16 cfr part 313 confidentiality

Upload: luis-feliciano

Post on 03-Apr-2018


  • 7/29/2019 16 CFR Part 313 Confidentiality

    1/45

    Wednesday,

    May 24, 2000

    Part III

    Federal Trade Commission

    16 CFR Part 313

    Privacy of Consumer Financial Information; Final Rule


    33646 Federal Register / Vol. 65, No. 101/ Wednesday, May 24, 2000/ Rules and Regulations

    1 The Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681 et seq., provides no limitation on communication by an entity solely of its own transactions or experiences with the consumer (e.g., the individual's account history). However, it limits the reporting of information obtained from other sources, such as consumer application information or credit report information. An institution may normally share such data with its affiliates only if it has complied with the notice and opt-out procedures set forth in FCRA § 603(d)(2)(A)(iii), which are very similar to those set forth in Section 502(b)(1) of the Act. Sharing such data with nonaffiliates may be effectively prohibited by the FCRA, because the institution likely would become a consumer reporting agency subject to its restrictions on reporting of information to third parties.

    2 Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), and Secretary of the Treasury.

    3 National Credit Union Administration (NCUA) and Securities and Exchange Commission (SEC).

    4 Those proposed rules, which were consistent and comparable with the proposals published by the Commission, appeared in the Federal Register at 65 FR 8770 (Feb. 22, 2000) (OCC, FRB, FDIC, and OTS jointly), 65 FR 10988 (Mar. 1, 2000) (NCUA), and 65 FR 12354 (Mar. 8, 2000) (SEC).

    5 These proposed regulations were published for comment at 64 FR 59918 (Nov. 3, 1999).

    FEDERAL TRADE COMMISSION

    16 CFR Part 313

    Privacy of Consumer Financial Information

    AGENCY: Federal Trade Commission.

    ACTION: Final Rule.

    SUMMARY: The Federal Trade Commission (the "Commission" or "FTC") is publishing a final privacy rule, as required by section 504(a) of the Gramm-Leach-Bliley Act, Pub. L. 106-102 (the "G-L-B Act" or "Act"), with respect to financial institutions and other persons under the Commission's jurisdiction, as set forth in section 505(a)(7) of the Act. Section 504 of the Act requires the Commission and other federal regulatory agencies to issue regulations as may be necessary to implement notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Pursuant to section 503 of the G-L-B Act, a financial institution must provide its customers with a notice of its privacy policies and practices. Section 502 prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties unless the institution satisfies various disclosure and opt-out requirements and the consumer has not elected to opt out of the disclosure. This final rule implements the requirements outlined above.

    EFFECTIVE DATE: This rule is effective November 13, 2000. Full compliance is required by July 1, 2001.

    FOR FURTHER INFORMATION CONTACT: Kellie A. Cosgrove or Clarke Brinckerhoff, Attorneys, Division of Financial Practices, Federal Trade Commission, Washington, DC 20580, 202-326-3224.

    SUPPLEMENTARY INFORMATION:

    Section A. Background

    On November 12, 1999, President Clinton signed the G-L-B Act (Public Law 106-102) into law. Subtitle A of Title V of the Act, captioned "Disclosure of Nonpublic Personal Information," limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a financial institution to disclose to all of its customers the institution's privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties. The Commission notes that there are other laws that may impose limitations on disclosures of nonpublic personal information in addition to those imposed by the G-L-B Act and this rule. For instance, the Fair Credit Reporting Act imposes conditions on the sharing of application information and credit report information between affiliates and nonaffiliated third parties.1 Title V also requires the Commission, along with the Federal banking agencies 2 and other Federal regulatory authorities,3 after consulting with representatives of State insurance authorities designated by the National Association of Insurance Commissioners (NAIC), to prescribe such regulations as may be necessary to carry out the purposes of the provisions in Title V, Subtitle A, that govern disclosure of nonpublic personal information. The Federal agencies are sometimes referred to collectively in this document as "the Agencies" (or "other Agencies" when excluding the Commission).

    The Agencies are all issuing final rules to implement Subtitle A that are consistent and comparable to the extent possible, as is required by the statute.

    Section B. Overview of Comments Received

    On March 1, 2000, the Commission published a notice of proposed rulemaking (the "proposal" or "proposed rule") in the Federal Register (65 FR 11174). The other Agencies published their proposed rules on different dates.4 The Commission received a total of 640 comments, and the other Agencies collectively received a total of 8,337 comments in response to the various proposed rules. Many commenters sent the same letter to multiple Agencies. Many of the comments were from individuals, virtually all of whom encouraged the Agencies to provide greater protection of individuals' financial privacy. Many individuals noted their concerns generally about the loss of privacy and the receipt of unwanted solicitations by marketers. A large number of individuals also requested the Agencies to support legislation that the commenters believe would provide additional protections.

    The Agencies also received several letters from members of Congress. In two letters signed by several members of the House of Representatives, the Agencies were encouraged to exercise their rulemaking authority to provide greater protections than provided in the Act. Other Representatives requested, in separate letters, that some other Agencies (a) create a limited exception to the prohibition against the sharing of account numbers for marketing purposes and (b) ensure that social security numbers are considered nonpublic personal information.

    The NAIC submitted a comment on behalf of the State insurance authorities that generally supported the Agencies' proposed rule. The NAIC also proposed various measures to provide greater protections for consumers, such as specifying more convenient means to exercise the right to opt out of the disclosure of information. The NAIC further advised the Agencies to clarify the boundary of Federal and State jurisdiction over privacy regulations and ensure that the financial privacy rules under the Act are compatible with the privacy rules relating to medical information that are to be issued by the Secretary of the Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.5

    Other comments were received from consumer groups and others advocating that the Agencies extend privacy protections in a number of ways, such as by requiring (a) financial institutions to provide consumers with access to their information maintained by the institutions and the opportunity to correct errors, (b) more detailed disclosures of the information collected and disclosed, and (c) disclosures of a financial institution's privacy policies and practices earlier in the process of establishing a customer relationship. A letter signed by 33 State Attorneys General urged some other Agencies to add certain consumer protections to the disclosure requirements and to the provision permitting financial institutions to enter into joint marketing agreements.

    6 Section 4(k)(4)(A)-(E) states the following activities shall be considered to be financial in nature: (A) Lending, exchanging, transferring, investing for others, or safeguarding money or securities. (B) Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in any State. (C) Providing financial, investment, or economic advisory services, including advising an investment company (as defined in section 3 of the Investment Company Act of 1940). (D) Issuing or selling instruments representing interests in pools of assets permissible for a bank to hold directly. (E) Underwriting, dealing in, or making a market in securities.

    7 Section 4(k)(4)(F). The Board's list of such activities is found in 12 CFR 225.28 and 12 CFR 225.86(a). The latter subsection was added as an interim rule published by the Board in the Federal Register upon enactment of the G-L-B Act (65 FR 14433; Mar. 14, 2000), subject to revision after a public comment period ending on May 12, 2000. The activities listed in 12 CFR 225.28 include in certain circumstances: brokering or servicing loans; leasing real or personal property (or acting as agent, broker, or advisor in such leasing) without operating, maintaining or repairing the property; appraising real or personal property; check guaranty, collection agency, credit bureau, and real estate settlement services; providing financial or investment advisory activities including tax planning, tax preparation, and instruction on individual financial management; management consulting and counseling activities (including providing financial career counseling); courier services for banking instruments; printing and selling checks and related documents; community development or advisory activities; selling money orders, savings bonds, or travelers checks; and providing financial data processing and transmission services, facilities (including hardware, software, documentation, or operating personnel), data bases, advice, or access to these by technological means.

