12/08/2021 at 8:45 am. Description of Steps Taken To Minimize Significant Economic Impact, if Any, on Small Entities, Including Alternatives, PART 313 - PRIVACY OF CONSUMER FINANCIAL INFORMATION, https://www.federalregister.gov/d/2021-25735, https://www.federalregister.gov/documents/2001/04/27/01-10398/privacy-of-consumer-financial-information, https://www.federalregister.gov/documents/2000/05/24/00-12755/privacy-of-consumer-financial-information, https://www.federalregister.gov/documents/2000/05/18/00-12014/privacy-of-consumer-financial-information-requirements-for-insurance, https://www.federalregister.gov/documents/2000/06/29/00-16269/privacy-of-consumer-financial-information-regulation-s-p, https://www.federalregister.gov/documents/2009/12/01/E9-27882/final-model-privacy-form-under-the-gramm-leach-bliley-act, https://www.federalregister.gov/documents/2011/12/21/2011-31729/privacy-of-consumer-financial-information-regulation-p, https://www.federalregister.gov/documents/2012/04/13/2012-8748/rescission-of-rules, https://www.federalregister.gov/documents/2015/06/24/2015-14328/amendment-to-the-privacy-of-consumer-financial-information-rule-under-the-gramm-leach-bliley-act, https://www.federalregister.gov/documents/2014/10/28/2014-25299/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p, https://www.federalregister.gov/documents/2018/08/17/2018-17572/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p, https://www.federalregister.gov/documents/2017/10/16/2017-22334/agency-information-collection-activities-submission-for-omb-review-comment-request, https://www.sba.gov/document/support--table-size-standards. 1016.5 Annual privacy notice to customers required. Delivery of annual privacy notice after financial institution no longer meets requirements for exception.
Accordingly, if a motor vehicle dealer limits its sharing to uses that do not trigger opt-out rights, it may provide an annual privacy notice to its customers that does not include information regarding opt-out rights. (B) Executes the lease for personal property with you. Specifically, it requires covered entities to provide an initial notice of these policies,[13] Section 504 authorizes the issuance of regulations to implement these provisions. Your activities determine whether you are a "financial institution" under the Privacy Rule. Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to "opt-out" if they don't want their information shared with certain nonaffiliated third parties. Yes. You establish a customer relationship when the consumer: (A) Executes the contract to obtain credit from you or purchase insurance from you; or. Are You a Financial Institution? Once you receive an opt-out direction from your existing consumers or customers, you must comply with it as soon as is reasonably possible. The Gramm-Leach-Bliley Act requires financial institutions - companies that offer consumers financial products or services like loans, financial or investment advice, or insurance - to explain their information-sharing practices to their customers and to safeguard sensitive data. Second, how often does the business engage in a financial activity? [18] The CFPB then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011 (Regulation P). The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, (Pub. 
Examples The Commission does not agree that this example should be removed. Here's what you need to know about the Gramm-Leach-Bliley Act (GLBA) Privacy Notice requirements and the best way to fulfill them. See The rule embodies two principles - notice and opt out. The second is the Franchise Agreement itself. However, you may only redisclose the information consistent with the privacy policy of the originating financial institution. 13, 2012) available at https://www.federalregister.gov/documents/2001/04/27/01-10398/privacy-of-consumer-financial-information. Federal agencies are generally required to seek Office of Management and Budget (OMB) approval for information collection requirements prior to implementation. Financial institution Accordingly, the final rule removes 313.18 in its entirety. enforcement agencies (including the Consumer Financial Protection Bureau, a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Section 75001, Public Law 114-94, 129 Stat. Resources to help industry understand, implement, and comply with the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) and Regulation P. On August 17, 2018, the Bureau published an amendment to Regulation P to implement a December 2015 statutory amendment to the GLBA providing an exception to the annual notice requirement for financial institutions that meet certain conditions. In 313.3(i)(2)(i)(A) and 313.5(b)(2)(ii), references to mortgage loans were removed. (e) 15 U.S.C. Annual privacy notice to customers required. has no substantive legal effect. 
The GLBA, among other things, requires that financial institutions provide their customers with initial and annual notices regarding their privacy practices, and allow their customers to opt out of sharing their information with certain nonaffiliated third parties. 15 U.S.C. 6804(a)(1)(C)). 45. On June 24, 2015, the Commission published a notice of proposed rulemaking (2015 NPRM) proposing revisions to the Privacy Rule. https://www.federalregister.gov/documents/2017/10/16/2017-22334/agency-information-collection-activities-submission-for-omb-review-comment-request. It also removed the reference in the rule's scope to other persons, because the Commission no longer has rulemaking authority for the Privacy Rule over other persons. Finally, the Proposed Amendments eliminated from 313.1(b) the note indicating (1) the Privacy Rule does not modify, limit, or supersede the standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and (2) if a financial institution that is an institution of higher education is in compliance with the Federal Educational Rights and Privacy Act (FERPA) and its implementing regulations, such institution shall be deemed in compliance with the Privacy Rule. The section 13 exception also applies to marketing financial products or services offered through a "joint agreement" with one or more other financial institutions. The Gramm-Leach-Bliley Act's notice and opt out provisions are in addition to the obligations imposed by the Fair Credit Reporting Act (FCRA). The Gramm-Leach-Bliley Act (GLBA) is a US law that reformed the financial services industry, allowing commercial and investment banks, securities firms, and insurance companies to consolidate, and addressed concerns about protecting consumer privacy. That opt-out notice must be included in your GLB privacy notice (see "Fair Credit Reporting Act"). 
