Supporting Statement for the
Reporting and Disclosure Requirements
Associated with Regulation P
(Reg P; OMB No. 7100-0294)
Summary
The Board of Governors of the Federal Reserve System, under delegated authority from the Office of Management and Budget (OMB), proposes to extend for three years, without revision, the reporting and disclosure requirements of Regulation P, which implements the Protection of Nonpublic Personal Information provisions of the Gramm-Leach-Bliley Act of 1999 (GLBA).1 The Federal Reserve Board (“Board”) is required to renew these requirements every three years pursuant to the Paperwork Reduction Act of 1995 (PRA), which classifies regulations such as Regulation P as required information collections.2
The information collection pursuant to Regulation P is triggered by the establishment of a customer relationship between a consumer and a financial institution or by the expected disclosure of nonpublic personal information about a consumer who obtains or has obtained a product or service from a financial institution primarily for personal, family, or household purposes. The regulation ensures that financial institutions provide customers with notice of the privacy policies and practices of financial institutions and consumers with a means to prevent the disclosure of nonpublic personal information in certain circumstances. Where applicable, financial institutions are required to provide an initial and an annual notice of their privacy policies and practices, opt-out notices, and revised notices that contain changes in policies and procedures.
The Board accounts for the paperwork burden associated with Regulation P only for Board-supervised institutions.3 Other federal agencies4 account for the paperwork burden on entities for which they have administrative enforcement authority. The Board estimates that with respect to Regulation P, there are 8,155 Board-supervised institutions and 442,225 consumers that are deemed “respondents” for purposes of the PRA; their collective annual burden is estimated to be 299,673 hours.
Additional information about the paperwork burden associated with Regulation P, including statutory and regulatory history and a description of the recordkeeping and disclosure requirements, is discussed below.
Background and Justification
Section 504 of the GLBA (Public Law No. 106-102) directed the Board, Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), National Credit Union Administration (NCUA), Federal Trade Commission (FTC), and Securities and Exchange Commission (SEC) (“the agencies”) to issue regulations to implement the notice requirements and restrictions on a financial institution’s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties.
A financial institution’s precise responsibilities under GLBA and the privacy regulations depend on whether it is dealing with a “consumer” or a “customer.” A consumer is an individual who obtains a financial product or service from a financial institution that is primarily for personal, family, or household purposes; a customer is a consumer who has a customer relationship (which means a continuing relationship) with a financial institution. In general, Regulation P sets out the requirements for when a financial institution must provide notice to its consumers about its privacy policies and practices, including notice of the consumers’ right to opt out of information sharing. A financial institution may not disclose nonpublic personal information about any consumer to nonaffiliated third parties unless (1) the required notice has been provided to the consumer, and the consumer has not elected to opt out of the information sharing, or (2) the disclosure is permitted under one of the regulation’s exceptions. A financial institution is not required to provide a notice to a consumer if it does not have a customer relationship with the consumer and it does not disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized by the regulation. A financial institution must also provide an annual privacy notice to consumers who are its customers but does not have to provide an annual notice to consumers who are not customers.
Description of Information Collection
Subpart A of the regulation prescribes the required disclosures for privacy and opt-out notices. The opt-out provisions of the regulation enable consumers to prevent a financial institution from disclosing nonpublic personal information to third parties that are not affiliated with the financial institution. The provisions do not restrict the disclosure of nonpublic personal information among affiliated companies nor do they restrict the disclosure of information about businesses or corporations.
Privacy and opt-out notices (Subpart A)
Regulation P imposes three disclosure requirements on financial institutions: initial privacy notice, annual privacy notice, and revised privacy notice. Each of these notices may have to include an opt-out notice, depending upon the information sharing practices of the financial institution. In addition, the regulation imposes two reporting requirements on consumers: an initial notification that the consumer elects to opt out (if the consumer so chooses), and a notification to the institution during the course of the relationship if the consumer elects to change his or her opt-out status.