    8 Section 4(k)(4)(G). The scope of the Act is not limited to activities abroad, because the text of Section 4(k)(4)(G) is "Engaging, in the United States, in any Section 4(k)(4)(G) activity that (i) a bank holding company may engage in outside of the United States; and (ii) the Board has determined to be usual in connection with the transaction of banking and financial operations abroad." (Emphasis added.) The Board has provided a list of such activities in 12 CFR 211.5(d) and 12 CFR 225.86(b). The latter subsection was added as an interim rule published by the Board in the Federal Register upon enactment of the G-L-B Act (65 FR 14433; Mar. 14, 2000), subject to revision following a public comment period ending on May 12, 2000. The activities listed in 12 CFR 211.5(d) include leasing real or personal property (or acting as agent, broker, or advisor in such leasing) where the lease is functionally equivalent to an extension of credit; acting as fiduciary; providing investment, financial, or economic advisory services; and operating a travel agency in connection with financial services.

    9 Section 4(k)(4)(G) uses "day before the date of" rather than "date of" in the quoted phrase.

    Most of the remaining comments were from businesses concerned about the Act, and their representatives. This included not only creditors of various types, but also representatives of the health care industry, retail merchants, insurance companies, securities firms, private investigators, debt collection agencies, consumer reporting agencies, institutions of higher education, tax professionals, and others. These commenters offered a large number of suggested changes, with the most commonly advanced suggestions including: an extension of the effective date of the rule; an amendment to the definition of nonpublic personal information to focus more narrowly on financial information; a streamlining of information required in the initial and annual disclosures; a clarification of how one or more of the statutory exceptions operate; an exclusion from, or clarification of, the definitions of "consumer" and "customer" in various contexts; and the addition of flexibility to provide initial notices at some point other than prior to the time a customer relationship is established.

    The Commission has made some modifications to its proposed rule in light of the comments received. These comments, and the Commission's responses thereto, are discussed in the following section-by-section analysis. Following the section-by-section analysis, the Commission has provided guidance for certain institutions in order to provide additional direction on how these institutions may comply with the rule and avoid unnecessary burden.

    Section C. Section-by-Section Analysis

    As an initial matter, the Commission notes that the final rule, unlike the proposal, presents the various sections in subparts that consist of related sections. This change was made to group related concepts together and thereby make the rule easier to follow. A derivation table is included following this preamble to assist readers in locating provisions as set out in the Commission proposal. The Commission has also added an Appendix to the final rule, setting out example disclosure clauses for financial institutions to consider.

    Section 313.1 Purpose and Scope

    Purpose. Paragraph (a) of this section states that the rule is intended to require a financial institution to provide notice to customers about its privacy policies and practices; to describe the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and to provide a method for consumers to prevent a financial institution from disclosing that information to certain nonaffiliated third parties by opting out of that disclosure, subject to various exceptions as stated in the rule. No significant comments addressed this provision, and the Commission made no substantive change to this section.

    Scope. Paragraph (b) sets out the scope of the rule, and tracks the enforcement role assigned to the Commission by section 505(a)(7) of the G-L-B Act. It states that the rule applies only to information about individuals who obtain a financial product or service from a financial institution to be used for personal, family, or household purposes. The principal type of entity subject to the rule is a "financial institution," a term section 509(3) of the G-L-B Act defines very broadly to mean "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k))." Those financial activities include not only a number of traditional financial activities specified in section 4(k) itself,6 but also those activities that the Federal Reserve Board has found to be either "closely related to banking,"7 or "usual in connection with the transaction of banking or other financial operations abroad,"8 by "regulation (or order or interpretation) in effect on the date of the enactment of the Gramm-Leach-Bliley Act."9

    Section 313.1(b) also lists some examples of financial institutions subject to Commission jurisdiction under the Act. Finally, this part notes that the Commission is also authorized to enforce the Act against "other persons" who are not financial institutions, but receive protected information from a financial institution and are subject to section 502(c) of the G-L-B Act ("Limits on Reuse of Information"), which imposes restrictions on recipients of such information as set forth in 16 CFR 313.11, infra.

    Many industry commenters suggested revising the "financial institution" definition set forth in § 313.3(k) to narrow the scope to only those businesses that engage in traditional financial activities, arguing that Congress did not intend to cover businesses that conducted no such activities. On the other side, consumer commenters vigorously defended the broad scope, contending that the need to protect personal financial data extends beyond traditional financial institutions and that Congress intended to regulate a wide range of businesses that provide financial services to consumers when it enacted this statute. The G-L-B Act clearly covers more than parties in the credit, insurance, or securities industries; rather, an entity is a "financial institution" if it engages in any activity that the Board has determined to be a financial activity.


    10 However, as discussed in the definition of "financial institution" in § 313.3(k), the Commission has retained its interpretation that an institution is covered only if it is significantly engaged in such activities.

    11 "Many entities that come within the broad definition of financial institution will likely not be subject to the disclosure requirements of the rule because not all financial institutions have consumers or establish customer relationships." 65 Fed. Reg. 11174, 11177 (Mar. 1, 2000).

    12 Thus, creditors may look at how this exemption is applied under Reg. Z for guidance on the scope of covered transactions under the privacy rule. It should be noted, however, that TILA exempts several other types of transactions that would be covered under the privacy rule if they are for the purpose of an individual obtaining a financial product or service as that term is defined in the privacy regulation. See 15 U.S.C. 1603 (2) and (3).

    After a careful review of the comments received, the Commission finds no sound rationale for fundamentally revising the scope of the rule. Therefore, the Commission continues to interpret the act as written and has made no broad change to 16 CFR 313.1(b) in that regard.10 However, as the Commission noted when it proposed this rule and repeats hereafter, some businesses that are technically financial institutions will have no disclosure obligations under the Act.11 Furthermore, as is evident from the discussion of the term "customer relationship" that is defined in 16 CFR 313.3(i), many others will have only limited duties because they will not establish such relationships or they will be of very short duration.

    Several commenters requested that the Commission clarify how its rule applies to insurance companies. The Commission notes that section 505 of G-L-B Act, which sets out the enforcement authority of the Agencies, explicitly commits the enforcement jurisdiction over persons engaged in providing insurance to state insurance authorities, thus excluding them from the Commission's authority (and, by operation of section 504(a)(1) of the G-L-B Act, from the Commission's rulemaking authority).

    Several other commenters asked that the final rule state that certain transactions that are exempt from the coverage of the Truth in Lending Act (TILA; 15 U.S.C. 1601 et seq.) and Regulation Z (Reg. Z, 12 CFR part 226) also be treated as beyond the scope of the privacy rule. TILA and Reg. Z, which impose disclosure requirements on credit extended to consumers under certain circumstances, exempt several transactions, including those involving business, commercial, or agricultural credit. 15 U.S.C. 1603(1); 12 CFR 226.3(a). The Commission agrees that transactions that fit within the business, commercial, and agricultural exemptions from TILA and Reg. Z for these types of credit also would fall outside the scope of the privacy rule, and has amended § 313.1(b) accordingly.12

    Several comments suggested that the rule should not apply to entities that must comply with regulations issued by the HHS that implement the HIPAA. Given the broad definition of "financial institution" under the G-L-B Act, certain entities are subject to these privacy rules as well as rules promulgated under HIPAA regarding appropriate handling of protected health information. Accordingly, financial institutions may be covered both by this privacy rule and by the regulations promulgated by HHS under the authority of sections 262 and 264 of HIPAA once those regulations are finalized. Based on the proposed HIPAA rules, it appears likely that there will be areas of overlap between HIPAA and financial privacy rules. For instance, under the proposed HIPAA regulations, consumers must provide affirmative authorization before a covered institution may disclose medical information in certain instances, whereas under the financial privacy rules, institutions need only provide consumers with the opportunity to opt out of disclosures. In this case, the Agencies anticipate that compliance with the affirmative authorization requirement, consistent with the procedures required under HIPAA, would satisfy the opt out requirement under the financial privacy rules. After HHS publishes its final rules, the Commission and other Agencies will consult with HHS to avoid the imposition of duplicative or inconsistent requirements.

