U.S. Securities & Exchange Commission

Final Rule:
Privacy of Consumer Financial Information
(Regulation S-P)

SECURITIES AND EXCHANGE COMMISSION

17 CFR PART 248

[Release Nos. 34-42974, IC-24543, IA-1883; File No. S7-6-00]

RIN 3235-AH90

Privacy of Consumer Financial Information (Regulation S-P)

AGENCY: Securities and Exchange Commission.

ACTION: Final rule.

SUMMARY: The Securities and Exchange Commission is adopting Regulation S-P, privacy rules promulgated under section 504 of the Gramm-Leach-Bliley Act. Section 504 requires the Commission and other federal agencies to adopt rules implementing notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about consumers. Under the Gramm-Leach-Bliley Act, a financial institution must provide its customers with a notice of its privacy policies and practices, and must not disclose nonpublic personal information about a consumer to nonaffiliated third parties unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure. The Act also requires the Commission to establish for financial institutions appropriate standards to protect customer information. The final rules implement these requirements of the Gramm-Leach-Bliley Act with respect to investment advisers registered with the Commission, brokers, dealers, and investment companies, which are the financial institutions subject to the Commission's jurisdiction under that Act.

DATES:

Effective Date: This regulation is effective November 13, 2000.

Compliance Dates: Compliance will be mandatory as of July 1, 2001. Joint marketing and service agreements in effect as of July 1, 2000 must be brought into compliance with section 248.13 of Regulation S-P by July 1, 2002.

FOR FURTHER INFORMATION CONTACT: For information regarding the rules as they relate to brokers or dealers, contact George Lavdas or Jerome Roche, Office of Chief Counsel, Division of Market Regulation, (202) 942-0073, or regarding the rules as they relate to investment companies or registered investment advisers, Penelope W. Saltzman or Hugh P. Lutz, Office of Regulatory Policy, (202) 942-0690, Division of Investment Management, Securities and Exchange Commission, 450 5th Street, N.W., Washington, D.C. 20549.

SUPPLEMENTARY INFORMATION: The Securities and Exchange Commission (the "Commission") today is adopting new Regulation S-P, 17 CFR 248.1 - 248.30, under Title V of the Gramm-Leach-Bliley Act [Pub. L. No. 106-102, 113 Stat. 1338 (1999), to be codified at 15 U.S.C. 6801-6831], the Securities Exchange Act of 1934 [15 U.S.C. 78] ("Exchange Act"), the Investment Company Act of 1940 [15 U.S.C. 80a] ("Investment Company Act"), and the Investment Advisers Act of 1940 [15 U.S.C. 80b] ("Investment Advisers Act").


Table of Contents

I. Background

II. Overview of Comments Received

III. Section-by-section Analysis

V. Comparison Chart

VI. Guidance for Certain Institutions

VII. Cost-Benefit Analysis

VIII. Paperwork Reduction Act

IX. Summary of Final Regulatory Flexibility Analysis

X. Analysis of Effects on Efficiency, Competition, and Capital Formation

XI. Statutory Authority


I. Background

Subtitle A of Title V of the Gramm-Leach-Bliley Act ("G-L-B Act" or the "Act"), captioned Disclosure of Nonpublic Personal Information ("Title V"), limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a financial institution to disclose to all of its customers the institution's privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties. Title V also requires the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of Thrift Supervision (collectively, the "Banking Agencies"), Secretary of the Treasury, National Credit Union Administration, Federal Trade Commission (collectively with the Banking Agencies, the "Agencies"), and the Commission, after consulting with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, to prescribe regulations necessary to carry out the purposes of Title V.1

Commission representatives participated with representatives from the Agencies in drafting rules to implement Title V. As required by the G-L-B Act, the rules we are adopting today are, to the extent possible, consistent with and comparable to the rules adopted by the Agencies.2 Regulation S-P contains rules of general applicability that are substantially similar to the rules adopted by the Agencies. The rules also contain examples that illustrate the application of the general rules. These examples differ from those used by the Agencies in order to provide more meaningful guidance to the financial institutions subject to the Commission's jurisdiction.

Title V also requires the Commission (and each of the Agencies) to establish appropriate standards for financial institutions subject to their jurisdiction to safeguard customer information and records. Regulation S-P includes requirements for investment advisers registered with the Commission ("registered advisers"), brokers, dealers (collectively, "broker-dealers"), and investment companies ("funds") to adopt appropriate policies and procedures that address safeguards to protect this information.3

II. Overview of Comments Received

On March 2, 2000, the Commission issued a notice of proposed rulemaking (the "proposal" or "proposed rules").4 The Commission received a total of 115 comments in response to the proposal.5 Of these, approximately 14 were from individuals, virtually all of whom encouraged the Commission to provide greater protection of individuals' financial privacy. Many individuals noted their concerns generally about the loss of privacy and the receipt of unwanted solicitations by marketers.6

Other commenters advocated that we extend privacy protections in a number of ways. These suggestions included requiring (i) financial institutions to provide consumers with access to information about them maintained by the institutions and the opportunity to correct errors, (ii) more detailed disclosures of the information collected and disclosed, and (iii) disclosures of a financial institution's privacy policies and practices earlier in the process of establishing a customer relationship.

The National Association of Insurance Commissioners ("NAIC") submitted a comment on behalf of the State insurance authorities that generally supported the Commission's proposed rules. The NAIC also proposed various measures to provide certain protections for consumers, such as specifying means to exercise the right to opt out of the disclosure of information. The NAIC further advised the Commission to clarify the boundary of federal and State jurisdiction over privacy regulations and ensure that the financial privacy rules under the Act are compatible with the privacy rules relating to medical information that are to be issued by the Secretary of the Department of Health and Human Services ("HHS") under the Health Insurance Portability and Accountability Act ("HIPAA") of 1996.7

We received approximately 20 letters from broker-dealers, funds, registered advisers, insured depository institutions, bank holding companies, and their representatives.8 These commenters suggested many changes to the proposed rules. The most common suggestions included: (i) extending the effective date of the rules; (ii) amending the definition of "nonpublic personal information" to focus more clearly on what they believe is "financial" information; (iii) streamlining information required in the initial and annual disclosures; (iv) clarifying how one or more of the statutory exceptions operate; (v) revising or clarifying the definitions of "consumer" and "customer"; and (vi) adding flexibility to provide initial notices at some point other than "prior to" the time a customer relationship is established.

We have modified the proposed rules in light of the comments received.9 These comments, and our responses to them, are discussed in the following section-by-section analysis.

III. Section-by-section Analysis

The final Regulation presents the various sections in five subparts that consist of related sections. Related concepts are grouped together to make the rules easier to follow. A comparison table is included in section V to assist readers in locating provisions that appeared in the proposal. We also have added an Appendix to the final rules, setting out sample disclosures for broker-dealers, funds, and registered advisers to consider.

Section 248.1 Purpose and scope.

We are revising section 248.1, which identifies the purposes and scope of the rules. As stated in the proposal, the rule is intended to require a broker-dealer, fund, or registered adviser to provide notice to customers about its privacy policies and practices; to describe the conditions under which the institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and to provide a method for consumers to prevent the financial institution from disclosing that information to certain nonaffiliated third parties by "opting out" of that disclosure, subject to various exceptions as stated in the rules.

Most of the comments received on this section focused on the scope of the rules. Several commenters suggested that the Commission clarify how the rules apply to insurance companies. Section 505 of the G-L-B Act sets out the Commission's enforcement authority with respect to broker-dealers, funds, and registered advisers. The section explicitly excludes "persons providing insurance" from the Commission's (and the Agencies') enforcement authority (and, by operation of section 504(a)(1) of the G-L-B Act, from the Commission's and the Agencies' rulemaking authority). We believe that the G-L-B Act relies on the States to enforce Title V with respect to any insurance activities conducted by broker-dealers, funds, or registered advisers. Consistent with this reading of the statute, the final rule excludes the provision of insurance by a broker-dealer, fund, or registered adviser from the scope of Regulation S-P. If the insurance product also is a security, however, any broker-dealer or fund that provides that security, or registered adviser that provides advice with respect to that security is subject to Regulation S-P.10 In addition, insurance company separate accounts that are "investment companies" under the Investment Company Act are subject to this part.11

Several commenters stated that Regulation S-P should apply to foreign financial institutions that solicit business from individuals in the United States. As adopted, the requirements of Regulation S-P apply to any broker-dealer, fund, or investment adviser that is registered with the Commission, regardless of whether its consumers are U.S. persons or non-U.S. persons, and regardless of whether it conducts its activities through U.S. or non-U.S. offices or branches.12 We also have decided not to apply Regulation S-P to any foreign (or "non-resident") broker-dealer or fund that is not registered with the Commission. Despite the broad reach of the U.S. federal securities laws,13 we believe it would be impractical to apply Regulation S-P to those foreign unregistered entities. If a foreign broker-dealer or fund conducts activities through U.S. interstate commerce in a manner that subjects it to the registration requirements of the U.S. securities laws, it is subject to those requirements and any other applicable protections to investors, such as anti-fraud protections. We do not believe that subjecting these unregistered entities to the obligation to provide the privacy and opt out notices under Regulation S-P would add to the protections provided to investors under the G-L-B Act. As noted above, however, if a foreign broker-dealer, fund, or investment adviser decides to register with the Commission, it would be required to comply fully with Regulation S-P.14

Several commenters suggested that the rule should not apply to entities that must comply with regulations proposed by HHS to implement the HIPAA.15 We do not believe that broker-dealers, funds, or registered advisers would be subject to any rules HHS has proposed under HIPAA regarding protected health information. We recognize, however, that there could be areas of overlap between the rules adopted by HHS under HIPAA and the privacy rules. After HHS publishes its final rules, we will consult with HHS to avoid the imposition of duplicative or inconsistent requirements.

Section 248.2 Rule of construction.

