Regulations last checked for updates: Nov 22, 2024

Title 17 - Commodity and Securities Exchanges last revised: Nov 19, 2024
§ 160.1 - Purpose and scope.

(a) Purpose. This part governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph (b) of this section. This part:

(1) Requires a financial institution to provide notice to customers about its privacy policies and practices;

(2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and

(3) Provides a method for consumers to prevent a financial institution from disclosing nonpublic personal information to most nonaffiliated third parties by “opting out” of that disclosure, subject to the exceptions in §§ 160.13, 160.14, and 160.15.

(b) Scope. This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services primarily for business, commercial, or agricultural purposes. This part applies to all futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, major swap participants and swap dealers that are subject to the jurisdiction of the Commission, regardless whether they are required to register with the Commission. These entities are hereinafter referred to in this part as “you.” This part does not apply to foreign (non-resident) futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, major swap participants and swap dealers that are not registered with the Commission.

[66 FR 21252, Apr. 27, 2001, as amended at 75 FR 55450, Sept. 10, 2010; 76 FR 43878, July 22, 2011]
§ 160.2 - Model privacy form and examples.

(a) Model privacy form. Use of the model privacy form in appendix A of this part, consistent with the instructions in appendix A, constitutes compliance with the notice content requirements of §§ 160.6 and 160.7 of this part, although use of the model privacy form is not required.

(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.

[74 FR 62974, Dec. 1, 2009]
§ 160.3 - Definitions.

For purposes of this part, unless the context requires otherwise:

(a) Affiliate of a futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer means any company that controls, is controlled by, or is under common control with a futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer that is subject to the jurisdiction of the Commission. In addition, a futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer subject to the jurisdiction of the Commission will be deemed an affiliate of a company for purposes of this part if:

(1) That company is regulated under title V of the GLB Act by the Bureau of Consumer Financial Protection or by a Federal functional regulator other than the Commission; and

(2) Rules adopted by the Bureau of Consumer Financial Protection or another Federal functional regulator under title V of the GLB Act treat the futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer as an affiliate of that company.

(b)(1) Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.

(2) Examples—(i) Reasonably understandable. Your notice will be reasonably understandable if you:

(A) Present the information in the notice in clear, concise sentences, paragraphs and sections;

(B) Use short explanatory sentences or bullet lists whenever possible;

(C) Use definite, concrete, everyday words and active voice whenever possible;

(D) Avoid multiple negatives;

(E) Avoid legal and highly technical business terminology whenever possible; and

(F) Avoid explanations that are imprecise and readily subject to different interpretations.

(ii) Designed to call attention. Your notice is designed to call attention to the nature and significance of the information in it if you:

(A) Use a plain-language heading to call attention to the notice;

(B) Use a typeface and type size that are easy to read;

(C) Provide wide margins and ample line spacing;

(D) Use boldface or italics for key words; and

(E) Use distinctive type size, style and graphic devices, such as shading or sidebars when you combine your notice with other information.

(iii) Notices on web sites. If you provide notice on a web page, you design your notice to call attention to the nature and significance of the information in it if you use text or visual cues to encourage scrolling down the page, if necessary to view the entire notice, and ensure that other elements on the web site, such as text, graphics, hyperlinks or sound, do not distract from the notice, and you either:

(A) Place the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or

(B) Place a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.

(c) Collect means to obtain information that you organize or can retrieve by the name of an individual or by identifying number, symbol or other identifying particular assigned to the individual, irrespective of the source of the underlying information.

(d) Commission means the Commodity Futures Trading Commission.

(e) Commodity pool operator has the same meaning as in section 1a(5) of the Commodity Exchange Act, as amended, and includes anyone registered as such under the Act.

(f) Commodity trading advisor has the same meaning as in section 1a(6) of the Commodity Exchange Act, as amended, and includes anyone registered as such under the Act.

(g) Company means any corporation, limited liability company, business trust, general or limited partnership, association or similar organization.

(h)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family or household purposes, or that individual's legal representative.

(2) Examples. (i) An individual is your consumer if he or she provides nonpublic personal information to you in connection with obtaining or seeking to obtain brokerage or advisory services, whether or not you provide services to the individual or establish a continuing relationship with the individual.