    The Commission also received several comments from colleges and universities and their representatives requesting that institutions of higher education be excluded from the definition of "financial institution." The Commission disagrees with those commenters who suggested that colleges and universities are not financial institutions. Many, if not all, such institutions appear to be significantly engaged in lending funds to consumers. However, such entities are subject to the stringent privacy provisions in the Federal Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, which govern the privacy of educational records, including student financial aid records. The Commission has noted in its final rule, therefore, that institutions of higher education that are complying with FERPA to protect the privacy of their student financial aid records will be deemed to be in compliance with the Commission's rule.

    Section 313.2 Rule of Construction

    Proposed § 313.2 of the rule sets out a rule of construction intended to clarify the effect of the examples used in the rule. As noted in the proposal, these examples are not intended to be exhaustive; rather, they are intended to provide guidance about how the rule would apply in specific situations.

    Commenters generally agreed that examples are helpful in clarifying how the rule will work in specific circumstances and suggested that the Commission should include more examples. Many commenters requested that the Commission provide examples of model disclosures. Commenters also generally agreed that it is useful to state that the list of examples is not intended to be exhaustive, and that compliance with one of the examples would be deemed compliance with the regulation. A few commenters suggested that the regulation state that a financial institution is not obligated to comply with an example but has the latitude to comply with the general rule in other ways. Others stated that the examples ought to be identical in each privacy regulation adopted by the Agencies. The Commission also received comments suggesting that the Commission defer to the expertise of other agencies when considering application of its rule to entities such as credit unions or investment advisors under its jurisdiction.

    The Commission believes that more examples would be helpful and has included additional examples in appropriate places throughout the rule. The Commission has also provided sample clauses in Appendix A to the rule to aid financial institutions in their drafting of privacy notices. The sample clauses are provided to illustrate the level of detail the Commission believes is appropriate. The Commission cautions financial institutions against relying on the sample clauses without determining the relevance or appropriateness of the disclosure for their operations. The Commission has used statutory terms, such as "nonpublic personal information" and "nonaffiliated third parties," in the sample clauses to convey generally the subject of the clauses. However, a financial institution that uses these terms must provide sufficient information to enable consumers to understand what these terms mean in the context of the institution's notices. Moreover, the Commission notes that, in providing the sample disclosures, the Commission is addressing solely the level of detail required and is not attempting to provide guidance on issues such as type size, margin width, "clear and conspicuous" generally, and so on.

    The rule does not contain a statement regarding a financial institution's ability to comply with the rule in ways other than as suggested in the examples, but does provide that the examples are not exclusive. The rule also states that compliance with the examples will constitute compliance with the rule. The Commission believes that, when read together, these provisions give financial institutions sufficient flexibility to comply with the regulation but also sufficient guidance about the use of examples.

    The Commission understands that the NCUA and SEC have issued, or will issue, final rules with examples that are tailored to entities under their jurisdiction. Therefore, the Commission has stated in § 313.2 that compliance by non-federally insured credit unions with credit union examples in the NCUA rule will constitute compliance with the Commission's rule. Similarly, compliance by interstate securities broker-dealers and investment advisers that are not registered with the SEC with applicable examples in the SEC rule will constitute compliance with the Commission's rule.

    Section 313.3 Definitions

    a. Affiliate. The proposal adopted the definition of "affiliate" that is used in section 509(6) of the G-L-B Act. An affiliation exists when one company "controls" (which is defined in § 313.3(g), below), is controlled by, or is under common control with another company. The definition includes both financial institutions and entities that are not financial institutions.

    The Commission received comparatively few comments in response to this definition. A few commenters requested that the final rule state that a credit union service organization will be deemed to be an affiliate of every credit union that has an interest in it. The Commission has declined to adopt this suggestion. If the relationship between a credit union and a credit union service organization satisfies the test for affiliation set out in the statute and regulation, then an affiliation exists.

    In light of the comparatively few comments received and the nature of those comments, the Commission adopts the definition of "affiliate" as proposed.

    b. Clear and conspicuous. Under the proposed rule, various notices must be "clear and conspicuous." The proposed rule defines this term to mean that the notice must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The proposal did not mandate the use of any particular technique for making the notices clear and conspicuous, but provided examples of how a notice may be made clear and conspicuous. As noted in the preamble to the proposed rule, each financial institution retains the flexibility to decide for itself how best to comply with this requirement.

    The Commission received a large number of comments on this proposed definition. Some commenters favored adopting the definition as proposed, with some of these advocating that the final rule add a requirement that disclosures must be on a separate piece of paper in order to ensure that they will be conspicuous. Others stated that the definition was unnecessary, given the experience financial institutions have in complying with requirements that disclosures mandated by other laws be clear and conspicuous. Several commenters made the related point that the rule proposed is inconsistent with requirements in other consumer protection regulations such as Reg. Z and the Truth in Savings regulation (Regulation DD, 12 CFR part 230), which require only that a disclosure be reasonably understandable. Many of these commenters expressed concern that the examples would invite litigation because of ambiguities inherent in terms used in the examples in the proposed rule such as "ample line spacing," "wide margins," and "explanations * * * subject to different interpretations." A few commenters questioned how the requirement would work in a document that contains several disclosures that each must be clearly and conspicuously disclosed, while others raised questions about how a disclosure may be clear and conspicuous on a web site. These comments are addressed below.

    New standard for clear andconspicuous The Commission

    recognizes that the proposed definitionarticulates the concept of clear andconspicuous in ways perhaps notfamiliar to some commenters. However,the Commission included the phrasedesigned to call attention to the natureand significance of the informationcontained to provide added meaning tothe term conspicuous. TheCommission believes that this standard,when coupled with the existingstandard requiring that a disclosure bereadily understandable, likely willresult in notices to consumers that

    communicate effectively theinformation needed by consumers tomake an informed choice about theprivacy of their information, includingwhether to transact business with afinancial institution.

    The standard for clear andconspicuous adopted by theCommission in this rulemaking applies

    solely to disclosures required under theprivacy rules. Disclosures governed byother rules requiring clear andconspicuous disclosures (such as Reg.Z) are beyond the scope of thisrulemaking.

    Examples of clear and conspicuousThe Commission recognizes that manyof the examples require judgment intheir application. The Commission

    believes, however, that moreprescriptive examples, while perhapseasier to conform to, likely would resultin requirements that would beinappropriate in a given circumstance.To avoid this result, the examplesprovide generally applicable guidanceabout ways in which a financialinstitution may make a disclosure clearand conspicuous. The Commissionnotes that the examples of how to makea disclosure clear and conspicuous arenot mandatory. A financial institutionmust decide for itself how best tocomply with the general rule and mayuse techniques not listed in theexamples. To address these concerns,the Commission has incorporatedseveral of the commenters suggestionsfor ways to make the guidance morehelpful.

    Combination of several clear andconspicuous notices. A document maycombine several disclosures that eachmust be clear and conspicuous. Thefinal rule provides an example, in 313.3(b)(2)(ii)(E), of how a financialinstitution may make disclosuresconspicuous, including disclosures on acombined notice. In order to avoid thepotential conflicts envisioned by severalcommenters between two differentrequirements, the final rule does notmandate precise specifications for howvarious disclosures must be presented.

    Because the Commission believes that privacy disclosures may be clear and conspicuous when contained in a document containing other disclosures, the rule does not mandate that disclosures be provided on a separate piece of paper. Such a requirement is not necessary and would significantly increase the burden on financial institutions. Moreover, it would not necessarily provide the most effective notice in all circumstances.