We are revising section 248.2, which sets out a rule of construction intended to clarify the effect of the examples used in the rules, to include the sample clauses in the Appendix to the rules. As noted in the Proposing Release, the examples (and the sample clauses) are not intended to be exhaustive; rather, they are intended to provide guidance about how the rules would apply in specific situations.16

Commenters generally agreed that examples are helpful in clarifying how the rules will work in specific circumstances. Some commenters also suggested that we include more examples, and provide examples of model disclosures. A few commenters suggested that the regulation state that a financial institution is not obligated to comply with an example but has the latitude to comply with the general rules in other ways. Other commenters also requested that we treat the examples as safe harbors or establish a presumption that compliance with the examples constitutes compliance with the rules. Others stated that the examples ought to be identical in each privacy regulation adopted by the Commission and the Agencies.

We agree that more examples would be helpful, and have included additional examples in appropriate places throughout the rules. We also have provided sample clauses in the Appendix to assist broker-dealers, funds, and registered advisers in drafting privacy notices. The sample clauses are provided to illustrate the level of detail we believe is appropriate. We caution financial institutions against relying on the sample disclosures without determining the relevance or appropriateness of the disclosure for their operations. We have used statutory terms, such as "nonpublic personal information" and "nonaffiliated third parties," in the sample clauses to convey generally the subject of the clauses. However, a financial institution that uses these terms must provide sufficient information to enable consumers to understand what these terms mean in the context of the institution's notices.17

We have not added a statement in the final rule regarding a financial institution's ability to comply with the rules in ways other than as suggested in the examples. The rule states that the facts and circumstances of each individual situation will determine whether compliance with an example constitutes compliance with the applicable rule.18 The examples and the sample clauses do not provide a safe harbor.19 Nevertheless, we believe that, when read together, the rule of construction, examples, and sample clauses provide broker-dealers, funds, and registered advisers sufficient guidance on ways to comply with the rules as well as sufficient flexibility to comply with the regulation in ways appropriate for the institution.

Section 248.3 Definitions.

(a) Affiliate. We are adopting the definition of "affiliate" as proposed. The rule incorporates the definition of "affiliate" in the G-L-B Act.20 An affiliation exists when one company "controls" (as defined in section 248.3(g) below), is controlled by, or is under common control with another company. The definition includes both financial institutions and entities that are not financial institutions. The proposed rule also provided that a broker-dealer, fund, or registered adviser would be considered an affiliate of another company if the other company is regulated under Title V by one of the Agencies, and under that Agency's rules, the other entity would be affiliated with the broker-dealer, fund, or registered adviser. Few commenters addressed this definition, and none disagreed with it.

(b) Broker. We are adopting the definition of "broker" as proposed. The definition incorporates the meaning of "broker" in the Exchange Act. One commenter suggested that the definition exclude foreign banks and savings institutions because they will be subject to the privacy rules of the Banking Agencies.21 We disagree, and the rule does not include this exception.22 Brokers registered with the Commission include foreign entities that may not be subject to the Banking Agencies' privacy rules, which do not extend to foreign entities that do not have offices within the United States.23

(c) Clear and conspicuous. We are revising the definition of "clear and conspicuous" in response to issues raised by commenters. The proposed rules required various notices to be "clear and conspicuous," and defined the term to mean that the notice must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The proposal did not mandate the use of any particular technique for making the notices clear and conspicuous, but provided examples of how a notice may be made clear and conspicuous. As noted in the Proposing Release, each financial institution would retain the flexibility to decide for itself how best to comply with this requirement.24

We received a large number of comments on the proposed definition. Several commenters favored adopting the definition as proposed, with some advocating that the final rule include a requirement that disclosures be on a separate piece of paper in order to ensure that they will be conspicuous. Others stated that the definition was unnecessary, given the experience financial institutions have in complying with requirements that disclosures mandated by other laws be clear and conspicuous. Several commenters stated that the definition is inconsistent with requirements in other consumer protection regulations such as Regulation Z25 and the Truth in Savings regulation,26 which require only that a disclosure be reasonably understandable.27 A few commenters questioned how the requirement would work in a document that contains several disclosures that are required to be clear and conspicuous, while others raised questions about how a disclosure may be clear and conspicuous on an Internet web site.

New standard for "clear and conspicuous." The proposed definition developed the concept of "clear and conspicuous." The phrase "designed to call attention to the nature and significance of the information contained" was intended to provide meaning to the term "conspicuous." We believe that this standard will result in notices to consumers that communicate effectively the information consumers need in order to make an informed choice about the privacy of their information, including whether to open a brokerage account, purchase fund shares, or enter into an advisory contract with an adviser.

Examples of "clear and conspicuous." We recognize that many of the examples are imprecise. We believe, however, that more prescriptive examples, while perhaps easier to conform to, likely would result in requirements that would be inappropriate in a given circumstance. To avoid this result, the examples provide generally applicable guidance about ways in which a broker-dealer, fund, or registered adviser may make a disclosure clear and conspicuous. We note that the examples do not mandate how to make a disclosure clear and conspicuous. A financial institution must decide for itself how best to comply with the general rule, and may use techniques not listed in the examples. To address concerns about the imprecision of the examples, we have incorporated several of the commenters' suggestions in the final rule for ways to make the guidance more helpful.28

Combination of several notices. Commenters stated that a document may combine different types of disclosures that are subject to specific disclosure requirements under different regulations. For example, a fund that includes a privacy notice in its prospectus would have to make the privacy notice clear and conspicuous, and would have to prepare the prospectus according to certain standards under the Securities Act of 1933.29 The final rule provides an example of how a financial institution may make privacy disclosures conspicuous, including privacy disclosures that are combined in a document with other information.30 In order to avoid the potential conflicts between two different rules requiring different sets of disclosures that are subject to different standards, the final rule does not mandate precise specifications for presenting various disclosures.

Disclosures on Internet web pages. Several commenters requested guidance on how they may clearly and conspicuously disclose privacy-related information on their Internet sites. Disclosures over the Internet may present some issues that will not arise in paper-based disclosures. Consumers may view various web pages within a financial institution's web site in a different order each time they access the site, aided by hypertext links. Depending on the hardware and software used to access the Internet, some web pages may require consumers to scroll down to view the entire page. To address these issues, the example concerning Internet disclosures states that broker-dealers, funds, and registered advisers may comply with the rule if they use text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the web site (such as text, graphics, hypertext links, or sound) do not distract attention from the notice.31 The examples also note that the institution should place a notice or a conspicuous link on a screen that consumers frequently access, such as a page on which consumers conduct transactions.

There is a range of approaches a broker-dealer, fund, or registered adviser could use based on current technology. For example, a broker-dealer could use a dialog box that pops up to provide the disclosure before a consumer provides information to a financial institution. Another approach would be a simple, clearly labeled graphic located near the top of the page or in close proximity to the financial institution's logo, directing the customer, through a hypertext link or hotlink, to the privacy disclosures on a separate web page.

(d) Collect. We are revising the definition of "collect" to clarify the scope of the term.32 The G-L-B Act requires a financial institution to disclose in its initial and annual notices the categories of nonpublic personal information that the institution collects. The proposal defined "collect" to mean obtaining any information that is organized or retrievable on a personally identifiable basis, irrespective of the source of the underlying information. This definition was included to provide guidance about the information that a broker-dealer, fund, or registered adviser must include in its notices and to clarify that the obligations arise regardless of whether the institution obtains the information from a consumer or from some other source.

Commenters suggested that the final rule treat information that is not organized and retrievable in an automated fashion as not "collected." We disagree that information should not be deemed to be collected simply because it is not retrievable in an automated fashion. We believe that the method of retrieval is irrelevant to whether information should be protected under the rule. We agree, however, that the scope of the regulation should be refined, and have changed the definition of "collect" by using language from the Privacy Act of 1974.33

Other commenters requested that the rule clarify that information that a broker-dealer, fund, or registered adviser receives but then immediately passes along without retaining a copy, is not "collected." We believe that merely receiving information without retaining it would not be "collecting" the information. The final rule reflects this by stating that the information must be organized or retrievable by the financial institution.

(f) Company. We received no substantive comments on the proposed definition of "company" and are adopting it as proposed.34

(g) Consumer. We are adopting as proposed the definition of "consumer," and are revising the examples under the definition in response to issues raised by commenters. The G-L-B Act distinguishes "consumers" from "customers" for purposes of the statute's notice requirements. A broker-dealer, fund, or registered adviser is required to give a "consumer" the notices required under Title V only if the institution intends to disclose nonpublic personal information about the consumer to a nonaffiliated third party for purposes other than as permitted by section 502(e) of the statute.35 We received a large number of comments on this proposed definition that raised questions about how the definition would apply in a variety of situations.

Evaluation of a request for a financial product or service. The proposal defined "consumer" to mean an individual (and his or her legal representative) who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family, or household purposes.36 Because "financial product or service" includes a financial institution's evaluation of an application or request to obtain a financial product or service, a person becomes a consumer even if the application or request is denied or withdrawn.37 The examples for the definition of "consumer" clarify that a consumer includes an individual who provides nonpublic personal information when seeking to obtain brokerage or investment advisory services. For example, an investor who provides nonpublic personal information to several registered advisers (whether orally or in writing) in seeking financial advisory services would be a consumer of each registered adviser, even if the investor does not enter into an advisory contract with any of the advisers.

Many commenters disagreed that someone should be deemed a consumer of a financial institution by virtue of the institution evaluating nonpublic personal information provided by the individual in an application or otherwise. These commenters maintained that the individual has not obtained a financial product or service, as is required by the G-L-B Act. We believe, however, that a "financial product or service" includes the evaluation of information an individual provides to the financial institution in order to obtain some other financial product or service. Broker-dealers, funds, and registered advisers frequently provide a range of services in connection with the delivery of a financial product, including the evaluation of information provided by an individual. The evaluation may be the sole financial product or service delivered, or one of several services provided in connection with establishing a customer relationship. For example, an investor who seeks to invest in certain investment products, such as stock options, must provide a broker-dealer or registered adviser with nonpublic personal information in connection with the request. Based on this nonpublic personal information, the broker-dealer or registered adviser may open an account for the investor, but deny his or her request to invest in options. Whether the evaluation is the sole product or service or one of several, the institution's evaluation of the individual's information is a separate financial product or service.

