii)(A) clear and conspicuous. Some commenters, including a 
state and a national association representing credit unions, supported 
the proposed clear and conspicuous requirement as sufficient given 
existing Sec.  1016.3(b)(2)(i) which provides guidance on type size, 
style, and graphic devices, such as shading and side bars. A few 
commenters, including several national associations representing large 
banks, community banks, and other financial service providers, as well 
as a few individual community banks stated that clear and conspicuous 
should be further defined.
    As stated in the proposal, the Bureau believes that the existing 
definition of clear and conspicuous and examples in Sec.  1016.3(b) are 
sufficient for the notice of availability. Given the variety of 
statements on which the notice of availability may be included and the 
numerous ways in which they may be designed, the Bureau does not 
believe that it is feasible or practical to provide guidance as to what 
would be clear and conspicuous in all of these circumstances. The 
Bureau believes that financial institutions should be able to use the 
existing definition of clear and conspicuous and examples in Sec.  
1016.3(b) to design notices of availability that consumers will be 
likely to read and therefore the Bureau adopts this aspect of Sec.  
1016.9(c)(2)(ii)(A) without change.
Toll-Free Telephone Number
    Proposed Sec.  1016.9(c)(2)(ii)(A) also would have required that 
the notice of availability include a toll-free number a customer can 
call to request that the annual privacy notice be mailed. The Bureau 
explained in the proposal that this requirement was intended to assist 
customers who do not have internet access or would prefer to receive a 
hard copy of the privacy notice and that it expected that most 
institutions would already have a toll-free number.
    The majority of commenters on this provision, typically those from 
credit unions, community banks, and other small financial institutions, 
disagreed with this aspect of the proposal. These commenters objected 
to the toll-free number requirement because many smaller institutions 
do not currently have toll-free numbers and they stated that obtaining 
a toll-free number would offset the intended burden reduction of the 
proposal. Commenters further noted

[[Page 64071]]

that most credit unions and community banks operate in limited 
geographical areas such that customers are typically in the same area 
code as their financial institution and thus a toll-free telephone 
number is unnecessary. Lastly, many of these commenters stated that a 
toll-free number is unnecessary given that most customers have cellular 
telephone or home telephone plans under which they would incur no 
charges for calling their financial institution to request the annual 
privacy notice.
    A few commenters, including a national association representing 
student loan servicers and some individual community banks and credit 
unions, stated that they did not object to the toll-free number 
requirement because their institution or member institutions already 
have toll-free numbers or can obtain one without significant expense. 
No commenters expressly supported requiring a toll-free telephone 
number.
    The proposal also solicited comment on whether the final rule 
should require financial institutions to provide a dedicated telephone 
line for privacy notice requests to use the alternative delivery 
method. Commenters who addressed the issue included several national 
trade associations representing large and small banks, a national trade 
association representing student loan servicers and several individual 
community banks and credit unions. All commenters who addressed this 
issue stated that requiring a dedicated toll-free number to request an 
annual privacy notice was unnecessary. Some commenters also suggested 
that requiring a dedicated telephone number was so expensive as to 
offset the potential cost savings of the proposal for small entities. 
These commenters noted that customers rarely call their financial 
institutions to opt out of sharing when mailed an annual privacy notice 
and that customers are even less likely to call their financial 
institution to request a copy of the annual notice. Given the expected 
low call volume, these commenters believe that a dedicated telephone 
line is unnecessary and unduly expensive.
    The Bureau is persuaded that requiring a toll-free telephone number 
or a dedicated telephone line to request the privacy notice be mailed 
would offset the intended burden reduction of the proposal for many 
financial institutions without providing much benefit to customers. The 
Bureau believes that the cost to financial institutions of requiring a 
toll-free telephone number or a dedicated telephone line is not 
warranted given that customers likely will call infrequently to request 
a mailed copy of the annual privacy notice, especially because the 
privacy notices would be readily available on the institutions' Web 
sites. The Bureau also considered allowing institutions to choose 
between providing a toll-free number or a telephone number a customer 
could call and reverse the charge, i.e., a telephone number that would 
accept collect calls, an alternative available under several other 
Bureau regulations.\72\ The Bureau decided against this alternative 
because it believes, as stated by commenters, that financial 
institutions that do not already maintain toll-free telephone numbers 
typically have customers who live in the same area code as the 
institution and such customers likely would request a copy of the 
privacy notice using a free local call, rather than a collect call. In 
addition, a requirement that a financial institution without a toll-
free number accept collect calls for privacy notice requests could 
effectively require the institution to accept collect calls as a 
general practice, assuming that it did not pay for a dedicated line for 
the privacy notice calls, thereby adding to its costs.
---------------------------------------------------------------------------

    \72\ See, e.g., 12 CFR 1024.33(b)(4)(ii), 1026.16(e), 
1026.24(g)(2).
---------------------------------------------------------------------------

    For the reasons described, the Bureau is adopting Sec.  
1016.9(c)(2)(ii)(A) as revised to require the notice of availability to 
include a telephone number. The Bureau encourages financial 
institutions that already maintain a toll-free telephone number to use 
that number in the statement required by Sec.  1016.9(c)(2)(ii)(A), to 
simplify the process for a customer to call and request a mailed copy 
of the privacy notice.
Other Issues
    Proposed Sec.  1016.9(c)(2)(ii)(A) also would have required the 
institution to state on the notice of availability that its privacy 
policy has not changed. The Bureau intended this proposed requirement 
to help customers assess whether they are interested in reading and 
accessing the policy. This statement would always be accurate if the 
alternative delivery method is used correctly, because a financial 
institution could not use the alternative delivery method if its annual 
privacy notice had changed under Sec.  1016.9(c)(2)(i)(D). A compliance 
company commented that the statement that the privacy policy had not 
changed might not be accurate in certain situations where a financial 
institution eliminates categories of information it discloses or 
categories of third parties to whom it discloses information. That 
comment is addressed above in the section-by-section analysis of Sec.  
1016.9(c)(2)(i)(D).
    Proposed Sec.  1016.9(c)(2)(ii)(A) further would have required that 
the statement include a specific web address that takes customers 
directly to the Web page where the privacy notice is available. 
Proposed Sec.  1016.9(c)(2)(ii)(A) would have required a web address 
that the customer can type into a web browser to directly access the 
page that contains the privacy notice so that the customer need not 
click on any links after typing in the web address. The Bureau proposed 
this requirement because a direct link may make it easier and more 
convenient for customers to access the privacy notice, particularly for 
notices of availability delivered electronically that provide a 
hyperlink. While the Bureau recognizes that the length and complexity 
of the web address would affect how easy and convenient it is for 
customers to manually type in the address, the Bureau does not 
anticipate that institutions will provide addresses that are needlessly 
lengthy or complex. If this does not prove to be the case, the Bureau 
may consider measures in the future to ensure that the Web site 
addresses used are consumer-friendly. The Bureau did not receive any 
comments on this aspect of the proposal and adopts this element of 
Sec.  1016.9(c)(2)(ii)(A) as proposed.
    The Bureau further noted in the proposal that if two or more 
financial institutions provide a joint privacy notice pursuant to Sec.  
1016.9(f), proposed Sec.  1016.9(c)(2)(ii)(A) would require each 
financial institution to separately provide the notice of availability 
on a notice or disclosure that it is required or permitted to issue. 
The Bureau invited comment on how often financial institutions jointly 
provide privacy notices and whether the proposed alternative delivery 
method would be feasible for such jointly issued notices, but the 
Bureau received no comments on that issue. Section 1016.9(c)(2)(ii)(A) 
as finalized would require each institution providing a joint notice to 
send a notice of availability on an account statement, coupon book, or 
other notice or disclosure it is required or expressly and specifically 
permitted to issue to the customer. Financial institutions that jointly 
provide account statements, coupon books, or other notices or 
disclosures could also satisfy Sec.  1016.9(c)(2)(ii)(A) by including 
the notice of availability on such jointly provided materials.
    A national organization representing consumer and privacy interests 
suggested that the notice of availability include the fact that privacy 
notices

[[Page 64072]]

may be delivered by email upon the customers' request and provide 
instructions for how customers could exercise that option. The Bureau 
declines to require notification of email availability to be included 
in the notice because some financial institutions may not have the 
capability to provide privacy notices by email. The Bureau notes, 
however, that a financial institution could include such a statement in 
the notice of availability required by Sec.  1016.9(c)(2)(ii)(A) as 
long as the required content of the notice of availability is clear and 
conspicuous. For the reasons discussed, the Bureau is adopting Sec.  
1016.9(c)(2)(ii)(A) with the modifications described above.