    Disclosures on web pages. Several commenters requested guidance on how they may clearly and conspicuously disclose privacy-related information on their Internet sites. The Commission recognizes that disclosures over the Internet present some issues that will not arise in paper-based disclosures. There may be web pages within a financial institution's website that consumers may view in a different order each time they access the site, aided by hypertext links. Depending on the customer hardware and software used to access the Internet, some web pages may require consumers to scroll down to view the entire page. To address these issues, the Commission has included a statement in the example in § 313.3(b)(2)(iii) concerning Internet disclosures informing financial institutions that they may comply with the rule if they use text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the web site (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice. In addition, a financial institution is to place either a notice or a conspicuous link on a page frequently accessed by consumers, such as a page on which transactions are conducted.

    13 However, the Commission did receive a few comments asking that sole proprietors be excluded from the definitions of both "company" and "financial institution." Those comments are discussed in the context of § 313.3(k).

    Given current technology, there are a range of approaches a financial institution could take to comply with the rule. For example, a financial institution could use a dialog box that pops up to provide the disclosure before a consumer provides information to the institution. Another approach would be a simple, clearly labeled graphic located near the top of the page or in close proximity to the financial institution's logo, directing the customer, through a hypertext link or hotlink, to the privacy disclosures on a separate web page.

    For the reasons advanced above, the Commission has adopted the definition of "clear and conspicuous," with the changes previously described and with certain other changes intended to make the definition easier to apply.

    c. Collect. The statute requires a financial institution to include in its initial and annual notices a disclosure of the categories of nonpublic personal information that the institution collects. The proposal defined "collect" to mean obtaining any information that is organized or retrievable on a personally identifiable basis, irrespective of the source of the underlying information. This definition was included to provide guidance about the information that a financial institution must include in its notices and to clarify that the obligations arise regardless of whether the financial institution obtains the information from a consumer or from some other source.

    Commenters suggested that the final rule treat information that is not organized and retrievable in an automated fashion as not "collected." This approach would exclude separate documents not included in a file. The Commission disagrees that information should not be deemed to be "collected" simply because it is not retrievable in an automated fashion. The Commission believes that the method of retrieval is irrelevant to whether information should be protected under the rule. The Commission agrees, however, that the scope of the regulation should be refined, and has changed the definition of "collect" by using language taken from the Privacy Act of 1974 (5 U.S.C. 552a).

    Other commenters requested that the rule clarify that information that is received by a financial institution but then immediately passed along without otherwise disclosing, using, or maintaining a copy of the information is not "collected" as this term is used in the final rule. The Commission believes that merely receiving information without maintaining it would not be "collecting" the information. The final rule reflects this by stating that the information must be organized or retrievable by the financial institution. Otherwise, the definition of "collect" is adopted as proposed.

    d. Company. The proposal defined "company," which is used in the definition of "affiliate," as any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.

    The Commission received no substantive comments on this proposed definition.13 Accordingly, the Commission adopts the definition of "company" as proposed.

    e. Consumer. The G-L-B Act distinguishes "consumers" from "customers" for purposes of the notice requirements imposed by the Act. A financial institution is required to give a "consumer" the notices required under Title V only if the institution intends to disclose nonpublic personal information about the consumer to a nonaffiliated third party for purposes other than as permitted by section 502(e) of the statute (as implemented by §§ 313.14 and 313.15). By contrast, a financial institution must give all "customers" a notice of the institution's privacy policy at the time of establishing a customer relationship and annually thereafter during the continuation of the customer relationship.

    The proposed rule defined "consumer" to mean an individual (and his or her legal representative) who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family, or household purposes. Because "financial product or service" is defined to include the evaluation by a financial institution of an application to obtain a financial product or service (see further discussion of this point, below), a person becomes a consumer even if the application is denied or withdrawn. An individual also would be deemed to be a consumer (as well as a customer) of a financial institution that purchases the individual's account from some other institution.

    The Commission received a large number of comments on this proposed definition, raising questions about how the definition would apply in a variety of situations. These comments are addressed below.

    Distinction between "consumer" and "customer." While many agreed with the distinction drawn in the proposal between "consumer" and "customer," a few commenters suggested that no distinction between "consumer" and "customer" should be made, given that, in these commenters' views, the statute appears to use the terms interchangeably. The Commission believes, however, that the distinction was deliberate and that the rule should implement it accordingly. A plain reading of the statute supports the conclusion that Congress created one set of protections for anyone who obtains a financial product or service (i.e., who receives a financial institution's privacy policy and opt out notice only if a financial institution intends to disclose nonpublic personal information to nonaffiliated third parties), and an additional set of protections for anyone who establishes a relationship of a more lasting nature than an isolated transaction with a financial institution (i.e., who gets a notice of the institution's privacy policy at the time of establishing a customer relationship, and annual notices as appropriate thereafter). Because the statute tailors the notice requirements to the type of relationship an individual has with a financial institution, that distinction is preserved in the rule.

    Applicants as consumers. Many of the comments received by the Commission concerning the proposed definition of "consumer" disagreed that someone should be deemed a consumer of a financial institution simply by virtue of the institution evaluating an application. These commenters maintained that the individual has not obtained a financial product or service, as is required by the statutory definition of "consumer." The Commission believes that the better reading of the G-L-B Act is that an individual has obtained a financial product or service when a financial institution evaluates information provided to the financial institution for the purpose of the individual obtaining some other financial product or service. Financial institutions frequently provide a range of services in connection with the delivery of a financial product. Included within these will be the evaluation by the financial institution of information provided by an individual. In certain instances, such as when an individual is shopping for the best rate on a mortgage loan or the lowest premium for an insurance policy, that evaluation may be the sole financial product or service obtained. In other instances, the evaluation may be one of several services provided that lead up to the eventual establishment of a customer relationship. In either case, the individual will have obtained a financial product or service from the financial institution when the financial institution evaluates the information and informs the individual of the outcome of that evaluation.

    14 Such a person may not be a customer, however. See explanation of how the definition of "customer" will be applied in the loan context, in the discussion of the definition of § 313.3(h) and (i) below. See also § 313.4(c)(2) and (3)(ii) for further discussion concerning when a borrower establishes a customer relationship in the context of a loan sale.

    15 Of course, in some cases two institutions will each provide a financial service to the consumer as part of the same transaction, such as a loan broker that locates a creditor who makes a loan to the individual, in which case the consumer will have a customer relationship with both financial institutions.

    In addition to being consistent with the language of the statute, the proposed definition of "consumer" is consistent with one of the primary purposes of Title V of G-L-B Act, namely, to enable an individual to limit the sharing of nonpublic personal information by a financial institution with a nonaffiliated third party. The information provided by a person to a financial institution before a customer relationship is established is likely to contain precisely the types of information that the statute is designed to protect. This information is no less deserving of protection simply because an application is denied or withdrawn. For these reasons, the Commission has retained the individual whose application is evaluated by a financial institution as an example of "consumer" in § 313.3(e)(2)(i).

    Loan sales. Several commenters requested clarification of whether an individual becomes a consumer in various other scenarios involving loans. Commenters posited a wide variety of examples, which, if each were to be addressed specifically in the rule, would require a final rule of enormous complexity and detail. The Commission believes that a rule setting forth a general principle that is flexible enough to be applied in the array of loan transactions posited by the commenters is more appropriate. Towards this end, the Commission's rule provides, by example at § 313.3(e)(2)(iv), that a person will be a consumer of any entity that holds ownership or servicing rights to an individual's loan.14 Financial institutions that own or service a loan are providing a financial product or service to the individual borrower in question. In some cases, the product or service is the funding of the loan, directly or indirectly. In other cases, the product or service is the processing of payments, sending account-related notices, responding to consumer questions and complaints about the handling of the account, and so on. The rule defines "consumer" in a way that covers individuals receiving financial products or services in each of these situations.