The proposed definition of "consumer" also is consistent with one of the primary purposes of Title V: to enable an individual to restrict a financial institution from sharing nonpublic personal information about the individual with a nonaffiliated third party. The information an individual provides to a financial institution before a customer relationship is established is likely to contain precisely the types of information that the statute is designed to protect. This information is no less deserving of protection simply because an application is denied or withdrawn. For these reasons, we have retained in the examples in the definition of "consumer" an individual who provides nonpublic personal information to a broker-dealer or investment adviser in connection with obtaining brokerage or investment advisory services.38

Loan sales. Several commenters requested clarification of circumstances in which a borrower becomes a consumer. The final rule provides that a person will be a consumer of any entity that holds ownership or servicing rights to an individual's loan.39 We believe that financial institutions that own or service a loan provide a financial product or service to the individual borrower in question. In some cases, the product or service is the funding of the loan, directly or indirectly. In other cases, the product or service is the processing of payments, sending account-related notices, and responding to consumer questions and complaints about the handling of the account. The final rule defines "consumer" in a way that covers individuals receiving financial products or services in each of these situations.

Agents of financial institutions. Several commenters maintained that an individual should not be considered to be a consumer of an entity that is acting as agent for a financial institution.40 These commenters noted that the financial institution that hires the agent is responsible for that agent's conduct in carrying out the agency responsibilities. We agree and continue to believe that the broker-dealer, fund, or registered adviser has a consumer relationship, even if the institution uses agents to help it deliver its products or services. For example, fund consumers would not become consumers of the fund's transfer agent that services the fund's customer accounts. The final rule retains the examples addressing clearing agents and provides a more general example to illustrate this principle.41

Legal representative. We also agree with the suggestion by several commenters that the definition of "consumer" should clarify that a financial institution may satisfy the obligations stemming from a consumer relationship by dealing either with the individual who obtains a financial product or service from a financial institution or that individual's legal representative. We do not intend that the rule require a financial institution to send opt out and initial notices to both the individual and his or her legal representatives, and have amended the final rule accordingly.42

Trusts. We received several comments concerning whether an individual who obtains financial services in connection with trusts is a consumer or customer of a financial institution. Several commenters urged the Commission generally to exempt a financial institution from the requirements of the rules when it acts as a fiduciary or, in the alternative, to clarify the categories of individuals who are considered to be customers. Commenters proposed, for example, that individuals who are beneficiaries with current interests should be identified as customers, whereas individuals who are only contingent beneficiaries should not be customers. Other commenters stated that when the financial institution serves as trustee of a trust, neither the grantor nor beneficiary is a consumer or customer under the rules. In these commenters' view, the trust itself is the institution's "customer," and therefore the rules should not apply to a financial institution when it acts as trustee. These commenters also stated that when a financial institution is a trustee, it serves as a fiduciary and is subject to other obligations to protect the confidentiality of the beneficiaries' information that are more stringent than those under the provisions in the G-L-B Act. Similarly, these and other commenters claimed that an individual who is a participant in an employee benefit plan administered or advised by a financial institution does not qualify as a consumer or customer. They contended that plan participants have no direct relationship with the financial institution and, in any event, the financial institution is authorized to use information that would be covered under the G-L-B Act only in accordance with the directions of the plan sponsor. The commenters concluded, therefore, that the regulations should specifically exclude individuals who are participants in an employee benefit plan from the definition of customer.

We believe that the definition of "consumer" in the G-L-B Act does not squarely resolve whether the beneficiary of a trust is a consumer of the financial institution that is the trustee. We agree with the commenters who concluded that, when the financial institution serves as trustee of a trust, neither the grantor nor beneficiary is a consumer or customer under the rules. Instead, the trust itself is the entity that obtains the financial services, and the rules do not apply because the trust is not an individual.43 We note that a financial institution that is a trustee assumes obligations as a fiduciary, including the duty to protect the confidentiality of the beneficiaries' information, that are consistent with the purposes of the G-L-B Act and enforceable under State law. Accordingly, we have excluded an individual who is a beneficiary of a trust or a plan participant in an employee benefit plan, from the definitions of "consumer" and "customer." Nevertheless, we believe that an individual who selects a financial institution to be a custodian of securities or assets in an individual retirement account or individual retirement arrangement ("IRA") is a "consumer" under the G-L-B Act. We have included examples in the rule that appropriately illustrate this interpretation of the G-L-B Act.44

Requirements arising from consumer relationship. While the proposed and final rules define "consumer" broadly, we note that this definition will not result in any additional burden to a broker-dealer, fund, or registered adviser if (i) no customer relationship is established and (ii) the institution does not intend to disclose nonpublic personal information about the consumer to nonaffiliated third parties. Under the approach taken in the final rule, a broker-dealer, fund, or registered adviser is under no obligation to provide a consumer who is not a customer with any privacy disclosures unless it intends to disclose the consumer's nonpublic personal information to nonaffiliated third parties outside the exceptions in sections 248.14 and 248.15. The institution may disclose a consumer's nonpublic personal information to nonaffiliated third parties under the final rule, if it delivers the requisite notices and the consumer does not opt out. Thus, the rule allows a financial institution to avoid all of the rule's requirements for consumers who are not customers if the institution chooses not to share information about the consumers with nonaffiliated third parties. Conversely, if a broker-dealer, fund, or registered adviser chooses to share consumers' nonpublic personal information with nonaffiliated third parties, the financial institution is free to do so, provided it notifies consumers about the sharing and affords them a reasonable opportunity to opt out. In this way, the rule attempts to strike a balance between protecting an individual's nonpublic personal information and minimizing the burden on a financial institution.

(h) Consumer reporting agency. We received no comments on the proposed definition of "consumer reporting agency," and we are adopting it as proposed.45 The definition incorporates the definition of "consumer reporting agency" in the Fair Credit Reporting Act.46

(i) Control. We are adopting the definition of "control" as proposed. "Control" means the power to exercise a controlling influence over the management or policies of a company whether through ownership of securities, by contract, or otherwise. In addition, ownership of more than 25 percent of a company's voting securities creates a presumption of control of the company. This definition is used to determine when companies are affiliated.47 Under the definition, companies are considered to be affiliates regardless of whether the control is by a company or individual.

Some commenters suggested that the rule adopt the definition of control used in Form BD to determine when an entity is a "control affiliate."48 Another commenter suggested a test that focuses solely on percent of stock owned in a company in order to avoid the uncertainties from a "control-in-fact" test. One commenter suggested alternative definitions based on (i) the ability to control the use of information in a company in which an ownership interest exists or (ii) a bright line 10 percent ownership test that also provided for aggregating the interests of credit unions and their wholly owned subsidiaries.

We believe that a test based only on stock ownership is unlikely to be flexible enough to address all situations in which companies should be considered to be affiliated. In addition, the proposed definition of control is consistent with the definition in Form BD, except that the definition in Form BD creates a presumption of control in broader circumstances.49 The rule limits the presumption of control to ownership of more than 25 percent of the voting securities, consistent with the definition of control in the Investment Company Act.50 This definition does not prevent a finding of control-in-fact in the circumstances that create a presumption of control under the definition in Form BD.

(j), (k) Customer, Customer relationship. We received a large number of comments on the definition of "customer" and "customer relationship." A "customer" is a consumer who has a "customer relationship" with a financial institution, and a "customer relationship" is a continuing relationship between a consumer and a broker-dealer, fund, or registered adviser under which the institution provides a financial product or service that is to be used by the consumer primarily for personal, family, or household purposes. As noted in the proposal, a one-time transaction may be sufficient to establish a customer relationship, depending on the nature of the transaction. A consumer would not become a customer simply by engaging in an isolated transaction that by itself would be insufficient to establish a customer relationship, such as when an individual opens a brokerage account solely for the purpose of liquidating or purchasing securities as an accommodation, i.e., on a one-time basis, without the expectation of engaging in other transactions.

Point at which a consumer becomes a customer. Commenters criticized the vagueness of the standard for differentiating consumers from customers. Several suggested that the distinction should be based on when a consumer and financial institution enter into a written contract for a financial product or service.

We recognize that the distinction between consumers and customers will, in some instances, require a financial institution to make a judgment about whether a customer relationship is established. When an individual engages in a transaction and is not likely to expect further communication about that transaction from the financial institution (such as brokerage services as an accommodation to buy or liquidate securities), the individual will not have established a customer relationship as a result of that transaction. In other situations when a consumer typically would receive some measure of continued service following, or in connection with, a transaction (such as when a consumer opens a brokerage account, is the record owner of fund shares, or obtains investment advice), a customer relationship is established. We believe that the distinction set out in the proposed rule, as further clarified by the examples in the final rule of when a customer relationship is and is not established, provides a sufficiently clear line while retaining flexibility to address less clear-cut situations on a case-by-case basis.

