Proposed Rule on the Privacy of Consumers' Financial Information
The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly proposed the attached rule on the privacy of consumers' financial information. This regulation is required by the Gramm-Leach-Bliley Act. Comments are due by March 31, 2000.
The Federal Trade Commission, the National Credit Union Administration, and the Securities and Exchange Commission will issue proposed privacy rules separately from the banking agencies.
The banking agencies' proposed rule:
requires a financial institution to provide notice to customers about its privacy policies and practices;
describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and
provides a method for consumers to prevent the financial institution from disclosing that information to nonaffiliated third parties by "opting out" of that disclosure.
Restrictions on sharing information with nonaffiliated third parties under the Gramm-Leach-Bliley Act apply to "nonpublic personal information" about a consumer. The Act defines nonpublic personal information as "personally identifiable financial information" that is provided by a consumer to a financial institution, results from any transaction with or service performed for the consumer, or otherwise is obtained by the financial institution. The Act excludes "publicly available information" from the definition of nonpublic personal information.
The proposed rule seeks comment on two alternatives defining what information should be considered "nonpublic personal information." Both alternatives protect publicly available information about consumers if the information would be included in a list that would reveal a customer relationship with the institution.
Under the proposed rule, financial institutions must provide a clear and conspicuous notice that accurately reflects their privacy policies and practices to:
any individual who becomes a customer of the financial institution before that customer relationship is established, and annually as long as the relationship continues; and
any consumer who does not become a customer before nonpublic personal information may be shared with nonaffiliated third parties.
A customer relationship is defined in the proposed rule as the point at which a consumer and a financial institution enter into a continuing relationship under which the institution provides one or more financial products or services to be used primarily for personal, family or household purposes. This would occur, for example, when a consumer opens a credit card account or executes the contract to open a deposit account, obtain credit or purchase insurance.
A consumer is any individual who obtains, or has obtained, a financial product or service from an institution to be used primarily for personal, family or household purposes. A consumer includes an individual who applies for a financial product or service such as a loan even if the application is ultimately withdrawn or declined by the institution.
Opt Out Requirement
Under the proposal, before an institution shares nonpublic personal information with nonaffiliated third parties, consumers must be given a reasonable opportunity to "opt out" from having that information shared. The opt out notice must be given to:
customers as a part of the initial notice of the financial institution's privacy policies and practices, or prior to sharing nonpublic personal information about them with nonaffiliated third parties; and
individual consumers who do not become customers of the financial institution, and former customers, before nonpublic personal information about them may be shared with nonaffiliated third parties.
The Gramm-Leach-Bliley Act creates an exception to the opt out rules when a financial institution discloses information to a nonaffiliated third party for use by the third party to perform services for, or functions on behalf of, the financial institution. The exception includes marketing the institution's own products, or marketing financial products or services offered through a joint agreement between two or more financial institutions.
Additional statutory exceptions that permit a financial institution to share nonpublic information with third parties without providing privacy or opt out notices include disclosures made:
in connection with certain processing and servicing transactions;
with the consent of or at the direction of the consumer;
to protect against potential fraud or unauthorized transactions; and
to respond to judicial process.
Comments on the proposed rule may be submitted through the FDIC's Web site at www.fdic.gov.
For more information, please contact Deanna Caldwell (202-736-0141) or James K. Baebel (202-736-0229) in the FDIC's Division of Compliance and Consumer Affairs, or Marilyn E. Anderson (202-898-3522), Robert A. Patrick (202-898-3757), Nancy Shucker Recchia (202-898-8885), or Marc J. Goldstrom (202-898-8807) in the FDIC's Legal Division.
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (800-276-6003 or (703) 562-2200).