Privacy of Consumer Financial Information; Conforming Amendments Under Dodd-Frank Act (United States)

Privacy of Consumer Financial Information; Conforming Amendments Under Dodd-Frank Act

Published: 2011-07-22

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Unlimited Searches
Weekly Updates on New Laws
Access to 5,345,848 Global Laws from 110 Countries
View the Original Law Side-by-Side with the Translation

Subscribe Now for only USD$40 per month.

ACTION:
Final rule.
SUMMARY:
The Commodity Futures Trading Commission (“Commission” or “CFTC”) is amending its rules implementing new statutory provisions enacted by titles VII and X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”). Section 1093 of the Dodd-Frank Act provides for certain amendments to title V of the Gramm-Leach-Bliley Act (the “GLB Act”). The GLB Act sets forth certain protections for the privacy of consumer financial information and was amended by the Dodd-Frank Act to affirm the Commission's jurisdiction in this area. The Commission's amendments to its regulations, inter alia, broaden the scope of part 160 to cover two new entities created by title VII of the Dodd-Frank Act: swap dealers and major swap participants.
DATES:
Effective date: September 20, 2011.
Compliance dates: Futures commission merchants, commodity pool operators, commodity trading advisors, introducing brokers, and retail foreign exchange dealers shall be in compliance with these rules not later than November 21, 2011. Swap dealers and major swap participants shall be in compliance with these rules not later than 60 days after the effective date of the final entities definition rulemaking, which the Commission will publish in the Federal Register at a future date.
FOR FURTHER INFORMATION CONTACT:
Carl E. Kennedy, Counsel, Office of General Counsel, (202) 418-6625, e-mail: c_kennedy@cftc.gov, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, NW., Washington, DC 20581.
SUPPLEMENTARY INFORMATION:
I. Background
Section 5g(b) of the CEA provides the Commission with the authority to prescribe regulations that establish appropriate standards for financial institutions subject to its jurisdiction to safeguard customer records and information in accordance with title V of the GLB Act. 1
Pursuant to this authority, the Commission promulgated part 160 of its regulations to require certain CFTC-regulated entities 2
to adopt appropriate policies and procedures that address safeguards to customer records and information, including initial and annual privacy notice requirements, opt-out provisions to the extent that these registrants wish to share such records and information with non-affiliates, and other measures to protect nonpublic consumer information. 3
On October 27, 2010, the Commission published for comment in the Federal Register proposed amendments to part 160 of its regulations (the “Proposal”) 4
to implement certain provisions in titles VII and X of the Dodd-Frank Wall Street Financial Reform and Consumer Protection Act (the “Dodd-Frank Act”). 5
In the Proposal, the Commission sought comments on proposed amendments to part 160 in accordance with section 1093 6
and title VII of the Dodd-Frank Act to, inter alia, broaden the types of entities that are subject to the Commission's jurisdiction 7
to provide certain privacy protections for consumer financial information to include swap dealers (SDs) and major swap participants (MSPs). In addition, the Commission proposed: (1) in accordance with the transfer of authority in title X, changing all references in part 160 from the FTC to the Bureau; and (2) renaming part 160 to “Privacy of Consumer Financial Information under the Gramm-Leach-Bliley Act” to harmonize the title of part 160 with a new part of the Commission's regulations. 8
The 60-day public comment period on the Proposal expired on December 27, 2010. In response to the Proposal, the Commission received a total of six comments: Two substantive comments and four other comments that did not address the merits or substance of the Proposal.
The Securities Industry and Financial Markets Association (“SIFMA”) commented on the following aspects of the proposal: (1) The proposed compliance date; (2) the annual burden estimate for the purpose of the Paperwork Reduction Act analysis and cost-benefit analysis; and (3) the appropriate standard applicable with regard to state laws.
The International Swaps and Derivatives Association, Inc. (“ISDA”) and the Financial Services Roundtable (“FSR”) jointly submitted a comment letter generally in support of the Proposal. That is, ISDA and the FSR did not provide specific comments in response to the Proposal. ISDA and the FSR, however, encouraged the Commission to work collaboratively with other agencies to decrease duplication in regulation and increase efficiency industry-wide.
The Commission's final rules, the specific comments noted above and the Commission's responses to those specific comments are discussed in greater detail below. 9
II. Rule Amendments
A. Renaming the Title of Part 160
The Commission is renaming the title of part 160 to reflect the scope of the part 160 regulations. The Commission's part 160 regulations implement certain protections for the privacy of consumer financial information under the GLB Act. To harmonize the title of part 160 with the new part 162 being adopted under a separate rulemaking, 10
Part 160 is renamed “Privacy of Consumer Financial Information under the Gramm-Leach-Bliley Act.”