Use of "isolated transaction" test. The final rule does not define the distinction between consumer and customer based solely on whether the transaction is an isolated event. We used this concept in an example in the proposed rule to illustrate one of the factors that may determine whether a relationship is of a continuing nature. Several commenters suggested that this approach was insufficiently precise to serve as a workable distinction between consumers and customers. We agree that the test may not be useful in all situations, but believe that it will help clarify the status of relationships in certain circumstances. Accordingly, the final rule retains the following example of an "isolated transaction": providing brokerage services as an accommodation to buy or liquidate securities without the expectation of engaging in further transactions does not establish a customer relationship.51

Purchase of insurance. Some commenters suggested that, in the context of financial institutions that engage in the sale of insurance and that are regulated by the Commission, the customer should be the policyholder and not the beneficiary. As discussed above, Regulation S-P does not apply to the provision of insurance by broker-dealers, funds, or registered advisers. A variable annuity or variable life insurance contract, however, is both an insurance product and a security.52 We agree with the commenters, and the final rule includes an example of purchasing a variable annuity as one situation in which a customer relationship is formed.53 In this case, the person obtaining a financial product or service from the financial institution is the person purchasing the annuity.54

Sales of loans. As noted above, several commenters raised questions about loan sales. They stated that when a financial institution sells the servicing rights for a loan to another financial institution, the borrower should not be considered a customer of both institutions. Commenters suggested that the entity with which the borrower communicates about the loan (i.e., the servicer) could have the customer relationship with the borrower, and that the other institutions could have a consumer relationship with the borrower.

We believe that it is appropriate to consider that a loan transaction gives rise to only one customer relationship and that this customer relationship may be transferred in connection with a sale of part or all of the loan. In this way, the borrower will not be inundated by privacy notices, many of which might be from secondary market purchasers that the borrower did not know had any connection to his or her loan. We note, however, that a borrower will remain a consumer of the institution that transfers the servicing rights, as well as a consumer of any other institution that holds an interest in the loan.

Under the final rules, therefore, a financial institution will be considered to have established a customer relationship with any individual to whom it makes a loan.55 If the institution transfers the servicing rights of that loan to another institution, the second institution will establish a customer relationship with the individual, and the first institution's customer relationship will end (if the relationship is based solely on the loan).56 If the originating lender sells the loan but continues to service the loan, it will continue to have a customer relationship with the borrower, and the purchaser will have a consumer relationship with the borrower.57 For example, a broker-dealer who purchases a loan, but not the servicing rights to the loan, will have a consumer relationship, but not a customer relationship, with the borrower.58

Fund shares purchased through an intermediary. Several commenters suggested that an individual who is the record owner of fund shares should not be a fund's "customer" if the fund is limited, under its contract with the intermediary who sold the shares, to servicing the investor's account. The commenters argue that these investors would be confused by receiving privacy notices from the fund. We proposed a "bright line" example of record ownership to establish the customer relationship because the fund clearly has nonpublic personal information about its record owners that is personally identifiable. We do not believe that an investor who receives account statements and other information from a fund that services the investor's account will be confused by receiving notices regarding the fund's privacy policies and practices. Moreover, an investor is unlikely to know whether a fund is contractually limited in its use of the investor's nonpublic personal information or whether those contract terms may change. For these reasons, we are adopting the proposed example that record owners of fund shares are the fund's customers.59

Fund complex. One commenter suggested that a customer of a fund should be considered a customer of the fund complex, which may include the fund's primary investment adviser, or that a fund customer, at least in some cases, should also be considered a customer of the fund's primary investment adviser. We noted in the Proposing Release that the record owner of fund shares has a customer relationship with both the fund and the principal underwriter (which is a broker-dealer) that sells the shares.60 The customer relationship with the broker-dealer arises because the investor has an account with the broker-dealer, who provides financial services directly to the investor. By contrast, an investment adviser to a fund does not generally have an ongoing account relationship with each fund shareholder. Instead, it serves the fund shareholders indirectly through the portfolio management services it provides to the fund.

We recognize that the definition of "customer" may have disparate effects on the ability of some investment advisers to receive nonpublic personal information about fund investors. For example, if the underwriter of a fund is affiliated with the fund's investment adviser, the underwriter can share nonpublic personal information about its customers with the adviser. By contrast, if the underwriter is not affiliated with the fund's investment adviser, the underwriter can share this type of information only under an exception in section 248.13, 248.14, or 248.15, and the adviser's ability to reuse the information would be limited to the purpose for which it received the information. These limitations result from the language of the G-L-B Act, which defines affiliation in terms of "control," and we are unwilling to modify the definition of "customer relationship" to alter the effect of that definition.61 For these reasons, we believe that, in the absence of an advisory contract with the investor, a fund's primary investment adviser does not have a customer relationship with the fund's customers.62

Transferred accounts. One commenter requested clarification about whether an investor becomes a consumer of a broker-dealer when the consumer's account is transferred to the broker-dealer. An individual who has an account with a broker-dealer or a contract with a registered adviser has established a customer relationship with that broker-dealer or adviser. Thus, the investor is a customer of that broker-dealer or registered adviser, regardless of whether the account was transferred at the customer's request or as the result of a merger, acquisition, or assignment. Accordingly, the final rule includes an example that an individual is a customer of a broker-dealer or registered adviser if the individual's account is transferred to the broker-dealer or adviser.63

Trusts. The final rule adds an example to clarify that an individual will be deemed to establish a customer relationship when a broker-dealer, fund, or registered adviser acts as a custodian for securities or assets in an IRA.64 This example is consistent with the explanation set out above in the discussion of "consumer" concerning trusts.65

(l) Dealer. We received no comments on the proposed definition of "dealer" and are adopting it as proposed. The definition incorporates the definition of dealer in the Exchange Act.66

(m) Federal functional regulator. We are defining the term "federal functional regulator" in place of "government regulator." The proposal sought comment on a definition of "government regulator" which included each of the Agencies, the Commission, and State insurance authorities under the circumstances identified in the definition. This term was used in the exception in proposed section 248.15(a)(4) for disclosures to law enforcement agencies, "including government regulators."

For purposes of the privacy rules, this term is relevant in determining when an entity is an affiliate and when a broker-dealer, fund, or registered adviser may disclose information to a law enforcement agency.67 The exception for disclosure as stated in the G-L-B Act uses the term "Federal functional regulator,"68 which is defined in the statute at section 509(2) and includes the Secretary of the Treasury for purposes of the exception permitting disclosures to law enforcement agencies. We have decided that it is appropriate to use the term "federal functional regulator" instead of "government regulator."

(n) Financial institution. We are adopting the definition of "financial institution" as proposed. The proposal defined "financial institution" as any institution the business of which is engaging in activities that are financial in nature, or incidental to such financial activities, as described in section 4(k) of the Bank Holding Company Act of 1956.69 The G-L-B Act also defines "financial institution," and the proposal excepted from the definition those entities the G-L-B Act also excepts.70

Commenters suggested that the final rule include additional exceptions from the definition, such as for securitization trusts, debt buyers, and credit bureaus. We have not included these exceptions in the final rule. We believe it is inappropriate to exclude many of the activities suggested by commenters because the objective of the suggested exclusions can be achieved in other ways. Even if an entity is a financial institution as that term is used in the G-L-B Act, it will not have any disclosure responsibilities under the Act or this rule if it does not provide a financial product or service to a consumer. In most of the situations posited by the commenters, the entity in question will not meet that test and therefore will fall outside the scope of the rules with respect to privacy disclosures.71

(o) Financial product or service. We are adopting the definition of "financial product or service" as proposed. The proposal defined the term as a product or service that a broker-dealer, fund, or registered adviser could offer by engaging in an activity that is financial in nature, or incidental to such a financial activity, under section 4(k) of the Bank Holding Company Act. An activity that is complementary to a financial activity, as described in section 4(k), was not included in the proposed definition of "financial product or service." The proposal's definition included the broker-dealer, fund, or registered adviser's evaluation of nonpublic personal information collected in connection with a request by a consumer for a financial product or service even if the request ultimately is rejected or withdrawn.72 It also included the distribution of information about a consumer for the purpose of assisting the consumer in obtaining a financial product or service.

Several commenters criticized the proposed definition and suggested that the evaluation of application information should not be considered a financial product or service. For the reasons discussed above regarding the definition of "consumer," we continue to believe that it is appropriate to retain evaluation or brokerage of information as within the scope of financial products or services covered by the rules.

(q) Investment adviser. We received no comments on the proposed definition of "investment adviser" and are adopting it as proposed. The definition incorporates the definition of "investment adviser" under the Investment Advisers Act.73

(r) Investment company. We received no substantive comments on the proposed definition of "investment company" and are adopting it as proposed. The definition incorporates the definition of "investment company" under the Investment Company Act, whether or not the company is registered with the Commission.74

(s) Nonaffiliated third party. We are adopting the definition of nonaffiliated third party as proposed. The proposal defined the term as any "person" (including natural persons as well as corporate entities) except (i) an affiliate of a financial institution and (ii) a joint employee of a financial institution and a third party. The proposal clarified the circumstances under which a company that is controlled by a broker-dealer, fund, or registered adviser through that institution's merchant banking activities or insurance company activities would be a "nonaffiliated third party" of the broker-dealer, fund, or registered adviser.

We received very few comments in response to the proposed definition. One commenter requested that the final rule state that a disclosure of information to someone who is serving as a joint employee of two financial institutions should be deemed to have been disclosed to both financial institutions. We disagree with this result. Instead, we believe it is appropriate to deem the information to have been given to the financial institution that is providing the financial product or service in question. Thus, for example, if an employee of a bank is also an employee of a brokerage firm, information that employee receives in connection with a securities transaction conducted with the brokerage firm would be considered as received by the brokerage firm.

(t) Nonpublic personal information. We are revising the definition of "nonpublic personal information." Section 509(4) of the G-L-B Act defines the term to mean "personally identifiable financial information" that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer, or is otherwise obtained by the financial institution. The term also includes any "list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information that is not publicly available information." The G-L-B Act excludes publicly available information (unless provided as part of the list, description, or other grouping described above), as well as any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using nonpublic personal information. The statute does not define either "personally identifiable financial information" or "publicly available information."

