Browse: Departments Dates Agencies
COMMODITY FUTURES TRADING COMMISSION
Western Area Power Administration
CFR Citation: 17 CFR Part 160
RIN ID: RIN 3038-AB68
NOTICE: Part IV
DOCUMENT ACTION: Final rule.
SUBJECT CATEGORY: Privacy of Consumer Financial Information
DATES:
Effective Date: These rules are effective June 21, 2001.
Compliance Date: Compliance will be mandatory as of March 31, 2002. Joint marketing and service agreements in effect as of March 31, 2002 must be brought into compliance with section 160.13 by March 31, 2003.
DOCUMENT SUMMARY: The Commodity Futures Trading Commission is adopting part 160, privacy rules promulgated under section 5g of the Commodity Exchange Act, which directs the Commission to prescribe regulations under Title V of the GrammLeachBliley Act. Title V requires certain federal agencies to adopt rules implementing notice requirements and restrictions on the ability of financial institutions to disclose nonpublic personal information about consumers to nonaffiliated third parties. Under section 503 of the GrammLeachBliley Act, a financial institution must provide its customers with a notice of its privacy policies and practices, and must not disclose nonpublic personal information about a consumer to nonaffiliated third parties unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure. Section 505 of the GrammLeachBliley Act further requires certain federal agencies to establish for financial institutions appropriate standards to protect customer information. The part 160 rules implement these requirements of the GrammLeachBliley Act with respect to futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers that are subject to the jurisdiction of the Commission under the Commodity Exchange Act as amended.
SUMMARY: Commodity Futures Trading Commission,
SUPPLEMENTAL INFORMATION
The Commodity Futures Trading Commission today is adopting new part 160, 17 CFR 160, under Subtitle A of Title V of the GrammLeachBliley Act (Pub. L. No. 106102, 113 Stat. 1338 (1999), to be codified at 15 U.S.C. 68016809) and section 5g of the Commodity Exchange Act, 7 U.S.C. 7b2, as amended by the Commodity Futures Modernization Act of 2000 (Pub. L. No. 106554, 114 Stat. 2763).Table of Contents
I. Background
II. Overview of Comments Received
III. SectionbySection Analysis
IV. CostBenefit Analysis
V. Related Matters
A. Paperwork Reduction Act
B. Regulatory Flexibility Act
Text of Final Rules
AppendixSample Clauses
I. Background
Subtitle A of Title V of the GrammLeachBliley Act (GLB Act),\1\
captioned ``Disclosure of Nonpublic Personal Information'' (Title V),
limits the instances in which a financial institution may disclose
nonpublic personal information about a consumer to nonaffiliated third
parties, and requires a financial institution to disclose to all of its
customers the institution's privacy policies and practices with respect
to information sharing with both affiliates and nonaffiliated third
parties.\2\ The Commodity Futures Trading Commission (Commission) and
entities subject to its jurisdiction originally were excluded from
Title V's coverage.\3\ The agencies that were covered by Title Vthe
Office of the Comptroller of the Currency (OCC), Board of Governors of
the Federal Reserve System (Federal Reserve Board), Federal Deposit
Insurance Corporation, Office of Thrift Supervision (collectively, the
Banking Agencies), Secretary of the Treasury, Securities and Exchange
Commission (SEC), National Credit Union Administration, and Federal
Trade Commission (FTC) (collectively with the Banking Agencies, the
Agencies)have each adopted implementing regulations under Title V.\4\
\1\ Pub. L. No. 106102, 113 Stat. 1338 (1999) (to be codified in scattered sections of 12 U.S.C. and 15 U.S.C.)
\2\ GLB Act Secs. 501510 (to be codified at 15 U.S.C. 6801
6809). As discussed in more detail below, the GLB Act distinguishes
``consumers'' from ``customers'' for purposes of its notice
requirements. Generally speaking, a customer is a consumer with whom
a financial institution has established a ``customer relationship.'' See id. Secs. 502(a), 503(a) and 509(9) and (11).
\3\ See id. Sec. 509(3)(B).
\4\ See 65 FR 40334 (June 29, 2000) (SEC); 65 FR 35162 (June 1,
2000) (Secretary of the Treasury and the Banking Agencies); 65 FR
33646 (May 24, 2000) (FTC); 65 FR 31722 (May 18, 2000) (National
Credit Union Administration). See also 66 FR 8616 (Feb. 1, 2001)
(Secretary of the Treasury and the Banking Agencies); 66 FR 8152
(Jan. 30, 2001) (National Credit Union Administration); 65 FR 54186
(Sept. 7, 2000) (FTCadvance notice of proposed rulemaking)
(Guidelines for Establishing Standards for Safeguarding Customer Information).
The Commodity Futures Modernization Act of 2000 (CFMA) amended the Commodity Exchange Act (CEA or Act) to provide that certain entities subject to the Commission's jurisdiction'specifically, futures commission merchants (FCMs), commodity trading advisors (CTAs), commodity pool operators (CPOs) and introducing brokers (IBs)shall be treated as financial institutions for purposes of Title V. At the same time, Congress also amended the CEA to make the Commission a federal functional regulator within the meaning of Title V and to require the Commission to prescribe regulations under Title V within six months.
The Commission has consulted with representatives from the Agencies throughout this rulemaking process, including during the comment period. The rules that we are adopting today are, to the extent possible, consistent with and comparable to the rules adopted by the Agencies. The rules include examples that illustrate the application of the general rules and an appendix of sample clauses that may, to the extent applicable, be used by FCMs, CTAs, CPOs and IBs to comply with the notice and optout requirements. These examples and sample clauses differ from those used by the Agencies in order to provide more meaningful guidance to the financial institutions subject to the Commission's jurisdiction. Furthermore, in order to minimize compliance burdens, the rules permit those firms that are registered with both the Commission and the SEC to comply with part 160 by complying with the privacy rules of the SEC, which are found at 17 CFR part 248. Similarly, the Commission has determined to permit CTAs that are also registered or required to be registered as an investment advisor with a state securities regulator to comply with part 160 by complying with the privacy rules of the FTC, 16 CFR part 313.
[[Page 21237]]
Title V also requires the Agencies to establish appropriate standards for financial institutions subject to their jurisdiction to safeguard customer records and information. The rules that we are adopting today require FCMs, CTAs, CPOs and IBs to adopt appropriate policies and procedures that address safeguards to protect this information.
II. Overview of Comments Received
On March 19, 2001, the Commission issued a notice of proposed rulemaking (the proposal'' or ``proposed rules'').\5\ The Commission received a total of four comments in response to the proposal. \5\ Privacy of Customer Information, 66 FR 15550 (Mar. 19, 2001).