    Agents of financial institutions. Several commenters agreed with the principle set out in the proposed rule that an individual should not be considered to be a consumer of an entity that is acting as agent for a financial institution. These commenters noted that the financial institution that hires the agent is responsible for that agent's conduct in carrying out the agency responsibilities. The Commission agrees that the purposes of the G-L-B Act will be met provided the activities of the agent are the responsibility of the financial institution, and, therefore, the financial institution fulfills any obligations regarding the agent's handling of consumer information that otherwise would fall on the agents.15 Of course, those providing services to a financial institution will also be subject to the limitations on reuse of information. See § 313.3(e)(2)(v).

    Legal representative. The Commission also agrees with the suggestion made by several commenters that the definition of "consumer" should clarify that the obligations stemming from a consumer relationship may be satisfied by dealing either with the individual who obtains a financial product or service from a financial institution or that individual's representative. The Commission does not intend for the rule to require a financial institution to send opt out and initial notices to both the individual and the individual's legal representatives and has amended the final rule accordingly in § 313.3(e)(1).

    Trusts. The Commission and the other Agencies received several comments concerning whether an individual who obtains financial services in connection with trusts is a consumer or customer of a financial institution. Several commenters urged the Agencies to exempt generally a financial institution from the requirements of the rule when it acts as a fiduciary, or, in the alternative, to clarify the categories of individuals that are considered to be customers. Commenters proposed, for example, that individuals who are beneficiaries with current interests should be identified as customers, whereas individuals who are only contingent beneficiaries should not be customers. Other commenters stated that when the financial institution serves as trustee of a trust, neither the grantor nor beneficiary is a consumer or customer under the rule. In these commenters' view, the trust itself is the institution's customer, and, therefore, the rule should not apply to a financial institution when it acts as trustee. These commenters also stated that when a financial institution is a trustee, it serves as a fiduciary and is subject to other obligations to protect the confidentiality of the beneficiaries' information that are more stringent than those under the provisions in the G-L-B Act. Similarly, these and other commenters claimed that an individual who is a participant in an employee benefit plan administered or advised by a financial institution does not qualify as a consumer or customer. The commenters opined that the plan sponsor, or the plan itself, is the customer for the purposes of the proposed rule. These commenters contended that plan participants have no direct relationship with the financial institution and, in any event, the financial institution is authorized to use information that would be covered under the G-L-B Act only in accordance with the directions of the plan sponsor. The commenters concluded, therefore, that the regulations should specifically exclude individuals who are participants in an employee benefit plan from the definition of "consumer."

    The definition of "consumer" in the G-L-B Act does not squarely resolve whether the beneficiary of a trust is a consumer of the financial institution that is the trustee. One consideration is that a financial institution that is a trustee assumes obligations as a fiduciary, including the duty to protect the confidentiality of the beneficiaries' information, that are consistent with the purposes of the G-L-B Act and enforceable under state law. The Commission agrees with the commenters who concluded that, when the financial institution serves as trustee of a trust, neither the grantor nor the beneficiary is a consumer or customer under the rule. Instead, the trust itself is the institution's customer, and therefore, the rule does not apply because the trust is not an individual. Similarly, the Commission has excluded an individual who is a beneficiary of a trust or a plan participant of an employee benefit plan from the definitions of "consumer" and "customer." Nevertheless, the Commission believes that an individual who selects a financial institution to be a custodian of securities or assets, for example in an IRA, is obtaining a financial product or service from the financial institution and is, therefore, a consumer under the G-L-B Act. The Commission has included examples in the rule that appropriately illustrate this interpretation of the G-L-B Act in §§ 313.3(e)(2)(vi)–(viii) and 313.3(i)(2)(i)(D).

    Requirements arising from consumer relationship. While the proposed and final rule defines "consumer" broadly, this will not result in any additional burden to a financial institution in situations where (a) no customer relationship is established and (b) the institution does not intend to disclose nonpublic personal information about a consumer to nonaffiliated third parties. Under the final rule, a financial institution is under no obligation to provide a consumer who is not a customer with any privacy disclosures unless it intends to disclose the consumer's nonpublic personal information to nonaffiliated third parties outside the exceptions in §§ 313.14 and 313.15. A financial institution that wants to disclose a consumer's nonpublic personal information to nonaffiliated third parties is not prohibited by the rule from doing so, if the requisite notices are delivered and the consumer does not opt out. Thus, a financial institution that does not wish to be subject to the disclosure obligations of the rule as it applies to consumers who are not customers may simply decide not to share consumers' information with nonaffiliated third parties. Conversely, if a financial institution determines that the benefits of such sharing outweigh the attendant burdens, the financial institution is free to do so provided it notifies consumers about the disclosure and affords them a reasonable opportunity to opt out. In this way, the rule attempts to strike a balance between protecting an individual's nonpublic personal information and minimizing the burden on a financial institution.

    f. Consumer reporting agency. The proposal adopted the definition of "consumer reporting agency" that is used in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)). It is used in §§ 313.6(c), 313.12(a), and 313.15(a)(5) of the final rule.

    The Commission received no comments suggesting any changes to this definition. Accordingly, the definition is adopted as proposed.

    g. Control. The proposal defined "control" using the tests applied in section 23A of the Federal Reserve Act (12 U.S.C. 371c). This definition is used to determine when companies are affiliated (see discussion of § 313.3(a), above), and would result in financial institutions being considered as affiliates regardless of whether the control is by a company or individual.

    The Commission received few comments in response to this definition. Some commenters suggested that a definition that did not require 25% ownership be adopted, while others suggested adopting a test focused solely on percent of stock owned in a company so as to avoid the uncertainties arising from a "control in fact" test.

    The Commission believes that the proposed test is sufficiently well established and has concluded that an alternative test to be used solely in the privacy rule could create confusion. The Commission also believes that any test based only on stock ownership is unlikely to be flexible enough to address all situations in which companies are appropriately deemed to be affiliated and that including the stock ownership as one measurement of control provides necessary flexibility. Accordingly, the Commission adopts the definition of "control" as proposed.

    h. Customer. The proposal defined "customer" as any consumer who has a "customer relationship" with a particular financial institution. As is explained more fully in the discussion of § 313.4, below, a consumer is a customer of a financial institution when the consumer has a continuing relationship with the institution.

    The Commission received a large number of comments on the definition of "customer" and "customer relationship." Given the interdependence of the two terms, the following analysis of the comments received will address both under the heading "customer relationship."

    i. Customer relationship. The proposed rule defined "customer relationship" as a continuing relationship between a consumer and a financial institution whereby the institution provides a financial product or service that is to be used by the consumer primarily for personal, family, or household purposes. As noted in the proposal, a one-time transaction may be sufficient to establish a customer relationship, depending on the nature of the transaction. A consumer would not become a customer simply by repeatedly engaging in isolated transactions that by themselves would be insufficient to establish a customer relationship, such as withdrawing funds at regular intervals from an ATM owned by an institution at which the consumer has no account. However, an individual who becomes the client of a loan brokerage, tax preparation firm, or financial counseling service would be a customer. The proposal also stated that a consumer would have a customer relationship with a financial institution that makes a loan to the consumer and then sells the loan but retains the servicing rights. The Commission received a large number of comments on this definition, as discussed below.

    Point at which one becomes a customer. The Commission received many comments in response to the definitions of "customer" and "customer relationship." Some commenters criticized what they considered to be the ill-defined line distinguishing consumers from customers. These commenters stated that the proposed distinction makes it difficult for a financial institution to know when the obligations attendant to a customer relationship arise. Several suggested that the distinction should be based on when a consumer and financial institution enter into a written contract for a financial product or service.