The proposed rules implemented the definition of "nonpublic personal information" under the G-L-B Act by restating the categories of information described above. The proposed rules treated information as publicly available if a broker-dealer, fund, or registered adviser could obtain it from a public source. We also asked for comment on an approach that would have deemed information as "publicly available" only if a financial institution actually obtained it from a public source ("alternative approach").75 Most commenters supported the proposed approach to publicly available information. They noted that the proposed rule was consistent with the Act and would be far less burdensome on financial institutions. They also stated that any requirement that the information actually be obtained from a public source would impose a needless burden on financial institutions (by requiring, for instance, that a financial institution "tag" information it obtained from public records) and is not required by the Act. Other commenters advocated the alternative approach. They argued that the alternative approach would provide the greatest protection for consumers by treating any information the consumer gives to a financial institution to obtain a financial product or service as nonpublic personal information. This protection would be lost only if a financial institution actually obtained the information from a public source. These commenters also preferred the bright-line distinction drawn by the alternative approach.

The final rule adopts an approach that we believe incorporates the benefits of both alternatives. As under the proposed rule, in the final rule information will be deemed to be "publicly available" and therefore excluded from the definition of "nonpublic personal information" if a broker-dealer, fund, or registered adviser reasonably believes that the information is lawfully made available to the general public from one of the three categories of sources listed in the rule.76 The examples provided in the rule clarify when a broker-dealer, fund, or registered adviser has a reasonable belief that information is lawfully made available to the general public. For example, an institution would have a reasonable belief if (i) the institution has confirmed, or the consumer has represented, that the information is publicly available from a public source, or (ii) the institution has taken steps to submit the information, in accordance with its internal procedures and policies and with applicable law, to a keeper of federal, State, or local government records who is required by law to make the information publicly available.77 The examples also state that a broker-dealer, fund, or registered adviser would have a reasonable belief that a telephone number is publicly available if the institution located the number in a telephone book or if the consumer told the institution that the number is not unlisted.78 Moreover, the examples make clear that an institution may not assume information about a particular consumer is publicly available simply because that type of information is normally provided to a government record keeper and made available to the public by the record keeper, because the consumer may have the ability to keep that information nonpublic or to screen his or her identity.

The approach of the final rule is based on the underlying principle that a consumer in many circumstances can control the public availability or identification of his or her information and that a financial institution therefore should not assume that the information about that customer is in fact publicly available. Thus, even though a lender typically enters a mortgage in public records in order to protect its security interest, when a borrower can maintain the privacy of his or her personal information by owning the property and obtaining the loan through a separate legal entity, the customer's name would not appear in the public record. In the case of a telephone number, a person may request that his or her number be unlisted. Thus, in evaluating whether it is reasonable to believe that information is publicly available, a financial institution must determine whether the consumer has kept the information or his or her identity from being a matter of public record.79

To implement the complex definition of "nonpublic personal information" that is provided in the statute, the final rule adopts a definition that consists, generally speaking, of (i) personally identifiable financial information, plus (ii) a consumer list or description or grouping of consumers (and publicly available information pertaining to the consumers) that is derived using any personally identifiable financial information that is not publicly available information. From that body of information, the final rule excludes publicly available information (except as noted above or if the information is disclosed in a manner that indicates that the individual is the institution's consumer) and any consumer list that is derived without using personally identifiable financial information that is not publicly available information.80 Examples illustrate how this definition applies in the context of consumer lists.81

(u) Personally identifiable financial information. We are adopting the definition of "personally identifiable financial information" substantially as proposed. The proposed rule defined the term to include (i) information that a consumer provides a broker-dealer, fund, or registered adviser in order to obtain a financial product or service, (ii) information resulting from any transaction between the consumer and a broker-dealer, fund, or registered adviser involving a financial product or service, and (iii) information about a consumer that a broker-dealer, fund, or registered adviser otherwise obtains in connection with providing a financial product or service to the consumer. The proposed rule also treated the fact that someone is a consumer of a broker-dealer, fund, or registered adviser as personally identifiable financial information. In essence, the proposed rules treated any personally identifiable information as "financial" if a broker-dealer, fund, or registered adviser obtained the information in connection with providing a financial product or service to a consumer. We noted in the Proposing Release that this interpretation may result in certain information being covered by the rules that may not commonly be considered intrinsically financial, such as health status.82

We received a large number of comments in response to the definition of "personally identifiable financial information." Many commenters objected to including in the term certain identifying information that they did not view as "financial," such as name, address, and telephone number. Many commenters argued that "personally identifiable financial information" should not include the fact that someone is a customer of a financial institution. These commenters noted that many customer relationships are matters of public record (such as would be the case, for instance, any time a transaction results in the recording of a security interest) while other customer relationships are matters of public knowledge (because consumers frequently disclose the relationships by writing checks, using credit cards, and so on). Many commenters stated that aggregate data about a financial institution's customers that lack personal identifiers should not be considered personally identifiable financial information.

Treatment of identifying information as financial. We continue to believe that it is appropriate to treat any information as "financial" information if a financial institution obtains it in order to provide a financial product or service. We also believe this approach is consistent with the G-L-B Act. Although the statute does not define the term "financial," it does include a broad definition of "financial institution" used in the G-L-B Act, which encompasses a large number of entities (such as travel agencies, insurance companies, and data processors) that engage in activities not traditionally considered financial. As a consequence of that definition, the range of information that has a bearing on the terms and availability of a financial product or service or that a financial institution uses in connection with providing a financial product or service is extremely broad and may include, for instance, medical information and other types of information that might not commonly be thought of as financial. It includes information a broker-dealer, fund, or registered adviser requests from the consumer, obtains from a transaction involving a financial product or service with the consumer, or otherwise obtains in connection with providing a financial product or service to a consumer. Thus, the information included in the definition of "financial" is information the broker-dealer, fund, or registered adviser has determined is relevant to providing a financial product or service.

We are sensitive to the concern expressed by several commenters about the need for ready access to identifying information to locate individuals who are attempting to evade their financial obligations. These commenters suggested that names, addresses, and telephone numbers should not be treated as financial information. We believe, however, that this information is financial, and is covered by the G-L-B Act. Broker-dealers, funds, and registered advisers rely on a broad range of information, including information such as addresses and telephone numbers, when providing financial products or services. Broker-dealers, funds, and registered advisers use location information to provide a wide variety of financial services, such as sending account statements and disbursing funds to a consumer. We concluded that it would be inappropriate to exclude certain items of information from the definition of personally identifiable financial information simply because a particular broker-dealer, fund, or registered adviser might not rely on those items when providing a particular financial product or service.83

Customer relationship as "personally identifiable financial information." We disagree with those commenters who maintain that customer relationships should not be considered to be personally identifiable financial information. This information is "personally identifiable" because it identifies the individual as a customer of the institution. The information is financial because it reveals a financial relationship with the institution and the receipt of financial products or services from the institution.

Changes made to the definition. We have revised the definition of "personally identifiable financial information" to make it easier to read and understand. In addition, the final rule adds to the examples of information covered by the rule any information that the institution collects through an information-collecting device from a web server, often referred to as a "cookie."84 This example illustrates one of the many ways that a financial institution may obtain information about a consumer in connection with providing a financial product or service to that consumer.

In addition, in response to many comments from the securities industry, the final rule also includes an example that clarifies that aggregate information (or "blind data") lacking personal identifiers is not covered by the definition of "personally identifiable financial information."85 We agree with the commenters who argued that this type of data does not "identify" any individual.

(v) Publicly available information. We are adopting the definition of "publicly available information" substantially as proposed. The proposal defined the term to include information that is lawfully available to the general public from official public records (such as real estate recordations or security interest filings), information from widely distributed media (such as a telephone book, television or radio program, or newspaper), and information that is required to be disclosed to the general public by federal, State, or local law (such as prospectuses and periodic shareholder reports). The proposed rule stated that publicly available information from widely distributed media would include information from an Internet site that is available to the general public without requiring a password or similar restriction. As previously explained in the discussion of "nonpublic personal information," we have adopted the proposed approach in the final rule, but with additional clarifying provisions.

Many commenters questioned the appropriateness of excluding from the definition of "publicly available information" information that a person obtains over the Internet by using a password or complying with a similar restriction. These commenters noted that many Internet sites are available to a large number of people, each of whom needs a user name and identification number to access the sites. Several of these commenters suggested that it would be more appropriate to focus on whether the information was lawfully placed on the Internet.

We agree with these comments, and have revised the final rule to remove the reference to passwords or similar restrictions from the example of the Internet as a "widely distributed" medium of communication. In its place, we have substituted a standard that requires the information, whether from the Internet or otherwise, to be available on an unrestricted basis. Information that an individual specifically requests be compiled, such as information that a locator or "look up" service provides with respect to a particular individual that may combine confidential information in addition to publicly available information, will not be considered available to the general public on an unrestricted basis, regardless of whether the information is provided over the Internet or otherwise. The rule also states that an Internet site is not restricted merely because an Internet service provider or a site operator requires a fee or password, as long as access is otherwise available to the general public. One common use of passwords is to confine the access of web site users to specific, individual information. However, web site operators also may require user identifications and passwords as a method of tracking access rather than restricting access to the information available through the website. Internet service providers may charge fees to users to access the site rather than to restrict access to particular information. Other sites available to the general public, such as daily newspapers, also may charge a fee to access archived information. Therefore, we believe that the definition of "widely distributed media" should properly focus on whether the information is lawfully available to the general public, rather than on the type of medium from which information is obtained.

We note that the concept of information being lawfully obtained was included in the proposal, and is retained in the final rule.86 Thus, information unlawfully obtained will not be deemed to be publicly available notwithstanding that it may be available to the general public through widely distributed media.

(w) You. We are adopting the definition of "you" largely as proposed. The proposed definition of "you" referred to broker-dealers, funds, and registered advisers, which are the entities within the Commission's jurisdiction under Title V. We are, however, revising the definition to clarify that the provision of insurance by financial institutions under the Commission's primary jurisdiction is not covered under these rules.87

A. Subpart A - Privacy and Opt Out Notices

Sections 248.4 through 248.9 of Regulation S-P include requirements concerning the delivery of initial and annual notices about the privacy policies and practices of a financial institution, and about the opportunity and methods for consumers to opt out of their institution's sharing of their nonpublic personal information with nonaffiliated third parties.

