Rules and Regulations. Proposed rules
41,821 words·~190 min read·
/register/2001/03/19/01-6621A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
BILLING CODE 3410-05-P 66 53 Monday, March 19, 2001 Proposed Rules Part III Commodity Futures Trading Commission 17 CFR Part 160 Privacy of Customer Information; Proposed Rule COMMODITY FUTURES TRADING COMMISSION 17 CFR Part 160 RIN 3038-AB68 Privacy of Customer Information AGENCY: Commodity Futures Trading Commission. ACTION: Proposed rules. SUMMARY: The Commodity Futures Trading Commission requests comment on proposed privacy rules published under section 5g of the Commodity Exchange Act which directs the Commission to prescribe regulations under Title V of the Gramm-Leach-Bliley Act.
Title V requires certain federal agencies to adopt rules implementing notice requirements and restrictions on the ability of certain financial institutions to disclose nonpublic personal information about consumers to nonaffiliated third parties. Under section 503, a financial institution must provide its customers with a notice of its privacy policies and practices, and must not disclose nonpublic personal information about a consumer to nonaffiliated third parties unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure.
Section 505 further requires certain federal agencies to establish for financial institutions appropriate standards to protect customer information. The proposed rules implement these requirements of the Gramm-Leach-Bliley Act with respect to futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers that are subject to the jurisdiction of the Commission under the Commodity Exchange Act as amended. DATES: Comments must be received by April 18, 2001.
ADDRESSES: Comments should be sent to the Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, NW., Washington, DC 20581, attention: Office of the Secretariat. Comments may be sent by facsimile transmission to
(202)418-5521, or by e-mail to secretary@cftc.gov. Reference should be made to “Privacy Rules.” FOR FURTHER INFORMATION CONTACT: Susan W. Nathan, Assistant General Counsel, or Bella Rozenberg, Attorney, Office of General Counsel; Nancy E. Yanofsky, Assistant Chief Counsel, Division of Economic Analysis; or Ky Tran-Trong, Attorney, Division of Trading and Markets, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, NW., Washington, DC 20581. Telephone:
(202)418-5000, E-mail: (SNathan@cftc.gov), (BRozenberg@cftc.gov), (NYanofsky@cftc.gov), or (KTran-Trong@cftc.gov). SUPPLEMENTARY INFORMATION: The Commodity Futures Trading Commission today is proposing for public comment a new part 160, 17 CFR part 160, under Subtitle A of Title V of the Gramm-Leach-Bliley Act (Pub. L. 106-102, 113 Stat. 1338 (1999), to be codified at 15 U.S.C. 6801-6809) and the Commodity Exchange Act as amended by the Commodity Futures Modernization Act of 2000 (7 U.S.C. 1 *et seq.* , as amended by Appendix __ of Pub. L. 106-554, 114 Stat. 2763). Table of Contents I. Background II. Section-by-Section Analysis III. General Request for Comments IV. Cost-Benefit Analysis V. Related Matters A. Paperwork Reduction Act B. Regulatory Flexibility Act VI. Summary of Initial Regulatory Flexibility Analysis VII. Statutory Authority Text of Proposed Rules I. Background On November 12, 1999, President Clinton signed the Gramm-Leach-Bliley Act (GLB Act) 1 into law. Subtitle A of Title V of the Act, captioned “Disclosure of Nonpublic Personal Information” (Title V), limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a financial institution to disclose to all of its customers the institution's privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties. 2 The Commodity Futures Trading Commission (Commission) and entities subject to its jurisdiction originally were excluded from Title V's coverage. The agencies that were covered by Title V—the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of Thrift Supervision (collectively, the Banking Agencies), Secretary of the Treasury, Securities and Exchange Commission (SEC), National Credit Union Administration, and Federal Trade Commission
(FTC)(collectively with the Banking Agencies, the Agencies)—have each adopted implementing regulations under Title V. 3 1 Pub. L. 106-102, 113 Stat. 1338
(1999)(to be codified in scattered sections of 12 U.S.C. and 15 U.S.C. 2 *Id.* (to be codified at 15 U.S.C. 6801-6809). As discussed in more detail below, the GLB Act distinguishes “consumers” from “customers” for purposes of its notice requirements. Generally speaking, a customer is a consumer with whom a financial institution has established a “customer relationship.” *See* sections 502(a), 503(a) and 509(9) and