Section 1016.9(c)(2)(ii)(B)

    Proposed Sec.  1016.9(c)(2)(ii)(B) would have set forth the second 
component of the alternative delivery method: That the financial 
institution post its current privacy notice continuously and in a clear 
and conspicuous manner on a page of the institution's Web site that 
contains only the privacy notice, without requiring the customer to 
provide any information such as a login name or password or agree to 
any conditions to access the page. The Bureau is adopting Sec.  
1016.9(c)(2)(ii)(B) as revised, for the reasons discussed below.
Proposed Rule
    The Bureau believes, and comments on the proposal support the 
conclusion, that many financial institutions already maintain Web sites 
where they could post the annual privacy notice. Moreover, encouraging 
financial institutions to post the notices would benefit consumers by 
making the notices more widely available. Proposed Sec.  
1016.9(c)(2)(ii)(B) would have required that the annual notice be 
posted on a page of the Web site that contains only the privacy notice.
Comments
    A state-chartered bank and a credit union opposed the requirement 
that the Web page contain only the privacy notice. These commenters 
stated that they include the privacy notice with other relevant privacy 
policies for their institution and thus customers could miss valuable 
privacy-related information if no other information were permitted to 
be included with the privacy notice. National associations representing 
large banks, community banks, and the financial services industry as 
well as a coalition of financial institutions focusing on e-commerce 
and privacy objected to the proposed requirement that the Web site not 
require a login name or password or that the customer agree to any 
terms to access it. These commenters argued that financial institutions 
often require customers to accept terms to initially access a Web site, 
particularly where customer account information accessed through the 
Web site may need to be protected for security reasons. Few other 
commenters addressed this issue, however.
    Other commenters raised a variety of concerns about the posting of 
the privacy notice. National associations representing large banks, 
community banks, the financial services industry, and credit unions and 
several individual banks and credit unions suggested that the Bureau 
remove the word ``continuously'' so that a financial institution would 
not be in violation of Sec.  1016.9(c)(2)(ii)(B) in the event its Web 
site malfunctioned. An organization representing state banking 
supervisors suggested that Sec.  1016.9(c)(2)(ii)(B) require financial 
institutions to include a link to the privacy policy on their home 
page. Lastly, one credit union commenter requested that the Bureau 
allow the privacy notice to be posted physically in the lobby of the 
financial institution for financial institutions that do not maintain 
Web sites.
Final Rule
    The Bureau is adopting Sec.  1016.9(c)(2)(ii)(B) as revised. As to 
the commenters who stated that the requirement that the Web page 
contain only the privacy notice could prevent consumers from seeing 
supplemental privacy information, as stated in the proposal, the Bureau 
is concerned that permitting information other than the privacy notice 
to be included on the Web page could detract from the prominence of the 
notice and make it less likely that a customer would actually read it. 
The Bureau believes that the risk of such distracting information being 
included with the privacy notice outweighs any potential benefit to 
allowing additional content to be included on the page with the privacy 
notice. The Bureau is revising Sec.  1016.9(c)(2)(ii)(B) to clarify 
that the privacy notice must be the only content on the Web page. 
Information that is not content, however, such as navigational menus 
that link to other pages on the financial institution's Web site, could 
appear on the same page as the privacy notice pursuant to Sec.  
1016.9(c)(2)(ii)(B). Indeed, such navigational materials could include 
a link to another portion of the financial institution's Web site that 
contains supplemental information concerning other privacy or 
information management practices.\73\
---------------------------------------------------------------------------

    \73\ See generally 74 FR at 62908 (noting, in response to 
industry requests for the flexibility to add other information to 
the model privacy form, that the agencies were not precluding an 
institution from providing such information on other, supplemental 
materials).
---------------------------------------------------------------------------

    With respect to the requirement that the Web page not require a 
login name or password or that the customer agree to any conditions to 
access it, the Bureau declines to revise this requirement. The Bureau 
intends for the alternative delivery method to serve customers who may 
not already use the financial institution's Web site to manage their 
accounts and thus may not have agreed to terms or created login 
credentials. Indeed, as stated in the proposal, the Bureau is concerned 
that if customers were required to register for a login name or sign in 
to the financial institution's Web site simply to access the privacy 
notice, it could discourage some customers from accessing and reading 
the notice. The Bureau notes that financial institutions could still 
require customers to have login credentials or agree to terms and 
conditions to access other portions of the Web site, such as those 
containing sensitive account information or used to conduct 
transactions, including exercising the Affiliate Marketing Rule opt-
out. Given that the alternative delivery method will require customers 
to seek out the annual privacy notice in a way that they have not 
previously been required to do, Sec.  1016.9(c)(2)(ii)(B) is meant to 
make accessing the privacy notice on an institution's Web site as 
simple and straightforward as possible.
    As to the proposal's requirement that the privacy notice be posted 
continuously, the Bureau does not regard ``continuously'' to suggest 
that financial institutions would violate Sec.  1016.9(c)(2)(ii)(B) if 
their Web site temporarily malfunctioned. This language requiring 
``continuously'' posting on a Web site is used in existing Sec.  
1016.9(c)(1) (which is being recodified in this final rule as Sec.  
1016.9(c)(1)(i)). The Bureau understands from the comments that 
financial institutions would be unlikely to post standardized 
information, such as the privacy notice, on a non-continuous basis. 
Nevertheless, the Bureau emphasizes that Sec.  1016.9(c)(2)(ii)(B) 
assumes that financial institutions will post the privacy notice on 
their Web sites so that the notice is available but for occasional or 
unavoidable interruptions, such as routine maintenance or unexpected 
malfunctions.
    Regarding requiring a link to the privacy notice from a financial

[[Page 64073]]

institution's homepage, during outreach before the proposal, many 
financial institutions stated to the Bureau that space on their Web 
site's home page is extremely valuable and that requiring a link on the 
home page would limit their ability to use that space for other 
important communications with customers. Although the Bureau encourages 
financial institutions to include a link to the privacy policy on other 
pages of their Web sites, including the home page, the Bureau declines 
to require such a link. Because Sec.  1016.9(c)(2)(ii)(A) requires the 
notice of availability to include a web address for the page containing 
the privacy notice, the Bureau expects that customers can easily locate 
the page. The Bureau further notes, as stated in the proposal, that 
other pages on the financial institution's Web site could link to the 
page containing the privacy notice. Nevertheless, a financial 
institution would still have to provide the customer a specific web 
address that takes the customer directly to the page where the privacy 
notice is available to satisfy the requirement to post the notice on 
the financial institution's Web site in Sec.  1016.9(c)(2)(ii)(B).\74\
---------------------------------------------------------------------------

    \74\ With regard to the proposed requirement that the notice be 
posted in a ``clear and conspicuous'' manner, the Bureau notes that 
existing Sec.  1016.3(b)(2)(iii) gives examples of what clear and 
conspicuous means for a privacy notice posted on a Web site. One 
example provides that a financial institution designs its notice to 
call attention to the nature and significance of the information in 
the notice if it uses text or visual cues to encourage scrolling 
down the page if necessary to view the entire notice and ensures 
that other elements on the Web site (such as text, graphics, 
hyperlinks, or sound) do not distract attention from the notice. 
Section 1016.3(b)(2)(iii)(A) and (B) also provides examples of clear 
and conspicuous placement of the notice within the financial 
institution's Web site but these examples do not seem relevant to 
the posting of the notice for the alternative delivery method 
because customers will be typing into their web browser the web 
address of the specific page that contains the annual notice, rather 
than navigating to the annual notice from the financial 
institution's home page. To the extent that a financial institution 
is satisfying existing Sec.  1016.9(a) and not the alternative 
delivery method in Sec.  1016.9(c)(2) by posting the privacy notice 
on its Web site, the clear and conspicuous examples in Sec.  
1016.3(b)(2)(iii)(A) and (B) still apply.
---------------------------------------------------------------------------

    As to the suggestion that the privacy notice be posted in the 
institution's lobby, rather than on a Web site, the Bureau understands 
that there may be some institutions that do not maintain Web sites. The 
Bureau believes, however, that Web site posting is an integral 
component of the alternative delivery method and ensures that the 
privacy notice be widely available when it is not sent to individual 
customers according to standard delivery methods. The Bureau does not 
believe that lobby posting of the privacy notice makes it sufficiently 
available to customers given the individualized notice contemplated by 
the GLBA and discussed more fully in the section-by-section analysis of 
Sec.  1016.9(c)(2)(i)(A) above. Accordingly, the Bureau declines to 
revise Sec.  1016.9(c)(2)(ii)(B) to permit posting of the notice in a 
lobby to satisfy the requirement. For the reasons discussed, the Bureau 
is adopting Sec.  1016.9(c)(2)(ii)(B) as revised.