Managed Futures Association (MFA), a trade association, commented on the following aspects of the proposal: The proposed compliance date; exemptions for unregistered entities; and substituted compliance for dual registrants and affiliated financial institutions. MFA expressed support for the Commission's statement regarding its jurisdiction under the privacy rules over entities that are either registered or exempt from registration, and its belief that the rules are consistent with Congressional intent as expressed in the CFMA and with the privacy rules adopted by the other federal functional regulators.
The Futures Industry Association (FIA) wrote generally in support of the proposed rules, endorsing the Commission's proposal to permit those Commission registrants who are also registered with the SEC to comply instead with the SEC's parallel rules. In this regard, FIA suggested that the Commission's final rules clarify the scope of its substituted compliance provision and expressed support for an expansion of the substituted compliance provision. FIA also recommended that the Commission's proposal to exclude from compliance nonU.S. entities that are exempt from registration pursuant to an order issued under Commission rule 30.10. Finally, FIA requested that the Commission expand the subsequent delivery exceptions to the initial notice requirement in proposed rule 160.4(e) to permit an FCM that accepts customer accounts in a bulk transfer pursuant to Commission rule 1.65 to provide its initial privacy notice subsequent to the establishment of a relationship with such customers.
Southwest Futures, Inc., an IB, objected to the ability of an FCM to share with others confidential information regarding an IB's customers. A member of the public expressed general support for rules to facilitate the privacy of citizens' nonpublic information but suggests that the definition of ``consumer'' be expanded.
These comments, and the Commission's responses, are discussed in greater detail below.
III. SectionbySection Analysis
Section 160.1 Purpose and Scope
Paragraph (a) of section 160.1 identifies three purposes of the rules. First, the rules require a financial institution to provide notice to customers about the institution's privacy policies and practices. Second, the rules describe the conditions under which a financial institution may disclose nonpublic personal information about a consumer to a nonaffiliated third party. Third, the rules provide a method for a consumer to ``opt out'' of the disclosure of that information to nonaffiliated third parties, subject to certain exceptions discussed below.
Paragraph (b) sets out the scope of the Commission's rules and identifies the financial institutions covered by the rules. The Commission proposed including all FCMs, CTAs, CPOs and IBs within the scope of part 160, whether or not such entities were required to register with the Commission. The Commission, however, specifically solicited comment on whether it should seek to exempt some or all categories of unregistered CTAs and CPOs from part 160's coverage. MFA commented that the Commission should exempt, or alternatively create a safe harbor permitting more limited compliance for, unregistered CTAs and CPOs that do not provide nonpublic information to nonaffiliated third parties outside those permitted under the service provider exception. MFA asserted that Congress did not intend to subject all financial institutions subject to the Commission's jurisdiction to the privacy rules, that the Commission had proposed exempting foreign unregistered FCMs from part 160's scope, and that an exemption for unregistered CTAs and CPOs would be consistent with Congress's intent to the extent that such unregistered entities are not sharing nonpublic consumer information with nonaffiliated third parties.
The Commission has carefully considered MFA's comment and has
decided not to amend the proposed rules to exempt or create a safe
harbor for unregistered CTAs and CPOs. From the face of the statute, it
appears that Congress intended to treat all CTAs and CPOs as financial
institutions, irrespective of their registration status.\6\ The
Commission also believes that it would be inconsistent with Title V of
the GLB Act to exempt unregistered CTAs and CPOs from part 160 because
that title is a consumer protection law that appears designed to afford
privacy protection to all consumers.\7\ For these reasons, the
Commission believes that all CTAs and CPOs should be required to comply
with the requirements of part 160 and notes the limited nature of those
requirements for CTAs and CPOs that do not share nonpublic personal information with nonaffiliated third parties.
\6\ Section 5g of the Act states in relevant part that ``any
futures commission merchant, commodity trading advisor, commodity
pool operator, or introducing broker that is subject to the
jurisdiction of the Commission with respect to any financial
activity shall be treated as a financial institution for purposes of
Title V [of the GLB Act] with respect to such financial activity.''
(emphasis added) The SEC also has applied its privacy regulations to
unregistered brokers, dealers and funds. 65 FR at 40335 n.12. In
accordance with section 505(a)(5) of the GLB Act, however, the SEC's
privacy rules do not apply to investment advisers that are not registered with the SEC. Id.
\7\ MFA correctly notes that the Commission is exempting foreign
unregistered FCMs from the scope of part 160. See infra. This
approach maintains consistency with the approach taken by the other
federal functional regulators with regard to offshore financial
institutions. To the Commission's knowledge, the other federal
functional regulators have not exempted any domestic entities from the scope of their privacy rules.
Paragraph (b) also provides that part 160 does not apply to any
foreign (or nonresident) FCM, CTA, CPO or IB that is not registered or
required to be registered with the Commission. The Commission believes
that it would be impracticable to apply part 160 to those foreign
unregistered entities and, further, that subjecting these unregistered
foreign entities to the obligations to provide the privacy and opt out
notices under part 160 would not add to the protections provided to
customers under the GLB Act. If a foreign financial institution
conducts activities through U.S. interstate commerce in a manner that
subjects it to the registration requirements of the Act, and such
foreign financial institution has not been exempted from registration
requirements by the Commission, it is subject to the part 160
requirements and any other applicable protections to customers, such as
antifraud protections. The Commission expressly sought comment on the
application of this approach to firms that have been exempted from
registration requirements pursuant to a rule 30.10 order. FIA observed
that it would be difficult, if not impossible, for the Commission to assure compliance
[[Page 21238]]
by such entities with its privacy rules and, moreover, that these
entities may be subject to privacy laws in their home countries that
are different from, and may be stricter than, the Commission's rules.
While the Commission supports consistent protections for consumers
regardless of the entity from whom a financial product or service is
obtained, at this stage the Commission does not believe that it is
appropriate to attempt to apply the rule to offshore offices of
financial institutions. Accordingly, the Commission has adopted the
rule as proposed, but will continue to consider this question.
We note that other federal, State, or applicable foreign laws may
impose limitations on disclosures of nonpublic personal information in
addition to those imposed by the GLB Act and the privacy rules the
Commission is adopting today. Thus, financial institutions will need to
monitor and comply with relevant legislative and regulatory
developments that affect the disclosure of consumer information.
Paragraph (b) also makes clear that nothing in the rules is intended to
supercede rules relating to medical information that have been issued
by the Secretary of Health and Human Services under the Health
Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d 1320d8.\8\
\8\ See 65 FR 82462 (Dec. 28, 2000).
