[ad_1]
Federal Register, Volume 83 Issue 236 (Monday, December 10, 2018)
[Federal Register Volume 83, Number 236 (Monday, December 10, 2018)]
[Proposed Rules]
[Pages 63450-63456]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-26523]
=======================================================================
———————————————————————–
COMMODITY FUTURES TRADING COMMISSION
17 CFR Part 160
RIN 3038-AE80
Privacy of Consumer Financial Information–Amendment To Conform
Regulations to the Fixing America’s Surface Transportation Act
AGENCY: Commodity Futures Trading Commission.
ACTION: Proposed rule.
———————————————————————–
SUMMARY: The Commodity Futures Trading Commission (“CFTC” or
[[Page 63451]]
“Commission”) is proposing to revise its regulations requiring
covered persons to provide annual privacy notices to customers. The
proposed revisions implement the Fixing America’s Surface
Transportation Act’s (“FAST Act”) December 2015 statutory amendment
to the Gramm-Leach-Bliley Act (“GLB Act”) by providing an exception
to the annual notice requirement under certain conditions.
DATES: Comments must be received on or before February 8, 2019.
ADDRESSES: You may submit comments, identified by RIN 3038-AE80, by any
of the following methods:
CFTC Comments Portal: https://comments.cftc.gov. Select
the “Submit Comments” link for this rulemaking and follow the
instructions on the Public Comment Form.
Mail: Send to Christopher Kirkpatrick, Secretary of the
Commission, Commodity Futures Trading Commission, Three Lafayette
Center, 1155 21st Street, NW, Washington, DC 20581.
Hand Delivery/Courier: Follow the same instructions as for
Mail, above. Please submit your comments using only one of these
methods. Submissions through the CFTC Comments Portal are encouraged.
All comments must be submitted in English, or if not, accompanied
by an English translation. Comments will be posted as received to
https://comments.cftc.gov. You should submit only information that you
wish to make available publicly. If you wish the Commission to consider
information that you believe is exempt from disclosure under the
Freedom of Information Act (“FOIA”), a petition for confidential
treatment of the exempt information may be submitted according to the
procedures established in Sec. 145.9 of the Commission’s
regulations.1
—————————————————————————
1 17 CFR 145.9. Commission regulations referred to herein are
found at 17 CFR Chapter I.
—————————————————————————
The Commission reserves the right, but shall have no obligation, to
review, pre-screen, filter, redact, refuse or remove any or all of your
submission from https://comments.cftc.gov that it may deem to be
inappropriate for publication, such as obscene language. All
submissions that have been redacted or removed that contain comments on
the merits of the rulemaking will be retained in the public comment
file and will be considered as required under the Administrative
Procedure Act and other applicable laws, and may be accessible under
the FOIA.
FOR FURTHER INFORMATION CONTACT: Matthew Kulkin, Director, (202) 418-
5213, [email protected]; Frank Fisanich, Chief Counsel, (202) 418-5949,
[email protected]; or Jacob Chachkin, Special Counsel, (202) 418-5496,
[email protected], Division of Swap Dealer and Intermediary Oversight,
Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st
Street NW, Washington, DC 20581.
SUPPLEMENTARY INFORMATION:
I. Background
Title V, Subtitle A of the GLB Act 2 (“Title V”) mandates that
financial institutions provide their consumers with whom they have
customer relationships (“customers”) with annual notices regarding
those institutions’ privacy policies and practices.3 Further, subject
to certain exceptions, if financial institutions share nonpublic
personal information with particular types of third parties, the
financial institutions must also provide their consumers with an
opportunity to opt out of the sharing.4 The Commission and entities
subject to its jurisdiction were originally excluded from Title V’s
coverage.5 However, section 124 of the Commodity Futures
Modernization Act of 2000 6 amended the Commodity Exchange Act
(“CEA”) to add section 5g,7 providing that futures commission
merchants (“FCMs”), commodity trading advisors (“CTAs”), commodity
pool operators (“CPOs”), and introducing brokers (“IBs”) 8 fall
under the requirements of Title V and requiring the Commission to
prescribe regulations in furtherance of Title V. Thus, in 2001, the
Commission promulgated part 160 of its regulations to establish
standards relating to Title V.9
—————————————————————————
2 Title V, Subtitle A, Public Law 106-102, 113 Stat. 1338
(1999), as codified at 15 U.S.C. 6801-6809.
3 See 15 U.S.C. 6803.
4 See 15 U.S.C. 6802(b). See also 15 U.S.C. 6809(4)(A)
(defining “nonpublic personal information”).
5 15 U.S.C. 6809(3)(B).
6 Section 124, Appendix E of Public Law 106-554, 114 Stat.
2763 (2000).
7 7 U.S.C. 7b-2.