B. Scope of 17 CFR 160.1(b)
Regulation 160.1(b) sets out the scope of the Commission's rules and identifies the financial institutions covered by the rules that include CFTC registrants regardless of whether they are required to register with the Commission. As referenced above, the Commission is amending the scope of part 160 to add SDs and MSPs.
C. Section 160.3—Definitions
Since the scope of the regulations extends to SDs and MSPs, the Commission amends § 160.3 to add the definitions of SDs and MSPs to the list of defined terms under § 160.3. Specifically, the Commission defines “major swap participant” to have the same meaning as in section 1a(33) of the CEA, as further defined by the Commission's regulations, and includes any person registered as such thereunder. The Commission defines “swap dealer” to have the same meaning as in section 1a(49) of the CEA, as further defined by the Commission's regulations, and includes any person registered as such thereunder.
There are existing definitions and related provisions under part 160 that are amended to include these new registrants. Specifically, the definitions of “financial institution”, “affiliate”, and “you” are amended to include swap dealers and major swap participants.
D. Section 160.15—Other Exceptions to Notice and Opt-out Requirements
As noted above, title X of the Dodd-Frank Act transferred certain authority from the FTC to the Bureau. Accordingly, the Commission is changing the reference from the FTC to the Bureau in § 160.15 to reflect that the Bureau is now a Federal functional regulator.
E. Section 160.17(b)—Relation to State Laws
Existing § 160.17(b) of the Commission's regulations clarifies the relationship of title V to state consumer protection laws. As a result of the creation of the Bureau and the transfer of certain authority from the FTC to the Bureau, the Commission proposed to amend § 160.17(b) by replacing it with the standard set out in section 1041(a)(2) of the Dodd-Frank Act. In the Commission's view, while the language of the standard in section 1041(a)(2) is structured slightly different from the existing standard in § 160.17(b), the Commission believed that the proposed language was nearly identical in substance to the current standard in § 160.17(b).
SIFMA commented that the standard for relation to state laws should be the same as the standard under section 507(b) of the GLB Act. SIFMA asserted that the appropriate standard should more closely follow section 507(b)—not section 1041 of the Dodd-Frank Act—because the former standard would achieve maximum consistency with the rules of the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Depository Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, and the Securities and Exchange Commission (collectively, the “Agencies”) and would maintain the settled expectations of the market participants, which have complied with the standards of GLB Act for several years.
The Commission has carefully considered SIFMA's comment and has amended § 160.17(b) to use the language of section 507(b) of the GLB Act, as amended by section 1093(6) of the Dodd-Frank Act. The Commission recognizes that market participants are familiar with the standard in section 507(b) of the GLB Act, and therefore, changing the language of the standard ever so slightly from what is in section 507(b) may create unnecessary and unintended confusion.
F. Section 160.30—Procedures to Safeguard Customer Records and Information
Section 160.30 requires CFTC registrants to adopt policies and procedures that, among other things, address administrative, technical and physical safeguards for the protection of customer records and information. The Commission amends the introductory sentence of § 160.30 to add SDs and MSPs to the list of CFTC registrants that must comply with this requirement.
III. Effective Date
In the Proposal, the Commission proposed to adopt the amendments to part 160 on July 21, 2011, which coincides with the designated transfer date when various Federal agencies transfer their consumer protection authority to the Consumer Financial Protection Bureau pursuant to section 1100H of the Dodd-Frank Act. 11
In response to the proposed effective date, SIFMA expressed concern that this timeframe would not provide covered entities with a reasonable amount of time to address and implement the new rules. To address this concern, SIFMA requested that the Commission extend the effective date of the final rules to commence nine months from the date of the rules' publication in the Federal Register to ensure a reasonable time for compliance.