Section 248.4 Initial privacy notice to consumers required.

We are revising the requirements relating to initial privacy notices to consumers, in response to issues raised by commenters. The G-L-B Act requires a financial institution to provide an initial notice of its privacy policies and practices in two circumstances. For customers, the notice must be provided at the time of establishing a customer relationship.88 For consumers who are not customers, the notice must be provided before disclosing nonpublic personal information about the consumer to a nonaffiliated third party.89

The proposed rules implemented these requirements by mandating that a financial institution provide the initial notice to an individual prior to the time a customer relationship is established and the opt out notice prior to disclosing nonpublic personal information to nonaffiliated third parties. The rule required these disclosures to be clear and conspicuous and to accurately reflect the institution's privacy policies and practices. The proposal also set out rules governing when a customer relationship is established and how a financial institution is to provide notice.90

We received many comments raising concerns about proposed section 248.4. Most commenters from the securities industry raised questions about the time when initial notices must be provided, the point at which a customer relationship is established, and how initial notices may be provided.

Providing initial notices "prior to" time customer relationship is established. Almost all the commenters from the securities industry stated that, because the statute requires only that the initial notice be provided "at the time of establishing a customer relationship," the regulation should not require that the notice be provided "prior to" the point when a customer relationship is established. Some of these commenters were concerned that the rule could be interpreted as requiring a financial institution to provide disclosures at a point different from when they must provide other federally mandated consumer disclosures during the process of establishing a customer relationship.

Although we believe many commenters misinterpreted the proposed language concerning the timing for providing initial notices, we have revised the rule to clarify the requirement. The final rule states that, as a general rule, the initial notice must be given not later than the time when a financial institution establishes a customer relationship.91 As stated in the Proposing Release, the initial notices may be provided at the same time a broker-dealer, fund, or registered adviser is required to give other notices, such as the requirement that credit terms in margin transactions be disclosed,92 or that a registered adviser provide each client with a written disclosure statement ("brochure") not later than the time of entering an investment advisory contract with the client.93 This approach, like the approach taken in the proposed rule, strikes a balance between (i) ensuring that consumers will receive privacy notices at a meaningful point during the process of "establishing a customer relationship" and (ii) minimizing unnecessary burden on broker-dealers, funds, and registered advisers that may otherwise result if the final rule were to require financial institutions to provide consumers with a series of notices at various times in a transaction.

Providing notices after customer relationship is established. Several commenters stated that the rule should provide financial institutions with the flexibility to deliver the initial notice after the customer relationship is established under certain circumstances. These commenters offered several situations in which a customer relationship is established without direct contact between the consumer and the financial institution. The commenters stated that delivery of the initial notice before the customer relationship is established in these situations would be impractical. Commenters also indicated that in many circumstances requiring delivery at this time would have a significant adverse effect on the ability to provide a financial product or service to a consumer as quickly as the consumer desires.

To accommodate the wide range of situations presented by the commenters, we have modified the examples of when subsequent delivery of the initial notice is appropriate, so that they now are more broadly applicable. As stated in the final rule in section 248.4(e), a broker-dealer, fund, or registered adviser may satisfy the delivery requirement by providing the initial notice within a reasonable time after establishing a customer relationship, in three instances. First, the institution may provide notice after the fact if the customer has not elected to establish the customer relationship.94 This might occur, for example, when a brokerage account is transferred to another broker by a trustee selected by the Securities Investor Protection Corporation ("SIPC") and appointed by a United States Court.95 Second, a broker-dealer, fund, or registered adviser may send a notice after establishing a customer relationship when to do otherwise would substantially delay the consumer's transaction and the consumer agrees to receive the notice at a later time.96 An example of this is when an investor requests over the telephone that a broker-dealer execute a securities trade. The final example states that delayed delivery is permissible when a nonaffiliated broker-dealer or registered adviser purchases fund shares or establishes a brokerage account on behalf of a customer.97

We note that in most situations, a broker-dealer, fund, or registered adviser should give the initial notice at a point when the consumer still has a meaningful choice about whether to enter into the customer relationship.98 The exceptions listed in the examples, while not exhaustive, are intended to illustrate the less frequent situations when delivery either would pose a significant impediment to the conduct of a routine business practice or the consumer agrees to receive the notice later in order to obtain a financial product or service immediately.

In circumstances when it is appropriate to deliver an initial notice after the customer relationship is established, a broker-dealer, fund, or registered adviser should deliver the notice within a reasonable time thereafter. Several commenters requested that the final rule specify how many days a financial institution has in which to deliver the notice under these circumstances. However, we believe that a rule prescribing the maximum number of days would be inappropriate because (i) the circumstances of when an after-the-fact notice is appropriate are likely to vary significantly, and (ii) a rule that attempts to accommodate every circumstance is likely to provide more time than is appropriate in many instances. Therefore, we have retained the more general rule as set out in the proposal.99

As we noted in the Proposing Release, nothing in the rule is intended to discourage a financial institution from providing an individual with a privacy notice at an earlier point in the relationship in order to make it easier for the individual to compare its privacy policies and practices with those of other institutions in advance of conducting transactions.100

New notices not required for each new financial product or service. Several commenters asked whether a new initial notice is required every time a consumer obtains a financial product or service from that broker-dealer, fund, or registered adviser. These commenters suggested that a consumer would not materially benefit from repeated disclosures of the same information, and that requiring additional initial notices to be provided to the same consumer would be burdensome on financial institutions.

We agree that it would be burdensome, with little corresponding benefit to the consumer, to require a financial institution to provide the same consumer with additional copies of its initial notice every time the consumer obtains a financial product or service. Accordingly, the final rule states that a broker-dealer, fund, or registered adviser will satisfy the notice requirements when an existing customer obtains a new financial product or service if the institution's initial, revised, or annual notice (as appropriate) is accurate with respect to the new financial product or service.101

Joint accountholders. We agreed with several commenters who recommended that the final rule state that a financial institution is not obligated to provide more than one notice to joint accountholders.102 Accordingly, the final rule clarifies that one notice may be sent in connection with a joint account.103 A broker-dealer, fund, or registered adviser may, in its discretion, provide notices to each party to the account. This situation might arise, for example, when a financial institution does not want one opt out election to apply automatically to all joint accountholders.104

Mergers. A few commenters requested guidance on what notices are required in the event of a merger of two financial institutions or an acquisition of one financial institution by another. In such a situation, the need to provide new initial (and opt out) notices to the customers of the entity that ceases to exist will depend on whether the notices previously given to those customers accurately reflect the policies and practices of the surviving entity. If they do, the surviving entity will not be required under the rule to provide new notices.105

As was stated in the Proposing Release, a financial institution may not fail to maintain the protections that it represents in the notice that it will provide.106 We expect that broker-dealers, funds, and registered advisers will take appropriate measures to adhere to their stated policies and practices.

Section 248.5 Annual privacy notice to customers required.

We are adopting largely as proposed the requirements relating to annual privacy notices to consumers. Section 503 of the G-L-B Act requires a financial institution to provide notices of its privacy policies and practices at least annually to its customers "during the continuation" of a customer relationship. The proposed rules implemented this requirement by requiring a clear and conspicuous notice that accurately reflects the privacy policies and practices then in effect to be provided at least once during any period of twelve consecutive months.107 The proposed rule noted that the rule governing how to provide an initial notice also would apply to annual notices, and stated that a financial institution would not be required to provide annual notices to a customer with whom it no longer has a continuing relationship.108

Many commenters from the securities industry requested that the final rule permit annual notices to be given each calendar year, instead of every 12 months. A few commenters recommended that the rule require notices each calendar year, with no more than 15 months elapsing between mailings. To clarify the extent of financial institutions' flexibility, the final rule retains the general rule requiring annual notices but then provides an example, stating that a broker-dealer, fund, or registered adviser may select a calendar year as the 12-month period within which notices will be provided, and deliver the first annual notice at any point in the calendar year following the year in which the customer relationship was established.109 The final rule also requires that a broker-dealer, fund, or registered adviser apply the 12-consecutive-month period to its customers consistently.

Several commenters suggested that a financial institution be permitted to make the annual notice available upon request only, particularly if there have been no material changes to the notice since it was last delivered. These commenters argued that little value is added by providing customers with additional copies each year of the same information. Some suggested that financial institutions be permitted to provide a "short-form" annual notice, in which the institution informs its customers that there has been no change to its privacy policies and practices and that the customers may obtain a copy upon request.

We have not amended the final rule to permit this approach, for two reasons. First, we believe that the G-L-B Act requires a full set of disclosures to each customer once a year.110 Second, the revisions to the disclosure provisions reflected in the final rule clarify that a broker-dealer, fund, or registered adviser is not required to provide a lengthy and detailed privacy notice. Small institutions that do not share information with third parties beyond the statutory exceptions should be able to provide a short, streamlined notice. The rule also permits a broker-dealer, fund, or registered adviser to provide annual notices to customers over the institution's web site if the customer conducts transactions electronically and agrees to the electronic disclosures.111 As a result, the final rule achieves much of the burden reduction sought by those requesting a short-form annual notice option.112

Section 248.6 Information to be included in initial and annual privacy notices.

We are revising the requirements for information to be included in initial and annual privacy notices. The revisions clarify the level of detail required in these notices, and permit a "short-form" initial notice in certain circumstances.

Section 503 of the G-L-B Act identifies the items of information that a broker-dealer, fund, or registered adviser must include in its initial and annual notices. Section 503(a) of the G-L-B Act sets out the general requirement that a financial institution must provide customers with a notice describing the institution's policies and practices with respect to, among other things, disclosing nonpublic personal information to affiliates and nonaffiliated third parties. Section 503(b) of the Act identifies certain elements that must be addressed in that notice.

