07-1476

  • [Federal Register: March 29, 2007 (Volume 72, Number 60)]

    [Proposed Rules]

    [Page 14939-15000]

    From the Federal Register Online via GPO Access [wais.access.gpo.gov]

    [DOCID:fr29mr07-31]

    [[Page 14939]]

    -----------------------------------------------------------------------

    Part III

    Department of the Treasury

    Office of the Comptroller of the Currency

    12 CFR Part 40

    -----------------------------------------------------------------------

    Office of Thrift Supervision

    12 CFR Part 573

    -----------------------------------------------------------------------

    Federal Reserve System

    12 CFR Part 216

    -----------------------------------------------------------------------

    Federal Deposit Insurance Corporation

    12 CFR Part 332

    -----------------------------------------------------------------------

    National Credit Union Administration

    12 CFR Part 716

    -----------------------------------------------------------------------

    Federal Trade Commission

    16 CFR Part 313

    -----------------------------------------------------------------------

    Commodity Futures Trading Commission

    17 CFR Part 160

    -----------------------------------------------------------------------

    Securities and Exchange Commission

    17 CFR Part 248

    -----------------------------------------------------------------------

    Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley

    Act; Proposed Rule

    [[Page 14940]]

    -----------------------------------------------------------------------

    DEPARTMENT OF THE TREASURY

    Office of the Comptroller of the Currency

    12 CFR Part 40

    [Docket ID OCC-2007-0003]

    RIN 1557-AC80

    FEDERAL RESERVE SYSTEM

    12 CFR Part 216

    [Docket No. R-1280]

    FEDERAL DEPOSIT INSURANCE CORPORATION

    12 CFR Part 332

    RIN 3064-AD16

    DEPARTMENT OF THE TREASURY

    Office of Thrift Supervision

    12 CFR Part 573

    [Docket ID OTS-2007-0005]

    RIN 1550-AC12

    NATIONAL CREDIT UNION ADMINISTRATION

    12 CFR Part 716

    RIN 3133-AC84

    FEDERAL TRADE COMMISSION

    16 CFR Part 313

    [Project No. 034815]

    RIN 3084-AA94

    COMMODITY FUTURES TRADING COMMISSION

    17 CFR Part 160

    RIN 3038-AC04

    SECURITIES AND EXCHANGE COMMISSION

    17 CFR Part 248

    [Release Nos. 34-55497, IA-2598, IC-27755; File No. S7-09-07]

    RIN 3235-AJO6

    Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley

    Act

    AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);

    Board of Governors of the Federal Reserve System (Board); Federal

    Deposit Insurance Corporation (FDIC); Office of Thrift Supervision,

    Treasury (OTS); National Credit Union Administration (NCUA); Federal

    Trade Commission (FTC); Commodity Futures Trading Commission (CFTC);

    and Securities and Exchange Commission (SEC).

    ACTION: Proposed rule.

    -----------------------------------------------------------------------

    SUMMARY: The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the

    Agencies) are proposing amendments to their rules that implement the

    privacy provisions of the Gramm-Leach-Bliley Act (GLB Act), Title V,

    Subtitle A. These rules require financial institutions to provide

    initial and annual privacy notices to their customers. As required

    under section 728 of the Financial Services Regulatory Relief Act of

    2006 (Regulatory Relief Act or Act), the Agencies are proposing a safe

    harbor model privacy form that financial institutions may use to

    provide disclosures under the privacy rules. Institutions that use

    notices based on the Sample Clauses currently contained in most of the

    privacy rules would lose the benefit of a safe harbor for compliance

    with respect to those notices if they are provided more than one year

    following the date of publication of a final rule. Similarly,

    institutions that use notices based on the Sample Clauses in the SEC's

    privacy rule could no longer rely on the guidance provided with respect

    to those notices if they are provided more than one year following the

    date of publication of a final rule.

    DATES: Comments must be submitted on or before May 29, 2007.

    For information regarding the effective dates of the provisions

    proposed in this document, see the discussion under "Proposed

    Effective Dates" in the SUPPLEMENTARY INFORMATION section.

    ADDRESSES: Because the Agencies will jointly review all of the comments

    submitted, interested parties may send comments to any of the Agencies

    and need not send comments (or copies) to all of the Agencies.

    Commenters are encouraged to use the title "Model Privacy Form" to

    facilitate the organization and distribution of comments among the

    Agencies. Interested parties are invited to submit written comments to:

    Office of the Comptroller of the Currency: You may submit comments

    by any of the following methods:

    Federal eRulemaking Portal--"Regulations.gov": Go to

    http://www.regulations.gov, select "Comptroller of the Currency" from

    the agency drop-down menu, then click "Submit." In the "Docket ID"

    column, select "OCC-2007-0003" to submit or view public comments and

    to view supporting and related materials for this notice of proposed

    rulemaking. The "User Tips" link at the top of the Regulations.gov

    home page provides information on using Regulations.gov, including

    instructions for submitting or viewing public comments, viewing other

    supporting and related materials, and viewing the docket after the

    close of the comment period.

    Mail: Office of the Comptroller of the Currency, 250 E

    Street, SW., Mail Stop 1-5, Washington, DC 20219.

    Hand Delivery/Courier: 250 E Street, SW., Attn: Public

    Information Room, Mail Stop 1-5, Washington, DC 20219.

    Instructions: You must include "OCC" as the agency name and

    "Docket Number OCC-2007-0003" in your comment. In general, OCC will

    enter all comments received into the docket and publish them on

    Regulations.gov without change, including any business or personal

    information that you provide such as name and address information,

    e-mail addresses, or phone numbers. Comments, including attachments and

    other supporting materials, received are part of the public record and

    subject to public disclosure. Do not enclose any information in your

    comment or supporting materials that you consider confidential or

    inappropriate for public disclosure.

    You may review comments and other related materials by any of the

    following methods:

    Viewing Comments Electronically: Go to http://www.regulations.gov, select "Comptroller of the Currency" from the

    agency drop-down menu, then click "Submit." In the "Docket ID"

    column, select "OCC-2007-0003" to view public comments for this

    notice of proposed rulemaking.

    Viewing Comments Personally: You may personally inspect

    and photocopy comments at the OCC's Public Information Room, 250 E

    Street, SW., Washington, DC. You can make an appointment to inspect

    comments by calling (202) 874-5043.

    Docket: You may also view or request available background

    documents and project summaries using the methods described above.

    Board of Governors of the Federal Reserve System: You may submit

    comments, identified by Docket No. R-1280, by any of the following

    methods:

    Agency Web Site: http://www.federalreserve.gov. Follow the instructions for submitting comments at http://www.federalreserve.gov/.

    [[Page 14941]]

    Federal eRulemaking Portal: http://www.regulations.gov.

    Follow the instructions for submitting comments.

    number in the subject line of the message.

    Fax: 202/452-3819 or 202/452-3102.

    Mail: Jennifer J. Johnson, Secretary, Board of Governors

    of the Federal Reserve System, 20th Street and Constitution Avenue,

    NW., Washington, DC 20551.

    All public comments are available from the Board's Web site at

    http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as

    submitted, unless modified for technical reasons. Accordingly, your

    comments will not be edited to remove any identifying or contact

    information. Public comments may also be viewed electronically or in

    paper in Room MP-500 of the Board's Martin Building (20th and C

    Streets, NW.,) between 9 a.m. and 5 p.m. on weekdays.

    FDIC: You may submit comments by any of the following methods:

    Agency Web Site: http://www.fdic.gov/regulations/laws/federal.

    Follow instructions for submitting comments on the Agency Web Site.

    E-mail: Comments@FDIC.gov. Include "Model Privacy Form" in the

    subject line of the message.

    Mail: Robert E. Feldman, Executive Secretary, Attention: Comments,

    Federal Deposit Insurance Corporation, 550 17th Street, NW.,

    Washington, DC 20429.

    Hand Delivery/Courier: Guard station at the rear of the 550 17th

    Street Building (located on F Street) on business days between 7 a.m.

    and 5 p.m. (EST).

    Federal eRulemaking Portal: http://www.regulations.gov. Follow the

    instructions for submitting comments.

    Public Inspection: All comments received will be posted without

    change to http://www.fdic.gov/regulations/laws/federal including any

    personal information provided. Comments may be inspected and

    photocopied in the FDIC Public Information Center, 3501 North Fairfax

    Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5 p.m.

    (EST) on business days. Paper copies of public comments may be ordered

    from the Public Information Center by telephone at (877) 275-3342 or

    (703) 562-2200.

    Office of Thrift Supervision: You may submit comments, identified

    by OTS-2007-0005, by any of the following methods:

    Federal eRulemaking Portal: Go to http://www.regulations.gov, select "Office of Thrift Supervision" from the

    agency drop-down menu, then click submit. Select Docket ID "OTS-2007-0005"

    to submit or view public comments and to view supporting and

    related materials for this notice of proposed rulemaking. The "User

    Tips" link at the top of the page provides information on using

    Regulations.gov, including instructions for submitting or viewing

    public comments, viewing other supporting and related materials, and

    viewing the docket after the close of the comment period.

    Mail: Regulation Comments, Chief Counsel's Office, Office

    of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552,

    Attention: OTS-2007-0005.

    Hand Delivery/Courier: Guard's Desk, East Lobby Entrance,

    1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention:

    Regulation Comments, Chief Counsel's Office, Attention: OTS-2007-0005.

    Instructions: All submissions received must include the agency name

    and docket number for this rulemaking. All comments received will be

    entered into the docket and posted on Regulations.gov without change,

    including any personal information provided. Comments, including

    attachments and other supporting materials received are part of the

    public record and subject to public disclosure. Do not enclose any

    information in your comment or supporting materials that you consider

    confidential or inappropriate for public disclosure.

    Viewing Comments Electronically: Go to http://www.regulations.gov,

    select "Office of Thrift Supervision" from the agency drop-down menu,

    then click "Submit." Select Docket ID "OTS-2007-0005" to view

    public comments for this notice of proposed rulemaking.

    Viewing Comments On-Site: You may inspect comments at the Public

    Reading Room, 1700 G Street, NW., by appointment. To make an

    appointment for access, call (202) 906-5922, send an e-mail to

    public.info@ots.treas.gov, or send a facsimile transmission to (202)

    906-6518. (Prior notice identifying the materials you will be

    requesting will assist us in serving you.) We schedule appointments on

    business days between 10 a.m. and 4 p.m. In most cases, appointments

    will be available the next business day following the date we receive a

    request.

    National Credit Union Administration: Comments should be directed

    to Mary Rupp, Secretary of the Board. You may submit comments by any of

    the following methods (Please send comments by one method only):

    Federal eRulemaking Portal: http://www.regulations.gov.

    Follow the instructions for submitting comments.

    NCUA Web Site: http://www.ncua.gov/news/proposed_regs/proposed_regs.html.

    Follow the instructions for submitting comments.

    E-mail: Address to regcomments@ncua.gov. Include "[Your

    name] Comments on Proposed Rule Part 716 (Model Form for Privacy

    Notice)" in the e-mail subject line.

    Fax: (703) 518-6319. Use the subject line described above

    for e-mail.

    Mail: Address to Mary Rupp, Secretary of the Board,

    National Credit Union Administration, 1775 Duke Street, Alexandria,

    Virginia 22314-3428.

    Hand Delivery/Courier: Same as mail address.

    Federal Trade Commission: All persons are invited to submit written

    comments. Comments should refer to "Model Privacy Form, FTC File No.

    P034815" to facilitate the organization of comments. Comments filed in

    paper form should include this reference both in the text and on the

    envelope, and should be mailed or delivered to: Federal Trade

    Commission/Office of the Secretary, Room 135 (Annex C), 600

    Pennsylvania Avenue, NW., Washington, DC 20580. Because paper mail in

    the Washington area and at the Commission is subject to delay, please

    consider submitting your comments in electronic form, as prescribed

    below. If the comment contains any material for which confidential

    treatment is requested, it must be filed in paper (rather than

    electronic) form, and the first page of the document must be clearly

    labeled "Confidential." \1\ The FTC is requesting that any comment

    filed in paper form be sent by courier or overnight service, if

    possible.

    ---------------------------------------------------------------------------

    \1\ Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must also

    be accompanied by an explicit request for confidential treatment,

    including the factual and legal basis for the request, and must

    identify the specific portions of the comment to be withheld from

    the public record. The request will be granted or denied by the

    Commission's General Counsel, consistent with applicable law and the

    public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).

    ---------------------------------------------------------------------------

    Comments filed in electronic form should be submitted by using the

    following Web link: https://secure.commentworks.com/ftc-modelform (and

    following the instructions on the Web-based form). To ensure that the

    Commission considers an electronic comment, you must file it on the

    Web-based form at the Web link https://secure.commentworks.com/ftc-modelform.

    If this notice appears at www.regulations.gov, you may also

    file an electronic comment through that

    [[Page 14942]]

    Web site. The Commission will consider all comments that

    http://www.regulations.gov forwards to it.\2\ The FTC Act and other laws the

    Commission administers permit the collection of public comments to

    consider and use in this proceeding as appropriate. All timely and

    responsive public comments with all required fields completed, whether

    filed in paper or electronic form, will be considered by the

    Commission, and will be available to the public on the FTC Web site, to

    the extent practicable, at http://www.ftc.gov. As a matter of

    discretion, the Commission makes every effort to remove home contact

    information for individuals it receives from the public comments before

    placing those comments on the FTC Web site. More information, including

    routine uses permitted by the Privacy Act, may be found in the FTC's

    privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

    ---------------------------------------------------------------------------

    \2\ An electronic comment can be filed by (1) clicking on http://www.regulations.gov; (2) selecting "Federal Trade Commission" at

    "Search for Open Regulations;" (3) locating the summary of this

    notice; (4) clicking on "Submit a Comment on this Regulation;" and

    (5) completing the form. For a given electronic comment, any

    information placed in the following fields--"Title," "First

    Name," "Last Name," "Organization Name," "State,"

    "Comment," and "Attachment"--will be publicly available on the

    FTC Web site. The fields marked with an asterisk on the form are

    required in order for the FTC to fully consider a particular

    comment. Commenters may choose not to fill in one or more of these

    fields, but if they do so, their comments may not be considered.

    ---------------------------------------------------------------------------

    Commodity Futures Trading Commission: Comments should be directed

    to Eileen Donovan, Acting Secretary of the Commission, Commodity

    Futures Trading Commission, Three Lafayette Centre, 1155 21st Street,

    NW., Washington, DC 20581. Comments may be sent by facsimile

    transmission to (202) 418-5528 or by e-mail to secretary@cftc.gov.

    Securities and Exchange Commission: Comments may be submitted by

    any of the following methods:

    Electronic Comments

    Use the Commission's Internet comment form (http://www.sec.gov/rules/proposed.shtml); or

    Send an e-mail to rule-comments@sec.gov. Please include

    File Number S7-09-07 and "Model Privacy Form" on the subject line; or

    Use the Federal eRulemaking Portal (http://www.regulations.gov). Follow the instructions for submitting comments.

    Paper Comments

    Send paper comments in triplicate to Nancy M. Morris,

    Secretary, Securities and Exchange Commission, 100 F Street, NE.,

    Washington, DC 20549-1090.

    All submissions should refer to File Number S7-09-07 and "Model

    Privacy Form." This file number should be included on the subject line

    if e-mail is used. To help us process and review your comments more

    efficiently, please use only one method. The Commission will post all

    comments on the Commission's Internet Web site (http://www.sec.gov/rules/proposed.shtml). Comments are also available for public

    inspection and copying in the Commission's Public Reference Room, 100 F

    Street, NE., Washington, DC 20549. All comments received will be posted

    without change; we do not edit personal identifying information from

    submissions. You should submit only information that you wish to make

    available publicly.

    FOR FURTHER INFORMATION CONTACT: OCC: Amy Friend, Assistant Chief

    Counsel, (202) 874-5200; Heidi Thomas, Special Counsel, Jonathan

    Mitchell, Attorney, Legislative and Regulatory Activities Division,

    (202) 874-5090; David H. Nebhut, Director, Policy Analysis, (202) 874-5387;

    or Paul Utterback, NBE Compliance Specialist, (202) 874-4428,

    Office of the Comptroller of the Currency, 250 E Street, SW.,

    Washington, DC 20219.

    Board: Adrianne Threatt, Counsel, Legal Division, (202) 452-3554;

    Jeanne Hogarth, Consumer Policies Program Manager, or Krista Ayoub,

    Senior Attorney, or Ky Tran-Trong, Counsel, Division of Consumer and

    Community Affairs, (202) 452-3667; or Michelle E. Shore, Federal

    Reserve Board Clearance Officer, (202) 452-3829 (for Paperwork

    Reduction Act questions only), Board of Governors of the Federal

    Reserve System, 20th Street and Constitution Avenue, NW., Washington,

    DC 20551.

    FDIC: David P. Lafleur, Senior Policy Analyst, Compliance Section,

    Division of Supervision and Consumer Protection, (202) 898-6569; or

    Ruth R. Amberg, Senior Counsel, (202) 898-3736, or Kimberly A. Stock,

    Attorney, (202) 898-3815, Legal Division; Federal Deposit Insurance

    Corporation, 550 17th Street, NW., Washington, DC 20429.

    OTS: Ekita Mitchell, Consumer Regulations Analyst, Examinations,

    Supervision, and Consumer Protection, (202) 906-6451; or Richard

    Bennett, Counsel, Regulations and Legislation Division, (202) 906-7409,

    1700 G Street, NW., Washington, DC 20552.

    NCUA: Regina Metz, Staff Attorney, (703) 518-6561, or Ross Kendall,

    Staff Attorney, Office of General Counsel, (703) 518-6562, National

    Credit Union Administration, 1775 Duke Street, Alexandria, Virginia

    22314-3428.

    FTC: Loretta Garrison, Senior Attorney, Division of Privacy and

    Identity Protection, Bureau of Consumer Protection, (202) 326-3043,

    Federal Trade Commission, 600 Pennsylvania Avenue, NW., Stop NJ-3158,

    Washington, DC 20580.

    CFTC: Laura Richards, Senior Assistant General Counsel, (202) 418-5126,

    or Gail B. Scott, Attorney, Office of General Counsel, (202) 418-5139,

    Commodity Futures Trading Commission, Three Lafayette Centre,

    1155 21st Street, NW., Washington, DC 20581.

    SEC: Catherine McGuire, Chief Counsel, or Brice Prince, Special

    Counsel, Office of the Chief Counsel, Division of Market Regulation,

    (202) 551-5550; or Penelope Saltzman, Branch Chief, or Vincent Meehan,

    Senior Counsel, Office of Regulatory Policy, Division of Investment

    Management, (202) 551-6792, Securities and Exchange Commission, 100 F

    Street, NE., Washington, DC 20549.

    SUPPLEMENTARY INFORMATION: The Agencies are proposing amendments to

    each of their rules (which are consistent and comparable) that

    implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC);

    12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS);

    12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC);

    and 17 CFR part 248 (SEC) (collectively, the "privacy rule").\3\

    ---------------------------------------------------------------------------

    \3\ Because each Agency's privacy rule has the same section

    numbers, relevant sections will be cited, for example, as "section

    --.6" unless otherwise noted.

    ---------------------------------------------------------------------------

    I. Background

    The Regulatory Relief Act was enacted on October 13, 2006.\4\

    Section 728 of the Act directs the Agencies to "jointly develop a

    model form which may be used, at the option of the financial

    institution, for the provision of disclosures under [section 503 of the

    GLB Act]." \5\ The Regulatory Relief Act stipulates that the model

    form shall be a safe harbor for financial institutions

    [[Page 14943]]

    that elect to use it. Section 728 further directs that the model form

    shall:

    ---------------------------------------------------------------------------

    \4\ Pub. L. 109-351 (Oct. 13, 2006), 120 Stat. 1966.

    \5\ Id., adding 15 U.S.C. 6803(e). Section 728 of the Regulatory

    Relief Act directs the agencies named in Section 504(a)(1) of the

    GLB Act, 15 U.S.C. 6804(a)(1), to develop a model form. The CFTC,

    which did not become subject to Title V of the GLB Act until 2000,

    is not named in that section. The Commodity Exchange Act ("CEA")

    was amended in 2000 by the Commodity Futures Modernization Act of

    2000 to make the CFTC a "federal functional regulator" subject to

    the GLB Act Title V. See Section 5g of the CEA, 7 U.S.C. 7b-2. The

    CFTC interprets Section 728 of the Regulatory Relief Act as applying

    to it through Section 5g.

    ---------------------------------------------------------------------------

    (A) Be comprehensible to consumers, with a clear format and design;

    (B) Provide for clear and conspicuous disclosures;

    (C) Enable consumers easily to identify the sharing practices of a

    financial institution and to compare privacy practices among financial

    institutions; and

    (D) Be succinct, and use an easily readable type font.

    The Agencies are required to propose a model form for public

    comment by April 11, 2007.

    A. The Gramm-Leach-Bliley Act Privacy Notices

    Subtitle A of title V of the GLB Act, captioned Disclosure of

    Nonpublic Personal Information,\6\ requires each financial institution

    to provide a notice of its privacy policies and practices to its

    customers who are consumers.\7\ In general, the privacy notices must

    describe a financial institution's policies and practices with respect

    to disclosing nonpublic personal information about a consumer to both

    affiliated and nonaffiliated third parties.\8\ The notices also must

    provide a consumer a reasonable opportunity to direct the institution

    generally not to share nonpublic personal information \9\ about the

    consumer (that is, to "opt out") with nonaffiliated third parties

    other than as permitted by the statute (for example, sharing for

    everyday business purposes, such as processing transactions and

    maintaining customers' accounts, and in response to properly executed

    governmental requests).\10\ The privacy notice must provide, where

    applicable under the Fair Credit Reporting Act (FCRA), a notice and an

    opportunity for a consumer to opt out of certain information sharing

    among affiliates.\11\

    ---------------------------------------------------------------------------

    \6\ Codified at 15 U.S.C. 6801-6809.

    \7\ 15 U.S.C. 6803(a). A "customer" means a consumer who has a

    "customer relationship with a financial institution." Privacy

    rule, section --.3(h), SEC section 248.3(j), CFTC section 160.3(k).

    A "consumer" is "an individual who obtains, from a financial

    institution, financial products or services which are to be used

    primarily for personal, family, or household purposes, and also

    means the legal representative of such an individual." 15 U.S.C.

    6809(9); privacy rule, section --.3(e), SEC section 248.3(g)(1),

    CFTC section 160.3(h)(1).

    \8\ 15 U.S.C. 6803(a)-(c).

    \9\ 15 U.S.C. 6809(4). "Nonpublic personal information" is

    generally defined as personally identifiable financial information

    provided by a consumer to a financial institution, resulting from

    any transaction or any service performed for the consumer, or

    otherwise obtained by the financial institution. See privacy rule,

    sections --.3(n) and (o), SEC sections 248.3(t) and (u), CFTC

    sections 160.3(t) and (u).

    \10\ 15 U.S.C. 6802; privacy rule, sections --.14 and --.15.

    \11\ 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4)

    (GLB Act).

    ---------------------------------------------------------------------------

    The privacy rule requires a financial institution to provide a

    privacy notice to its customers no later than when a customer

    relationship is formed and annually for as long as the relationship

    continues. The notice must accurately reflect the institution's

    information collection and disclosure practices and must include

    specific information. Section --.6 of the privacy rule requires the

    privacy notice to include the following:

    (1) The categories of nonpublic personal information that the

    institution collects;

    (2) With respect to both current and former customers, the

    categories of nonpublic personal information that it discloses and the

    categories of affiliates and nonaffiliated third parties to whom it

    discloses such information other than as permitted by the exceptions in

    sections --.14 and --.15;

    (3) Where the institution relies on the exception in section --.13

    to share nonpublic personal information (pertaining to joint

    marketing), the categories of information disclosed, and the categories

    of third parties with which the institution has contracted;

    (4) Where applicable, an explanation of the consumer's right under

    section --.10(a) to opt out of the disclosure of nonpublic personal

    information to nonaffiliated third parties and the methods by which the

    consumer may opt out;

    (5) Disclosures made under section 603(d)(2)(A)(iii) of the FCRA

    (pertaining to the ability to opt out of certain sharing with

    affiliates) and the applicable opt-out notice;

    (6) The institution's policies and practices with respect to

    protecting the confidentiality and security of nonpublic personal

    information; and

    (7) Where applicable, a statement that the institution discloses

    nonpublic personal information to nonaffiliated third parties pursuant

    to the section --.14 and --.15 exceptions.

