3170-0010 GLB (P) 2018 renewal-30-day FRN

30-day Federal Register Notice Version
BUREAU OF CONSUMER FINANCIAL PROTECTION
PAPERWORK REDUCTION ACT SUBMISSION
INFORMATION COLLECTION REQUEST
SUPPORTING STATEMENT PART A
GRAMM-LEACH-BLILEY ACT
(REGULATION P) 12 CFR 1016
(OMB CONTROL NUMBER: 3170-0010)
OMB TERMS OF CLEARANCE:
Not applicable. The Office of Management and Budget (OMB) did not provide Terms of
Clearance when approved this information collection on September 22, 2015.
ABSTRACT:
Section 502 of the Gramm-Leach-Bliley Act (GLBA) (Pub. L. 106-102) generally
prohibits a financial institution from sharing nonpublic personal information about a consumer
with nonaffiliated third parties unless the institution satisfies various disclosure requirements
(including provision of initial privacy notices, annual notices, notices of revisions to the
institution's privacy policy, and opt-out notices) and the consumer has not elected to opt out of
the information sharing. The Bureau of Consumer Financial Protection (Bureau) promulgated
regulation P 12 CFR 1016 to implement the GLB Act's notice requirements and restrictions on a
financial institution's ability to disclose nonpublic personal information about consumers to
nonaffiliated third parties.
JUSTIFICATION
1. Circumstances Necessitating the Data Collection
Regulation P implements the requirements of GLBA to provide consumers with financial
institutions’ privacy policies and practices, as well as describing when the consumer’s
information may be shared with nonaffiliated third parties, and provides a method for consumers
to prevent disclosure of their information to non-affiliated third parties by “opting out” of that
disclosure. Regulation P details the specifics of how GLBA should be implemented, which
companies and situations this applies to, and the method of delivering the information to
consumers.
Regulation P includes model forms that can be used to comply with the disclosure
requirements of the GLBA and Regulation P, although use of the model forms is not required.
See Appendix to Regulation P.

2. Use of the Information
Consumers use the privacy notice to determine whether they want personal information
disclosed to third parties that are not affiliated with the institution. Further, consumers use the
opt-out notice mechanism to advise the institution of their wishes regarding disclosure of their
personal information. Institutions use the opt-out information to determine the wishes of their
consumers and to act in accordance with their customers’ instructions.
The Bureau, the Federal Trade Commission (FTC), and the Prudential Regulators all
enforce against the requirements of Regulation P to ensure privacy notices are being mailed out
and that consumers’ preferences are being followed with respect to opting out of informationsharing.
3. Use of Information Technology
The information collections are disclosures, filings from consumers, and internal
institution records. Institutions are not prohibited from using any technology that facilitates
consumer understanding and response, and that permits review, as appropriate, by examiners.
4. Efforts to Identify Duplication
The collections of information are unique and cover the institution’s particular
circumstances. No duplication exists with any other federal information collection or program.
5. Efforts to Minimize Burdens on Small Entities
The information collection requirements of the regulation do not impose any significant
burden beyond that required by statute. In addition, as directed by section 728 of the “Financial
Services Regulatory Relief Act of 2006” (Pub. L. No. 109-351), section 1016.2 and Appendix A
provide a model form for the disclosures, which may be used at the option of the financial
institution. Use of the model form should minimize the burden of this collection. Further, in
2014, the Bureau issued a rule Published October 28, 2014 at 79 FR 64057, to allow financial
institutions to use an alternative delivery method to provide annual privacy notices through
posting the annual notices on their Web sites if they meet certain conditions. Use of the
alternative delivery method should also minimize the burden of this collection.
6. Consequences of Less Frequent Collection and Obstacles to Burden Reduction
The information collection requirements closely follow the GLB Act, which requires
institutions to provide an annual notice of their privacy policies and practices to their customers,
and to permit customers to opt-out of the disclosure of their personal information. There is no
flexibility under the GLB Act to collect the information less frequently.

Page 2 of 6

7. Circumstances Requiring Special Information Collection
Not applicable. The collections of information in Regulation P are consistent with the
applicable guidelines contained in 5 CFR 1320.5(d)(2).
8. Consultation Outside the Agency
In accordance with 5 CFR §1320.8(d)(1), the Bureau has published a notice in the
Federal Register allowing the public 60 days to comment on the proposed extension (renewal) of
this currently approved collection of information. No comments were received in response to that
notice. Additionally, in accordance with 5 CFR §1320.5(a)(1)(iv) the Bureau also published a
notice in the Federal Register allowing the public 30 days to comment on the submission of this
information collection request to the Office of Management and Budget.
9. Payments or Gifts to Respondents
No payments or gifts are provided to respondents.
10. Assurances of Confidentiality
The recordkeeping and written disclosure requirements contain private information about
consumers who opt out of disclosure of their information to third-parties. Such information is
protected by the Right to Financial Privacy Act, 12 U.S.C. 3401 et seq. Such records may also
constitute confidential customer lists. However, there is no part of the rule that mandates
information collection by the Bureau.
To the extent that information covered by a requirement of Regulation P is collected by
the Bureau for law enforcement purposes, the confidentiality provisions of the Bureau’s rules on
Disclosure of Records and Information, 12 CFR Part 1070, would apply.
11. Justification for Sensitive Questions
Regulation P requires institutions to ascertain whether consumers want to opt out of
third-party information sharing, which can constitute a collection of sensitive information. This
requirement is necessary to ensure consumers are given an option about what is done with their
personal financial information, and is used for consumers’ protection and privacy.

