FDIC Federal Register Citations

IV. Guidance for Certain Institutions

To minimize the burden and costs to a financial institution ("you") and generally clarify the operation of the final rule, the Agencies have included this guidance that you may use in conjunction with the sample clauses in Appendix A. This guidance specifically applies to you if you:

(1) do not have any affiliates;

(2) only disclose nonpublic personal information to nonaffiliated third parties in accordance with an exception under § __.14 or __.15, such as in connection with servicing or processing a financial product or service that a consumer requests or authorizes; and

(3) do not reserve the right to disclose nonpublic personal information to nonaffiliated third parties, except under § __.14 and __.15.

In addition, if you disclose nonpublic personal information in accordance with the exception in §   __.13, for service providers and joint marketers, you also must include an accurate description of that information, as illustrated by the sample clause in section (K) below.

In general, if you disclose nonpublic personal information to nonaffiliated third parties only as authorized under an exception, then your only responsibilities under the regulation are to provide initial and annual notices to each of your customers. You do not need to provide an opt out notice or opt out rights to your customers.

A. Initial notice to customers. You must provide an initial notice to each of your customers. A customer is a natural person who has a continuing relationship with you, as described in § __.4(c). For instance, an individual who opens a credit card or checking account with you is your customer. By contrast, an individual who uses your ATM to withdraw funds from a checking account at another financial institution is not your customer. Even if an individual repeatedly uses your ATM, that individual is not your customer. In other words, you must provide initial and annual notices to each of your customers, but not to others.

B. Time to provide initial notice. You must provide an initial privacy notice to each of your customers not later than when you establish a customer relationship (§  __.4(a)(1)). For instance, you must provide a privacy notice to an individual not later than when that individual executes the contract to open a checking account. Thus, you can provide the notice to a checking account customer together with the account agreement and signature card.

Similarly, in the case of a loan, you must provide a privacy notice to an individual not later than when that individual executes the loan contract. For example, you can provide the notice to an individual together with the documents (or other forms) that constitute the loan contract. You may always deliver your privacy notices earlier than required.

If one of your existing customers obtains a new financial product or service from you, then you need not provide another initial notice to that customer (§  __.4(d)) if that earlier notice covered the subsequent product.

For instance, if Alison Individual walks into Bank for the first time on July 2, 2001, to open a checking account, then Bank complies with §  __.4(a)(1) of the rule if it provides an initial notice to Alison together with the deposit contract. When Alison opens her checking account, she becomes a customer of Bank. Alison maintains her checking account and, six months later, returns to Bank to obtain a loan. If the initial notice that Bank provided to Alison was accurate with respect to that loan, then Bank need not provide another initial notice to her when she obtains the loan because it has provided a notice to Alison that covered the loan when she opened her checking account.

C. Method of providing the initial notice. You must provide your initial notice so that each customer can reasonably be expected to receive actual notice of it, in writing (§  __.9(a)). For example, you may provide the initial notice by mailing a printed copy of it together with a loan contract. Similarly, you may provide the initial notice by hand-delivering a printed copy of it to the customer together with a deposit account agreement.

D. Compliance with initial notice requirement for existing customers by effective date. You must provide an initial notice to each of your current customers not later than July 1, 2001 (§  __.18(b)). You may do so by mailing a printed copy of the notice to the customer's last known address.

E. Annual notice. During the continuation of the customer relationship, you must provide an annual notice to the customer, as described in §  __.5(a). You must provide an annual notice to each customer at least once in any period of 12 consecutive months during which the customer relationship exists. You may define the 12-consecutive-month period, but must consistently apply that period to the customer. You may define the 12-consecutive-month period as a calendar year and provide the annual notice to the customer once in each calendar year following the calendar year in which you provided the initial notice.

For example, assume that Bank defines the 12-consecutive-month period as a calendar year and provides annual notices to all of its customers on October 1 of each year. If Alison Individual opens a checking account with Bank on July 2, 2001, thereby becoming a customer, then Bank must provide an initial notice to Alison together with the deposit agreement or earlier. Bank must provide an annual notice to Alison by December 31, 2002. If Bank provides an annual notice to Alison on October 1, 2002, as it does for other customers, then it must provide the next annual notice to Alison not later than October 1, 2003.

F. Method of providing the annual notice. Like the initial notice, you must provide the annual notice so that each customer can reasonably be expected to receive actual notice of it, in writing (§  __.9(a)). You may do so by mailing a printed copy of the notice to the customer's last known address.

G. Joint accounts. If two or more customers jointly obtain a financial product or service, then you may provide one initial notice to those customers jointly. Similarly, you may provide one annual notice to those customers jointly (§  __.9(g)).

H. Information described in the initial and annual notices. The initial and annual notices must include an accurate description of the following four items of information:

  1. The categories of nonpublic personal information that you collect (§ __.6(a)(1));
  2. The fact that you do not disclose nonpublic personal information about your current and former customers to affiliates or nonaffiliated third parties, except as authorized by §§ __.14 and __.15 (§ __.6(a)(2)-(4)). When describing the categories with respect to those parties, you are required to state only that you make disclosures to other nonaffiliated third parties as permitted by law (§ __.6(c));
  3. Your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information (§ __.6(a)(8)).

For each of these items of information above, you may use a sample clause from Appendix A. The Agencies emphasize that you may use a sample clause only if that clause accurately describes your actual policies and practices.

I. Example of notice. A financial institution ("Bank") that (i) does not have any affiliates and (ii) only discloses nonpublic personal information to nonaffiliated third parties as authorized under § __.14 and __.15, may comply with the requirements of § __.6 of the rule by using the following notice, if applicable.

Bank collects nonpublic personal information about you from the following sources:

Information we receive from you on applications or other forms;

Information about your transactions with us or others; and

Information we receive from a consumer reporting agency.

We do not disclose any nonpublic personal information about you to anyone, except as permitted by law.

If you decide to close your account(s) or become an inactive customer, we will adhere to the privacy policies and practices as described in this notice.

Bank restricts access to your personal and account information to those employees who need to know that information to provide products or services to you. Bank maintains physical, electronic, and procedural safeguards that comply with federal standards to guard your nonpublic personal information.

J. Initial and annual notices must be clear and conspicuous. The Agencies emphasize that you must ensure that both the initial and annual notices are clear and conspicuous, as defined in §  __.3(b).