(11)of the GLB Act. 3 *See* 65 FR 40334 (June 29, 2000) (SEC); 65 FR 35162 (June 1, 2000) (Secretary of the Treasury and the Banking Agencies); 65 FR 33646 (May 24, 2000) (FTC); 65 FR 31722 (May 18, 2000) (National Credit Union Administration). *See also* 66 FR 8616 (Feb. 1, 2001) (Secretary of the Treasury and the Banking Agencies); 66 FR 8152 (Jan. 30, 2001) (National Credit Union Administration); 65 FR 54186 (Sept. 7, 2000) (FTC—advance notice of proposed rulemaking) (Guidelines for Establishing Standards for Safeguarding Customer Information). On December 21, 2000, as part of the Commodity Futures Modernization Act of 2000 (CFMA), Congress amended the Commodity Exchange Act (CEA or Act) to provide that certain entities subject to the Commission's jurisdiction—specifically, futures commission merchants (FCMs), commodity trading advisors (CTAs), commodity pool operators
(CPOs)and introducing brokers (IBs)—shall be treated as financial institutions for purposes of Title V. At the same time, Congress also amended the CEA to provide that the Commission shall be treated as a Federal functional regulator within the meaning of Title V and to require the Commission to prescribe regulations under Title V within six months. The Commission has consulted with representatives from the Agencies in drafting these proposed rules to implement Title V. The rules that we are proposing today are, to the extent possible, consistent with and comparable to the rules adopted by the Agencies. Proposed part 160 contains rules of general applicability that are substantially similar to the rules adopted by the Agencies. The proposed rules also contain examples that illustrate the application of the general rules and an appendix of sample clauses that may, to the extent applicable, be used by FCMs, CTAs, CPOs and IBs to comply with the notice and opt-out requirements. These proposed examples and sample clauses differ from those used by the Agencies in order to provide more meaningful guidance to the financial institutions subject to the Commission's jurisdiction. Furthermore, in order to minimize the compliance burden for FCMs that are also registered with the SEC as broker-dealers (“dual registrants”), the Commission is proposing to permit dual registrants to comply with part 160 by complying with the privacy rules of the SEC, which are found at 17 CFR part 248. Title V also requires the Agencies to establish appropriate standards for financial institutions subject to their jurisdiction to safeguard customer information and records. The rules that we are proposing today include requirements for FCMs, CTAs, CPOs and IBs to adopt appropriate policies and procedures that address safeguards to protect this information. We request comment on all aspects of the proposed rules as well as comment on the specific provisions and issues highlighted in the section-by-section analysis below. We specifically request comment on the proposed examples and sample clauses and any additional examples or sample clauses that would be helpful. II. Section-by-Section Analysis Section 160.1 Purpose and Scope Proposed paragraph
(a)of section 160.1 identifies three purposes of the rules. First, the rules require a financial institution to provide notice to consumers about the institution's privacy policies and practices. Second, the rules describe the conditions under which a financial institution may disclose nonpublic personal information about a consumer to a nonaffiliated third party. Third, the rules provide a method for a consumer to “opt out” of the disclosure of that information to nonaffiliated third parties, subject to certain exceptions discussed below. Proposed paragraph
(b)sets out the scope of the Commission's rules and identifies the financial institutions covered by the rules. This paragraph notes that the rules apply only to information about individuals who obtain a financial product or service primarily for personal, family, or household purposes. The financial institutions covered by the rules are FCMs, CTAs, CPOs and IBs. Consistent with section 5g of the Act, the rules as proposed apply to these categories of financial institutions whether or not they are required to register with the Commission. 4 Thus, as proposed, the rules would apply to CTAs that, pursuant to section 4m(1) of the CEA, are not required to register with the Commission because they have not advised more than 15 people in the past year and they do not hold themselves out generally to the public as CTAs. The rules also would apply to CTAs and CPOs that the Commission, by rule, has exempted from registering as a CTA or CPO. 5 The Commission solicits comment on whether it should seek to exempt some or all of these unregistered categories of CTAs and CPOs from part 160. 4 The rules, however, will not apply to institutions that operate pursuant to a provision of the CEA that excludes or exempts the underlying activity from section 5g of the Act. See, *e.g.,* 7 U.S.C. 2(d), (e), (f), (g),
(h)and 7a-3, as amended by the CFMA. 5 *See, e.g.* , 17 CFR 4.13 (exemption from registration as a CPO for the operators of certain small pools) and 17 CFR 4.14(a)(9) (exemption from registration for CTAs that do not direct client accounts or provide commodity trading advice based on, or tailored to, the commodity interest or cash market positions or other circumstances or characteristics of particular clients). Proposed paragraph