The Commission partly agrees with SIFMA's comment in that SDs and MSPs may need a reasonable amount of time to comply with the amendments to part 160 since these are two new types of Commission-regulated entities. The Commission, however, believes that nine months is more time than is necessary for these new regulated entities to comply with part 160. The Commission has decided to establish staggered compliance dates for its regulated entities that fall within the scope of part 160. 12
Specifically, with respect to those Commission-regulated entities that were previously complying with part 160—FCMs, IBs, CPOs, CTA, and RFEDs—the amendments to part 160 will not require that these entities materially alter their compliance programs. Accordingly, in the Commission's view, the appropriate compliance date for these entities is 120 days from the date of publication in the Federal Register . With respect to SDs and MSPs, the compliance date for these entities is 60 days from the date of publication of the Commission's final entities definitional rulemaking, which shall be published in the Federal Register at a date in the future. 13
IV. Related Matters
A. Cost-Benefit Considerations.
Section 15(a) of the CEA explicitly requires the Commission to consider the costs and benefits of its actions before issuing a rule or order under the CEA. By its terms, section 15(a) neither requires the Commission to quantify the costs and benefits of amendments to regulations, nor does it require the Commission to determine whether the benefits of the amendments outweigh its costs. Section 15(a) specifies that the costs and benefits shall be evaluated in light of five broad areas of market and public concern: (1) Protection of market participants and the public; (2) efficiency, competitiveness and financial integrity of futures markets; (3) price discovery; (4) sound risk management practices; and (5) other public interest considerations. The Commission may in its discretion give greater weight to any one of the five enumerated areas and could in its discretion determine that, notwithstanding its costs, a particular amendment is necessary or appropriate to protect the public interest or to effectuate any of the provisions or accomplish any of the purposes of the CEA.
Promulgated in 2001, part 160 of the Commission's regulations currently applies to several types of Commission-regulated entities, including FCMs, IBs, CTAs, CPOs and RFEDs. The Commission proposed and later promulgated the rules in part 160 in concert with the Agencies in order to broadly protect individual customers from all types of regulated businesses (including businesses that are regulated with the Commission) that have access to nonpublic personal information. Part 160 imposes disclosure and procedural requirements that are either mandated by or fully consistent with the privacy provisions of the GLB Act and section 5g of the CEA.
The Dodd-Frank Act created two new entities over which the Commission has jurisdiction ( i.e., SDs and MSPs), and specifically mandated that the Commission has the authority to prescribe regulations as necessary to carry out the purposes of title V of the GLB Act for entities under its jurisdiction. In its Proposal, the Commission primarily sought to expand the scope of part 160 to cover these new entities because the Commission believes that, like FCMs, IBs, CTAs, CPOs and RFEDs, these new entities are more likely to have access to nonpublic personal information. The cost-benefit discussion in the Proposal analyzed the costs and benefits of extending the existing regulatory regime in part 160 to these new entities.
The Commission has considered the costs and benefits of the final rule in light of comments received and the specific areas of concern identified in section 15(a). An analysis of the section 15(a) factors is set out immediately below, followed by a discussion of the comments received in response to the Commission's cost-benefit discussion in the Proposal.
1. Protection of market participants and the public. The requirements to provide opt out notices and to protect customer information will benefit market participants and the public by protecting the privacy of their nonpublic personal information. The Commission believes that extending these requirements to SDs and MSPs will further ensure the protection of nonpublic personal information. The Commission further believes that the costs, which will be placed on these new entities will not exceed those costs currently placed on FCMs, IBs, CTAs, CPOs and RFEDs. In the Commission's view, SDs and MSPs will likely have similar resources and administrative infrastructure to comply with the part 160 requirements. Moreover, while these new entities will likely incur some incremental costs in complying with part 160, the privacy protection benefits that will accrue to the general public far outweigh those costs.
2. Efficiency and competition. The requirements to provide initial and annual privacy notices will benefit efficiency and competition by allowing customers to compare the privacy policies of financial institutions. The Commission's final rules also will benefit efficiency and competition by allowing SDs and MSPs flexibility to distribute notices and to adopt policies and procedures to protect customer information that are best suited to the institution's business and needs. As noted above, the Commission believes that the costs, which will be placed on these new entities will not exceed those costs currently placed on FCMs, IBs, CTAs, CPOs and RFEDs. Indeed, SDs and MSPs will likely have similar resources and administrative infrastructure to comply with the part 160 requirements.
3. Price discovery and financial integrity of futures and swaps markets, price discovery and sound risk management practices. The final rules should have no effect, from the standpoint of imposing costs or creating benefits, on the price discovery function or financial integrity of the futures and swaps markets or on the risk management practices of SDs or MSPs.
4. Other public interest considerations. In the same manner that part 160 was designed to minimize the costs of compliance on FCMs, IBs, CTAs, CPOs and RFEDs, part 160 will similarly provide SDs and MSPs with maximum flexibility, consistent with legal requirements, to design their own compliance systems. Ultimately, the Commission believes that extending the scope of part 160 to SDs and MSPs will harmonize privacy protections for individual customers across the futures and swaps markets.