K. Example of notice for disclosure to service providers and joint marketers. If you disclose nonpublic personal information in accordance with the exception in §   __.13, for service providers and joint marketers, you also must include an accurate description of that information. You may comply with the requirements of §  __.13 of the rule by including the following sample clause, if applicable, in the example of notice described in section (I) above:

We may disclose all of the information we collect, as described [describe location in the notice, such as "above" or "below"] to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements.

V. Regulatory Analysis

A. Paperwork Reduction Act

The Agencies may not conduct or sponsor, and an organization is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The OMB control numbers are listed below.

OCC: 1557-0216

Board: 7100-0294

FDIC: 3064-0136

OTS: 1550-0103

The Agencies sought comment on the burden estimates for the information collections listed below. Many commenters suggested, in response to specific proposed sections, that the rule would impose significant burden on them. Most of those suggestions concerned requirements that are imposed by the statute (such as the need to provide annual notices if an institution's previous notice remains accurate or the need to provide any notices at all in situations where an institution does not disclose nonpublic personal information to nonaffiliated third parties). The Agencies have attempted to address other concerns by amending several provisions as discussed above and by clarifying the Agencies' expectations as far as disclosures are concerned. Below is a brief summary of the remaining paperwork burdens implemented by this final rule.

The final rule contains several disclosure requirements. The respondents must prepare and provide the initial notice to all current customers and all new customers not later than when a respondent establishes a customer relationship (§ __.4(a)). Subsequently, an annual notice must be provided to all customers at least once during a twelve-month period during the continuation of the customer relationship (§ __.5(a)). The opt out notice (and partial opt out notice, if applicable; see § __.10(c)) must be provided prior to disclosing nonpublic personal information to certain nonaffiliated third parties. If a financial institution wishes to disclose information in a way that is inconsistent with the notices previously given to a consumer, the institution must provide consumers with revised notices (§ __.8(a)).

The final regulation also contains affirmative actions that consumers must take to exercise their rights. In order for consumers to prevent financial institutions from sharing their information with nonaffiliated third parties, they must opt out (§ __.7(a)(2)(ii), __.10(a)(2) and __.10(c)). At any time during their continued relationship with the institution, consumers have the right to change or update their opt out status with the institution (§ __.7(f) and (g)).

OCC: The rule requires the collection of certain information from national banks, District of Columbia banks, and Federal branches and agencies of foreign banks. OMB has reviewed and approved the collections of information contained in the final rule under control number 1557-0216, in accordance with the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.). OMB clearance will expire on March 31, 2003. There are 2,400 respondents with a total annual burden of 108,000 hours.

Board: The rule requires the collection of certain information from state member banks, bank holding companies, affiliates and certain non-bank subsidiaries of bank holding companies, uninsured state agencies and branches of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and agreement corporations. In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3506; 5 CFR 1320 Appendix A.1), the Board approved the rule under the authority delegated to the Board by OMB. The OMB control number is 7100-0294. There are 9,500 respondents with a total annual burden of 427,500 hours.

FDIC: The rule requires the collection of certain information from insured nonmember banks, insured state branches of foreign banks, and certain subsidiaries of these entities. The Office of Management and Budget (OMB) has reviewed and approved the collections of information contained in the final rule under control number 3064-0136, in accordance with the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.). OMB clearance will expire on April 30, 2003. There are 5,764 respondents with a total annual burden of 259,380 hours.

OTS: The rule requires the collection of certain information from savings associations and certain of their subsidiaries. OMB has reviewed and approved the collections of information under control number 1550-0103, in accordance with the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.). OMB clearance will expire on April 30, 2003. There are 1,104 respondents with a total annual burden of 49,680 hours.

The Agencies have a continuing interest in the public's opinion regarding collections of information. Members of the public may submit comments, at any time, regarding any aspect of these collections of information. Comments may be sent to:

OCC: Communications Division, Attention: 1557-0216, Office of the Comptroller of the Currency, 250 E Street, SW, Third Floor, Washington, D.C. 20219.

Board: Mary M. West, Federal Reserve Board Clearance Officer, Mail Stop 97, Division of Research and Statistics, Board of Governors of the Federal Reserve System, Washington, D.C. 20551.

FDIC: Steven F. Hanft, Assistant Executive Secretary (Regulatory Analysis), Federal Deposit Insurance Corporation, Room F-4080, 550 17th Street NW, Washington, D.C. 20429.

OTS: Dissemination Branch (1550-0103), Office of Thrift Supervision, 1700 G Street, NW, Washington, D.C. 20552.

A copy of all comments should also be sent to Office of Management and Budget, Paperwork Reduction Project (include OMB control number), Washington, D.C. 20503.

B. Regulatory Flexibility Act

OCC: Under the Regulatory Flexibility Act (RFA), the OCC must either provide a Final Regulatory Flexibility Analysis (FRFA) with a final rule or certify that the final rule "will not, if promulgated," have a significant economic impact on a substantial number of small entities. Given that the burden imposed on small institutions stems in large part from the statute, and in light of the significant number of changes described previously that reduce the rule's burden on financial institutions of all sizes, the OCC does not expect that the rule will have a significant economic impact on a substantial number of small entities. However, because the statute creates a set of requirements that are new both to the OCC and to financial institutions in general, the OCC has prepared the following FRFA and intends to publish a compliance guide for small entities.

A. Need for and Objectives of the Final Rule; Legal Basis for the Rule

The final rule implements the provisions of Title V, Subtitle A of the GLB Act addressing consumer privacy. In general, these statutory provisions require banks to provide notice to consumers about a bank's privacy policies and practices, restrict institutions from sharing nonpublic personal information about consumers with nonaffiliated third parties, and permit consumers to prevent institutions from disclosing nonpublic personal information about them to certain nonaffiliated third parties by "opting out" of that disclosure.

Section 504 of the GLB Act authorizes the OCC to prescribe "such regulations as may be necessary" to carry out the purposes of Title V, Subtitle A. If no regulations were promulgated, substantive burdens imposed by the Act (e.g., the notice, information sharing restrictions, and opt out requirements) would have become effective and binding on banks one year from the date the Act was signed into law. The OCC believes that a regulatory promulgation gives the private sector greater certainty about how to comply with the statute and clearer guidance regarding how it will be enforced.

B. Small Entities to Which the Rule Will Apply

The proposed rule would apply to all banks, regardless of size, including those with assets of under $100 million. As of December 1999, 1203 (of 2365 total) national banks had assets of under $100 million. As explained below, Title V, Subtitle A of the GLB Act did not provide a general exception for small banks, nor did it appear that such an exception would be consistent with the purposes of the Act.