(ii) An individual is not your consumer if he or she provides you only with his or her name, address and general areas of investment interest in connection with a request for a brochure or other information about financial products or services.

(iii) An individual is not your consumer if he or she has an account with another futures commission merchant (originating futures commission merchant) for which you provide clearing services for an account in the name of the originating futures commission merchant.

(iv) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.

(v) An individual is not your consumer solely because he or she has designated you as trustee for a trust.

(vi) An individual is not your consumer solely because he or she is a beneficiary of a trust for which you are a trustee.

(vii) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.

(i) Consumer reporting agency has the same meaning as in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).

(j) Control of a company means the power to exercise a controlling influence over the management or policies of a company whether through ownership of securities, by contract, or otherwise. Any person who owns beneficially, either directly or through one or more controlled companies, more than 25 percent of the voting securities of any company is presumed to control the company. Any person who does not own more than 25 percent of the voting securities of a company will be presumed not to control the company.

(k) Customer means a consumer who has a customer relationship with you.

(l)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family or household purposes.

(2) Examples—(i) Continuing relationship. A consumer has a continuing relationship with you if:

(A) You are a futures commission merchant through whom a consumer has opened an account, or that carries the consumer's account on a fully-disclosed basis, or that effects or engages in commodity interest transactions with or for a consumer, even if you do not hold any assets of the consumer.

(B) You are a retail foreign exchange dealer with whom a consumer has opened an account, or that effects or engages in retail forex transactions with or for a consumer, even if you do not hold any assets of the consumer;

(C) You are an introducing broker that solicits or accepts specific orders for trades;

(D) You are a commodity trading advisor with whom a consumer has a contract or subscription, either written or oral, regardless of whether the advice is standardized, or is based on, or tailored to, the commodity interest or cash market positions or other circumstances or characteristics of the particular consumer;

(E) You are a commodity pool operator, and you accept or receive from the consumer, funds, securities, or property for the purpose of purchasing an interest in a commodity pool;

(F) You hold securities or other assets as collateral for a loan made to the consumer, even if you did not make the loan or do not effect any transactions on behalf of the consumer; or

(G) You regularly effect or engage in commodity interest transactions with or for a consumer even if you do not hold any assets of the consumer.

(ii) No continuing relationship. A consumer does not have a continuing relationship with you if:

(A) You have acted solely as a “finder” for a futures commission merchant, and you do not solicit or accept specific orders for trades; or

(B) You have solicited the consumer to participate in a pool or to direct his or her account and he or she has not provided you with funds to participate in a pool or entered into any agreement for you to direct his or her account.

(m) Federal functional regulator means:

(1) The Board of Governors of the Federal Reserve System;

(2) The Office of the Comptroller of the Currency;

(3) The Board of Directors of the Federal Deposit Insurance Corporation;

(4) The Director of the Office of Thrift Supervision;

(5) The National Credit Union Administration Board;

(6) The Securities and Exchange Commission; and

(7) The Commodity Futures Trading Commission.

(n)(1) Financial institution means:

(i) Any futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer that is registered with the Commission as such or is otherwise subject to the Commission's jurisdiction; and

(2) Financial institution does not include:

(i) Any person or entity, other than a futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer that, with respect to any financial activity, is subject to the jurisdiction of the Commission under the Act.

(ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or

(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.

(o)(1) Financial product or service means:

(i) Any product or service that a futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, or swap dealer could offer that is subject to the Commission's jurisdiction; and

(ii) Any product or service that any other financial institution could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k).

(2) Financial service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service.

(p) Futures commission merchant has the same meaning as in section 1a(20) of the Commodity Exchange Act, as amended, and includes any person registered as such under the Act.

(q) GLB Act means the Gramm-Leach-Bliley Act (Pub. L. No. 106-102, 113 Stat. 1338 (1999)).

(r) Introducing broker has the same meaning as in section 1a(23) of the Commodity Exchange Act, as amended, and includes any person registered as such under the Act.

(s) Major swap participant. The term “major swap participant” has the same meaning as in section 1a(33) of the Commodity Exchange Act, 7 U.S.C. 1 et seq., as may be further defined by this title, and includes any person registered as such thereunder.