8 For the definitions of these intermediary categories, see
section 1a of the CEA and Sec. 1.3 of the Commission’s regulations.
7 U.S.C. 1a and 17 CFR 1.3.
9 Privacy of Customer Information, 66 FR 21235 (April 27,
2001). The Commission later modified its part 160 regulations to
apply them to retail foreign exchange dealers (“RFEDs”), swap
dealers (“SDs”), and major swap participants (“MSPs”).
Regulation of Off-Exchange Retail Foreign Exchange Transactions and
Intermediaries, 75 FR 55409 (Sept. 10, 2010) for RFEDs, and Privacy
of Consumer Financial Information; Conforming Amendments Under Dodd-
Frank Act, 76 FR 43874 (July 22, 2011) for SDs and MSPs. For the
definition of RFED, see Sec. 5.1(h). 17 CFR 5.1(h). For the
definitions of SD and MSP, see section 1a of the CEA and Sec. 1.3
of the Commission’s regulations. 7 U.S.C. 1a and 17 CFR 1.3.
—————————————————————————
Consistent with Title V, part 160 requires that, generally, all
FCMs, RFEDs, CTAs, CPOs, IBs, MSPs, and SDs that are subject to the
jurisdiction of the Commission, regardless of whether they are required
to register with the Commission (“Covered Persons”), provide a clear
and conspicuous notice to customers that accurately reflects their
privacy policies and practices not less than annually during the life
of the customer relationship.10
—————————————————————————
10 17 CFR 160.1 and 160.5. Part 160 does not apply to foreign
(non-resident) FCMs, RFEDs, CTAs, CPOs, IBs, MSPs, and SDs that are
not registered with the Commission. 17 CFR 160.1. Therefore, they
are not “Covered Persons” as defined in this release.
—————————————————————————
On December 4, 2015, Congress amended Title V as part of the FAST
Act.11 This amendment, titled “Eliminate Privacy Notice Confusion,”
added section 503(f) to the GLB Act to limit the circumstances under
which a financial institution must provide a privacy notice to its
customers on an annual basis.12 In particular, under section 503(f),
a financial institution is excepted from the requirement to send
privacy notices on an annual basis if that financial institution (1)
does not share nonpublic personal information except as described in
certain specified exceptions; and (2) has not changed its policies and
practices with regard to disclosing nonpublic personal information from
those policies and practices that the institution disclosed in the most
recent disclosure it sent to consumers in accordance with section
503.13 This amendment to the GLB Act became effective upon enactment
of the FAST Act in December 2015. The Commission is now proposing to
amend Sec. 160.5 of the Commission’s regulations (the “Proposal”) to
implement the FAST Act amendments to the GLB Act with respect to
Covered Persons, as described below.14
—————————————————————————
11 Section 75001, Public Law 114-94, 129 Stat. 1312 (2015),
available at http://transportation.house.gov/uploadedfiles/fastact_xml.pdf (last visited Nov. 30, 2018).
12 Id.
13 See 15 U.S.C. 6803(f).
14 In developing the Proposal, pursuant to Section 6804(a)(2)
of the GLB Act, the Commission consulted and coordinated with the
Bureau of Consumer Financial Protection (“BCFP”), the Securities
and Exchange Commission, the Federal Trade Commission, and the
National Association of Insurance Commissioners, including regarding
consistency and comparability with the regulations prescribed by
such agencies. See 15 U.S.C. 6804(a)(2). In addition, the Proposal
is consistent with rules recently finalized by the BCFP (“BCFP
Final Rule”). See Amendment to the Annual Privacy Notice
Requirement Under the Gramm-Leach-Bliley Act (Regulation P), 83 FR
40945 (Aug. 2018).
—————————————————————————
[[Page 63452]]
II. Proposal
The Proposal would amend Sec. 160.5 to modify the first sentence
of paragraph (a) and add a new paragraph (d). The modification to Sec.
160.5(a) would add a reference to the exception, contained in new
paragraph (d), to the requirement that a Covered Person annually
provide a clear and conspicuous notice to customers that reflects the
Covered Person’s privacy policies and practices (“annual privacy
notice”) during the life of the customer relationship. Section
160.5(d)(1) would describe that exception by stating that a Covered
Person is not required to deliver an annual privacy notice to customers
pursuant to Sec. 160.5(a) if it: (1) Provides nonpublic personal
information to nonaffiliated third parties only in accordance with the
provisions of Sec. Sec. 160.13, 160.14, 160.15 and any other
exceptions adopted by the Commission pursuant to section 504(b) of the
GLB Act;15 and (2) has not changed its policies and practices with
regard to disclosing nonpublic personal information from the policies
and practices that were disclosed to the customer under Sec.