Section 1016.9(c)(2)(ii)(C)

    Proposed Sec.  1016.9(c)(2)(ii)(C) would have set forth the third 
component of the alternative delivery method: That the financial 
institution mail promptly its current privacy notice to those customers 
who request it by telephone. For the reasons discussed below, the 
Bureau adopts Sec.  1016.9(c)(2)(ii)(C) as revised.
Proposed Rule
    As stated in the proposal, the Bureau proposed this requirement to 
assist customers without internet access and customers with internet 
access who would prefer to receive a hard copy of the notice. The 
Bureau invited comment in the proposal on whether requiring prompt 
mailing is sufficient to ensure that customers receive privacy notices 
in a timely manner or whether ``promptly'' should be more specifically 
defined, such as by a certain number of days.
Comments
    A few bank commenters stated that it was not necessary to define 
``promptly'' further, but most financial institutions that commented on 
this issue stated that a specific number of days would be helpful. 
Suggestions included five days, ten business days, 15 days, and 30 
days. A trade association representing mortgage lenders requested that 
the Bureau revise Sec.  1016.9(c)(2)(ii)(C) to require the financial 
institution send the privacy notice, rather than mail it, to clarify 
that the financial institution could comply with the requirement by 
emailing the privacy notice. An organization representing consumers and 
privacy rights suggested that the Bureau expressly prohibit a financial 
institution from including other information, such as sales 
solicitations, in the mailing containing the annual privacy notice so 
as to avoid distracting customers with irrelevant information.
Final Rule
    In response to the commenters' requests for clarity on how long 
financial institutions have to mail privacy notices upon request, the 
Bureau is adopting Sec.  1016.9(c)(2)(ii)(C) as revised to require 
notices to be mailed within ten days of the customer's request. The 
Bureau notes that existing provisions of Regulation P define periods in 
terms of a number of days, meaning calendar days.\75\ The Bureau 
believes that financial institutions should be able to provide a 
privacy notice within ten calendar days of a customer's request, even 
accounting for weekends and holidays during which the financial 
institution may be closed. As stated in the proposal, the Bureau notes 
that consistent with privacy notices currently provided under 
Regulation P, it expects that financial institutions will not charge 
the customer for delivering the annual notice, given that delivery of 
the annual notice is required by statute and regulation.
---------------------------------------------------------------------------

    \75\ E.g., 12 CFR 1016.10(a)(3).
---------------------------------------------------------------------------

    Regarding email delivery of the privacy notice upon request, as 
stated in the proposal, Sec.  1016.9(c)(2)(ii)(C) is intended primarily 
for customers without internet access to be able to receive a paper 
copy of the privacy notice through the U.S. mail. The Bureau expects 
that customers with internet access who receive the notice of 
availability are much more likely to go to the financial institution's 
Web site to access the privacy notice than to telephone the financial 
institution to request a privacy notice be sent to them.
    With respect to prohibiting the mailing containing the privacy 
notice from containing other information, such as solicitations, the 
Bureau declines to impose a blanket prohibition on the inclusion of 
such material. As discussed above, the Supplementary Information to the 
Final Model Privacy Form Under the Gramm-Leach-Bliley Act explained 
that financial institutions that use the model privacy form are not 
precluded from providing additional information in other, supplemental 
materials to customers if they wish to do so.\76\ Further, the existing 
requirement at Sec.  1016.5(a) that the annual notice be ``clear and 
conspicuous'' would apply to the mailing of this privacy notice as it 
does to the standard delivery methods for annual notices.\77\ This 
requirement precludes the inclusion of other material in a manner that 
would render

[[Page 64074]]

the privacy notice not reasonably understandable and designed to call 
attention to the nature and significance of the information in the 
notice. In light of this existing requirement and the fact that 
customers who have requested the privacy notice be mailed will be 
expecting it, the Bureau does not believe that it is necessary at this 
time to impose a blanket prohibition on the inclusion of other material 
with the mailing of the privacy notice.
---------------------------------------------------------------------------

    \76\ See 74 FR at 62908.
    \77\ Cf. 74 FR at 62898 (``[T]he Agencies agree that 
institutions may incorporate the model form into another document 
but they must do so in a way that meets all the requirements of the 
privacy rule and the model form instructions, including that: The 
model form must be presented in a way that is clear and conspicuous; 
it must be intact so that the customer can retain the content of the 
model form; and it must retain the same page orientation, content, 
format, and order as provided for in this Rule.'') (footnotes 
omitted).
---------------------------------------------------------------------------

Section 1016.9(c)(2)(iii)

    Proposed Sec.  1016.9(c)(2)(iii) would have provided an example of 
a notice of availability that satisfies Sec.  1016.9(c)(2)(ii)(A). The 
Bureau is adopting Sec.  1016.9(c)(2)(iii) substantially as proposed 
with minor technical revisions.
Proposed Rule
    The Bureau intended the example in proposed Sec.  1016.9(c)(2)(iii) 
to provide clear guidance on permissible content for the notice of 
availability to facilitate compliance. The proposed example would have 
included the heading ``Privacy Notice'' in boldface on the notice of 
availability. The proposed example further would have stated that 
Federal law requires the financial institution to tell customers how it 
collects, shares, and protects their personal information; this 
language mirrors the ``Why'' box on the model privacy notices.
Comments
    One commenter requested that other forms of emphasis be permitted 
rather than boldface because they could not use boldface in their 
software system. A national and a state association representing credit 
unions requested that the Bureau create a model notice of availability 
with graphics and shading that would be a safe harbor for compliance 
with proposed Sec.  1016.9(c)(2)(ii)(A).
Final Rule
    The Bureau is adopting Sec.  1016.9(c)(2)(ii) as revised. With 
respect to the comment that some financial institutions' software 
programs do not allow for boldface, the Bureau notes that Sec.  
1016.9(c)(2)(iii) is an example of how to comply with Sec.  
1016.9(c)(2)(ii)(A) but other language and formatting techniques could 
also satisfy that section. Nevertheless, the Bureau is revising Sec.  
1016.9(c)(2)(iii) to state that the heading ``Privacy Notice'' could be 
in boldface or otherwise emphasized. ``Otherwise emphasized'' could 
include using all capital letters or underlining. As to the requests to 
create a model notice of availability with shading and graphics, the 
Bureau declines to do so at this time because it believes that the 
example notice of availability in Sec.  1016.9(c)(2)(iii) provides 
sufficient guidance to financial institutions on how to comply with 
Sec.  1016.9(c)(2)(ii)(A). The Bureau is also modifying Sec.  
1016.9(c)(2)(iii) to reflect that the telephone number provided need 
not be a toll-free number, to be consistent with Sec.  
1016.9(c)(2)(ii)(A) as finalized.

V. Section 1022(b)(2) of the Dodd-Frank Act

A. Overview

    In developing the final rule, the Bureau has considered its 
potential benefits, costs, and impacts.\78\ In addition, the Bureau has 
consulted and coordinated with the SEC, CFTC, FTC, and NAIC, and 
consulted with or offered to consult with the OCC, the Board, FDIC, 
NCUA, and HUD, including regarding consistency with any prudential, 
market, or systemic objectives administered by such agencies.
---------------------------------------------------------------------------

    \78\ Specifically, section 1022(b)(2)(A) of the Dodd-Frank Act 
calls for the Bureau to consider the potential benefits and costs of 
a regulation to consumers and covered persons, including the 
potential reduction of access by consumers to consumer financial 
products or services; the impact on depository institutions and 
credit unions with $10 billion or less in total assets as described 
in section 1026 of the Dodd-Frank Act; and the impact on consumers 
in rural areas.
---------------------------------------------------------------------------

    This final rule amends Sec.  1016.9(c) of Regulation P to provide 
an alternative method for delivering annual privacy notices. The 
primary purpose of the rule is to reduce unnecessary or unduly 
burdensome regulations, and the alternative delivery method will reduce 
the burden of providing these annual privacy notices. A financial 
institution may use the alternative delivery method if:
    (1) It does not disclose the customer's nonpublic personal 
information to nonaffiliated third parties in a manner that triggers 
GLBA opt-out rights;
    (2) It does not include on its annual privacy notice an opt-out 
notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act 
(FCRA);
    (3) The requirements of section 624 of the FCRA and the Affiliate 
Marketing Rule, if applicable, have been satisfied previously or the 
annual privacy notice is not the only notice provided to satisfy such 
requirements;
    (4) The information included in the privacy notice has not changed 
since the customer received the previous notice (subject to an 
exception); and
    (5) It uses the model form provided in the GLBA's implementing 
Regulation P.
    Under the alternative delivery method, the financial institution 
would have to:
    (1) Convey in a clear and conspicuous manner not less than annually 
on an account statement, coupon book, or a notice or disclosure the 
institution issues under any provision of law that its privacy notice 
is available on its Web site, it will be mailed to customers who 
request it by telephone, and it has not changed;
    (2) Post its current privacy notice in a continuous and clear and 
conspicuous manner on a page of its Web site on which the only content 
is the privacy notice, without requiring a login name or similar steps 
or agreeing to any conditions to access the page; and
    (3) Mail its current privacy notice to customers who request it by 
telephone within ten days of the request.