Section 160.2 Rule of Construction
Paragraph (a) of section 160.2 sets out a rule of construction
intended to clarify the effect of the examples used in the rules and
the sample clauses in the appendix to the rules. Given the wide variety
of transactions that Title V covers, new part 160 includes rules of
general applicability and provides examples that are intended to assist
financial institutions in complying with the rule. The examples are not
intended to be exhaustive; rather, they are intended to provide
guidance on how the rules would apply in specific situations. The rule
also states that compliance with the examples will constitute
compliance with the rule.\9\ The Commission believes that, when read
together, these provisions give financial institutions sufficient
flexibility to comply with the regulation and sufficient guidance about
the use of the examples. FIA endorses this approach and has asked that
the Commission consider publishing additional guidance similar to that
published by the federal banking regulators when they promulgated their privacy rules.
\9\ Compare 65 FR at 35227 (OCC rules) with 65 FR at 40363 (SEC rules).
Paragraph (b) of section 160.2 authorizes ``substituted
compliance'' in certain situations. Specifically, paragraph (b)(1)
provides that an FCM, CTA, CPO or IB that is also registered with the
SEC in an equivalent capacity may comply with part 160 by complying
with Regulation SP, the privacy rules of the SEC, which are found at
17 CFR part 248. Similarly, under this provision, securities broker
dealers registered with the SEC that are also registered with the
Commission as an FCM or IB pursuant to a notice registration for the
purpose of trading security futures products \10\ will also be deemed
to be in compliance with part 160 if they are subject to and in
compliance with Regulation SP. Paragraph (b)(2) of section 160.2
provides that a CTA that is a stateregistered investment adviser may
comply with part 160 by complying with the privacy rules of the FTC, which are found at 16 CFR part 313.\11\
\10\ See CFMA Sec. 252.
\11\ This provision responds to a comment of NFA seeking broader
substituted compliance for investment advisers that are state
registered and therefore subject to the FTC's privacy rules rather
than the SEC's privacy rules. Financial institutions that choose to
substitute compliance with the FTC's rules should nonetheless refer to the examples provided throughout part 160.
Section 160.2's authorization of substituted compliance is in no way designed to affect or limit the Commission's authority to enforce its privacy rules against FCMs, CTAs, CPOs and IBs engaged in activities subject to its jurisdiction. Rather, this provision simply authorizes the identified financial institutions to comply with part 160 by complying with certain other substantially similar regulations, and to establish that they have complied with part 160 by establishing that they have complied with those other regulations. In this regard, because the Commission has provided part 160 examples that are tailored to entities under its jurisdiction, the Commission encourages those entities that elect to comply with the substituted compliance provisions in paragraph (b) to look to the Commission's examples for guidance in complying with the privacy rules of the SEC and FTC, respectively.
In its proposal, the Commission requested comment on whether it
should provide for a broader form of substituted compliance by
permitting an FCM that is affiliated with a financial holding company,
a bank holding company, a national bank or a brokerdealer to comply
with part 160 by complying with the privacy rules of the functional
regulator for the affiliated entity. Both MFA and the FIA endorsed
substituted compliance for affiliated financial institutions. While the
Commission believes that permitting broader substituted compliance is a
desirable goal, we have decided not to adopt this approach at this
time. Rather, we believe it would be preferable to address this issue
after we have gained some administrative experience under these rules
and have further consulted with the other federal functional regulators.
Section 160.3 Definitions
(a) Affiliate. The rules incorporate the definition of
``affiliate'' used in section 509(6) of the GLB Act. Thus, an FCM, CTA,
CPO or IB is considered affiliated with another company if it
``controls,'' is controlled by, or is under common control with the
other company.\12\ The definition includes both financial institutions
and entities that are not financial institutions. The rules also
provide that an FCM, CTA, CPO or IB will be considered an affiliate of
another company for purposes of the privacy rules if (i) the other
company is regulated under Title V by one of the Agencies and (ii) the
privacy rules adopted by that Agency treat the FCM, CTA, CPO or IB as an affiliate of the other company.\13\
\12\ We have defined ``control'' for purposes of an FCM, CPO,
CTA or IB to mean the power to exercise a controlling influence over
the management or policies of a company whether through ownership of
securities, by contract, or otherwise. In addition, ownership of
more than 25 percent of a company's voting securities creates a
presumption of control of the company. See infra discussion of
section 160.3(j). Compare 65 FR at 35207 (Federal Reserve Board).
\13\ Section 160.3(a)(1)(2). This part of the definition is
designed to prevent the disparate treatment of affiliates within a
holding company structure. For example, without this provision an
FCM in a bank holding company structure might not be considered
affiliated with another entity in that organization under the
Commission's rules, even though the two entities would be considered
affiliated under the privacy rules of the Banking Agencies.
(b) Clear and conspicuous. Title V and the final rules require that
various notices be ``clear and conspicuous.'' The Commission has
defined that term as it has been defined in the respective rules of the
Agencies, with conforming changes.\14\ Section 160.3(b) defines the
term to mean that the notice must be ``reasonably understandable and
designed to call attention to the nature and significance of the
information in the notice.'' This phrase is intended to provide meaning
to the term ``conspicuous.'' The Commission believes that this standard will result in
[[Page 21239]]
notices to consumers that communicate effectively the information
consumers need in order to make an informed choice about the privacy of
their information, including whether to open a commodity interest account or enter into an advisory agreement.
\14\ See, e.g., 12 CFR 40.3(b) (OCC rules) and 17 CFR 248.3(c) (SEC rules).
Examples of ``clear and conspicuous.'' The rules provide generally applicable guidance about ways in which an FCM, CTA, CPO or IB may make a disclosure clear and conspicuous. We note that the examples do not mandate how to make a disclosure clear and conspicuous. A financial institution must decide for itself how best to comply with the general rule, and may use techniques not listed in the examples.
Combination of several notices. The Commission is aware that a
document may combine different types of disclosures that are subject to
specific disclosure requirements under different regulations. For
example, a CTA that includes a privacy notice in its disclosure
document would have to make the privacy notice clear and conspicuous,
and would have to prepare the disclosure document according to certain
standards under the CEA and Commission regulations.\15\ The rule
provides an example of how a financial institution may make privacy
disclosures conspicuous, including privacy disclosures that are
combined in a document with other information.\16\ In order to avoid
the potential conflicts between two different rules requiring different
sets of disclosures that are subject to different standards, the rule
does not mandate precise specifications for presenting various disclosures.
\15\ See 7 U.S.C. 6m; 17 CFR part 4.
