Rule 248.30

17cfr248.30.pdf

Rule 248.30; 17 C.F.R Sec. 248.30, Information security programs for personal information; records of compliance.


OMB: 3235-0610

Securities and Exchange Commission

§ 248.30

(b)(1) Notice requirement for consumers
who are your customers on the compliance
date. By July 1, 2001, you must have
provided an initial notice, as required
by § 248.4, to consumers who are your
customers on July 1, 2001.
(2) Example. You provide an initial
notice to consumers who are your customers on July 1, 2001, if, by that date,
you have established a system for providing an initial notice to all new customers and have mailed the initial notice to all your existing customers.
(c) Two-year grandfathering of service
agreements. Until July 1, 2002, a contract that you have entered into with a
nonaffiliated third party to perform
services for you or functions on your
behalf satisfies the provisions of
§ 248.13(a)(2), even if the contract does
not include a requirement that the
third party maintain the confidentiality of nonpublic personal information, as long as you entered into the
agreement on or before July 1, 2000.
§§ 248.19–248.29

[Reserved]

§ 248.30 Procedures to safeguard customer records and information; disposal of consumer report information.
(a) Every broker, dealer, and investment company, and every investment
adviser registered with the Commission
must adopt written policies and procedures that address administrative,
technical, and physical safeguards for
the protection of customer records and
information. These written policies and
procedures must be reasonably designed to:
(1) Insure the security and confidentiality of customer records and information;
(2) Protect against any anticipated
threats or hazards to the security or
integrity of customer records and information; and
(3) Protect against unauthorized access to or use of customer records or
information that could result in substantial harm or inconvenience to any
customer.
(b) Disposal of consumer report information and records—(1) Definitions (i)
Consumer report has the same meaning
as in section 603(d) of the Fair Credit
Reporting Act (15 U.S.C. 1681a(d)).

(ii) Consumer report information means
any record about an individual, whether in paper, electronic or other form,
that is a consumer report or is derived
from a consumer report. Consumer report information also means a compilation of such records. Consumer report
information does not include information that does not identify individuals,
such as aggregate information or blind
data.
(iii) Disposal means:
(A) The discarding or abandonment
of consumer report information; or
(B) The sale, donation, or transfer of
any medium, including computer
equipment, on which consumer report
information is stored.
(iv) Notice-registered broker-dealers
means a broker or dealer registered by
notice with the Commission under section 15(b)(11) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)).
(v) Transfer agent has the same meaning as in section 3(a)(25) of the Securities Exchange Act of 1934 (15 U.S.C.
78c(a)(25)).
(2) Proper disposal requirements—(i)
Standard. Every broker and dealer
other than notice-registered broker-dealers, every investment company,
and every investment adviser and
transfer agent registered with the
Commission, that maintains or otherwise possesses consumer report information for a business purpose must
properly dispose of the information by
taking reasonable measures to protect
against unauthorized access to or use
of the information in connection with
its disposal.
(ii) Relation to other laws. Nothing in
this section shall be construed:
(A) To require any broker, dealer, or
investment company, or any investment adviser or transfer agent registered with the Commission to maintain or destroy any record pertaining
to an individual that is not imposed
under other law; or
(B) To alter or affect any requirement imposed under any other provision of law to maintain or destroy any
of those records.
[65 FR 40362, June 29, 2000, as amended at 69
FR 71329, Dec. 8, 2004]