    The privacy rule does not prescribe any specific format or

    standardized wording for these notices. Instead, institutions may

    design their own notices based on their individual practices provided

    they comply with the law and meet the "clear and conspicuous"

    standard in the statute and the privacy rule.\12\ The Appendix to the

    privacy rule contains model language (Sample Clauses) that institutions

    may use in privacy notices to satisfy the privacy rule.

    ---------------------------------------------------------------------------

    \12\ 15 U.S.C. 6802, 6803; privacy rule, section --.3(b), SEC

    248.3(c).

    ---------------------------------------------------------------------------

    Financial institutions first were required to distribute privacy

    notices to their customers by July 1, 2001.\13\ Many privacy notices in

    the initial effort were long and complex. In addition, because the

    privacy rule allows institutions flexibility in designing their privacy

    notices, notices have been formatted in various ways and as a result

    have been difficult to compare, even among financial institutions with

    identical privacy policies.

    ---------------------------------------------------------------------------

    \13\ The CFTC was added by Section 5g of the Commodity Exchange

    Act, 7 U.S.C. 7b-2 (as amended by the Commodity Futures

    Modernization Act of 2000), on December 21, 2000, and privacy

    notices were required to be delivered to consumers by March 31,

    2002.

    ---------------------------------------------------------------------------

    In response to broad-based concerns expressed by representatives of

    financial institutions, consumers, privacy advocates, and members of

    Congress, the Agencies conducted a workshop in December 2001 to provide

    a forum to consider how financial institutions could provide more

    useful privacy notices to consumers.\14\ The workshop featured panel

    presentations by financial institutions, consumer advocates, and

    communications experts, and highlighted key communication principles to

    improve the notices. A number of institutions, particularly those with

    complex information-sharing practices, described the challenges they

    faced in explaining their practices and the choices available to

    consumers in a simple fashion while meeting all of the legal

    requirements for notice. Some institutions described results of

    consumer testing and their efforts to make privacy notices clearer and

    more useful to consumers.

    ---------------------------------------------------------------------------

    \14\ Get Noticed: Writing Effective Financial Privacy Notices,

    Interagency Public Workshop (Dec. 4, 2001), workshop transcripts and

    other supporting documents are available at http://www.ftc.gov/bcp/workshops/glb/index.html.

    ---------------------------------------------------------------------------

    On December 30, 2003, the Agencies published an Advance Notice of

    Proposed Rulemaking to Consider Alternative Forms of Privacy Notices

    under the Gramm-Leach-Bliley Act \15\ (ANPR) to solicit comment on a

    wide range of issues related to improving privacy notices. The Agencies

    sought, for example, comment on issues associated with the format,

    elements, and language used in privacy notices that would make the

    notices more accessible, readable, and useful, and whether to develop a

    model privacy notice that would be short and simple. The Agencies also

    solicited examples of

    [[Page 14944]]

    forms, model clauses, and other information, such as applicable

    research that has been conducted in this area. The ANPR stated that the

    Agencies expected that consumer testing would be a key component in the

    development of any specific proposals.

    ---------------------------------------------------------------------------

    \15\ See Interagency Proposal to Consider Alternative Forms of

    Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec.

    30, 2003), available at http://www.ftc.gov/os/2003/12/031223anprfinalglbnotices.pdf.

    ---------------------------------------------------------------------------

    During January and February 2004, the Agencies met with a number of

    interested groups and individuals to discuss the issues raised in the

    ANPR.\16\ The Agencies received forty-four comments in response to the

    ANPR.\17\ While commenters expressed a variety of views on the

    questions posed in the ANPR, many commenters agreed that the Agencies

    should conduct consumer testing before proposing any alternative

    privacy notice.

    ---------------------------------------------------------------------------

    \16\ Summaries of the outside meetings are available at http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.

    \17\ Public comments to the ANPR are available at http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.

    ---------------------------------------------------------------------------

    B. The Interagency Notice Project

    In the summer of 2004, six Agencies \18\ agreed to launch a project

    to fund consumer research (Notice Project). Their goals were to

    identify barriers to consumer understanding of current privacy notices

    and to develop an alternative privacy notice, or elements of a notice,

    that consumers could more easily use and understand compared to current

    notices. When the Agencies initiated this project, they contemplated

    conducting the consumer research in two sequential phases. The first

    phase was designed as qualitative testing, that is, form development

    research. This research involved a series of in-depth individual

    consumer interviews to develop an alternative privacy notice that would

    be easier for consumers to use and understand. The second phase was

    designed as quantitative testing, to test the effectiveness of the

    alternative privacy notice developed in phase one among a larger number

    of consumers. The first phase has been completed and resulted in the

    model notice we are proposing for comment today. The Agencies expect to

    conduct the second phase of testing after receipt of comments in

    response to this proposal.\19\

    ---------------------------------------------------------------------------

    \18\ The six Agencies are the Board, FDIC, FTC, NCUA, OCC, and

    SEC. Information related to the Notice Project can be found at

    http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.

    \19\ OTS has joined the Notice Project for the phase two

    research.

    ---------------------------------------------------------------------------

    In September 2004, the six Agencies selected Kleimann Communication

    Group, Inc. (Kleimann) as their contractor for the phase one form

    development research. The research objectives of the Notice Project

    included designing a privacy notice that consumers could understand and

    use, that facilitated comparison of sharing practices and policies

    across privacy notices, and that addressed all relevant legal

    requirements of the GLB Act and FCRA. At the outset of the research,

    the Agencies considered a range of possible options for the notice,

    including a short notice, a layered approach (highlighting key

    information upfront), as well as a longer fully-compliant notice. The

    Agencies limited the project to paper-based notices, reasoning that a

    successful paper notice could be readily adapted to another medium such

    as the Internet. The Agencies used a readable font \20\ and, in order

    not to confound the research findings on comprehension by introducing

    too many variables into the test notice, expressly did not use color,

    logos, or other graphical designs in the test notices. Instead, the

    Agencies focused on formulating and testing content that consumers

    could understand and use in order to develop a short, simplified

    privacy notice that met the research objectives.

    ---------------------------------------------------------------------------

    \20\ The text of the prototype notice is in 10 point BK Avenir

    Book font.

    ---------------------------------------------------------------------------

    The form development phase culminated in an extensive research

    report released by the Agencies in March 2006. Prepared by Kleimann,

    "Evolution of a Prototype Financial Privacy Notice," details the

    process by which the Agencies and Kleimann developed an alternative

    privacy notice.\21\ As explained more fully in the Kleimann Report,

    over a one-year period, Kleimann conducted two focus groups followed by

    a series of 46 in-depth, individual interviews, conducted sequentially

    at seven sites around the country. The interviews tested consumers on

    their ability to comprehend, use, and compare notices based on

    variations in vocabulary, ordering of content, and format. The

    structure, content, ordering of the text information, and title of the

    proposed model form all reflect the research findings in the

    qualitative consumer testing.

    ---------------------------------------------------------------------------

    \21\ See Kleimann Communication Group, Inc., Evolution of a

    Prototype Financial Privacy Notice: A Report on the Form Development

    Project (Feb. 28, 2006) (Kleimann Report). For a copy of the full

    report, go to http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf. For the executive summary, go to http://.

    //.

    FTCFinalReportExecutiveSummary.pdf.

    ---------------------------------------------------------------------------

    The Agencies now are proposing the model privacy notice produced in

    the form development phase with some minor revisions (the proposed

    model form) for comment in accordance with the Regulatory Relief Act.

    The Agencies contemplate that the safe harbor for the proposed model

    form will be effective upon publication of the final rule in order to

    permit institutions that elect to use the form to do so immediately.

    The Agencies recognize that institutions may post their privacy notices

    on their Internet sites, as well as deliver paper or email versions to

    their customers. The Agencies contemplate that institutions that post a

    pdf version of the proposed model privacy form may obtain a safe

    harbor, but are requesting comment on whether to develop a Web-based

    design for financial institutions to use on their Internet sites,

    including comment on particular design and/or technical considerations.

    The Agencies believe that the proposed model form meets all the

    requirements of the Act and is easier to understand than most privacy

    notices currently being disseminated. The following section describes

    the proposed model form and highlights some key research findings. For

    more detailed information on the research methodology and the form

    development process, commenters are encouraged to review the full

    Kleimann Report. The Agencies also are proposing instructions on how

    institutions may obtain a safe harbor by using the proposed model form,

    including an explanation of aspects of the form that may and may not be

    varied.\22\ Institutions would not be able to vary content or format,

    other than as described in this proposal, to take advantage of the safe

    harbor. Moreover, institutions would not be able to include any other

    information in the proposed model form nor incorporate this model form

    into any other document.

    ---------------------------------------------------------------------------

    \22\ While the model form would provide a safe harbor,

    institutions could continue to use other types of notices that vary

    from the model form so long as these notices comply with the privacy

    rule. For example, an institution could continue to use a simplified

    notice as described in section --.6(c)(5) (NCUA 716.6(e)(5)) of the

    privacy rule if it does not have affiliates and does not intend to

    share nonpublic personal information with nonaffiliated third

    parties outside of the exceptions provided in sections --.14 and

    --.15.

    ---------------------------------------------------------------------------

    II. The Proposed Model Form

    A. The Structure

    The proposed model form has either two or three pages, depending on

    whether the financial institution provides an opt-out. While the

    research showed that page one alone was adequate for comprehension and

    usability, page one together with page two address the legal

    requirements of applicable Federal financial privacy laws and increase

    consumer comprehension. Each of the pages of the model form is printed

    separately and

    [[Page 14945]]

    only on one side of an 8.5 by 11 inch piece of paper because, during

    testing, consumers expressed a preference for the model which allowed

    them to view the information on pages one and two side-by-side.\23\ The

    proposed model form in Appendix A is designed to be customized by each

    financial institution that elects to use it by inserting, for example,

    the institution's name, contact information, and information about

    affiliates, nonaffiliates, or joint marketing partners, if any, with

    which it shares personal information. In addition, the disclosure table

    requires that each institution complete the responses in each of the

    boxes provided in a manner that accurately reflects its information

    sharing policies and practices.

    ---------------------------------------------------------------------------

    \23\ The proposed model form has the opt-out options and

    instructions on a separate page. Staff of certain of the Agencies

    issued Frequently Asked Questions in December 2001 (Privacy FAQs),

    stating that a consumer should be able to detach a mail-in opt-out

    form from a privacy notice without removing text from the privacy

    policy. Otherwise, the institution may violate section --.9(e) of

    the privacy rule, which requires that a privacy policy must be

    provided in such a way that a customer can retain the text of the

    notices or obtain them later. See F.4 of the Privacy FAQs, available

    at http://www.ftc.gov/privacy/glbact/glb-faq.htm.

    ---------------------------------------------------------------------------

    Below is one example of a completed model form for a fictional

    financial institution, Neptune, whose privacy policy provides for broad

    sharing in a manner that triggers consumer opt-out rights. For

    comparison, a second example is also provided for another fictional

    institution, Mars, whose privacy policy limits sharing and does not

    trigger consumer opt-out rights. Each of these institutions uses and

    shares personal information in different ways; thus, their responses in

    the disclosure table vary, as do the descriptions of their affiliates,

    nonaffiliates, or joint marketing partners in the definition

    section.\24\ Importantly, since Mars does not share in a way that

    triggers an opt-out, the opt-out form (page 3 of the proposed model

    form) is not required and so is not included in the Mars notice. Thus,

    not every institution subject to the privacy rule will have to provide

    page three of the model form; only those institutions whose privacy

    practices require delivery of an opt-out notice or those institutions

    that choose to provide opt-outs beyond those required by law.

    ---------------------------------------------------------------------------

    \24\ The Agencies understand that many consumers are not

    familiar with institutions' information sharing practices. During

    the Notice Project's initial research, some consumers expressed

    concern about financial institutions changing their practices and

    policies without adequately informing consumers about such changes.

    A few consumers suggested that, at a minimum, the notices should be

    dated to reflect the most recent revision so consumers would know

    when the notice was last changed and could more easily identify the

    most recent policy statement. Changes to an institution's policy may

    be reflected in a revised notice under section --.8 of the privacy

    rule or in an annual notice. Some institutions highlight changes to

    their privacy notices in some distinctive way, so that consumers can

    readily identify the change. As discussed later in Section V, the

    Agencies invite comment on whether financial institutions should be

    required to alert consumers to changes in an institution's privacy

    practices as part of the proposed model form.

    ---------------------------------------------------------------------------

    [[Page 14946]]

    Example 1. Neptune Model Privacy Form

    [GRAPHIC] [TIFF OMITTED] TP29MR07.000

    [[Page 14947]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.001

    [[Page 14948]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.002

    [[Page 14949]]

    Example 2. Mars Model Privacy Form

    [GRAPHIC] [TIFF OMITTED] TP29MR07.003

    [[Page 14950]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.004

    [[Page 14951]]

    Example 3. Illustration of Type Size for the Various Elements of the

    Model Form \25\

    ---------------------------------------------------------------------------

    \25\ See infra note and accompanying text. This illustration

    displays the font sizes of the various elements in the model form.

    ---------------------------------------------------------------------------

    [GRAPHIC] [TIFF OMITTED] TP29MR07.005

    B. Page One--Background Information and the Disclosure Table

    Page one of the proposed model form has four parts: (1) The title;

    (2) an introductory section called the "key frame," which provides

    context to help the consumer better understand the required

    disclosures; (3) a table that describes the types of sharing Federal

    law allows, which of those types of sharing the institution actually

    does, and whether the consumer can opt out of any type of the

    institution's sharing; and (4) the institution's contact information.

    The research showed that the title, "FACTS What Does [name of

    financial

    [[Page 14952]]

    institution] Do With Your Personal Information," is more likely to

    catch consumers' attention so they will read the notice. The title can

    be used by all institutions regardless of their information sharing

    practices.

    The "key frame," with its three short headings--Why, What, and

    How--is included because the research showed that, unless consumers

    have some basic facts about information sharing, they are less likely

    to understand why they are receiving a privacy notice and what to do

    with one. The "Why" box tells consumers that Federal law requires

    that the financial institution send the notice. The "What" box

    explains the types of personal information financial institutions

    collect and share.\26\ The "How" box explains that some information

    sharing is necessary for all institutions in order to provide the

    products and services that consumers request. It also briefly explains

    what information consumers will find in the disclosure table below. The

    research found that these particular headings and the bulleted

    explanations enhanced consumers' understanding of the purpose of the

    notice, enabled them to make an informed decision about the use of

    their personal information, and aided their overall comprehension.

    ---------------------------------------------------------------------------

    \26\ The Agencies recognize that some financial institutions may

    not collect each type of information described in the "What" box.

    As reflected in the introductory clause, which states that the

    "information [collected] can include * * *," the standardized

    terms are designed to reflect the range of information typically

    collected by financial institutions required to provide privacy

    notices under the GLB Act and FCRA, rather than the specific

    information collected by each particular institution, and therefore,

    are not to be modified to reflect an institution's particular

    practices. The SEC's model privacy form reflects modified terms in

    the "What" box that are intended to include the range of

    information typically collected by brokers, dealers, investment

    advisers registered with the Commission, and investment companies.

    ---------------------------------------------------------------------------

    The disclosure table at the bottom of page one provides information

    about the financial institution's sharing practices. The research found

    that this table is the "heart" of the proposed model form,

    "enabl[ing] consumers to understand the details of their financial

    institution's sharing practices in the context of how other financial

    institutions can share. It is critical for comprehension and

    comparability." \27\ The table is featured on page one because it is

    one of the most important elements of the model form.

    ---------------------------------------------------------------------------

    \27\ See Kleimann Report, supra note , at v and 7.

    ---------------------------------------------------------------------------

    Key research findings were that providing this information in a

    table form greatly increased consumers' ability to readily identify and

    understand an institution's sharing practices and what, if any, choices

    they had to limit any of that sharing, and easily compare these

    practices and choices among institutions. The Agencies asked Kleimann

    to develop and test a "prose" version describing information sharing

    practices since such a format would be more comparable to notices

    currently used by financial institutions. However, the research found

    that the table design of the proposed model form outperformed the prose

    design on a variety of measures, including comprehension,

    comparability, and usability.\28\

    ---------------------------------------------------------------------------

    \28\ See id. at 185, 215, 256.

    ---------------------------------------------------------------------------

    The disclosure table includes a description of the possible types

    of sharing and uses of personal information and the associated opt-out

    choices that must be disclosed. The opt-out disclosures are required

    under: (1) Section 502(b) of the GLB Act (regarding certain sharing

    with nonaffiliated third parties); (2) section 603(d)(2)(A) of the FCRA

    (regarding sharing of creditworthiness and credit report information

    among affiliates); and (3) section 624 of the FCRA, as added by section

    214 of the Fair and Accurate Credit Transactions Act of 2003 (FACT

    Act), 15 U.S.C. 1681s-3 (use of that information for marketing).\29\

    The table provides important context about what information sharing a

    financial institution actually does relative to what it could do. The

    research showed that the table, with its standardized content,

    facilitates easy comparison of information sharing practices among

    different institutions. The structure of the disclosure table and the

    reasons for sharing are designed to be consistent for all financial

    institutions.\30\ The institution-specific information lies in the

    answers to the questions within each of the boxes. Accordingly, even if

    a financial institution does not share for one of the reasons listed in

    the table (for example, it has no affiliates and therefore does not

    share with affiliates), the institution could not exclude that reason

    from the table, but would answer "No" under "Does [name of financial

    institution] share?"

    ---------------------------------------------------------------------------

    \29\ Pub. L. 108-159, 117 Stat. 1952. Section 624 provides that

    information that may be shared among affiliates--including

    transaction and experience information and certain creditworthiness

    information--cannot be used for marketing purposes unless the

    consumer has received a notice of such use and an opportunity to opt

    out, and the consumer does not opt out. The Agencies have included

    language pertaining to this affiliate marketing provision and the

    related opt-out on the notice developed in the consumer research in

    response to comments to the ANPR. While the Agencies have not yet

    issued a final regulation implementing this provision of the FACT

    Act, they are coordinating this rulemaking with the affiliate

    marketing rulemaking to ensure that language addressing the section

    624 opt-out as incorporated in this model form (when finalized)

    would be deemed to comply with the affiliate marketing rule.

    Institutions would not be required to include reference to this

    provision until a final rule for section 624 is issued and becomes

    effective, and only in the event that institutions choose to

    consolidate the 624 notice and opt-out with the GLB Act privacy

    notice.

    \30\ The reasons for sharing are grouped into three main

    categories. The first three reasons describe what financial

    institutions do with their consumers' personal information. The next

    three reasons describe what a financial institution's affiliates do

    with that information. The last reason describes what nonaffiliated

    companies may do with the personal information, other than acting as

    a service provider to or acting jointly with the financial

    institution (that is, outside the exceptions provided in sections

    --.13, --.14, and --.15). This generally means marketing by the

    nonaffiliated company.

    ---------------------------------------------------------------------------

    The language used in the disclosure table is based on Kleimann's

    research. The simplified phrases describing information sharing

    practices were continually refined through the consumer testing process

    to allow consumers to better understand the information sharing and use

    possibilities. The laws governing the disclosure of consumers' personal

    information are not easily translated into short, comprehensible

    phrases that are also legally precise. Thus, the table in some cases

    uses more easily understandable short-hand terms to describe sharing

    practices required to be in the notice. For example, the table uses the

    term "everyday business purposes" to describe the sharing

    contemplated by the exceptions in sections --.14 and --.15 of the

    privacy rule, which does not trigger opt-out rights. The research found

    that consumers understood that "everyday business purposes" means

    that companies must share in some basic ways in order to provide the

    financial products or services that consumers request. The table also

    speaks in terms of the institution's own "marketing purposes" to

    capture the idea that nearly all, if not all, financial institutions

    share information in connection with marketing their own products and

    services to their customers (for example, with a service provider such

    as a bulk mailer or data processor) in a manner that does not trigger

    an opt-out right. With respect to the reasons for information sharing

    among affiliated companies that track the FCRA provisions \31\ (the

    sharing of "transaction and experience information" and the sharing

    of "other information"), the disclosure table uses "Information

    about your creditworthiness" as a short-hand term for the statutory

    term "other information."

    ---------------------------------------------------------------------------

    \31\ See section 603(d)(2)(A) of the FCRA.

    ---------------------------------------------------------------------------

    The institution's contact information appears at the bottom of page

    one in

    [[Page 14953]]

    response to consumers' preferences expressed during testing.

    C. Page Two--Supplemental Information

    The second page provides additional explanatory information that,

    in combination with page one, ensures that the notice includes all

    elements described in the GLB Act as implemented by the privacy rule.

    There is supplemental information in the form of Frequently Asked

    Questions (FAQs) \32\ at the top and definitions below.\33\ The

    research showed that although consumers generally understood the

    concepts of certain technical words, they found that the four

    definitions on page two provided helpful additional information that

    further clarified the nature and type of information sharing by a

    financial institution. Some of the definitions include institution-

    specific information required by the GLB Act. For example, an

    institution that has affiliates must identify the categories of its

    affiliates after the definition. Likewise, an institution that has no

    affiliates can explain after the definition that it does not have

    affiliates.

    ---------------------------------------------------------------------------

    \32\ Note that financial institutions should insert their names

    as indicated in the first three questions in this section.

    \33\ The FAQ box regarding sources of information does not

    permit a financial institution to customize the sources of

    information it collects. As with the standardized terms describing

    information the institution collects on page one, see supra note ,

    the disclosure is intended to include the range of information

    sources typically used by institutions subject to the GLB Act and

    FCRA rather than the information sources used by each particular

    institution. The SEC's model form reflects additional terms in this

    box that are intended to include the range of sources of information

    typically used by brokers, dealers, investment advisers registered

    with the Commission, and investment companies.

    ---------------------------------------------------------------------------

    Examples of institution-specific information are shown for the last

    three definitions in the italicized print in both the Neptune and Mars

    forms. Thus, Neptune has affiliates with which it shares certain

    information and, under the definition of "affiliates," Neptune

    includes information in italics that describes the categories of its

    affiliates. Since Mars has no affiliates, the Mars form states "Mars

    has no affiliates."

    D. Page Three--The Opt-Out Form

    The third page provides an opt-out form, for use by those financial

    institutions that share in a manner that triggers consumer opt-out

    rights under the GLB Act or FCRA (see the proposed model privacy form

    in Appendix A and the Neptune form). Institutions using the proposed

    model form must include page three in their notices only if they (1)

    share or use information in a manner that triggers an opt-out, or (2)

    choose to provide opt-outs beyond what is required by law.

    The opt-out page lists three common methods for opting out--by

    telephone, on the Web, and by mail--and summarizes the opt-out choices

    available to the consumer in a clear and easy-to-read format that the

    research found consumers appreciated. Financial institutions that

    provide opt-out forms are not required to provide all the opt-out

    choices and methods described in the Neptune opt-out form. The Agencies

    expect that institutions may need to tailor the opt-out page to reflect

    accurately the institution's particular practices.\34\ The model form,

    for example, includes information for the customer's account number as

    a means of identifying both the customer and account to which the opt-

    out should apply. Institutions requiring consumers with multiple

    account numbers to list each account number to which the opt-out should

    apply should modify that portion of the form. Institutions requiring

    information other than an account number should modify that portion of

    the form. Institutions that allow more than 30 days from issuing the

    notice may insert that time period in place of the number "30". The

    proposed rule accordingly provides instructions explaining permissible

    variations to page three of the Neptune notice.

    ---------------------------------------------------------------------------

    \34\ See note 29. For institutions that choose to consolidate

    the 624 notice into the model form and offer this opt-out, the

    italicized language accompanying the affiliate sharing opt-out

    choice on page three of the proposed model form is required only if

    an institution wants to limit the time of the opt-out period, with 5

    years the minimum opt-out period required by the statute. Where an

    institution elects to limit the time period for which the opt-out is

    effective, it should look to the Agencies' affiliate marketing rule

    for guidance on the manner and form in which to provide any

    additional notice that would effectively permit a consumer to renew

    or extend the opt-out period.

    ---------------------------------------------------------------------------

    E. Additional Opt-Outs in the Model Form

    The third column in the disclosure table in the proposed model form

    is intended to provide flexibility for financial institutions to

    include additional opt-out choices that are not required by Federal

    law. For example, a financial institution may give its customers the

    opportunity to limit sharing for joint marketing. In that case, the

    financial institution would answer the question "Can you limit this

    sharing?" in the far right column with "Yes (Check your choices, p.