\16\ See section 160.3(b)(2)(ii)(E). Because we believe that
privacy disclosures may be clear and conspicuous when combined with
other disclosures, this section does not mandate that privacy disclosures be provided on a separate piece of paper. The
requirement is not necessary and might significantly increase the burden on financial institutions.
Disclosures on Internet web pages. The rule provides guidance on how financial institutions may clearly and conspicuously disclose privacyrelated information on their Internet sites. Disclosures over the Internet may present some issues that will not arise in paperbased disclosures. Consumers may view various web pages within a financial institution's web site in a different order each time they access the site, aided by hypertext links. Depending on the hardware and software used to access the Internet, some web pages may require consumers to scroll down to view the entire page. To address these issues, the rule provides an example concerning Internet disclosures stating that FCMs, CTAs, CPOs and IBs may comply with the rule if they use text or visual cues to encourage scrolling down the page if necessary to view the entire notice, and ensure that other elements on the web site (such as text, graphics, hypertext links, or sound) do not distract attention from the notice.\17\ The examples also note that the institution should place a notice or a conspicuous link on a screen that consumers frequently access, such as a page on which consumers conduct transactions.
\17\ Section 1603.(b)(2)(iii).
There is a range of approaches an FCM, CTA, CPO or IB could use
based on current technology. For example, an FCM could use a dialog box
that pops up to provide the disclosure before a consumer provides
information to a financial institution. Another approach would be a
simple, clearly labeled graphic located near the top of the page or in
close proximity to the financial institution's logo, directing the
customer, through a hypertext link or hotlink, to the privacy disclosures on a separate web page.
(c) Collect. The GLB Act requires a financial institution to
disclose in its initial and annual notices the categories of
information that the institution collects. The Commission has defined
this term to mean obtaining information that can be organized or
retrieved by the name of the individual or by another identifying
number, symbol, or other identifying particular assigned to the
individual,\18\ irrespective of the source of the underlying
information. The definition is intended to provide guidance about the
information that an FCM, CTA, CPO or IB must include in its notices and
to clarify that the obligations arise regardless of whether the
institution obtains the information from a consumer or from some other
source. This definition is not intended to include information that an
FCM, CTA, CPO or IB receives but then immediately passes on without
retaining a copy, as such information would not be organized and retrievable.
\18\ The definition uses language from the Privacy Act of 1974, 5 U.S.C. 552a.
(d) Commission. The term ``Commission'' means Commodity Futures Trading Commission.
(e) Commodity pool operator. The term ``commodity pool operator''
has the same meaning as in section 1a(5) of the Commodity Exchange Act,
as amended, and includes anyone registered as such under the Act.
(f) Commodity trading advisor. The term ``commodity trading''
advisor has the same meaning as in section 1a(6) of the Commodity
Exchange Act, as amended, and includes anyone registered as such under the Act.
(g) Company. The rules define ``company'' to mean any corporation,
limited liability company, business trust, general or limited partnership, association or similar organization.
(h) Consumer. The rules define ``consumer'' as an individual
(including his or her legal representative) who obtains a financial
product or service from an FCM, CTA, CPO or IB that is to be used
primarily for personal, family or household purposes. An individual
also will be deemed to be a consumer for purposes of a financial
institution if that institution purchases the individual's account from
some other institution. The GLB Act distinguishes ``consumers'' from
``customers'' for purposes of the notice requirements imposed by that
Act. As explained in the discussion of section 160.4, a financial
institution must give a ``consumer'' the notices required under Title V
only if the institution intends to disclose nonpublic personal
information about the consumer to a nonaffiliated third party for a
purpose that is not authorized by one of several exceptions set out in
sections 160.14 and 160.15. By contrast, a financial institution must
give all ``customers,'' not later than the time of establishing a
customer relationship and annually thereafter during the continuation
of the customer relationship, a notice of the institution's privacy policy.
A person is a ``consumer'' under the rules if he or she obtains a financial product or service from a financial institution that is to be used primarily for personal, family or household purposes. The definition of ``financial product or service'' in section 160.3(o) includes, among other things, a financial institution's evaluation of an individual's application to obtain a financial product or service. Thus, a financial institution that intends to share nonpublic personal information about a consumer with nonaffiliated third parties outside of the exceptions described in sections 160.14 and 160.15 will have to give the requisite notices, even if the application or request is denied or withdrawn.
The examples that follow the definition of ``consumer'' explain
when someone is a consumer. The examples clarify that a consumer
includes someone who provides nonpublic personal information in
connection with seeking to obtain commodity interest trading or
advisory services, but does not include someone who provides only his
or her name, address, and areas of investment interest in order to obtain a
[[Page 21240]]
brochure or other information about a financial product or service.\19\
An individual who has an account with an originating FCM and whose
positions are carried by a clearing FCM in an omnibus account in the
name of the originating FCM is not a consumer for purposes of the
clearing FCM if the clearing FCM receives no nonpublic personal information about the consumer.
\19\ Individuals may provide this information, for example, on
``tearout'' cards from magazines, or in telephone or Internet requests for brochures or other information.
Requirements arising from consumer relationship. While the rules
define ``consumer'' broadly, we note that this definition will not
result in any additional burden to an FCM, CTA, CPO or IB if (i) no
customer relationship is established and (ii) the institution does not
intend to disclose nonpublic personal information about the consumer to
nonaffiliated third parties. Under this approach, an FCM, CTA, CPO or
IB is under no obligation to provide a consumer who is not a customer
with any privacy disclosures unless it intends to disclose the
consumer's nonpublic personal information to nonaffiliated third
parties outside the exceptions in sections 160.14 and 160.15. The
institution may disclose a consumer's nonpublic personal information to
nonaffiliated third parties if it delivers the requisite notices and
the consumer does not opt out. Thus, the rule allows a financial
institution to avoid all of the rule's requirements for consumers who
are not customers if the institution chooses not to share information
about the consumers with nonaffiliated third parties except as provided
in the exceptions. Conversely, if an FCM, CTA, CPO or IB chooses to
share consumers' nonpublic personal information with nonaffiliated
third parties, the financial institution is free to do so, provided it
notifies consumers about the sharing and affords them a reasonable
opportunity to opt out. In this way, the rule attempts to strike a
balance between protecting an individual's nonpublic personal
information and minimizing the burden on a financial institution.
(i) Consumer reporting agency. The rules incorporate the definition
of ``consumer reporting agency'' in section 603(f) of the Fair Credit
Reporting Act (FCRA).\20\ The term is used in sections 160.12 and 160.15.
\20\ 15 U.S.C. 1681a(f).