5. Response to comments. In its Proposal, the Commission solicited comment on its consideration of these costs and benefits. The Commission received one comment with respect to costs and benefits of the Proposal. Specifically, SIFMA argued that the Commission also should consider anticipated additional costs associated with monitoring the privacy and opt-out notice process, addressing consumer issues, and adjusting records to comport with consumer requests. SIFMA did not provide specific cost information to support its comments.
Despite SIFMA's argument that the Commission did not consider the additional costs identified above, there are several Commission-regulated entities that already comply with part 160, and the final rule simply extends this protection to new registrants, SDs and MSPs. As noted above, the Commission believes that the costs, which will be placed on these new entities will be no greater than those costs currently placed on FCMs, IBs, CTAs, CPOs and RFEDs. In the Commission's view, there is no reason why SDs and MSPs should be excluded from these requirements to the extent that they conduct business with a natural person. SDs and MSPs will likely have similar resources and administrative infrastructure to comply with the part 160 requirements. The additional costs that SIFMA raised (but did not articulate with specificity) were subsumed within the considerations discussed in the Proposal. 14
In line with Section 15(a) of the CEA, the Commission believes that extending these provisions to SDs and MSPs is in the public interest and will further protect market the general public, promote efficiency and competition, and address other public interest considerations such as the harmonization of regulation across the futures and swaps markets. In the Commission's view, these benefits far outweigh the additional costs that SIFMA cited.
B. Paperwork Reduction Act.
This rule contains information collection requirements. As required by the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq., the Commission submitted a copy of the Proposal to the Office of Management and Budget (“OMB”) for review. The Commission may not sponsor, and a person is not required to respond to an information collection unless it displays a currently valid OMB control number.
The final rule, affecting part 160, titled “Privacy of Consumer Financial Information,” OMB Control Number 3038-0055, expands the scope of this part to cover SDs and MSPs, two new classes of registrants, now subject to Commission jurisdiction. The final rule imposes mandatory requirements for these entities. SDs and MSPs must provide initial and annual privacy and opt-out notices to all customers that are natural persons.
In response to the Commission's request in the notice of proposed rulemaking for comments on any potential paperwork burden associated with this regulation, only one commenter provided a substantive comment addressing the merits of the Commission's proposed PRA calculations. In particular, SIFMA proposed that the burden estimate should be refined to reflect anticipated additional burden hours associated with monitoring the privacy and opt-out notice process, addressing consumer issues, and adjusting records to comport with consumer requests.
Based on this comment, the Commission estimates that the approximately 300 SDs and MSPs may incur additional burden hours. Consequently, it is anticipated the 300 SDs and MSPs may incur an additional aggregate of 1440 burden hours than what was stated in the Proposal, monitoring an average of 20 notices per year, with an average monitoring time of .24 hours per notice. Accordingly, the Commission has submitted to the OMB an amended calculation of the annual burden hours for SDs and MSPs. OMB has approved a revision to Control Number 3038-0055 to cover the revision in the Commission's annual burden calculation.
C. Regulatory Flexibility Act.
The Regulatory Flexibility Act, 5 U.S.C. 601 et seq., requires that Federal agencies consider whether their proposed regulations will have a significant economic impact on a substantial number of small entities. The rule amendments adopted herein now will affect SDs and MSPs, in addition to the certain Commission regulated entities that are currently subject to Commission's regulations under part 160. These regulations require periodic notice to be provided to individuals who obtain financial products or services primarily for personal, family, or household purposes from the institutions, and may be satisfied by the use of a model notice developed by the Commission and other regulatory agencies to minimize the burden of compliance. The Commission certified in the Proposal that these rules will not have a significant economic impact on a substantial number of small entities. Accordingly, because the Commission received no substantive comments from the public addressing the merits of the proposed rule, nothing alters the Commission's determination that the obligations created by these rule amendments will not create a significant economic impact on a substantial number of small entities.
D. Regulatory Text.
List of Subjects in 17 CFR Part 160
Brokers, Dealers, Consumer protection, Privacy, Reporting and recordkeeping requirements.