    3)" and would describe the additional opt-out choice on its opt-out

    form, for example by stating, "Do not share my personal information

    with other financial institutions to jointly market to me." Likewise,

    if a financial institution wanted to offer its customers the

    opportunity to opt out of its own marketing, it could provide for that

    option by answering "Yes" in the appropriate box of the disclosure

    table and by describing the opt-out choice on the opt-out form, for

    example by stating "Do not share [or use] my personal information to

    market to me." To obtain the safe harbor for use of the proposed model

    form, an institution that uses the disclosure table to show any

    additional opt-out choice must include the opt-out form on page three

    to provide consumers with a method for opting out. The Agencies

    specifically invite comment on other opt-outs that financial

    institutions may provide, and on whether the Agencies should provide

    model language based on the opt-out provisions provided in the proposed

    model form.

    F. Appearance of the Model Form

    In addition to the requirements that the proposed model form be

    comprehensible, clear and conspicuous, and allow for easy comparison of

    privacy practices among financial institutions, the law requires that

    the model form use an easily readable type font. The prototype notice

    developed in the Agencies' phase one research and shown here as the

    proposed model form reflects consideration of a number of

    typographical factors in the design.\35\ Type size, type style,

    leading, x-height, serif versus sans serif,\36\ upper and lower case

    type, along with the page layout--all play an important role in

    designing a typeface that is highly readable. Consumers who saw the

    prototype notice during the research process commented on how easy the

    type was to see and read.\37\

    ---------------------------------------------------------------------------

    \35\ The prototype notice developed in the consumer research is

    10 on 12 BK Avenir Book. The "10 on 12" means that the font size

    is 10 points, and the leading (that is, the additional space between

    the lines of type) is 2 points of spacing.

    \36\ Serif typeface has small strokes at the ends of the lines

    that form each letter. Sans serif typeface does not have those small

    strokes.

    \37\ Example 3 in this proposal illustrates the different font

    sizes used in the prototype notice for the title, headings, and key

    text. Thus, the word "FACTS" in the title is in 17-point type; the

    remainder of the title is in 11-point; the Why, Why, How, and

    Contact Us headings are in 14 point; the headings in the disclosure

    table, the reasons in the left column of the disclosure table, and

    the questions in the left column of the FAQs are in 10.5-point; and

    the text in the body of the form is in 10-point. This information

    shows the relative sizes of the various elements of the prototype

    and is intended only as a guide (and not a requirement) to those

    institutions that elect to use the proposed model form so that they

    can design the key elements, such as the headings and title, larger

    than the 10-point font size in the text.

    ---------------------------------------------------------------------------

    [[Page 14954]]

    All of these factors together affect the readability of a document.

    Therefore, in considering these various factors for the design of an

    easily readable type font, the Agencies are proposing 10-point font as

    the minimum type size and sufficient spacing between the lines of type

    (leading). The Agencies are further providing general guidance on type

    styles.

    Type size: The readability of type size is highly dependent on the

    selection of the type style. Some styles in 10-point font are more

    readable than others in 12-point font and appear larger because of

    their design. Accordingly, the Agencies are proposing 10-point type

    size as the minimum size for use on the model form.

    Leading: Leading is the spacing between lines of type, measured in

    points. If the line spacing is too narrow, the type is hard to read. In

    such a case, the ascenders (such as the upward line in the letter

    "h") and descenders (such as the downward line in a "g") may touch,

    blending the lines of type and making it much harder to distinguish the

    letters on the page. Research on the legibility of typography indicates

    that people read faster when text is set with 1 to 4 points of

    leading.\38\ The Agencies are proposing a requirement that the leading

    used allow for sufficient spacing between the lines, but are not

    mandating a specific amount. Nevertheless, the Agencies are providing

    these general recommendations for use with the model form: 10- or 11-

    point type should have between 1 and 3 points of leading. Twelve-point

    type should have between 2 and 4 points of leading.\39\

    ---------------------------------------------------------------------------

    \38\ Karen A. Schriver, Dynamics In Document Design, 274 (1997).

    \39\ Id. at 262; see also James Hartley, Designing Instructional

    Text (1994); and Barbara Chaparro et al., Reading Online Text: A

    Comparison of Four White Space Layouts, 6(2) (2004).

    ---------------------------------------------------------------------------

    Type style and "x"-height: Experts differ on the question of the

    most desirable type style. The model form uses both sans serif and

    "monoweight" type, and upper and lower case lettering in the body of

    the form. While much of the printed material in the United States and

    western Europe uses serif styles, Web designers are increasingly using

    sans serif type, as they have found that serif type is harder to read

    in this new medium. These changes in Web design are also beginning to

    affect font styles in printed materials. Accordingly, some typography

    designers are now using sans serif typefaces, as well as type with a

    uniform thickness throughout the letter (monoweight typeface), finding

    such typefaces easier to read than those with variable thickness. While

    a variety of type styles would be suitable for the model notice, the

    Agencies caution that institutions that use idiosyncratic fonts or

    highly stylized typefaces will not meet the model form safe harbor

    standard.

    Larger x-height \40\ makes a font appear larger and thus more

    readable, and fonts with larger x-heights are better for smaller text.

    Research shows that our eyes "scan the top of the letters' x-heights

    during the normal reading process, so that is where the primary

    identification of each letter takes place." \41\ Generally, a font

    with an x-height ratio of around .66 is easier to read.\42\

    ---------------------------------------------------------------------------

    \40\ The "x-height" is the height of the lower-case "x" in

    relation to full height letters, such as a capital G. X-height is

    critical to type legibility.

    \41\ Erik Spiekermann & E.M. Ginger, Stop Stealing Sheep & Find

    Out How Type Works, 93 (1993).

    \42\ See, e.g., Hewlett-Packard Corporation, Panose

    Classification Metrics Guide (2006), available at http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.monotypeimaging.com/productsservices/pan2.aspx.

    ---------------------------------------------------------------------------

    The Agencies are not mandating a particular type style or x-height

    in order for a financial institution to obtain a safe harbor.

    Nevertheless, based on the research, the Agencies are providing these

    general guidelines for type style in the model form: For typefaces with

    a smaller x-height, 11- or 12-point font should be used; for typefaces

    with a larger x-height, a 10-point font would be sufficient.\43\ Fonts

    that satisfy the type style and x-height guidelines for the proposed

    model form include sans serif fonts such as Tahoma, Century Gothic,

    Myriad, Avant Garde, Bk Avenir Book, ITS Franklin Gothic, Arial, and

    Gill Sans, and serif fonts such as the Chaparral Pro Family, Minion

    Pro, Garamond, Monotype Bodoni, and Monotype Century.\44\

    ---------------------------------------------------------------------------

    \43\ See Schriver, supra note at 264; see also pp. 258-59.

    \44\ A number of these font styles, including Arial, Tahoma,

    Century Gothic, Garamond, and Bodoni, are preloaded on commonly used

    operating systems with most new personal computers. The other font

    styles are commercially available as well.

    ---------------------------------------------------------------------------

    For ease of reference, the following table summarizes the

    recommendations discussed here for institutions that choose to use the

    model form and obtain the safe harbor.

    ----------------------------------------------------------------------------------------------------------------
    If                  Then use              And use                           And use font with
    ----------------------------------------------------------------------------------------------------------------
    Font is 10-point    1-3 points leading    Monoweight typeface               Large x-height sans serif (around
                                                                                .66 ratio).

    Font is 11-point    1-3 points leading    Monoweight typeface               Smaller x-height is acceptable;
                                                                                either serif or sans serif (less
                                                                                than .66 ratio is acceptable).

    Font is 12-point    2-4 points leading    Monoweight or variable typeface   Smaller x-height is acceptable;
                                                                                either serif or sans serif (less
                                                                                than .66 ratio is acceptable).
    ----------------------------------------------------------------------------------------------------------------

    G. Printing, Logos, and Color

    The Agencies recognize that financial institutions have a strong

    interest in ensuring that documents they provide to the public have a

    distinctive look that may be readily recognized by consumers. Thus, a

    financial institution that uses the proposed model form may include its

    corporate logo on any of the pages, so long as the logo design does not

    interfere with the readability of the model form or space constraints

    of each page.

    The model form used in the consumer testing was printed on 8.5 by

    11 inch non-glossy paper, using varying shades of black ink to achieve

    the black and gray tones in the published prototype. The Agencies

    propose printing each page of the model form on one side of an 8.5 by

    11 inch piece of paper so that each page of the model form can be

    viewed simultaneously. The Agencies seek comment on other formats that

    may achieve the readability and ease of use preferred by consumers.

    The Agencies propose that institutions using the model form use

    white or light color paper (such as cream) with black or suitable

    contrasting color ink. Spot color is permitted to achieve visual

    interest to the model form, so long as the color contrast is

    distinctive and the color does not detract from the form's readability.

    The Agencies seek comment on whether, how, and to what extent

    institutions that elect to use the model form will use logos and/or

    color.

    [[Page 14955]]

    III. The Sample Clauses

    The proposed model form is a standardized notice that would replace

    the Sample Clauses currently found in Appendix A of the privacy rule.

    It could be used by a financial institution at its option to comply

    with requirements for a clear and conspicuous privacy notice that meets

    the content requirements in sections --.6 and --.7 of the privacy

    rule.\45\ Research to date indicates that the language in the Sample

    Clauses is confusing, and accordingly, the Agencies propose to

    eliminate the Sample Clauses from the privacy rule.

    ---------------------------------------------------------------------------

    \45\ The Agencies are also proposing conforming amendments to

    sections --.2, --.6, and --.7 of the privacy rule and to the

    Appendix.

    ---------------------------------------------------------------------------

    However, to ease the compliance burden for those institutions that

    currently have privacy notices based on the Sample Clauses, the

    Agencies are proposing a transition period of one year after which

    financial institutions would no longer obtain a safe harbor by using

    the sample clauses. Privacy notices using the Sample Clauses that are

    delivered to consumers (either in paper form or by electronic delivery

    such as email) or, alternatively, are posted electronically to meet the

    annual notice requirement of section --.9(c), would have a safe harbor

    for one year. Privacy notices using the Sample Clauses that are

    delivered or posted electronically after the one-year transition period

    would no longer obtain the safe harbor. Since institutions are required

    to send notices annually to their customers, annual notices that are

    delivered to consumers (either in paper form or by electronic delivery

    such as email) within the transition period would continue to get the

    safe harbor until the next annual privacy notice is due one year

    later.\46\ The Sample Clauses would be rescinded one year after the

    transition period ends.

    ---------------------------------------------------------------------------

    \46\ For example, if an institution provides a notice using the

    Sample Clauses on day 361 after the effective date of the rule, it

    would continue to have the safe harbor for one year until its next

    annual notice is due. If an institution provides a notice using the

    Sample Clauses on day 369 after the effective date of the rule, it

    would not obtain the safe harbor. Privacy notices using the Sample

    Clauses posted on an institution's Web site to meet the annual

    notice requirements of section --.9(c) would no longer get the safe

    harbor beginning one year after the final rule becomes effective.

    ---------------------------------------------------------------------------

    The Agencies note that the SEC's privacy rule does not provide a

    safe harbor for financial institutions that use the Sample Clauses.

    Rather, the Sample Clauses provide guidance concerning the SEC privacy

    rule's application in ordinary circumstances.\47\ Consistent with this

    proposal, the SEC proposes that one year after the end of the

    transition period, the Sample Clauses would be rescinded and no longer

    provide guidance regarding the rule's application to financial

    institutions subject to the SEC's privacy rule.

    ---------------------------------------------------------------------------

    \47\ See SEC privacy rule, section 248.2(a). The facts and

    circumstances of each individual situation determine whether use of

    the Sample Clauses constitutes compliance with the SEC's privacy

    rule.

    ---------------------------------------------------------------------------

    IV. Proposed Effective Dates

    The provisions of the final rule will be effective [DATE OF

    PUBLICATION OF THE FINAL RULE], with the following exceptions:

    Sec. --.6, paragraph (g) will be effective [DATE OF PUBLICATION OF

    THE FINAL RULE] until [DATE 2 YEARS AFTER PUBLICATION OF THE FINAL

    RULE].

    Newly redesignated Appendix B will be effective [DATE OF

    PUBLICATION OF THE FINAL RULE] until [DATE 2 YEARS AFTER PUBLICATION OF

    THE FINAL RULE].

    V. Request for Comments

    The Agencies seek comment on all aspects of the proposed model

    form. The Agencies also invite commenters to submit any additional

    consumer research that may inform the statutory requirements.

    Commenters proposing alternative model notices or elements of a notice

    should submit any available supporting consumer research and

    documentation demonstrating that these alternatives meet the statutory

    requirements. The Agencies expect to do additional testing before

    finalizing a model form. We solicit comment on particular approaches to

    consumer testing for the Agencies to consider.

    The Agencies particularly seek comment on the following issues:

    A. Content of the Model Form

    1. Whether a commenter believes particular aspects of the form are

    not clear and conspicuous or comprehensible; and, if so, identify those

    aspects and explain in detail the basis for that conclusion.

    2. Whether financial institutions can accurately disclose their

    information sharing practices by using the standardized provisions and

    vocabulary in the proposed model form, including whether the proposed

    disclosure table provides a financial institution with sufficient

    flexibility to disclose its sharing practices, or any additional opt-

    outs it offers, including a detailed explanation of why or why not.

    3. The extent to which modifications to the opt-out form are

    necessary for a financial institution to describe its information

    practices accurately, facilitate consumer use of the opt-out form, or

    offer additional opt-outs, including an explanation of the

    modifications that could be made to page one and/or page three in

    accordance with legal requirements and the intent to keep the table on

    the first page of the form.

    4. The extent to which financial institutions intend to incorporate

    the FCRA section 624 disclosure and opt-out for affiliate marketing in

    the model form, with an explanation of why or why not, and the time

    period they may offer to consumers for the opt-out period.

    5. Whether financial institutions should be required to alert

    consumers to changes in an institution's privacy practices as part of

    the model form.

    B. Format of the Model Form

    1. Whether each page of the proposed model form should be required

    to be on a separate piece of paper or whether another format could also

    allow consumers to readily see all the information in the model form at

    the same time.

    2. Whether the guidance on easily readable type font in the

    instructions is helpful and/or sufficient for institutions that use the

    proposed model form.

    3. What size paper would be appropriate for the model form while

    conforming to the guidance for easily readable type font and layout.

    4. Whether financial institutions want to use color and/or logos on

    the proposed model form, and the manner and extent to which they would

    use them without conflicting with readability of the form and space

    requirements.

    C. Additional Information

    1. The extent to which financial institutions subject to the GLB

    Act are likely to use the proposed model form, including a detailed

    explanation of why the commenter does or does not expect financial

    institutions to use the form.

    2. Particular approaches to additional consumer testing of the

    model form that the Agencies should consider.

    3. The proposal to replace the Sample Clauses with the proposed

    model form, including--(1) the transition period after which use of

    these clauses no longer qualifies for a safe harbor, or, for

    institutions subject to the SEC's privacy rule, guidance concerning the

    rule's application and (2) whether the Agencies should retain Sample

    Clauses A-1, A-3, and A-7, or develop model clauses to replace those

    sample clauses, for use as a safe harbor only by those institutions

    that provide the simplified notice described in section --.6(c)(5)

    (NCUA 716.6(e)(5)) of the privacy rule.

    4. Whether the Agencies should develop a Web-based design for those

    [[Page 14956]]

    financial institutions that would like to use an electronic version of

    the proposed model form, and if so, whether institutions have

    suggestions for particular design and/or technical considerations.

    5. Whether the Agencies should develop and make available on their

    Web sites a readily accessible and downloadable model form with

    "fillable" fields for institutions that wish to use the model form to

    create their own privacy notices; if so, whether institutions would use

    this downloadable model form; and whether it would be useful,

    particularly for smaller institutions that want to obtain the safe

    harbor.

    6. Whether an SEC-regulated entity and an affiliated institution

    regulated by another Agency that intend to provide a joint privacy

    notice should be able to choose to rely on either the SEC model privacy

    form or the model privacy form proposed by the other Agency.\48\

    ---------------------------------------------------------------------------

    \48\ As noted above, see supra notes 26, 33, the SEC model

    privacy form provides slightly modified terms on pages one and two

    of the model form, which include the range of information typically

    collected by brokers, dealers, investment advisers registered with

    the SEC, and investment companies.

    ---------------------------------------------------------------------------

    7. The Agencies are aware that many institutions, but not all,

    currently request the customer to provide his or her account number or

    Social Security number (or other personal information, separately or in

    conjunction with such information) in order to opt out, whether by

    toll-free telephone, by electronic means such as e-mail, or by regular

    mail. Do institutions need that information in order to process opt-out

    requests, or would the customer's name and address alone, or the

    customer's name, address, and a truncated account number for a single

    account, be sufficient to process opt-out requests, including for

    customers with multiple accounts at the same institution? Should the

    Agencies consider omitting a line for such information on the opt-out

    page for the model privacy form in order to better protect customers

    and make it easier to opt out? Alternatively, should the opt-out page

    on the model form contain a line for a truncated account number or

    other identifying information?

    The SEC specifically requests the following additional comment from

    its regulated entities:

    1. Whether the standardized provisions and vocabulary in the

    proposed model form for SEC-regulated financial institutions are

    sufficient to allow these financial institutions accurately to disclose

    their information sharing practices, and specifically on the terms used

    in: (a) the description of the types of personal information that may

    be collected (in the key frame on page one), and (b) the examples of

    sources of information collection (in the FAQ on sharing practices on

    page two). The SEC requests that commenters who believe the proposed

    terms are not sufficient suggest alternative or additional terms that

    would be more accurate and explain why those terms would more

    accurately reflect typical information collection and sharing practices

    for brokers, dealers, investment advisers registered with the SEC, and

    investment companies.

    2. Whether institutions should be able to omit certain terms that

    may not apply to their information collection practices or their

    sources of information.

    VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act ("RFA"), 5 U.S.C. 601-612,

    requires an agency to provide an Initial Regulatory Flexibility

    Analysis ("IRFA") with a proposed rule and a Final Regulatory

    Flexibility Analysis ("FRFA") with the final rule, if any, unless the

    agency certifies that the rule would not have a significant economic

    impact on a substantial number of small entities. See 5 U.S.C. 603-605.

    Because the use of the model form issued in this proposal is optional,

    the Agencies do not expect that the rule will have a significant

    economic impact on a substantial number of small entities. However,

    because the statute creates a new safe harbor for institutions by

    replacing the Sample Clauses in the current rule with a model form, we

    have determined that it is appropriate to publish the following IRFA in

    order to inquire into the impact of the proposed rule on small

    entities.

    A. Reasons for the Proposed Action

    The Agencies are issuing this proposed rule for comment because the

    Regulatory Relief Act specifically requires them, no later than April

    11, 2007, to publish for comment a model form that financial

    institutions may use as a safe harbor to satisfy their notice

    requirements under the Agencies' existing privacy rule.

    B. Objectives of, and Legal Basis for, the Proposed Action

    The goal of the proposed amendments is to satisfy the requirements

    of section 728 of the Regulatory Relief Act, which requires that the

    Agencies propose a model form that is comprehensible, clear and

    conspicuous, and succinct. The final model form that the Agencies adopt

    after reviewing comments would, if properly used, serve as a safe

    harbor for satisfying the privacy rule's requirements regarding content

    of privacy notices. The Act also requires that the proposed model form

    enable consumers easily to identify a financial institution's sharing

    practices and compare it with others.

    As indicated in Section I of this release, the amendments to

    Appendix A of the Agencies' privacy rule are proposed pursuant to the

    authority set forth in Sec. 503 (as amended by section 728 of the

    Regulatory Relief Act) and Sec. 504 of the GLB Act.\49\

    ---------------------------------------------------------------------------

    \49\ The SEC also is proposing the amendments under section 504

    of the GLB Act [15 U.S.C. 6804], section 23 of the Securities

    Exchange Act of 1934 [15 U.S.C. 78w], section 38(a) of the

    Investment Company Act of 1940 [15 U.S.C. 80a-37(a)], and section

    211 of the Investment Advisers Act of 1940 [15 U.S.C. 80b-11].

    The CFTC also is proposing the amendments under Section 504 of

    the GLB Act [15 U.S.C. 6804], and Sections 5g and 8a(5) of the

    Commodity Exchange Act [7 U.S.C. 7b-2, 12a(5)].

    ---------------------------------------------------------------------------

    C. Small Entities Subject to the Proposed Rule Amendments

    The proposed amendments to Appendix A and conforming amendments to

    sections --.2, --.6, and --.7 of the Agencies' privacy rules could

    potentially affect financial institutions, including financial

    institutions that are small businesses or small organizations, that

    choose to rely on the proposed model privacy form as a safe harbor.

    1. OCC. The OCC estimates that 1,050 insured national banks,

    uninsured national banks and trust companies, and foreign branches and

    agencies are small entities for purpose of the Regulatory Flexibility

    Act.

    2. Board. The Board estimates that 473 state member banks are small

    entities for purposes of the Regulatory Flexibility Act.

    3. FDIC. The FDIC estimates that 3,302 state nonmember banks are

    small entities for purposes of the Regulatory Flexibility Act.

    4. OTS. The OTS estimates that 429 small savings associations are

    small entities for purposes of the Regulatory Flexibility Act.

    5. NCUA. The Regulatory Flexibility Act requires NCUA to prepare an

    analysis to describe any significant economic impact a regulation may

    have on a substantial number of small credit unions (primarily those

    under $10 million in assets). The NCUA estimates that 3,805 credit

    unions are small entities for purposes of the Regulatory Flexibility

    Act.

    6. FTC. Determining a precise estimate of the number of small

    entities that are financial institutions within the meaning of the

    proposed rule is not readily feasible. The GLB Act does not identify

    for purposes of the Commission's jurisdiction any specific

    [[Page 14957]]

    category of financial institution. In the absence of such information,

    there is no way to estimate precisely the number of affected entities

    that share nonpublic personal information with nonaffiliated third

    parties or that establish customer relationships with consumers and

    therefore assume greater disclosure obligations.

    7. CFTC. The CFTC is unable to determine a precise estimate of its

    registrants that are small entities, or that would be using the model

    form.

    8. SEC. The SEC estimates that 911 broker-dealers, 210 investment

    companies registered with the Commission, and 710 investment advisers

    registered with the Commission are small entities for purposes of the

    Regulatory Flexibility Act.\50\

    ---------------------------------------------------------------------------

    \50\ For purposes of the Regulatory Flexibility Act, under the

    Securities Exchange Act of 1934 a small entity is a broker or dealer

    that (i) had total capital of less than $500,000 on the date in its

    prior fiscal year as of which its audited financial statements were

    prepared or, if not required to file audited financial statements,

    on the last business day of its prior fiscal year, and (ii) is not

    affiliated with any person that is not a small entity. 17 CFR 240.0-

    1. Under the Investment Company Act of 1940, a "small entity" is

    an investment company that, together with other investment companies

    in the same group of related investment companies, has net assets of

    $50 million or less as of the end of its most recent fiscal year. 17

    CFR 270.0-10. Under the Investment Advisers Act of 1940, a small

    entity is an investment adviser that "(i) manages less than $25

    million in assets, (ii) has total assets of less than $5 million on

    the last day of its most recent fiscal year, and (iii) does not

    control, is not controlled by, and is not under common control with

    another investment adviser that manages $25 million or more in

    assets, or any person that had total assets of $5 million or more on

    the last day of the most recent fiscal year." 17 CFR 275.0-7.

    ---------------------------------------------------------------------------

    Because use of the model privacy form would be entirely voluntary,

    the Agencies have no way to estimate how many small financial

    institutions would use it.\51\ The Agencies expect, however, that small

    financial institutions, particularly those that do not have permanent

    staff available to address compliance matters associated with the

    privacy rule, would be relatively more likely to rely on the model

    privacy form than larger institutions. We believe that most financial

    institutions currently have legal counsel review their privacy notices

    for compliance with the GLB Act, the FCRA, and the privacy rule. We

    believe that a financial institution that uses the model form for its

    privacy notice would need little, if any, review by legal counsel

    because the proposed regulation does not permit institutions to vary

    the form to obtain the benefit of a safe harbor, except as necessary to

    identify their sharing and opt-out policies.