(b)also provides that part 160 does not apply to any foreign (or “non-resident”) FCM, CTA, CPO or IB that is not registered with the Commission. The Commission believes that it would be impracticable to apply part 160 to those foreign unregistered entities. If a foreign financial institution conducts activities through U.S. interstate commerce in a manner that subjects it to the registration requirements of the CEA, it is subject to the part 160 requirements and any other applicable protections to customers, such as anti-fraud protections. We do not believe that subjecting unregistered foreign entities to the obligation to provide the privacy and opt out notices under part 160 would add to the protections provided to customers under the GLB Act. The Commission, however, is seeking comment on the application of this approach to firms that are subject to a rule 30.10 order. Such firms deal directly with U.S. customers and, but for relief provided in accordance with rule 30.10, would be required to register with the Commission. We note that other federal, State, or applicable foreign laws may impose limitations on disclosures of nonpublic personal information in addition to those imposed by the GLB Act and these proposed rules. Thus, financial institutions will need to monitor and comply with relevant legislative and regulatory developments that affect the disclosure of consumer information. Proposed paragraph
(b)also makes clear that nothing in the rules is intended to supersede rules relating to medical information that have been issued by the Secretary of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d—1320d-8. 6 6 *See* 65 FR 82462 (Dec. 28, 2000). Section 160.2 Rule of Construction Paragraph
(a)of proposed § 160.2 sets out a rule of construction intended to clarify the effect of the examples used in the rules and the sample clauses in the appendix to the rules. Given the wide variety of transactions that Title V covers, the proposal would include rules of general applicability and provide examples that are intended to assist financial institutions in complying with the rule. The examples are not intended to be exhaustive; rather, they are intended to provide guidance on how the rules would apply in specific situations. The proposed rule also states that compliance with the examples will constitute compliance with the rule. 7 The Commission believes that, when read together, these provisions give financial institutions sufficient flexibility to comply with the regulation and sufficient guidance about the use of the examples. 7 *Compare* 65 FR at 35227 (OCC rules) *with* 65 FR at 40363 (SEC rules). Paragraph
(b)of proposed § 160.2 provides that an FCM that is also registered with the SEC as a broker-dealer may comply with part 160 by complying with the privacy rules of the SEC, which are found at 17 CFR part 248. The Commission invites comment on whether it should provide for a broader form of substituted compliance, by permitting an FCM that is affiliated with a financial holding company, a bank holding company, a national bank or a broker-dealer to comply with part 160 by complying with the privacy rules of the functional regulator for the affiliated entity. Section 160.3 Definitions
(a)*Affiliate.* The proposed rules incorporate the definition of “affiliate” used in section 509(6) of the GLB Act. Thus, an FCM, CTA, CPO or IB will be considered affiliated with another company if it “controls,” is controlled by, or is under common control with the other company. 8 The definition includes both financial institutions and entities that are not financial institutions. The proposed rules also provide that an FCM, CTA, CPO or IB will be considered an affiliate of another company for purposes of the privacy rules if
(i)the other company is regulated under Title V by one of the Agencies and
(ii)the privacy rules adopted by that Agency treat the FCM, CTA, CPO or IB as an affiliate of the other company. 9 8 We have defined “control” for purposes of an FCM, CPO, CTA or IB to mean the power to exercise a controlling influence over the management or policies of a company whether through ownership of securities, by contract, or otherwise. In addition, ownership of more than 25 percent of a company's voting securities creates a presumption of control of the company. *See infra* discussion of proposed § 160.3(k). *Compare* 65 FR at 35207 (Board of Governors of the Federal Reserve System). 9 Proposed § 160.3(a)(1)-(2). This part of the proposed definition is designed to prevent the disparate treatment of affiliates within a holding company structure. Without this provision, an FCM in a bank holding company structure might not be considered affiliated with another entity in that organization under the Commission's proposed rules, even though the two entities would be considered affiliated under the privacy rules of the Banking Agencies.