B. Potential Benefits and Costs to Consumers and Covered Persons

    The requirements in Sec.  1016.9(c)(2) provide certain benefits to 
consumers relative to the baseline established by the current 
provisions of Regulation P. These requirements provide an incentive for 
financial institutions to adopt the model privacy form and to post it 
on their Web sites, particularly when these changes are the only ones 
that would be needed to use the alternative delivery method. Recent 
research establishes that large numbers of banks, credit unions and 
other financial institutions do not post the model privacy form on 
their Web sites and presumably many have not adopted it.\79\ Given the 
consumer testing that

[[Page 64075]]

went into the development of the model form and the public input that 
went into its design, the Bureau believes that the model form is 
generally clearer and easier to understand than most privacy notices 
that deviate from the model.\80\ While the Bureau does not know how 
many more financial institutions would adopt the model privacy form and 
post it on their Web sites in order to use the alternative delivery 
method, at least some additional consumers likely would be able to 
learn about the information sharing policies of financial institutions 
through the model privacy form as a result of Sec.  1016.9(c)(2). It 
also may be more convenient for some consumers to learn about 
information sharing policies from a privacy policy on a Web site rather 
than a mailed copy, especially since financial institutions using the 
alternative delivery method must limit their information sharing to 
practices that do not give consumers opt-out rights. Thus, Sec.  
1016.9(c)(2) likely would make it easier for some consumers to review 
and understand privacy policies and to make comparisons across 
financial institutions with regard to privacy policies and opt outs.
---------------------------------------------------------------------------

    \79\ See L. F. Cranor, K. Idouchi, P. G. Leon, M. Sleeper, B. 
Ur, Are They Actually Any Different? Comparing Thousands of 
Financial Institutions' Privacy Practices. The Twelfth Workshop on 
the Economics of Information Security (WEIS 2013), June 11-12, 2013, 
Washington, DC, available at http://weis2013.econinfosec.org/papers/CranorWEIS2013.pdf. They find that only about 51% of FDIC insured 
depositories for which a Web site domain name is listed in the FDIC 
directory of financial institutions (3,422 out of 6,701) post the 
model privacy form on their Web sites. A Web site was not listed for 
an additional 371 institutions, and these institutions were excluded 
from the analysis. Some of these authors recently replicated and 
extended this work; see L. F. Cranor, P. G. Leon, B. Ur, A Large-
Scale Evaluation of U.S. Financial Institutions' Standardized 
Privacy Notices, undated, available at http://www.andrew.cmu.edu/user/pgl/financialnotices.pdf. These authors find that 56% of FDIC 
insured depositories for which a Web site domain name is listed in 
the FDIC directory of financial institutions (3,594 out of 6,409) 
post the model privacy form on their Web sites. They also analyzed a 
much larger group of insured depositories, credit unions and credit 
card companies, first searching for an institution's Web site (when 
the Web site URL was not on lists of financial institutions they 
obtained from the FDIC, NCUA and the Federal Reserve) and then 
searching for the institution's model privacy form. With this 
methodology, the authors find that only about 32% (6,191 of 19,329) 
of this larger group of financial institutions posts the model 
privacy form on Web sites.
    \80\ The research that went into the development and testing of 
the model form was detailed in four reports: (1) Financial Privacy 
Notice: A Report on Validation Testing Results (Kleimann Validation 
Report), February 12, 2009, available at http://www.ftc.gov/system/files/documents/reports/financial-privacy-notice-report-validation-testing-results-kleimann-validationreport/financial_privacy_notice_a_report_on_validation_testing_results_kleimann_validation_report.pdf; (2) Consumer Comprehension of Financial 
Privacy Notices: A Report on the Results of the Quantitative Testing 
(Levy-Hastak Report), December 15, 2008, available at http://www.ftc.gov/system/files/documents/reports/quantitative-research-levy-hastak-report/quantitative_research_-_levy-hastak_report.pdf; 
(3) Mall Intercept Study of Consumer Understanding of Financial 
Privacy Notices: Methodological Report (Macro International Report), 
September 18, 2008, available at http://www.ftc.gov/system/files/documents/reports/quantitative-research-macro-international-report/quantitative_research_-_macro_international_report.pdf; and (4) 
Evolution of a Prototype Financial Privacy Notice: A Report on the 
Form Development Project, March 31, 2006, available at http://kleimann.com/ftcprivacy.pdf. The development and testing of the 
model privacy notice is also discussed in L. Garrison, M. Hastak, 
J.M. Hogarth, S. Kleimann, A.S. Levy, Designing Evidence-based 
Disclosures: A Case Study of Financial Privacy Notices. The Journal 
of Consumer Affairs, Summer 2012: 204-234.
---------------------------------------------------------------------------

    The requirements in Sec.  1016.9(c)(2) also may benefit consumers 
who transact with financial institutions that adopt the alternative 
delivery method by disclosing that a financial institution's privacy 
policy has not changed. These consumers would not receive a notice 
presenting the full privacy policy unless the privacy policy has 
changed or when other requirements for use of the alternative delivery 
method are not met. There is no representative, administrative data 
available on the number of consumers who are indifferent to or dislike 
receiving full, unchanged privacy notices every year. The limited use 
of opt outs and anecdotal evidence suggest that there are such 
consumers. In addition, one national trade association surveyed its 
members and found that 76% of respondents were more likely to read a 
privacy notice when there were changes to it. The commenter concluded 
that notification of a change to a privacy policy was more important to 
its members than routinely sending privacy notices in the mail.
    The Bureau believes that few consumers would experience any costs 
from Sec.  1016.9(c)(2). There is a risk that some consumers may be 
less informed about a financial institution's information sharing 
practices if the financial institution adopts the alternative delivery 
method. However, Sec.  1016.9(c)(2)(ii)(A) mitigates this risk by 
requiring the inclusion annually on another notice or disclosure of a 
clear and conspicuous statement that the privacy notice is available on 
the Web site, and Sec.  1016.9(c)(2)(ii)(B) ensures that the model 
privacy form is posted in a continuous and clear and conspicuous manner 
on the Web site. Consumers may print the privacy notice at their own 
expense, while under current Sec.  1016.9(c)(2) the notice is delivered 
to them, which represents a transfer of costs from industry to 
consumers. However, Sec.  1016.9(c)(2)(ii)(A) provides consumers with a 
specific telephone number to request that the privacy notice be mailed 
to the consumer, which gives consumers the option of obtaining the 
notice without incurring the cost of printing it. Further, the Bureau 
believes that a printed form is mostly valuable to consumers who would 
exercise opt-out rights. The only opt outs that could be available to 
the consumer under Sec.  1016.9(c)(2) would be voluntary opt outs, 
i.e., opt outs from modes of sharing information that are not required 
by Regulation P, or (at the institution's discretion) an Affiliate 
Marketing Rule opt-out beyond those the institution has previously 
provided elsewhere. Voluntary opt outs do not appear to be common.\81\
---------------------------------------------------------------------------

    \81\ See Cranor et al. (2013). Their findings (Table 2) imply 
that at most 15% of the 3,422 FDIC insured depositories that post 
the model privacy form on their Web sites offer at least one 
voluntary opt out. Data from a much larger group of financial 
institutions analyzed by Cranor et al. (undated) imply (Table 2) 
that at most 27% of the 6,191 financial institutions that post the 
model privacy form on their Web sites offer at least one voluntary 
opt out.
---------------------------------------------------------------------------

    A number of commenters claimed that few consumers derive any 
benefit from the annual privacy notice, most do not read the notice, 
and some consumers may dislike receiving it. A national trade 
association surveyed its members and found that 25% of the respondents 
who recalled receiving an annual privacy notice either disposed of the 
notice without opening it or opened it without reading it. The 
remaining 75% would skim or read the notice. One state banking 
association asked its members if the bank ever received a complaint or 
comment about the bank's privacy notice from a customer. The commenter 
did not provide quantitative information but offered examples of 
responses. Among the responses were statements that customers would 
call after receiving the annual privacy notice to complain or to ask 
not to receive the notice in the future. These commenters generally 
conclude that there would be no cost to consumers and perhaps 
additional benefits from alternatives to the rule that allowed for more 
widespread adoption of the alternative delivery method.
    As explained at length above, the Bureau believes that requiring 
notices that have changed or that include required consumer opt-outs to 
be physically delivered, unless the consumer has agreed to receive them 
electronically, is more consistent with the importance to the statutory 
scheme of customers' ability to exercise opt-out rights and more 
consumer-friendly than allowing use of the alternative delivery method 
where notices have changed or include required opt-outs. That 
discussion is incorporated here. Further, the Bureau believes that 
while some consumers may prefer not to receive annual privacy notices 
even when those notices include required opt-outs, others may feel 
differently, and consumers who would fail to exercise an opt out if the 
alternative delivery method were available incur a cost. Finally, the 
Bureau notes that the data from one commenter described above at least 
suggests that consumers may benefit from physical delivery when the 
notice has changed.
    Regarding benefits and costs to covered persons, the primary effect 
of the final rule is to reduce burden by lowering the costs to industry 
of providing annual privacy notices. The requirements in Sec.  
1016.9(c)(2) impose no new compliance requirements on any financial 
institution. All methods of

[[Page 64076]]

compliance under current law remain available to a financial 
institution, and a financial institution that is in compliance with 
current law is not required to take any different or additional action. 
The Bureau believes that a financial institution would adopt the 
alternative delivery method only if it expected the costs of complying 
with the alternative delivery method would be lower than the costs of 
complying with existing Regulation P.
    By definition, the expected cost savings to financial institutions 
from the adoption of Sec.  1016.9(c)(2) is the expected number of 
annual privacy notices that would be provided through the alternative 
delivery method multiplied by the expected reduction in the cost per-
notice from using the alternative delivery method. As explained below, 
many financial institutions would not be able to use the alternative 
delivery method without changing their information sharing practices, 
and the Bureau believes that few financial institutions would find it 
in their interest to change information sharing practices just to 
reduce the costs of providing the annual privacy notice. Thus, the 
first step in estimating the expected cost savings to financial 
institutions from Sec.  1016.9(c)(2) would be to identify the financial 
institutions whose current information sharing practices would allow 
them to use the alternative delivery method. The Bureau would then need 
to determine their current costs for providing the annual privacy 
notices and the expected costs of providing these notices under Sec.  
1016.9(c)(2).\82\
---------------------------------------------------------------------------