    The Commission recognizes that the distinction between consumers and customers will, in some instances, require a financial institution to evaluate whether the particular facts of its consumer transactions fit within the definition of "customer relationship." In those cases where an individual engages in a transaction that is isolated in nature (such as ATM transactions, purchases of money orders, or cashing of checks), the individual will not have established a customer relationship as a result of that transaction. In other situations, where a consumer typically would receive some measure of service such that the consumer's contact with the financial institution is more significant (such as would be the case when a consumer borrows money, obtains investment advice, or becomes the client of an institution for the purpose of receiving tax preparation, loan brokerage, or credit counseling services), a customer relationship will be established. In those cases, the nature of the relationship indicates that it is not an isolated transaction, even though it may be short-term in duration.16 The Commission believes that the distinction set out in the proposed rule, as further clarified by the examples in the final rule regarding the establishment of a customer relationship, provides sufficiently clear principles that can be applied to most fact situations that arise in the financial marketplace.

    16 Many of the customer relationships established by institutions under the Commission's jurisdiction may well be short-term, as can be seen from the examples in § 313.5(b)(2) of when a customer relationship terminates.

    17 Despite its lack of enforcement jurisdiction over persons providing insurance, the Commission retains this example because it may be useful in evaluating analogous situations. Some commenters also asked for further clarification of "purchase" in this context. The Commission does not believe such clarification is necessary and has retained the example as proposed.

    18 "A consumer has a 'customer relationship' with a debt collector that purchases an account from the original creditor (because he or she would have a credit account with the collector), but not with a debt collector that simply attempts to collect amounts owed to the creditor." 65 FR 11174 at 11176 (Mar. 1, 2000).

    19 Those issues are discussed under §§ 313.1(b), 313.3(k) and 313.4.

    20 This fear is unfounded, because such a communication by a collection agency reporting to a creditor that has retained ownership of an account would be permitted under § 313.15(a)(2)(iv). That section allows communications to parties holding a legal interest relating to the consumer, which would certainly include a creditor that owns the debt.

    Customer relationship defined by written contract. The Commission agrees with those commenters who consider the execution of a written contract by a consumer and financial institution as clear evidence that a customer relationship has been established. The proposal cited the execution of a written contract as an example of when a customer relationship is established, and the final rule retains that example in § 313.4(c)(3)(i)(B). However, a test based solely on whether there is a written contract could inappropriately exclude situations in which an individual is a customer of a financial institution as a result of obtaining, for instance, financial, economic, or investment advisory services from a financial institution. Accordingly, the final rule does not define a customer relationship solely by the execution of a written contract.

    Purchase of insurance. Other commenters suggested that, in the context of financial institutions that engage in the sale of insurance, the customer should be the policyholder and not the beneficiary. The Commission agrees and has retained the example in § 313.3(i)(2)(i)(C) of purchasing an insurance product as one situation in which a customer relationship is formed.17 In this case, the person obtaining a financial product or service from the financial institution is the person purchasing the policy. The beneficiaries would be recipients of the insurance proceeds, thereby entitling them to the protections afforded consumers.

    Sales of loans. As previously noted, several commenters raised questions in the context of loan sales. Many commenters stated that, under the final rule, a person should not be considered a customer of two financial institutions when the originating bank sells the servicing rights. A point consistently made by these commenters was that a borrower would be equally well protected with less risk of confusion if the borrower is deemed to be a customer of only one entity in connection with a loan, with that entity perhaps being the party with whom the borrower communicates about the loan. The Commission believes that it is appropriate to consider a loan transaction as giving rise to only one customer relationship, with the recognition that this customer relationship may be transferred in connection with a sale of part or all of the loan. In this way, the borrower will not be inundated by privacy notices (but rather will normally receive annual notices from the loan servicer), many of which might be from subservicers that the borrower did not know had any connection to his or her loan. However, that customer will remain a consumer of the entity that transfers the servicing rights, as well as a consumer of any other entity that holds an interest in the loan.

    In order to satisfy the statutory requirement that a customer receive an annual notice from a financial institution until that relationship terminates, the final rule provides that the borrower must be deemed to have a customer relationship with at least one of the entities that hold an interest in the loan. A financial institution that makes a loan, retains it in its portfolio, and provides servicing for the loan clearly would have a customer relationship with the borrower. More complex, however, are situations in which servicing is sold or investors purchase a partial interest in a loan. The Commission has adopted an approach designed to ensure that a customer receives annual notices for the duration of the customer relationship from the most appropriate financial institution.

    Under the final rule, as stated in § 313.3(i)(2)(i)(B), a customer relationship will be established as a general rule with the financial institution that makes a loan to an individual. This customer relationship then will attach to the entity providing servicing. Thus, if the originating lender retains the servicing, it will continue to have a customer relationship with the borrower and will be obligated to provide annual notices for the duration of the customer relationship. If the servicing is sold, then the purchaser of the servicing rights will establish a customer relationship (and the originating lender will have a consumer relationship with the borrower). See § 313.3(i)(2)(ii)(B). In this way, the borrower will be entitled to receive an initial notice and annual notices from the loan servicer, but will not be inundated by initial and annual notices from entities that hold interests in the loan but are unknown to the consumer (and who do not share the consumer's nonpublic personal information with unaffiliated third parties).

    Collection agencies that purchase accounts in their own name. The Commission received a substantial number of comments from different types of debt collectors and their representatives. This section addresses several comments the Commission received concerning the proposed rule's differentiation between collectors who assist creditors in collecting delinquent accounts, and those who purchase them in their own name.18 The Commission also received comments from all types of collection agencies on other points. Several contested the Commission's treatment of debt collectors as financial institutions.19 Others were concerned that the rule would prohibit communications with a creditor that retained ownership on the account and hired the agency to obtain payment from debtors.20

    Representatives of two major tradeassociations of debt collectors pointedto the definitions set forth in section 803of the Fair Debt Collection Practices Act,which specifically exempts anycreditor collecting its own accountsin its own name from being within thedefinition of a debt collector subjectto that statute, and the case law holdingthat the creditor exemption does notinclude debt collectors that purchasedefaulted accounts in their own name


    21 15 U.S.C. 1692a(4) and 1692a(6). Cirkot v. Diversified Fin. Sys., Inc., 839 F. Supp. 941, 944-45 (D. Conn. 1993); Holmes v. Telecredit Service Corp., 736 F. Supp. 1289, 1293 (D. Del. 1990); Kimber v. Federal Fin. Corp., 668 F. Supp. 1480, 1485-86 (D. Ala. 1987).

    22 This term was used in the exception set out in § 313.11(a)(4) of the proposal as it related to disclosures to law enforcement agencies, including government regulators.

    23 See also the discussion of the effective date at § 313.18, infra. Section 4(k) of the Bank Holding Company Act established procedures whereby the Board can add activities to the list of activities that it is permissible for financial holding companies to engage in. To the extent these later added activities are financial activities, and not incidental activities, the rule will not be effective as to those new financial institutions until the Commission so determines.

    24 See footnotes 5-8 and accompanying text, supra. These are activities either specified in

    for collection.21 The commenters argued that, because the FDCPA does not treat collection agencies that purchase defaulted accounts in their own name as creditors, the G-L-B Act should not be interpreted to do so. In addition, debt buyers stated that they frequently made bulk purchases of defaulted accounts from creditors, immediately discarded and never even attempted to collect many of the accounts they purchased, and were unable to locate many of the account debtors from whom they wanted to collect amounts due.