The FTC has jurisdiction over any financial institution or other person not regulated by other government agencies. Accordingly, the Commission declines to remove this example from the final rule. The Commission received no comments that suggested such entities exist. The prohibition applies to disclosures of account numbers for an individual's credit card account, deposit account, or "transaction account" to any nonaffiliated third party to use in telemarketing, direct mail marketing, or other marketing through electronic mail to any consumer. Your customer becomes a former customer when: (i) In the case of a closed-end loan, the customer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights. 1338 (1999). Therefore, the Commission certifies the rule will not have a significant economic impact on a substantial number of small businesses. If you have a question about the Bureau's rules and the statutes we implement, please first review the regulations and official interpretations (commentary) as well as the available guidance and compliance resources. Amend 313.5 by adding a heading for paragraph (a), revising paragraphs (a)(1) and (b)(2), and adding paragraph (e) to read as follows: (a) activities is a motor vehicle dealer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue. [16] Notices given orally or posted in your office(s) don't comply with the rule. 
According to the Bank Holding Company Act provision and regulations established by the Federal Reserve Board, "financial activities" include: These examples are taken from the section 4(k) provisions and regulations on financial activities. [3] The Gramm-Leach-Bliley Act was enacted on November 12, 1999. 6805(a). list of a retailer's credit card customers, list of auto loan customers merged with list of car magazine subscribers. 12 U.S.C. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. The Gramm-Leach-Bliley Act (GLBA) is a federal law that establishes various legal requirements for companies that qualify as "financial institutions" under the Act. Amend 313.4 by adding a heading for paragraph (c)(3) and revising paragraphs (c)(3)(i) and (e) to read as follows: (3) So, first you look at whether it is permissible for a target bank to share information with an institution acquiring it. The regulation doesn't prohibit all sharing of NPI with third parties. Amend 313.1 by revising paragraph (b) to read as follows: (b) It believes the Privacy Rule should be substantively identical to Regulation P so financial institutions within the Commission's enforcement authority are subject to the same requirements, regardless of whether they are subject to Regulation P or the Privacy Rule. Before you share NPI with nonaffiliated third parties outside of the exceptions described within (see "Exceptions"), you must give your non-customer consumers a privacy notice, including an opt-out notice. 
In these situations, you may only disclose and use the information in the ordinary course of business to carry out the purpose for which it was received. This amendment modifies 16 CFR part 313. Yuxiang Hao (comment 4). the institution satisfies various notice and opt-out requirements, and (ii) the consumer has not elected to opt out of the disclosure. are activities that a financial holding company may engage in, until the Commission so determines. As discussed above, the Commission has determined herein that this rule applies to financial institutions that engage in activities financial in nature or incidental to such financial activities, including entities significantly engaged in activities the Federal Reserve Board has determined, after November 12, 1999, are activities a financial holding company may engage in. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. that the information is generally made lawfully available to the public; and. ), the Office of Information and Regulatory Affairs designated this rule as not a major rule, as defined by 5 U.S.C. For the reasons stated above, the Federal Trade Commission amends 16 CFR part 313 as follows: 1. Technical Changes To Correspond to Statutory Changes Resulting From the Dodd-Frank Act, c. Examples of No Continuing Relationships, B. Second, the removal of certain examples provided in the rule that are not applicable to motor vehicle dealers will have no impact on existing information collection requirements. This rule finalizes that proposal. does not include entities that engage in financial activities but that are not significantly engaged in those financial activities. 39. Several other entities commented on the expansion of the definition of a financial institution in the Safeguards Rule. 
The Commission also proposed changing the Privacy Rule provisions governing how motor vehicle dealers should deliver annual privacy notices. setting forth amendments to the Privacy Rule (the Proposed Amendments) proposing three types of changes to the Privacy Rule: (1) Technical changes to the rule to correspond to the reduced scope of the rule due to Dodd-Frank Act changes, which primarily consist of removing references that do not apply to motor vehicle dealers; (2) modifications to the annual privacy notice requirements to reflect the changes made to the GLBA by the FAST Act; and (3) a modification to the scope and definition of financial institution to include entities engaged in activities incidental to financial activities, which would bring the rule into accord with the CFPB's Regulation P. The Commission received four comments related to the proposed amendments, to which it responds below.[25]. The amendments do not impose any new or substantively revised collections of information, as defined by the PRA. These activities cover services offered by credit counselors, financial planners, tax preparers, accountants, and investment advisors. First, if you are a "financial institution," you are covered. lending, exchanging, transferring, investing for others, or safeguarding money or securities. Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act