    ---------------------------------------------------------------------------

    \51\ The Agencies have requested comment on the likelihood that

    financial institutions would use the model privacy form. See supra

    section V.

    ---------------------------------------------------------------------------

    D. Reporting, Recordkeeping, and Other Compliance Requirements

    The proposed rule does not itself impose any additional

    recordkeeping, reporting, disclosure, or compliance requirements.

    Financial institutions, including small entities, have been required to

    provide notice to consumers about the institution's privacy policies

    and practices since July 1, 2001 (or March 31, 2002 in the case of the

    CFTC). The proposed amendments would not affect these requirements and

    financial institutions would be under no obligation to modify their

    current privacy notices as a result of the proposed amendments.

    Instead, the amendments propose a specific model privacy form that a

    financial institution may use to comply with notice requirements under

    the GLB Act, the FCRA (as amended by the FACT Act), and the privacy

    rule. Nonetheless, if the proposed amendments are adopted, some of the

    financial institutions that rely on the Sample Clauses in the current

    privacy rules' appendixes may wish to transition to the proposed model

    form and may incur some small, incremental costs in making this

    transition.\52\ The Agencies expect, however, that the availability of

    a standardized model form would offset these costs because the form's

    standardized formatting and language would make it easier for

    institutions to prepare and revise their privacy policies.

    ---------------------------------------------------------------------------

    \52\ We believe that institutions review their privacy policies

    annually, and the costs associated with this annual review,

    including professional costs, for compliance are likely to be the

    same as the costs to complete the proposed model form.

    ---------------------------------------------------------------------------

    E. Duplicative, Overlapping, or Conflicting Federal Rules

    We believe there are no federal rules that duplicate, overlap, or

    conflict with the proposed amendments. In fact, the Agencies have

    designed the model form so that a financial institution may use it to

    satisfy disclosure requirements for both the GLB Act and the FCRA (as

    amended by the FACT Act).

    F. Significant Alternatives

    The RFA directs the Agencies to consider significant alternatives

    that would accomplish the stated objectives, while minimizing any

    significant adverse impact on small entities. In connection with the

    proposed amendments, we considered the following alternatives:

    1. Different reporting or compliance standards. As noted above, the

    Regulatory Relief Act requires the Agencies to publish "a" model form

    that, among other things, will facilitate comparison of the information

    sharing practices of different financial institutions. In light of

    these statutory requirements, the Agencies are proposing only one model

    form, which includes alternative language in some places that allows a

    financial institution to accurately describe its particular information

    sharing practices. The specific model form that the Agencies are

    proposing was developed as part of a careful and thorough consumer

    testing process designed to produce a clear, comprehensible, and

    comparable notice. The proposed model form emerged as the most

    effective of several notice formats considered as part of this testing.

    Although the Agencies know of no other model privacy notice that has

    been developed in this manner, we are specifically inviting comments

    about alternative model notices or elements of notices, along with

    supporting research and documentation. The Agencies will carefully

    consider any such submissions before adopting a final model form.

    2. Clarification, consolidation, or simplification of reporting and

    compliance requirements. The Agencies believe that the proposed model

    form would simplify the reporting requirements for all entities,

    including small entities, that choose to use the model form. We

    anticipate that financial institutions that choose to use the proposed

    model form would spend less time preparing notices than if they had to

    draft one on their own. Because the model form was developed as part of

    a consumer testing process, it is difficult for the Agencies to further

    clarify, consolidate, or simplify the model notice without compromising

    the research findings.

    3. Performance rather than design standards. Section 728 of the

    Regulatory Relief Act specifically requires that the Agencies propose a

    model form. The model form is an alternative means of providing a

    privacy notice that institutions may choose to use. The privacy rule

    does not mandate the format of privacy notices; thus neither the rule

    nor the proposed amendment would impose a design standard.

    4. Exempting small entities. We believe that an exemption for small

    entities would not be appropriate or desirable. The Agencies note that

    the model form is available for use at the discretion of all financial

    institutions, including small institutions. Moreover, two key

    objectives of the proposed model form are that (1) consumers can

    understand an institution's information sharing practices and (2) they

    may more

    [[Page 14958]]

    easily compare financial institutions' sharing practices and policies

    across privacy notices. An exemption for small entities would directly

    conflict with both of these key objectives, particularly enabling

    comparison across notices.

    G. Solicitation of Comments

    We encourage the submission of comments with respect to any aspect

    of this IRFA. In particular, we request comments regarding: (i) The

    number of small entities that would be affected by the proposed

    amendments; (ii) the existence or nature of the potential impact of the

    proposed amendments on small entities discussed in the analysis; (iii)

    how to quantify the impact of the proposed amendments; and (iv) the

    consideration of alternatives. Commenters are asked to describe the

    nature of any impact and provide empirical data supporting the extent

    of the impact. As noted above in Section V, the Agencies specifically

    request comment on whether a downloadable version of the proposed model

    form would be useful for financial institutions, and particularly small

    entities that would like to take advantage of the safe harbor. All

    comments on this IRFA will be considered in the preparation of the

    Final Regulatory Flexibility Analysis, if the proposed amendments are

    adopted.

    VII. Paperwork Reduction Act

    The final rules governing the privacy of consumer financial

    information contain disclosures that are considered collections of

    information under the Paperwork Reduction Act (PRA, 44 U.S.C. 3501 et

    seq.). Before the Agencies issued their privacy rules, they obtained

    approval from OMB for the collections. OMB control numbers for the

    collections appear below. These proposed rules do not introduce any new

    collections of information into the Agencies' privacy rules, nor do

    they amend the rules in a way that substantively modifies the

    collections of information that OMB has approved. Therefore, no PRA

    submissions to OMB are required.

    OCC: Control number 1557-0216.

    Board: Control number 7100-0294.

    FDIC: Control number 3064-0136.

    OTS: Control number 1550-0103.

    NCUA: Control number 3133-0163 (NCUA in separate submissions to OMB

    is currently in the process of requesting reinstatement, with revisions

    due to the decrease in the number of respondent credit unions, to this

    number.)

    FTC: Control number 3084-0121.

    SEC: Control number 3235-0537.

    CFTC: Control number 3038-0055.

    OCC and OTS Executive Order 12866 Determination

    The OCC and OTS each has determined that its portion of the

    proposed rulemaking is not a significant regulatory action under

    Executive Order 12866.

    OCC and OTS Executive Order 13132 Determination

    The OCC and OTS each has determined that its portion of the

    proposed rulemaking does not have any federalism implications, as

    required by Executive Order 13132.

    NCUA Executive Order 13132 Determination

    Executive Order 13132 encourages independent regulatory agencies to

    consider the impact of their actions on State and local interests. In

    adherence to fundamental federalism principles, the NCUA, an

    independent regulatory agency as defined in 44 U.S.C. 3502(5),

    voluntarily complies with the Executive Order. The proposed rule would

    not have substantial direct effects on the States, on the connection

    between the national government and the States, or on the distribution

    of power and responsibilities among the various levels of government.

    The NCUA has determined that this proposed rule does not constitute a

    policy that has federalism implications for purposes of the Executive

    Order.

    OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

    Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law

    104-4 (Unfunded Mandates Act) requires that an agency prepare a

    budgetary impact statement before promulgating a rule that includes a

    Federal mandate that may result in expenditure by State, local, and

    tribal governments, in the aggregate, or by the private sector, of $100

    million or more in any one year. If a budgetary impact statement is

    required, section 205 of the Unfunded Mandates Act also requires an

    agency to identify and consider a reasonable number of regulatory

    alternatives before promulgating a rule. However, the Unfunded Mandates

    Act provisions do not apply to regulations that incorporate

    requirements specifically set forth in law. Because this notice of

    proposed rulemaking is issued pursuant to section 728 of the Regulatory

    Relief Act, the OTS and OCC are not required to conduct an Unfunded

    Mandates Analysis for this rulemaking. Nevertheless, the OCC and OTS

    each has determined that this proposed rule will not result in

    expenditures by State, local, and tribal governments, or by the private

    sector, of $100 million or more. Accordingly, neither the OCC nor the

    OTS has prepared a budgetary impact statement or specifically addressed

    the regulatory alternatives considered.

    SEC Cost Benefit Analysis

    The SEC is sensitive to the costs and benefits imposed by its

    rules. As discussed above, the amendments the Agencies are proposing

    today would replace the sample clauses included in Regulation S-P's

    Appendix A (17 CFR part 248, appendix A) with a model privacy form that

    financial institutions could choose to provide to consumers. The

    proposed amendments are designed to implement section 728 of the

    Regulatory Relief Act. This Act directs the Agencies to "jointly

    develop a model form which may be used, at the option of the financial

    institution, for the provision of disclosures under [section 503 of the

    GLB Act]." Use of the model form would be voluntary so a financial

    institution could itself determine the benefits and costs in deciding

    whether using the model form would be suitable for its business and

    customers. Moreover, a financial institution that elected to use the

    model privacy form would benefit from the safe harbor it provides for

    disclosures required under the GLB Act. There would be no incremental

    costs of the information requirements for the proposed model privacy

    form because the disclosures are already required under Regulation S-P.

    However, financial institutions could incur some personnel costs in

    implementing the proposed model form. We expect these would be minimal

    because the language and format in the form are standardized and

    particularly if the form could be downloaded from a Web site.\53\

    Financial institutions can only customize very limited sections of the

    model privacy form. Insofar as the Sample Clauses in current Regulation

    S-P may have some value to some financial institutions, their phase-out

    under the proposed amendments to the rule could create some costs to

    those institutions. If financial institutions, including SEC-regulated

    institutions, make widespread use of the model privacy form, we

    anticipate that consumers will benefit from notices that are more

    comprehensible and easier to compare and use.

    ---------------------------------------------------------------------------

    \53\ We have asked for comment in section V on whether a

    downloadable version of the model form would be useful.

    ---------------------------------------------------------------------------

    [[Page 14959]]

    A. Benefits

    We anticipate that brokers, dealers, investment advisers registered

    with the SEC, and investment companies would benefit from the proposed

    model privacy form's standardized formatting and language. The notice

    requirements of Regulation S-P have been effective since July 1, 2001,

    and would not be altered by the proposed amendments, but new brokers,

    dealers, investment companies, and registered investment advisers would

    be able to use the model privacy form without investing the time and

    resources previously necessary to develop their own notices. We believe

    that institutions currently review their Regulation S-P privacy

    policies annually. To the extent that these institutions are required

    to change their policies to reflect changes in their privacy practices,

    they may find it easier to use the proposed model privacy form as a

    revised or annual privacy notice rather than to revise their existing

    notices. In addition, the SEC expects that revisions to an

    institution's privacy policies would be easier to record in the model

    form's standardized format. The SEC also anticipates that a financial

    institution that chooses to use the model notice would need little, if

    any, ongoing review by legal counsel because an institution cannot vary

    the form except as necessary to identify certain specific sharing and

    opt-out policies.

    Appendix A of Regulation S-P currently contains sample clauses that

    the SEC has said provide guidance in ordinary circumstances. The SEC

    has said, however, that the "facts and circumstances of each

    individual situation" will determine whether "use of a sample

    clause" constitutes compliance.\54\ In contrast, if the proposed

    amendments are adopted, SEC-regulated institutions would benefit from

    the certainty that proper use of the model notice entitles them to a

    safe harbor for disclosures required under the GLB Act and FCRA.

    ---------------------------------------------------------------------------

    \54\ See 17 CFR 248.2(a).

    ---------------------------------------------------------------------------

    Finally, as discussed more fully in section I.B above, the proposed

    model form was developed in an extensive consumer research testing

    process that evaluated consumers' ability to comprehend, use, and

    compare privacy notices. The SEC anticipates therefore that if

    financial institutions choose to use the proposed model form,

    consumers' comprehension and their ability to use and compare privacy

    policies would be enhanced. Institutions also might benefit from

    consumers' enhanced ability to understand and use the notices to the

    extent that consumers have more trust and confidence in an

    institution's privacy policies because the consumers understand those

    policies.

    B. Costs

    While the proposed amendments would not affect Regulation S-P's

    substantive requirements, and financial institutions would be under no

    obligation to modify their current privacy notices, we believe that

    financial institutions that elect to use the model privacy form could

    incur some small, incremental costs in making the transition from their

    current notices to the proposed model form. These costs could include

    staff time to review the model form and its instructions and complete

    the proposed form. As noted above, we anticipate there would be minimal

    computer costs associated with using the form, particularly if the form

    could be downloaded from a Web site. We also believe that a financial

    institution that would use the model privacy form would need little, if

    any, review by legal counsel because almost all the disclosures in the

    form are mandated. Institution-specific information consists of contact

    information, "yes" or "no" answers and brief descriptions, as

    necessary, of the types of entities with which they share information.

    Moreover, we believe that financial institutions currently review their

    privacy policies annually, and we anticipate that the costs associated

    with this annual review would likely be the same as the costs of

    completing the model form. Although there may be some costs to firms

    that currently rely on the sample clauses for guidance in preparing

    their privacy notices, we expect those costs to be minimal. As noted

    above, we believe that financial institutions take approximately the

    same time to prepare a notice using the proposed form as they currently

    take to review annual notices. Moreover, the Agencies are proposing to

    give financial institutions one year in which they can continue to rely

    on the Sample Clauses as guidance, which should allow time to minimize

    the costs of transition for institutions that would transition to the

    model privacy form. The SEC requests commenters to provide data on

    these and any other costs of transition or implementation, and to

    specify the type of financial institution (broker, dealer, investment

    adviser registered with the Commission, or investment company) that

    would incur the estimated costs.

    As discussed above, we cannot estimate the number of institutions

    that would take advantage of the safe harbor. Accordingly, we cannot

    estimate the overall costs to broker-dealers, investment advisers

    registered with the Commission, and investment companies that may use

    the proposed model form.

    C. Request for Comments

    The SEC requests comment on the potential costs and benefits of the

    proposed amendments to Appendix A of Regulation S-P. The SEC

    specifically requests comment on the costs of each item discussed above

    that institutions could incur in using the model form and whether any

    of those costs would differ if the form were downloadable from a Web

    site. Commenters should specify the type of institution associated with

    estimates of cost and benefits. The SEC encourages commenters to

    identify, discuss, analyze, and supply relevant data regarding any

    additional costs and benefits. For purposes of the Small Business

    Regulatory Enforcement Fairness Act of 1996,\55\ the SEC also requests

    information regarding the potential impact of the proposals on the U.S.

    economy on an annual basis.

    ---------------------------------------------------------------------------

    \55\ Pub. L. 104-121, Title II, 110 Stat. 857 (1996).

    ---------------------------------------------------------------------------

    SEC Consideration of Burden on Competition

    Securities Exchange Act Section 23(a)(2) requires the SEC, in

    adopting rules under that Act, to consider the impact that any such

    rule would have on competition.\56\ Section 23(a)(2) also prohibits the

    SEC from adopting any rule that would impose a burden on competition

    not necessary or appropriate in furtherance of the purposes of the

    Securities Exchange Act.

    ---------------------------------------------------------------------------

    \56\ See 15 U.S.C. 78w(a)(2).

    ---------------------------------------------------------------------------

    As discussed above, the proposed amendments to Regulation S-P,

    including the proposed model form, are designed to comply with section

    728 of the Regulatory Relief Act, mandating that the Agencies propose a

    model form that is comprehensible, clear and conspicuous, and succinct.

    If adopted, SEC-regulated institutions would be able to use the model

    form in order to comply with the notice requirements under the GLB Act,

    the FCRA, and Regulation S-P.

    The SEC does not expect the proposed amendments to have a

    significant impact on competition, and believes that any effect on

    competition would be favorable. Use of the proposed model form would be

    voluntary, permitting a financial institution to determine whether

    using the model form would enhance its competitive position. All

    brokers and dealers, investment companies, and registered investment

    advisers would be able to use the model form and take advantage of the

    safe

    [[Page 14960]]

    harbor. Other financial institutions would be able to use the form and

    take advantage of the safe harbor under comparable rules proposed by

    the other Agencies. Under the Regulatory Relief Act, the Agencies have

    worked in consultation in order to ensure the consistency and

    comparability of the proposed amendments. Therefore, all financial

    institutions would have the same opportunity to use the model form and

    rely on the safe harbor.

    Further, if financial institutions choose to use the proposed model

    form, the proposed amendments could promote competition by enabling

    consumers more easily to understand and compare competing institutions'

    privacy policies. The SEC also anticipates that the proposed model

    form's standardized formatting would reduce the relative burden of

    compliance on smaller financial institutions, allowing them to compete

    more effectively with larger institutions that are more likely to have

    a dedicated compliance staff. As such, the SEC expects any small impact

    on competition caused by the proposed amendments would be beneficial.

    We request comment on whether the proposal, if adopted, would have an

    impact or burden on competition. Commenters are requested to provide

    empirical data and other factual support for their views if possible.

    NCUA: The Treasury and General Government Appropriations Act, 1999--

    Assessment of Federal Regulations and Policies on Families

    The NCUA has determined that this proposed rule would not affect

    family well-being within the meaning of section 654 of the Treasury and

    General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat.

    2681 (1998).

    CFTC Cost-Benefit Analysis

    Section 15 of the Commodity Exchange Act requires the CFTC to

    consider the costs and benefits of its action before issuing a new

    regulation under the Act. The CFTC understands that, by its terms,

    section 15 does not require the CFTC to quantify the costs and benefits

    of a new regulation or to determine whether the benefits of the

    proposed regulation outweigh its costs. Nor does it require that each

    proposed rule be analyzed piecemeal or in isolation when that rule is a

    component of a larger package of rules or rule revisions. Rather,

    section 15 simply requires the CFTC to "consider the costs and

    benefits" of its action.

    Section 15 further specifies that costs and benefits shall be

    evaluated in light of five broad areas of market and public concern:

    Protection of market participants and the public; efficiency,

    competitiveness, and financial integrity of futures markets; price

    discovery; sound risk management practices; and other public interest

    considerations. Accordingly, the CFTC could in its discretion give

    greater weight to any one of the five enumerated areas of concern and

    could in its discretion determine that, notwithstanding its costs, a

    particular rule was necessary or appropriate to protect the public

    interest or to effectuate any of the provisions or to accomplish any of

    the purposes of the Act.

    The CFTC has considered the costs and benefits of the proposed

    model form as a totality. The form provides a voluntary alternative

    means of complying with existing requirements of the privacy provisions

    of the GLB Act and section 5g of the CEA, and thus imposes no mandatory

    new costs. The CFTC solicits comment on the transitional costs that may

    be incurred by institutions electing to use the model form, including

    costs in addition to those already imposed. The CFTC believes that the

    model form should benefit futures industry consumer customers in better

    understanding a financial institution's privacy policies, and may

    facilitate customers in comparing the privacy policies of financial

    institutions. The Commission invites public comment on its application

    of the cost-benefit provision. Commenters also are invited to submit

    any data that they may have quantifying the costs and benefits of the

    proposed rules with their comment letters.

    List of Subjects

    12 CFR Part 40

    Banks, banking, Consumer protection, National banks, Privacy,

    Reporting and recordkeeping requirements.

    12 CFR Part 216

    Banks, banking, Consumer protection, Foreign banking, Holding

    companies, Privacy, Reporting and recordkeeping requirements.

    12 CFR Part 332

    Banks, banking, Consumer protection, Foreign banking, Privacy,

    Reporting and recordkeeping requirements.

    12 CFR Part 573

    Consumer protection, Privacy, Reporting and recordkeeping

    requirements, Savings associations.

    12 CFR Part 716

    Consumer protection, Credit unions, Privacy, Reporting and

    recordkeeping requirements.

    16 CFR Part 313

    Consumer protection, Credit, Privacy, Reporting and recordkeeping

    requirements, Trade practices.

    17 CFR Part 160

    Brokers, Consumer protection, Privacy, Reporting and recordkeeping

    requirements.

    17 CFR Part 248

    Brokers, Consumer protection, Investment companies, Privacy,

    Reporting and recordkeeping requirements, Securities.

    Office of the Comptroller of the Currency

    12 CFR Chapter I

    Authority and Issuance

    For the reasons set forth in the joint preamble, part 40 of chapter

    I of title 12 of the Code of Federal Regulations is proposed to be

    revised as follows:

    PART 40--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    1. The authority citation for part 40 continues to read as follows:

    Authority: 12 U.S.C. 93a; 15 U.S.C. 6801 et seq.

    2. Revise Sec. 40.2 to read as follows:

    Sec. 40.2 Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 40.6 and 40.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    3. In Sec. 40.6, revise paragraph (f) and add paragraph (g) to

    read as follows:

    Sec. 40.6 Information to be included in privacy notices.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 40.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to

    the extent applicable, constitutes compliance with this part.

    [[Page 14961]]

    4. In Sec. 40.7, add paragraph (i) to read as follows:

    Sec. 40.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 40.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    5. Redesignate Appendix A as Appendix B.

    6. Add new Appendix A to read as follows:

    Appendix A to Part 40--Model Privacy Form

    A. The Model Privacy Form

    [GRAPHIC] [TIFF OMITTED] TP29MR07.006

    [[Page 14962]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.007

    [[Page 14963]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.008

    B. General Instructions

    1. How the Model Privacy Form Is Used

    The model form may be used, at the option of a financial

    institution, including a group of financial holding company

    affiliates that use a common privacy notice, to meet the content

    requirements of the privacy notice and opt-out notice set forth in

    sections 40.6 and 40.7 of this part.

    (Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.)

    2. The Contents of the Model Privacy Form

    The model form consists of two or three pages, depending on

    whether a financial institution shares in a manner that requires it

    to provide a third page with opt-out information.

    (a) Page One. The first page consists of the following

    components:

    (1) The title.

    (2) The key frame (Why?, What?, How?).

    (3) The disclosure table ("Reasons we can share your personal

    information").

    (4) Contact information.

    (b) Page Two. The second page consists of the following

    components:

    (1) The title.

    (2) The Frequently Asked Questions on sharing practices.

    (3) The definitions.

    (c) Page Three. The third page consists of a financial

    institution's opt-out form.

    3. The Format of the Model Privacy Form

    The model form is a standardized form, including page layout,

    page content, format, style, pagination, and shading. No other

    information may be included in the model form, and the model form

    may be modified only as described below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. Easily

    readable type font includes a minimum of 10-point font and

    sufficient spacing between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on one side of an 8.5 by 11 inch paper in portrait

    orientation.

    (d) Color. The model form may be printed on white or light color

    paper (such as cream) with black or suitable contrasting color ink.

    Spot color may be used to achieve visual interest, so long as the

    color contrast is distinctive and the color does not detract from

    the readability of the model form.

    [[Page 14964]]

    C. Information Required in the Model Privacy Form

    The model form is a standardized form, and institutions seeking

    to obtain the safe harbor through use of the model form may modify

    the form only as described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Include the name of the financial institution or group of

    affiliated institutions providing the notice on the form wherever

    [name of financial institution] appears. Contact information, such

    as the institution's toll-free telephone number, Web address, or

    mailing address, or other contact information, should be inserted as

    appropriate, wherever [toll-free telephone] or [web address] or

    [mailing address] appear.

    2. Page One

    (a) General instructions for the disclosure table. There are

    reasons for sharing or using personal information listed in the left

    column of the disclosure table. Each of these reasons correlates to

    certain legal provisions described below. In the middle column, each

    institution must provide a "Yes" or "No" response in each box

    that accurately reflects its information sharing policies and

    practices with respect to the reason listed on the left. Each

    institution also must complete each box in the right column as to

    whether a consumer can limit such sharing. If an institution answers

    "No" to sharing for a particular reason in the middle column, it

    must answer "We don't share" in the corresponding right column. If

    an institution answers "Yes" to sharing for a particular reason in

    the middle column, it must, in the right column, answer either

    "No" if it does not offer an opt-out or "Yes (Check your choices,

    p.3)" if it does offer an opt-out. Except for the sixth row ("For

    our affiliates to market to you"), an institution must list all

    reasons for sharing, and complete the middle and right columns of

    the disclosure table.

    (b) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. Because all financial

    institutions share information for everyday business purposes, as

    contemplated by sections 40.14 and 40.15 of this part, the financial

    institution must answer "Yes" to the sharing of such information

    and "No" to the availability of an opt-out.

    (2) For our marketing purposes. The financial institution must

    answer "Yes" or "No" in the middle column. An institution that

    does not share for this reason must answer "We don't share" in the

    right column. An institution that shares for this reason may or may

    not elect to provide an opt-out and must provide the corresponding

    answer in the right column as described in paragraph C.2.(a) of this

    Instruction. This provision includes service providers contemplated

    by section 40.13 of this part.