    \82\ The analysis that follows makes certain additional 
assumptions about adjustments that financial institutions are not 
likely to undertake just to be able to adopt the alternative 
delivery method. For example, a small institution without a Web site 
might not find it worthwhile to establish one given the relatively 
small savings in costs that might result. These assumptions are 
discussed further below.
---------------------------------------------------------------------------

    The Bureau does not have sufficient data to perform every step of 
this analysis, but it performed a number of analyses and outreach 
activities to approximate the expected cost savings. Regarding banks, 
the Bureau examined the privacy policies of the 19 banks with assets 
over $100 billion as well as the privacy policies of 106 additional 
banks selected through random sampling.\83\ The Bureau found that the 
overall average rate at which banks' information sharing practices 
would make them eligible for using the alternative delivery method if 
other conditions were met is 80%.\84\ However, only 21% of sampled 
banks with assets over $10 billion could clearly use the alternative 
delivery method, while 81% of sampled banks with assets of $10 billion 
or less and 88% of sampled banks with assets of $500 million or less 
could clearly use the alternative delivery method. These results 
indicate that a large majority of smaller banks would likely be able to 
use the alternative delivery method but most of the largest banks would 
not.\85\
---------------------------------------------------------------------------

    \83\ The Bureau defined five strata for banks under $100 billion 
and three strata for credit unions under $10 billion and drew random 
samples from each of the strata. We obtained privacy policies from 
the Web sites of financial institutions.
    \84\ In these and subsequent calculations, entities that stated 
that they shared information so their affiliates could market to the 
consumer were considered eligible for the alternative delivery 
method since they could use the alternative delivery method as long 
as the annual privacy notice is not the only notice on which they 
provide the opt-out; see Sec.  1016.9(c)(2)(i)(C).
    \85\ As discussed in the section-by-section analysis, a banking 
trade association commenting on the Streamlining RFI estimated that 
75% of banks do not change their notices from year to year and do 
not share information in a way that gives rise to customer opt-out 
rights. The Bureau's estimate is consistent with this comment.
---------------------------------------------------------------------------

    One state banking association surveyed its members and provided 
data that is generally consistent with the finding that the vast 
majority of smaller banks would likely be able to use the alternative 
delivery method. Ninety-nine institutions responded to at least one of 
six questions. Fifty-three provided their bank's total assets; of these, 
50 reported assets under $500 million. However, only 12 respondents 
stated that they would not be eligible to use the alternative delivery 
method. If these 12 respondents were among the 53 that provided their 
bank's total assets and all 53 responded to the question about 
eligibility, between 76% and 82% of this association's members with 
assets under $500 million believed they would be eligible to use the 
alternative delivery method.\86\
---------------------------------------------------------------------------

    \86\ Unfortunately, more precise calculations are not possible 
without more information about responses conditional on asset size 
and the response rate to each question.
---------------------------------------------------------------------------

    The Bureau also examined the privacy policies of the four credit 
unions with assets over $10 billion as well as the privacy policies of 
50 additional credit unions selected through random sampling. The 
Bureau found that three of the four credit unions with assets over $10 
billion clearly could use the alternative delivery method without 
changing their information sharing policies. Further, 67% of sampled 
credit unions with assets over $500 million could clearly use the 
alternative delivery method. However, the Bureau also found that only 
13 of the 25 sampled credit unions with assets of $500 million or less 
either posted the model privacy form on their Web sites or provided 
enough information about their sharing practices to permit a clear 
determination regarding whether the alternative delivery method would 
be available to them (2 of the 25 did not have Web sites). The Bureau 
found that 11 of the 13 (85%) for which a determination could be made 
would be able to use the alternative delivery method, and the Bureau 
believes that a significant majority of the sample of 25 would be able 
to use the alternative delivery method (perhaps after adopting the 
model form). For purposes of this analysis, the Bureau conservatively 
assumes that only 11 of the 25 sampled credit unions with assets of 
$500 million or less would be able to use the alternative delivery 
method, although the actual figure is likely much higher.
    The Bureau requested comment on how to improve this estimate of the 
number of small credit unions that would be able to use the alternative 
delivery method. The Bureau did not receive comments on this specific 
issue. Comments that relate to the general accuracy of these estimates 
are discussed below.
    Although these estimates provide some insight into the numbers of 
banks and credit unions that could use the alternative delivery method, 
the Bureau does not have precise data on the number of annual privacy 
notices these institutions currently provide. Thus, it is not possible 
to directly compute the total number of annual privacy notices that 
would no longer be sent. The Bureau does, however, have information 
about the burden on banks, credit unions and non-depository financial 
institutions from providing the annual privacy notices from the 
Paperwork Reduction Act Supporting Statements for Regulation P on file 
with the Office of Management and Budget. This information can be used 
to obtain an estimate of the ongoing savings from the alternative 
delivery method.\87\
---------------------------------------------------------------------------

    \87\ It is worth noting at the outset that, with this 
methodology, the total cost of providing the annual privacy notice 
and opt-out notice under Regulation P is approximately $30 million 
per year.
---------------------------------------------------------------------------

    In estimating this savings for banks and credit unions, the 
analysis above establishes that it is essential to take into account 
the variation by size of banks and credit unions in relation to the 
likelihood they could use the alternative delivery method. To ensure 
that these differences inform the estimates, the Bureau allocated the 
total burden of providing the annual privacy notices to asset classes 
in proportion to the share of assets in the class. The Bureau then 
estimated an amount of burden reduction specific to each asset

[[Page 64077]]

class using the results from the sampling described above. The total 
burden reduction is then the sum of the burden reductions in each asset 
class. For banks and credit unions combined, the estimated reduction in 
burden using this methodology is approximately $6.9 million annually.
    Regarding non-depository financial institutions, the proposed 
analysis stated that based on initial outreach, a majority were likely 
to be able to use the alternative delivery method. The proposed 
analysis stated that the prohibition on disclosing information to third 
parties in the Fair Debt Collection Practices Act (FDCPA) suggested 
that financial institutions subject to those limits likely would be 
able to use the alternative delivery method when GLBA notice 
requirements apply.\88\ The proposed analysis then used the overall 
average rate at which banks could utilize the alternative delivery 
method in its calculations of burden reduction for non-depository 
financial institutions. The Bureau stated that it would continue to 
refine its knowledge of the information sharing practices of non-
depository financial institutions and requested comment and the 
submission of information relevant to this issue.
---------------------------------------------------------------------------

    \88\ FDCPA section 805(b) generally prohibits communication with 
third parties in connection with the collection of a debt.
---------------------------------------------------------------------------

    The Bureau received comment letters from a debt buyer, a trade 
association for debt buyers and one student loan servicer that 
identified proposed requirements that would have limited the ability of 
these non-depository financial institutions to use the alternative 
delivery method. All three commenters stated that restrictions on how 
financial institutions could provide the proposed notice of 
availability would limit use of the alternative delivery method. All 
three also stated that the requirement to use the model form would 
limit use of the alternative delivery method. These issues are 
discussed below.\89\
---------------------------------------------------------------------------

    \89\ The Bureau requested comment on, but did not propose, 
requiring a dedicated telephone number for privacy notice requests. 
The student loan servicer commented that this requirement would not 
be a good use of resources for small lenders. The Bureau is not 
requiring a dedicated telephone number for these requests in the 
final rule; further, the Bureau is not finalizing the proposed 
requirement that the telephone number for these requests be toll-
free.
---------------------------------------------------------------------------

    The two debt-buying entities commented that restrictions on how the 
proposed notice of availability could be provided would eliminate any 
savings from the alternative delivery method. Specifically, proposed 
Sec.  1016.9(c)(2)(ii)(A) required the notice of availability to be 
provided on a notice or disclosure the financial institution was 
required or expressly and specifically permitted to issue under any 
other provision of law. One of these commenters stated that debt buyers 
are not required or specifically permitted to issue notices to 
consumers on a regular or annual basis. Thus, the alternative delivery 
method would simply exchange one annual privacy notice requirement for 
another. The other debt-buyer commenter stated that consumers whose 
accounts were not in active collections may not receive any 
correspondence from the commenter in the course of a year other than 
the annual privacy notice. Thus, the notice of availability would 
eliminate the savings intended by the alternative delivery method. In 
contrast, the student loan servicer commented that lenders and 
servicers of private education loans send periodic statements, but 
since no law requires them, proposed Sec.  1016.9(c)(2)(ii)(A) would 
not allow its members to use periodic statements to provide the notice 
of availability.
    As discussed above, the Bureau is revising proposed Sec.  
1016.9(c)(2)(ii)(A) to permit the notice of availability to be included 
on an account statement which would include periodic statements or 
billing statements not required or expressly permitted by law. The 
Bureau believes that this would permit student loan servicers and other 
non-depository financial institutions to use the alternative delivery 
method, as was assumed in the proposed analysis. This change from the 
proposed rule may also permit additional debt buyers to reduce costs by 
adopting the alternative delivery method.\90\ The Bureau recognizes, 
however, that final Sec.  1016.9(c)(2)(ii)(A) may still deter many debt 
buyers from adopting the alternative delivery method.
---------------------------------------------------------------------------

