Compliance with Privacy of Consumer Financial Information
October 29, 2001
To the Chief Executive Officer of the Institution Addressed:
Re: Compliance with Privacy of Consumer Financial Information
The purpose of this letter is to remind institutions regulated by the New York State Banking Department's (hereinafter "the Department") Licensed Financial Services and Mortgage Banking Divisions of the importance of complying with privacy regulations promulgated by the Federal Trade Commission as set out in 16 CFR part 313 entitled "Privacy of Consumer Financial Information".
On November 12, 1999 the "Gramm-Leach-Bliley Act" (hereinafter "GLBA") became law. Subtitle A of Title V of the GLBA, captioned "Disclosure of Nonpublic Personal Information", limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated parties, and requires a financial institution to disclose to all of its customers the institution's privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties.
Title V of the GLBA requires that the Federal Trade Commission (hereinafter "the Commission"), along with the Federal banking agencies and other Federal regulatory authorities, promulgate such regulations as may be necessary to carry out the purposes of the provisions in Title V, Subtitle A, that govern disclosure of nonpublic personal information. Accordingly, on March 1, 2000, the Commission published a Notice of Proposed Rulemaking in the Federal Register. After receiving and reviewing some 640 comments, the Commission published on May 24, 2000 a final privacy rule. The rule became effective on November 13, 2000 with full compliance being required by July 1, 2001.
The purpose of part 313 is to require a financial institution to provide notice to customers about its privacy policies and practices; to describe the conditions under which a financial institution may disclose nonpublic personal information to nonaffiliated third parties; and to provide a method for consumers to prevent a financial institution from disclosing that information to certain nonaffiliated third parties by "opting out" of that disclosure, subject to various exceptions as stated in the rule. The rule only applies to information about individuals who obtain a financial product or service from a financial institution to be used for personal, family, or household purposes. The principal type of entity subject to the rule is a "financial institution," which is defined broadly under section 509(3) of the GLBA to mean "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 [12 U.S.C. 1843 (k)]."
Subpart A of the rule specifically deals with the privacy and opt-out notices. Section 313.4 (a) provides in pertinent part that a financial institution must provide clear and conspicuous notice that accurately reflects its privacy policies and practices to customers, not later than when it establishes a customer relationship, and to consumers, before the financial institution discloses any nonpublic personal information about the consumer to any nonaffiliated third party. Subsection (b) of Section 313.4 states that a financial institution is not required to provide an initial notice to a consumer under 313.4 (a) if the institution does not disclose any nonpublic personal information about the consumer to any nonaffiliated third party other than as authorized by sections 313.14 and 313.15 and the institution does not have a customer relationship with the consumer. As set out at length in Sections 313.3 and 313.4(c), a customer relationship is established when an institution enters into a continuing relationship with the consumer. Examples of customer relationships include, but are not limited to, the following:
- Origination of a loan to a consumer for personal, family or household purposes;
- Opening of a credit card account;
- Execution of a contract to obtain credit or purchase insurance;
- An agreement to obtain financial, economic or investment advisory services for a fee; or
- Execution of a lease for personal property.
In terms of its customers, section 313.5 provides that a financial institution must provide a clear and conspicuous notice that accurately reflects its privacy policies and practices annually during the continuation of the customer relationship. The rule further states that "annually" means at least once in any period of 12 consecutive months during which that relationship exists. The financial institution may define the 12-consecutive-month period, but it must be applied on a consistent basis.
Section 313.6 provides the specific items of information that must be included in privacy notices. These items include, among other things, the categories of nonpublic personal information that an institution collects; the categories of nonpublic personal information that it discloses; and the categories of nonaffiliated third parties to whom nonpublic personal information is disclosed.
The form of opt-out notice to consumers and the opt-out methods are set out in section 313.7, which provides that if an institution is required to provide opt-out notice under section 313.10(a), the institution must provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt-out under that section. The notice must state the following:
- That the institution discloses or reserves the right to disclose nonpublic personal information about its consumers to a nonaffiliated third party;
- That the consumer has the right to opt-out of that disclosure; and
- A reasonable means by which the consumer may exercise the opt-out right.
The remainder of section 313.7 provides examples of adequate opt-out notices, reasonable and unreasonable opt-out means, and deals with the issue of joint relationships. Financial institutions should note that 313.7(b) allows them to provide the opt-out notice together with or on the same written or electronic form as the initial notice provided in accordance with section 313.4.
Section 313.8 deals with the issue of revised notices and the duty that an institution has to provide a revised notice and when that duty arises. Section 313.9 sets out the requirements regarding delivering privacy and opt-out notices and provides examples.
Subpart B of the rule covers sections 313.10 through 313.13 and deals with limits on disclosure, redisclosure and reuse of information, and limits on sharing account number information for marketing purposes. Subpart C, which includes sections 313.13 through 313.15, sets forth exceptions to the notice and opt-out requirements. The remainder of the regulation deals with its relation to other laws and its effective date.
In conclusion, let me repeat that the Department will be examining for compliance with the FTC rule. Institutions are urged to conduct their own research on Part 313 and not merely rely upon the Department's summary. Should you have any questions, feel free to contact the Department's Licensed Financial Services or Mortgage Banking Divisions or visit the FTC website on privacy at http://www.ftc.gov/privacy/.
Very truly yours,
Superintendent of Banks