C. Compliance Requirements and Effects of the Final Rule on Small Entities

A detailed description of the final rule's requirements is set forth above in the section-by-section analysis (Supplementary Information, part III). Among other things, a bank will generally be required to prepare a notice of its privacy policies and practices and provide that notice to consumers under conditions as specified in the rule (e.g., a privacy notice must be provided no later than the time that a customer relationship is established and then once annually for the duration of that customer relationship). Banks that disclose nonpublic personal information about consumers to nonaffiliated third parties will be subject to additional mandates, including a requirement to provide an opt out notice to consumers along with a reasonable opportunity to opt out of certain disclosures.

There are a host of exceptions to the general rules stated above. For example, a bank may share a consumer's nonpublic personal information with nonaffiliated third parties without having to give an opt out notice if such sharing is necessary to effect, administer, or enforce a transaction requested or authorized by the consumer. These exceptions have the effect of minimizing the burden on institutions of all sizes.

To comply with the final rule, banks will need to, among other things, prepare disclosure forms, make various operational changes, and train staff. Professional skills needed to comply with the final rule may include clerical, computer systems, personnel training, as well as legal drafting and advice.

The compliance requirements and costs are likely to vary considerably among institutions, depending upon a number of factors, such as:

--Whether a bank intends to disclose covered information. A bank that does not disclose nonpublic personal information about consumers to third parties (or shares only to the extent permitted under the exceptions) (i) could have a streamlined privacy notice, (ii) will not need to provide an opt out notice to consumers, and (iii) will not need to implement procedures to honor the wishes of consumers that choose to opt out of certain information sharing.

--Whether the bank already has a notice describing its privacy policy. Various surveys suggest that a majority of banks already have privacy policies in place as part of usual and customary business practices. For these institutions, the costs for revising that policy to comply with the regulation are likely to be significantly less than would be the costs for those institutions having to develop a new policy.

--Whether the bank already has an opt-out mechanism in place pursuant to the Fair Credit Reporting Act (FCRA). Under the FCRA, a bank must provide opt out notices and have an opt out mechanism in place if the bank (i) shares certain consumer information (i.e., application or credit report information) with its affiliates, and (ii) does not want to be treated as a consumer reporting agency under the Act. A bank that already gives FCRA notices and wants to share nonpublic personal information with nonaffiliated third parties should be able to adapt its existing opt out mechanism to accommodate the requirements of the final rule.

D. Summary of Significant Issues Raised by the Public Comments; Description of Steps the Agency Has Taken to Minimize Burden

One approach to minimizing the burden on small entities would be to provide a specific exemption for such institutions. The OCC has no authority under the statute to grant an exception that would remove small institutions from the entire scope of the rule. The OCC does have exemptive authority under section 504(b) to grant such exceptions to the opt out provisions "as are deemed consistent with the purposes of" the statute. The OCC believes that a wholesale exemption for small banks from the opt out provisions would be inconsistent with the purposes of the Act. As stated in section 501(a) of the Act, "It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." (Emphasis added.) The OCC believes the privacy of someone's nonpublic personal information is no less deserving of protection simply because the information is obtained by a small bank.

The final rule does, however, provide substantial flexibility so that any bank, regardless of size, may tailor its practices to its individual needs. For example, to minimize the burden and costs of distributing privacy policies, the final rule (i) allows each bank to choose the method by which it will distribute required notices (e.g., banks may include an annual privacy notice with periodic account statements that the bank already sends to the customer) and (ii) allows for the initial privacy notice to be provided with other Federally mandated consumer disclosures, such as those required under the Truth-in-Lending Act.

In addition, the OCC carefully considered comments that suggested a variety of other alternatives to reduce burden. In response to these comments, the agency attempted to minimize the burden on all businesses, including small entities, in a manner consistent with providing the privacy protections mandated by the Act. The discussion below reviews some of the changes adopted in the final rule to accomplish this purpose. For a more complete discussion of significant issues raised by public comments and the changes adopted in the final rule, see the section-by-section analysis above, which is incorporated herein by reference (Supplementary Information, part III).

Content of Disclosures. Many commenters interpreted the rule as requiring long, detailed privacy disclosures that, in these commenters' view, would be of little benefit to consumers. To address these comments, the final rule clarifies the level of detail that the OCC believes is appropriate under the statute. In particular, the final rule substantially revises the examples of disclosures that would satisfy the rule; Appendix A includes sample clauses that might be used; and the preamble states that the Agencies believe disclosures required by the rule could fit on a typical tri-fold brochure. Also, the Agencies have provided additional guidance under the caption Guidance for Certain Financial Institutions (Guidance) (Supplementary Information, Part IV). This Guidance, as well as the sample clauses in Appendix A, are intended to minimize the burden and costs for all banks, particularly small banks that will not generally be sharing nonpublic personal information with nonaffiliated third parties (except pursuant to the exceptions). In addition, the final rule permits a bank to provide a short-form privacy notice to a consumer that does not become a customer, provided the bank gives the consumer an opt out notice and notifies the consumer of a reasonably convenient method by which to obtain a copy of the full privacy notice.

Definition of Nonpublic Personal Information. A bank that wants to share nonpublic personal information about a consumer with a nonaffiliated third party generally must comply with the opt out restrictions in the rule. However, information that is considered "publicly available information" is excluded from the definition of nonpublic personal information. The proposed rule offered two alternatives. Under Alternative A, information that is generally available from a public source would not be considered "publicly available information" unless a bank actually obtains the information from a public source. Under Alternative B, the fact that the information could be obtained from a public source is sufficient for the information to be considered publicly available. For the reasons stated earlier in the preamble, the OCC adopted a slightly revised version of Alternative B, the less burdensome option.

Effective Date. By operation of section 510 of the statute, the relevant provisions of Title V take effect November 12, 2000. However, the statute authorizes the agencies to prescribe a later date if implementing regulations are adopted. The proposed rule used the effective date prescribed by the statute. The OCC received a large number of comments from banks, including many from small entities, that requested more time to comply. Many such comments suggested that overall compliance costs could be reduced by delaying the effective date. For the reasons stated earlier in the preamble, the OCC believes it would be appropriate to give banks until July 1, 2001, to comply with the rule.