The proposed rule implemented section 503 by requiring a financial institution to provide information concerning:

  • The categories of nonpublic personal information that a broker-dealer, fund, or registered adviser may collect;

  • The categories of nonpublic personal information that a broker-dealer, fund, or registered adviser may disclose;

  • The categories of affiliates and nonaffiliated third parties to whom a broker-dealer, fund, or registered adviser discloses nonpublic personal information, other than those to whom information is disclosed under an exception in section 502(e) of the G-L-B Act;

  • The broker-dealer, fund, or registered adviser's policies with respect to sharing information about former customers;

  • The categories of information that are disclosed under agreements with third party service providers and joint marketers and the categories of third parties providing the services;

  • A consumer's right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties;

  • Any disclosures regarding affiliate information sharing opt outs a financial institution is providing under the Fair Credit Reporting Act; and

  • The institution's policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information.

We received a large number of comments concerning these requirements, and most made the points summarized below.

Level of detail required. Many commenters observed that the level of detail required by the proposed rule would result in lengthy, complicated, and confusing disclosures. These comments have led us to revise the rule to clarify the level of detail required in a financial institution's initial and annual disclosures.

We do not intend to require a broker-dealer, fund, or registered adviser to publish lengthy disclosures that precisely identify every type of information collected or shared, the name of every entity with which the institution shares information, and a complete description of the technical specifications of how the institution protects its customers' records or the identity of each employee who has access to those records. Instead, the rule is intended to require notices that provide consumers with the types of third parties with which a financial institution shares nonpublic personal information, the types of information it shares, and the other information about the institution's privacy policies and practices listed above. The final rule, like the proposal, permits a broker-dealer, fund, or registered adviser to comply with these notice requirements by describing its privacy policies and practices.113 We believe that in most cases the initial and annual disclosure requirements can be satisfied by disclosures contained in a tri-fold brochure.

In response to commenters' concerns that consumers will not read long, detailed disclosures, we have revised the examples of the disclosures to clarify the level of detail that we think is appropriate. We have provided sample clauses in the Appendix to the rules, and have set out a compliance guide below in this release. Because the examples are not exclusive, the final rule permits a financial institution to use different categories than those provided in the examples, thereby providing additional flexibility for financial institutions in complying with the disclosure requirements. In addition, we have revised the language that precedes the items of information to be addressed in the initial notice, to clarify that a broker-dealer, fund, or registered adviser is required only to address those items that apply to the institution. Thus, for instance, if an investment adviser does not disclose nonpublic personal information to third parties, it may simply omit any reference to the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information.

As noted in the Proposing Release, the required content is the same for both the initial and annual notices of privacy policies and practices.114 While the information contained in the notices must be accurate as of the time the notices are provided, a financial institution may prepare its notices based on current and anticipated policies and practices.

Short-form initial notice. We have reconsidered the need to give consumers a copy of a financial institution's complete initial notice when there is no customer relationship. In these circumstances, we believe that the objectives of the statute can be accomplished in a less burdensome way than was proposed. Accordingly, we have exercised our exemptive authority under section 504(b) to create an exception to the general rule that a financial institution must provide both the initial and opt out notices to a consumer before disclosing nonpublic personal information about that consumer to nonaffiliated third parties.

Section 248.6(d) provides that a financial institution may provide a "short-form" initial privacy policy notice along with the opt out notice to a consumer with whom the institution does not have a customer relationship. The short-form notice must clearly and conspicuously state that the disclosure containing information about the institution's privacy policies and practices is available on request, and must provide one or more reasonable means by which the consumer may obtain a copy of the notice. We believe that the short-form is appropriate because a consumer who does not become a customer of a broker-dealer, fund, or registered adviser may have less interest in certain elements of the institution's privacy policies. Thus, the consumer may receive greater benefit from obtaining a short-form notice with the opt out notice, which informs the consumer about the categories of his or her information the institution may share and the categories of nonaffiliated third parties that may receive the information. The rule also requires a broker-dealer, fund, or registered adviser to provide a consumer who is interested in the more complete privacy disclosures with a reasonable means to obtain them.

Information about affiliate sharing. Several commenters suggested that the rule should not require that initial and annual notices include categories of affiliates with whom a financial institution shares information. These commenters noted that the Act specifically requires disclosures of categories of nonaffiliated third parties only, and that the only statutorily mandated disclosures concerning affiliate sharing are disclosures required, if any, concerning affiliate sharing under the Fair Credit Reporting Act ("FCRA").115 These commenters concluded that the Commission and the Agencies, by expanding the disclosure requirements in the manner prescribed in the proposed rule, would be exceeding their rulemaking authority and imposing an unnecessary burden on financial institutions.

We believe that the language and legislative history of section 503 support requiring disclosures of affiliate sharing beyond what may be required by the FCRA. First, section 503(b) does not state that the items listed in the section are to be the only items set out in a financial institution's initial and annual disclosures. Instead, it uses the nonrestrictive phrase "shall include" when discussing the contents of the disclosures, thereby preserving flexibility for the Commission (which was expressly granted authority under section 503(a) to prescribe rules governing these notices) to require that additional items be addressed in the disclosures consistent with those specifically enumerated.

Second, section 503(a) states that the financial institution shall provide in its initial and annual notices "a clear and conspicuous disclosure ... of such financial institution's policies and practices with respect to -- (1) disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 502, including the categories of information that may be disclosed; ...." While the FCRA disclosures would be a subset of the disclosures required by section 503(a)(1), they may not be sufficient to fully satisfy that requirement.

Third, the legislative history of the G-L-B Act suggests that Congress intended the disclosures to provide more information about affiliate sharing than what may be required under the FCRA.116 That history underscores the Congressional intent of ensuring that individuals are given the opportunity to make informed decisions about the privacy policies and practices of financial institutions. We believe that limiting the disclosures about affiliate sharing just to those disclosures that may be required under the FCRA would frustrate that purpose.117

Disclosures of the right to opt out. Other commenters suggested that the final rule eliminate the requirement that the initial and annual notices contain disclosures about a consumer's right to opt out. These commenters pointed out that the statute does not specifically require these disclosures.

As previously discussed, section 503(a) of the statute requires a financial institution to disclose its policies and practices with respect to sharing information, both with affiliated and nonaffiliated third parties. Given that a financial institution's practices with respect to sharing nonpublic personal information with nonaffiliated third parties will be affected by the opt out rights created by the statute, an institution will need to describe these opt out rights in order to provide a complete disclosure that satisfies the statute.

Other comments. We received many comments expressing support for a number of the provisions in proposed section 248.6. For example, several commenters agreed with the approach of permitting a financial institution to state generally that it makes disclosures to nonaffiliated third parties "as permitted by law" to describe disclosures made under one of the exceptions. Others agreed with the proposed flexibility to allow a disclosure to be based on current and contemplated information sharing. In light of these comments, we have adopted proposed section 248.6 with changes as discussed above. The final rule makes several other stylistic changes to the material in section 248.6 that are intended to make the rule easier to read.

Section 248.7 Form of opt out notice to consumers; opt out methods.

We are adopting as proposed the requirement that any opt out notice provided by a broker-dealer, fund, or registered adviser be clear and conspicuous and accurately explain the right to opt out.118 The final rule also requires, as proposed, that a financial institution provide the consumer with a reasonable means by which to opt out, and honor an opt out election as soon as reasonably practicable. The rule also states that an opt out election survives until revoked by the consumer. In addition, we have adopted provisions to address the application of these rules to joint accounts, the means by which an opt out right may be exercised, duration of an opt out, the level of detail required in the opt out notice, and the time by which an opt out election must be honored. The final rule also includes stylistic changes to make it easier to read.

Joint accounts. We agree with the commenters who stated that a financial institution should have the option of providing one notice per account, regardless of the number of persons on the account, and the final rule includes a new section to address this issue.119 Under the final rule, a financial institution may provide one initial, annual, and opt out notice per account. However, each of the accountholders must have the right to opt out. The final rule also requires a broker-dealer, fund, or registered adviser to state in the opt out notice provided to a joint accountholder whether the institution will consider an opt out by a joint accountholder as an opt out by all of the accountholders or whether each accountholder is permitted to opt out separately.

Means of opting out. At the suggestion of many commenters, the final rule includes a provision that permits a broker-dealer, fund, or registered adviser to require that a consumer opt out through a specific means, if the means is reasonable for the consumer.120 We recognize that a financial institution may not have systems in place or trained personnel to handle opt out elections at each point of contact between a consumer and financial institution and therefore may choose not to honor opt out elections communicated to the institution through means other than those specified for the consumer.

As was proposed, the examples provide that a broker-dealer, fund, or registered adviser may not require a consumer to write his or her own letter in order to opt out.121 The final rule adds an example of a toll-free telephone number as another way by which financial institutions may allow consumers to opt out.122

Duration of opt out. Several commenters requested changes to the proposed provision concerning duration of an opt out.123 They noted that a financial institution would be required to keep track of opt out elections if, for example, a person opts out during the course of establishing a customer relationship with a financial institution, terminates that relationship, and then establishes another customer relationship several years later, perhaps under a different name or with someone on a joint account. The commenters suggested that it would be more appropriate in these circumstances to treat the opt out election made in connection with the first relationship as applying solely to that relationship.