(t)(1) Nonaffiliated third party means any person except:

(i) Your affiliate; or

(ii) A person employed jointly by you and any company that is not your affiliate, but nonaffiliated third party includes the other company that jointly employs the person.

(2) Nonaffiliated third party includes any company that is an affiliate solely by virtue of your or your affiliate's direct or indirect ownership or control of the company in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) or insurance company investment activities of the type described in section 4(k)(4)(I) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k)(4)(H) and (I).

(u)(1) Nonpublic personal information means:

(i) Personally identifiable financial information; and

(ii) Any list, description or other grouping of consumers, and publicly available information pertaining to them, that is derived using any personally identifiable financial information that is not publicly available information.

(2) Nonpublic personal information does not include:

(i) Publicly available information, except as included on a list described in paragraph (t)(1)(ii) of this section or when the publicly available information is disclosed in a manner that indicates the individual is or has been your consumer; or

(ii) Any list, description or other grouping of consumers, and publicly available information pertaining to them, that is derived without using any personally identifiable financial information that is not publicly available information.

(3) Examples of lists. (i) Nonpublic personal information includes any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available information, such as account numbers.

(ii) Nonpublic personal information does not include any list of individuals' names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available information, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.

(v)(1) Personally identifiable financial information means any information:

(i) A consumer provides to you to obtain a financial product or service from you;

(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or

(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

(2) Examples—(i) Information included. Personally identifiable financial information includes:

(A) Information a consumer provides to you on an application to open a commodity interest trading account, to invest in a commodity pool, or to obtain another financial product or service;

(B) Account balance information, payment history, overdraft history, margin call history, trading history, and credit or debit card purchase information;

(C) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;

(D) Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;

(E) Any information you collect through an Internet “cookie” (an information-collecting device from a web server); and

(F) Information from a consumer report.

(ii) Information not included. Personally identifiable financial information does not include:

(A) A list of names and addresses of customers of an entity that is not a financial institution; or

(B) Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names or addresses.

(w)(1) Publicly available information means any information that you reasonably believe is lawfully made available to the general public from:

(i) Federal, state or local government records;

(ii) Widely distributed media; or

(iii) Disclosures to the general public that are required to be made by federal, state or local law.

(2) Examples—(i) Reasonable belief. (A) You have a reasonable belief that information about your consumer is made available to the general public if you have confirmed, or your consumer has represented to you, that the information is publicly available from a source described in paragraphs (v)(1)(i)-(iii) of this section.

(B) You have a reasonable belief that information about your consumer is made available to the general public if you have taken steps to submit the information, in accordance with your internal procedures and policies and with applicable law, to a keeper of federal, state or local government records that is required by law to make the information publicly available.

(C) You have a reasonable belief that an individual's telephone number is lawfully made available to the general public if you have located the telephone number in the telephone book or on an internet listing service, or the consumer has informed you that the telephone number is not unlisted.

(D) You do not have a reasonable belief that information about a consumer is publicly available solely because that information would normally be recorded with a keeper of federal, state or local government records that is required by law to make the information publicly available, if the consumer has the ability in accordance with applicable law to keep that information nonpublic, such as where a consumer may record a deed in the name of a blind trust.

(ii) Government records. Publicly available information in government records includes information in government real estate records and security interest filings.

(iii) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper, or a web site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or a site operator requires a fee or password, so long as access is available to the general public.

(x) Swap dealer. The term “swap dealer” has the same meaning as in section 1a(49) of the Commodity Exchange Act, 7 U.S.C. 1 et seq., as may be further defined by this title, and includes any person registered as such thereunder.

(y) You means:

(1) Any futures commission merchant;

(2) Any retail foreign exchange dealer;

(3) Any commodity trading advisor;

(4) Any commodity pool operator;

(5) Any introducing broker;

(6) Any major swap participant; and

(7) Any swap dealer.

(z) Retail foreign exchange dealer has the same meaning as in § 5.3(i)(1) of this chapter.

