Supporting Statement for Reg P

Privacy of Consumer Financial Information, Regulation P, 12 CFR Part 1016

OMB: 3133-0163

SUPPORTING STATEMENT
For the Privacy of Consumer Financial Information
Recordkeeping and Disclosure Requirements
Under the Gramm-Leach-Bliley Act and Regulation P, 12 CFR 1016
(OMB Control No. 3133-0163)
______________________________________________________________________
A. JUSTIFICATION
1. Necessity of Information Collection
Title V, Subtitle A of the Gramm-Leach-Bliley Act (Act), Public Law No. 106-102, governs the
treatment of nonpublic personal information about consumers by financial institutions. Section
502 of the Act, subject to certain exceptions, prohibits a financial institution from disclosing
nonpublic personal information about a consumer to nonaffiliated third parties, unless the
institution satisfies various notice and opt out requirements, and provided the consumer has not
elected to opt out of the disclosure. Section 503 of the Act requires a financial institution to
provide notice of its privacy policies and practices to its customers. Section 504 of the Act
originally granted rulemaking authority for the privacy provisions of the Act to be shared by eight
Federal agencies: the Board of Governors of the Federal Reserve System (FRB), the Federal
Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the
Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA), the
Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and the
Commodity Futures Trading Commission (CFTC). Each of the agencies issued rules (which
were consistent and comparable) to implement the Act’s privacy provisions.
The Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA) amended a number of
consumer financial protection laws, including the Act. Among other changes, the DFA
transferred rulemaking authority for most of Subtitle A of Title V of the Act, with respect to
financial institutions described in section 504(a)(1)(A) of the Act, from FRB, FDIC, OCC, OTS,
and NCUA to the Consumer Financial Protection Bureau (CFPB). Pursuant to the DFA and the
Act, as amended, the CFPB promulgated Regulation P, 12 CFR 1016, to implement those
privacy provisions of the Act for which CFPB has rulemaking authority.
Regulation P implements the requirements of the Act to provide consumers with financial
institutions’ privacy policies and practices, describes when the consumer’s information
may be shared with nonaffiliated third parties, and provides a method for consumers to prevent
disclosure of their information to nonaffiliated third parties by opting out of that disclosure.
Regulation P details the specifics of how the Act should be implemented, which companies and
situations this applies to, and the method of delivering the information to consumers.
Regulation P includes model forms that can be used to comply with the disclosure requirements
of the Act and Regulation P, although the use of the model forms is not required. See Appendix
to Regulation P.

This information collection is necessary to provide credit union customers with the information
they need to understand and opt out of policies governing the sharing of consumer financial
information with nonaffiliated third parties. This information allows consumers to take an active
role in protecting their financial information if they so choose.
2. Purpose and Use of the Information Collection
Subpart A of Regulation P prescribes the required disclosures for privacy and opt-out notices.
The opt-out provisions of Regulation P enable consumers to prevent a financial institution from
disclosing nonpublic personal information to third parties that are not affiliated with the financial
institution. The provisions do not restrict the disclosure of nonpublic personal information
among affiliated companies nor do they restrict the disclosure of information about businesses or
corporations.
Privacy and Opt-Out Notices (Subpart A): Regulation P imposes three disclosure requirements
on financial institutions: initial privacy notice, annual privacy notice, and revised privacy notice.
Each of these notices may have to include an opt-out notice, depending upon the information
sharing practices of the financial institution. In addition, Regulation P imposes two reporting
requirements on consumers: an initial notification that the consumer elects to opt out (if the
consumer so chooses), and a notification to the financial institutions during the course of the
relationship if the consumer elects to change his or her opt-out status.
Financial Institutions’ Disclosure Requirements:
Initial Privacy Notice to Consumers (12 CFR 1016.4): A financial institution’s notice
must be clear and conspicuous and must accurately reflect its privacy policies and
practices. A financial institution is not required to provide an initial notice to a consumer
if it does not have a customer relationship with the consumer and it does not disclose any
nonpublic personal information about the consumer to any nonaffiliated third party, other
than as authorized by Regulation P.
Annual Privacy Notice to Customers (12 CFR 1016.5): Financial institutions must
provide to customers a clear and conspicuous notice that accurately reflects an
institution’s privacy policies and practices not less than once in a twelve-month period
during the continuation of the customer relationship.
Information to be included in privacy notices (12 CFR 1016.6): The initial notice and
annual notice each must include all of the following items of information:
• The categories of nonpublic personal information about the consumers that the
  financial institution collects;
• The categories of nonpublic personal information about the consumers that the
  financial institution discloses;
• The categories of affiliates and nonaffiliated third parties to whom the financial
  institution discloses nonpublic personal information about the consumers, other
  than those parties excepted under Regulation P;
• The categories of nonpublic personal information about former consumers that the
  financial institution discloses and the categories of affiliates and nonaffiliated
  third parties to whom the financial institution discloses nonpublic personal
  information about former consumers, other than those parties excepted under
  Regulation P;
• If a financial institution discloses nonpublic personal information to service
  providers or joint marketers, a description of the categories of information the
  institution discloses and the categories of third parties with whom the institution
  has contracted;
• An explanation of the consumer’s right to opt out of the disclosure of nonpublic
  personal information to nonaffiliated third parties, including the methods by
  which the consumer may exercise that right;
• Any disclosures regarding the ability to opt out of disclosures of information
  among affiliates;
• The financial institution’s policies and practices with respect to protecting the
  confidentiality and security of nonpublic personal information; and
• A description of nonaffiliated third parties subject to exceptions under Regulation
  P.