Pt. 248, App. A

17 CFR Ch. II (4–1–06 Edition)

APPENDIX A TO PART 248—SAMPLE
CLAUSES
Financial institutions, including a group of
financial holding company affiliates that use
a common privacy notice, may use the following sample clauses, if the clause is accurate for each institution that uses the notice. (Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may
give rise to obligations under the Fair Credit
Reporting Act, such as a requirement to permit a consumer to opt out of disclosures to
affiliates or designation as a consumer reporting agency if disclosures are made to
nonaffiliated third parties.)
A–1—CATEGORIES OF INFORMATION YOU
COLLECT (ALL INSTITUTIONS)
You may use this clause, as applicable, to
meet the requirement of § 248.6(a)(1) to describe the categories of nonpublic personal
information you collect.
Sample Clause A–1:
We collect nonpublic personal information
about you from the following sources:
• Information we receive from you on applications or other forms;
• Information about your transactions
with us, our affiliates, or others; and
• Information we receive from a consumer
reporting agency.
A–2—CATEGORIES OF INFORMATION YOU DISCLOSE (INSTITUTIONS THAT DISCLOSE OUTSIDE OF THE EXCEPTIONS)
You may use one of these clauses, as applicable, to meet the requirement of § 248.6(a)(2)
to describe the categories of nonpublic personal information you disclose. You may use
these clauses if you disclose nonpublic personal information other than as permitted
by the exceptions in §§ 248.13, 248.14, and
248.15.
Sample Clause A–2, Alternative 1:
We may disclose the following kinds of
nonpublic personal information about you:
• Information we receive from you on applications or other forms, such as [provide illustrative examples, such as ‘‘your name, address, social security number, assets, and income’’];
• Information about your transactions
with us, our affiliates, or others, such as
[provide illustrative examples, such as ‘‘your account balance, payment history, parties to
transactions, and credit card usage’’]; and
• Information we receive from a consumer
reporting agency, such as [provide illustrative
examples, such as ‘‘your creditworthiness and
credit history’’].
Sample Clause A–2, Alternative 2:
We may disclose all of the information
that we collect, as described [describe location
in the notice, such as ‘‘above’’ or ‘‘below’’].

A–3—CATEGORIES OF INFORMATION YOU DISCLOSE AND PARTIES TO WHOM YOU DISCLOSE
(INSTITUTIONS THAT DO NOT DISCLOSE OUTSIDE OF THE EXCEPTIONS)
You may use this clause, as applicable, to
meet the requirements of §§ 248.6(a)(2), (3),
and (4) to describe the categories of nonpublic personal information about customers
and former customers that you disclose and
the categories of affiliates and nonaffiliated
third parties to whom you disclose. You may
use this clause if you do not disclose nonpublic personal information to any party,
other than as permitted by the exceptions in
§§ 248.14 and 248.15.
Sample Clause A–3:
We do not disclose any nonpublic personal
information about our customers or former
customers to anyone, except as permitted by
law.
A–4—CATEGORIES OF PARTIES TO WHOM YOU
DISCLOSE (INSTITUTIONS THAT DISCLOSE
OUTSIDE OF THE EXCEPTIONS)
You may use this clause, as applicable, to
meet the requirement of § 248.6(a)(3) to describe the categories of affiliates and nonaffiliated third parties to whom you disclose
nonpublic personal information. You may
use this clause if you disclose nonpublic personal information other than as permitted
by the exceptions in §§ 248.13, 248.14, and
248.15, as well as when permitted by the exceptions in §§ 248.14 and 248.15.
Sample Clause A–4:
We may disclose nonpublic personal information about you to the following types of
third parties:
• Financial service providers, such as
[provide illustrative examples, such as ‘‘mortgage bankers, securities broker-dealers, and insurance agents’’];
• Non-financial companies, such as [provide
illustrative examples, such as ‘‘retailers, direct
marketers, airlines, and publishers’’]; and
• Others, such as [provide illustrative examples, such as ‘‘non-profit organizations’’].
We may also disclose nonpublic personal
information about you to nonaffiliated third
parties as permitted by law.
A–5—SERVICE PROVIDER/JOINT MARKETING
EXCEPTION
You may use one of these clauses, as applicable, to meet the requirements of
§ 248.6(a)(5) related to the exception for service providers and joint marketers in § 248.13.
If you disclose nonpublic personal information under this exception, you must describe
the categories of nonpublic personal information you disclose and the categories of
third parties with whom you have contracted.
Sample Clause A–5, Alternative 1:


We may disclose the following information
to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing
agreements:
• Information we receive from you on applications or other forms, such as [provide illustrative examples, such as ‘‘your name, address, social security number, assets, and income’’];
• Information about your transactions
with us, our affiliates, or others, such as
[provide illustrative examples, such as ‘‘your account balance, payment history, parties to
transactions, and credit card usage’’]; and
• Information we receive from a consumer
reporting agency, such as [provide illustrative
examples, such as ‘‘your creditworthiness and
credit history’’].
Sample Clause A–5, Alternative 2:
We may disclose all of the information we
collect, as described [describe location in the
notice, such as ‘‘above’’ or ‘‘below’’] to companies that perform marketing services on our
behalf or to other financial institutions with
whom we have joint marketing agreements.
A–6—EXPLANATION OF OPT OUT RIGHT (INSTITUTIONS THAT DISCLOSE OUTSIDE OF THE EXCEPTIONS)
You may use this clause, as applicable, to
meet the requirement of § 248.6(a)(6) to provide an explanation of the consumer’s right
to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the
consumer may exercise that right. You may
use this clause if you disclose nonpublic personal information other than as permitted
by the exceptions in §§ 248.13, 248.14, and
248.15.
Sample Clause A–6:
If you prefer that we not disclose nonpublic personal information about you to
nonaffiliated third parties, you may opt out
of those disclosures, that is, you may direct
us not to make those disclosures (other than
disclosures permitted by law). If you wish to
opt out of disclosures to nonaffiliated third
parties, you may [describe a reasonable means
of opting out, such as ‘‘call the following toll-free number: (insert number)’’].
A–7—CONFIDENTIALITY AND SECURITY (ALL
INSTITUTIONS)
You may use this clause, as applicable, to
meet the requirement of § 248.6(a)(8) to describe your policies and practices with respect to protecting the confidentiality and
security of nonpublic personal information.
Sample Clause A–7:
We restrict access to nonpublic personal
information about you to [provide an appropriate description, such as ‘‘those employees
who need to know that information to provide
products or services to you’’]. We maintain
physical, electronic, and procedural safeguards that comply with federal standards to
guard your nonpublic personal information.

PART 249—FORMS, SECURITIES
EXCHANGE ACT OF 1934
Sec.
249.0–1 Availability of forms.

Subpart A—Forms for Registration or Exemption of, and Notification of Action
Taken by, National Securities Exchanges
249.1 Form 1, for application for, and
amendments to applications for, registration as a national securities exchange or exemption from registration
pursuant to Section 5 of the Exchange
Act.
249.10 Form 1–N for notice registration as a
national securities exchange.
249.11 Form R31 for reporting covered sales
and covered round turn transactions
under section 31 of the Act.
249.25 Form 25, for notification of removal
from listing and/or registration.
249.26 Form 26, for notification of the admission to trading of a substituted or additional class of security under Rule 12a–5
(§ 240.12a–5 of this chapter).

Subpart B—Forms for Reports To Be Filed
by Officers, Directors, and Security Holders
249.103 Form 3, initial statement of beneficial ownership of securities.
249.104 Form 4, statement of changes in beneficial ownership of securities.
249.105 Form 5, annual statement of beneficial ownership of securities.

Subpart C—Forms for Applications for Registration of Securities on National Securities Exchanges and Similar Matters
249.208 [Reserved]
249.208a Form 8–A, for registration of certain classes of securities pursuant to section 12(b) or (g) of the Securities Exchange Act of 1934.
249.208b–249.208c [Reserved]
249.210 Form 10 and Form 10–SB, general
form for registration of securities pursuant to section 12 (b) or (g) of the Securities Exchange Act of 1934.
249.210b Form 10–SB, optional form for the
registration of securities of a small business issuer.
249.218 Form 18, for foreign governments
and political subdivisions thereof.
249.220f Form 20–F, registration of securities of foreign private issuers pursuant to
section 12(b) or (g), annual and transition
reports pursuant to sections 13 and 15(d),
and shell company reports required


File Type: application/pdf
File Title: Document
Subject: Extracted Pages
Author: U.S. Government Printing Office
File Modified: 2006-05-17
File Created: 2006-05-17