(j) Control. The rules define ``control'' for purposes of FCMs,
CTAs, CPOs or IBs to mean the power to exercise a controlling influence
over the management or policies of a company whether through ownership
of securities, by contract, or otherwise. In addition, ownership of
more than 25 percent of a company's voting securities creates a
presumption of control of the company. This definition is used to
determine when companies are affiliated, and results in financial
institutions being considered as affiliates regardless of whether the control is exercised by a company or individual.
(k) Customer. The rules define ``customer'' as any consumer who has
a ``customer relationship'' with a particular financial institution.
Thus, a consumer becomes a customer of a financial institution when he
or she enters into a continuing relationship with the institution. For
example, a consumer would become a customer when he or she completes
the documents needed to open a commodity interest account or enters into an advisory agreement (whether in writing or orally).
The distinction between consumers and customers determines the
notices that a financial institution must provide. If a consumer never
becomes a customer, the institution is not required to provide any
notices to the consumer unless the institution intends to disclose
nonpublic personal information about that consumer to nonaffiliated
third parties (outside of the exceptions as set out in sections 160.14
and 160.15). By contrast, if a consumer becomes a customer, the
institution must provide a copy of its privacy policy no later than at
the time it establishes the customer relationship and at least annually during the continuation of the customer relationship.
(l) Customer relationship. The rules define ``customer
relationship'' as a continuing relationship between a consumer and a
financial institution in which the institution provides a financial
product or service that is to be used by the consumer primarily for
personal, family, or household purposes. Because the GLB Act requires
annual notices of the financial institution's privacy policies to its
customers, we have interpreted that Act as requiring more than isolated
transactions between a financial institution and a consumer to
establish a customer relationship, unless it is reasonable to expect
further contact about that transaction between the institution and
consumer afterwards. Thus, the rules define ``customer relationship''
as one that generally is of a continuing nature. As noted in the
examples that follow the definition, this would include a commodity
interest account or an advisory relationship. An FCM would have a
customer relationship with a consumer when the FCM regularly enters
orders for the customer, even if the FCM holds none of the customer's assets.
A onetime transaction may be sufficient to establish a customer
relationship, depending on the nature of the transaction. The examples
that follow the definition of ``customer relationship'' clarify that an
individual's purchase or sale of a futures or options contract through
an FCM with whom the customer opens an account would be sufficient to
establish a customer relationship because of the continuing nature of
the service. By contrast, an individual who is merely referred by an IB
to an FCM would not be the IB's customer if the IB does not enter orders for the individual.\21\
\21\ The individual would, however, be a consumer of the IB for
purposes of the privacy rules, which would require the IB to provide
notices if it intends to disclose nonpublic personal information
about the consumer to nonaffiliated third parties outside of the exceptions.
(m) Federal functional regulator. The rules define the term
``federal functional regulator'' to include the Commission and each of
the Agencies. This term is used in two places. First, it is used in
section 160.3(a), the definition of affiliate. Second, it is used in
section 160.15(a)(4) for disclosures to law enforcement agencies, ``including federal functional regulators.''
(n) Financial institution. The rules define ``financial
institution'' as (i) an FCM, CTA, CPO or IB that is registered with the
Commission as such or is otherwise subject to the Commission's
jurisdiction, and (ii) any institution the business of which is
engaging in activities that are financial in nature or incidental to
such financial activities as described in section 4(k) of the Bank
Holding Company Act of 1956 (BHCA).\22\ The rules exempt from the
definition of ``financial institution'' those entities specifically
excluded by the GLB Act, except to the extent those entities were
brought within the scope of Title V by section 5g of the CEA. \22\ 12 U.S.C. 1843(k).
The GLB Act excludes ``any person or entity'' that is subject to
the Commission's jurisdiction from Title V's coverage.\23\ Section 5g
of the CEA partially reverses that exclusion by providing that certain entities subject to
[[Page 21241]]
the Commission's jurisdictionspecifically, FCMs, CTAs, CPOs and IBs
shall be covered by Title V with respect to their financial
activity.\24\ The rule retains the exclusion of the GLB Act, to the
extent that it has not been superseded by section 5g of the CEA, to
make clear that floor brokers and various trading facilities and
clearing organizations that are subject to the Commission's
jurisdiction are not ``financial institutions'' for purposes of the GLB Act.
\23\ Section 509(3)(B) of the GLB Act provides:
Notwithstanding subparagraph (A), the term ``financial institution'' does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act.
\24\ Section 5g of the CEA provides:
Notwithstanding section 509(3)(B) of the GrammLeachBliley Act,
any futures commission merchant, commodity trading advisor,
commodity pool operator, or introducing broker that is subject to
the jurisdiction of the Commission under this Act with respect to
any financial activity shall be treated as a financial institution
for purposes of title V of such Act with respect to such financial activity.
(o) Financial product or service. The rules define ``financial
product or service'' as a product or service (i) that an FCM, CTA, CPO
or IB could offer that is subject to the Commission's jurisdiction, or
(ii) that a financial institution could offer that is financial in
nature, or incidental to such a financial activity, under section 4(k)
of the BHCA. An activity that is complementary to a financial activity,
as described in section 4(k), is not included in the definition of ``financial product or service'' under this paragraph.
The Commission's definition of ``financial product or service''
differs from that of the other Agencies to the extent that it includes
any product or service that an FCM, CTA, CPO or IB could offer that is
subject to the Commission's jurisdiction and that is not otherwise
included as a financial activity under section 4(k) of the BHCA. The
other Agencies have defined financial product or service as any product
or service that a financial institution could offer that is financial
in nature, or incidental to such a financial activity, under section
4(k) of the BHCA. The Commission's broader definition includes certain
activitysuch as acting as a CPOwhich is not financial in nature, or
incidental to such a financial activity, under section 4(k) of the
BHCA.\25\ The Commission's definition of ``financial product or
service'' is designed to implement Congress'' intent in section 5g of
the CEA that customers of FCMs, CTAs, CPOs and IBs be accorded the same
privacy rights as customers of other financial institutions and is solely for purposes of part 160.
\25\ See 12 CFR 225.86 (66 FR 400, 418 (Jan. 3, 2001)).
The definition includes the financial institution's evaluation of
information collected in connection with an application by a consumer
for a financial product or service even if the application ultimately
is rejected or withdrawn. It also includes the distribution of
information about a consumer for the purpose of assisting the consumer to obtain a financial product or service.
(p) Futures commission merchant. The term ``futures commission
merchant'' has the same meaning as in section 1a(20) of the Commodity
Exchange Act, as amended, and includes anyone registered as such under the Act.