160.6(a)(2) through (5) and Sec. 160.6(a)(9) in the most recent
privacy notice provided to such customer pursuant to part 160 of the
Commission’s regulations.
—————————————————————————
15 Section 503(f)(1) of the GLB Act permits a financial
institution to share nonpublic personal information in accordance
with the provisions of sections 502(b)(2) or (e) of the GLB Act or
regulations prescribed under section 504(b) of the GLB Act. See 15
U.S.C. 6802 and 6803. Sharing by a financial institution, as
described in sections 502(b)(2) or (e), does not trigger the
consumer’s statutory right to opt out of such sharing. These
exceptions are incorporated into existing Commission regulations at
17 CFR 160.13 (Exception to opt out requirements for service
providers and joint marketing), 160.14 (Exceptions to notice and opt
out requirements for processing and servicing transactions), and
160.15 (Other exceptions to notice and opt out requirements).
Section 504(b) of the GLB Act gives the Commission and other
relevant agencies authority to include additional exceptions to
certain regulations promulgated under Title V as are deemed
consistent with Title V’s purposes. See 15 U.S.C. 6804(b).
—————————————————————————
Paragraphs (1) through (9) of Sec. 160.6(a) set forth the specific
types of information that a Covered Person must include in its privacy
notices.16 The information required by Sec. 160.6(a)(2) through (5)
and Sec. 160.6(a)(9), which Sec. 160.5(d)(1)(ii) references,
specifically relate to the policies and practices connected to
disclosing nonpublic personal information. The Commission believes that
other types of information required by Sec. 160.6(a), such as the
information under Sec. 160.6(a)(1) (information collection) and Sec.
160.6(a)(8) (confidentiality and security), do not relate to disclosure
of nonpublic personal information.17 Thus, since new GLB Act section
503(f)(2) states that a condition for the annual privacy notice
exception is that a financial institution must not have changed its
policies and practices with regard to disclosing nonpublic personal
information from the policies and practices that were disclosed in the
most recent notice sent to consumers, the Commission is proposing to
frame the scope of the exception to reference only the types of
information listed in Sec. 160.6(a)(2) through (5) and Sec.
160.6(a)(9).
—————————————————————————
16 17 CFR 160.6 (a)(1)-(9). Section 160.6(a) provides that a
Covered Person must include the following information in annual
privacy notices sent to customers: (1) The categories of nonpublic
personal information it collects; (2) the categories of nonpublic
personal information it discloses; (3) subject to limited exception,
the categories of affiliates and nonaffiliated third parties to whom
it discloses nonpublic personal information; (4) subject to limited
exception, the categories of nonpublic personal information about
its former customers that it discloses and the categories of
affiliates and nonaffiliated third parties to whom it discloses
nonpublic personal information about its former customers; (5) if it
discloses nonpublic personal information to a nonaffiliated third
party under Sec. 160.13 (and no other exception applies to that
disclosure), a separate statement of the categories of information
it discloses and the categories of third parties with whom it has
contracted; (6) an explanation of the customer’s rights under Sec.
160.10(a) to opt out of the disclosure of nonpublic personal
information to nonaffiliated third parties, including the method(s)
by which the customer may exercise that right at that time; (7) any
disclosures that it makes under section 603(d)(2)(A)(iii) of the
Fair Credit Reporting Act (“FCRA”) (15 U.S.C. 1681a(d)(2)(A)(iii))
(that is, notices regarding the ability to opt out of disclosures of
information among affiliates); (8) its policies and practices with
respect to protecting the confidentiality and security of nonpublic
personal information; and (9) any disclosure that it makes under
Sec. 160.6(b).
17 Id. The Commission notes that Sec. 160.6(a)(7) requires
that annual privacy notices incorporate opt-out disclosures provided
under FCRA section 603(d)(2)(A)(iii) (that is, notices regarding the
ability to opt out of disclosures of information among affiliates).
GLB Act section 503(f)(1) does not mention these FCRA affiliate opt-
out disclosures. The Commission believes that changes to these FCRA
disclosures do not affect whether GLB Act section 503(f)(1) is
satisfied and therefore should not affect whether a Covered Person
satisfies proposed Sec. 160.5(d)(1). The proposed rule is also
consistent in this respect with the BCFP Final Rule.
—————————————————————————
GLB Act section 503(f) states that a financial institution that
meets the requirements for the annual notice exception will not be
required to provide annual notices “until such time” as that
financial institution fails to comply with the criteria described in
section 503(f)(1) and 503(f)(2), which would be implemented in proposed
Sec. 160.5(d)(1).18 Covered Persons that no longer meet the
conditions for the exception must provide customers with annual privacy
notices. However, because the GLB Act is silent as to when a financial
institution that has relied on and no longer meets the requirements of
the exception must next provide an annual privacy notice, the
Commission is proposing a framework for these circumstances.