    (3) For joint marketing with other financial companies. As

    contemplated by section 40.13 of this part, the financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that shares for

    this reason may or may not elect to provide an opt-out and must

    provide the corresponding answer in the right column as described in

    paragraph C.2.(a) of this Instruction.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This provision applies to

    sharing of certain information with an institution's affiliates, as

    contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The

    financial institution must answer "Yes" or "No" in the middle

    column. An institution that does not share for this reason must

    answer "We don't share" in the right column. An institution that

    does not have any affiliates will also use this answer. Institutions

    that share for this reason may or may not elect to provide an

    opt-out and must provide the corresponding answer in the right column as

    described in paragraph C.2.(a) of this Instruction.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This provision applies to the sharing of

    certain information with an institution's affiliates, as

    contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that does not have

    any affiliates will also use this answer. Institutions that share

    for this reason must provide an opt-out and must provide the

    appropriate answer in the right column as described in paragraph

    C.2.(a) of this Instruction.

    (6) For our affiliates to market to you. This provision applies

    to information shared among affiliates that is used by those

    affiliates for marketing, as contemplated by section 624 of the

    FCRA. Following the effective date of the rules implementing section

    624, institutions that elect to incorporate this provision into the

    model form to satisfy their obligations under this part must include

    this reason for sharing as set forth in the model form in order to

    obtain the benefit of the safe harbor. Institutions whose affiliates

    receive such information and use it for marketing must answer

    "Yes" in the middle column, and "Yes (Check your choices, p.3)"

    in the right column corresponding to the availability of an opt-out.

    Institutions whose affiliates receive such information and do not

    use it for marketing may elect to include this provision in the

    model form and answer "No" in the middle column and "We don't

    share" in the right column; however, institutions whose affiliates

    receive such information and do not use it for marketing are not

    required to use this provision. Institutions that do not have

    affiliates and elect to include this provision in their notice will

    answer "No" in the middle column and "We don't share" in the

    right column.

    (7) For nonaffiliates to market to you. This provision applies

    to sharing under sections 40.7 and 40.10(a) of this part. Financial

    institutions that do not share for this reason must answer "No" in

    the middle column and "We don't share" in the right column.

    Financial institutions that do share for this reason must answer

    "Yes" in the middle column and "Yes (check your choices, p. 3)"

    corresponding to the availability of an opt-out.

    (8) Additional opt-outs. A financial institution may customize

    the model form to offer opt-outs beyond those required under Federal

    law, so long as the additional information falls within the space

    constraints of the model form. If the institution chooses to offer

    its customers an opt-out for its own marketing or for joint

    marketing, for example, it can provide for that option by stating:

    "Yes (Check your choices, p.3)" as to the availability of the

    opt-out.

    3. Page Two

    (a) General instructions for the Definitions. The financial

    institution must customize the space below the last three

    definitions in this section (affiliates, nonaffiliates, and joint

    marketing). This specific information must be in italicized

    lettering to set off the information from the standardized

    definitions.

    (b) Affiliates. As required by section 40.6(a)(3) of this part,

    the financial institution must identify the categories of its

    affiliates or state "[name of financial institution] has no

    affiliates" in italicized lettering where [affiliate information]

    appears. A financial institution that shares with affiliates must

    use, as applicable, the following format: "Our affiliates include

    companies with a [name of financial institution] name; financial

    companies such as [list companies]; and nonfinancial companies, such

    as [list companies]."

    (c) Nonaffiliates. If the financial institution shares with

    nonaffiliated third parties outside the exceptions in sections 40.14

    and 40.15 of this part, the institution must identify the types of

    nonaffiliated third parties with which it shares or state "[name of

    financial institution] does not share with nonaffiliates so they can

    market to you." in italicized lettering where [nonaffiliate

    information] appears. A financial institution that shares with

    nonaffiliated third parties as described here must use, as

    applicable, the following format: "Nonaffiliates we share with can

    include [list categories of companies such as mortgage companies,

    insurance companies, direct marketing companies, and nonprofit

    organizations]."

    (d) Joint Marketing. As required by section 40.13 of this part,

    the financial institution must identify the types of financial

    institutions with which it engages in joint marketing or state

    "[name of financial institution] doesn't jointly market." in

    italicized lettering where [joint marketing] appears. A financial

    institution that shares with joint marketing partners must use, as

    applicable, the following format: "Our joint marketing partners

    include [list categories of companies such as credit card

    companies]."

    4. Page Three

    Opt-out form. Financial institutions must use page three only if

    they: (1) share or use information in a manner that triggers an

    opt-out; or (2) choose to provide an opt-out (as disclosed in the table

    on page 1) in addition to what is required by law. The model opt-out

    form must be provided on a separate page of the model form.

    [[Page 14965]]

    (a) Contact us. The section describes three common methods by

    which a consumer exercises an opt-out--by telephone, on the Web, and

    by mail. Financial institutions may customize this section to

    provide for the particular opt-out methods and options the

    institution provides. For example, if an institution offers opting

    out by telephone and the Web but not by mail, it would provide only

    telephone and Web information as shown in the model form in the

    "Contact Us" box. Only institutions that allow more than 30 days

    after providing the notice before sharing information may change the

    number of days in the lower right hand section of the box.

    (b) Check your choices. Institutions must display the applicable

    opt-out options in the "Check your choices" box shown on this

    page. If an institution chooses not to offer an opt-out by mail, it

    must delete the boxes for name, address, account number, and mailing

    directions in the lower right-hand corner of the model form.

    Financial institutions that only offer one or two of the opt-out

    options listed on the model form must list only those options from

    the model form that apply to their practices and correspond

    accurately to the disclosures on page one. Thus, if an institution

    does not share in a manner that requires an opt-out for sharing with

    nonaffiliates, it must not include that opt-out option on page three

    of the model form. Institutions requiring information from consumers

    on the opt-out form other than an account number should modify that

    designation in the "Check your choices" box. Institutions that

    require customers with multiple accounts to identify each account to

    which the opt-out should apply should modify that portion of the

    model form.

    (c) Section 624 opt-out. If the financial institution's

    affiliates use information for marketing pursuant to section 624 of

    the FCRA, and the institution elects to consolidate that opt-out

    notice in the model form, it must include that disclosure and

    opt-out election as shown in the model form. Institutions that elect to

    limit the time for the affiliate marketing opt-out, consistent with

    the requirements of section 624, must adhere to the requirements of

    that section and the Agencies' implementing rule with respect to any

    subsequent notice and opt-out. Institutions that elect to limit the

    opt-out period must include a statement in italics, as shown on the

    model form, that states the period of time for which the opt-out

    applies.

    (d) Additional opt-outs. A financial institution that uses the

    disclosure table to indicate any opt-out choices available to

    consumers beyond those required by Federal law must include those

    opt-outs on page three of the model form. For example, if the

    financial institution discloses in the table that it offers an

    opt-out for joint marketing, the institution must revise the opt-out

    form on page three to reflect the availability of an opt-out, such

    as by adding a check-off box with the words "Do not share my

    personal information with other financial institutions to jointly

    market to me." Likewise, if a financial institution chooses to

    offer its customers an opt-out for its marketing, it can provide for

    that option in the disclosure table and on the opt-out form by

    adding a check-off box with the words "Do not share [or use] my

    personal information to market to me."

    7. Amend newly redesignated Appendix B by adding a new sentence

    immediately after the heading:

    Appendix B to Part 40--Sample Clauses

    This Appendix only applies to privacy notices provided until the

    date that is on or before one year following the date of final

    publication of this rule. * * *

    * * * * *

    Federal Reserve System

    12 CFR Chapter II

    Authority and Issuance

    For the reasons set forth in the joint preamble, the Board proposes

    to amend part 216 of chapter II of title 12 of the Code of Federal

    Regulations as follows:

    PART 216--PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)

    1. The authority citation for part 216 continues to read as

    follows:

    Authority: 15 U.S.C. 6801 et seq.

    2. Revise Sec. 216.2 to read as follows:

    Sec. 216.2 Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 216.6 and 216.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    3. In Sec. 216.6, revise paragraph (f) and add paragraph (g) to

    read as follows:

    Sec. 216.6 Information to be included in privacy notices.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 216.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to

    the extent applicable, constitutes compliance with this part.

    4. In Sec. 216.7, add paragraph (i) to read as follows:

    Sec. 216.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 216.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    5. Redesignate Appendix A as Appendix B.

    6. Add new Appendix A to read as follows:

    Appendix A to Part 216--Model Privacy Form

    A. The Model Privacy Form

    [[Page 14966]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.009

    [[Page 14967]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.010

    [[Page 14968]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.011

    B. General Instructions

    1. How the Model Privacy Form Is Used

    The model form may be used, at the option of a financial

    institution, including a group of financial holding company

    affiliates that use a common privacy notice, to meet the content

    requirements of the privacy notice and opt-out notice set forth in

    sections 216.6 and 216.7 of this part.

    (Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.)

    2. The Contents of the Model Privacy Form

    The model form consists of two or three pages, depending on

    whether a financial institution shares in a manner that requires it

    to provide a third page with opt-out information.

    (a) Page One. The first page consists of the following

    components:

    (1) The title.

    (2) The key frame (Why?, What?, How?).

    (3) The disclosure table ("Reasons we can share your personal

    information").

    (4) Contact information.

    (b) Page Two. The second page consists of the following

    components:

    (1) The title.

    (2) The Frequently Asked Questions on sharing practices.

    (3) The definitions.

    (c) Page Three. The third page consists of a financial

    institution's opt-out form.

    3. The Format of the Model Privacy Form

    The model form is a standardized form, including page layout,

    page content, format, style, pagination, and shading. No other

    information may be included in the model form, and the model form

    may be modified only as described below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. Easily

    readable type font includes a minimum of 10-point font and

    sufficient spacing between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on one side of an 8.5 by 11 inch paper in portrait

    orientation.

    (d) Color. The model form may be printed on white or light color

    paper (such as cream) with black or suitable contrasting color ink.

    Spot color may be used to achieve visual interest, so long as the

    color contrast is distinctive and the color does not detract from

    the readability of the model form.

    [[Page 14969]]

    C. Information Required in the Model Privacy Form

    The model form is a standardized form, and institutions seeking

    to obtain the safe harbor through use of the model form may modify

    the form only as described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Include the name of the financial institution or group of

    affiliated institutions providing the notice on the form wherever

    [name of financial institution] appears. Contact information, such

    as the institution's toll-free telephone number, Web address, or

    mailing address, or other contact information, should be inserted as

    appropriate, wherever [toll-free telephone] or [web address] or

    [mailing address] appear.

    2. Page One

    (a) General instructions for the disclosure table. There are

    reasons for sharing or using personal information listed in the left

    column of the disclosure table. Each of these reasons correlates to

    certain legal provisions described below. In the middle column, each

    institution must provide a "Yes" or "No" response in each box

    that accurately reflects its information sharing policies and

    practices with respect to the reason listed on the left. Each

    institution also must complete each box in the right column as to

    whether a consumer can limit such sharing. If an institution answers

    "No" to sharing for a particular reason in the middle column, it

    must answer "We don't share" in the corresponding right column. If

    an institution answers "Yes" to sharing for a particular reason in

    the middle column, it must, in the right column, answer either

    "No" if it does not offer an opt-out or "Yes (Check your choices,

    p. 3)" if it does offer an opt-out. Except for the sixth row ("For

    our affiliates to market to you"), an institution must list all

    reasons for sharing, and complete the middle and right columns of

    the disclosure table.

    (b) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. Because all financial

    institutions share information for everyday business purposes, as

    contemplated by sections 216.14 and 216.15 of this part, the

    financial institution must answer "Yes" to the sharing of such

    information and "No" to the availability of an opt-out.

    (2) For our marketing purposes. The financial institution must

    answer "Yes" or "No" in the middle column. An institution that

    does not share for this reason must answer "We don't share" in the

    right column. An institution that shares for this reason may or may

    not elect to provide an opt-out and must provide the corresponding

    answer in the right column as described in paragraph C.2.(a) of this

    Instruction. This provision includes service providers contemplated

    by section 216.13 of this part.

    (3) For joint marketing with other financial companies. As

    contemplated by section 216.13 of this part, the financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that shares for

    this reason may or may not elect to provide an opt-out and must

    provide the corresponding answer in the right column as described in

    paragraph C.2.(a) of this Instruction.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This provision applies to

    sharing of certain information with an institution's affiliates, as

    contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The

    financial institution must answer "Yes" or "No" in the middle

    column. An institution that does not share for this reason must

    answer "We don't share" in the right column. An institution that

    does not have any affiliates will also use this answer. Institutions

    that share for this reason may or may not elect to provide an

    opt-out and must provide the corresponding answer in the right column as

    described in paragraph C.2.(a) of this Instruction.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This provision applies to the sharing of

    certain information with an institution's affiliates, as

    contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that does not have

    any affiliates will also use this answer. Institutions that share

    for this reason must provide an opt-out and must provide the

    appropriate answer in the right column as described in paragraph

    C.2.(a) of this Instruction.

    (6) For our affiliates to market to you. This provision applies

    to information shared among affiliates that is used by those

    affiliates for marketing, as contemplated by section 624 of the

    FCRA. Following the effective date of the rules implementing section

    624, institutions that elect to incorporate this provision into the

    model form to satisfy their obligations under this part must include

    this reason for sharing as set forth in the model form in order to

    obtain the benefit of the safe harbor. Institutions whose affiliates

    receive such information and use it for marketing must answer

    "Yes" in the middle column, and "Yes (Check your choices, p. 3)"

    in the right column corresponding to the availability of an opt-out.

    Institutions whose affiliates receive such information and do not

    use it for marketing may elect to include this provision in the

    model form and answer "No" in the middle column and "We don't

    share" in the right column; however, institutions whose affiliates

    receive such information and do not use it for marketing are not

    required to use this provision. Institutions that do not have

    affiliates and elect to include this provision in their notice will

    answer "No" in the middle column and "We don't share" in the

    right column.

    (7) For nonaffiliates to market to you. This provision applies

    to sharing under sections 216.7 and 216.10(a) of this part.

    Financial institutions that do not share for this reason must answer

    "No" in the middle column and "We don't share" in the right

    column. Financial institutions that do share for this reason must

    answer "Yes" in the middle column and "Yes (check your choices,

    p. 3)" corresponding to the availability of an opt-out.

    (8) Additional opt-outs. A financial institution may customize

    the model form to offer opt-outs beyond those required under Federal

    law, so long as the additional information falls within the space

    constraints of the model form. If the institution chooses to offer

    its customers an opt-out for its own marketing or for joint

    marketing, for example, it can provide for that option by stating:

    "Yes (Check your choices, p. 3)" as to the availability of the

    opt-out.

    3. Page Two

    (a) General instructions for the Definitions.

    The financial institution must customize the space below the

    last three definitions in this section (affiliates, nonaffiliates,

    and joint marketing). This specific information must be in

    italicized lettering to set off the information from the

    standardized definitions.

    (b) Affiliates. As required by section 216.6(a)(3) of this part,

    the financial institution must identify the categories of its

    affiliates or state "[name of financial institution] has no

    affiliates" in italicized lettering where [affiliate information]

    appears. A financial institution that shares with affiliates must

    use, as applicable, the following format: "Our affiliates include

    companies with a [name of financial institution] name; financial

    companies such as [list companies]; and nonfinancial companies, such

    as [list companies]."

    (c) Nonaffiliates. If the financial institution shares with

    nonaffiliated third parties outside the exceptions in sections

    216.14 and 216.15 of this part, the institution must identify the

    types of nonaffiliated third parties with which it shares or state

    "[name of financial institution] does not share with nonaffiliates

    so they can market to you." in italicized lettering where

    [nonaffiliate information] appears. A financial institution that

    shares with nonaffiliated third parties as described here must use,

    as applicable, the following format: "Nonaffiliates we share with

    can include [list categories of companies such as mortgage

    companies, insurance companies, direct marketing companies, and

    nonprofit organizations]."

    (d) Joint Marketing. As required by section 216.13 of this part,

    the financial institution must identify the types of financial

    institutions with which it engages in joint marketing or state

    "[name of financial institution] doesn't jointly market." in

    italicized lettering where [joint marketing] appears. A financial

    institution that shares with joint marketing partners must use, as

    applicable, the following format: "Our joint marketing partners

    include [list categories of companies such as credit card

    companies]."

    4. Page Three

    Opt-out form. Financial institutions must use page three only if

    they: (1) share or use information in a manner that triggers an

    opt-out; or (2) choose to provide an opt-out (as disclosed in the table

    on page 1) in addition to what is required by law. The model opt-out

    form must be provided on a separate page of the model form.

    [[Page 14970]]

    (a) Contact us. The section describes three common methods by

    which a consumer exercises an opt-out--by telephone, on the Web, and

    by mail. Financial institutions may customize this section to

    provide for the particular opt-out methods and options the

    institution provides. For example, if an institution offers opting

    out by telephone and the Web but not by mail, it would provide only

    telephone and Web information as shown in the model form in the

    "Contact Us" box. Only institutions that allow more than 30 days

    after providing the notice before sharing information may change the

    number of days in the lower right hand section of the box.

    (b) Check your choices. Institutions must display the applicable

    opt-out options in the "Check your choices" box shown on this

    page. If an institution chooses not to offer an opt-out by mail, it

    must delete the boxes for name, address, account number, and mailing

    directions in the lower right-hand corner of the model form.

    Financial institutions that only offer one or two of the opt-out

    options listed on the model form must list only those options from

    the model form that apply to their practices and correspond

    accurately to the disclosures on page one. Thus, if an institution

    does not share in a manner that requires an opt-out for sharing with

    nonaffiliates, it must not include that opt-out option on page three

    of the model form. Institutions requiring information from consumers

    on the opt-out form other than an account number should modify that

    designation in the "Check your choices" box. Institutions that

    require customers with multiple accounts to identify each account to

    which the opt-out should apply should modify that portion of the

    model form.

    (c) Section 624 opt-out. If the financial institution's

    affiliates use information for marketing pursuant to section 624 of

    the FCRA, and the institution elects to consolidate that opt-out

    notice in the model form, it must include that disclosure and

    opt-out election as shown in the model form. Institutions that elect to

    limit the time for the affiliate marketing opt-out, consistent with

    the requirements of section 624, must adhere to the requirements of

    that section and the Agencies' implementing rule with respect to any

    subsequent notice and opt-out. Institutions that elect to limit the

    opt-out period must include a statement in italics, as shown on the

    model form, that states the period of time for which the opt-out

    applies.

    (d) Additional opt-outs. A financial institution that uses the

    disclosure table to indicate any opt-out choices available to

    consumers beyond those required by Federal law must include those

    opt-outs on page three of the model form. For example, if the

    financial institution discloses in the table that it offers an

    opt-out for joint marketing, the institution must revise the opt-out

    form on page three to reflect the availability of an opt-out, such

    as by adding a check-off box with the words "Do not share my

    personal information with other financial institutions to jointly

    market to me." Likewise, if a financial institution chooses to

    offer its customers an opt-out for its marketing, it can provide for

    that option in the disclosure table and on the opt-out form by

    adding a check-off box with the words "Do not share [or use] my

    personal information to market to me."

    7. Amend newly redesignated Appendix B by adding a new sentence

    immediately after the heading:

    Appendix B to Part 216--Sample Clauses

    This Appendix only applies to privacy notices provided until the

    date that is on or before one year following the date of final

    publication of this rule. * * *

    * * * * *

    Federal Deposit Insurance Corporation

    12 CFR Chapter III

    Authority and Issuance

    For the reasons set forth in the joint preamble, the Federal

    Deposit Insurance Corporation proposes to amend part 332 of chapter III

    of title 12 of the Code of Federal Regulations as follows:

    PART 332--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    1. The authority citation for part 332 continues to read as

    follows:

    Authority: 12 U.S.C. 1819 (Seventh and Tenth); 15 U.S.C. 6801 et

    seq.

    2. Revise Sec. 332.2 to read as follows:

    Sec. 332.2 Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 332.6 and 332.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    3. In Sec. 332.6, revise paragraph (f) and add paragraph (g) to

    read as follows:

    Sec. 332.6 Information to be included in privacy notices.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 332.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to

    the extent applicable, constitutes compliance with this part.

    4. In Sec. 332.7 add paragraph (i) to read as follows:

    Sec. 332.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 332.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    5. Redesignate Appendix A as Appendix B.

    6. Add new Appendix A to read as follows:

    Appendix A to Part 332--Model Privacy Form

    A. The Model Privacy Form

    [[Page 14971]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.012

    [[Page 14972]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.013

    [[Page 14973]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.014

    B. General Instructions

    1. How the Model Privacy Form Is Used

    The model form may be used, at the option of a financial

    institution, including a group of financial holding company

    affiliates that use a common privacy notice, to meet the content

    requirements of the privacy notice and opt-out notice set forth in

    sections 332.6 and 332.7 of this part.

    (Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.)

    2. The Contents of the Model Privacy Form

    The model form consists of two or three pages, depending on

    whether a financial institution shares in a manner that requires it

    to provide a third page with opt-out information.

    (a) Page One. The first page consists of the following

    components:

    (1) The title.

    (2) The key frame (Why?, What?, How?).

    (3) The disclosure table ("Reasons we can share your personal

    information").

    (4) Contact information.

    (b) Page Two. The second page consists of the following

    components:

    (1) The title.

    (2) The Frequently Asked Questions on sharing practices.

    (3) The definitions.

    (c) Page Three. The third page consists of a financial

    institution's opt-out form.

    3. The Format of the Model Privacy Form

    The model form is a standardized form, including page layout,

    page content, format, style, pagination, and shading. No other

    information may be included in the model form, and the model form

    may be modified only as described below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. Easily

    readable type font includes a minimum of 10-point font and

    sufficient spacing between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on one side of an 8.5 by 11 inch paper in portrait

    orientation.

    (d) Color. The model form may be printed on white or light color

    paper (such as cream) with black or suitable contrasting color ink.

    Spot color may be used to achieve visual interest, so long as the

    color contrast is distinctive and the color does not detract from

    the readability of the model form.

    [[Page 14974]]

    C. Information Required in the Model Privacy Form

    The model form is a standardized form, and institutions seeking

    to obtain the safe harbor through use of the model form may modify

    the form only as described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Include the name of the financial institution or group of

    affiliated institutions providing the notice on the form wherever

    [name of financial institution] appears. Contact information, such

    as the institution's toll-free telephone number, Web address, or

    mailing address, or other contact information, should be inserted as

    appropriate, wherever [toll-free telephone] or [web address] or

    [mailing address] appear.

    2. Page One

    (a) General instructions for the disclosure table. There are

    reasons for sharing or using personal information listed in the left

    column of the disclosure table. Each of these reasons correlates to

    certain legal provisions described below. In the middle column, each

    institution must provide a "Yes" or "No" response in each box

    that accurately reflects its information sharing policies and

    practices with respect to the reason listed on the left. Each

    institution also must complete each box in the right column as to

    whether a consumer can limit such sharing. If an institution answers

    "No" to sharing for a particular reason in the middle column, it

    must answer "We don't share" in the corresponding right column. If

    an institution answers "Yes" to sharing for a particular reason in

    the middle column, it must, in the right column, answer either

    "No" if it does not offer an opt-out or "Yes (Check your choices,

    p. 3)" if it does offer an opt-out. Except for the sixth row ("For

    our affiliates to market to you"), an institution must list all

    reasons for sharing, and complete the middle and right columns of

    the disclosure table.

    (b) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. Because all financial

    institutions share information for everyday business purposes, as

    contemplated by sections 332.14 and 332.15 of this part, the

    financial institution must answer "Yes" to the sharing of such

    information and "No" to the availability of an opt-out.

    (2) For our marketing purposes. The financial institution must

    answer "Yes" or "No" in the middle column. An institution that

    does not share for this reason must answer "We don't share" in the

    right column. An institution that shares for this reason may or may

    not elect to provide an opt-out and must provide the corresponding

    answer in the right column as described in paragraph C.2.(a) of this

    Instruction. This provision includes service providers contemplated

    by section 332.13 of this part.

