Subpart A — Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information
248.1 — Purpose and scope.
(a) Purpose. This subpart governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph (b) of this section. This subpart:
(1) Requires a financial institution to provide notice to customers about its privacy policies and practices;
(2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and
(3) Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure, subject to the exceptions in §§ 248.13, 248.14, and 248.15.
(b) Scope. Except with respect to § 248.30(b), this subpart applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes from the institutions listed below. This subpart does not apply to information about companies or about individuals who obtain financial products or services primarily for business, commercial, or agricultural purposes. This part applies to brokers, dealers, and investment companies, as well as to investment advisers that are registered with the Commission. It also applies to foreign (non-resident) brokers, dealers, investment companies and investment advisers that are registered with the Commission. These entities are referred to in this subpart as “you.” This subpart does not apply to foreign (non-resident) brokers, dealers, investment companies and investment advisers that are not registered with the Commission. Nothing in this subpart modifies, limits, or supersedes the standards governing individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).
[65 FR 40362, June 29, 2000, as amended at 69 FR 71329, Dec. 8, 2004]
248.2 — Model privacy form: rule of construction.
(a) Model privacy form. Use of the model privacy form in appendix A to subpart A of this part, consistent with the instructions in appendix A to subpart A, constitutes compliance with the notice content requirements of §§ 248.6 and 248.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part provide guidance concerning the rule's application in ordinary circumstances. The facts and circumstances of each individual situation, however, will determine whether compliance with an example, to the extent practicable, constitutes compliance with this part.
(c) Substituted compliance with CFTC financial privacy rules by futures commission merchants and introducing brokers. Except with respect to § 248.30(b), any futures commission merchant or introducing broker (as those terms are defined in the Commodity Exchange Act (7 U.S.C. 1, et seq.)) registered by notice with the Commission for the purpose of conducting business in security futures products pursuant to section 15(b)(11)(A) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)(A)) that is subject to and in compliance with the financial privacy rules of the Commodity Futures Trading Commission (17 CFR part 160) will be deemed to be in compliance with this part.
[74 FR 62984, Dec. 1, 2009]
248.3 — Definitions.
As used in this subpart, unless the context requires otherwise:
(a) Affiliate of a broker, dealer, or investment company, or an investment adviser registered with the Commission means any company that controls, is controlled by, or is under common control with the broker, dealer, or investment company, or investment adviser registered with the Commission. In addition, a broker, dealer, or investment company, or an investment adviser registered with the Commission will be deemed an affiliate of a company for purposes of this subpart if:
(1) That company is regulated under Title V of the GLBA by the Federal Trade Commission or by a Federal functional regulator other than the Commission; and
(2) Rules adopted by the Federal Trade Commission or another federal functional regulator under Title V of the GLBA treat the broker, dealer, or investment company, or investment adviser registered with the Commission as an affiliate of that company.
(b) Broker has the same meaning as in section 3(a)(4) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(4)).
(c)(1) Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.
(2) Examples — (i) Reasonably understandable. You make your notice reasonably understandable if you:
(A) Present the information in the notice in clear, concise sentences, paragraphs, and sections;
(B) Use short explanatory sentences or bullet lists whenever possible;
(C) Use definite, concrete, everyday words and active voice whenever possible;
(D) Avoid multiple negatives;
(E) Avoid legal and highly technical business terminology whenever possible; and
(F) Avoid explanations that are imprecise and readily subject to different interpretations.
(ii) Designed to call attention. You design your notice to call attention to the nature and significance of the information in it if you:
(A) Use a plain-language heading to call attention to the notice;
(B) Use a typeface and type size that are easy to read;
(C) Provide wide margins and ample line spacing;
(D) Use boldface or italics for key words; and
(E) Use distinctive type size, style, and graphic devices, such as shading or sidebars when you combine your notice with other information.
(iii) Notices on web sites. If you provide a notice on a web page, you design your notice to call attention to the nature and significance of the information in it if you use text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the web site (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice, and you either:
(A) Place the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or
(B) Place a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature, and relevance of the notice.
(d) Collect means to obtain information that you organize or can retrieve by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, irrespective of the source of the underlying information.
(e) Commission means the Securities and Exchange Commission.
(f) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.
(g)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.
(2) Examples. (i) An individual is your consumer if he or she provides nonpublic personal information to you in connection with obtaining or seeking to obtain brokerage services or investment advisory services, whether or not you provide brokerage services to the individual or establish a continuing relationship with the individual.
(ii) An individual is not your consumer if he or she provides you only with his or her name, address, and general areas of investment interest in connection with a request for a prospectus, an investment adviser brochure, or other information about financial products or services.
(iii) An individual is not your consumer if he or she has an account with another broker or dealer (the introducing broker-dealer) that carries securities for the individual in a special omnibus account with you (the clearing broker-dealer) in the name of the introducing broker-dealer, and when you receive only the account numbers and transaction information of the introducing broker-dealer's consumers in order to clear transactions.
(iv) If you are an investment company, an individual is not your consumer when the individual purchases an interest in shares you have issued only through a broker or dealer or investment adviser who is the record owner of those shares.
(v) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.
(vi) An individual is not your consumer solely because he or she has designated you as trustee for a trust.
(vii) An individual is not your consumer solely because he or she is a beneficiary of a trust for which you are a trustee.
(viii) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.
(h) Consumer reporting agency has the same meaning as in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
(i) Control of a company means the power to exercise a controlling influence over the management or policies of a company whether through ownership of securities, by contract, or otherwise. Any person who owns beneficially, either directly or through one or more controlled companies, more than 25 percent of the voting securities of any company is presumed to control the company. Any person who does not own more than 25 percent of the voting securities of any company will be presumed not to control the company. Any presumption regarding control may be rebutted by evidence, but, in the case of an investment company, will continue until the Commission makes a decision to the contrary according to the procedures described in section 2(a)(9) of the Investment Company Act of 1940 (15 U.S.C. 80a-2(a)(9)).