New Notices Not Required for Each New Financial Product or Service. Some banks, including small entities, expressed concern that the proposed rule may require a new initial notice each time a consumer obtains a new financial product or service. This would be especially burdensome for banks that adopt a universal privacy policy that covers multiple products and services. To address these concerns and minimize economic burden, the final rule clarifies that a new initial notice is not required if the bank has given the customer the bank's initial notice, and that the bank's initial notice remains accurate with respect to the new product or service.

Annual Notice Requirement. Many banks, including small entities, suggested alternative, less burdensome methods for complying with the requirement that banks provide their customers with an annual privacy notice. As discussed earlier in the preamble, the OCC responded to these comments with a provision in the final rule that permits a bank to comply with the annual privacy notice requirements for customers under certain circumstances by continually posting the notice on the bank's web site in a clear and conspicuous manner.

Notice to Joint Account Holders. As noted earlier in the preamble, the final rule allows banks to provide one notice to joint account holders, with the understanding being that a decision to opt out made by one of the account holders will, absent a provision in the opt out notice to the contrary, prevent the bank from disclosing any nonpublic personal information about any of the account holders. This is particularly advantageous for banks, including small entities, that do not intend to share nonpublic personal information with nonaffiliated third parties (except as permitted under the exceptions).

The OCC, along with the other Agencies, intends to publish a small entity compliance guide, separate from and in addition to the guidance for certain financial institutions included as part of this Federal Register notice, that will clarify the operation of and compliance with the rule.

Board: The Regulatory Flexibility Act (5 U.S.C. 604) requires an agency to publish a final regulatory flexibility analysis when promulgating a final rule that was subject to notice and comment.

Need for and objectives of rule. As discussed above, this rule implements the privacy provisions in sections 502-510 of the GLB Act. The rule's objectives are to protect nonpublic personal information about consumers collected by financial institutions by:

(1) Requiring a financial institution to provide notice to customers about its privacy policies and practices;

(2) Describing the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and

(3) Providing a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by "opting out" of that disclosure, subject to certain exceptions.

Comments on the initial regulatory flexibility analysis. Although few commenters addressed the initial regulatory flexibility analysis specifically, many commenters addressed the regulatory burdens that were discussed in that analysis. Commenters provided a wide range of estimates of the costs of compliance, demonstrating the difficulty of precisely measuring the implementation costs for GLB Act privacy provisions. For example, one commenter representing a $4 billion dollar multi-bank holding company with ten financial institutions, estimated compliance costs at $160,000/year (an average of $16,000 per institution), contrasted with a $500 million institution that estimated compliance costs at $40,000/year. Another commenter representing an $18 billion dollar bank holding company estimated compliance costs at $2.1 million, while one of the nation's largest financial institutions estimated compliance costs between $2.5-$18 million. In another comment, a public policy group estimated that the costs of the rule "may likely exceed $223 million annually" based on a sample of deposit accounts and estimated loan accounts at 54 "major institutions" around the United States.

Many commenters principally discussed the burdens that would be imposed by the proposed rule due to the effective date and the amount of detail that financial institutions would have to describe in their initial and annual notices.

Many commenters urged the Board to extend the proposed November 13, 2000, effective date, for periods ranging from six months to two years. Most of these commenters argued that complying with the rule by November 13, 2000, would place an extraordinary burden on their businesses, particularly because the notices required by the rule would mandate changes to computer software, employee training, and compliance systems. To address these concerns, compliance with the final rule will be deferred until July 1, 2001.

Many commenters urged the Board to reduce the level of detail that they perceived would be required in the notices under the proposed rule. Commenters argued, for instance, that requiring a detailed description of all of the sources of information that they use to collect information about their customers would make the notices too lengthy and complicated. In a similar vein, many commenters proposed that the Board should issue model forms to demonstrate the kinds of notices that would be permitted by the rule.

The Board believes that the intent of the original proposal on the level of detail expected under the proposed rule was widely misinterpreted. The notices section has been redrafted in an effort to clarify the requirements. This should lead to modular provisions based on examples in the regulations that could be used by most institutions. The Board and the other Agencies have included, in an appendix to the final rule, sample clauses illustrating elements of the notice requirements for a small institution that does not sell information for marketing purposes and a large holding company with multiple affiliates that distributes information broadly. To further assist institutions in complying with the rule, the Board and the other Agencies have included in this Federal Register notice guidance for certain institutions that do not disclose nonpublic personal information to nonaffiliated third parties outside of the statutory exceptions.

Nevertheless, some institutions may have to craft notice provisions to cover unique aspects of their privacy practices. This is necessary because it is impossible for the Board to anticipate all disclosure practices. In the absence of knowledge of these practices, any attempt to craft "model notices" that could be used by all institutions runs a substantial risk of being misleading.

The Board also modified the final rule to clarify that a financial institution need not provide another initial notice to an existing customer who obtains a new financial product or service so long as the previous notice provided to that customer was accurate with respect to the new financial product or service. The Board believes that this provision will enable a financial institution to adopt a single, comprehensive privacy policy for its financial products and services, and at the same time, reduce the costs to ensure that it delivers an accurate copy of its policy to each customer.

The Board also clarified the final rule to permit a financial institution to provide one copy of the initial, annual, and revised notices, respectively, to consumers who jointly obtain a financial product or service. Correspondingly, the Board clarified that a financial institution may provide one opt out notice, if applicable, to consumers who jointly obtain a financial product or service.

Institutions covered. The Board's final rule will apply to approximately 9,500 institutions, including state member banks, bank holding companies and certain of their nonbank subsidiaries or affiliates, state uninsured branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and Agreement corporations. The Board estimates that over 4,500 of the institutions are small institutions with assets less than $100 million.

New compliance requirements. The final rule contains new compliance requirements for all covered institutions, most of which are required by the GLB Act. The institutions will be required to prepare notices of their privacy policies and practices and provide those notices to consumers as specified in the rule. Institutions that disclose nonpublic personal information about consumers to nonaffiliated third parties will be required to provide opt out notices to consumers as well as a reasonable opportunity to opt out of certain disclosures. These institutions will have to develop systems for keeping track of consumers' opt out directions. Some institutions, particularly those that disclose nonpublic information about consumers to nonaffiliated third parties, will likely need the advice of legal counsel to ensure that they comply with the rule, and may also require computer programming changes and additional staff training.