Revised Privacy Notice (12 CFR 1016.8): Certain changes to a financial institution’s
privacy policies or practices trigger a requirement to provide consumers with a revised
notice that accurately describes the institution’s current policies and practices. After a
financial institution has made certain changes to its disclosure practices, it may not
directly or through affiliates disclose nonpublic personal information about a consumer
other than as described in the initial notice unless it provides the consumer with: (1) a
new notice that accurately describes the policies and practices; (2) a new opt out notice;
and (3) a reasonable opportunity to opt out.
Notice of Right to Opt Out (12 CFR 1016.9): Depending on the financial institution’s
information-sharing practices, the financial institution must provide an opt-out notice to a
customer or to a consumer. An opt-out notice may also be required when the financial
institution issues a revised privacy notice.
Consumers’ Reporting Requirements:
Consumer’s Notice of Right to Opt Out (12 CFR 1016.10(a)(2) and 1016.10(c)):
Consumers must take affirmative actions to exercise their rights to prevent financial
institutions from sharing their information with nonaffiliated parties:
• Opt Out – Consumers may direct that the credit union may not disclose nonpublic
  personal information about them to a nonaffiliated third party, other than
  permitted by 12 CFR 1016.13-1016.15.
• Partial Opt Out – Consumers also may exercise partial opt out rights by selecting
  certain nonpublic personal information or certain nonaffiliated third parties with
  respect to which the consumer wishes to opt out.

The consumer must be given a reasonable opportunity to opt out before information may
be shared with a non-affiliated third party outside of the permitted exceptions.
Consumer’s Continuing Right to Opt Out (12 CFR 1016.7(h) and 1016.7(i)): Consumers
may exercise the right to opt out at any time. A consumer’s direction to opt out is
effective until the consumer revokes it in writing or, if the consumer agrees,
electronically. When a customer relationship terminates, the customer’s opt out direction
continues to apply.
Consumers use the privacy notice information to determine whether they want personal
information disclosed to third parties that are not affiliated with the credit union. Further,
consumers use the opt-out notice mechanism to advise the credit union of their wishes regarding
disclosure of their personal information. Credit unions use the opt-out information to determine
the wishes of their consumers and to act appropriately.
3. Consideration Given to Information Technology
The collections are disclosures, filings from consumers, and internal credit union records. Credit
unions are not prohibited from using any technology that facilitates consumer understanding and
response and that permits review, as appropriate, by examiners.
Further, in 2014, CFPB issued a rule at 79 FR 64057, to allow financial institutions to use an
alternative delivery method to provide annual privacy notices through posting the annual notices
on their websites if they meet certain conditions. Use of the alternative delivery method should
also minimize the burden of this collection.
4. Duplication
These collections of information are unique and cover the credit union’s particular
circumstances. No duplication exists.
5. Effect on Small Entities
The information collection requirements do not impose any significant burden beyond that
required by the Act. In addition, section 728 of the “Financial Services Regulatory Relief Act of
2006” (Pub. L. No. 109-351) provides for the development of a model form for the disclosures.
Regulation P includes model forms that can be used to comply with the disclosure requirements
of the Act and Regulation P. Although the use of the model forms is not required, the use of the
model form should minimize the burden of this collection.[1] See Appendix to Regulation P.

[1] The model form was published in 2009 at 74 FR 62889.

