FICU Disclosure Requirements

Privacy of Consumer Financial Information, Regulation P, 12 CFR Part 1016

REG P_Axp_Model Privacy Forms_(1-1-19 ED)

OMB: 3133-0163

Bur. of Consumer Financial Protection

Pt. 1016, App.

the complaint or that is the subject of
the complaint.
APPENDIX TO PART 1016—MODEL PRIVACY FORM

A. THE MODEL PRIVACY FORM

12 CFR Ch. X (1–1–19 Edition)

B. GENERAL INSTRUCTIONS
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial institution, including a
group of financial institutions that use a
common privacy notice, to meet the content
requirements of the privacy notice and opt-out notice set forth in §§ 1016.6 and 1016.7 of
this part.
(b) The model form is a standardized form,
including page layout, content, format,
style, pagination, and shading. Institutions
seeking to obtain the safe harbor through
use of the model form may modify it only as
described in these Instructions.
(c) Note that disclosure of certain information, such as assets, income, and information
from a consumer reporting agency, may give
rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681–1681x] (FCRA),
such as a requirement to permit a consumer
to opt out of disclosures to affiliates or designation as a consumer reporting agency if
disclosures are made to nonaffiliated third
parties.
(d) The word ‘‘customer’’ may be replaced
by the word ‘‘member’’ whenever it appears
in the model form, as appropriate.

2. The Contents of the Model Privacy Form
The model form consists of two pages,
which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a
long list of institutions at the end of the
model form in accordance with Instruction
C.3(a)(1), or provides additional information
in accordance with Instruction C.3(c), and
such list or additional information exceeds
the space available on page two of the model
form, such list or additional information
may extend to a third page.
(a) Page One. The first page consists of the
following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (‘‘Reasons we can share
your personal information’’).
(5) ‘‘To limit our sharing’’ box, as needed,
for the financial institution’s opt-out information.
(6) ‘‘Questions’’ box, for customer service
contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of
the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (‘‘Who we
are’’ and ‘‘What we do’’).
(3) Definitions.
(4) ‘‘Other important information’’ box, as
needed.

3. The Format of the Model Privacy Form
The format of the model form may be
modified only as described below.
(a) Easily readable type font. Financial institutions that use the model form must use
an easily readable type font. While a number
of factors together produce easily readable
type font, institutions are required to use a
minimum of 10-point font (unless otherwise
expressly permitted in these Instructions)
and sufficient spacing between the lines of
type.
(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the
readability of the model form or the space
constraints of each page.
(c) Page size and orientation. Each page of
the model form must be printed on paper in
portrait orientation, the size of which must
be sufficient to meet the layout and minimum font size requirements, with sufficient
white space on the top, bottom, and sides of
the content.
(d) Color. The model form must be printed
on white or light color paper (such as cream)
with black or other contrasting ink color.
Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from
the readability of the model form. Logos
may also be printed in color.
(e) Languages. The model form may be
translated into languages other than
English.

C. INFORMATION REQUIRED IN THE MODEL
PRIVACY FORM
The information in the model form may be
modified only as described below:
1. Name of the Institution or Group of Affiliated
Institutions Providing the Notice
Insert the name of the financial institution
providing the notice or a common identity of
affiliated institutions jointly providing the
notice on the form wherever [name of financial institution] appears.