Minimizing impact on small institutions. The Board believes the requirements of the Act and this rule will create additional burden for covered institutions, particularly those that disclose nonpublic personal information about consumers to nonaffiliated third parties. The rule applies to all covered institutions, regardless of size. The Act does not provide the Board with the authority to exempt a small institution from the requirement to provide a notice of its privacy policies and practices to its customers. Although the Board could exempt small institutions from providing a notice and opportunity for consumers to opt out of certain information disclosures, the Board does not believe that such an exemption would be appropriate, given that one of the purposes of the Act is to provide notice to consumers about the disclosure of nonpublic personal information.

The Board believes that the burden is significantly lower for institutions that do not disclose nonpublic personal information about consumers to nonaffiliated third parties. These institutions may provide relatively simple initial and annual notices to consumers with whom they establish customer relationships. Also, the Board intends to publish a small entity compliance guide, separate from and in addition to the guidance for certain financial institutions included as part of this Federal Register notice, aimed to generally clarify the operation of and compliance with the rule.

FDIC: The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA) requires, subject to certain exceptions, that federal agencies prepare an initial regulatory flexibility analysis (IRFA) with a proposed rule and a final regulatory flexibility analysis (FRFA) with a final rule, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. At the time of issuance of the proposed rule, the FDIC could not make such a determination for certification; therefore, the FDIC issued an IRFA pursuant to section 603 of the RFA. After considering the comments submitted in response to the proposed rule, the FDIC believes that it does not have sufficient information to determine whether the final rule would have a significant economic impact on a substantial number of small entities. Therefore, pursuant to section 604 of the RFA, the FDIC provides the following FRFA.

This FRFA incorporates the FDIC's initial findings, as set forth in the IRFA; addresses the comments submitted in response to the IRFA; and describes the steps the FDIC has taken in the final rule to minimize the impact on small entities, consistent with the objectives of the GLB Act. Also, in accordance with Section 212 of the Small Business Regulatory Enforcement Fairness Act of 1996 (Public Law 104-121), the FDIC will in the near future issue a Small Entity Compliance Guide to assist small entities in complying with this rule.

Statement of the Need/Objectives of the Rule

The final rule implements the provisions of Title V, Subtitle A of the GLB Act addressing consumer privacy. In general, these statutory provisions require banks to provide notice to consumers about an institution's privacy policies and practices, restrict institutions from sharing nonpublic personal information about consumers with nonaffiliated third parties, and permit consumers to prevent institutions from disclosing nonpublic personal information about them to certain non-affiliated third parties by "opting out" of that disclosure. Section 504 of the GLB Act requires the FDIC, in consultation with representatives of State insurance authorities, to prescribe "such regulations as may be necessary" to carry out the purposes of Title V, Subtitle A. If no regulations were promulgated, substantive burdens imposed by the Act (e.g., the notice, information sharing restrictions, and opt out requirements) would have become effective and binding on banks one year from the date the Act was signed into law. The FDIC believes that the final rule gives the private sector greater certainty on how to comply with the statute and clearer guidance regarding how it will be enforced.

Summary of Significant Issues Raised in Public Comments

In the IRFA, the FDIC specifically requested information on the costs of creating privacy policy disclosures, distributing privacy policy disclosures, implementing "opt out" disclosure and processing requirements, and complying with the proposed rule in its entirety. The FDIC received few comments responsive to the issue of implementation costs. While the majority of commenters representing the financial services industry indicated that compliance with the regulation would require significant effort, these comments most often requested additional time to comply with the final rule, and did not address estimated costs to comply with the regulation.

The few comments that the FDIC did receive quantifying the economic costs of compliance reflected a wide range of estimates, demonstrating the difficulty of precisely measuring the implementation costs for GLB Act privacy provisions. For example, one commenter representing a $4 billion dollar multi-bank holding company with ten financial institutions, estimated compliance costs at $160,000/year (an average of $16,000 per institution), contrasted with a $500 million dollar institution that estimated compliance costs at $40,000/year. Another commenter representing an $18 billion dollar bank holding company estimated compliance costs at $2.1 million, while one of the nation's largest financial institutions estimated compliance costs between $2.5-$18 million. In another comment, a public policy group estimated that the costs of the rule "may likely exceed $223 million annually" based on a sample of deposit accounts and estimated loan accounts at 54 "major institutions" around the United States.

Summary of the Agency Assessment of Issues Raised in Public Comments

Both the limited numbers of comments received that discussed compliance costs and the wide range of estimates provided reflect the uncertainty of estimating the costs of implementing the GLB Act requirements. The new compliance requirements will indeed create additional economic costs for institutions, especially those that disclose information to nonaffiliated third parties. These costs include, but are not limited to (1) reviewing current information sharing practices; (2) determining operational changes necessary; (3) identifying sources/uses of customer information; (4) preparing disclosure forms; and (5) training staff. Most, if not all, of these costs result from requirements expressly mandated by the GLB Act.

After a careful review of the comments received, the FDIC does not have a practicable or reliable basis for quantifying the costs of implementing the requirements of the GLB Act. We expect that compliance costs will vary significantly between institutions depending on information sharing practices. The FDIC continues to believe that the costs of implementing the opt out provisions of the final rule will be insubstantial for financial institutions that do not disclose nonpublic personal information to nonaffiliated third parties or only do so pursuant to the exceptions provided under sections 332.14 and 332.15. FDIC's determination is based on the observations of FDIC examiners, which were discussed in the IRFA, and the analysis of comments received in response to the proposed rule. These institutions may provide relatively simple initial and annual notices to consumers with whom they establish customer relationships. However, the FDIC cannot determine either the number or identity of institutions that will not disclose nonpublic personal information about consumers to nonaffiliated third parties or that only do so pursuant to the exceptions provided under sections 332.14 and 332.15.

Description/Estimate of Small Entities to which the Rule will Apply

The final rule will apply to approximately 3,700 FDIC-insured State nonmember banks that are small entities (assets less than $100 million) as defined by the RFA.

Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements

The final rule contains new compliance requirements for all covered institutions, most of which are required by the GLB Act. The institutions will be required to prepare notices of their privacy policies and practices, and provide those notices to consumers as specified in the rule. Institutions that disclose nonpublic personal information about consumers to nonaffiliated third parties will be required to provide opt out notices to consumers, as well as a reasonable opportunity to opt out of certain disclosures. These institutions will have to develop systems for keeping track of consumers' opt out directions. Some institutions, particularly those that disclose nonpublic information about consumers to nonaffiliated third parties, will likely need the advice of legal counsel to ensure that they comply with the rule, and may also require computer programming changes and additional staff training. As discussed earlier, the FDIC does not have a practicable or reliable basis for quantifying the compliance costs of the final rule. Nor can the FDIC determine the number of small entities that will disclose nonpublic personal information about consumers to nonaffiliated third parties.

