Privacy of Consumer Financial Information
June 14, 2000
Circular No. 11251

Adoption of New Regulation P

Effective November 13, 2000 (Compliance Optional Until July 1, 2001)

To All State Member Banks, Bank Holding Companies, Edge and Agreement Corporations, and U.S. Branches and Agencies of Foreign Banks in the Second Federal Reserve District:

The following is from a joint press release issued last month by the federal banking agencies:

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have approved the issuance of final regulations implementing the provisions of the Gramm-Leach-Bliley Act governing the privacy of consumer financial information.

The regulations resulted from an interagency effort. They impose three main requirements established by the Act:

Financial institutions must provide initial notices to customers about their privacy policies, describing the conditions under which they may disclose nonpublic personal information to nonaffiliated third parties and affiliates. These notices must be accurate, clear, and conspicuous.

Financial institutions must provide annual notices of their privacy policies to their current customers. These notices must be accurate, clear, and conspicuous.

Financial institutions must provide a reasonable method for consumers to "opt out" of disclosures to nonaffiliated third parties. That is, consumers must be given a reasonable opportunity to "opt out" and a reasonable means to do so. Consumers may exercise their "opt out" option at any time.

The agencies' regulations, which are identical in all substantive respects, apply to financial institutions for which the agencies have primary supervisory authority. The regulations limit disclosure by financial institutions of "nonpublic personal information" about individuals who obtain financial products or services for personal, family, or household purposes. Subject to certain exceptions allowed by law, the regulations cover information sharing between financial institutions and nonaffiliated third parties.

The regulations are effective November 13, 2000, but in order to provide sufficient time for financial institutions to establish policies and procedures and to put in place systems to implement the requirements of the regulations, the time for full compliance with the regulations is extended until July 1, 2001.

The new regulations were originally proposed by the agencies in February (see our Circular No. 11231). The final regulations (pdf - 514kb), as published in the Federal Register of June 1, is available and will become effective on November 13, 2000, with full compliance optional until July 1, 2001.

Questions on this matter may be directed, at this Bank, to Janice A. Oser, Bank Supervision Officer, Compliance Examinations Department.