(b)*Clear and conspicuous.* Title V and the proposed rules require that various notices be “clear and conspicuous.” The Commission is proposing to define that term as it has been defined in the respective rules of the Agencies, with conforming changes. 10 Proposed § 160.3(b) defines the term to mean that the notice must be “reasonably understandable and designed to call attention to the nature and significance of the information in the notice.” This phrase is intended to provide meaning to the term “conspicuous.” The Commission believes that this standard will result in notices to consumers that communicate effectively the information consumers need in order to make an informed choice about the privacy of their information, including whether to open an account or enter into an advisory agreement. 10 *See, e.g.* , 12 CFR 40.3(b) (OCC rules) and 17 CFR 248.3(c) (SEC rules). *Examples of “clear and conspicuous.”* The proposed rules provide generally applicable guidance about ways in which an FCM, CTA, CPO or IB may make a disclosure clear and conspicuous. We note that the examples do not mandate how to make a disclosure clear and conspicuous. A financial institution must decide for itself how best to comply with the general rule, and may use techniques not listed in the examples. *Combination of several notices.* The Commission is aware that a document may combine different types of disclosures that are subject to specific disclosure requirements under different regulations. For example, a CTA that includes a privacy notice in its disclosure document would have to make the privacy notice clear and conspicuous, and would have to prepare the disclosure document according to certain standards under the CEA. 11 The proposed rule provides an example of how a financial institution may make privacy disclosures conspicuous, including privacy disclosures that are combined in a document with other information. 12 In order to avoid the potential conflicts between two different rules requiring different sets of disclosures that are subject to different standards, the proposed rule does not mandate precise specifications for presenting various disclosures. 11 *See* 7 U.S.C. 6m; 17 CFR Part 4. 12 *See* proposed § 160.3(b)(2)(ii)(E). Because we believe that privacy disclosures may be clear and conspicuous when combined with other disclosures, the proposal does not mandate that privacy disclosures be provided on a separate piece of paper. The requirement is not necessary and would significantly increase the burden on financial institutions. *Disclosures on Internet web pages.* The proposed rule provides guidance on how financial institutions may clearly and conspicuously disclose privacy-related information on their Internet sites. Disclosures over the Internet may present some issues that will not arise in paper-based disclosures. Consumers may view various web pages within a financial institution's web site in a different order each time they access the site, aided by hypertext links. Depending on the hardware and software used to access the Internet, some web pages may require consumers to scroll down to view the entire page. To address these issues, the proposed rule provides an example concerning Internet disclosures stating that FCMs, CTAs, CPOs and IBs may comply with the rule if they use text or visual cues to encourage scrolling down the page if necessary to view the entire notice, and ensure that other elements on the web site (such as text, graphics, hypertext links, or sound) do not distract attention from the notice. 13 The examples also note that the institution should place a notice or a conspicuous link on a screen that consumers frequently access, such as a page on which consumers conduct transactions. 13 Proposed § 160.3(b)(2)(iii). There is a range of approaches an FCM, CTA, CPO or IB could use based on current technology. For example, an FCM could use a dialog box that pops up to provide the disclosure before a consumer provides information to a financial institution. Another approach would be a simple, clearly labeled graphic located near the top of the page or in close proximity to the financial institution's logo, directing the customer, through a hypertext link or hotlink, to the privacy disclosures on a separate web page.
(c)*Collect.* The GLB Act requires a financial institution to disclose in its initial and annual notices the categories of information that the institution collects. The Commission is proposing to define this term to mean obtaining information that can be organized or retrieved by the name of the individual or by another identifying number, symbol, or other identifying particular assigned to the individual, 14 irrespective of the source of the underlying information. The proposed definition is intended to provide guidance about the information that an FCM, CTA, CPO or IB must include in its notices and to clarify that the obligations arise regardless of whether the institution obtains the information from a consumer or from some other source. This definition is not intended to include information that an FCM, CTA, CPO or IB receives but then immediately passes on without retaining a copy, as such information would not be organized and retrievable. 14 The definition uses language from the Privacy Act of 1974, 5 U.S.C. 552a.