(q) GLB Act. The term ``GLB Act'' means the GrammLeachBliley Act (Pub. L. No. 106102, 113 Stat. 1338 (1999)).
(r) Introducing broker. The term ``introducing broker'' has the
same meaning as in section 1a(23) of the Commodity Exchange Act, as
amended, and includes anyone registered as such under the Act.
(s) Nonaffiliated third party. The rule defines ``nonaffiliated
third party'' to mean any person (including natural persons as well as
corporate entities) except (i) an affiliate of a financial institution
and (ii) a joint employee of a financial institution and a third party.
Information received by a joint employee will be deemed to have been
given to the financial institution that is providing the financial
product or service in question. Thus, for example, if an employee of a
brokerdealer is also an employee of an FCM, information that the
employee received in connection with a securities transaction conducted
with the brokerdealer would be considered as received by the broker dealer.
(t) Nonpublic personal information. Section 509(4) of the GLB Act
defines ``nonpublic personal information'' to mean ``personally
identifiable financial information'' that (i) is provided by a consumer
to a financial institution, (ii) results from any transaction with the
consumer or any service performed for the consumer, or (iii) is
otherwise obtained by the financial institution. The term also includes
any ``list, description, or other grouping of consumers, and publicly
available information pertaining to them, that is derived using any
nonpublic personal information that is not publicly available
information.'' The GLB Act excludes publicly available information
(unless provided as part of the list, description, or other grouping
described above), as well as any list, description, or other grouping
of consumers (and publicly available information pertaining to them)
that is derived without using nonpublic personal information. The GLB
Act does not define either ``personally identifiable financial information'' or ``publicly available information.''
The rule implements the definition of ``nonpublic personal
information'' under the GLB Act by restating the categories of
information described above. The rule provides that information will be
deemed to be ``publicly available'' and therefore excluded from the
definition of ``nonpublic personal information'' if an FCM, CTA, CPO or
IB reasonably believes that the information is lawfully made available
to the general public from one of the three categories of sources
listed in the rule.\26\ The examples provided in the rule clarify when
an FCM, CTA, CPO or IB has a reasonable belief that information is
lawfully made available to the general public. For example, an
institution would have a reasonable belief if (i) the institution has
confirmed, or the consumer has represented, that the information is
publicly available from a public source, or (ii) the institution has
taken steps to submit the information, in accordance with its internal
procedures and policies and with applicable law, to a keeper of
federal, State, or local government records who is required by law to
make the information publicly available.\27\ The examples also state
that an FCM, CTA, CPO or IB would have a reasonable belief that a
telephone number is publicly available if the institution located the
number in a telephone book or Internet listing service or if the
consumer told the institution that the number is not unlisted.\28\
Moreover, the examples make clear that an institution may not assume
information about a particular consumer is publicly available simply
because that type of information is normally provided to a government
record keeper and made available to the public by the record keeper,
because the consumer may have the ability to keep that information nonpublic or to screen his or her identity.
\26\ See section 160.3(v)(1).
\27\ See section 160.3(v)(2)(i)(B).
\28\ See section 160.3(v)(2)(i)(C).
The approach of the rule is the same as that taken by the Agencies
in their rules\29\ and is based on the underlying principle that a
consumer in many circumstances can control the public availability or identification of his or
[[Page 21242]]
her information and that a financial institution therefore should not
assume that the information about that consumer is in fact publicly
available. Thus, even though a lender typically enters a mortgage in
public records in order to protect its security interest, when a
borrower can maintain the privacy of his or her personal information by
owning the property and obtaining the loan through a separate legal
entity, the customer's name would not appear in the public record. In
the case of a telephone number, a person may request that his or her
number be unlisted. Thus, in evaluating whether it is reasonable to
believe that information is publicly available, a financial institution
must determine whether the consumer has kept the information or his or her identity from being a matter of public record.
\29\ See, e.g., 65 FR at 35208 (Federal Reserve Board); 65 FR at
35218 (Federal Deposit Insurance Corporation); 65 FR at 4036465 (SEC).
To implement the complex definition of ``nonpublic personal
information'' that is provided in the statute, the rule adopts a
definition that consists, generally speaking, of (i) personally
identifiable financial information, plus (ii) a consumer list or
description or grouping of consumers (and publicly available
information pertaining to the consumers) that is derived using any
personally identifiable financial information that is not publicly
available information. From that body of information, the rule excludes
publicly available information (except as noted above or if the
information is disclosed in a manner that indicates that the individual
is the institution's consumer) and any consumer list that is derived
without using personally identifiable financial information that is not
publicly available information.\30\ Examples are provided in section
160.3(t)(3) to illustrate how this definition applies in the context of consumer lists.
\30\ See section 160.3(t)(2).
(u) Personally identifiable financial information. As discussed
above, the GLB Act defines ``nonpublic personal information'' to
include, among other things, ``personally identifiable financial
information'' but does not define the latter term. As a general matter,
the rules treat any personally identifiable information as financial if
the financial institution obtains the information in connection with
providing a financial product or service to a consumer. We believe that
this approach reasonably interprets the word ``financial'' and creates
a workable and clear standard for distinguishing information that is
financial from other personal information. This interpretation would
cover a broad range of personal information provided to a financial
institution, including, for example, information about the consumer's
health, as well as the fact that an individual is a customer of a financial institution.
The rules define ``personally identifiable financial information'' to include three categories of information. The first category includes any information that a consumer provides a financial institution in order to obtain a financial product or service from the institution. As noted in the examples that follow the definition, this includes information provided on an application to open a commodity trading account, invest in a commodity pool or to obtain another financial product of service. If, for example, a consumer provides medical information on an application to obtain a financial product or service, that information would be considered ``personally identifiable financial information'' for purposes of the proposed rules. Similarly, information that may be required for financial planning purposes, including details about retirement and family obligations, such as the care of a disabled child, would be covered by the definition.
The second category includes any information about a consumer resulting from any transaction between the consumer and the financial institution involving a financial product or service. This would include, as noted in the examples following the definition, information about account balance, payment or overdraft history, credit or debit card purchases or financial products purchased or sold.
The third category includes any financial information about a consumer otherwise obtained by the financial institution in connection with providing a financial product or service. This would include information obtained through an informationcollecting device from a web server, often referred to as a ``cookie.'' It would also include information from a consumer report or from an outside source to verify information a consumer provides on an application to obtain a financial product or service. It would not, however, include information that is publicly available (unless, as previously noted, the information is part of a list of consumers that is derived using personally identifiable financial information).