    The Commission recognizes that these businesses have some attributes of creditors who buy active accounts (where the debtors clearly become customers of the account purchaser) and some attributes of regular debt collectors who attempt to collect amounts due on behalf of the creditor (where the debtors clearly remain the creditor's customer). After careful consideration of the comments and the purposes of the Act, the Commission retains its view that if a business purchases a defaulted account for collection, it may establish a customer relationship with the account debtor. However, such a relationship occurs only in those instances where the agency locates the individual and tries to obtain payments on the debt. This approach reflects the reality that the collector has purchased the account (albeit for less than it would pay for a current account) and avoids the result that otherwise the individual would not have a customer relationship with anyone because the former relationship with the creditor will have been terminated. At the same time, it responds to industry commenters that contested the Commission's previous position that purchase of the account automatically establishes a customer relationship. The applicable example in § 313.3(i)(2)(i)(J) makes it clear that a debt buyer does not have a customer relationship if it does not attempt to collect payments from, or is unable to locate, the individual named on an account it has purchased.

    Brokers. Several commenters suggested that the use of a mortgage broker, or other business that procures credit on behalf of a consumer, such as financing to purchase an automobile, should not create a customer relationship. The Commission disagrees. A relationship between such a business and a consumer is more than an isolated transaction, given that the broker will likely provide significant services for a consumer, such as providing information or advice about financing options, actively assisting the consumer in contacting potential financing sources, analyzing financial information, or performing credit checks. In some cases, the broker will also negotiate with other financial institutions on the consumer's behalf and/or assist with paperwork and loan closings. In light of the nature of the services provided by a loan broker or other credit arranger in assisting the consumer with financial transactions, it is appropriate to consider the business to be a financial institution that establishes a customer relationship when it undertakes to arrange or broker a home mortgage loan or other credit for the consumer. The final rule reflects this conclusion in § 313.3(i)(2)(i)(E).

    IRA Custodians. The final rule adds an example in § 313.3(i)(2)(i)(D) to clarify that an individual will be deemed to establish a customer relationship when a financial institution acts as a custodian for securities or assets in an IRA. This example is consistent with the explanation set out above in the discussion of "consumer" concerning trusts.

    j. Federal functional regulator. The proposal sought comment on a definition of "government regulator" that included all of the Agencies and State insurance authorities under the circumstances identified in the definition.22

    The few comments that were received on this definition suggested that it be expanded to include additional governmental entities. The Commission notes that, for purposes of the privacy rule, this term (which does not include the Commission) is relevant only in the discussion of when a financial institution may disclose information to a law enforcement agency. The exception as stated in the statute uses the term "federal functional regulator" (see section 502(e)(5)), which term is defined in the statute at section 509(2) and also includes the Commission and Secretary of the Treasury, for purposes of the exception permitting disclosures to law enforcement agencies. The Commission has decided simply to use the statutory term.

    k. Financial institution. The Commission's proposed rule defined "financial institution" as "any institution the business of which is engaging in activities that are financial in nature as described in section 4(k) of the Bank Holding Company Act * * *" Through the examples, the Commission expressed its view that an institution is a financial institution the business of which is engaging in activities that are financial in nature only if the entity is significantly engaged in such activities.

    The Commission received numerous comments concerning this definition. Some commenters requested that the Commission adopt the definition of financial institution contained in the other Agencies' definition. The other Agencies defined financial institution as "any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act." Section 509(3) of the G-L-B Act defines the term as "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956." Section 4(k) of the Bank Holding Company Act refers to three types of activities that the Board may determine permissible for financial holding companies: those that are financial in nature, those that are incidental to such financial activity, and those that are complementary to financial activities. The Commission interprets the G-L-B Act to refer to those activities in Section 4(k) that are described as financial in nature at present, and not to include automatically those activities that the Board later determines are incidental or complementary to financial activities. Such activities are not necessarily themselves financial activities and, therefore, should not have an impact on the definition of financial institution. Thus, the final rule incorporates the statutory language in § 313.3(k).23

    Given the breadth of the definition, some commenters requested that the Commission provide a definitive list of the entities that are subject to the rule. The Commission deems it inappropriate to publish such a definitive list. The institutions covered by the rule currently are defined by reference to the comprehensive list of activities found at section 4(k)(4) of the Bank Holding Company Act.24 The Commission has


    Section 4(k)(4) itself, or are activities listed in Board regulations referenced in Section 4(k)(4) already in effect on the effective date of the G-L-B Act. This list of activities may expand as the Board exercises its authority to add additional activities that are financial in nature pursuant to Section 4(k)(13) of the Bank Holding Company Act.

    25 The statute is clear that debt collection agencies are financial institutions under its terms. As noted in the discussion of the definition of financial institution below, the statute treats a broad range of activities as financial in nature. Section 509(3) of the G-L-B Act defines the term to mean "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956." Section 4(k)(4)(F) of the Bank Holding Company Act includes all financial activities deemed by the Federal Reserve Board to be so closely related to banking or managing or controlling banks as to be a proper incident thereto. In Regulation Y, 12 CFR 225.28(b)(2)(iv), the Board specifically designated collection agency services as such a financial activity.

    26 See footnote 5 of the Commission's discussion of the proposal at 65 FR 11176. Section 4(k)(4)(G) of the Bank Holding Company Act includes all financial activities conducted in the United States deemed by the Federal Reserve Board to be usual in connection with the transaction of banking or other financial operations abroad. In Regulation K, 12 CFR 211.(d)(15), the Board specifically designated "[o]perating a travel agency * * * in connection with financial services" as such a financial activity.

    27 This analysis is consistent with an interim rule published by the Board at 12 CFR 225.86(b)(2), in which it characterized the travel agency activity "operating a travel agency in connection with financial services offered by the financial holding company or others." 65 FR 14433, 14439 (Mar. 17, 2000).

    28 See the Commission's discussion of financial product or service in the next section, as it relates to the Act's inapplicability to nonfinancial products or services of financial institutions.

    reformatted and added additional examples of financial institutions in the final rule to guide the analysis of whether a particular entity is a financial institution through reference to section 4(k)(4) and particular sections of the Board regulations that are incorporated therein by reference.

    The Commission received several comments on the "significantly engaged" standard set forth in the examples in the proposed rule. A few expressed concern that the "significantly engaged" test was too imprecise to allow some businesses to know whether they were within the definition, usually suggesting alternatives that would exclude the industries they represent. The final rule does not define "significantly engaged." The revenue tests suggested by some commenters are too inflexible to take into consideration all instances where an institution may be significantly engaged in a financial activity. The final rule retains the flexibility of the "significantly engaged" standard and provides guidance through examples. To that end, the Commission has moved the "significantly engaged" language into the text of the final rule and retains in the final rule those examples from the proposed rule of entities that are and are not significantly engaged in a financial activity. A retail business that issues its own credit card directly to consumers is a financial institution significantly engaged in the extension of credit, but a retail business that merely allows its retail clients to make payments through occasional lay-away plans is not significantly engaged in a financial activity. Similarly, a small merchant that informally extends credit when it "runs a tab" for some individuals is not significantly engaged in the business of extending credit. The Commission believes that the concept of "significantly engaged" is sufficiently clear to provide guidance to most entities in analyzing their specific factual situations.

    Many commenters, especially some representatives of the consumer debt collection industry,25 expressed concern at the breadth of the definition and asserted that Congress could not have intended to include all institutions that engage in the activities referenced in Section 4(k). The plain language of the statute, however, dictates that breadth and grants the Commission no authority to exclude particular entities from the definition. The broad scope of the Act, and the comments received by the Commission, are also discussed above in more detail in the context of § 313.1(b). While it is not possible to discuss every potential financial institution in detail, the Commission specifically sought comment on certain of the activities listed in section 4(k) and the Board regulations that are incorporated by reference.