    (3) For joint marketing with other financial companies. As

    contemplated by section 332.13 of this part, the financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that shares for

    this reason may or may not elect to provide an opt-out and must

    provide the corresponding answer in the right column as described in

    paragraph C.2.(a) of this Instruction.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This provision applies to

    sharing of certain information with an institution's affiliates, as

    contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The

    financial institution must answer "Yes" or "No" in the middle

    column. An institution that does not share for this reason must

    answer "We don't share" in the right column. An institution that

    does not have any affiliates will also use this answer. Institutions

    that share for this reason may or may not elect to provide an

    opt-out and must provide the corresponding answer in the right column as

    described in paragraph C.2.(a) of this Instruction.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This provision applies to the sharing of

    certain information with an institution's affiliates, as

    contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that does not have

    any affiliates will also use this answer. Institutions that share

    for this reason must provide an opt-out and must provide the

    appropriate answer in the right column as described in paragraph

    C.2.(a) of this Instruction.

    (6) For our affiliates to market to you. This provision applies

    to information shared among affiliates that is used by those

    affiliates for marketing, as contemplated by section 624 of the

    FCRA. Following the effective date of the rules implementing section

    624, institutions that elect to incorporate this provision into the

    model form to satisfy their obligations under this part must include

    this reason for sharing as set forth in the model form in order to

    obtain the benefit of the safe harbor. Institutions whose affiliates

    receive such information and use it for marketing must answer

    "Yes" in the middle column, and "Yes (Check your choices, p. 3)"

    in the right column corresponding to the availability of an opt-out.

    Institutions whose affiliates receive such information and do not

    use it for marketing may elect to include this provision in the

    model form and answer "No" in the middle column and "We don't

    share" in the right column; however, institutions whose affiliates

    receive such information and do not use it for marketing are not

    required to use this provision. Institutions that do not have

    affiliates and elect to include this provision in their notice will

    answer "No" in the middle column and "We don't share" in the

    right column.

    (7) For nonaffiliates to market to you. This provision applies

    to sharing under sections 332.7 and 332.10(a) of this part.

    Financial institutions that do not share for this reason must answer

    "No" in the middle column and "We don't share" in the right

    column. Financial institutions that do share for this reason must

    answer "Yes" in the middle column and "Yes (check your choices,

    p. 3)" corresponding to the availability of an opt-out.

    (8) Additional opt-outs. A financial institution may customize

    the model form to offer opt-outs beyond those required under Federal

    law, so long as the additional information falls within the space

    constraints of the model form. If the institution chooses to offer

    its customers an opt-out for its own marketing or for joint

    marketing, for example, it can provide for that option by stating:

    "Yes (Check your choices, p. 3)" as to the availability of the

    opt-out.

    3. Page Two

    (a) General instructions for the Definitions.

    The financial institution must customize the space below the

    last three definitions in this section (affiliates, nonaffiliates,

    and joint marketing). This specific information must be in

    italicized lettering to set off the information from the

    standardized definitions.

    (b) Affiliates. As required by section 332.6(a)(3) of this part,

    the financial institution must identify the categories of its

    affiliates or state "[name of financial institution] has no

    affiliates" in italicized lettering where [affiliate information]

    appears. A financial institution that shares with affiliates must

    use, as applicable, the following format: "Our affiliates include

    companies with a [name of financial institution] name; financial

    companies such as [list companies]; and nonfinancial companies, such

    as [list companies]."

    (c) Nonaffiliates. If the financial institution shares with

    nonaffiliated third parties outside the exceptions in sections

    332.14 and 332.15 of this part, the institution must identify the

    types of nonaffiliated third parties with which it shares or state

    "[name of financial institution] does not share with nonaffiliates

    so they can market to you." in italicized lettering where

    [nonaffiliate information] appears. A financial institution that

    shares with nonaffiliated third parties as described here must use,

    as applicable, the following format: "Nonaffiliates we share with

    can include [list categories of companies such as mortgage

    companies, insurance companies, direct marketing companies, and

    nonprofit organizations]."

    (d) Joint Marketing. As required by section 332.13 of this part,

    the financial institution must identify the types of financial

    institutions with which it engages in joint marketing or state

    "[name of financial institution] doesn't jointly market." in

    italicized lettering where [joint marketing] appears. A financial

    institution that shares with joint marketing partners must use, as

    applicable, the following format: "Our joint marketing partners

    include [list categories of companies such as credit card

    companies]."

    4. Page Three

    Opt-out form. Financial institutions must use page three only if

    they: (1) share or use information in a manner that triggers an

    opt-out; or (2) choose to provide an opt-out (as disclosed in the table

    on page 1) in addition to what is required by law. The model opt-out

    form must be provided on a separate page of the model form.

    [[Page 14975]]

    (a) Contact us. The section describes three common methods by

    which a consumer exercises an opt-out--by telephone, on the Web, and

    by mail. Financial institutions may customize this section to

    provide for the particular opt-out methods and options the

    institution provides. For example, if an institution offers opting

    out by telephone and the Web but not by mail, it would provide only

    telephone and Web information as shown in the model form in the

    "Contact Us" box. Only institutions that allow more than 30 days

    after providing the notice before sharing information may change the

    number of days in the lower right hand section of the box.

    (b) Check your choices. Institutions must display the applicable

    opt-out options in the "Check your choices" box shown on this

    page. If an institution chooses not to offer an opt-out by mail, it

    must delete the boxes for name, address, account number, and mailing

    directions in the lower right-hand corner of the model form.

    Financial institutions that only offer one or two of the opt-out

    options listed on the model form must list only those options from

    the model form that apply to their practices and correspond

    accurately to the disclosures on page one. Thus, if an institution

    does not share in a manner that requires an opt-out for sharing with

    nonaffiliates, it must not include that opt-out option on page three

    of the model form. Institutions requiring information from consumers

    on the opt-out form other than an account number should modify that

    designation in the "Check your choices" box. Institutions that

    require customers with multiple accounts to identify each account to

    which the opt-out should apply should modify that portion of the

    model form.

    (c) Section 624 opt-out. If the financial institution's

    affiliates use information for marketing pursuant to section 624 of

    the FCRA, and the institution elects to consolidate that opt-out

    notice in the model form, it must include that disclosure and

    opt-out election as shown in the model form. Institutions that elect to

    limit the time for the affiliate marketing opt-out, consistent with

    the requirements of section 624, must adhere to the requirements of

    that section and the Agencies' implementing rule with respect to any

    subsequent notice and opt-out. Institutions that elect to limit the

    opt-out period must include a statement in italics, as shown on the

    model form, that states the period of time for which the opt-out

    applies.

    (d) Additional opt-outs. A financial institution that uses the

    disclosure table to indicate any opt-out choices available to

    consumers beyond those required by Federal law must include those

    opt-outs on page three of the model form. For example, if the

    financial institution discloses in the table that it offers an

    opt-out for joint marketing, the institution must revise the opt-out

    form on page three to reflect the availability of an opt-out, such

    as by adding a check-off box with the words "Do not share my

    personal information with other financial institutions to jointly

    market to me." Likewise, if a financial institution chooses to

    offer its customers an opt-out for its marketing, it can provide for

    that option in the disclosure table and on the opt-out form by

    adding a check-off box with the words "Do not share [or use] my

    personal information to market to me."

    7. Amend newly redesignated Appendix B by adding a new sentence

    immediately after the heading:

    Appendix B to Part 332--Sample Clauses

    This Appendix only applies to privacy notices provided until the

    date that is on or before one year following the date of final

    publication of this rule. * * *

    * * * * *

    Office of Thrift Supervision

    12 CFR Chapter V

    Authority and Issuance

    For the reasons set forth in the joint preamble, the Office of

    Thrift Supervision proposes to amend part 573 of Chapter V of title 12

    of the Code of Federal Regulations as follows:

    PART 573--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    1. The authority citation for part 573 continues to read as

    follows:

    Authority: 12 U.S.C. 1462a; 1463, 1464, 1828; 15 U.S.C. 6801 et

    seq.

    2. Revise Sec. 573.2 to read as follows:

    Sec. 573.2 Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 573.6 and 573.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    3. In Sec. 573.6, revise paragraph (f) and add paragraph (g) to

    read as follows:

    Sec. 573.6 Information to be included in privacy notices.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 573.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to

    the extent applicable, constitutes compliance with this part.

    4. In Sec. 573.7, add paragraph (i) to read as follows:

    Sec. 573.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 573.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    5. Redesignate Appendix A as Appendix B.

    6. Add new Appendix A to read as follows:

    Appendix A to Part 573--Model Privacy Form

    A. The Model Privacy Form

    [[Page 14976]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.015

    [[Page 14977]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.016

    [[Page 14978]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.017

    B. General Instructions

    1. How the Model Privacy Form Is Used

    The model form may be used, at the option of a financial

    institution, including a group of financial holding company

    affiliates that use a common privacy notice, to meet the content

    requirements of the privacy notice and opt-out notice set forth in

    sections 573.6 and 573.7 of this part.

    (Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.)

    2. The Contents of the Model Privacy Form

    The model form consists of two or three pages, depending on

    whether a financial institution shares in a manner that requires it

    to provide a third page with opt-out information.

    (a) Page One. The first page consists of the following

    components:

    (1) The title.

    (2) The key frame (Why?, What?, How?).

    (3) The disclosure table ("Reasons we can share your personal

    information").

    (4) Contact information.

    (b) Page Two. The second page consists of the following

    components:

    (1) The title.

    (2) The Frequently Asked Questions on sharing practices.

    (3) The definitions.

    (c) Page Three. The third page consists of a financial

    institution's opt-out form.

    3. The Format of the Model Privacy Form

    The model form is a standardized form, including page layout,

    page content, format, style, pagination, and shading. No other

    information may be included in the model form, and the model form

    may be modified only as described below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. Easily

    readable type font includes a minimum of 10-point font and

    sufficient spacing between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on one side of an 8.5 by 11 inch paper in portrait

    orientation.

    (d) Color. The model form may be printed on white or light color

    paper (such as cream) with black or suitable contrasting color ink.

    Spot color may be used to achieve visual interest, so long as the

    color contrast is distinctive and the color does not detract from

    the readability of the model form.

    [[Page 14979]]

    C. Information Required in the Model Privacy Form

    The model form is a standardized form, and institutions seeking

    to obtain the safe harbor through use of the model form may modify

    the form only as described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Include the name of the financial institution or group of

    affiliated institutions providing the notice on the form wherever

    [name of financial institution] appears. Contact information, such

    as the institution's toll-free telephone number, Web address, or

    mailing address, or other contact information, should be inserted as

    appropriate, wherever [toll-free telephone] or [web address] or

    [mailing address] appear.

    2. Page One

    (a) General instructions for the disclosure table. There are

    reasons for sharing or using personal information listed in the left

    column of the disclosure table. Each of these reasons correlates to

    certain legal provisions described below. In the middle column, each

    institution must provide a "Yes" or "No" response in each box

    that accurately reflects its information sharing policies and

    practices with respect to the reason listed on the left. Each

    institution also must complete each box in the right column as to

    whether a consumer can limit such sharing. If an institution answers

    "No" to sharing for a particular reason in the middle column, it

    must answer "We don't share" in the corresponding right column. If

    an institution answers "Yes" to sharing for a particular reason in

    the middle column, it must, in the right column, answer either

    "No" if it does not offer an opt-out or "Yes (Check your choices,

    p. 3)" if it does offer an opt-out. Except for the sixth row ("For

    our affiliates to market to you"), an institution must list all

    reasons for sharing, and complete the middle and right columns of

    the disclosure table.

    (b) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. Because all financial

    institutions share information for everyday business purposes, as

    contemplated by sections 573.14 and 573.15 of this part, the

    financial institution must answer "Yes" to the sharing of such

    information and "No" to the availability of an opt-out.

    (2) For our marketing purposes. The financial institution must

    answer "Yes" or "No" in the middle column. An institution that

    does not share for this reason must answer "We don't share" in the

    right column. An institution that shares for this reason may or may

    not elect to provide an opt-out and must provide the corresponding

    answer in the right column as described in paragraph C.2.(a) of this

    Instruction. This provision includes service providers contemplated

    by section 573.13 of this part.

    (3) For joint marketing with other financial companies. As

    contemplated by section 573.13 of this part, the financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that shares for

    this reason may or may not elect to provide an opt-out and must

    provide the corresponding answer in the right column as described in

    paragraph C.2.(a) of this Instruction.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This provision applies to

    sharing of certain information with an institution's affiliates, as

    contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The

    financial institution must answer "Yes" or "No" in the middle

    column. An institution that does not share for this reason must

    answer "We don't share" in the right column. An institution that

    does not have any affiliates will also use this answer. Institutions

    that share for this reason may or may not elect to provide an opt-

    out and must provide the corresponding answer in the right column as

    described in paragraph C.2.(a) of this Instruction.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This provision applies to the sharing of

    certain information with an institution's affiliates, as

    contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that does not have

    any affiliates will also use this answer. Institutions that share

    for this reason must provide an opt-out and must provide the

    appropriate answer in the right column as described in paragraph

    C.2.(a) of this Instruction.

    (6) For our affiliates to market to you. This provision applies

    to information shared among affiliates that is used by those

    affiliates for marketing, as contemplated by section 624 of the

    FCRA. Following the effective date of the rules implementing section

    624, institutions that elect to incorporate this provision into the

    model form to satisfy their obligations under this part must include

    this reason for sharing as set forth in the model form in order to

    obtain the benefit of the safe harbor. Institutions whose affiliates

    receive such information and use it for marketing must answer

    "Yes" in the middle column, and "Yes (Check your choices, p. 3)"

    in the right column corresponding to the availability of an opt-out.

    Institutions whose affiliates receive such information and do not

    use it for marketing may elect to include this provision in the

    model form and answer "No" in the middle column and "We don't

    share" in the right column; however, institutions whose affiliates

    receive such information and do not use it for marketing are not

    required to use this provision. Institutions that do not have

    affiliates and elect to include this provision in their notice will

    answer "No" in the middle column and "We don't share" in the

    right column.

    (7) For nonaffiliates to market to you. This provision applies

    to sharing under sections 573.7 and 573.10(a) of this part.

    Financial institutions that do not share for this reason must answer

    "No" in the middle column and "We don't share" in the right

    column. Financial institutions that do share for this reason must

    answer "Yes" in the middle column and "Yes (check your choices,

    p. 3)" corresponding to the availability of an opt-out.

    (8) Additional opt-outs. A financial institution may customize

    the model form to offer opt-outs beyond those required under Federal

    law, so long as the additional information falls within the space

    constraints of the model form. If the institution chooses to offer

    its customers an opt-out for its own marketing or for joint

    marketing, for example, it can provide for that option by stating:

    "Yes (Check your choices, p. 3)" as to the availability of the

    opt-out.

    3. Page Two

    (a) General instructions for the Definitions.

    The financial institution must customize the space below the

    last three definitions in this section (affiliates, nonaffiliates,

    and joint marketing). This specific information must be in

    italicized lettering to set off the information from the

    standardized definitions.

    (b) Affiliates. As required by section 573.6(a)(3) of this part,

    the financial institution must identify the categories of its

    affiliates or state "[name of financial institution] has no

    affiliates" in italicized lettering where [affiliate information]

    appears. A financial institution that shares with affiliates must

    use, as applicable, the following format: "Our affiliates include

    companies with a [name of financial institution] name; financial

    companies such as [list companies]; and nonfinancial companies, such

    as [list companies]."

    (c) Nonaffiliates. If the financial institution shares with

    nonaffiliated third parties outside the exceptions in sections

    573.14 and 573.15 of this part, the institution must identify the

    types of nonaffiliated third parties with which it shares or state

    "[name of financial institution] does not share with nonaffiliates

    so they can market to you." in italicized lettering where

    [nonaffiliate information] appears. A financial institution that

    shares with nonaffiliated third parties as described here must use,

    as applicable, the following format: "Nonaffiliates we share with

    can include [list categories of companies such as mortgage

    companies, insurance companies, direct marketing companies, and

    nonprofit organizations]."

    (d) Joint Marketing. As required by section 573.13 of this part,

    the financial institution must identify the types of financial

    institutions with which it engages in joint marketing or state

    "[name of financial institution] doesn't jointly market." in

    italicized lettering where [joint marketing] appears. A financial

    institution that shares with joint marketing partners must use, as

    applicable, the following format: "Our joint marketing partners

    include [list categories of companies such as credit card

    companies]."

    4. Page Three

    Opt-out form. Financial institutions must use page three only if

    they: (1) share or use information in a manner that triggers an opt-

    out; or (2) choose to provide an opt-out (as disclosed in the table

    on page 1) in addition to what is required by law. The model opt-out

    form must be provided on a separate page of the model form.

    [[Page 14980]]

    (a) Contact us. The section describes three common methods by

    which a consumer exercises an opt-out--by telephone, on the Web,

    and by mail. Financial institutions may customize this section to

    provide for the particular opt-out methods and options the

    institution provides. For example, if an institution offers opting

    out by telephone and the Web but not by mail, it would provide only

    telephone and Web information as shown in the model form in the

    "Contact Us" box. Only institutions that allow more than 30 days

    after providing the notice before sharing information may change the

    number of days in the lower right hand section of the box.

    (b) Check your choices. Institutions must display the applicable

    opt-out options in the "Check your choices" box shown on this

    page. If an institution chooses not to offer an opt-out by mail, it

    must delete the boxes for name, address, account number, and mailing

    directions in the lower right-hand corner of the model form.

    Financial institutions that only offer one or two of the opt-out

    options listed on the model form must list only those options from

    the model form that apply to their practices and correspond

    accurately to the disclosures on page one. Thus, if an institution

    does not share in a manner that requires an opt-out for sharing with

    nonaffiliates, it must not include that opt-out option on page three

    of the model form. Institutions requiring information from consumers

    on the opt-out form other than an account number should modify that

    designation in the "Check your choices" box. Institutions that

    require customers with multiple accounts to identify each account to

    which the opt-out should apply should modify that portion of the

    model form.

    (c) Section 624 opt-out. If the financial institution's

    affiliates use information for marketing pursuant to section 624 of

    the FCRA, and the institution elects to consolidate that opt-out

    notice in the model form, it must include that disclosure and opt-

    out election as shown in the model form. Institutions that elect to

    limit the time for the affiliate marketing opt-out, consistent with

    the requirements of section 624, must adhere to the requirements of

    that section and the Agencies' implementing rule with respect to any

    subsequent notice and opt-out. Institutions that elect to limit the

    opt-out period must include a statement in italic, as shown on the

    model form, that states the period of time for which the opt-out

    applies.

    (d) Additional opt-outs. A financial institution that uses the

    disclosure table to indicate any opt-out choices available to

    consumers beyond those required by Federal law must include those

    opt-outs on page three of the model form. For example, if the

    financial institution discloses in the table that it offers an opt-

    out for joint marketing, the institution must revise the opt-out

    form on page three to reflect the availability of an opt-out, such

    as by adding a check-off box with the words "Do not share my

    personal information with other financial institutions to jointly

    market to me." Likewise, if a financial institution chooses to

    offer its customers an opt-out for its marketing, it can provide for

    that option in the disclosure table and on the opt-out form by

    adding a check-off box with the words "Do not share [or use] my

    personal information to market to me."

    7. Amend newly redesignated Appendix B by adding a new sentence

    immediately after the heading:

    Appendix B to Part 573--Sample Clauses

    This Appendix only applies to privacy notices provided until the

    date that is on or before one year following the date of final

    publication of this rule. * * *

    * * * * *

    National Credit Union Administration

    12 CFR Chapter V

    Authority and Issuance

    For the reasons set forth in the joint preamble, the National

    Credit Union Administration proposes to amend part 716 of Chapter V of

    title 12 of the Code of Federal Regulations as follows:

    PART 716--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    1. The authority citation for part 716 continues to read as

    follows:

    Authority: 12 U.S.C. 1751 et seq.; 15 U.S.C. 6801 et seq.

    2. Revise Sec. 716.2 to read as follows:

    Sec. 716.2 Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 716.6 and 716.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    3. In Sec. 716.6, add paragraphs (f) and (g) to read as follows:

    Sec. 716.6 Information to be included in privacy notices.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 716.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to

    the extent applicable, constitutes compliance with this part.

    4. In Sec. 716.7 add paragraph (i) to read as follows:

    Sec. 716.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 716.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    5. Redesignate Appendix A as Appendix B.

    6. Add new Appendix A to read as follows:

    [[Page 14981]]

    Appendix A to Part 716--Model Privacy Form

    A. The Model Privacy Form

    [GRAPHIC] [TIFF OMITTED] TP29MR07.018

    [[Page 14982]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.019

    [[Page 14983]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.020

    B. General Instructions

    1. How the Model Privacy Form Is Used

    The model form may be used, at the option of a financial

    institution, including a group of affiliates that use a common

    privacy notice, to meet the content requirements of the privacy

    notice and opt-out notice set forth in sections 716.6 and 716.7 of

    this part.

    (Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.)

    2. The Contents of the Model Privacy Form

    The model form consists of two or three pages, depending on

    whether a financial institution shares in a manner that requires it

    to provide a third page with opt-out information.

    (a) Page One. The first page consists of the following

    components:

    (1) The title.

    (2) The key frame (Why?, What?, How?).

    (3) The disclosure table ("Reasons we can share your personal

    information").

    (4) Contact information.

    (b) Page Two. The second page consists of the following

    components:

    (1) The title.

    (2) The Frequently Asked Questions on sharing practices.

    (3) The definitions.

    (c) Page Three. The third page consists of a financial

    institution's opt-out form.

    3. The Format of the Model Privacy Form

    The model form is a standardized form, including page layout,

    page content, format, style, pagination, and shading. No other

    information may be included in the model form, and the model form

    may be modified only as described below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. Easily

    readable type font includes a minimum of 10-point font and

    sufficient spacing between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on one side of an 8.5 by 11 inch paper in portrait

    orientation.

    (d) Color. The model form may be printed on white or light color

    paper (such as cream) with black or suitable contrasting color ink.

    Spot color may be used to achieve visual interest, so long as the

    color contrast is distinctive and the color does not detract from

    the readability of the model form.

    [[Page 14984]]

    C. Information Required in the Model Privacy Form

    The model form is a standardized form, and institutions seeking

    to obtain the safe harbor through use of the model form may modify

    the form only as described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Include the name of the financial institution or group of

    affiliated institutions providing the notice on the form wherever

    [name of financial institution] appears. Contact information, such

    as the institution's toll-free telephone number, Web address, or

    mailing address, or other contact information, should be inserted as

    appropriate, wherever [toll-free telephone] or [web address] or

    [mailing address] appear.

    2. Page One

    (a) General instructions for the disclosure table. There are

    reasons for sharing or using personal information listed in the left

    column of the disclosure table. Each of these reasons correlates to

    certain legal provisions described below. In the middle column, each

    institution must provide a "Yes" or "No" response in each box

    that accurately reflects its information sharing policies and

    practices with respect to the reason listed on the left. Each

    institution also must complete each box in the right column as to

    whether a consumer can limit such sharing. If an institution answers

    "No" to sharing for a particular reason in the middle column, it

    must answer "We don't share" in the corresponding right column. If

    an institution answers "Yes" to sharing for a particular reason in

    the middle column, it must, in the right column, answer either

    "No" if it does not offer an opt-out or "Yes (Check your choices,

    p. 3)" if it does offer an opt-out. Except for the sixth row ("For

    our affiliates to market to you"), an institution must list all

    reasons for sharing, and complete the middle and right columns of

    the disclosure table.

    (b) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. Because all financial

    institutions share information for everyday business purposes, as

    contemplated by sections 716.14 and 716.15 of this part, the

    financial institution must answer "Yes" to the sharing of such

    information and "No" to the availability of an opt-out.

    (2) For our marketing purposes. The financial institution must

    answer "Yes" or "No" in the middle column. An institution that

    does not share for this reason must answer "We don't share" in the

    right column. An institution that shares for this reason may or may

    not elect to provide an opt-out and must provide the corresponding

    answer in the right column as described in paragraph C.2.(a) of this

    Instruction. This provision includes service providers contemplated

    by section 716.13 of this part.

    (3) For joint marketing with other financial companies. As

    contemplated by section 716.13 of this part, the financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that shares for

    this reason may or may not elect to provide an opt-out and must

    provide the corresponding answer in the right column as described in

    paragraph C.2.(a) of this Instruction.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This provision applies to

    sharing of certain information with an institution's affiliates, as

    contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The

    financial institution must answer "Yes" or "No" in the middle

    column. An institution that does not share for this reason must

    answer "We don't share" in the right column. An institution that

    does not have any affiliates will also use this answer. Institutions

    that share for this reason may or may not elect to provide an opt-

    out and must provide the corresponding answer in the right column as

    described in paragraph C.2.(a) of this Instruction.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This provision applies to the sharing of

    certain information with an institution's affiliates, as

    contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that does not have

    any affiliates will also use this answer. Institutions that share

    for this reason must provide an opt-out and must provide the

    appropriate answer in the right column as described in paragraph

    C.2.(a) of this Instruction.