Steps Agency has taken to Minimize the Significant Economic Impact on Small Entities

The final rule incorporates new compliance requirements, which are expressly mandated by the GLB Act. The GLB Act mandates (1) providing notice of privacy policies/practices; (2) restricting the conditions under which a financial institution may disclose nonpublic personal information to nonaffiliated third parties; and (3) providing a method for consumers to prevent their nonpublic personal information from being shared with nonaffiliated third parties. The FDIC has sought to minimize the burden on all businesses, including small entities, in promulgating this final rule. Nonetheless, the statute does not authorize the FDIC to create exemptions from the GLB Act based on an institution's size. While the final rule attempts to clarify, consolidate, and simplify the statutory requirements for all entities, the FDIC has little discretion, if any, to mandate different compliance standards for small entities. Moreover, different compliance standards would be inconsistent with the purposes of the GLB Act.

Throughout this rulemaking proceeding, the FDIC sought to gather information regarding the economic impact of the GLB Act's requirements for all financial institutions, including small entities. The proposed rule and the IRFA included a number of questions for public comment regarding the costs associated with complying with the rule and the impact on small entities. In addition, the FDIC held a public forum on privacy during the comment period, which included representatives of small insured depository institutions and topics designed to elicit information about the rule's economic impact. The FDIC carefully considered comments that suggested a variety of alternatives that could minimize the economic and overall burden of complying with the final rule. The discussion below reviews some of the significant changes adopted in the final rule to accomplish this purpose. For a more complete discussion of the changes adopted in the final rule, see the "Section-by-section analysis" under Supplementary Information, Part III.

1. Sample Disclosure Clauses (Appendix A to Part 332) and Guidance for Certain Institutions (Supplementary Information, Part IV).

Many commenters expressed concern over the amount of detail that appears to be required in both initial and annual notices. In addition, many of the commenters requested model forms for guidance as to the level of detail required. The FDIC did not intend for the disclosures to be overly detailed and thus burdensome for institutions and potentially overwhelming for consumers. In response to these comments, Appendix A to Part 332 contains sample clauses to clarify the level of detail that the FDIC believes is necessary and appropriate to be consistent with the statute. The FDIC has also provided additional assistance under the caption Guidance for Certain Institutions (Guidance) (Supplementary Information, Part IV). The Guidance generally clarifies the operation of the final rule. It also provides an example of a notice for institutions that only share nonpublic personal information with nonaffiliated third parties pursuant to the exceptions provided in Sections 332.14 and 332.15. The Guidance may be used in conjunction with the sample clauses contained in Appendix A.

The sample clauses under Appendix A and the Guidance are intended to minimize the burden and costs to financial institutions, including small entities. This is especially true for small institutions that do not share nonpublic personal information with nonaffiliated third parties or only do so pursuant to the exceptions provided in sections 332.14 and 332.15. These institutions may provide relatively simple initial and annual notices to consumers with whom they establish customer relationships.

2. Definition of nonpublic personal information

In the proposed rule, the FDIC provided two alternatives for defining nonpublic personal information. The first (Alternative A) deemed information as publicly available only if a financial institution actually obtained the information from a public source, whereas the second (Alternative B) treated information as publicly available if a financial institution could obtain it from such a source. A significant majority of commenters who commented on Alternatives A and B favored Alternative B. Many commenters suggested that implementing Alternative A would be overly burdensome. Institutions would have to develop some sort of methodology to distinguish between information obtained from consumers and information obtained through public sources. In response to these comments, the final rule adopts a modified version of Alternative B (refer to Section-by-section analysis for additional information) that treats information as publicly available if a financial institution could obtain the information from a public source. The final rule addresses the concerns of financial institutions, including small institutions, by adopting the less economically burdensome definition of nonpublic personal information.

3. Effective Date

Section 510 of the GLB Act states that, as a general rule, the relevant provisions of Title V take effect 6 months after the date on which rules are required to be prescribed, i.e., November 12, 2000. However, section 510(1) authorizes the Agencies to prescribe a later date in the rules enacted pursuant to section 504. The proposed rule sought comment on the effective date prescribed by the statute. The overwhelming majority of financial institution commenters requested additional time to comply with the final rule. Several commenters noted that financial institutions may encounter difficulty managing the expenses and resources required to comply with the final rule as the institution's budget for the current year was established prior to the issuance of the proposed regulation. This may be especially true for small institutions that face already tight budgetary constraints due to heightened competition. For the reasons stated in the preamble, the FDIC has retained the effective date of November 13, 2000, but, in order to provide sufficient time for institutions to establish policies and systems to comply with the requirements of this part, the FDIC has extended the time for compliance with this part until July 1, 2001. This additional time will allow financial institutions to properly budget for any necessary expenses and staff resources required to comply with this rule and to make all necessary operational changes.

4. New notices not required for each new financial product or service

Some commenters expressed concern that the proposed rule may require a new initial notice each time a consumer obtains a new financial product or service. This would be especially burdensome for institutions that adopt a universal privacy policy that covers multiple products and services. To address these concerns and minimize economic burden, the final rule was clarified to instruct institutions that a new initial notice is not required if the institution has given the customer the institution's initial notice, and that the institution's initial notice remains accurate with respect to the new product or service.

5. Short form Initial Notice for Consumers

In the proposed rule, financial institutions were required to provide consumers a copy of their complete initial notice when there is no customer relationship. In response to comments that suggested that the objectives of the initial notice requirements of the statute could be accomplished in a less burdensome way, the FDIC has exercised its exemptive authority as provided in section 504(b) to create an exception to the general rule that otherwise requires a financial institution to provide both the initial and opt out notices to a consumer before disclosing nonpublic personal information about that consumer to nonaffiliated third parties. A financial institution may provide a "short-form" initial notice along with the opt out notice to a consumer with whom the institution does not have a customer relationship. This short-form notice must state that the disclosure containing information about the institution's privacy policies and practices is available upon request and provide one or more reasonable means by which the consumer may obtain a copy of the notice. This provision in the final rule will lessen the burden on financial institutions, including small entities.

6. Notice to Joint Account Holders.

As noted earlier in the preamble, the final rule allows financial institutions to provide one notice to joint account holders, with the understanding that a decision to opt out made by one of the account holders will, absent a provision in the opt out notice to the contrary, prevent the institution from disclosing any nonpublic personal information about any of the account holders. This is particularly advantageous for institutions, including small entities, that do not intend to share nonpublic personal information with nonaffiliated third parties (except as permitted under the exceptions).