    \90\ One of the debt-buyer commenters recommended that the 
Bureau allow the statement of availability to be provided on ``any 
legally permissible'' mailed materials. The Bureau intends the term 
account statement to be flexible and it might include some of the 
legally permissible materials mentioned by this debt buyer. However, 
it would not include materials such as advertisements or 
newsletters.
---------------------------------------------------------------------------

    All three commenters also stated that the requirement to use the 
model form would limit use of the alternative delivery method. The two 
debt-buying entities cited requirements in the FDCPA that they stated 
made it difficult for them to adopt the model form. In contrast, the 
student loan servicer stated that some of its members that do not 
currently use the model form might not adopt it because they believed 
that the information they provide is more comprehensive.
    As discussed above, while the Bureau is requiring use of the model 
form, the Bureau is modifying proposed Sec.  1016.9(c)(2)(ii)(B) to 
clarify that information that is not content, such as navigational 
menus that link to other pages on the financial institution's Web site, 
could appear on the same page as the privacy notice and link to another 
portion of the financial institution's Web site that contains 
information supplemental to the privacy notice. The Bureau believes 
that this would encourage student loan servicers as well as other non-
depository financial institutions to adopt the model form and use the 
alternative delivery method.
    There is necessarily considerable uncertainty around any estimate 
of the number of non-depository financial institutions that could use 
the alternative delivery method. However, the Bureau did not receive 
any comments directly on the assumption that non-depository financial 
institutions will be able to utilize the alternative delivery method at 
the same overall average rate as banks. Further, partly in response to 
comments from non-depository financial institutions, the Bureau is 
adopting Sec.  1016.9(c)(2)(ii)(A) with changes from the proposal so 
that it is less of a barrier to adoption of the alternative delivery 
method. Finally, while the Bureau recognizes that many debt buyers may 
not be able to use the alternative delivery method, debt buyers are one 
group in the extremely large and heterogeneous group of non-depository 
financial institutions subject to Regulation P. The Bureau therefore 
continues to estimate the reduction in burden on non-depository 
financial institutions as approximately $10 million annually.\91\
---------------------------------------------------------------------------

    \91\ Note that this figure excludes auto dealers. Auto dealers 
are regulated by the FTC and would not be directly impacted by this 
amendment to Regulation P.
---------------------------------------------------------------------------

    Thus, the Bureau believes that the total reduction in burden is 
approximately $17 million annually. This represents about 58% 
of the total $30 million annual cost of providing the annual privacy 
notice and opt-out notice under Regulation P.\92\
---------------------------------------------------------------------------

    \92\ The Bureau recognizes that this analysis does not take into 
account the possibility that, as with banks and credit unions, the 
largest non-depository financial institutions may be least likely to 
be able to use the alternative delivery method. Assuming the size 
distribution and utilization rate are the same as for credit unions, 
the reduction in burden on non-depository financial institutions 
would be approximately $7.5 million annually instead of $10 million 
annually.

---------------------------------------------------------------------------

[[Page 64078]]

    The Bureau did not receive comments directly on this estimate or 
the methodology. The Bureau did receive quantitative information from 
individual financial institutions and state associations about the 
costs of providing annual privacy notices and in some cases the 
expected savings from the alternative delivery method. It is not possible 
to use this information to precisely estimate market-wide totals for 
the baseline cost and expected savings. The data is, however, 
informative regarding the Bureau's estimates.
    Regarding banks, a state banking association that surveyed its 
members provided data in which the average cost of providing the 
notices was about $1,700. All but one of the respondents had assets 
under $500 million. A bank with $367 million in assets reported 
spending $1,800 on printing. A bank with $442 million in assets 
reported spending $1,900 on printing and mailing. A bank with $1.1 
billion in assets reported spending $3,800 on printing and stated it 
delivers the annual privacy notice with an account statement. A bank 
with $3 billion in assets reported spending $20,000 on notice 
distribution. It is not possible to extrapolate precisely from this 
data to the entire market without additional information regarding the 
representativeness of this data, the relationship between assets and 
costs, the proportion of banks that incur mailing costs when 
distributing the notice, and the costs for banks above $3 billion in 
assets. However, applying these figures to the roughly 7,000 banks in 
the United States suggests costs of well over $40 million to the 
banking sector alone.
    The Bureau received similar information from credit unions. A 
credit union with $12 million in assets and 3,000 members reported that 
it would save $150 per year with the alternative delivery method. A 
credit union with approximately $1 billion in assets reported spending 
$4,200 on printing and $36,800 on mailing. A credit union with $5 
billion in assets reported spending $10,000 on printing and delivers 
the annual notice with an account statement. In addition, one trade 
association for debt-buyers reported that debt buyers alone spend 
approximately $28 million on mailing annual privacy notices.\93\
---------------------------------------------------------------------------

    \93\ A financial corporation with $2 billion in assets reported 
sending approximately 37,000 annual privacy notices and needing 100 
hours for this work.
---------------------------------------------------------------------------

    The data provided by commenters suggests that the total cost of 
providing annual privacy notices by financial institutions subject to 
Regulation P may currently be larger than the $30 million reported 
above. Improving this estimate would require extensive data collection 
from a wide range of financial institutions, and such data is not 
reasonably available to the Bureau. The previous analysis does not, however, 
indicate any significant error in the estimate that the alternative 
delivery method may relieve about 58% of the total annual cost of 
providing the annual privacy notice and opt-out notice under Regulation 
P. The Bureau has a continuing interest in improving its estimates of 
regulatory burden and burden reduction and welcomes comments on these 
estimates at any time.
    The Bureau notes that these estimates of ongoing savings are gross 
figures and do not take into account any one-time or ongoing costs 
associated with the alternative delivery method. The Bureau believes 
that one-time costs associated with using the alternative delivery 
method would be minimal and would not prevent adoption of the 
alternative delivery method, as long as the institution already has a 
Web site and currently annually provides an account statement, coupon 
book, or notice or disclosure as described in Sec.  
1016.9(c)(2)(ii)(A). In the analysis above, the Bureau found that all 
but two financial institutions had Web sites and assumed that these two 
institutions would not adopt the alternative delivery method. However, 
the Bureau recognizes that it sampled very few of the smallest 
financial institutions and that these are the ones most likely not to 
have Web sites.
    Comments on the proposed rule were generally consistent with the 
Bureau's analysis. One state banking association commented that 
approximately 5% of its members do not have a Web site. Another state 
banking association reported that 5 respondents to a survey that 
received 99 responses stated that they do not have a Web site. One 
state banking association reported that, when asked to estimate the 
cost of putting the annual privacy notice on a Web page that only 
contains the privacy notice, 15 responded that the cost would be 
``minimal,'' one responded it would cost $500, and one that it would 
cost $3000. One bank with approximately $3 billion in assets commented 
that the cost of adding a Web page would be ``insignificant.'' A bank 
with under $500 million in assets commented that it had paid $700 to 
its vendor to make an electronic version of its privacy notice 
available on its Web site. These results are consistent with the 
Bureau's own research and analysis. The Bureau requested information 
regarding the use of Web sites by non-depository financial institutions 
but did not receive any data on this subject.
    The Bureau believes that the one-time costs associated with 
providing the notice of availability annually on an account statement, 
coupon book, or notice or disclosure as described in Sec.  
1016.9(c)(2)(ii)(A) would be small. One state banking association 
commented that, given the range of customer relationship types, a bank 
may need to adjust a number of different notices in order to provide 
the notice of availability to all of its customers. The Bureau believes 
that the cost of each adjustment would be small. These costs would also 
be recouped over time through the savings achieved from no longer 
delivering the annual privacy notice through the mail or even through 
some of the other delivery methods that the existing rule permits.\94\
---------------------------------------------------------------------------

    \94\ The Bureau believes that banks and credit unions have 
relatively few customers to whom they do not send, at least once per 
year, an account statement, coupon book, or other notice or 
disclosure that meets the conditions in final Sec.  
1016.9(c)(2)(ii)(A). Some banks and credit unions and their 
associations commented that Sec.  1016.9(c)(2)(ii)(A) was too 
restrictive in this regard and might limit adoption of the 
alternative delivery method. As discussed above, final Sec.  
1016.9(c)(2)(ii)(A) is less restrictive.
---------------------------------------------------------------------------

    Similarly, the Bureau believes that the requirements for using the 
alternative delivery method would provide few sources of additional 
ongoing costs relative to the baseline to financial institutions that 
adopt it. These costs would consist of additional text on an account 
statement, coupon book, notice or disclosure the institution already 
provides, maintaining a Web page dedicated to the annual privacy notice 
if one does not already exist, additional telephone calls from 
consumers requesting that the model form be mailed, and the costs of 
mailing the forms prompted by these calls. The Bureau currently 
believes that few consumers will request that the form be mailed in 
order to read it or to exercise any voluntary or FCRA Affiliate 
Marketing Rule opt-out right. A number of commenters stated that the 
proposed requirement to maintain a toll-free telephone number for 
requesting annual privacy notices (and the alternative considered of a 
dedicated toll-free number) would impose an unnecessary expense. Final 
Sec.  1016.9(c)(2)(ii)(A) does not require the telephone number to be 
toll-free.
    One caveat regarding these estimates concerns the use of 
consolidated privacy notices by entities regulated by different 
agencies. For example, entities that could comply with Regulation P by 
adopting the alternative delivery