[66 FR 21252, Apr. 27, 2001, as amended at 75 FR 55450, Sept. 10, 2010; 76 FR 43878, July 22, 2011]
Subpart A—Privacy and Opt Out Notices [§ 160.4 - § 160.9]
Subpart B—Limits on Disclosures [§ 160.10 - § 160.12]
Subpart C—Exceptions [§ 160.13 - § 160.15]
Subpart D—Relation to Other Laws; Effective Date [§ 160.16 - § 160.30]
Appendix A to Part 160—Model Privacy Form

A. The Model Privacy Form

B. General Instructions

1. How the Model Privacy Form Is Used

(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 160.6 and 160.7 of this part.

(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.

(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681-1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.

(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.

(a) Page One. The first page consists of the following components:

(1) Date last revised (upper right-hand corner).

(2) Title.

(3) Key frame (Why?, What?, How?).

(4) Disclosure table (“Reasons we can share your personal information”).

(5) “To limit our sharing” box, as needed, for the financial institution's opt-out information.

(6) “Questions” box, for customer service contact information.

(7) Mail-in opt-out form, as needed.

(b) Page Two. The second page consists of the following components:

(1) Heading (Page 2).

(2) Frequently Asked Questions (“Who we are” and “What we do”).

(3) Definitions.

(4) “Other important information” box, as needed.

3. The Format of the Model Privacy Form

The format of the model form may be modified only as described below.

(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.

(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.

(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.

(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.

(e) Languages. The model form may be translated into languages other than English.

C. Information Required in the Model Privacy Form

The information in the model form may be modified only as described below:

1. Name of the Institution or Group of Affiliated Institutions Providing the Notice

Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.

2. Page One

(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.

(b) General instructions for the “What?” box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.

(2) Institutions must use five (5) of the following terms to complete the bulleted list: Income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.

(c) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don't share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.

(d) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. This reason incorporates sharing information under §§ 160.14 and 160.15 and with service providers pursuant to § 160.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.

(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 160.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 160.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(4) For our affiliates' everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.

(5) For our affiliates' everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.

(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution's affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form. Note: The CFTC's Regulations do not address the affiliate marketing rule.

(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 160.7 and 160.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.

(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.

(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.

(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.

(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.

(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”

(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “Do not allow your affiliates to use my personal information to market to me.”

(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 160.10(a) of this part, it must include in the mail-in opt-out form the following statement: “Do not share my personal information with nonaffiliates to market their products and services to me.”

(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “Do not share my personal information to market to me.” or “Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “Do not share my personal information with other financial institutions to jointly market to me.”

(h) Barcodes. A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.

3. Page Two

(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:

(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 160.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important information” box, or, if that box is not included in the institution's form, directly following the “Definitions.” The list may appear in a multi-column format.

(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution's use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.

(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver's license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.

(4) “Why can't I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.

(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.

(b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.

(1) Affiliates. As required by § 160.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:

(i) If it has no affiliates, state: “[name of financial institution] has no affiliates”;

(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates”; or

(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].”

(2) Nonaffiliates. As required by § 160.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:

(i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you”; or

(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”

(3) Joint Marketing. As required by § 160.13 of this part, where [joint marketing] appears, the financial institution must:

(i) If it does not engage in joint marketing, state: “[name of financial institution] doesn't jointly market”; or

(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”

(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.

(1) State and/or international privacy law information; and/or

(2) Acknowledgment of receipt form.

[74 FR 62975, Dec. 1, 2009]
Appendix B to Part 160—Sample Clauses

This appendix only applies to privacy notices provided before January 1, 2011. Financial institutions, including a group of financial holding company affiliates that use a common privacy notice, may use the following sample clauses, if the clause is accurate for each institution that uses the notice. Note that disclosure of certain information, such as assets, income and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act, such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.

A-1—Categories of Information You Collect (All Institutions)

You may use this clause, as applicable, to meet the requirement of § 160.6(a)(1) to describe the categories of nonpublic personal information you collect.

Sample Clause A-1

We collect nonpublic personal information about you from the following sources:

• Information we receive from you on applications or other forms;

• Information about your transactions with us, our affiliates or others; and

• Information we receive from a consumer reporting agency.

A-2—Categories of Information You Disclose (Institutions That Disclose Outside of the Exceptions)

You may use one of these clauses, as applicable, to meet the requirement of § 160.6(a)(2) to describe the categories of nonpublic personal information you disclose. You may use these clauses if you disclose nonpublic personal information other than as permitted by the exceptions in §§ 160.13, 160.14 and 160.15.