For the reasons articulated in the preamble, the Commission amends part 160 of title 17 of the Code of Federal Regulations as follows:
1. The authority citation for part 160 is revised to read as follows:
Authority:
7 U.S.C. 7b-2 and 12a(5); 15 U.S.C 6801, et seq., and sec. 1093, Pub. L. 111-203, 124 Stat. 1376.
2. The heading for part 160 is revised to read as follows:
PART 160—PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT
3. Amend section 160.1 by revising paragraph (b) to read as follows:
§ 160.1
(b) Scope. This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services primarily for business, commercial, or agricultural purposes. This part applies to all futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, major swap participants and swap dealers that are subject to the jurisdiction of the Commission, regardless whether they are required to register with the Commission. These entities are hereinafter referred to in this part as “you.” This part does not apply to foreign (non-resident) futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, major swap participants and swap dealers that are not registered with the Commission.
4. Amend § 160.3 as follows:
a. Revise paragraphs (a), (n)(1)(i), (n)(1)(ii), and (o)(1)(i);
b. Redesignating paragraphs (w) and (x) as paragraphs (y) and (z);
c. Redesignating paragraphs (s) through (v) as paragraphs (t) through (w);
d. Adding new paragraphs (s) and (x);
e. Revising new designated paragraphs (y)(4) and (y)(5); and
f. Adding new paragraph (y)(6) and (7) to read as follows:
§ 160.3
(a) Affiliate of a futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer means any company that controls, is controlled by, or is under common control with a futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer that is subject to the jurisdiction of the Commission. In addition, a futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer subject to the jurisdiction of the Commission will be deemed an affiliate of a company for purposes of this part if:
(1) That company is regulated under title V of the GLB Act by the Bureau of Consumer Financial Protection or by a Federal functional regulator other than the Commission; and
(2) Rules adopted by the Bureau of Consumer Financial Protection or another Federal functional regulator under title V of the GLB Act treat the futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer as an affiliate of that company.
(n)(1) * * *
(i) Any futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer that is registered with the Commission as such or is otherwise subject to the Commission's jurisdiction; and
(2) * * *
(i) Any person or entity, other than a futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer that, with respect to any financial activity, is subject to the jurisdiction of the Commission under the Act.
(o)(1) * * *
(i) Any product or service that a futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer could offer that is subject to the Commission's jurisdiction; and
(s) Major swap participant. The term “major swap participant” has the same meaning as in section 1a(33) of the Commodity Exchange Act, 7 U.S.C. 1 et seq., as may be further defined by this title, and includes any person registered as such thereunder.
(x) Swap dealer. The term “swap dealer” has the same meaning as in section 1a(49) of the Commodity Exchange Act, 7 U.S.C. 1 et seq., as may be further defined by this title, and includes any person registered as such thereunder.
(y) * * *
(4) Any commodity pool operator;
(5) Any introducing broker;
(6) Any major swap participant; and
(7) Any swap dealer.
5. Revise § 160.15(a)(4) to read as follows:
§ 160.15
(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, 12 U.S.C. 3401 et seq., to law enforcement agencies (including a Federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority's state that is engaged in providing insurance, and the Bureau of Consumer Financial Protection), self-regulatory organizations, or for an investigation on a matter related to public safety;
6. Amend § 160.17 by revising paragraph (b) to read as follows:
§ 160.17
(b) Greater protection under state law. For purposes of this section, a state statute, regulation, order or interpretation is not inconsistent with the provisions of this part if the protection such statute, regulation, order or interpretation affords any person is greater than the protection provided under this part, as determined by the Bureau of Consumer Financial Protection, after consultation with the Commission, on its own motion or upon the petition of any interested party.
7. Revise § 160.30 to read as follows:
§ 160.30
Every futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, and swap dealer subject to the jurisdiction of the Commission must adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.
Issued in Washington, DC on July 7, 2011 by the Commission.
David A. Stawick,
Secretary of the Commission.
Appendices to Privacy of Consumer Financial Information; Conforming Amendments Under Dodd-Frank Act—Commission Voting Summary and Statements of Commissioners
Note:
The following appendices will not appear in the Code of Federal Regulations.
Appendix 1—Commission Voting Summary
On this matter, Chairman Gensler and Commissioners Dunn, Sommers, O'Malia and Chilton voted in the affirmative; no Commissioner voted in the negative.
Appendix 2—Statement of Chairman Gary Gensler
I support the final rulemaking to expand the scope of privacy protections for consumer financial information under the Gramm-Leach-Bliley Act. The rulemaking expands the scope of the Commission's existing privacy protections afforded to consumers' information—under the Commission's Part 160 rules—to swap dealers and major swap participants.
[FR Doc. 2011-17710 Filed 7-21-11; 8:45 am]
BILLING CODE 6351-01-P