Specifically, Sec. 160.5(d)(2) states that a Covered Person who has
been excepted from delivering an annual privacy notice pursuant to
Sec. 160.5(d)(1) and who changes its policies or practices in such a
way that it no longer meets the requirements for that exception, would,
if such a change required a revised privacy notice pursuant to Sec.
160.8,19 be required to provide an annual privacy notice in
accordance with the timing requirements in Sec. 160.5(a), treating the
revised privacy notice as an initial privacy notice. Further, if the
change in policies or practices did not require a revised privacy
notice pursuant to Sec. 160.8 to be sent, a Covered Person who has
been previously excepted from delivering an annual privacy notice would
be required to provide an annual privacy notice to customers within 100
days of the change in their policies or practices.20
—————————————————————————
18 15 U.S.C. 6803(f).
19 17 CFR 160.8 (Revised privacy notices).
20 In developing this framework, the Commission looked to
Sec. 160.8 because that provision already addresses circumstances
in which a Covered Person might change its privacy policies or
practices in a way that affects the content of the notices.
Specifically, Sec. 160.8 requires that a Covered Person provide a
revised notice to consumers before implementing certain types of
changes. In other cases, part 160 currently contemplates that a
change in policy or practice that affects the content of the notices
would simply be reflected on the next regular annual notice provided
to customers pursuant to Sec. 160.5. The Commission is therefore
proposing different timing requirements for resumption of delivery
of annual notices, depending on whether the change at issue would
trigger the requirement for a revised notice under Sec. 160.8 prior
to the change taking effect.
—————————————————————————
The Commission is proposing a 100-day period for providing the
annual privacy notice under these circumstances because, as affected
customers would not receive a revised notice from the Covered Person
prior to the Covered Person’s change in policies or practices, the
Commission believes the annual privacy notice should be delivered
within a relatively short time so that customers are informed of the
change in a timely manner. Further, the Commission preliminarily
believes that 100 days would allow a Covered Person to meet the notice
requirement without imposing additional costs on Covered Persons.
Particularly, a 100-day delivery period would accommodate the inclusion
of the notice with their quarterly statements.21 In addition, this
[[Page 63453]]
100-day delivery period is required under the BCFP Final Rule and
proposing the same delivery requirement as the BCFP furthers the
Commission’s goal of having its regulations be consistent with those of
other regulators, where appropriate.
—————————————————————————
21 The Commission also notes that a delivery requirement
resulting from a change in policies and practices described under
proposed Commission regulation 160.5(d)(1)(ii) is effectively a one-
time burden for a Covered Person absent additional changes to its
policies and practices. Specifically, after providing the one annual
privacy notice, the Covered Person would once again meet both of the
conditions for the exception–it would not be sharing other than as
described under Commission regulation 160.5(d)(1)(i) and its
policies and practices would not have changed since it provided the
annual privacy notice. Because the Covered Person would once again
meet the conditions for the exception, it would not be required to
provide future annual privacy notices.
—————————————————————————
To ensure that the Proposal, if adopted, achieves its stated
purpose, the Commission requests comment generally on all aspects of
the Proposal and this release.
III. Related Matters
A. Regulatory Flexibility Act
The Regulatory Flexibility Act 22 (“RFA”) requires federal
agencies to consider whether the rules they propose will have a
significant economic impact on a substantial number of small entities
and, if so, to provide a regulatory flexibility analysis regarding the
economic impact on those entities. The Proposal would add an exception
to Sec. 160.5’s requirement that Covered Persons deliver annual
privacy notices, as discussed above.
—————————————————————————
22 5 U.S.C. 601 et seq.
—————————————————————————
The Proposal would affect Covered Persons (i.e., certain FCMs,
RFEDs, CTAs, CPOs, IBs, MSPs, and SDs). To the extent that the Proposal
would impact Covered Persons that may be small entities for purposes of
the RFA,23 the Commission considered whether the Proposal would have
a significant economic impact on such Covered Persons.
—————————————————————————
23 The Commission has previously determined that certain
entities are not “small entities” for purposes of the RFA. See,
e.g., 47 FR 18618, 18619 (Apr. 30, 1982) (registered FCMs); 75 FR
55410, 55416 (Sept. 10, 2010) (RFEDs); 77 FR 2613, 2620 (Jan. 19,
2012) (SDs and MSPs). However, the Commission has determined that
CPOs exempt pursuant to 17 CFR 4.13(a) are small entities. See 46 FR
26004 (May 8, 1981); 47 FR at 18619. The definitions of IB and CTA
are also broad enough to potentially encompass “small entities.”