2. Page One
(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’
using either the name or number of the
month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/09’’.
(b) General instructions for the ‘‘What?’’ box.
(1) The bulleted list identifies the types of
personal information that the institution
collects and shares. All institutions must use
the term ‘‘Social Security number’’ in the
first bullet.
(2) Institutions must use five (5) of the following terms to complete the bulleted list:
Income; account balances; payment history;
transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance
scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance;
medical-related debts; credit card or other
debt; mortgage rates and payments; retirement assets; checking account information;
employment information; wire transfer instructions.
(c) General instructions for the disclosure
table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision
described in paragraph C.2(d) of this Instruction. In the middle column, each institution
must provide a ‘‘Yes’’ or ‘‘No’’ response that
accurately reflects its information sharing
policies and practices with respect to the
reason listed on the left. In the right column, each institution must provide in each
box one of the following three (3) responses,
as applicable, that reflects whether a consumer can limit such sharing: ‘‘Yes’’ if it is
required to or voluntarily provides an opt-out; ‘‘No’’ if it does not provide an opt-out;
or ‘‘We don’t share’’ if it answers ‘‘No’’ in the
middle column. Only the sixth row (‘‘For our
affiliates to market to you’’) may be omitted
at the option of the institution. See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding
legal provisions.
(1) For our everyday business purposes. This
reason incorporates sharing information
under §§ 1016.14 and 1016.15 and with service
providers pursuant to § 1016.13 of this part
other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.
(2) For our marketing purposes. This reason
incorporates sharing information with service providers by an institution for its own
marketing pursuant to § 1016.13 of this part.
An institution that shares for this reason
may choose to provide an opt-out.
(3) For joint marketing with other financial
companies. This reason incorporates sharing
information under joint marketing agreements between two or more financial institutions and with any service provider used in
connection with such agreements pursuant
to § 1016.13 of this part. An institution that
shares for this reason may choose to provide
an opt-out.
(4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing
information specified in sections
603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may
choose to provide an opt-out.
(5) For our affiliates’ everyday business purposes—information about creditworthiness. This
reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA.
An institution that shares for this reason
must provide an opt-out.
(6) For our affiliates to market to you. This
reason incorporates sharing information
specified in section 624 of the FCRA. This
reason may be omitted from the disclosure
table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a
manner that requires an opt-out; or the institution provides the affiliate marketing
notice separately. Institutions that include
this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out,
but does not include that opt-out in the
model form under this part, must comply
with section 624 of the FCRA and 12 CFR
part 1022, subpart C, with respect to the initial notice and opt-out and any subsequent
renewal notice and opt-out. An institution
not required to provide an opt-out under this
subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This
reason incorporates sharing described in
§§ 1016.7 and 1016.10(a) of this part. An institution that shares personal information for
this reason must provide an opt-out.
(e) To limit our sharing: A financial institution must include this section of the model
form only if it provides an opt-out. The word
‘‘choice’’ may be written in either the singular or plural, as appropriate. Institutions
must select one or more of the applicable
opt-out methods described: Telephone, such
as by a toll-free number; a Web site; or use
of a mail-in opt-out form. Institutions may
include the words ‘‘toll-free’’ before telephone, as appropriate. An institution that
allows consumers to opt out online must provide either a specific Web address that takes
consumers directly to the opt-out page or a
general Web address that provides a clear
and conspicuous direct link to the opt-out
page. The opt-out choices made available to
the consumer who contacts the institution
through these methods must correspond accurately to the ‘‘Yes’’ responses in the third
column of the disclosure table. In the part titled ‘‘Please note,’’ institutions may insert a
number that is 30 or greater in the space
marked ‘‘[30].’’ Instructions on voluntary or
state privacy law opt-out information are in
paragraph C.2(g)(5) of these Instructions.
(f) Questions box. Customer service contact
information must be inserted as appropriate,
where [phone number] or [Web site] appear.
Institutions may elect to provide either a
phone number, such as a toll-free number, or
a web address, or both. Institutions may include the words ‘‘toll-free’’ before the telephone number, as appropriate.
(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if
they state in the ‘‘To limit our sharing’’ box
that consumers can opt out by mail. The
mail-in form must provide opt-out options
that correspond accurately to the ‘‘Yes’’ responses in the third column in the disclosure
table. Institutions that require customers to
provide only name and address may omit the
section identified as ‘‘[account #].’’ Institutions that require additional or different information, such as a random opt-out number
or a truncated account number, to implement an opt-out election should modify the
‘‘[account #]’’ reference accordingly. This includes institutions that require customers
with multiple accounts to identify each account to which the opt-out should apply. An
institution must enter its opt-out mailing
address: in the far right of this form (see
version 3); or below the form (see version 4).
The reverse side of the mail-in opt-out form
must not include any content of the model
form.
(1) Joint accountholder. Only institutions
that provide their joint accountholders the
choice to opt out for only one accountholder,
in accordance with paragraph C.3(a)(5) of
these Instructions, must include in the far
left column of the mail-in form the following
statement: ‘‘If you have a joint account,
your choice(s) will apply to everyone on your
account unless you mark below. Apply my
choice(s) only to me.’’ The word ‘‘choice’’
may be written in either the singular or plural, as appropriate. Financial institutions
that provide insurance products or services,
provide this option, and elect to use the
model form may substitute the word ‘‘policy’’ for ‘‘account’’ in this statement. Institutions that do not provide this option may
eliminate this left column from the mail-in
form.
(2) FCRA section 603(d)(2)(A)(iii) opt-out. If
the institution shares personal information
pursuant to section 603(d)(2)(A)(iii) of the
FCRA, it must include in the mail-in opt-out
form the following statement: ‘‘ Do not share
information about my creditworthiness with
your affiliates for their everyday business
purposes.’’
(3) FCRA section 624 opt-out. If the institution incorporates section 624 of the FCRA in
accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in
opt-out form the following statement: ‘‘ Do
not allow your affiliates to use my personal
information to market to me.’’
(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 1016.10(a) of this part, it must include
in the mail-in opt-out form the following
statement: ‘‘ Do not share my personal information with nonaffiliates to market their
products and services to me.’’
(5) Additional opt-outs. Financial institutions that use the disclosure table to provide
opt-out options beyond those required by
Federal law must provide those opt-outs in
this section of the model form. A financial
institution that chooses to offer an opt-out
for its own marketing in the mail-in opt-out
form must include one of the two following
statements: ‘‘ Do not share my personal information to market to me.’’ or ‘‘ Do not use
my personal information to market to me.’’
A financial institution that chooses to offer
an opt-out for joint marketing must include
the following statement: ‘‘ Do not share my
personal information with other financial institutions to jointly market to me.’’
(h) Barcodes. A financial institution may
elect to include a barcode and/or ‘‘tagline’’
(an internal identifier) in 6-point font at the
bottom of page one, as needed for information internal to the institution, so long as
these do not interfere with the clarity or
text of the form.