    (6) For our affiliates to market to you. This provision applies

    to information shared among affiliates that is used by those

    affiliates for marketing, as contemplated by section 624 of the

    FCRA. Following the effective date of the rules implementing section

    624, institutions that elect to incorporate this provision into the

    model form to satisfy their obligations under this part must include

    this reason for sharing as set forth in the model form in order to

    obtain the benefit of the safe harbor. Institutions whose affiliates

    receive such information and use it for marketing must answer

    "Yes" in the middle column, and "Yes (Check your choices, p. 3)"

    in the right column corresponding to the availability of an opt-out.

    Institutions whose affiliates receive such information and do not

    use it for marketing may elect to include this provision in the

    model form and answer "No" in the middle column and "We don't

    share" in the right column; however, institutions whose affiliates

    receive such information and do not use it for marketing are not

    required to use this provision. Institutions that do not have

    affiliates and elect to include this provision in their notice will

    answer "No" in the middle column and "We don't share" in the

    right column.

    (7) For nonaffiliates to market to you. This provision applies

    to sharing under sections 716.7 and 716.10(a) of this part.

    Financial institutions that do not share for this reason must answer

    "No" in the middle column and "We don't share" in the right

    column. Financial institutions that do share for this reason must

    answer "Yes" in the middle column and "Yes (check your choices,

    p. 3)" corresponding to the availability of an opt-out.

    (8) Additional opt-outs. A financial institution may customize

    the model form to offer opt-outs beyond those required under Federal

    law, so long as the additional information falls within the space

    constraints of the model form. If the institution chooses to offer

    its customers an opt-out for its own marketing or for joint

    marketing, for example, it can provide for that option by stating:

    "Yes (Check your choices, p. 3)" as to the availability of the opt-

    out.

    3. Page Two

    (a) General instructions for the definitions.

    The financial institution must customize the space below the

    last three definitions in this section (affiliates, nonaffiliates,

    and joint marketing). This specific information must be in

    italicized lettering to set off the information from the

    standardized definitions.

    (b) Affiliates. As required by section 716.6(a)(3) of this part,

    the financial institution must identify the categories of its

    affiliates or state "[name of financial institution] has no

    affiliates" in italicized lettering where [affiliate information]

    appears. A financial institution that shares with affiliates must

    use, as applicable, the following format: "Our affiliates include

    companies with a [name of financial institution] name; financial

    companies such as [list companies]; and nonfinancial companies, such

    as [list companies]."

    (c) Nonaffiliates. If the financial institution shares with

    nonaffiliated third parties outside the exceptions in sections

    716.14 and 716.15 of this part, the institution must identify the

    types of nonaffiliated third parties with which it shares or state

    "[name of financial institution] does not share with nonaffiliates

    so they can market to you." in italicized lettering where

    [nonaffiliate information] appears. A financial institution that

    shares with nonaffiliated third parties as described here must use,

    as applicable, the following format: "Nonaffiliates we share with

    can include [list categories of companies such as mortgage

    companies, insurance companies, direct marketing companies, and

    nonprofit organizations]."

    (d) Joint Marketing. As required by section 716.13 of this part,

    the financial institution must identify the types of financial

    institutions with which it engages in joint marketing or state

    "[name of financial institution] doesn't jointly market." in

    italicized lettering where [joint marketing] appears. A financial

    institution that shares with joint marketing partners must use, as

    applicable, the following format: "Our joint marketing partners

    include [list categories of companies such as credit card

    companies]."

    4. Page Three

    Opt-out form. Financial institutions must use page three only if

    they: (1) Share or use information in a manner that triggers an opt-

    out; or (2) choose to provide an opt-out (as disclosed in the table

    on page 1) in addition to what is required by law. The model opt-

    [[Page 14985]]

    out form must be provided on a separate page of the model form.

    (a) Contact us. The section describes three common methods by

    which a consumer exercises an opt-out--by telephone, on the Web, and

    by mail. Financial institutions may customize this section to

    provide for the particular opt-out methods and options the

    institution provides. For example, if an institution offers opting

    out by telephone and the Web but not by mail, it would provide only

    telephone and Web information as shown in the model form in the

    "Contact Us" box. Only institutions that allow more than 30 days

    after providing the notice before sharing information may change the

    number of days in the lower right hand section of the box.

    (b) Check your choices. Institutions must display the applicable

    opt-out options in the "Check your choices" box shown on this

    page. If an institution chooses not to offer an opt-out by mail, it

    must delete the boxes for name, address, account number, and mailing

    directions in the lower right-hand corner of the model form.

    Financial institutions that only offer one or two of the opt-out

    options listed on the model form must list only those options from

    the model form that apply to their practices and correspond

    accurately to the disclosures on page one. Thus, if an institution

    does not share in a manner that requires an opt-out for sharing with

    nonaffiliates, it must not include that opt-out option on page three

    of the model form. Institutions requiring information from consumers

    on the opt-out form other than an account number should modify that

    designation in the "Check your choices" box. Institutions that

    require customers with multiple accounts to identify each account to

    which the opt-out should apply should modify that portion of the

    model form.

    (c) Section 624 opt-out. If the financial institution's

    affiliates use information for marketing pursuant to section 624 of

    the FCRA, and the institution elects to consolidate that opt-out

    notice in the model form, it must include that disclosure and opt-

    out election as shown in the model form. Institutions that elect to

    limit the time for the affiliate marketing opt-out, consistent with

    the requirements of section 624, must adhere to the requirements of

    that section and the Agencies' implementing rule with respect to any

    subsequent notice and opt-out. Institutions that elect to limit the

    opt-out period must include a statement in italics, as shown on the

    model form, that states the period of time for which the opt-out

    applies.

    (d) Additional opt-outs. A financial institution that uses the

    disclosure table to indicate any opt-out choices available to

    consumers beyond those required by Federal law must include those

    opt-outs on page three of the model form. For example, if the

    financial institution discloses in the table that it offers an opt-

    out for joint marketing, the institution must revise the opt-out

    form on page three to reflect the availability of an opt-out, such

    as by adding a check-off box with the words "Do not share my

    personal information with other financial institutions to jointly

    market to me." Likewise, if a financial institution chooses to

    offer its customers an opt-out for its marketing, it can provide for

    that option in the disclosure table and on the opt-out form by

    adding a check-off box with the words "Do not share [or use] my

    personal information to market to me."

    7. Amend newly redesignated Appendix B by adding a new sentence

    immediately after the heading:

    Appendix B to Part 716--Sample Clauses

    This Appendix only applies to privacy notices provided until the

    date that is on or before one year following the date of final

    publication of this rule. * * *

    * * * * *

    Federal Trade Commission

    16 CFR Chapter I

    Authority and Issuance

    For the reasons set forth in the joint preamble, the Federal Trade

    Commission proposes to amend part 313 of chapter I of title 16 of the

    Code of Federal Regulations as follows:

    PART 313--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    1. The authority citation for part 313 continues to read as

    follows:

    Authority: 15 U.S.C. 6801 et seq.

    2. Revise Sec. 313.2 to read as follows:

    Sec. 313.2 Model privacy form and rules of construction.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 313.6 and 313.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    (c) Compliance. For non-federally insured credit unions, compliance

    with an example contained in 12 CFR part 716, to the extent applicable,

    constitutes compliance with this part. For intrastate securities

    broker-dealers and investment advisors not registered with the

    Securities and Exchange Commission, compliance with an example

    contained in 17 CFR part 248, to the extent applicable, constitutes

    compliance with this part.

    3. In Sec. 313.6, revise paragraph (f) and add paragraph (g) to

    read as follows:

    Sec. 313.6 Information to be included in privacy notices.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 313.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to

    the extent applicable, constitutes compliance with this part.

    4. In Sec. 313.7 add paragraph (i) to read as follows:

    Sec. 313.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 313.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    5. Redesignate Appendix A as Appendix B.

    6. Add new Appendix A to read as follows:

    [[Page 14986]]

    Appendix A to Part 313--Model Privacy Form

    A. The Model Privacy Form

    [GRAPHIC] [TIFF OMITTED] TP29MR07.021

    [[Page 14987]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.022

    [[Page 14988]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.023

    B. General Instructions

    1. How the model privacy form is used.

    The model form may be used, at the option of a financial

    institution, including a group of financial holding company

    affiliates that use a common privacy notice, to meet the content

    requirements of the privacy notice and opt-out notice set forth in

    sections 313.6 and 313.7 of this part.

    (Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.)

    2. The Contents of the Model Privacy Form

    The model form consists of two or three pages, depending on

    whether a financial institution shares in a manner that requires it

    to provide a third page with opt-out information.

    (a) Page One. The first page consists of the following

    components:

    (1) The title.

    (2) The key frame (Why?, What?, How?).

    (3) The disclosure table ("Reasons we can share your personal

    information").

    (4) Contact information.

    (b) Page Two. The second page consists of the following

    components:

    (1) The title.

    (2) The Frequently Asked Questions on sharing practices.

    (3) The definitions.

    (c) Page Three. The third page consists of a financial

    institution's opt-out form.

    3. The Format of the Model Privacy Form

    The model form is a standardized form, including page layout,

    page content, format, style, pagination, and shading. No other

    information may be included in the model form, and the model form

    may be modified only as described below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. Easily

    readable type font includes a minimum of 10-point font and

    sufficient spacing between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on one side of an 8.5 by 11 inch paper in portrait

    orientation.

    (d) Color. The model form may be printed on white or light color

    paper (such as cream) with black or suitable contrasting color ink.

    Spot color may be used to achieve visual interest, so long as the

    color contrast is distinctive and the color does not detract from

    the readability of the model form.

    [[Page 14989]]

    C. Information Required in the Model Privacy Form

    The model form is a standardized form, and institutions seeking

    to obtain the safe harbor through use of the model form may modify

    the form only as described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Include the name of the financial institution or group of

    affiliated institutions providing the notice on the form wherever

    [name of financial institution] appears. Contact information, such

    as the institution's toll-free telephone number, Web address, or

    mailing address, or other contact information, should be inserted as

    appropriate, wherever [toll-free telephone] or [web address] or

    [mailing address] appear.

    2. Page One

    (a) General instructions for the disclosure table. There are

    reasons for sharing or using personal information listed in the left

    column of the disclosure table. Each of these reasons correlates to

    certain legal provisions described below. In the middle column, each

    institution must provide a "Yes" or "No" response in each box

    that accurately reflects its information sharing policies and

    practices with respect to the reason listed on the left. Each

    institution also must complete each box in the right column as to

    whether a consumer can limit such sharing. If an institution answers

    "No" to sharing for a particular reason in the middle column, it

    must answer "We don't share" in the corresponding right column. If

    an institution answers "Yes" to sharing for a particular reason in

    the middle column, it must, in the right column, answer either

    "No" if it does not offer an opt-out or "Yes (Check your choices,

    p. 3)" if it does offer an opt-out. Except for the sixth row ("For

    our affiliates to market to you"), an institution must list all

    reasons for sharing, and complete the middle and right columns of

    the disclosure table.

    (b) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. Because all financial

    institutions share information for everyday business purposes, as

    contemplated by sections 313.14 and 313.15 of this part, the

    financial institution must answer "Yes" to the sharing of such

    information and "No" to the availability of an opt-out.

    (2) For our marketing purposes. The financial institution must

    answer "Yes" or "No" in the middle column. An institution that

    does not share for this reason must answer "We don't share" in the

    right column. An institution that shares for this reason may or may

    not elect to provide an opt-out and must provide the corresponding

    answer in the right column as described in paragraph C.2.(a) of this

    Instruction. This provision includes service providers contemplated

    by section 313.13 of this part.

    (3) For joint marketing with other financial companies. As

    contemplated by section 313.13 of this part, the financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that shares for

    this reason may or may not elect to provide an opt-out and must

    provide the corresponding answer in the right column as described in

    paragraph C.2.(a) of this Instruction.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This provision applies to

    sharing of certain information with an institution's affiliates, as

    contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The

    financial institution must answer "Yes" or "No" in the middle

    column. An institution that does not share for this reason must

    answer "We don't share" in the right column. An institution that

    does not have any affiliates will also use this answer. Institutions

    that share for this reason may or may not elect to provide an

    opt-out and must provide the corresponding answer in the right column as

    described in paragraph C.2.(a) of this Instruction.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This provision applies to the sharing of

    certain information with an institution's affiliates, as

    contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that does not have

    any affiliates will also use this answer. Institutions that share

    for this reason must provide an opt-out and must provide the

    appropriate answer in the right column as described in paragraph

    C.2.(a) of this Instruction.

    (6) For our affiliates to market to you. This provision applies

    to information shared among affiliates that is used by those

    affiliates for marketing, as contemplated by section 624 of the

    FCRA. Following the effective date of the rules implementing section

    624, institutions that elect to incorporate this provision into the

    model form to satisfy their obligations under this part must include

    this reason for sharing as set forth in the model form in order to

    obtain the benefit of the safe harbor. Institutions whose affiliates

    receive such information and use it for marketing must answer

    "Yes" in the middle column, and "Yes (Check your choices, p. 3)"

    in the right column corresponding to the availability of an opt-out.

    Institutions whose affiliates receive such information and do not

    use it for marketing may elect to include this provision in the

    model form and answer "No" in the middle column and "We don't

    share" in the right column; however, institutions whose affiliates

    receive such information and do not use it for marketing are not

    required to use this provision. Institutions that do not have

    affiliates and elect to include this provision in their notice will

    answer "No" in the middle column and "We don't share" in the

    right column.

    (7) For nonaffiliates to market to you. This provision applies

    to sharing under sections 313.7 and 313.10(a) of this part.

    Financial institutions that do not share for this reason must answer

    "No" in the middle column and "We don't share" in the right

    column. Financial institutions that do share for this reason must

    answer "Yes" in the middle column and "Yes (check your choices,

    p. 3)" corresponding to the availability of an opt-out.

    (8) Additional opt-outs. A financial institution may customize

    the model form to offer opt-outs beyond those required under Federal

    law, so long as the additional information falls within the space

    constraints of the model form. If the institution chooses to offer

    its customers an opt-out for its own marketing or for joint

    marketing, for example, it can provide for that option by stating:

    "Yes (Check your choices, p. 3)" as to the availability of the

    opt-out.

    3. Page Two

    (a) General instructions for the Definitions.

    The financial institution must customize the space below the

    last three definitions in this section (affiliates, nonaffiliates,

    and joint marketing). This specific information must be in

    italicized lettering to set off the information from the

    standardized definitions.

    (b) Affiliates. As required by section 313.6(a)(3) of this part,

    the financial institution must identify the categories of its

    affiliates or state "[name of financial institution] has no

    affiliates" in italicized lettering where [affiliate information]

    appears. A financial institution that shares with affiliates must

    use, as applicable, the following format: "Our affiliates include

    companies with a [name of financial institution] name; financial

    companies such as [list companies]; and nonfinancial companies, such

    as [list companies]."

    (c) Nonaffiliates. If the financial institution shares with

    nonaffiliated third parties outside the exceptions in sections

    313.14 and 313.15 of this part, the institution must identify the

    types of nonaffiliated third parties with which it shares or state

    "[name of financial institution] does not share with nonaffiliates

    so they can market to you." in italicized lettering where

    [nonaffiliate information] appears. A financial institution that

    shares with nonaffiliated third parties as described here must use,

    as applicable, the following format: "Nonaffiliates we share with

    can include [list categories of companies such as mortgage

    companies, insurance companies, direct marketing companies, and

    nonprofit organizations]."

    (d) Joint Marketing. As required by section 313.13 of this part,

    the financial institution must identify the types of financial

    institutions with which it engages in joint marketing or state

    "[name of financial institution] doesn't jointly market." in

    italicized lettering where [joint marketing] appears. A financial

    institution that shares with joint marketing partners must use, as

    applicable, the following format: "Our joint marketing partners

    include [list categories of companies such as credit card

    companies]."

    4. Page Three

    Opt-out form. Financial institutions must use page three only if

    they: (1) share or use information in a manner that triggers an

    opt-out; or (2) choose to provide an opt-out (as disclosed in the table

    on page 1) in addition to what is required by law. The model opt-out

    form must be provided on a separate page of the model form.

    [[Page 14990]]

    (a) Contact us. The section describes three common methods by

    which a consumer exercises an opt-out--by telephone, on the Web, and

    by mail. Financial institutions may customize this section to

    provide for the particular opt-out methods and options the

    institution provides. For example, if an institution offers opting

    out by telephone and the Web but not by mail, it would provide only

    telephone and Web information as shown in the model form in the

    "Contact Us" box. Only institutions that allow more than 30 days

    after providing the notice before sharing information may change the

    number of days in the lower right hand section of the box.

    (b) Check your choices. Institutions must display the applicable

    opt-out options in the "Check your choices" box shown on this

    page. If an institution chooses not to offer an opt-out by mail, it

    must delete the boxes for name, address, account number, and mailing

    directions in the lower right-hand corner of the model form.

    Financial institutions that only offer one or two of the opt-out

    options listed on the model form must list only those options from

    the model form that apply to their practices and correspond

    accurately to the disclosures on page one. Thus, if an institution

    does not share in a manner that requires an opt-out for sharing with

    nonaffiliates, it must not include that opt-out option on page three

    of the model form. Institutions requiring information from consumers

    on the opt-out form other than an account number should modify that

    designation in the "Check your choices" box. Institutions that

    require customers with multiple accounts to identify each account to

    which the opt-out should apply should modify that portion of the

    model form.

    (c) Section 624 opt-out. If the financial institution's

    affiliates use information for marketing pursuant to section 624 of

    the FCRA, and the institution elects to consolidate that opt-out

    notice in the model form, it must include that disclosure and

    opt-out election as shown in the model form. Institutions that elect to

    limit the time for the affiliate marketing opt-out, consistent with

    the requirements of section 624, must adhere to the requirements of

    that section and the Agencies' implementing rule with respect to any

    subsequent notice and opt-out. Institutions that elect to limit the

    opt-out period must include a statement in italics, as shown on the

    model form, that states the period of time for which the opt-out

    applies.

    (d) Additional opt-outs. A financial institution that uses the

    disclosure table to indicate any opt-out choices available to

    consumers beyond those required by Federal law must include those

    opt-outs on page three of the model form. For example, if the

    financial institution discloses in the table that it offers an

    opt-out for joint marketing, the institution must revise the opt-out

    form on page three to reflect the availability of an opt-out, such

    as by adding a check-off box with the words "Do not share my

    personal information with other financial institutions to jointly

    market to me." Likewise, if a financial institution chooses to

    offer its customers an opt-out for its marketing, it can provide for

    that option in the disclosure table and on the opt-out form by

    adding a check-off box with the words "Do not share [or use] my

    personal information to market to me."

    7. Amend newly redesignated Appendix B by adding a new sentence

    immediately after the heading:

    Appendix B to Part 313--Sample Clauses

    This Appendix only applies to privacy notices provided until the

    date that is on or before one year following the date of final

    publication of this rule. * * *

    * * * * *

    Commodity Futures Trading Commission

    17 CFR Chapter I

    Authority and Issuance

    For the reasons set forth in the joint preamble, the Commodity

    Futures Trading Commission proposes to amend part 160 of chapter I of

    title 17 of the Code of Federal Regulations as follows:

    PART 160--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    1. The authority citation for part 160 continues to read as

    follows:

    Authority: 7 U.S.C. 7b-2 and 12a(5); 15 U.S.C. 6801 et seq.

    2. Revise Sec. 160.2 to read as follows:

    Sec. 160.2 Model privacy form and rules of construction.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 160.6 and 160.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    (c) Substituted compliance.

    (1) Any person or entity otherwise subject to this part that is

    subject to and in compliance with the Securities and Exchange

    Commission Regulation S-P, 17 CFR part 248, will be deemed to be in

    compliance with this part.

    (2) Any commodity trading advisor otherwise subject to this part

    that is registered or required to be registered as an investment

    adviser in the state in which it maintains its principal office and

    place of business as defined in Sec. 275.203A-3 of this title, and

    that is subject to and in compliance with 16 CFR part 313, will be

    deemed to be in compliance with this part.

    3. In Sec. 160.6, revise paragraph (f) and add paragraph (g) to

    read as follows:

    Sec. 160.6 Information to be included in privacy notices.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 160.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to

    the extent applicable, constitutes compliance with this part.

    4. In Sec. 160.7 add paragraph (i) to read as follows:

    Sec. 160.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 160.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    5. Redesignate Appendix A as Appendix B.

    6. Add new Appendix A to read as follows:

    Appendix A to Part 160--Model Privacy Form

    A. The Model Privacy Form

    [[Page 14991]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.024

    [[Page 14992]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.025

    [[Page 14993]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.026

    B. General Instructions

    1. How the Model Privacy Form Is Used

    The model form may be used, at the option of a financial

    institution, including a group of financial holding company

    affiliates that use a common privacy notice, to meet the content

    requirements of the privacy notice and opt-out notice set forth in

    sections 160.6 and 160.7 of this part.

    (Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.)

    2. The Contents of the Model Privacy Form

    The model form consists of two or three pages, depending on

    whether a financial institution shares in a manner that requires it

    to provide a third page with opt-out information.

    (a) Page One. The first page consists of the following

    components:

    (1) The title.

    (2) The key frame (Why?, What?, How?).

    (3) The disclosure table ("Reasons we can share your personal

    information").

    (4) Contact information.

    (b) Page Two. The second page consists of the following

    components:

    (1) The title.

    (2) The Frequently Asked Questions on sharing practices.

    (3) The definitions.

    (c) Page Three. The third page consists of a financial

    institution's opt-out form.

    3. The Format of the Model Privacy Form

    The model form is a standardized form, including page layout,

    page content, format, style, pagination, and shading. No other

    information may be included in the model form, and the model form

    may be modified only as described below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. Easily

    readable type font includes a minimum of 10-point font and

    sufficient spacing between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on one side of an 8.5 by 11 inch paper in portrait

    orientation.

    (d) Color. The model form may be printed on white or light color

    paper (such as cream) with black or suitable contrasting color ink.

    Spot color may be used to achieve visual interest, so long as the

    color contrast is distinctive and the color does not detract from

    the readability of the model form.

    [[Page 14994]]

    C. Information Required in the Model Privacy Form

    The model form is a standardized form, and institutions seeking

    to obtain the safe harbor through use of the model form may modify

    the form only as described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Include the name of the financial institution or group of

    affiliated institutions providing the notice on the form wherever

    [name of financial institution] appears. Contact information, such

    as the institution's toll-free telephone number, Web address, or

    mailing address, or other contact information, should be inserted as

    appropriate, wherever [toll-free telephone] or [web address] or

    [mailing address] appear.

    2. Page One

    (a) General instructions for the disclosure table. There are

    reasons for sharing or using personal information listed in the left

    column of the disclosure table. Each of these reasons correlates to

    certain legal provisions described below. In the middle column, each

    institution must provide a "Yes" or "No" response in each box

    that accurately reflects its information sharing policies and

    practices with respect to the reason listed on the left. Each

    institution also must complete each box in the right column as to

    whether a consumer can limit such sharing. If an institution answers

    "No" to sharing for a particular reason in the middle column, it

    must answer "We don't share" in the corresponding right column. If

    an institution answers "Yes" to sharing for a particular reason in

    the middle column, it must, in the right column, answer either

    "No" if it does not offer an opt-out or "Yes (Check your choices,

    p. 3)" if it does offer an opt-out. Except for the sixth row ("For

    our affiliates to market to you"), an institution must list all

    reasons for sharing, and complete the middle and right columns of

    the disclosure table.

    (b) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. Because all financial

    institutions share information for everyday business purposes, as

    contemplated by sections 160.14 and 160.15 of this part, the

    financial institution must answer "Yes" to the sharing of such

    information and "No" to the availability of an opt-out.

    (2) For our marketing purposes. The financial institution must

    answer "Yes" or "No" in the middle column. An institution that

    does not share for this reason must answer "We don't share" in the

    right column. An institution that shares for this reason may or may

    not elect to provide an opt-out and must provide the corresponding

    answer in the right column as described in paragraph C.2.(a) of this

    Instruction. This provision includes service providers contemplated

    by section 160.13 of this part.