6. Consequences of Not Conducting Collection
The information collection requirements closely follow the Act, which requires financial
institutions to provide an annual notice of their privacy policies and procedures to their
customers, and to permit customers to opt out of disclosure of their personal information. There
is no flexibility under the Act to collect the information less frequently.
7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)
There are no special circumstances. This information collection is consistent with the guidelines
in 5 CFR 1320.5(d)(2).
8. Consultations Outside the Agency
The required Federal Register notice with a 60-day comment period soliciting comments on this
collection of information was published on [DATE] at [CITATION]. No public
comments were received.
9. Payment or Gift
There is no intent by NCUA to provide payment or gifts for information collected.
10. Confidentiality
This is a third-party disclosure requirement. Credit unions will not provide to NCUA the
information in the required disclosures.
11. Sensitive Questions
No questions of a sensitive nature are asked. The information collection does not collect any
Personally Identifiable Information (PII).
12. Burden of Information Collection
The annual burden for federally insured credit unions is estimated to be 101,104 hours for the
5,954 federally insured credit unions, based on NCUA Call Report ending on Q1 2016, that are
deemed to be respondents for purposes of PRA. The burden for consumers is estimated to be
285,000 hours. These estimated burdens arise exclusively from the regulation and are shown in
the table above. Total burden hours associated with this information collection is 386,104.

Federally Insured Credit Union Burden

Privacy, 12 CFR Part 1016:
Initial privacy notice to consumers (1016.4)
Annual privacy notice to consumers (1016.5)
Revised privacy notice to consumers (1016.8)
Opt out notice to consumers (1016.7, 1016.9)
Total

Estimated Number   Annual      Estimated Average    Estimated Annual
of Respondents     Frequency   Hours per Response   Burden Hours
73                 1           80                   5,840
5,954              1           8                    47,632
5,954              1           8                    47,632
                                                    101,104

Consumer Burden

                                     Estimated Number   Annual      Estimated Average    Estimated Annual
                                     of Respondents     Frequency   Hours per Response   Burden Hours
Consumers' rights to opt out         1,140,000          1           0.25                 285,000
(1016.10(a), (c); 1016.7(h), (i))
Total                                                                                    285,000

The annual cost for the 5,954 federally insured credit union respondents is estimated to be
$2,022,080 (at $20 hourly cost) and is shown in the table below; the annual cost to consumers is
estimated to be $6,840,000 (at $24 hourly cost) and is shown in the table below. Total annual
cost associated with this information collection is $8,862,080.
Cost to Federally Insured Credit Unions

Information Collection Activity:
Initial privacy notice to consumers
Annual privacy notice to customers
Revised privacy notices
Opt out notice to consumers
Total

Annual Hourly   Hourly $ Rate   Total $
Burden          per Response    Amount
5,840           20              $116,800
47,632          20              $952,640
47,632          20              $952,640
                                $2,022,080

Cost to Consumers

                               Annual Hourly   Hourly $ Rate   Total $
                               Burden          per Response    Amount
Consumers' rights to opt out   285,000         24              $6,840,000
Total                                                          $8,862,080

13. Costs to Respondents
All equipment needed to prepare and disclose this information is equipment used for the
customary and usual business of the credit union. No special or additional equipment is needed;
therefore, there is no additional cost.
14. Costs to Federal Government
There are no costs to the Federal Government.
15. Changes in Burden
This adjustment from the previously approved collection is due to three factors. First, there has
been a reduction in the number of credit unions since the initial collection was approved.
Second, the program has matured such that most respondents have developed their initial privacy
policies and only a small number of respondents will need to develop initial privacy notifications.
Third, this adjustment includes the burden to consumers associated with exercising their opt out
rights to prevent financial institutions from sharing their information with nonaffiliated parties.
16. Information Collection Planned for Statistical Purposes
Not applicable. The information collection is not used for statistical purposes.
17. Approval to Omit OMB Expiration Date
The OMB control number and expiration date associated with this PRA submission will be
displayed on the Federal government’s electronic PRA docket at www.reginfo.gov, as well as in
the Federal Register notice of the submission.
18. Exceptions to Certification for Paperwork Reduction Act Submissions
This collection complies with the requirements in 5 CFR 1320.9.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
This collection does not involve statistical methods.

File Type: application/pdf
File Title: Supporting Statement for Paperwork Reduction Act Submission
Author: NCUA
File Modified: 2016-09-07
File Created: 2016-09-07