Sample Clause A-2, Alternative 1

We may disclose the following kinds of nonpublic personal information about you:

• Information we receive from you on applications or other forms, such as [provide illustrative examples, such as “your name, address, Social Security number, assets and income”];

• Information about your transactions with us, our affiliates or others, such as [provide illustrative examples, such as “your account balance, payment history, parties to transactions and credit card usage”]; and

• Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as “your creditworthiness and credit history”].

Sample Clause A-2, Alternative 2

We may disclose all of the information that we collect, as described [describe location in the notice, such as “above” or “below”].

A-3—Categories of Information You Disclose and Parties To Whom You Disclose (Institutions That Do Not Disclose Outside of the Exceptions)

You may use this clause, as applicable, to meet the requirements of §§ 160.6(a)(2), (3) and (4) to describe the categories of nonpublic personal information about customers and former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose. You may use this clause if you do not disclose nonpublic personal information to any party, other than as is permitted by the exceptions in §§ 160.14 and 160.15.

Sample Clause A-3

We do not disclose any nonpublic personal information about our customers or former customers to anyone, except as permitted by law.

A-4—Categories of Parties To Whom You Disclose (Institutions That Disclose Outside of the Exceptions)

You may use this clause, as applicable, to meet the requirement of § 160.6(a)(3) to describe the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information. You may use this clause if you disclose nonpublic personal information other than as permitted by the exceptions in §§ 160.13, 160.14 and 160.15, as well as when permitted by the exceptions in §§ 160.14 and 160.15.

Sample Clause A-4

We may disclose nonpublic personal information about you to the following types of third parties:

• Financial service providers, such as [provide illustrative examples, such as “mortgage bankers”];

• Non-financial companies, such as [provide illustrative examples, such as “retailers, direct marketers, airlines and publishers”]; and

• Others, such as [provide illustrative examples, such as “non-profit organizations”].

We may also disclose nonpublic personal information about you to nonaffiliated third parties as permitted by law.

A-5—Service Provider/Joint Marketing Exception

You may use one of these clauses, as applicable, to meet the requirements of § 160.6(a)(5) related to the exception for service providers and joint marketers in § 160.13. If you disclose nonpublic personal information under this exception, you must describe the categories of nonpublic personal information you disclose and the categories of third parties with whom you have contracted.

Sample Clause A-5, Alternative 1

We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements:

• Information we receive from you on applications or other forms, such as [provide illustrative examples, such as “your name, address, Social Security number, assets and income”];

• Information about your transactions with us, our affiliates, or others, such as [provide illustrative examples, such as “your account balance, payment history, parties to transactions and credit card usage”]; and

• Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as “your creditworthiness and credit history”].

Sample Clause A-5, Alternative 2

We may disclose all of the information we collect, as described [describe location in the notice, such as “above” or “below”] to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements.

A-6—Explanation of Opt Out Right (Institutions That Disclose Outside of the Exceptions)

You may use this clause, as applicable, to meet the requirement of § 160.6(a)(6) to provide an explanation of the consumer's right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right. You may use this clause if you disclose nonpublic personal information other than as permitted by the exceptions in §§ 160.13, 160.14 and 160.15.

Sample Clause A-6

If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties you may opt out of those disclosures; that is, you may direct us not to make those disclosures (other than disclosures permitted or required by law). If you wish to opt out of disclosures to nonaffiliated third parties, you may [describe a reasonable means of opting out, such as “call the following toll-free number: (insert number)”].

A-7—Confidentiality and Security (All Institutions)

You may use this clause, as applicable, to meet the requirement of § 160.6(a)(8) to describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.

Sample Clause A-7

We restrict access to nonpublic personal information about you to [provide an appropriate description, such as “those employees who need to know that information to provide products or services to you”]. We maintain physical, electronic and procedural safeguards that comply with federal standards to safeguard your nonpublic personal information.

[66 FR 21252, Apr. 27, 2001, as amended at 74 FR 62984, Dec. 1, 2009]
authority: 7 U.S.C. 7b-2 and 12a(5); 15 U.S.C 6801,
source: 66 FR 21252, Apr. 27, 2001, unless otherwise noted.
cite as: 17 CFR 160.1