We agree with the commenters' suggestions. Under the final rule, a broker-dealer, fund, or registered adviser is to treat an opt out election made by a customer in connection with a prior customer relationship as applying solely to the nonpublic personal information that the institution collected during, or related to, that relationship. That opt out will continue until the customer revokes it.124 However, if the customer relationship terminates and a new one is established at a later point, the institution must then provide a new opt out notice to the customer in connection with the new relationship, and any prior opt out election does not apply to the new relationship.125

Level of detail required in opt out notice. We are adopting as proposed the rule requirements for the form of the opt out notice.126 A few commenters interpreted the proposal as requiring a more detailed disclosure of categories of nonpublic personal information and nonaffiliated third parties in the opt out notice than is required in the initial and annual notices.127 We did not intend this result, and specifically referred to section 248.6 in the proposed opt out provision to address precisely this concern. The disclosures in the initial and annual notices of the categories of nonpublic personal information being disclosed and the categories of nonaffiliated third parties to whom the information is disclosed will suffice for the opt out notices as well. If the opt out notice is a part of the same document that contains the disclosures that must be included in the initial notice, then the financial institution is not required to restate those disclosures in the opt out notice. In these circumstances, the rule requires only that when the opt out and privacy notices are read together, they clearly disclose the categories of nonpublic personal information the institution intends to share and the categories of nonaffiliated third parties with whom it will share.

One commenter suggested that, while a broker-dealer, fund, or registered adviser should have the option of providing an opt out notice that is sufficiently broad to cover anticipated disclosures, the institution also should be permitted to provide a customer who already has opted out with a new opt out notice in connection with a new financial product or service. If the consumer does not opt out a second time, the institution would be free to disclose nonpublic personal information obtained in connection with that financial product or service.

We agree that a broker-dealer, fund, or registered adviser should have the flexibility to provide opt out notices that are either narrowly tailored to specific types of nonpublic personal information and types of nonaffiliated third parties or that are more broadly worded to anticipate future disclosure plans. We note, however, that when a consumer has elected to opt out of sharing certain nonpublic personal information, the opt out remains in effect until the consumer affirmatively revokes the opt out. Similarly, when a consumer opts out after receiving an opt out notice that is broad enough to cover the new type of information the institution intends to share, the consumer does not have to opt out again.

Time by which opt out must be honored. We are adopting in the final rule the proposed requirement that a financial institution comply with an opt out election "as soon as reasonably practicable."128 Many commenters asked us to clarify in the final rule when a financial institution must stop disclosing nonpublic personal information to nonaffiliated third parties after it receives an opt out. Suggestions for a more precise standard ranged from immediate to several months after receiving the opt out. We believe that a more general rule is appropriate in light of the wide range of practices among financial institutions. A broker-dealer, fund, or registered adviser might view a specific standard as a safe harbor in all circumstances and thus fail to implement an opt out as early as it could. In addition, a standard that reflects existing industry practices and capabilities is likely to become outmoded quickly as advances in technology increase efficiency. We therefore decline to adopt a more rigid standard.

Section 248.8 Revised privacy notices.

We are adopting as proposed the rule regarding revised privacy notices.129 The rule prohibits a financial institution, directly or through its affiliates, from disclosing nonpublic personal information about its consumers to nonaffiliated third parties unless the institution first provided a copy of its privacy notice and opt out notice. The rule also requires that these notices be accurate when given.130 Thus, if a broker-dealer, fund, or registered adviser wants to disclose nonpublic personal information in a way that is not accurately described in its notices, the institution must provide new notices before disclosing that information. The rule also provides examples of when a new notice is required.131

Section 248.9 Delivering privacy and opt out notices.

The requirements for delivery of initial, annual, and opt out notices were set out in three different sections of the proposed rules.132 The final rules combine in one section the requirements for delivery of each type of notice.133 The general provision requires that an institution provide a notice to a consumer in a manner such that the consumer can reasonably be expected to receive actual notice in writing, or, if the consumer agrees, electronically.134

Posting initial notices on an Internet web site. The final rule retains the proposed example of posting a notice on an Internet web site and requiring a consumer to acknowledge receipt of the notice as a step in the process of obtaining a financial product or service, as one way to comply with the rule.135 A few commenters suggested that a financial institution be allowed to deliver initial notices simply by posting the institution's notice on its Internet web site. We believe that posting the notice on a web site alone would not be sufficient in all cases for a broker-dealer, fund, or registered adviser reasonably to expect that its consumers will receive the notice.136 Accordingly, we have not expanded the rule beyond the circumstances described in the proposed example.

Posting annual notices on an Internet web site. At the suggestion of several commenters, the final rule clarifies that a broker-dealer, fund, or registered adviser may reasonably expect a customer who uses the institution's Internet web site to obtain financial products or services will receive actual notice if the customer has agreed to accept notices at the institution's web site, and if the institution continuously posts a current notice of its privacy policies and practices in a clear and conspicuous manner on the web site.137 We agree that it is appropriate to provide annual notices in this way for customers who conduct transactions electronically and agree to accept notices on a web site. We also believe that this revision will reduce the burden on broker-dealers, funds, and registered advisers while ensuring that customers who transact business electronically will have continuous access to institutions' privacy policies and practices.

Householding. Two commenters requested that the Commission permit broker-dealers and funds to deliver a single privacy notice to consumers who share the same address ("householding"). The Commission currently permits householding of prospectuses and fund shareholder reports, and the commenters argue that the same justifications that support the existing householding rules, such as reducing the number of duplicate documents investors receive, would apply with respect to privacy notices.138 We agree that householding is appropriate in certain circumstances, and the final rule adds an example that allows a broker-dealer or fund to consider that customers have actually received an annual privacy notice if the institution includes the notice with or in a prospectus or shareholder report delivered under conditions set forth in rules permitting householding of those documents.139

The example requires that the annual privacy notice be delivered with or in a prospectus or shareholder report that is householded because we believe that customers whose disclosure documents are householded also would consent to having their annual privacy notices householded. We cannot assume that the same would be true for other customers. The example also limits householding to annual privacy notices because we believe that any reduction in the number of initial notices consumers might receive due to householding would be minimal. Individuals who share the same address may not become consumers of a broker-dealer, fund, or registered adviser at the same time.

Disclosures to customers requesting no communication. We received a comment requesting that the final rule clarify that a financial institution may honor a customer's request not to receive information from the institution about his or her relationship with the institution. The final rule clarifies that a broker-dealer, fund, or registered adviser need not send an annual privacy notice to a customer who affirmatively requests no communication from the institution, provided that the notice is available upon request.140

Reaccessing a notice. The final rule provides an example that permits a broker-dealer, fund, or registered adviser to provide only the current privacy notice on a web site to someone seeking to obtain the privacy notice after having received the initial notice.141 This example responds to a request for clarification in the rule concerning potential confusion and burden that might result if the rule required a financial institution to make available every version of its privacy policies.

Joint notices. The final rule affirms that two or more financial institutions may provide a joint notice as long as the notice is accurate with respect to each institution.142 This provision reflects requests by many commenters from the securities industry that the rule permit this flexibility. We believe that broker-dealers, funds, and registered advisers should be able to combine initial, annual, or revised disclosures in one document and to give, on a collective basis, a consumer only one copy of the notice. For example, a clearing broker could provide a joint notice with an introducing broker for which it clears transactions on a fully disclosed basis, or a fund complex could provide a joint notice for all the funds in the complex. We emphasize that the notice must be accurate for each institution that uses the notice, and must identify each institution by name.143

B. Subpart B - Limits on Disclosure

Sections 248.10 through 248.12 of Regulation S-P contain limitations concerning (i) disclosure of nonpublic personal information to nonaffiliated third parties, (ii) redisclosure or reuse of information that a financial institution discloses to other parties, and (iii) sharing of account number information for marketing purposes.

Section 248.10 Limits on disclosure of nonpublic personal information to nonaffiliated third parties.

We are adopting the limits on disclosure of nonpublic personal information to nonaffiliated third parties, substantially as proposed.144 Section 502(a) of the G-L-B Act generally prohibits a financial institution, directly or through its affiliates, from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless the institution (i) provides the consumer with a notice of the institution's privacy policies and practices, (ii) provides the consumer with a clear and conspicuous notice that the consumer's nonpublic personal information may be disclosed to nonaffiliated third parties, (iii) gives the consumer an opportunity to opt out of that disclosure, and (iv) informs the consumer how to opt out.145

Most commenters on this section focused on the question of what is a reasonable opportunity to opt out. Some suggested that the rule permit a financial institution to begin sharing information immediately after it provides the opt out and initial notice in connection with an electronic transaction, such as an ATM transaction. Others advocated a mandatory delay of 120 days after the notices are provided.

We believe that the wide variety of suggestions underscores the appropriateness of a more general test rather than a mandatory waiting period in all cases. If a broker-dealer intends to disclose nonpublic personal information that it obtains through an isolated transaction and the consumer is provided a convenient means of opting out as part of the transaction, it would be reasonable not to force the broker-dealer to wait before sharing the information.146 For notices that are provided by mail, however, we believe the consumer should have additional time. In these latter circumstances, we consider it reasonable to permit the consumer to opt out by mailing back a form, by calling a toll-free number, or by any other reasonable means within 30 days after the date the opt out notice was mailed.147 The final rule also provides an example of a reasonable opportunity for opting out in connection with accounts opened electronically.148 However, we have not tried to anticipate every scenario and establish a specific period for each. Instead, the rule provides that the consumer must be given a reasonable opportunity to opt out and then includes some illustrative examples of what would be reasonable in different contexts.149

Section 248.11 Limits on redisclosure and reuse of information.

We are revising the limits on redisclosure and reuse to clarify their scope. The limits on redisclosure and reuse that apply to recipients of nonpublic personal information and their affiliates will depend on whether the information was provided under an exception in section 502(e) of the G-L-B Act.

Section 502(c) of the G-L-B Act provides that a nonaffiliated third party that receives nonpublic personal information from a financial institution must not, directly or indirectly through an affiliate, disclose that information to any person that is not affiliated with the financial institution or the third party, unless the disclosure would be lawful if made directly by the financial institution. A broker-dealer, fund, or registered adviser generally may disclose nonpublic personal information to a nonaffiliated third party (i) for any purpose if the consumer has received a privacy and opt out notice and has not exercised the right to opt out, (ii) under section 502(b), and (iii) in accordance with specific enumerated exceptions under section 502(e)