[[Page 64079]]

method would not do so if they still needed to send these customers an 
additional disclosure in order to comply with the GLBA regulations of 
other agencies. The Bureau believes that among the entities that will 
continue to use a standard delivery method, few will do so solely 
because of the need to comply with the GLBA regulations of multiple 
agencies. Rather, most such entities will also be large financial 
institutions and will not satisfy the requirements on information 
sharing in Sec.  1016.9(c)(2)(i)(A)-(C). Thus, the Bureau believes that 
its estimates regarding the adoption of the alternative delivery method 
are accurate, notwithstanding the use of consolidated privacy notices, 
since the use of consolidated privacy notices is likely highly 
correlated with information sharing practices that alone prevent the 
adoption of the alternative delivery method. The Bureau requested data 
and other factual information regarding the extent to which the use of 
consolidated privacy notices may prevent the adoption of the 
alternative delivery method. The Bureau did not receive any comments on 
this issue.
    In developing the rule, the Bureau considered alternatives to the 
requirements it is adopting. As discussed at length above, the Bureau 
believes that the alternative delivery method might not adequately 
alert customers to their ability to opt out of certain types of 
information sharing were it available where a financial institution 
shares a customer's nonpublic personal information beyond the 
exceptions in Sec. Sec.  1016.13, 1016.14, and 1016.15. Thus, the 
Bureau considered but is not adopting an option in which the 
alternative delivery method could be used where a financial institution 
shares beyond one or more of these exceptions. For the same reason, the 
Bureau considered but is not adopting an option in which the 
alternative delivery method could be used where a financial institution 
shares information in a way that triggers information sharing opt-out 
rights under section 603(d)(2)(A)(iii) of the FCRA. On the other hand, 
the Bureau considered an option in which the alternative delivery 
method could never be used where a customer has an opt-out right under 
the Affiliate Marketing Rule. A financial institution may use the 
alternative delivery method if the requirements under section 624 of 
the FCRA and the Affiliate Marketing Rule have been satisfied 
previously or the annual privacy notice is not the only notice provided 
to satisfy such requirements. This case is distinguishable from the 
other two in that the Affiliate Marketing Rule opt-out notice is not 
required to be included on the annual privacy notice and may be sent 
separately. As explained above, a financial institution could send the 
separate Affiliate Marketing Rule opt-out only once (as long as it 
honored that opt-out indefinitely) and use the alternative delivery 
method to meet its yearly annual notice requirement, with or without 
including the Affiliate Marketing Rule opt-out notice on the model 
form.
    The Bureau also considered alternatives to the requirements 
regarding the types of information that cannot have changed since the 
previous annual notice to be able to use the alternative delivery 
method. The Bureau discussed these alternatives at length above and 
incorporates that discussion here.

C. Potential Specific Impacts of the Rule

    The Bureau currently understands that 81% of banks with $10 billion 
or less in assets would be able to utilize the alternative delivery 
method, with a greater opportunity for utilization among the smaller 
banks. Thus, the rule may have differential impacts on insured 
depository institutions with $10 billion or less in assets as described 
in section 1026 of the Dodd-Frank Act. The Bureau also currently 
understands that at least 46% of credit unions with $10 billion or less 
in assets, and perhaps substantially more, would be able to utilize the 
alternative delivery method, with a greater opportunity for utilization 
among credit unions in the middle of this group. The uncertainty 
reflects the relatively large number of very small credit unions that 
do not post the model form on their Web sites and which therefore could 
not clearly use the alternative delivery method.
    The Bureau does not believe that the rule would reduce consumers' 
access to consumer financial products or services. The rule may, 
however, benefit consumers in rural areas less than consumers in non-
rural areas. Rural consumers in most states have far less access to 
broadband and the alternative delivery method may displace delivery of 
paper notices with notices posted on Web sites.\95\ Rural consumers 
likely still would benefit overall, however, given the general 
availability of the disclosure through slower internet access or on 
request by telephone and the potentially greater use of the model form.
---------------------------------------------------------------------------

    \95\ For a comparison of access to broadband by rural and non-
rural consumers, see Bringing Broadband to Rural America: Update to 
Report on a Rural Broadband Strategy, June 17, 2011, pages 22-24, 
available at https://apps.fcc.gov/edocs_public/attachmatch/DOC-320924A1.pdf.
---------------------------------------------------------------------------

VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires each 
agency to consider the potential impact of its regulations on small 
entities, including small businesses, small governmental units, and 
small not-for-profit organizations. The RFA generally requires an 
agency to conduct an initial regulatory flexibility analysis (IRFA) and 
a final regulatory flexibility analysis (FRFA) of any rule subject to 
notice-and-comment rulemaking requirements, unless the agency certifies 
that the rule will not have a significant economic impact on a 
substantial number of small entities.\96\ The Bureau also is subject to 
certain additional procedures under the RFA involving the convening of 
a panel to consult with small business representatives prior to 
proposing a rule for which an IRFA is required.\97\
---------------------------------------------------------------------------

    \96\ 5 U.S.C. 603-605.
    \97\ 5 U.S.C. 609.
---------------------------------------------------------------------------

    The Bureau now certifies that a FRFA is not required for this final 
rule because it will not have a significant economic impact on a 
substantial number of small entities. The Bureau does not expect the 
final rule to impose costs on small entities. All methods of compliance 
under current law will remain available to small entities under the 
final rule. Thus, a small entity that is in compliance with current law 
need not take any different or additional action. In addition, the 
Bureau believes that the alternative delivery method would allow some 
small institutions to reduce costs, but by a small amount relative to 
overall costs given that this rulemaking addresses a single disclosure.
    Accordingly, the undersigned certifies that this rule will not have 
a significant economic impact on a substantial number of small 
entities.

VII. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA),\98\ Federal 
agencies are generally required to seek Office of Management and Budget 
(OMB) approval for information collection requirements prior to 
implementation. This final rule will amend Regulation P, 12 CFR part 
1016. The collections of information related to Regulation P have been 
previously reviewed and approved by OMB in accordance with the PRA and 
assigned OMB Control Number 3170-0010. Under the PRA, the Bureau may 
not conduct or sponsor, and,

[[Page 64080]]

notwithstanding any other provision of law, a person is not required to 
respond to an information collection, unless the information collection 
displays a valid control number assigned by OMB.
---------------------------------------------------------------------------

    \98\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    As explained below, the Bureau has determined that this rule does 
not contain any new or substantively revised information collection 
requirements other than those previously approved by OMB. Under this 
rule, a financial institution will be permitted, but not required, to 
use an alternative delivery method for the annual privacy notice if:
    (1) It does not disclose the customer's nonpublic personal 
information to nonaffiliated third parties in a manner that triggers 
GLBA opt-out rights;
    (2) It does not include on its annual privacy notice an opt-out 
notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act 
(FCRA);
    (3) The requirements of section 624 of the FCRA and the Affiliate 
Marketing Rule, if applicable, have been satisfied previously or the 
annual privacy notice is not the only notice provided to satisfy such 
requirements;
    (4) The information included in the privacy notice has not changed 
since the customer received the previous notice (subject to an 
exception); and
    (5) It uses the model form provided in the GLBA's implementing 
Regulation P.
    Under the alternative delivery method, the financial institution 
would have to:
    (1) Convey in a clear and conspicuous manner not less than annually 
on an account statement, coupon book, or a notice or disclosure the 
institution issues under any provision of law that its privacy notice 
is available on its Web site, it will be mailed to customers who 
request it by telephone, and it has not changed;
    (2) Post its current privacy notice continuously and in a clear and 
conspicuous manner on a page of its Web site on which the only content 
is the privacy notice, without requiring the customer to provide any 
information such as a login name or password or agree to any conditions 
to access the page; and
    (3) Mail its current privacy notice to customers who request it by 
telephone within ten days of the request.
    Under Regulation P, the Bureau generally accounts for the paperwork 
burden for the following respondents pursuant to its enforcement/
supervisory authority: Insured depository institutions with more than 
$10 billion in total assets, their depository institution affiliates, 
and certain non-depository financial institutions. The Bureau and the 
FTC generally both have enforcement authority over non-depository 
financial institutions subject to Regulation P. Accordingly, the Bureau 
has allocated to itself half of the final rule's estimated burden on 
non-depository institutions subject to Regulation P. Other Federal 
agencies, including the FTC, are responsible for estimating and 
reporting to OMB the paperwork burden for the institutions for which 
they have enforcement and/or supervision authority. They may use the 
Bureau's burden estimation methodology, but need not do so.
    The Bureau does not believe that this rule would impose any new or 
substantively revised collections of information as defined by the PRA, 
and instead believes that it would have the overall effect of reducing 
the previously approved estimated burden on industry for the 
information collections associated with the Regulation P annual privacy 
notice. Using the Bureau's burden estimation methodology, the reduction 
in the estimated ongoing burden would be approximately 584,000 hours 
annually for the roughly 13,500 banks and credit unions subject to the 
rule, including Bureau respondents, and the roughly 29,400 entities 
subject to the Federal Trade Commission's enforcement authority also 
subject to the rule. The reduction in estimated ongoing costs from the 
reduction in ongoing burden would be approximately $17 million 
annually.
    The Bureau believes that the one-time cost of adopting the 
alternative delivery method for financial institutions that would adopt 
it is de minimis. Financial institutions that already use the model 
form and would adopt the alternative delivery method would incur minor 
one-time legal, programming, and training costs. These institutions 
would have to communicate on an account statement, coupon book, or 
notice or disclosure that the privacy notice is available. The expense 
of adding this notice would be minor, particularly where the 
institution would be issuing the account statement, coupon book, or 
notice or disclosure anyway. Staff may need some additional training in 
storing copies of the model form and sending it to customers on 
request. Institutions that do not use the model form would incur a 
one-time cost for creating one. However, since the promulgation of the 
model privacy form in 2009, an Online Form Builder has existed which 
any institution can use to readily create customized privacy notices 
using the model form template.\99\ The Bureau assumes that financial 
institutions that do not currently have Web sites would not choose to 
comply with these requirements in order to use the alternative delivery 
method.
---------------------------------------------------------------------------