3. Page Two
(a) General Instructions for the Questions.
Certain of the Questions may be customized
as follows:
(1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and
that institution is clearly identified in the
title on page one. Two or more financial institutions that jointly provide the model
form must use this question to identify
themselves as required by § 1016.9(f) of this
part. Where the list of institutions exceeds
four (4) lines, the institution must describe
in the response to this question the general
types of institutions jointly providing the
notice and must separately identify those institutions, in minimum 8-point font, directly
following the ‘‘Other important information’’ box, or, if that box is not included in
the institution’s form, directly following the
‘‘Definitions.’’ The list may appear in a
multi-column format.
(2) ‘‘How does [name of financial institution]
protect my personal information?’’ The financial institution may only provide additional
information pertaining to its safeguards
practices following the designated response
to this question. Such information may include information about the institution’s use
of cookies or other measures it uses to safeguard personal information. Institutions are
limited to a maximum of 30 additional
words.
(3) ‘‘How does [name of financial institution]
collect my personal information?’’ Institutions
must use five (5) of the following terms to
complete the bulleted list for this question:
Open an account; deposit money; pay your
bills; apply for a loan; use your credit or
debit card; seek financial or tax advice;
apply for insurance; pay insurance premiums; file an insurance claim; seek advice
about your investments; buy securities from
us; sell securities to us; direct us to buy securities; direct us to sell your securities;
make deposits or withdrawals from your account; enter into an investment advisory
contract; give us your income information;
provide employment information; give us
your employment history; tell us about your
investment or retirement portfolio; tell us
about your investment or retirement earnings; apply for financing; apply for a lease;
provide account information; give us your
contact information; pay us by check; give
us your wage statements; provide your mortgage information; make a wire transfer; tell
us who receives the money; tell us where to
send the money; show your government-issued ID; show your driver’s license; order a
commodity futures or option trade. Institutions that collect personal information from
their affiliates and/or credit bureaus must
include after the bulleted list the following
statement: ‘‘We also collect your personal
information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus
but do collect information from other companies must include the following statement
instead: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or
other companies can omit both statements.
(4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’
box must use the bracketed sentence: ‘‘See
below for more on your rights under state
law.’’ Other institutions must omit this sentence.
(5) ‘‘What happens when I limit sharing for
an account I hold jointly with someone else?’’
Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two
statements to respond to this question:
‘‘Your choices will apply to everyone on your
account.’’ or ‘‘Your choices will apply to everyone on your account—unless you tell us
otherwise.’’ Financial institutions that provide insurance products or services and elect
to use the model form may substitute the
word ‘‘policy’’ for ‘‘account’’ in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the
space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off
the information from the standardized definitions.
(1) Affiliates. As required by § 1016.6(a)(3) of
this part, where [affiliate information] appears, the financial institution must:
(i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates’’;
(ii) If it has affiliates but does not share
personal information, state: ‘‘[name of financial institution] does not share with our affiliates’’; or
(iii) If it shares with its affiliates, state, as
applicable: ‘‘Our affiliates include companies
with a [common corporate identity of financial
institution] name; financial companies such as
[insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative
list of companies]; and others, such as [insert illustrative list].’’
(2) Nonaffiliates. As required by § 1016.6(c)(3)
of this part, where [nonaffiliate information]
appears, the financial institution must:
(i) If it does not share with nonaffiliated
third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they
can market to you’’; or
(ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we
share with can include [list categories of companies such as mortgage companies, insurance
companies, direct marketing companies, and
nonprofit organizations].’’
(3) Joint Marketing. As required by § 1016.13
of this part, where [joint marketing] appears,
the financial institution must:
(i) If it does not engage in joint marketing,
state: ‘‘[name of financial institution] doesn’t
jointly market’’; or
(ii) If it shares personal information for
joint marketing, state, as applicable: ‘‘Our
joint marketing partners include [list categories
of companies such as credit card companies].’’
(c) General instructions for the ‘‘Other important information box.’’ This box is optional.
The space provided for information in this
box is not limited. Only the following types
of information can appear in this box.
(1) State and/or international privacy law
information; and/or
(2) Acknowledgment of receipt form.

