FINAL_3133-0163_Supporting Statement_012720

FINAL_3133-0163_Supporting Statement_012720.docx

Privacy of Consumer Financial Information, Regulation P, 12 CFR Part 1016

OMB: 3133-0163


National Credit Union Administration

SUPPORTING STATEMENT


Privacy of Consumer Financial Information

Recordkeeping and Disclosure Requirements

Under the Gramm-Leach-Bliley Act and Regulation P, 12 CFR 1016


OMB Control No. 3133-0163

______________________________________________________________________


Summary of Action:


The National Credit Union Administration (NCUA) is requesting approval from the Office of Management and Budget (OMB) for renewal of an information collection associated with recordkeeping and disclosure requirements under the Gramm-Leach-Bliley Act (Act), Public Law No. 106-102, and Regulation P.


A. JUSTIFICATION


1. Circumstances that make the collection of information necessary:


Title V, Subtitle A of the Act governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Act, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless the institution satisfies various notice and opt out requirements, and provided the consumer has not elected to opt out of the disclosure. Section 503 of the Act requires a financial institution to provide notice of its privacy policies and practices to its customers. Section 504 of the Act originally granted rulemaking authority for the privacy provisions of the Act to be shared by eight Federal agencies: the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA), the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC). Each of the agencies issued rules (which were consistent and comparable) to implement the Act’s privacy provisions.


The Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA) amended a number of consumer financial protection laws, including the Act. Among other changes, the DFA transferred rulemaking authority for most of Subtitle A of Title V of the Act, with respect to financial institutions described in section 504(a)(1)(A) of the Act, from FRB, FDIC, OCC, OTS, and NCUA to the Consumer Financial Protection Bureau (CFPB). Pursuant to the DFA and the Act, as amended, the CFPB promulgated Regulation P, 12 CFR 1016, to implement those privacy provisions of the Act for which CFPB has rulemaking authority.


Regulation P implements the requirements of the Act to provide consumers with financial institutions’ privacy policies and practices, describes when the consumer’s information may be shared with nonaffiliated third parties, and provides a method for consumers to prevent disclosure of their information to nonaffiliated third parties by opting out of that disclosure. Regulation P details the specifics of how the Act should be implemented, which companies and situations it applies to, and the method of delivering the information to consumers.


Regulation P includes model forms that can be used to comply with the disclosure requirements of the Act and Regulation P, although the use of the model forms is not required. See Appendix to Regulation P.


This information collection is necessary to provide credit union customers with the information they need to understand and opt out of policies governing the sharing of consumer financial information with nonaffiliated third parties. This information allows consumers to take an active role in protecting their financial information if they so choose.


2. Purpose and use of the information collected:


Subpart A of Regulation P prescribes the required disclosures for privacy and opt-out notices. The opt-out provisions of Regulation P enable consumers to prevent a financial institution from disclosing nonpublic personal information to third parties not affiliated with the financial institution. The provisions do not restrict the disclosure of nonpublic personal information among affiliated companies nor do they restrict the disclosure of information about businesses or corporations.


Privacy and Opt-Out Notices (Subpart A): Regulation P imposes three disclosure requirements on financial institutions: initial privacy notice, annual privacy notice, and revised privacy notice. Each of these notices may have to include an opt-out notice, depending upon the information sharing practices of the financial institution. In addition, Regulation P imposes two reporting requirements on consumers: an initial notification that the consumer elects to opt out (if the consumer so chooses), and a notification to the financial institutions during the course of the relationship if the consumer elects to change his or her opt-out status.


Financial Institutions’ Disclosure Requirements:


Initial Privacy Notice to Consumers (12 CFR 1016.4): A financial institution’s notice must be clear and conspicuous and must accurately reflect its privacy policies and practices. A financial institution is not required to provide an initial notice to a consumer if it does not have a customer relationship with the consumer and it does not disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized by Regulation P.


Annual Privacy Notice to Customers (12 CFR 1016.5): Financial institutions must provide to customers a clear and conspicuous notice that accurately reflects an institution’s privacy policies and practices not less than once in a twelve-month period during the continuation of the customer relationship.


Exception to Annual Privacy Notice Requirement (12 CFR 1016.5(e)): On December 4, 2015, Congress amended the Act as part of the Fixing America’s Surface Transportation Act, Public Law 114-94 (FAST Act). This amendment, titled “Eliminate Privacy Notice Confusion,” added a new subsection 503(f) to the Act. This subsection provides an exception under which financial institutions, including federally-insured credit unions that meet certain conditions, are not required to provide annual privacy notices to customers. To qualify for the exception, section 503(f)(1) prohibits a financial institution from sharing nonpublic personal information about customers, except as described in certain statutory exceptions. (Sharing, as described in these specified statutory exceptions, does not trigger the customer’s statutory right to opt out of the financial institution’s sharing.) In addition, section 503(f)(2) requires that the financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from those that the institution disclosed in the most recent privacy notice it sent.


Section 503(f) took effect upon enactment in December 2015. The CFPB issued a final rule amending Regulation P to reflect the changes in the underlying law, published in the Federal Register on August 17, 2018 (83 FR 40945).


Information to be included in privacy notices (12 CFR 1016.6): The initial notice and annual notice each must include all of the following items of information:


  • The categories of nonpublic personal information about the consumers that the financial institution collects;

  • The categories of nonpublic personal information about the consumers that the financial institution discloses;

  • The categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information about the consumers, other than those parties excepted under Regulation P;

  • The categories of nonpublic personal information about former consumers that the financial institution discloses and the categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information about former consumers, other than those parties excepted under Regulation P;

  • If a financial institution discloses nonpublic personal information to service providers or joint marketers, a description of the categories of information the institution discloses and the categories of third parties with whom the institution has contracted;

  • An explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the methods by which the consumer may exercise that right;

  • Any disclosures regarding the ability to opt out of disclosures of information among affiliates;

  • The financial institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and

  • A description of nonaffiliated third parties subject to exceptions under Regulation P.


Revised Privacy Notice (12 CFR 1016.8): Certain changes to a financial institution’s privacy policies or practices trigger a requirement to provide consumers with a revised notice that accurately describes the institution’s current policies and practices. After a financial institution has made certain changes to its disclosure practices, it may not directly or through affiliates disclose nonpublic personal information about a consumer other than as described in the initial notice unless it provides the consumer with: (1) a new notice that accurately describes the policies and practices; (2) a new opt out notice; and (3) a reasonable opportunity to opt out.


Notice of Right to Opt Out (12 CFR 1016.9): Depending on the financial institution’s information-sharing practices, the financial institution must provide an opt-out notice to a customer or to a consumer. An opt-out notice may also be required when the financial institution issues a revised privacy notice.


Consumers’ Reporting Requirements:


Consumer’s Notice of Right to Opt Out (12 CFR 1016.10(a)(2) and 1016.10(c)): Consumers must take affirmative actions to exercise their rights to prevent financial institutions from sharing their information with nonaffiliated parties:


  • Opt Out – Consumers may direct that the credit union may not disclose nonpublic personal information about them to a nonaffiliated third party, other than as permitted by 12 CFR 1016.13-1016.15.

  • Partial Opt Out – Consumers also may exercise partial opt out rights by selecting certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.


The consumer must be given a reasonable opportunity to opt out before information may be shared with a non-affiliated third party outside of the permitted exceptions.


Consumer’s Continuing Right to Opt Out (12 CFR 1016.7(h) and 1016.7(i)): Consumers may exercise the right to opt out at any time. A consumer’s direction to opt out is effective until the consumer revokes it in writing or, if the consumer agrees, electronically. When a customer relationship terminates, the customer’s opt out direction continues to apply.


Consumers use the privacy notice information to determine whether they want personal information disclosed to third parties that are not affiliated with the credit union. Further, consumers use the opt-out notice mechanism to advise the credit union of their wishes regarding disclosure of their personal information. Credit unions use the opt-out information to determine the wishes of their consumers and to act appropriately.


3. Use of information technology:


The collections are disclosures, filings from consumers, and internal credit union records. The FCU Act does not prescribe any particular form for this information collection. Therefore, federally-insured credit unions are not prohibited from using any technology that facilitates consumer understanding and response and that permits review, as appropriate, by examiners.


4. Duplication of information:


These collections of information are unique and cover the credit union’s particular circumstances. No duplication exists.


5. Efforts to reduce burden on small entities:


The information collection requirements do not impose any significant burden beyond that required by the Act. In addition, section 728 of the “Financial Services Regulatory Relief Act of 2006” (Pub. L. No. 109-351) provides for the development of a model form for the disclosures. Regulation P includes model forms that can be used to comply with the disclosure requirements of the Act and Regulation P. Although the use of the model forms is not required, the use of the model form should minimize the burden of this collection.[1] See Appendix to Regulation P.


6. Consequences of not conducting the collection:


The information collection requirements closely follow the Act, which requires financial institutions to provide an annual notice of their privacy policies and procedures to their customers, and to permit customers to opt out of disclosure of their personal information. There is no flexibility under the Act to collect the information less frequently.


7. Inconsistencies with guidelines in 5 CFR 1320.5(d)(2):


There are no special circumstances. This information collection is consistent with the guidelines in 5 CFR 1320.5(d)(2).


8. Efforts to consult with persons outside the agency:


A 60-day notice was published in the Federal Register on November 14, 2019, at 84 FR 61941. No public comments were received.


9. Payment or gifts to respondents:


There is no intent by NCUA to provide payment or gifts for information collected.


10. Assurance of confidentiality:


There is no assurance of confidentiality other than that provided by law.

11. Questions of a sensitive nature:


No questions of a sensitive nature are asked. The information collection does not collect any Personally Identifiable Information.


12. Burden of information collection:


The annual burden for federally insured credit unions is estimated to be 43,124 hours for the 5,308 federally insured credit unions, based on the NCUA Call Report ending on Q2 2019, that are deemed to be respondents for purposes of PRA. The burden for consumers is estimated to be 340,000 hours. These estimated burdens arise exclusively from the regulation and are shown in the table below. The total burden associated with this information collection is 383,124 hours.



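Federally Insured Credit Union Burden

| Privacy 12 CFR Part 1016 | Number of Respondents | Estimated Annual Frequency | Estimated Average Hours per Response | Estimated Annual Burden Hours |
|---|---|---|---|---|
| Initial privacy notice to consumers (1016.4) | 11 | 1 | 60 | 660 |
| Annual privacy notice to consumers (1016.5) | | | | |
| Revised privacy notice to consumers (1016.8) | 2,654 | 1 | 8 | 21,232 |
| Opt out notice to consumers (1016.7, 1016.9) | 2,654 | 1 | 8 | 21,232 |
| Total | | | | 43,124 |

Consumer Burden

| Privacy 12 CFR Part 1016 | Number of Respondents | Estimated Annual Frequency | Estimated Average Hours per Response | Estimated Annual Burden Hours |
|---|---|---|---|---|
| Consumers' rights to opt out (1016.10(a), (c); 1016.7(h), (i)) | 1,360,000 | 1 | 0.25 | 340,000 |
| Total | | | | 383,124 |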


The annual cost for the credit union respondents is estimated to be $1,509,340 (at $35 hourly cost); the annual cost to consumers is estimated to be $12,478,000 (at $36.70 hourly cost). Total annual cost associated with this information collection is $13,987,340.


13. Capital start-up or on-going maintenance costs:


Other than the costs to respondents that are associated with the usual and customary business practice, there are no capital, start-up or operating and maintenance costs associated with this information collection.


14. Annualized costs to Federal government:


There are no costs to the Federal government.


15. Changes in burden:


Adjustments to the burden are due to a change in the NCUA’s estimate of respondents. First, the number of regulated entities has decreased. Second, the 73 respondents should have provided a clear and conspicuous notice to customers and consumers that accurately reflects their privacy policies and practices. So the estimated number of respondents has been reduced from 73 to 11 (the estimated number of new credit unions that need to provide the initial notice).


Third, the NCUA believes the FAST Act amendment providing an exception to the annual privacy notice requirement results in reduced burden under Regulation P. Therefore, the estimated number of respondents providing the annual or revised privacy notice, and the opt-out notice to consumers, has been reduced. Finally, the NCUA believes the time to comply with the initial privacy notice has decreased due to technological advances.

16. Information collection planned for statistical purposes:


This information is not planned for publication.


17. Request to not display the expiration date of the OMB control number:


Not applicable.


18. Exceptions to Certification for Paperwork Reduction Act Submissions


There are no exceptions to the certification statement.


B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS


This collection does not involve statistical methods.



[1] The model form was published in 2009 at 74 FR 62889.

OMB No. 3133-0163; January 2020

File Title: Supporting Statement for Paperwork Reduction Act Submission
Author: NCUA
File Created: 2021-01-14