Financial Institutions’ Disclosure Requirements
Initial privacy notice to consumers (Section 216.4)
A financial institution’s notice must be clear and conspicuous and must accurately reflect its privacy policies and practices. An institution must have provided the initial privacy notice to all current customers as of the regulation’s mandatory effective date of July 1, 2001. After that date, a financial institution must provide the initial privacy notice to all new customers when they commence the customer relationship. A financial institution is not required to provide an initial notice to a consumer if it does not have a customer relationship with the consumer and it does not disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized by the regulation. To reduce burden, the regulation authorizes simplified and short forms of the initial privacy notice for use under certain conditions.
Annual privacy notice to customers (Section 216.5)
Financial institutions must provide to customers a clear and conspicuous notice that accurately reflects an institution’s privacy policies and practices not less than once in a twelve-month period during the continuation of the customer relationship.
Information to be included in privacy notices. The initial notice and annual notice each must include all of the following items of information:
the categories of nonpublic personal information about the consumers that the institution collects;
the categories of nonpublic personal information about the consumers that the institution discloses;
the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information about the consumers, other than those parties excepted under the regulation;
the categories of nonpublic personal information about former consumers that the institution discloses and the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information about former consumers, other than those parties excepted under the regulation;
if an institution discloses nonpublic personal information to service providers or joint marketers, a description of the categories of information the institution discloses and the categories of third parties with whom the institution has contracted;
an explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the methods by which the consumer may exercise that right;
any disclosures regarding the ability to opt out of disclosures of information among affiliates;
the institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
a description of nonaffiliated third parties subject to exceptions under the regulation.
Revised privacy notice (Section 216.8)
Certain changes to a financial institution’s privacy policies or practices trigger a requirement to provide consumers a revised notice that accurately describes the institution’s current policies and practices. After an institution has made certain changes to its disclosure practices, it may not directly or through affiliates disclose nonpublic personal information about a consumer other than as described in the initial notice unless it provides the consumer (1) a new notice that accurately describes the policies and practices, (2) a new opt-out notice, and (3) a reasonable opportunity to opt out.
Notice of right to opt out (Section 216.9)
Depending on a financial institution’s information-sharing practices, it must provide an opt-out notice to a customer or to a consumer. An opt-out notice may also be required when the institution issues a revised privacy notice.
Consumer’s notice of invocation of opt out right
To invoke his or her right to opt out, a consumer must notify the institution. The consumer must be given a reasonable opportunity to opt out before information may be shared with a nonaffiliated third party outside of the permitted exceptions.
Consumer’s continuing right to opt out.
A consumer has the right to change or update his or her opt-out status with an institution at any time. The financial institution must comply with the consumer’s direction as soon as reasonably practicable, and the consumer’s direction to opt-out is effective until revoked by the consumer. If a customer relationship terminates, the customer’s opt-out direction continues to apply to the nonpublic personal information that the financial institution collected during or related to the relationship. If the individual subsequently establishes a new customer relationship with the institution, the opt-out direction that applied to the former relationship does not apply to the new relationship.
To facilitate compliance with these requirements, Regulation P gives examples of “nonpublic personal information,” “consumer,” “consumer reporting agency,” “customer” and “personally identifiable financial information” among other things. The regulation also provides guidance on the timing of notices to customers and the means by which consumers can exercise their opt-out rights. Appendix A of the regulation contains sample clauses to aid financial institutions in developing disclosure notices.
Time Schedule for Information Collection
The disclosure requirements of Regulation P are relationship-specific and must be provided within the time periods established by law and regulation as discussed above. The regulation also contains consumer reporting requirements. A consumer must be allowed a reasonable opportunity to opt out before nonpublic personal information is shared with a nonaffiliated third party for purposes not covered by any of the exceptions. A consumer has the right to opt out or revoke his or her opt-out at any time.