    (3) For joint marketing with other financial companies. As

    contemplated by section 160.13 of this part, the financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that shares for

    this reason may or may not elect to provide an opt-out and must

    provide the corresponding answer in the right column as described in

    paragraph C.2.(a) of this Instruction.

    (4) For our affiliates' everyday business purposes--

    information about transactions and experiences. This provision

    applies to sharing of certain information with an institution's

    affiliates, as contemplated by sections 603(d)(2)(A)(i) and (ii) of

    the FCRA. The financial institution must answer "Yes" or "No" in

    the middle column. An institution that does not share for this

    reason must answer "We don't share" in the right column. An

    institution that does not have any affiliates will also use this

    answer. Institutions that share for this reason may or may not elect

    to provide an opt-out and must provide the corresponding answer in

    the right column as described in paragraph C.2.(a) of this

    Instruction.

    (5) For our affiliates' everyday business purposes--

    information about creditworthiness. This provision applies to the

    sharing of certain information with an institution's affiliates, as

    contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that does not have

    any affiliates will also use this answer. Institutions that share

    for this reason must provide an opt-out and must provide the

    appropriate answer in the right column as described in paragraph

    C.2.(a) of this Instruction.

    (6) For our affiliates to market to you. This provision applies

    to information shared among affiliates that is used by those

    affiliates for marketing, as contemplated by section 624 of the

    FCRA. Following the effective date of the rules implementing section

    624, institutions that elect to incorporate this provision into the

    model form to satisfy their obligations under this part must include

    this reason for sharing as set forth in the model form in order to

    obtain the benefit of the safe harbor. Institutions whose affiliates

    receive such information and use it for marketing must answer

    "Yes" in the middle column, and "Yes (Check your choices, p. 3)"

    in the right column corresponding to the availability of an opt-out.

    Institutions whose affiliates receive such information and do not

    use it for marketing may elect to include this provision in the

    model form and answer "No" in the middle column and "We don't

    share" in the right column; however, institutions whose affiliates

    receive such information and do not use it for marketing are not

    required to use this provision. Institutions that do not have

    affiliates and elect to include this provision in their notice will

    answer "No" in the middle column and "We don't share" in the

    right column.

    (7) For nonaffiliates to market to you. This provision applies

    to sharing under sections 160.7 and 160.10(a) of this part.

    Financial institutions that do not share for this reason must answer

    "No" in the middle column and "We don't share" in the right

    column. Financial institutions that do share for this reason must

    answer "Yes" in the middle column and "Yes (check your choices,

    p. 3)" corresponding to the availability of an opt-out.

    (8) Additional opt-outs. A financial institution may customize

    the model form to offer opt-outs beyond those required under Federal

    law, so long as the additional information falls within the space

    constraints of the model form. If the institution chooses to offer

    its customers an opt-out for its own marketing or for joint

    marketing, for example, it can provide for that option by stating:

    "Yes (Check your choices, p. 3)" as to the availability of the

    opt-out.

    3. Page Two

    (a) General instructions for the Definitions.

    The financial institution must customize the space below the

    last three definitions in this section (affiliates, nonaffiliates,

    and joint marketing). This specific information must be in

    italicized lettering to set off the information from the

    standardized definitions.

    (b) Affiliates. As required by section 160.6(a)(3) of this part,

    the financial institution must identify the categories of its

    affiliates or state "[name of financial institution] has no

    affiliates" in italicized lettering where [affiliate information]

    appears. A financial institution that shares with affiliates must

    use, as applicable, the following format: "Our affiliates include

    companies with a [name of financial institution] name; financial

    companies such as [list companies]; and nonfinancial companies, such

    as [list companies]."

    (c) Nonaffiliates. If the financial institution shares with

    nonaffiliated third parties outside the exceptions in sections

    160.14 and 160.15 of this part, the institution must identify the

    types of nonaffiliated third parties with which it shares or state

    "[name of financial institution] does not share with nonaffiliates

    so they can market to you." in italicized lettering where

    [nonaffiliate information] appears. A financial institution that

    shares with nonaffiliated third parties as described here must use,

    as applicable, the following format: "Nonaffiliates we share with

    can include [list categories of companies such as mortgage

    companies, insurance companies, direct marketing companies, and

    nonprofit organizations]."

    (d) Joint Marketing. As required by section 160.13 of this part,

    the financial institution must identify the types of financial

    institutions with which it engages in joint marketing or state

    "[name of financial institution] doesn't jointly market." in

    italicized lettering where [joint marketing] appears. A financial

    institution that shares with joint marketing partners must use, as

    applicable, the following format: "Our joint marketing partners

    include [list categories of companies such as credit card

    companies]."

    4. Page Three

    Opt-out form. Financial institutions must use page three only if

    they: (1) Share or use information in a manner that triggers an opt-

    out; or (2) choose to provide an opt-out (as disclosed in the table

    on page 1) in addition to what is required by law. The model opt-out

    form must be provided on a separate page of the model form.

    [[Page 14995]]

    (a) Contact us. The section describes three common methods by

    which a consumer exercises an opt-out--by telephone, on the Web, and

    by mail. Financial institutions may customize this section to

    provide for the particular opt-out methods and options the

    institution provides. For example, if an institution offers opting

    out by telephone and the Web but not by mail, it would provide only

    telephone and Web information as shown in the model form in the

    "Contact Us" box. Only institutions that allow more than 30 days

    after providing the notice before sharing information may change the

    number of days in the lower right hand section of the box.

    (b) Check your choices. Institutions must display the applicable

    opt-out options in the "Check your choices" box shown on this

    page. If an institution chooses not to offer an opt-out by mail, it

    must delete the boxes for name, address, account number, and mailing

    directions in the lower right-hand corner of the model form.

    Financial institutions that only offer one or two of the opt-out

    options listed on the model form must list only those options from

    the model form that apply to their practices and correspond

    accurately to the disclosures on page one. Thus, if an institution

    does not share in a manner that requires an opt-out for sharing with

    nonaffiliates, it must not include that opt-out option on page three

    of the model form. Institutions requiring information from consumers

    on the opt-out form other than an account number should modify that

    designation in the "Check your choices" box. Institutions that

    require customers with multiple accounts to identify each account to

    which the opt-out should apply should modify that portion of the

    model form.

    (c) Section 624 opt-out. If the financial institution's

    affiliates use information for marketing pursuant to section 624 of

    the FCRA, and the institution elects to consolidate that opt-out

    notice in the model form, it must include that disclosure and opt-

    out election as shown in the model form. Institutions that elect to

    limit the time for the affiliate marketing opt-out, consistent with

    the requirements of section 624, must adhere to the requirements of

    that section and the Agencies' implementing rule with respect to any

    subsequent notice and opt-out. Institutions that elect to limit the

    opt-out period must include a statement in italics, as shown on the

    model form, that states the period of time for which the opt-out

    applies.

    (d) Additional opt-outs. A financial institution that uses the

    disclosure table to indicate any opt-out choices available to

    consumers beyond those required by Federal law must include those

    opt-outs on page three of the model form. For example, if the

    financial institution discloses in the table that it offers an opt-

    out for joint marketing, the institution must revise the opt-out

    form on page three to reflect the availability of an opt-out, such

    as by adding a check-off box with the words "Do not share my

    personal information with other financial institutions to jointly

    market to me." Likewise, if a financial institution chooses to

    offer its customers an opt-out for its marketing, it can provide for

    that option in the disclosure table and on the opt-out form by

    adding a check-off box with the words "Do not share [or use] my

    personal information to market to me."

    7. Amend newly redesignated Appendix B by adding a new sentence

    immediately after the heading:

    Appendix B to Part 160--Sample Clauses

    This Appendix only applies to privacy notices provided until the

    date that is on or before one year following the date of final

    publication of this rule. * * *

    * * * * *

    Securities and Exchange Commission

    Statutory Authority

    The Commission is proposing to amend Regulation S-P pursuant to

    authority set forth in section 728 of the Regulatory Relief Act [Pub.

    L. 109-351], section 504 of the GLB Act [15 U.S.C. 6804], section 23 of

    the Securities Exchange Act [15 U.S.C. 78w], section 38(a) of the

    Investment Company Act [15 U.S.C. 80a-37(a)], and section 211 of the

    Investment Advisers Act [15 U.S.C. 80b-11].

    Text of Proposed Amendments

    For the reasons set forth in the preamble, the Commission proposes

    to amend Title 17, Chapter II of the Code of Federal Regulations as

    follows:

    PART 248--REGULATION S-P: PRIVACY OF CONSUMER FINANCIAL INFORMATION

    1. Revise the authority citation for part 248 to read as follows:

    Authority: 15 U.S.C. 78q; 78w; 78mm; 80a-30(a); 80a-37; 80b-4;

    80b-11; 1681w; and 6801-6809.

    2. Revise Sec. 248.2 to read as follows:

    Sec. 248.2 Model privacy form; rule of construction.

    (a) Model privacy form. Use of Form S-P (see Appendix A of this

    part), consistent with the instructions to the form, constitutes

    compliance with the notice content requirements of Sec. Sec. 248.6 and

    248.7 of this part, although use of Form S-P is not required.

    (b) Examples. The examples in this part provide guidance concerning

    the rule's application in ordinary circumstances. The facts and

    circumstances of each individual situation, however, will determine

    whether compliance with an example, to the extent practicable,

    constitutes compliance with this part.

    (c) Substituted compliance with CFTC financial privacy rules by

    futures commission merchants and introducing brokers. Except with

    respect to Sec. 248.30(b), any futures commission merchant or

    introducing broker (as those terms are defined in the Commodity

    Exchange Act (7 U.S.C. 1, et seq.)) registered by notice with the

    Commission for the purpose of conducting business in security futures

    products pursuant to section 15(b)(11)(A) of the Securities Exchange

    Act of 1934 (15 U.S.C. 78o(b)(11)(A)) that is subject to and in

    compliance with the financial privacy rules of the Commodity Futures

    Trading Commission (17 CFR part 160) will be deemed to be in compliance

    with this part.

    * * * * *

    3. Amend Sec. 248.6 by revising paragraph (f) and adding paragraph

    (g) to read as follows:

    Sec. 248.6 Information to be included in privacy notices.

    * * * * *

    (f) Model Form S-P. Pursuant to Sec. 248.2(a) and Appendix A of

    this part, Form S-P meets the notice content requirements of this

    section.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. The sample clauses in Appendix B of this part provide guidance

    concerning the rule's application in ordinary circumstances in a

    privacy notice provided on or before [ONE YEAR FOLLOWING THE DATE OF

    PUBLICATION OF THE FINAL RULE]. The facts and circumstances of each

    individual situation, however, will determine whether compliance with a

    sample clause constitutes compliance with this part.

    4. Amend Sec. 248.7 by adding paragraph (i) to read as follows:

    Sec. 248.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model Form S-P. Pursuant to Sec. 248.2(a) and Appendix A of

    this part, Form S-P meets the notice content requirements of this

    section.

    Appendix A [Redesignated as Appendix B]

    5. Redesignate Appendix A to Part 248 as Appendix B.

    6. Add new Appendix A to read as follows:

    Appendix A to Part 248--Form S-P

    (1) Any person may obtain a copy of Form S-P prescribed for use

    in this part by written request to the Securities and Exchange

    Commission, 100 F Street, NE., Washington, DC 20549. Any person also

    may view this form at: [Web site URL].

    (2) Use of Form S-P by brokers, dealers, and investment

    companies, and investment

    [[Page 14996]]

    advisers registered with the Commission constitutes compliance with

    the notice content requirements of Sec. Sec. 248.6 and 248.7 of

    this part.

    7. Form S-P (referenced in Appendix A of this part) is added to

    read as follows:

    Note: The text of Form S-P does not, and this amendment will

    not, appear in the Code of Federal Regulations.

    Securities and Exchange Commission--Form S-P

    A. Model Privacy Form

    [GRAPHIC] [TIFF OMITTED] TP29MR07.027

    [[Page 14997]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.028

    [[Page 14998]]

    [GRAPHIC] [TIFF OMITTED] TP29MR07.029

    B. General Instructions

    1. How the Model Privacy Form is Used

    The model form may be used, at the option of a financial

    institution, including a group of financial holding company

    affiliates that use a common privacy notice, to meet the content

    requirements of the privacy notice and opt-out notice set forth in

    sections 248.6 and 248.7 of this part.

    (Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681--1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.)

    2. The contents of the model privacy form

    The model form consists of two or three pages, depending on

    whether a financial institution shares in a manner that requires it

    to provide a third page with opt-out information.

    (a) Page One. The first page consists of the following

    components:

    (1) The title.

    (2) The key frame (Why?, What?, How?).

    (3) The disclosure table ("Reasons we can share your personal

    information").

    (4) Contact information.

    (b) Page Two. The second page consists of the following

    components:

    (1) The title.

    (2) The Frequently Asked Questions on sharing practices.

    (3) The definitions.

    (c) Page Three. The third page consists of a financial

    institution's opt-out form.

    3. The Format of the Model Privacy Form

    The model form is a standardized form, including page layout,

    page content, format, style, pagination, and shading. No other

    information may be included in the model form, and the model form

    may be modified only as described below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. Easily

    readable type font includes a minimum of 10-point font and

    sufficient spacing between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    [[Page 14999]]

    (c) Page size and orientation. Each page of the model form must

    be printed on one side of an 8.5 by 11 inch paper in portrait

    orientation.

    (d) Color. The model form may be printed on white or light color

    paper (such as cream) with black or suitable contrasting color ink.

    Spot color may be used to achieve visual interest, so long as the

    color contrast is distinctive and the color does not detract from

    the readability of the model form.

    C. Information Required in the Model Privacy Form

    The model form is a standardized form, and institutions seeking

    to obtain the safe harbor through use of the model form may modify

    the form only as described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Include the name of the financial institution or group of

    affiliated institutions providing the notice on the form wherever

    [name of financial institution] appears. Contact information, such

    as the institution's toll-free telephone number, Web address, or

    mailing address, or other contact information, should be inserted as

    appropriate, wherever [toll-free telephone] or [web address] or

    [mailing address] appear.

    2. Page One

    (a) General instructions for the disclosure table. There are

    reasons for sharing or using personal information listed in the left

    column of the disclosure table. Each of these reasons correlates to

    certain legal provisions described below. In the middle column, each

    institution must provide a "Yes" or "No" response in each box

    that accurately reflects its information sharing policies and

    practices with respect to the reason listed on the left. Each

    institution also must complete each box in the right column as to

    whether a consumer can limit such sharing. If an institution answers

    "No" to sharing for a particular reason in the middle column, it

    must answer "We don't share" in the corresponding right column. If

    an institution answers "Yes" to sharing for a particular reason in

    the middle column, it must, in the right column, answer either

    "No" if it does not offer an opt-out or "Yes (Check your choices,

    p.3)" if it does offer an opt-out. Except for the sixth row ("For

    our affiliates to market to you"), an institution must list all

    reasons for sharing, and complete the middle and right columns of

    the disclosure table.

    (b) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. Because all financial

    institutions share information for everyday business purposes, as

    contemplated by sections 248.14 and 248.15 of this part, the

    financial institution must answer "Yes" to the sharing of such

    information and "No" to the availability of an opt-out.

    (2) For our marketing purposes. The financial institution must

    answer "Yes" or "No" in the middle column. An institution that

    does not share for this reason must answer "We don't share" in the

    right column. An institution that shares for this reason may or may

    not elect to provide an opt-out and must provide the corresponding

    answer in the right column as described in paragraph C.2.(a) of this

    Instruction. This provision includes service providers contemplated

    by section 248.13 of this part.

    (3) For joint marketing with other financial companies. As

    contemplated by section 248.13 of this part, the financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that shares for

    this reason may or may not elect to provide an opt-out and must

    provide the corresponding answer in the right column as described in

    paragraph C.2.(a) of this Instruction.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This provision applies to

    sharing of certain information with an institution's affiliates, as

    contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The

    financial institution must answer "Yes" or "No" in the middle

    column. An institution that does not share for this reason must

    answer "We don't share" in the right column. An institution that

    does not have any affiliates will also use this answer. Institutions

    that share for this reason may or may not elect to provide an opt-

    out and must provide the corresponding answer in the right column as

    described in paragraph C.2.(a) of this Instruction.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This provision applies to the sharing of

    certain information with an institution's affiliates, as

    contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial

    institution must answer "Yes" or "No" in the middle column. An

    institution that does not share for this reason must answer "We

    don't share" in the right column. An institution that does not have

    any affiliates will also use this answer. Institutions that share

    for this reason must provide an opt-out and must provide the

    appropriate answer in the right column as described in paragraph

    C.2.(a) of this Instruction.

    (6) For our affiliates to market to you. This provision applies

    to information shared among affiliates that is used by those

    affiliates for marketing, as contemplated by section 624 of the

    FCRA. Following the effective date of the rules implementing section

    624, institutions that elect to incorporate this provision into the

    notice required under this part must include this reason for sharing

    as set forth in the model form. Institutions whose affiliates

    receive such information and use it for marketing must answer

    "Yes" in the middle column, and "Yes (Check your choices, p.3)"

    in the right column corresponding to the availability of an opt-out.

    Institutions whose affiliates receive such information and do not

    use it for marketing may elect to include this provision in the

    model form and answer "No" in the middle column and "We don't

    share" in the right column; however, institutions whose affiliates

    receive such information and do not use it for marketing are not

    required to use this provision. Institutions that do not have

    affiliates and elect to include this provision in their notice will

    answer "No" in the middle column and "We don't share" in the

    right column.

    (7) For nonaffiliates to market to you. This provision applies

    to sharing under sections 248.7 and 248.10(a) of this part.

    Financial institutions that do not share for this reason must answer

    "No" in the middle column and "We don't share" in the right

    column. Financial institutions that do share for this reason must

    answer "Yes" in the middle column and "Yes (check your choices,

    p. 3)" corresponding to the availability of an opt-out.

    (8) Additional opt-outs. A financial institution may customize

    the model form to offer opt-outs beyond those required under Federal

    law, so long as the additional information falls within the space

    constraints of the model form. If the institution chooses to offer

    its customers an opt-out for its own marketing or for joint

    marketing, for example, it can provide for that option by stating:

    "Yes (Check your choices, p.3)" as to the availability of the opt-

    out.

    3. Page Two

    (a) General instructions for the Definitions.

    The financial institution must customize the space below the

    last three definitions in this section (affiliates, nonaffiliates,

    and joint marketing).

    This specific information must be in italicized lettering to set

    off the information from the standardized definitions.

    (b) Affiliates. As required by section 248.6(a)(3) of this part,

    the financial institution must identify the categories of its

    affiliates or state "[name of financial institution] has no

    affiliates" in italicized lettering where [affiliate information]

    appears. A financial institution that shares with affiliates must

    use, as applicable, the following format: "Our affiliates include

    companies with a [name of financial institution] name; financial

    companies such as [list companies]; and nonfinancial companies, such

    as [list companies]."

    (c) Nonaffiliates. If the financial institution shares with

    nonaffiliated third parties outside the exceptions in sections

    248.14 and 248.15 of this part, the institution must identify the

    types of nonaffiliated third parties with which it shares or state

    "[name of financial institution] does not share with nonaffiliates

    so they can market to you." in italicized lettering where

    [nonaffiliate information] appears. A financial institution that

    shares with nonaffiliated third parties as described here must use,

    as applicable, the following format: "Nonaffiliates we share with

    can include [list categories of companies such as mortgage

    companies, insurance companies, direct marketing companies, and

    nonprofit organizations]."

    (d) Joint Marketing. As required by section 248.13 of this part,

    the financial institution must identify the types of financial

    institutions with which it engages in joint marketing or state

    "[name of financial institution] doesn't jointly market." in

    italicized lettering where [joint marketing] appears. A financial

    institution that shares with joint marketing partners must use, as

    applicable, the following format: "Our joint marketing partners

    include [list categories of companies such as credit card

    companies]."

    [[Page 15000]]

    4. Page Three

    Opt-out form. Financial institutions must use page three only if

    they: (1) Share or use information in a manner that triggers an opt-

    out; or (2) choose to provide an opt-out (as disclosed in the table

    on page 1) in addition to what is required by law. The model opt-out

    form must be provided on a separate page of the model form.

    (a) Contact us. The section describes three common methods by

    which a consumer exercises an opt-out--by telephone, on the Web, and

    by mail. Financial institutions may customize this section to

    provide for the particular opt-out methods and options the

    institution provides. For example, if an institution offers opting

    out by telephone and the Web but not by mail, it would provide only

    telephone and Web information as shown in the model form in the

    "Contact Us" box. Only institutions that allow more than 30 days

    after providing the notice before sharing information may change the

    number of days in the lower right hand section of the box.

    (b) Check your choices. Institutions must display the applicable

    opt-out options in the "Check your choices" box shown on this

    page. If an institution chooses not to offer an opt-out by mail, it

    must delete the boxes for name, address, account number, and mailing

    directions in the lower right-hand corner of the model form.

    Financial institutions that only offer one or two of the opt-out

    options listed on the model form must list only those options from

    the model form that apply to their practices and correspond

    accurately to the disclosures on page one. Thus, if an institution

    does not share in a manner that requires an opt-out for sharing with

    nonaffiliates, it must not include that opt-out option on page three

    of the model form. Institutions requiring information from consumers

    on the opt-out form other than an account number should modify that

    designation in the "Check your choices" box. Institutions that

    require customers with multiple accounts to identify each account to

    which the opt-out should apply should modify that portion of the

    model form.

    (c) Section 624 opt-out. If the financial institution's

    affiliates use information for marketing pursuant to section 624 of

    the FCRA, and the institution elects to consolidate that opt-out

    notice in the model form, it must include that disclosure and opt-

    out election as shown in the model form. Institutions that elect to

    limit the time for the affiliate marketing opt-out, consistent with

    the requirements of section 624, must adhere to the requirements of

    that section and the Agencies' implementing rule with respect to any

    subsequent notice and opt-out. Institutions that elect to limit the

    opt-out period must include a statement in italics, as shown on the

    model form, that states the period of time for which the opt-out

    applies.

    (d) Additional opt-outs. A financial institution that uses the

    disclosure table to indicate any opt-out choices available to

    consumers beyond those required by Federal law must include those

    opt-outs on page three of the model form. For example, if the

    financial institution discloses in the table that it offers an opt-

    out for joint marketing, the institution must revise the opt-out

    form on page three to reflect the availability of an opt-out, such

    as by adding a check-off box with the words "Do not share my

    personal information with other financial institutions to jointly

    market to me." Likewise, if a financial institution chooses to

    offer its customers an opt-out for its marketing, it can provide for

    that option in the disclosure table and on the opt-out form by

    adding a check-off box with the words "Do not share [or use] my

    personal information to market to me."

    8. Amend newly designated Appendix B by adding a new sentence

    immediately after the heading to read as follows:

    Appendix B to Part 248--Sample Clauses

    This appendix provides guidance only for privacy notices provided

    on or before [ONE YEAR AFTER THE PUBLICATION DATE OF THE FINAL RULE]. * * *

    * * * * *

    Dated: March 9, 2007.

    John C. Dugan,

    Comptroller of the Currency.

    By order of the Board of Governors of the Federal Reserve

    System, March 16, 2007.

    Jennifer J. Johnson,

    Secretary of the Board.

    By order of the Board of Directors.

    Dated at Washington, DC, this 20th day of March, 2007.

    Federal Deposit Insurance Corporation.

    Robert E. Feldman,

    Executive Secretary.

    Dated: March 19, 2007.

    By the Office of Thrift Supervision.

    John M. Reich,

    Director.

    By the National Credit Union Administration Board on March 15,

    2007.

    Mary Rupp,

    Secretary of the Board.

    The Federal Trade Commission.

    Dated: March 20, 2007.

    By direction of the Commission.

    Donald S. Clark,

    Secretary.

    Dated: March 20, 2007.

    Eileen A. Donovan,

    Acting Secretary of the Commodity Futures Trading Commission.

    By the Securities and Exchange Commission.

    Dated: March 20, 2007.

    Florence E. Harmon,

    Deputy Secretary.

    [FR Doc. 07-1476 Filed 3-28-07; 8:45 am]

    BILLING CODE 4810-33-P

    Last Updated: June 27, 2007