OTS: The Regulatory Flexibility Act (5 U.S.C. 601-612) requires OTS to prepare a final regulatory flexibility analysis with a final rule, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. OTS does not believe this rule will have a significant economic impact on a significant number of thrifts or thrift subsidiaries because the burden imposed on small thrifts stems in large part from the GLB Act rather than from the final rule. The rule restates and clarifies the statutory requirements. These clarifications should reduce the burden of complying with the GLB Act provisions. OTS has revised the proposed rule to reduce the regulatory burden on financial institutions of all sizes, as discussed below. In addition, OTS intends to publish a compliance guide to assist institutions in complying with this rule. However, because the GLB Act creates requirements that are new to both the OTS and to the thrift industry, and because OTS is uncertain what the economic impact will be of compliance with the new requirements, OTS has prepared the following final regulatory flexibility analysis.

Need for and Objectives of the Rule; Compliance Requirements; Institutions Covered

The final rule is needed to implement the provisions of Title V, Subtitle A of the GLB Act addressing consumer privacy. The objectives of the rule are to protect nonpublic personal information that financial institutions collect by:

(1) Requiring each financial institution to provide notice to customers about its privacy policies and practices;

(2) Describing the conditions under which a financial institution may disclose nonpublic personal information to nonaffiliated third parties;

(3) Providing a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by opting out of that disclosure, subject to certain exceptions.

The compliance requirements of the rule are detailed earlier in this preamble.

Financial institutions will need professional skills to comply with this rule. To prepare the required privacy disclosures and opt out disclosures, institutions may need legal or other professional advice and drafting. This is true for the initial disclosures and notices, as well as for any subsequent changes to those documents. For institutions that publish privacy notices electronically or accept electronic opt outs, computer expertise will be necessary to convert the documents to the appropriate electronic form. Financial institutions that contract with nonaffiliates to perform services for the institution may require legal advice and drafting to ensure that such contracts contain the required restrictions on the nonaffiliates' use of information they receive. Financial institutions that make disclosures from which consumers may opt out may require professional skills to process opt out directions. Some institutions may use clerical or computer programmer skills to perform these tasks. Some degree of personnel training will be necessary, such as to train staff on the procedures for entering opt out data into a computer database.

This rule will apply to approximately 486 small thrifts, approximately 97 of which have subsidiaries.

Effects of the Final rule.

Commenters provided a wide range of estimates of the costs of compliance, demonstrating the difficulty of measuring the costs of implementing the GLB Act privacy provisions.

Complying with consumers' opt out directions will account for a significant portion of the implementation costs. Measuring the costs of complying with opt outs is especially difficult because of two uncertainties. First, OTS does not know how many financial institutions now make the type of information disclosures that will give rise to consumer opt out rights. Some institutions that currently make such disclosures may cease doing so. OTS cannot predict how many institutions will make such disclosures in the future. A second uncertainty is the number of consumers who will opt out of information disclosures. Because such opt out rights are new, OTS has no basis upon which to predict future consumer elections. Thus, OTS does not know how many institutions will need to comply with opt out directions, and does not know how many opt out directions those institutions will receive. For these reasons, OTS cannot provide a practicable or reliable quantification of the effects of the rule or of any of the significant alternatives OTS considered.

OTS expects that compliance costs will vary significantly between thrifts depending on their information sharing practices. OTS expects that the costs of implementing the opt out provisions will be insubstantial for thrifts that do not disclose nonpublic personal information to nonaffiliated third parties. These institutions need only provide relatively simple initial and annual privacy notices to their customers.

OTS, consistent with the other Agencies, has revised some requirements in this rule so that they are less burdensome. The discussion below reviews the significant changes to reduce regulatory burden.

Summary of Significant Issues Raised in Public Comments; Significant Alternatives

Although few commenters addressed the initial regulatory flexibility analysis, many commenters addressed the regulatory burdens. These commenters included both large and small institutions. In response, OTS considered different alternatives, and made certain changes to the rule to reduce undue regulatory burden, consistent with the purposes of GLB. These efforts to reduce regulatory burden will affect both large and small institutions. The significant alternatives that commenters discussed and that OTS considered are as follows.

Effective date. One of the most significant comments on burden discussed the rule's effective date. Many industry commenters urged OTS to extend the rule's proposed November 13, 2000 effective date. As discussed above, many of these commenters argued that complying with the rule by November 13, 2000 would place an extraordinary burden on their businesses, particularly because the required privacy and opt out notices would necessitate changes to computer software and would require employee training. After considering these concerns, OTS has delayed mandatory compliance with the regulation until July 1, 2001. However, OTS encourages thrifts to comply with the rule before that date.

Content of privacy notices. Many commenters were concerned that the rule would require an inappropriate level of detail in privacy notices, making those notices too lengthy. Some commenters noted that detailed privacy notices would require burdensome and costly frequent revisions. Many commenters suggested that OTS issue model privacy disclosures. OTS responded to such comments by clarifying the requirements for the content of privacy notices, as discussed more fully in the preceding section-by-section analysis. These clarifications should ease the compliance burden of this rule.

Further, OTS has included an appendix to the rule, containing a variety of sample clauses for privacy notices. OTS also has included in this Federal Register notice a Compliance Guide. Both the Appendix and the Compliance Guide are designed to assist financial institutions, especially small institutions, in complying with this new rule.

Exemption for Small Institutions. Some commenters suggested that small institutions be exempt from many requirements of this rule. However, OTS does not believe the GLB Act allows alternative privacy rules based on a financial institution's size. As Congress stated in § 501(a) of the Act, "It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." (Emphasis added.) OTS believes a person's privacy is equally deserving no matter the size of the financial institutions with which the person interacts. OTS did not, therefore, exempt small institutions from this rule.

Number of notices. Many commenters believe that the proposed rule would have required an undue number of privacy notices. In response, as discussed above, OTS considered alternative methods to reduce the burden of providing redundant or unhelpful privacy notices. First, the final rule makes clear that financial institutions do not need to provide a repetitive privacy notice each time an existing customer obtains a new financial product or service, as long as that customer already received a notice covering the new product or service.

Second, the final rule clarifies the notice requirements in connection with joint accounts. It makes clear that financial institutions do not necessarily have to provide privacy and opt out notices to each joint account holder.