Legal Status
The Board's Legal Division has determined that the consumer reporting requirements and financial institution disclosure requirements associated with the regulation are authorized by section 504 of the GLBA (15 U.S.C. § 6804). Since the Federal Reserve does not collect any information, no issue of confidentiality normally arises.
The estimated total annual burden for the reporting and disclosure requirements of this information collection is 299,673 hours as shown in the table below. The overall disclosure burden for financial institutions is estimated to be 78,560 hours. The reporting burden for consumers is estimated to be 221,113 hours. The estimated total annual burden represents approximately 1.7 percent of the total Federal Reserve System paperwork burden.
| | Estimated number of respondents | Estimated annual frequency | Estimated response time | Estimated annual burden hours |
|---|---|---|---|---|
| Institution disclosure requirements | | | | |
| Initial notice | 185 | 1 | 80 hours | 14,800 |
| Annual & Revised notices | 6,735 | 1 | 8 hours | 53,880 |
| Opt out notice | 1,235 | 1 | 8 hours | 9,880 |
| Subtotal | | | | 78,560 |
| Consumer reporting requirements | | | | |
| Opt out notice | 442,225 | 1 | 30 minutes | 221,113 |
| Subtotal | | | | 221,113 |
| Total | | | | 299,673 |
The total cost to financial institutions is estimated to be $4,843,224. The estimated cost to consumers for this information collection is $4,422,260.5
Estimate of Cost to the Federal Reserve System
Since the Federal Reserve does not collect any information, the cost to the Federal Reserve System is negligible.
Consultation Outside of the Agency and Discussion of Public Comments
For the renewal of this information collection there has been no consultation outside the Board. On May 5, 2009, the Federal Reserve published a notice in the Federal Register (74 FR 23717) requesting public comment for 60 days on the Reg P information collection. The comment period for this notice expired on July 20, 2009. The Federal Reserve did not receive any comments. On July 28, 2009, the Federal Reserve published a final notice in the Federal Register (74 FR 37227).
Sensitive Questions
This collection of information contains no questions of a sensitive nature, as defined by OMB guidelines.
1 The Protection of Nonpublic Personal Information provisions are codified at 15 U.S.C. § 6801 et seq. Regulation P is located at 12 CFR Part 216.
2 The collection of information under Regulation P is assigned OMB No. 7100-0294 for purposes of the PRA.
3 Section 216.3(q) of Regulation P generally defines Board-regulated financial institutions as: State member banks, subsidiaries of state member banks, bank holding companies and their subsidiaries or affiliates, branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and corporations operating under section 25 or 25A of the Federal Reserve Act.
4 Office of the Comptroller of the Currency (OMB No. 1557–0216), Federal Deposit Insurance Corporation (OMB No. 3064–0136), Office of Thrift Supervision (OMB No. 1550–0103), National Credit Union Administration (OMB No. 3133–0163), Federal Trade Commission (OMB No. 3084–0121), Securities and Exchange Commission (OMB No. 3235–0537), and Commodity Futures and Trading Commission (OMB No. 3038–0055).
5 Total cost to the public was estimated using the following formula: percent of staff time, multiplied by annual burden hours, multiplied by hourly rate (30% Administrative or Junior Analyst @ $25, 45% Managerial or Technical @ $55, 15% Senior Management @ $100, and 10% Legal Counsel @ $144). Hourly rate estimates for each occupational group are averages using data from the Bureau of Labor and Statistics (BLS), Occupational Employment and Wages 2007, http://www.bls.gov/news.release/ocwage.nr0.htm. Occupations are defined using the BLS Occupational Classification System, http://www.bls.gov/soc/
The average consumer cost of $20 is estimated using data from the BLS Economic News Release (Table B-3. Average hourly and weekly earnings of production and nonsupervisory workers (1) on private nonfarm payrolls by industry sector and selected industry detail), http://www.bls.gov/news.release/empsit.t16.htm
Author | m1mel00 |
Last Modified By | m1jas00 |
File Modified | 2009-07-28 |
File Created | 2009-05-11 |