The examples clarify that the definition of ``personally
identifiable financial information'' does not include a list of names
and addresses of people who are customers of an entity that is not a
financial institution. Thus, the names and addresses of people who
subscribe, for instance, to a particular magazine would fall outside
the definition. The examples also clarify that aggregate information
(or ``blind data'') lacking personal identifiers is not covered by the
definition of ``personally identifiable financial information.''
(v) Publicly available information. The rules define ``publicly
available information'' as information the financial institution
reasonably believes is lawfully made available to members of the
general public from three broad types of sources.\31\ First, it
includes information from official public records, such as real estate
recordations or security interest filings. Second, it includes
information from widely distributed media, such as a telephone book,
radio program, or newspaper. Third, it includes information from
disclosures required to be made to the general public by federal,
State, or local law, such as securities disclosure documents. The rules
state that information obtained over the Internet will be considered
publicly available information if the information is obtainable from a
site available to the general public on an unrestricted basis.\32\
\31\ We recognize that some information that is available to the
general public may have been published illegally. In some cases,
such as a list of customer account numbers posted on a web site, the
publication will be obviously unlawful. In other cases, the legality
of the publication may be unclear or unresolved. The rules provide
that information is ``publicly available'' if the institution
reasonably believes that information is lawfully available to the public.
\32\ The examples further explain that an Internet site is not
restricted merely because an Internet service provider or a site
operator requires a fee or password as long as access is otherwise
available to the general public. This recognizes that the ``widely
distributed'' requirement focuses on whether the information is
lawfully available to the general public, rather than on the type of medium from which information is obtained.
The rules treat information as publicly available if it could be
obtained from one of the public sources listed in the rules. If an
institution reasonably believes the information is lawfully made
available to the general public from one of the listed public sources,
then the information will be considered publicly available and excluded
from the scope of ``nonpublic personal information,'' whether or not
the institution obtains it from a publicly available source (unless, as
previously noted, it is part of a list of consumers that is derived
using personally identifiable financial information). Under this
approach, the fact that a consumer has given information to a financial
institution would not automatically extend to that information [[Page 21243]]
the protections afforded to nonpublic personal information.
The rules incorporate the concept of information being lawfully
obtained. Thus, information unlawfully obtained will not be deemed to
be publicly available notwithstanding that it may be available to the general public through widely distributed media.
(w) You. The rules define you as any FCM, CTA, CPO or IB subject to
the jurisdiction of the Commission. The term ``you'' is used in order to make the rules easier to understand and use.
Subpart APrivacy and Opt Out Notices
Section 160.4 Initial Privacy Notice to Consumers Required
Initial notice required. The GLB Act requires that a financial institution provide an initial notice of its privacy policies and practices in two circumstances. For customers, the notice must be provided no later than at the time of establishing a customer relationship. For consumers who do not, or have not yet, become customers, the notice must be provided before disclosing nonpublic personal information about the consumer to a nonaffiliated third party.
Paragraph (a) of section 160.4 states the general rule regarding these notices. A financial institution must provide a clear and conspicuous notice, as defined in section 160.3(b), that accurately reflects the institution's privacy policies and practices. Accordingly, a financial institution must maintain the protections that its notice represents it will provide. The Commission expects that FCMs, CTAs, CPOs and IBs will take appropriate measures to adhere to their stated privacy policies and practices.
The rules do not prohibit two or more institutions from providing a joint initial, annual or opt out notice, as long as the notice is delivered in accordance with the rules and is accurate with respect to all institutions.\33\ For example, institutions that could provide joint notices include: (i) an IB and its FCM; (ii) a CTA and the FCM carrying the customer's account; and (iii) a clearing FCM and an executing FCM. Similarly, the rules do not preclude an institution from establishing different privacy policies and practices for different categories of consumers, customers or products so long as each particular consumer or customer receives a notice that is accurate with respect to that individual.
\33\ See also infra discussion of section 160.9(f).
Notice to customers. The rules require that a financial institution
provide an individual a privacy notice not later than the time that it
establishes a customer relationship subject to the limited
circumstances set forth in paragraph (e), as discussed below. Thus, the
initial notice may be provided at the same time an FCM, CTA, CPO or IB
is required to give other notices, such as the rule 1.55 risk
disclosure statement that an FCM or IB is required to provide before
opening an account for a customer and the part 4 disclosure document
that a CPO or CTA is required to provide before soliciting or accepting
funds from pool participants (in the case of a CPO) or soliciting or
entering into an agreement to direct a client's account (in the case of
a CTA).\34\ This approach is intended to strike a balance between (i)
ensuring that consumers will receive privacy notices at a meaningful
point during the process of ``establishing a customer relationship''
and (ii) minimizing unnecessary burdens on FCMs, CTAs, CPOs and IBs
that may otherwise result if the rule were to require financial
institutions to provide consumers with a series of notices at various times in a transaction.
\34\ The Commission recognizes that the disclosure requirements
of part 4 apply as early as the solicitation stage, which often
occurs before a customer relationship has been established. See 17
CFR 4.21 (CPO disclosure document) and 17 CFR 4.31 (CTA disclosure
document). In these circumstances, a CPO or CTA would not be
required to provide the initial privacy notice until such time as
the customer relationship has been established, although it could
elect to provide the notice earlier at the time of the solicitation.
Paragraph (c) of section 160.4 identifies the time a customer relationship is established as the point at which a financial institution and a consumer enter into a continuing relationship. The examples in paragraph (c) clarify that, for customer relationships that are contractual in nature including, for example, a commodity interest advisory relationship, a customer relationship is established when the customer enters into the contract (whether written or oral) that is necessary to engage in the activity in question. Thus, for example, a customer relationship is established with an FCM when the customer executes a commodity interest trade through the FCM or opens an account with the FCM under its procedures.
Notice to consumers. For consumers who do not establish a customer relationship, the initial privacy notice may be provided at any point before the financial institution discloses nonpublic personal information to nonaffiliated third parties. As provided in paragraph (b) of section 160.4, if the institution does not intend to disclose the information in question or intends to make only those disclosures that are authorized by one of the exceptions or as required by law,\35\ the institution is not required to provide the initial notice. \35\ See sections 160.14, 160.15.
How to provide notice. When you are required by this section to deliver an initial privacy notice, the notice must be delivered according to the provisions of section 160.9. The general rule requires that the initial notice be provided so that each recipient can reasonably be expected to receive actual notice.
New notices not required for each new financial product or service. The Commission believes that it would be burdensome, with little corresponding benefit to the consumer, to require a financial institution to provide the same consumer with additional copies of its initial notice every time the consumer obtains a financial product or service. Accordingly, the final rule states, in section 160.4(d), that a financial institution will satisfy the notice requirements when an existing customer obtains a new financial product or service if the institution's initial, revised or annual notice is accurate with respect to the new financial product or service.
