Reporting and Disclosure Requirements Associated with Regulation P (Privacy of Consumer Financial Information)

OMB: 7100-0294

Supporting Statement for the
Reporting and Disclosure Requirements Associated with
Regulation P (Reg P; OMB No. 7100-0294)
Summary
The Board of Governors of the Federal Reserve System, under delegated authority
from the Office of Management and Budget (OMB), proposes to extend for three years,
without revision, the reporting and disclosure requirements of Regulation P, which
implements the Protection of Nonpublic Personal Information provisions of the Gramm-Leach-Bliley Act of 1999 (GLBA). 1 The Paperwork Reduction Act (PRA) classifies
these requirements as an information collection and the PRA requires the Federal Reserve
to renew these requirements every three years. 2
The information collection pursuant to Regulation P is triggered by the
establishment of a relationship between a customer and a financial institution. The
regulation ensures that financial institutions provide customers notice of the privacy
policies and practices of financial institutions and a means to prevent the disclosure of
nonpublic personal information, in certain circumstances. Where applicable, financial
institutions are required to provide an initial and an annual notice of their privacy policies
and practices, opt-out notices, and revised notices that contain changes in policies and
procedures.
Under the PRA, the Federal Reserve accounts for the paperwork burden
associated with Regulation P for the financial institutions supervised by the Federal
Reserve that must comply with the regulation. 3 The estimated annual burden for the
409,367 respondents is 363,330 hours.
Background and Justification
The GLBA (Sec. 504), Public Law No. 106-102, directed the Federal Reserve
Board (Board), Federal Deposit Insurance Corporation (FDIC), the Office of the
Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), National
Credit Union Administration (NCUA), Federal Trade Commission (FTC), and Securities
and Exchange Commission (SEC) (“the agencies”) to issue regulations to implement the
notice requirements and restrictions on a financial institution’s ability to disclose
nonpublic personal information about consumers to nonaffiliated third parties.
1 The Protection of Nonpublic Personal Information provisions are codified at 15 U.S.C. § 6801 et seq.
Regulation P is located at 12 CFR Part 216.

2 The collection of information under Regulation P is assigned OMB No. 7100-0294 for purposes of the
PRA.

3 Section 216.3(q) of Regulation P generally defines Federal Reserve regulated financial institutions as:
State member banks, subsidiaries of state member banks, bank holding companies and its subsidiaries or
affiliates, branches and agencies of foreign banks, commercial lending companies owned or controlled by
foreign banks, and corporations operating under section 25 or 25A of the Federal Reserve Act.

A financial institution’s precise responsibilities under GLBA and the privacy
regulations depend on whether it is dealing with a “consumer” or a “customer.” A
consumer is an individual who obtains a financial product or service from a financial
institution that is primarily for personal, family, or household purposes; a customer is a
consumer who has a customer relationship (which means a continuing relationship) with
a financial institution. In general, a financial institution must provide notice to its
consumers about its privacy policies and practices, including notice of the consumers’
right to opt out of information sharing. A financial institution may not disclose nonpublic
personal information about any consumer to nonaffiliated third parties unless (1) the
consumer has not elected to opt out of the information sharing after receiving the required
notice, or (2) the disclosure is permitted under one of the regulation’s exceptions. A
financial institution is not required to provide an initial notice to a consumer if it does not
have a customer relationship with the consumer and it does not disclose any nonpublic
personal information about the consumer to any nonaffiliated third party, other than as
authorized by the regulation. A financial institution must also provide an annual privacy
notice to consumers who are its customers but does not have to provide an annual notice
to consumers who are not customers.
Description of Information Collection
Subpart A of the regulation prescribes the required disclosures for privacy and
opt-out notices. The opt-out provisions of the regulation enable consumers to prevent a
financial institution from disclosing nonpublic personal information to third parties that
are not affiliated with the financial institution. The provisions do not restrict the
disclosure of nonpublic personal information among affiliated companies nor do they
restrict the disclosure of information about businesses or corporations.
Privacy and opt-out notices (Subpart A)
Regulation P imposes four disclosure requirements on financial institutions: initial
privacy notice, annual privacy notice, revised privacy notice (notice of change in terms),
and opt-out notice. In addition, the regulation imposes two reporting requirements on
consumers: an initial notification that the consumer elects to opt out (if the consumer so
chooses), and a notification to the institution during the course of the relationship if the
consumer elects to change his or her opt-out status.
Financial Institutions’ Disclosure Requirements
Initial privacy notice to consumers. Generally, a financial institution must
provide consumers a clear and conspicuous notice that accurately reflects its privacy
policies and practices. An institution must have provided the initial privacy notice to all
current customers as of the regulation’s mandatory effective date of July 1, 2001. After
that date, a financial institution must provide the initial privacy notice to all new
customers when they commence the customer relationship. A financial institution is not
required to provide an initial notice to a consumer if it does not have a customer
relationship with the consumer and it does not disclose any nonpublic personal
information about the consumer to any nonaffiliated third party, other than as authorized
by the regulation. To reduce burden, the regulation authorizes simplified and short forms
of the initial privacy notice for use under certain conditions.