PART 1022—FAIR CREDIT
REPORTING (REGULATION V)

Subpart A—General Provisions
Sec.
1022.1 Purpose, scope, and model forms and
disclosures.
1022.2 Examples.
1022.3 Definitions.

Subpart B [Reserved]

Subpart C—Affiliate Marketing
1022.20 Coverage and definitions.
1022.21 Affiliate marketing opt-out and exceptions.
1022.22 Scope and duration of opt-out.
1022.23 Contents of opt-out notice; consolidated and equivalent notices.
1022.24 Reasonable opportunity to opt out.
1022.25 Reasonable and simple methods of
opting out.
1022.26 Delivery of opt-out notices.
1022.27 Renewal of opt-out.

Subpart D—Medical Information
1022.30 Obtaining or using medical information in connection with a determination
of eligibility for credit.
1022.31 Limits on redisclosure of information.
1022.32 Sharing medical information with
affiliates.

Subpart E—Duties of Furnishers of
Information
1022.40 Scope.
1022.41 Definitions.
1022.42 Reasonable policies and procedures
concerning the accuracy and integrity of
furnished information.
1022.43 Direct disputes.

Subpart F—Duties of Users Regarding
Obtaining and Using Consumer Reports
1022.50–1022.53 [Reserved]
1022.54 Duties of users making written firm
offers of credit or insurance based on information contained in consumer files.

Subpart G [Reserved]

Subpart H—Duties of Users Regarding Risk-Based Pricing
1022.70 Scope.
1022.71 Definitions.
1022.72 General requirements for risk-based
pricing notices.
1022.73 Content, form, and timing of risk-based pricing notices.
1022.74 Exceptions.
1022.75 Rules of construction.

Subpart I—Duties of Users of Consumer
Reports Regarding Identity Theft
1022.80–1022.81 [Reserved]
1022.82 Duties of users regarding address
discrepancies.

Subparts J–L [Reserved]

Subpart M—Duties of Consumer Reporting
Agencies Regarding Identity Theft
1022.120 [Reserved]
1022.121 Active duty alerts.
1022.122 [Reserved]
1022.123 Proof of identity.

Subpart N—Duties of Consumer Reporting
Agencies Regarding Disclosures to
Consumers
1022.130 Definitions
1022.131–1022.135 [Reserved]
1022.136 Centralized source for requesting
annual file disclosures from nationwide
consumer reporting agencies.
1022.137 Streamlined process for requesting
annual file disclosures from nationwide
specialty consumer reporting agencies.
1022.138 Prevention of deceptive marketing
of free credit reports.

Subpart O—Miscellaneous Duties of
Consumer Reporting Agencies
1022.140 Prohibition against circumventing
or evading treatment as a consumer reporting agency.
APPENDIX A TO PART 1022 [RESERVED]

File Type: application/pdf
File Title: CFR-2019-title12-vol8-part1016.pdf
Author: DWOLFGANG
File Modified: 2020-01-27
File Created: 2020-01-27