12. Estimated Burden of Information Collection

Page 3 of 6

Exhibit 1: Burden Hour Summary
All Bureau Respondents (DI and Non-DI)
Information
Collection
Requirement
Initial Notice
§1016.4(a)
Annual and
Revised Notices
and Opt-Out
Notice
§1016.5(d),
§1016.7,
§1016.8
Consumer OptOut Notice
§1016.7

No. of
Respondents
29,544

Annual
Burden
Hours

Annual
Responses

.07125

2,105

14.50

30,523

1,055

15,298

1

29,544

5.293

156,376

14,844

104,264

1

433,216

0.25

108,304

433,216

108,304

.0142

420

10.00

4,200

210

2,100

.07

2,100

3.00

6,300

1,050

3,150

.071

2,100

20.00

42,000

1,050

21,000

.995

29,400

4.00

117,600

14,700

58,800

\\\\\\\\\\\\\\

498,885

\\\\\\\\\\\

465,303

466,125

312,916

Institutions

29,544

433,216

Individuals

Institutions
29,544

Creating
Disclosure
Documents

29,544

Reviewing
Internal GLBA
Policies (Initial)

29,544

Totals:

Average
Response
Time

Frequency

Institutions

Changes to
Privacy Policies
and Disclosures
(Ongoing)
§1016.8

Reviewing
Internal GLBA
Policies
(Ongoing)

Type of
Respondent

Bureau Portion of
Burden
Annual
Annual
Burden
Responses
Hours

Institutions
Institutions

Institutions
29,544
462,760*

\\\\\\\\\\\\\\

* The total estimated number of respondents is 29,544 institutions plus 433,216 individuals.

For Paperwork Reduction Act (PRA) burden calculation purposes, the Bureau
assumes all burden for depository institutions with more than $10 billion in assets as well as
their affiliates, for which Bureau has primary enforcement authority with respect to
regulation P. In addition, the Bureau and Federal Trade Commission (FTC) share
enforcement authority for those non-depository institutions subject to the Bureau’s
regulation P.
Associated Labor Costs: $12,788,877
The Bureau used an overall hourly average wage of $40.87 for the burden associated with
these information collections, which multiplied by the Bureau burden hours amounts to
Page 4 of 6

$14,046,529 in labor costs. Specifically, the Bureau estimates on average each hour requires
20% administration at $18.21/hour, 45% management at $39.64/hour, 20% senior management
at $50.34/hour, and 15% legal at $57.33/hour. 1
13. Estimated Total Annual Cost Burden to Respondents or Recordkeepers
There are no additional materials costs for this regulation.
14. Estimated Cost to the Federal Government
As the Bureau does not collect any information, there are no additional costs to the
Federal Government.
15. Program Changes or Adjustments
Exhibit 2: Summary of Burden Changes table
Total Requested
Current OMB Inventory

Total
Annual Responses Burden Hours
Respondents
462,760
466,125
312,916
29,554
466,125
366,134

Cost
Burden
$0
$0

Difference (+/-)
Program Change

+433,216
0

0
0

-53,218
-53,218

$0

Discretionary

0

0

0

$0

Due to New Statute

0

0

-53,218

$0

0

0

$0

0

0

$0

Violation
Adjustment

+433,216

$0

The Burden changes reflected above are as a result of a final rule published August 17th
2018 in which the Bureau published a final rule (83 FR 40945) making changes to regulation P
in order to conform with legislative changes to the GLBA. The final rule implements a
December 2015 statutory amendment to the GLBA providing an exception to this annual notice
requirement for financial institutions that meet certain conditions. The Bureau believes that this
amendment results in reduced burden under Regulation P.
The change in total respondents is due to the Bureau correcting an earlier clerical error in its
previous filing by accounting for the number of individuals who respond to the opt-out notice.
The total number of respondents has not changed; it is just now being accurately accounted.

1

See respectively http://www.bls.gov/ooh/office-and-administrative-support/secretaries-and-administrativeassistants.htm, http://www.bls.gov/ooh/business-and-financial/management-analysts.htm,
http://www.bls.gov/ooh/management/top-executives.htm, http://www.bls.gov/ooh/legal/lawyers.htm.

Page 5 of 6

16. Plans for Tabulation, Statistical Analysis, and Publication
There are no plans to provide any publications based on the information collection of this
regulation.
17. Display of Expiration Date
The OMB control number and expiration date associated with this PRA submission will
be displayed on the Federal government’s electronic PRA docket at www.reginfo.gov, as well as
in the Federal Register Notice of the submission. Inasmuch as all forms associated with this
collection are model forms and therefore their use is voluntary, the display of the OMB control
number would not be appropriate on them.
18. Exceptions to the Certification Requirement
The Bureau certifies that this collection of information is consistent with the requirements
of 5 CFR 1320.9, and the related provisions of 5 CFR 1320.8(b)(3) and is not seeking an
exemption to these certification requirements.
###

Page 6 of 6