(d)*Commission.* The term Commission means Commodity Futures Trading Commission.
(e)*Commodity pool operator.* The term commodity pool operator has the same meaning as in section 1a(5) of the Commodity Exchange Act, as amended, and includes anyone registered as such under the Act.
(f)*Commodity trading advisor.* The term commodity trading advisor has the same meaning as in section 1a(6) of the Commodity Exchange Act, as amended, and includes anyone registered as such under the Act.
(g)*Company.* The proposed rules define company to mean any corporation, limited liability company, business trust, general or limited partnership, association or similar organization.
(h)*Consumer.* The proposed rules define consumer as an individual (including his or her legal representative) who obtains a financial product or service from an FCM, CTA, CPO or IB that is to be used primarily for personal, family or household purposes. An individual also will be deemed to be a consumer for purposes of a financial institution if that institution purchases the individual's account from some other institution. The GLB Act distinguishes “consumers” from “customers” for purposes of the notice requirements imposed by that Act. As explained below in the discussion of proposed § 160.4, a financial institution must give a “consumer” the notices required under Title V only if the institution intends to disclose nonpublic personal information about the consumer to a nonaffiliated third party for a purpose that is not authorized by one of several exceptions set out in proposed §§ 160.14 and 160.15. By contrast, a financial institution must give all “customers,” not later than the time of establishing a customer relationship and annually thereafter during the continuation of the customer relationship, a notice of the institution's privacy policy. A person is a “consumer” under the proposed rules if he or she obtains a financial product or service from a financial institution that is to be used primarily for personal, family or household purposes. The definition of “financial product or service” in proposed § 160.3(m) includes, among other things, a financial institution's evaluation of an individual's application to obtain a financial product or service. Thus, a financial institution that intends to share nonpublic personal information about a consumer with nonaffiliated third parties outside of the exceptions described in §§ 160.14 and 160.15 will have to give the requisite notices, even if the application or request is denied or withdrawn. The examples that follow the definition of “consumer” explain when someone is a consumer. The examples clarify that a consumer includes someone who provides nonpublic personal information in connection with seeking to obtain commodity interest brokerage or trading or advisory services, but does not include someone who provides only name, address, and areas of investment interest in order to obtain a brochure or other information about a financial product or service. 15 An individual who has an account with an originating FCM and whose positions are carried by a clearing FCM in an omnibus account in the name of the originating FCM is not a consumer for purposes of the clearing FCM if it receives no nonpublic personal information about the consumer. 15 Individuals may provide this information, for example, on “tear-out” cards from magazines, or in telephone or Internet requests for brochures or other information. *Requirements arising from consumer relationship.* While the proposed rules define “consumer” broadly, we note that this definition will not result in any additional burden to an FCM, CTA, CPO or IB if
(i)no customer relationship is established and
(ii)the institution does not intend to disclose nonpublic personal information about the consumer to nonaffiliated third parties. Under the approach proposed, an FCM, CTA, CPO or IB is under no obligation to provide a consumer who is not a customer with any privacy disclosures unless it intends to disclose the consumer's nonpublic personal information to nonaffiliated third parties outside the exceptions in §§ 160.14 and 160.15. The institution may disclose a consumer's nonpublic personal information to nonaffiliated third parties if it delivers the requisite notices and the consumer does not opt out. Thus, as proposed, the rule allows a financial institution to avoid all of the rule's requirements for consumers who are not customers if the institution chooses not to share information about the consumers with nonaffiliated third parties except as provided in the exceptions. Conversely, if an FCM, CTA, CPO or IB chooses to share consumers' nonpublic personal information with nonaffiliated third parties, the financial institution is free to do so, provided it notifies consumers about the sharing and affords them a reasonable opportunity to opt out. In this way, the rule attempts to strike a balance between protecting an individual's nonpublic personal information and minimizing the burden on a financial institution.