    The proposed rule acknowledged that one of the activities characterized as financial in nature in Section 4(k)(4) of the Bank Holding Company Act is operating a travel agency in connection with offering financial services.26 The Commission received few comments on the extent to which travel agents operate in connection with financial services. The comments did indicate that travel agents generally do sell travelers checks, trip insurance, and travel insurance, all of which constitute financial products or services. However, the Commission does not consider a travel agency's operations to be "in connection with offering financial services" and therefore covered simply because it offers travelers checks or travel related insurance to their travel clients. Rather, the Commission interprets the G-L-B Act to cover travel agencies only if their travel-related services are offered in addition to offering other financial services.27 This would cover, for example, entities that offer credit, investment, or insurance products or services, and also offer travel-related services to their clients. For these types of entities, travel operations would thereby become covered services and their travel transactions would be protected by the G-L-B Act.28

    Some commenters requested clarification concerning whether certain Internet industries are affected by the rule. The comments in this regard did not provide sufficient detail for the Commission to evaluate all of the concerns of the commenters, but the Commission notes that institutions operating on-line, like those operating off-line, will have to evaluate (1) whether they are engaged in a financial activity, and (2) if so, whether they have consumers or customers that trigger the disclosure or other requirements of the Act. On a related issue, the Commission notes that one of the financial activities incorporated by reference into Section 4(k) of the Bank Holding Company Act is:

    providing data processing and data transmission services, facilities (including data processing and data transmission hardware, software, documentation, or operating personnel), data bases, advice, and access to such services, facilities, or data bases by any technological means, if * * * [t]he data to be processed or furnished are financial, banking, or economic * * *.

    12 CFR 225.28(b)(14). The Commission notes with respect to this activity that financial software and hardware manufacturers, as described, are financial institutions but will have no disclosure obligations if they sell only to businesses. Furthermore, in the case of an isolated one-time sale of software or hardware to a consumer, their disclosure obligations would be very limited. In addition, this language brings into the definition of financial institution an Internet company that compiles, or aggregates, an individual's on-line accounts (such as credit cards, mortgages, and loans) at that company's web site as a service to the individual, who then may access all of its account information through that Internet site.

    Many entities that come within the broad definition of financial institution will likely not be subject to the disclosure requirements of the rule because not all financial institutions have "consumers" or establish "customer relationships." Several commenters supported this distinction and the Commission retains it here. For example, management consulting is a financial activity but it is not likely


    29 If such financial institutions receive consumers' nonpublic personal information from nonaffiliated financial institutions pursuant to one of the exceptions set forth in §§ 313.14 and 313.15, however, they would be required to observe the § 313.11 limitations on reuse and redisclosure of that information.

    30 An individual who provides a financial service only informally (e.g., preparing tax forms without remuneration for friends or family, or as community service) is not likely significantly engaged in a financial activity.

    that any individual obtains management consulting services for personal, family or household purposes. Likewise, courier services, data processors, and real estate appraisers who perform services for a financial institution, but do not provide financial products or services to individuals, will not be required to make the disclosures mandated by the rule because they do not have "consumers" or "customers" as defined by the rule.29 The Commission declines to adopt a definitive list, as requested by some commenters, of all of the financial institutions that do not have consumers and customers. Such a list inevitably will not be exclusive and may include some institutions that operate so that in some instances they have consumers and customers and in others they do not.

    Some commenters suggested that sole proprietors be exempt from the definition, but provided no helpful rationale for doing so, while others requested clarification as to whether nonprofit entities could be financial institutions covered by the rule. Whether or not a commercial enterprise is operated by a single individual is not determinative in analyzing whether the entity is a financial institution. If an individual is in "the business of * * * engaging in financial activities * * *," that business is included within the financial institution definition.30 Similarly, nothing in the definition of financial institution excludes nonprofit entities from the definition of financial institution.

    Few commenters addressed proposed § 313.3(j)(3)(iii), which incorporated the Act's exemption for institutions chartered by Congress to engage in secondary market sales and similar transactions related to consumers, as long as the institution does not sell or transfer nonpublic personal information to a nonaffiliated third party. This exemption applies even if the chartered institution sells or transfers information as permitted by the exceptions to the notice and opt out requirements in proposed §§ 313.10 and 313.11 (§§ 313.14 and 313.15 in the final rule). The Commission also sought comment on whether it should require chartered institutions, as a condition of their exemption, to enter into a confidentiality agreement with any nonaffiliated third parties with whom they share information pursuant to the exceptions. Chartered institutions supported the interpretation; one commenter contended that such additional language was not in keeping with the intent of the exemption. The Commission believes that its interpretation merely operates to allow chartered institutions to continue their normal business, and does not permit them (or any party receiving information from them) to disclose information unrestrained. In accord with the limitations on reuse and redisclosure in section 502(c) of the G-L-B Act, both chartered institutions and recipients of nonpublic personal information are limited in that regard. The Commission has adopted the provision as proposed.

    l. Financial product or service. The proposal defined "financial product or service" as a product or service that a financial institution could offer by engaging in an activity that is financial in nature under section 4(k) of the Bank Holding Company Act of 1956. The proposal's definition included the financial institution's evaluation of information collected in connection with an application by a consumer for a financial product or service even if the application ultimately is rejected or withdrawn. It also included the brokerage and distribution of information about a consumer for the purpose of assisting the consumer in obtaining a financial product or service.

    The most frequent comment on this proposed definition was that the evaluation of application information should not be considered a financial product or service. For the reasons advanced above in the discussion of the definition of "consumer," the Commission concludes that it is appropriate to retain evaluation activity within the scope of financial product or service covered by the rule. Evaluation is one of many financial services provided by financial institutions. Moreover, a consumer is likely to provide the type of information that the statute is designed to protect in the course of obtaining the financial institution's evaluation.

    An entity's status as a financial institution does not cause every product or service offered by that entity to be a financial product or service. A retailer that issues its own credit card directly to consumers provides a financial service (credit) to consumers who utilize the card; but when that same retailer sells merchandise, it provides a nonfinancial product or service (retail sale of merchandise).

    The Commission has retained the essence of the proposed definition, but has revised § 313.(l)(1) to mirror its change to the definition of financial institution in § 313.3(k) and eliminated the word "distribution" from § 313.3(l)(2) because it is not intended to mean anything different from "brokerage" and, therefore, its use invites confusion.

    m. Nonaffiliated third party. The proposal defined "nonaffiliated third party" as any person (which includes natural persons as well as corporate entities) except (1) an affiliate of a financial institution and (2) a joint employee of a financial institution and a third party. The proposal clarified the circumstances under which a company that is controlled by a financial institution pursuant to that institution's merchant banking activities or insurance company activities would be a nonaffiliated third party of that financial institution.

    The Commission received very few comments in response to this proposed definition. One commenter requested that the final rule provide that a disclosure of information to someone who is serving as a joint employee of two financial institutions should be deemed to have been disclosed to both financial institutions. The Commission disagrees with this result. Instead, the Commission believes it is appropriate to deem the information to have been given to the financial institution that is providing the financial product or service in question. Thus, if an employee of a mortgage lender is a dual employee with a securities firm, information received by that person in connection with a securities transaction conducted with the securities firm would be deemed to have been received by the securities firm.

    The Commission notes that its proposal omitted a section included in the other Agencies' rules relating to companies engaged in merchant banking, investment banking, or investment activities described in section 4(k)(4)(H-I) of the Bank Holding Company Act. For purposes of consistency with the rules to be adopted by the other Agencies, the Commission has included it at § 313.3(m)(2). Otherwise, the final rule defines nonaffiliated third party as proposed.

    n. Nonpublic personal information. Section 509(4) of the G-L-B Act defines "nonpublic personal information" to mean personally identifiable financial information that is provided by a consumer to a financial institution, results from any transaction with the


    31 The Driver's Privacy Protection Act, 18 U.S.C. 2721-2725, restricts the states' ability to disclose a driver's personal information without the driver's consent. Reno v. Condon, ___ U.S. ___, 120 S. Ct. 666 (2000).

    consumer or any service performed for the consumer, or is otherwise obtained by the financial institution. It also includes any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information.

    The stat