    \99\ This Online Form Builder is available at http://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.
---------------------------------------------------------------------------

    The Bureau's methodology for estimating the reduction in ongoing 
burden was discussed at length above. The Bureau defined five strata 
for banks under $100 billion and three strata for credit unions under 
$10 billion, drew random samples from each of the strata (separately 
for banks and credit unions) and examined the GLBA privacy notices 
available on the financial institutions' Web sites, if any. The Bureau 
separately examined the Web sites of all banks over $100 billion (one 
additional bank stratum) and all credit unions over $10 billion (one 
additional credit union stratum). This process provided an estimate of 
the fraction of institutions within each bank or credit union stratum 
which would likely be able to use the alternative delivery method. In 
order to compute the reduction in ongoing burden (by stratum and 
overall) for these financial institutions, the Bureau apportioned the 
existing ongoing burden to each stratum according to the share of 
overall assets held by the financial institutions within the stratum. 
This was done separately for banks and credit unions. Note that this 
procedure ensures that the largest financial institutions, while few in 
number, are apportioned most of the existing burden. The Bureau then 
multiplied the estimate of the fraction of institutions within each 
stratum that would likely be able to use the alternative delivery 
method by the estimate of the existing ongoing burden within each 
stratum, separately for banks and credit unions. As discussed above, 
the largest bank and credit union strata tended to have the lowest 
share of financial institutions that could use the alternative delivery 
method.
    For the non-depository institutions subject to the FTC's 
enforcement authority that are subject to the Bureau's Regulation P, 
the Bureau estimated the reduction in ongoing burden by applying the 
overall share of banks that would likely be able to use the alternative 
delivery method (80%) to the current ongoing burden on non-depository 
financial institutions (exclusive of auto dealers) from providing the 
annual privacy notices and opt outs.
    The Bureau takes all of the reduction in ongoing burden from banks 
and credit unions with assets $10 billion and above and half the 
reduction in ongoing burden from the non-depository institutions 
subject to the FTC enforcement authority that are subject to 
the Bureau's Regulation P. The current Bureau burden for all 
information collections in Regulation P is 516,000 hours. The total 
reduction in ongoing burden taken by 14,844 Bureau respondents is 
261,904 hours. The remaining Bureau burden for all information 
collections in Regulation P is 254,096 hours.

                                            Summary of Burden Changes
----------------------------------------------------------------------------------------------------------------
                                                                  Previously
                   Information collections                      approved total   Net change in      New total
                                                                 burden hours     burden hours     burden hours
----------------------------------------------------------------------------------------------------------------
Notices and disclosures......................................         516,000         -261,904          254,096
----------------------------------------------------------------------------------------------------------------

    The Bureau has determined that the rule does not contain any new or 
substantively revised information collection requirements as defined by 
the PRA and that the burden estimate for the previously-approved 
information collections should be revised as explained above.

List of Subjects in 12 CFR Part 1016

    Banks, Banking, Consumer protection, Credit, Credit unions, Foreign 
banking, Holding companies, National banks, Privacy, Reporting and 
recordkeeping requirements, Savings associations, Trade practices.

Authority and Issuance

    For the reasons set forth in the preamble, the Bureau amends 
Regulation P, 12 CFR part 1016, as set forth below:

PART 1016--PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)

1. The authority citation for part 1016 continues to read as follows:

    Authority:  12 U.S.C. 5512, 5581; 15 U.S.C. 6804.

2. Section 1016.1(b)(1) is revised to read as follows:


Sec.  1016.1  Purpose and scope.

* * * * *
    (b) Scope. (1) This part applies only to nonpublic personal 
information about individuals who obtain financial products or services 
primarily for personal, family, or household purposes from the 
institutions listed below. This part does not apply to information 
about companies or about individuals who obtain financial products or 
services for business, commercial, or agricultural purposes. This part 
applies to those financial institutions and other persons for which the 
Bureau of Consumer Financial Protection (Bureau) has rulemaking 
authority pursuant to section 504(a)(1)(A) of the Gramm-Leach-Bliley 
Act (GLB Act) (15 U.S.C. 6804(a)(1)(A)). Specifically, this part 
applies to any financial institution and other covered person or 
service provider that is subject to Subtitle A of Title V of the GLB 
Act, including third parties that are not financial institutions but 
that receive nonpublic personal information from financial institutions 
with whom they are not affiliated. This part does not apply to certain 
motor vehicle dealers described in 12 U.S.C. 5519 or to entities for 
which the Securities and Exchange Commission or the Commodity Futures 
Trading Commission has rulemaking authority pursuant to sections 
504(a)(1)(A)-(B) of the GLB Act (15 U.S.C. 6804(a)(1)(A)-(B)). Except 
as otherwise specifically provided herein, entities to which this part 
applies are referred to in this part as ``you.''

Subpart A--Privacy and Opt-Out Notices

3. Section 1016.9(c) is revised to read as follows:


Sec.  1016.9  Delivering privacy and opt out notices.

* * * * *
    (c) Annual notices only--(1) Reasonable expectation. You may 
reasonably expect that a customer will receive actual notice of your 
annual privacy notice if:
    (i) The customer uses your Web site to access financial products 
and services electronically and agrees to receive notices at the Web 
site, and you post your current privacy notice continuously in a clear 
and conspicuous manner on the Web site; or
    (ii) The customer has requested that you refrain from sending any 
information regarding the customer relationship, and your current 
privacy notice remains available to the customer upon request.
    (2) Alternative method for providing certain annual notices. (i) 
Notwithstanding paragraph (a) of this section, you may use the 
alternative method described in paragraph (c)(2)(ii) of this section to 
satisfy the requirement in Sec.  1016.5(a)(1) to provide a notice if:
    (A) You do not disclose the customer's nonpublic personal 
information to nonaffiliated third parties other than for purposes 
under Sec. Sec.  1016.13, 1016.14, and 1016.15;
    (B) You do not include on your annual privacy notice pursuant to 
Sec.  1016.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the 
Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii));
    (C) The requirements of section 624 of the Fair Credit Reporting 
Act (15 U.S.C. 1681s-3) and subpart C of part 1022 of this chapter, if 
applicable, have been satisfied previously or the annual privacy notice 
is not the only notice provided to satisfy such requirements;
    (D) The information you are required to convey on your annual 
privacy notice pursuant to Sec.  1016.6(a)(1) through (5), (8), and (9) 
has not changed since you provided the immediately previous privacy 
notice (whether initial, annual, or revised) to the customer, other 
than to eliminate categories of information you disclose or categories 
of third parties to whom you disclose information; and
    (E) You use the model privacy form in the appendix to this part for 
your annual privacy notice.
    (ii) For an annual privacy notice that meets the requirements in 
paragraph (c)(2)(i) of this section, you satisfy the requirement in 
Sec.  1016.5(a)(1) to provide a notice if you:
    (A) Convey in a clear and conspicuous manner not less than annually 
on an account statement, coupon book, or a notice or disclosure you are 
required or expressly and specifically permitted to issue to the 
customer under any other provision of law that your privacy notice is 
available on your Web site and will be mailed to the customer upon 
request by telephone. The statement must state that your privacy notice 
has not changed and must include a specific Web address that takes the 
customer directly to the page where the privacy notice is posted and a 
telephone number for the customer to request that it be mailed;
    (B) Post your current privacy notice continuously and in a clear and 
conspicuous manner on a page of your Web site on which the only content 
is the privacy notice, without requiring the customer to provide any 
information such as a login name or password or 
agree to any conditions to access the page; and
    (C) Mail your current privacy notice to those customers who request 
it by telephone within ten days of the request.
    (iii) An example of a statement that satisfies paragraph 
(c)(2)(ii)(A) of this section is as follows with the words ``Privacy 
Notice'' in boldface or otherwise emphasized: Privacy Notice--Federal 
law requires us to tell you how we collect, share, and protect your 
personal information. Our privacy policy has not changed and you may 
review our policy and practices with respect to your personal 
information at [Web address] or we will mail you a free copy upon 
request if you call us at [telephone number].
* * * * *

    Dated: October 17, 2014.
Richard Cordray,
Director, Bureau of Consumer Financial Protection.
[FR Doc. 2014-25299 Filed 10-27-14; 8:45 am]
BILLING CODE 4810-AM-P