Exceptions to allow subsequent delivery of notice. As proposed, section 160.4(e) would permit a financial institution to provide subsequent delivery of the initial notice required by paragraph (a)(1) within a reasonable time after the customer relationship is established in limited instances. For example, the institution may provide notice after the fact if the customer has not elected to establish a customer relationship. This might occur, for instance, when a commodity interest account is transferred from a financiallydistressed FCM to another FCM in an emergency situation. Subsequent delivery of the initial notice would also be permitted after the establishment of a customer relationship when to do otherwise would substantially delay the consumer's transaction and the customer agrees to receive the notice at a later time. An example of this is when an investor requests over the telephone that an FCM execute a trade.
In response to the proposed rules, FIA commented that it was
unclear how the subsequent delivery exceptions would apply in the
context of a bulk transfer under Commission Rule 1.65. Rule 1.65
establishes a ``negative consent'' procedure for the transfer of
customers'' accounts from one FCM to another. Because the customer has
the right to move his or her account to another FCM prior to the transfer, FIA requested
[[Page 21244]]
clarification regarding the ability of a transferee FCM to take
advantage of the section 160.4(e) exceptions. FIA expressed the belief
that subsequent delivery of the initial notice should also be permitted
in the bulk transfer context, and asked the Commission to amend the
rule accordingly. The Commission agrees with this interpretation and
notes that historically, the Commission has considered a bulk transfer
to be a transfer that is not at the customer's election. Nevertheless,
to provide further guidance, the Commission has determined to add a new
exception in paragraph (e)(1)(iv) that specifically addresses a bulk transfer carried out in accordance with Rule 1.65.
We note that, in most situations, a financial institution should give the initial notice at a point when the consumer still has a meaningful choice about whether to enter into the customer relationship. The exceptions listed in the examples, while not exhaustive, are intended to illustrate the less frequent situations when delivery either would pose a significant impediment to the conduct of a routine business practice or the customer agrees to receive the notice later in order to obtain a financial product or service immediately.
In circumstances when it is appropriate to deliver an initial
notice after the customer relationship has been established, a
financial institution should deliver an initial notice within a
reasonable time thereafter. The Commission believes that a rule
prescribing the maximum number of days in which a financial institution
must deliver a notice in these circumstances would be inappropriate
because (a) the circumstances when an afterthefact notice is
appropriate are likely to vary significantly, and (b) a rule that
attempts to accommodate every circumstance is likely to provide more time than is appropriate in many circumstances.\36\
\36\ The Commission believes, however, that allowing the
transferee FCM 60 days to deliver the initial privacy notice to the
customer following a Rule 1.65 bulk transfer as requested by FIA
would be unreasonable and inconsistent with the intent of the
privacy rules. Instead, the transferee FCM would be expected to
deliver the initial privacy notice no later than the time that it
delivers the monthly account statements required by Rule 1.33. Section 160.5 Annual Privacy Notice to Customers Required
Section 503 of the GLB Act requires a financial institution to provide notices of its privacy policies and practices to its customers at least annually. Section 160.5 implements this requirement by requiring that a clear and conspicuous notice that accurately reflects the institution's current privacy policies and practices be provided at least once during any period of twelve consecutive months during which the customer relationship exists. An institution may select a calendar year as the 12month period within which notices will be provided and provide the first annual notice at any point in the calendar year following the year in which the customer relationship was established. Section 160.5(a)(1) also requires that an institution apply the 12 month rule to its customers on a consistent basis. The rules governing how to provide an initial notice also apply to annual notices.
Section 503(a) of the GLB Act requires that the annual notice be
provided ``during the continuation'' of a customer relationship.
Accordingly, the rules state that a financial institution is not
required to provide an annual notice to a customer with whom it no
longer has a continuing relationship. For example, a customer becomes a former customer when the individual's account is closed.
Section 160.6 Information To Be Included in Privacy Notices
Section 503 of the GLB Act identifies the categories of information that must be included in a financial institution's initial and annual privacy notices and establishes the general requirement that a financial institution must provide customers with a notice describing the institution's policies and practices with respect to, among other things, disclosing nonpublic personal information to both affiliates and nonaffiliated third parties. Section 503(b) of the GLB Act identifies certain elements that the notice must address.
The required content is the same for initial and annual notices of privacy policies and practices. While the information contained in the notices must be accurate as of the time the notices are provided, a financial institution may prepare its notices based on current and anticipated policies and practices.
Subsection (a) of section 160.6 prescribes the information to be included; subsection (c) provides examples of how to comply with this requirement.
1. Categories of nonpublic personal information that a financial institution may collect. Section 503(b)(2) of the GLB Act requires a financial institution to inform its customers about the categories of nonpublic personal information that the institution collects. Section 160.6(a)(1) implements this requirement and paragraph (c)(1) provides an example of compliance that focuses on the source of the information collected. As described in the example, a financial institution will satisfy this requirement if it categorizes the information according to the sources, such as application information, transaction information, and consumer report information. While financial institutions may provide more detail about the categories and information collected, they are not required to do so.
2. Categories of nonpublic personal information that a financial institution may disclose. Section 503(a)(1) of the GLB Act requires the financial institution's initial and annual notice to provide information about the categories of nonpubl
FOR FURTHER INFORMATION CONTACT Susan Nathan, Assistant General Counsel, or Bella Rozenberg, Attorney, Office of General Counsel; Nancy E. Yanofsky, Assistant Chief Counsel, Division of Economic Analysis; or Ky TranTrong, Attorney, Division of Trading and Markets, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, NW., Washington, DC 20581. Telephone: (202) 4185000, Email: (SNathan@cftc.gov), (BRozenberg@cftc.gov), (NYanofsky@cftc.gov), or (KTranTrong@cftc.gov).
Common CFR Searches
14 CFR Part 39 40 CFR Part 52 14 CFR Part 71 33 CFR Part 165 50 CFR Part 679 47 CFR Part 73 26 CFR Part 1 40 CFR Part 180 33 CFR Part 117 50 CFR Part 17 44 CFR Part 67 50 CFR Part 648 14 CFR Part 97 33 CFR Part 100 40 CFR Part 63 50 CFR Part 622 44 CFR Part 65 50 CFR Part 660 26 CFR Part 301 39 CFR Part 111 40 CFR Part 300 6 CFR Part 5 40 CFR Part 271 47 CFR Part 64 40 CFR Parts 52 and 81 50 CFR Part 665 44 CFR Part 64 10 CFR Part 50 49 CFR Part 571 47 CFR Part 76