Annual privacy notice to customers. Financial institutions must provide to
customers a clear and conspicuous notice that accurately reflects an institution’s privacy
policies and practices not less than once in a twelve-month period during the continuation
of the customer relationship.
Information to be included in privacy notices. The initial notice and annual notice
each must include all of the following items of information:

• the categories of nonpublic personal information about the consumers that the
  institution collects;
• the categories of nonpublic personal information about the consumers that the
  institution discloses;
• the categories of affiliates and nonaffiliated third parties to whom the institution
  discloses nonpublic personal information about the consumers, other than those
  parties excepted under the regulation;
• the categories of nonpublic personal information about former consumers that the
  institution discloses and the categories of affiliates and nonaffiliated third parties to
  whom the institution discloses nonpublic personal information about former
  consumers, other than those parties excepted under the regulation;
• if an institution discloses nonpublic personal information to service providers or joint
  marketers, a description of the categories of information the institution discloses and
  the categories of third parties with whom the institution has contracted;
• an explanation of the consumer’s right to opt out of the disclosure of nonpublic
  personal information to nonaffiliated third parties, including the methods by which
  the consumer may exercise that right;
• any disclosures regarding the ability to opt out of disclosures of information among
  affiliates;
• the institutions’ policies and practices with respect to protecting the confidentiality
  and security of nonpublic personal information; and
• description of nonaffiliated third parties subject to exceptions under the regulation.

Revised privacy notice (notice of change in terms). Certain changes to a
financial institution’s privacy policies or practices trigger a requirement to provide
consumers a revised notice that accurately describes the institution’s current policies and
practices. After an institution has made certain changes to its disclosure practices, it may
not directly or through affiliates disclose nonpublic personal information about a
consumer other than as described in the initial notice unless it provides the consumer (1)
a new notice that accurately describes the policies and practices, (2) a new opt-out notice,
and (3) a reasonable opportunity to opt out.
Notice of right to opt out. Depending on a financial institution’s information-sharing practices, it must provide an opt-out notice to a consumer or to a customer. An
opt-out notice may also be required when the institution issues a revised privacy notice.


Consumers’ Reporting Requirements
Consumer’s notice of invocation of opt out right. To invoke his or her right to
opt out, a consumer must notify the institution. The consumer must be given a
reasonable opportunity to opt out before information may be shared with a non-affiliated
third party outside of the permitted exceptions.
Consumer’s continuing right to opt out. A consumer has the right to change or
update his or her opt-out status with an institution at any time. The financial institution
must comply with the consumer’s direction as soon as reasonably practicable, and the
consumer’s direction to opt out under the regulation is effective until revoked by the
consumer. If a customer relationship terminates, the customer’s opt-out direction
continues to apply to the nonpublic personal information that the financial institution
collected during or related to the relationship. If the individual subsequently establishes a
new customer relationship with the institution, the opt-out direction that applied to the
former relationship does not apply to the new relationship.
To facilitate compliance with these requirements, Regulation P gives examples of
“nonpublic personal information,” “consumer,” “consumer reporting agency,”
“customer” and “personally identifiable financial information” among other things. The
regulation also provides guidance on the timing of notices to customers and the means by
which consumers can exercise their opt-out rights. Appendix A of the regulation contains
sample clauses to aid financial institutions in developing disclosure notices.
Time Schedule for Information Collection
The disclosure requirements of Regulation P are relationship-specific and must be
provided within the time periods established by law and regulation as discussed above.
The regulation also contains consumer reporting requirements. A consumer must be
allowed a reasonable opportunity to opt out before otherwise permitted information
sharing may occur. A consumer has the right to change or update the consumer’s opt-out
status with the institution at any time during a continued relationship.
Legal Status
The Board's Legal Division has determined that the consumer reporting
requirements and financial institution disclosure requirements associated with the
regulation are authorized by section 504 of the Gramm-Leach-Bliley Act (GLBA) (15 U.S.C.
§ 6804). Since the Federal Reserve does not collect any information, no issue of
confidentiality normally arises.
Consultation Outside of the Agency
On July 3, 2006, the Federal Reserve published a notice in the Federal Register
(71 FR 37935) requesting public comment for 60 days on the extension, without revision,
of reporting and disclosure requirements of Regulation P. The comment period for this
notice expired on September 1, 2006. No comments were received.

Sensitive Questions
This collection of information contains no questions of a sensitive nature, as
defined by OMB guidelines.
Estimate of Respondent Burden
The estimated total annual burden for the reporting and disclosure requirements of
this information collection is 369,330 hours as shown in the table below. The overall
disclosure burden for financial institutions is estimated to be 167,992 hours. The
reporting burden for consumers is estimated to be 201,338 hours. The estimated total
annual burden represents approximately 8 percent of the total Federal Reserve System
paperwork burden.
| | Estimated number of respondents | Estimated annual frequency | Estimated response time | Estimated annual burden hours |
|---|---|---|---|---|
| Institution disclosure requirements | | | | |
| Initial notice | 1,311 | 1 | 80 hours | 104,880 |
| Annual notice and notice of change in terms | 6,692 | 1 | 8 hours | 53,536 |
| Opt out notice | 1,197 | 1 | 8 hours | 9,576 |
| subtotal | | | | 167,992 |
| Consumer reporting requirements | | | | |
| Opt out notice | 402,675 | 1 | 30 minutes | 201,338 |
| subtotal | | | | 201,338 |
| Total | | | | 369,330 |


The total cost to financial institutions is estimated to be $23,964,041. 4 Based on
an hourly rate 5 of $17.67, the estimated cost to consumers for this information collection
is $3,557,642.
Estimate of Cost to the Federal Reserve System
Since the Federal Reserve does not collect any information, the cost to the Federal
Reserve System is negligible.

4 Total cost to financial institutions was estimated using the following formula. Percent of staff time, multiplied by annual burden
hours of 167,992, multiplied by hourly rate: 25% - Clerical @ $25.00; 40% - Managerial or Technical @ $55.00; 25% - Senior
Management @ $100.00; and 10% - Legal Counsel @ $144.00.

5 According to the U.S. Department of Labor Bureau of Labor Statistics, 2002 Quarterly Census of Employment and Wages
http://www.bls.gov/cew/state2002.txt



File Type: application/pdf
File Title: Supporting Statement for *** (FR ####; OMB No
Author: m1mel00
File Modified: 2006-08-31
File Created: 2006-08-31