See 48 FR 35248, 35276 (Aug. 3, 1983) (recognizing that the IB
definition “undoubtedly encompasses many business enterprises of
variable size”); 47 FR at 18620 (the category of CTAs is “too
broad” for a general determination regarding their small entity
status).
—————————————————————————
As a Covered Person may continue to provide annual privacy notices
and not avail itself of the proposed exception to the annual privacy
notice requirement in Sec. 160.5, the Proposal would not impose any
new regulatory obligations on Covered Persons, including Covered
Persons that may be small entities for purposes of the RFA. Rather, to
the extent that a Covered person relies on the proposed exception, it
would simply avoid providing a privacy notice annually until such time
as it is no longer eligible for the exception. The Proposal’s
clarification that, once it is no longer eligible for the exception,
the Covered Person would need to provide a privacy notice either in
accordance with existing Sec. 160.8 or within 100 days would also not
result in any new burdens. Sections 160.5 and 160.8 are existing
requirements to deliver annual privacy notices and revised privacy
notices under certain circumstances. Further, the Commission endeavored
to reduce any burdens for those Covered Persons utilizing the exception
by allowing the proposed 100-day period following loss of the exception
to resume delivery of an annual privacy notice where a notice is not
already required pursuant to Sec. 160.8, as discussed above. The
Commission does not, therefore, expect that any small entities that may
be impacted by the rule to incur any additional costs as a result of
the Proposal.
Therefore, the Commission believes that the Proposal will not have
a significant economic impact on a substantial number of small
entities, as defined in the RFA.
Accordingly, the Chairman, on behalf of the Commission, hereby
certifies pursuant to 5 U.S.C. 605(b) that the Proposal will not have a
significant economic impact on a substantial number of small entities.
The Commission invites comment on the impact of the Proposal on small
entities.
B. Paperwork Reduction Act
The Paperwork Reduction Act of 1995 (“PRA”) 24 imposes certain
requirements on Federal agencies, including the Commission, in
connection with their conducting or sponsoring any collection of
information, as defined by the PRA. The Commission may not conduct or
sponsor, and a person is not required to respond to, a collection of
information unless it displays a currently valid Office of Management
and Budget (“OMB”) control number.
—————————————————————————
24 44 U.S.C. 3501 et seq.
—————————————————————————
The Commission believes that the Proposal would not impose any new
recordkeeping or information collection requirements, or other
collections of information that require approval of OMB under the PRA.
However, by providing the exception to the requirement to provide
annual privacy notices to customers discussed above, the Proposal would
modify a collection of information for which the Commission has
previously received a control number from OMB. The title for this
collection of information is “Privacy of Consumer Financial
Information, OMB control number 3038-0055”.25 Collection 3038-0055
is currently in force with its control number having been provided by
OMB. Accordingly, the Commission will submit to OMB revisions to OMB
control number 3038-0055 to reflect the proposed addition of this
exception and the resulting reduction of burden. In particular, the
Commission estimates that the availability of the exception in
Commission regulation 160.5(d) will reduce the current number of annual
privacy notices by approximately 30%. Accordingly, in accordance with
its previous estimates, the Commission estimates that the Proposal
would reduce the total number of responses by 113,620 responses
annually and reduce the time burden by approximately 1,136 hours
annually. The Commission believes that the one-time cost of adopting
the annual privacy notice exception for Covered Persons that adopt it
is de minimis.
—————————————————————————
25 See OMB Control No. 3038-0055, http://www.reginfo.gov/public/do/PRAOMBHistory?ombControlNumber=3038-0055# (last visited
Nov. 30, 2018).
—————————————————————————
The Commission invites the public and other Federal agencies to
comment on any aspect of the proposed information collection
requirements discussed above. Pursuant to 44 U.S.C. 3506(c)(2)(B), the
Commission solicits comments in order to: (1) Evaluate whether the
proposed collection of information is necessary for the proper
performance of the functions of the Commission, including whether the
information will have practical utility; (2) evaluate the accuracy of
the Commission’s estimate of the burden of the proposed collection of
information; (3) determine whether there are ways to enhance the
quality, utility, and clarity of the information to be collected; and
(4) minimize the burden of the collection of information on those who
are to respond, including through the use of automated collection
techniques or other forms of information technology.
Comments may be submitted directly to the Office of Information and
Regulatory Affairs, by fax at (202) 395-6566, or by email at
[email protected]. Please provide the Commission with a copy
of submitted
[[Page 63454]]
comments so that all comments can be summarized and addressed in the
final rule preamble. Refer to the ADDRESSES section of this document
for comment submission instructions to the Commission. A copy of the
supporting statements for the collection of information discussed above
may be obtained by visiting RegInfo.gov. OMB is required to make a
decision concerning the collection of information between 30 and 60
days after publication of this document in the Federal Register.
Therefore, a comment is best assured of having its full effect if OMB
receives it within 30 days of publication.