Third, the final rule does not require a financial institution to provide a full initial notice to consumers who do not establish a customer relationship with the institution, if the institution will not share that consumer's nonpublic personal information with nonaffiliated third parties. In these situations, the institution may instead provide a short-form initial notice, and give the consumer a reasonable means to obtain the full initial notice if the consumer wishes to do so. A full initial notice would not be helpful in these cases to consumers who have no continuing relationship with the institution. The institution is still restricted from disclosing that consumer's nonpublic personal information to nonaffiliated parties without first providing opt out rights, as GLB requires.

Fourth, the final rule requires fewer notices than the proposed rule would have required, concerning loans that involve multiple financial institutions. The proposed rule would have required privacy notices to consumers from each financial institution that owns any part of, or that services, a single consumer loan. Commenters suggested that multiple privacy notices in these cases would be unnecessarily burdensome. In response to these comments, OTS has included a special rule for loans, discussed more fully earlier in this preamble, that would reduce the number of privacy notices required in these cases.

These changes are designed to reduce the number of redundant and unhelpful notices required, and thereby reduce the regulatory burden of this rule, without eroding consumer protections.

Annual notices. Many commenters requested that OTS reduce regulatory burden by requiring less frequent or shorter annual notices. The GLB Act plainly requires annual privacy notices to customers, so OTS lacks authority to eliminate the requirement altogether. However, as discussed earlier, the final rule does allow institutions under certain circumstances to provide annual notices on their web sites. This change should reduce costs of providing required annual notices, consistent with GLB Act mandates.

Outside service providers. Some commenters expressed concern that the proposed rule would have required burdensome contractual terms in connection with outside service providers. Disclosures a financial institution makes to its service providers are exempt from opt out requirements under § 573.13, but require the disclosing financial institution to restrict, by contract, the service provider's ability to use the information. Other disclosures are exempt from the rule's notice and opt out requirements under §§ 573.14 and 573.15, but, unlike § 573.13, §§ 573.14 and 573.15 do not require contractual restrictions on recipients' use of information. Commenters noted that some disclosures simultaneously qualify for exemption under § 573.13 and under §§ 573.14 or 573.15. These commenters requested that the final rule clarify whether, in such cases, the specific contractual requirements in § 573.13 apply. The final rule clarifies that they do not, as discussed more fully in the preceding section-by-section analysis.

This clarification may be especially important to smaller institutions because they may be more likely than large institutions to use outside parties to service transactions. Further, small institutions may be less likely to have in-house counsel available to advise them on, and to draft, the contractual terms that §  573.13 would have required without this clarification. Without this change, small institutions may have needed to seek expensive outside legal advice to comply with the rule. This clarification will allow small institutions to outsource transaction processing without having to use unnecessarily burdensome and costly contractual language.

Nonpublic Personal Information. Nonpublic personal information gets certain protections under this rule, but it is defined to exclude publicly available information. The proposed rule included two alternative definitions. Under proposed Alternative A, information would be considered publicly available if a financial institution were to actually obtain the information from a public source. Under proposed Alternative B, information would be considered publicly available if a financial institution could obtain it from a public source. Many commenters urged OTS to adopt Alternative B. They pointed out that Alternative A would require institutions to develop and maintain an information tracking system to determine whether particular information is publicly available. In response to these concerns, the final rule includes a definition of nonpublic personal information, discussed more fully above, that does not require financial institutions to create tracking systems for publicly available information.

Plain language. Some commenters, including small institutions, complained that the proposed rule was complex. Institutions expressed concerns that they could be exposed to legal liability because they could not understand what the rule requires. OTS responded to these comments by revising the proposed rule to be more understandable. The final rule is reorganized, is broken down into more sections, and has similar sections grouped together in subparts. This makes provisions of the rule easier to find. Additionally, OTS reworded its final rule to use more direct and clear language.

The OTS, along with the other Agencies, intends to publish a small entity compliance guide, separate from and in addition to the guidance for certain financial institutions included as part of this Federal Register notice, that will clarify the operation of and compliance with the rule.

C. Executive Order 12866

OCC and OTS: The Comptroller of the Currency and Director of the Office of Thrift Supervision each has determined that this rule does not constitute a "significant regulatory action" for the purposes of Executive Order 12866. The rule follows closely the requirements of title V, subtitle A of the GLB Act. Since the GLB Act establishes the minimum requirements for this activity, the OCC and OTS have little discretion to propose regulatory options that might significantly reduce costs or other burdens. However, even absent the requirements of the GLB Act, if the OCC and OTS issued the rule under its own authority, the rule would not constitute a "significant regulatory action" for the purposes of Executive Order 12866.

For a financial institution that does not intend to disclose nonpublic personal information about its consumers or customers to nonaffiliated third parties, the burden created by the statute and implementing regulation is that of preparing and distributing an initial and annual notice of the institution's privacy policies and practices. The institution need not provide an opt out notice or establish a system for consumers to opt out. For institutions that do intend to make such disclosures, they will do so only after determining that the benefits of making the disclosures of nonpublic personal information outweigh the costs. Accordingly, the regulation's provisions governing opt outs impose no net burden on those institutions disclosing nonpublic personal information. The final rule makes a large number of significant changes to the requirements governing initial and annual notices that reduce burden while preserving the consumer protections created by the statute.

D. Unfunded Mandates Act of 1995

Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1532 (Unfunded Mandates Act), requires that an agency prepare a budgetary impact statement before promulgating any rule likely to result in a Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires the agency to identify and consider a reasonable number of regulatory alternatives before promulgating the rule. However, an agency is not required to assess the effects of its regulatory actions on the private sector to the extent that such regulations incorporate requirements specifically set forth in law. 2 U.S.C. 1531. Most of the rule's provisions are already mandated by the applicable provisions in Title V of the GLB Act, which would become effective and binding on the private sector even without a regulatory promulgation. Therefore, the OCC and OTS have determined that this regulation will not result in expenditures by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. Accordingly, the OCC and OTS have not prepared a budgetary impact statement or specifically addressed the regulatory alternatives considered.

List of Subjects

12 CFR Part 40

Banks, banking, Consumer protection, National banks, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 216

Banks, banking, Consumer protection, Federal Reserve System, Foreign banking, Holding companies, Information, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 332

Banks, banking, Consumer protection, Foreign banking, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 573

Consumer protection, Privacy, Savings associations.


Last Updated 05/30/2000 supervision@fdic.gov