(j) Customer means a consumer who has a customer relationship with you.
(k)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
(2) Examples — (i) Continuing relationship. A consumer has a continuing relationship with you if:
(A) The consumer has a brokerage account with you, or if a consumer's account is transferred to you from another broker-dealer;
(B) The consumer has an investment advisory contract with you (whether written or oral);
(C) The consumer is the record owner of securities you have issued if you are an investment company;
(D) The consumer holds an investment product through you, such as when you act as a custodian for securities or for assets in an Individual Retirement Arrangement;
(E) The consumer purchases a variable annuity from you;
(F) The consumer has an account with an introducing broker or dealer that clears transactions with and for its customers through you on a fully disclosed basis;
(G) You hold securities or other assets as collateral for a loan made to the consumer, even if you did not make the loan or do not effect any transactions on behalf of the consumer; or
(H) You regularly effect or engage in securities transactions with or for a consumer even if you do not hold any assets of the consumer.
(ii) No continuing relationship. A consumer does not, however, have a continuing relationship with you if you open an account for the consumer solely for the purpose of liquidating or purchasing securities as an accommodation, i.e., on a one time basis, without the expectation of engaging in other transactions.
(l) Dealer has the same meaning as in section 3(a)(5) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(5)).
(m) Federal functional regulator means:
(1) The Board of Governors of the Federal Reserve System;
(2) The Office of the Comptroller of the Currency;
(3) The Board of Directors of the Federal Deposit Insurance Corporation;
(4) The Director of the Office of Thrift Supervision;
(5) The National Credit Union Administration Board
(6) The Securities and Exchange Commission; and
(7) The Commodity Futures Trading Commission.
(n)(1) Financial institution means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).
(2) Financial institution does not include:
(i) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or
(ii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights), or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
(o)(1) Financial product or service means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).
(2) Financial service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service.
(p) GLBA means the Gramm-Leach-Bliley Act (Pub. L. No. 106-102, 113 Stat. 1338 (1999)).
(q) Investment adviser has the same meaning as in section 202(a)(11) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-2(a)(11)).
(r) Investment company has the same meaning as in section 3 of the Investment Company Act of 1940 (15 U.S.C. 80a-3), and includes a separate series of the investment company.
(s)(1) Nonaffiliated third party means any person except:
(i) Your affiliate; or
(ii) A person employed jointly by you and any company that is not your affiliate (but nonaffiliated third party includes the other company that jointly employs the person).
(2) Nonaffiliated third party includes any company that is an affiliate solely by virtue of your or your affiliate's direct or indirect ownership or control of the company in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) or insurance company investment activities of the type described in section 4(k)(4)(I) of the Bank Holding Company Act (12 U.S.C. 1843(k)(4)(H) and (I)).
(t)(1) Nonpublic personal information means:
(i) Personally identifiable financial information; and
(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available information.
(2) Nonpublic personal information does not include:
(i) Publicly available information, except as included on a list described in paragraph (t)(1)(ii) of this section or when the publicly available information is disclosed in a manner that indicates the individual is or has been your consumer; or
(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available information.
(3) Examples of lists. (i) Nonpublic personal information includes any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available information, such as account numbers.
(ii) Nonpublic personal information does not include any list of individuals' names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available information, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
(u)(1) Personally identifiable financial information means any information:
(i) A consumer provides to you to obtain a financial product or service from you;
(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.
(2) Examples — (i) Information included. Personally identifiable financial information includes:
(A) Information a consumer provides to you on an application to obtain a loan, credit card, or other financial product or service;
(B) Account balance information, payment history, overdraft history, and credit or debit card purchase information;
(C) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;
(D) Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;
(E) Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on a loan or servicing a loan;
(F) Any information you collect through an Internet “cookie” (an information collecting device from a web server); and
(G) Information from a consumer report.
(ii) Information not included. Personally identifiable financial information does not include:
(A) A list of names and addresses of customers of an entity that is not a financial institution; or
(B) Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.
(v)(1) Publicly available information means any information that you reasonably believe is lawfully made available to the general public from:
(i) Federal, State, or local government records;
(ii) Widely distributed media; or
(iii) Disclosures to the general public that are required to be made by federal, State, or local law.
(2) Examples — (i) Reasonable belief. (A) You have a reasonable belief that information about your consumer is made available to the general public if you have confirmed, or your consumer has represented to you, that the information is publicly available from a source described in paragraphs (v)(1)(i)-(iii) of this section;
(B) You have a reasonable belief that information about your consumer is made available to the general public if you have taken steps to submit the information, in accordance with your internal procedures and policies and with applicable law, to a keeper of federal, State, or local government records that is required by law to make the information publicly available.
(C) You have a reasonable belief that an individual's telephone number is lawfully made available to the general public if you have located the telephone number in the telephone book or the consumer has informed you that the telephone number is not unlisted.
(D) You do not have a reasonable belief that information about a consumer is publicly available solely because that information would normally be recorded with a keeper of federal, State, or local government records that is required by law to make the information publicly available, if the consumer has the ability in accordance with applicable law to keep that information nonpublic, such as where a consumer may record a deed in the name of a blind trust.
(ii) Government records. Publicly available information in government records includes information in government real estate records and security interest filings.
(iii) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper, or a web site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.
(w) You means:
(1) Any broker or dealer;
(2) Any investment company; and
(3) Any investment adviser registered with the Commission under the Investment Advisers Act of 1940.
[65 FR 40362, June 29, 2000, as amended at 66 FR 45147, Aug. 27, 2001; 74 FR 40431, Aug. 11, 2009]