C. Cost-Benefit Considerations
Section 15(a) of the CEA requires the Commission to consider the
costs and benefits of its actions before promulgating a regulation
under the CEA. Section 15(a) further specifies that the costs and
benefits shall be evaluated in light of the following five broad areas
of market and public concern: (1) Protection of market participants and
the public; (2) efficiency, competitiveness, and financial integrity of
futures markets; (3) price discovery; (4) sound risk management
practices; and (5) other public interest considerations. The Commission
considers the costs and benefits resulting from its discretionary
determinations with respect to the section 15(a) considerations.
As discussed above, the Commission is proposing to implement the
FAST Act’s amendments to the GLB Act by amending Sec. 160.5 to
incorporate an exception to a Covered Person’s obligation to provide an
annual privacy notice under certain specified circumstances, consistent
with section 503(f) of the GLB Act and address when a Covered Person
that has relied on and no longer meets the requirements of that
exception must next provide an annual privacy notice.
Below, the Commission discusses the costs and benefits of the
Proposal.26 The baseline against which the costs and benefits are
considered is the current status quo for Covered Persons with respect
to their obligation to provide annual privacy notices. The Commission
recognizes that there are inherent costs and benefits to Covered
Persons and their customers associated with providing an exception to
the annual privacy notice requirement, which Congress took into account
in amending the GLB Act under the FAST Act. The Commission further
recognizes that there are costs and benefits due to discretionary
actions taken by the Commission in implementing the exception. In
formulating the Proposal, the Commission was mindful of the policy
goals that drove Congress to create this exception and endeavored not
to impose unnecessary burdens on Covered Persons in proposing when a
Covered Person would next need to provide an annual privacy notice
after loss of the exception.27
—————————————————————————
26 The Commission endeavors to assess the expected costs and
benefits of its proposed rule in quantitative terms where possible.
Where estimation or quantification is not feasible, the Commission
provides its discussion in qualitative terms. Given a general lack
of relevant data, the Commission’s assessment is generally provided
in qualitative terms.
27 The Commission notes that the consideration of costs and
benefits below is based on the understanding that the markets
function internationally, with many transactions involving United
States firms taking place across international boundaries; with some
commission registrants being organized outside of the United States;
with some leading industry members typically conducting operations
both within and outside the United States; and with industry members
commonly following substantially similar business practices wherever
located. Where the Commission does not specifically refer to matters
of location, the discussion of costs and benefits below refers to
the effects of this proposal on all activity subject to the proposed
and amended regulations, whether by virtue of the activity’s
physical location in the United States or by virtue of the
activity’s connection with or effect on United States commerce under
CEA section 2(i). In particular, the Commission notes that some
Covered Persons are located outside of the United States.
—————————————————————————
The Commission anticipates that some Covered Persons may avail
themselves of the exception in the Proposal and not provide annual
privacy notices. The Proposal would benefit these Covered Persons that
are opting out of providing annual privacy notices by reducing their
costs associated with sending such notices. Further, because no Covered
Person is required to avail themselves of the exception in the
Proposal, as discussed above, the Commission believes that it is
reasonable to conclude that only those Covered Persons that expect a
net benefit from the Proposal will stop providing annual privacy
notices under the proposed exception.
The Commission recognizes that, as a result of the Proposal,
certain customers of Covered Persons may no longer receive privacy
notices annually and therefore would not be made aware of the Covered
Persons’ policies and procedures as frequently. However, the scope of
the exception is tailored such that customers of Covered Persons could
only not receive an annual privacy notice to the extent that the
Covered Person: (1) Provides nonpublic personal information to
nonaffiliated third parties only in accordance with the provisions of
Sec. Sec. 160.13, 160.14, 160.15 and any other exceptions adopted by
the Commission pursuant to section 504(b) of the GLB Act; and (2) has
not changed its policies and practices with regard to disclosing
nonpublic personal information from the policies and practices that
were disclosed to the customer under Sec. 160.6(a)(2) through (5) and
Sec. 160.6(a)(9) in the most recent privacy notice provided to such
customer pursuant to part 160 of the Commission’s regulations. Thus,
the Proposal may reduce confusion among customers by providing them
with disclosures when they would be most relevant, i.e., when
disclosure policies change after the customer relationship begins and
to the extent an institution shares sensitive personal information with
third parties for marketing purposes.
In proposing when to require the resumption of annual privacy
notices following the loss of the proposed exception, the Commission
endeavored to propose requirements consistent with existing timing
requirements for privacy notices under current regulations, as
discussed above, and to provide clarity to Covered Persons.28
Specifically, in proposing to require the resumption of annual privacy
notices within 100 days of the loss of the exception where a revised
privacy notice is not required under Sec. 160.8, the Commission has
tried not to impose unnecessary burdens on Covered Persons while taking
into account the potential impact on a Covered Person’s customers of
not receiving such notices in a timely manner. The Commission
considered different requirements for the resumption of annual privacy
notices in these circumstances (e.g., requiring a notice before the
change in the policy or practice causing the loss of the availability
of the exception or immediately following such change, or within 60 or
90 days of such change). The Commission is proposing the 100 day period
because it believes the proposal to be consistent with the revisions of
the GLB Act in the FAST Act and current regulations while allowing
Covered Persons some flexibility in resuming annual privacy notices.
This flexibility would allow, for example, these notices to be included
with quarterly statements to reduce any costs from resuming providing
such notices. In proposing timing requirements for the resumption of
annual privacy notices where a revised
[[Page 63455]]
notice is required under Sec. 160.8, the Commission is proposing to
clarify the effect of such a revised notice on the requirement that a
Covered Person provide an annual privacy notice and on the eligibility
for the proposed exception to this requirement. Specifically, the
Commission is clarifying that a Covered Person should provide the
notice currently required by Sec. 160.8 and treat such notice as an
initial privacy notice.
—————————————————————————
28 In addition, as discussed above, the Commission notes that
a Covered Person’s obligation to resume providing annual privacy
notices may be effectively a one-time burden absent additional
changes to their policies and practices.
—————————————————————————
3. Section 15(a) Considerations
In light of the foregoing, the CFTC has evaluated the costs and
benefits of the Proposal pursuant to the five considerations identified
in section 15(a) of the CEA as follows:
(1) Protection of Market Participants and the Public
The requirements of Sec. 160.5 protect market participants by
ensuring that customers of Covered Persons are informed about such
Covered Persons’ practices and policies with respect to nonpublic
personal information and certain other information described in Sec.
160.6. As discussed above, the Commission recognizes that, as a result
of the Proposal, some customers of Covered Persons may no longer
receive privacy notices annually and therefore would not be made aware
of the Covered Persons’ policies and procedures as frequently. However,
the scope of the exception is tailored such that customers of Covered
Persons could only not receive an annual privacy notice to the extent
that the Covered Person: (1) Provides nonpublic personal information to
nonaffiliated third parties only in accordance with the provisions of
Sec. Sec. 160.13, 160.14, 160.15 and any other exceptions adopted by
the Commission pursuant to section 504(b) of the GLB Act; and (2) has
not changed its policies and practices with regard to disclosing
nonpublic personal information from the policies and practices that
were disclosed to the customer under Sec. 160.6(a)(2) through (5) and
Sec. 160.6(a)(9) in the most recent privacy notice provided to such
customer pursuant to part 160 of the Commission’s regulations. Further,
as discussed above, the Proposal may reduce confusion among customers
by providing them with disclosures when they would be most relevant. In
addition, the Commission preliminarily believes that the proposed
requirements for the resumption of annual privacy notices following the
loss of the exception in the Proposal will allow customers of Covered
Persons to receive annual privacy notices in a timely manner while not
causing Covered Persons to incur any additional costs.
(2) Efficiency, Competitiveness, and Financial Integrity of Markets
The Commission believes that the Proposal may improve competition
by reducing costs for Covered Persons that meet the requirements of the
exception in proposed Sec. 160.5(d) to not deliver an annual privacy
notice and elect to not deliver such notices. Specifically, the
Commission expects that the Proposal would likely result in fewer
substantially similar annual privacy notices being delivered, which
would reduce costs associated with producing and delivering such
privacy notices. Further, to the extent that a Covered Person is no
longer able to take advantage of the exception to providing annual
privacy notices and is required to resume providing them, the
Commission preliminary believes that a Covered Person will not incur
any additional costs in doing so, as the Covered Person would simply
need to resume sending annual privacy notices as currently required.
(3) Price Discovery
The Commission has not identified an impact on price discovery as a
result of the Proposal.
(4) Sound Risk Management
The Commission has not identified an impact on sound risk
management as a result of the Proposal.
(5) Other Public Interest Considerations
The Commission has not identified an impact on other public
interest considerations as a result of the Proposal.
4. Request for Comments on Cost-Benefit Considerations
The Commission invites public comment on its cost-benefit
considerations, including the section 15(a) factors described above.
Commenters are also invited to submit any data or other information
that they may have quantifying or qualifying the costs and benefits of
the Proposal with their comment letters.
D. Antitrust Considerations
Section 15(b) of the CEA requires the Commission to take into
consideration the public interest to be protected by the antitrust laws
and endeavor to take the least anticompetitive means of achieving the
purposes of the CEA, in issuing any order or adopting any Commission
rule or regulation (including any exemption under section 4(c) or
4c(b)), or in requiring or approving any bylaw, rule, or regulation of
a contract market or registered futures association established
pursuant to section 17 of the CEA.29
—————————————————————————
29 7 U.S.C. 19(b).
—————————————————————————
The Commission believes that the public interest to be protected by
the antitrust laws is generally to protect competition. The Commission
requests comment on whether the Proposal implicates any other specific
public interest to be protected by the antitrust laws.
The Commission has considered the Proposal to determine whether it
is anticompetitive and has preliminarily identified no anticompetitive
effects. The Commission requests comment on whether the Proposal is
anticompetitive and, if it is, what the anticompetitive effects are.
Because the Commission has preliminarily determined that the
Proposal is not anticompetitive and has no anticompetitive effects, the
Commission has not identified any less anticompetitive means of
achieving the purposes of the CEA. The Commission requests comment on
whether there are less anticompetitive means of achieving the relevant
purposes of the CEA that would otherwise be served by adopting the
Proposal.
List of Subjects in 17 CFR Part 160
Brokers, Consumer protection, Privacy, Reporting and recordkeeping
requirements.
For the reasons stated in the preamble, the Commodity Futures
Trading Commission proposes to amend 17 CFR chapter I as follows:
PART 160–PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V
OF THE GRAMM-LEACH-BLILEY ACT
0
1. The authority citation for part 160 continues to read as follows:
Authority: 7 U.S.C. 7b-2 and 12a(5); 15 U.S.C. 6801, et seq.,
and sec. 1093, Pub. L. 111-203, 124 Stat. 1376.
0
2. In Sec. 160.5, revise the first sentence of paragraph (a)(1) and
add paragraph (d) to read as follows:
Sec. 160.5 Annual privacy notice to customers required.
(a)(1) * * * Except as provided by paragraph (d) of this section,
you must provide a clear and conspicuous notice to customers that
accurately reflects your privacy policies and practices not less than
annually during the life of the customer relationship. * * *
* * * * *
[[Page 63456]]
(d) Exception to annual privacy notice requirement. (1) You are not
required to deliver an annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third
parties only in accordance with the provisions of Sec. Sec. 160.13
through 160.15 and any other exceptions adopted by the Commission
pursuant to section 504(b) of the GLB Act; and
(ii) Have not changed your policies and practices with regard to
disclosing nonpublic personal information from the policies and
practices that were disclosed to the customer under Sec. 160.6(a)(2)
through (5) and Sec. 160.6(a)(9) in the most recent privacy notice
sent to the customer pursuant to this part.
(2) Delivery of annual privacy notice after you no longer meet
requirements for exception. If you have been excepted from delivering
an annual privacy notice pursuant to paragraph (d)(1) of this section
and change your policies or practices in such a way that you no longer
meet the requirements for that exception, you must comply with
paragraph (d)(2)(i) or (ii) of this section, as applicable.
(i) Changes preceded by a revised privacy notice. If you no longer
meet the requirements of paragraph (d)(1) of this section because you
change your policies or practices in such a way that Sec. 160.8
requires you to provide a revised privacy notice, you must provide an
annual privacy notice in accordance with the timing requirements in
paragraph (a) of this section, treating the revised privacy notice as
an initial privacy notice.
(ii) Changes not preceded by a revised privacy notice. If you no
longer meet the requirements of paragraph (d)(1) of this section
because you change your policies or practices in such a way that Sec.
160.8 does not require you to provide a revised privacy notice, you
must provide an annual privacy notice within 100 days of the change in
your policies or practices that causes you to no longer meet the
requirements of paragraph (d)(1) of this section.
Issued in Washington, DC, on November 30, 2018, by the
Commission.
Christopher Kirkpatrick,
Secretary of the Commission.
Note: The following appendices will not appear in the Code of
Federal Regulations.
Appendices to Privacy of Consumer Financial Information–Amendment To
Conform Regulations to the Fixing America’s Surface Transportation
Act–Commission Voting Summary and Chairman’s Statement
Appendix 1–Commission Voting Summary
On this matter, Chairman Giancarlo and Commissioners Quintenz,
Behnam, Stump, and Berkovitz voted in the affirmative. No
Commissioner voted in the negative.
Appendix 2–Statement of Chairman J. Christopher Giancarlo
This proposal will revise Commission regulation 160.5’s privacy
notice requirements to implement the Fixing America’s Surface
Transportation (FAST) Act’s December 2015 statutory amendment to the
Gramm-Leach-Bliley Act (GLBA). In proposing to implement what is now
almost a three-year-old statutory requirement, this proposal is a
good demonstration of this Commission’s commitment to supporting
good governance.
[FR Doc. 2018-26523 Filed 12-7-18; 8:45 am]
BILLING CODE 6351-01-P
[ad_2]
Source link