(i)*Consumer reporting agency.* The proposed rules incorporate the definition of “consumer reporting agency” in section 603(f) of the Fair Credit Reporting Act (FCRA). 16 The term is used in proposed §§ 160.12 and 160.15. 16 15 U.S.C. 1681a(f).
(j)*Control.* The proposed rules define “control” for purposes of FCMs, CTAs, CPOs or IBs to mean the power to exercise a controlling influence over the management or policies of a company whether through ownership of securities, by contract, or otherwise. In addition, ownership of more than 25 percent of a company's voting securities creates a presumption of control of the company. This definition is used to determine when companies are affiliated, and would result in financial institutions being considered as affiliates regardless of whether the control is exercised by a company or individual.
(k)*Customer.* The proposed rules define “customer” as any consumer who has a “customer relationship” with a particular financial institution. As explained more fully in the discussion of proposed § 160.4 below, a consumer becomes a customer of a financial institution when he or she enters into a continuing relationship with the institution. For example, a consumer would become a customer when he or she completes the documents needed to open a commodity interest account or enters into an advisory agreement (whether written or oral). The distinction between consumers and customers determines the notices that a financial institution must provide. If a consumer never becomes a customer, the institution is not required to provide any notices to the consumer unless the institution intends to disclose nonpublic personal information about that consumer to nonaffiliated third parties (outside of the exceptions as set out in §§ 160.14 and 160.15). By contrast, if a consumer becomes a customer, the institution must provide a copy of its privacy policy before it establishes the customer relationship and at least annually during the continuation of the customer relationship.
(l)*Customer relationship.* The proposed rules define “customer relationship” as a continuing relationship between a consumer and a financial institution in which the institution provides a financial product or service that is to be used by the consumer primarily for personal, family, or household purposes. Because the GLB Act requires annual notices of the financial institution's privacy policies to its customers, we have interpreted that Act as requiring more than isolated transactions between a financial institution and a consumer to establish a customer relationship, unless it is reasonable to expect further contact about that transaction between the institution and consumer afterwards. Thus, the proposed rules define “customer relationship” as one that generally is of a continuing nature. As noted in the examples that follow the definition, this would include a commodity interest account or an advisory relationship. An FCM would have a customer relationship with a consumer when the FCM regularly enters orders for the customer, even if the FCM holds none of the customer's assets. A one-time transaction may be sufficient to establish a customer relationship, depending on the nature of the transaction. The examples that follow the definition of “customer relationship” clarify that an individual's purchase or sale of a futures or options contract through an FCM with whom the customer opens an account would be sufficient to establish a customer relationship because of the continuing nature of the service. By contrast, an individual who is merely referred by an IB to an FCM would not be the IB's customer if the IB does not regularly enter orders for the individual. 17 The Commission specifically invites comment on the nature and scope of the transactions that would be sufficient to establish a customer relationship. 17 The individual would, however, be a consumer for purposes of the IB, which would require the IB to provide notices if it intends to disclose nonpublic personal information about the consumer to nonaffiliated third parties outside of the exceptions.
(m)*Federal functional regulator.* The proposed rules define the term federal functional regulator to include the Commission and each of the Agencies. This term is used in two places. First, it is used in proposed § 160.3(a), the definition of affiliate. Second, it is used in proposed § 160.15(a)(4) for disclosures to law enforcement agencies, “including federal functional regulators.”
(n)*Financial institution.* The proposed rules define financial institution as
(i)an FCM, CTA, CPO or IB that is registered with the Commission as such or is otherwise subject to the Commission's jurisdiction, and
(ii)any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (BHCA). 18 The proposed rules exempt from the definition of “financial institution” those entities specifically excluded by the GLB Act, except to the extent those entities were brought within the scope of Title V by section 5g of the CEA. 18 12 U.S.C. 1843(k). The GLB Act excludes “any person or entity” that is subject to the Commission's jurisdiction from Title V's coverage. 19 Section 5g of the CEA partially reverses that exclusion by providing that certain entities subject to the Commission's jurisdiction—specifically, FCMs, CTAs, CPOs and IBs—shall be covered by Title V with respect to their financial activity. 20 The proposed rule retains the exclusion of the GLB Act, to the extent that it has not been superseded by section 5g of the CEA, to make clear that floor brokers and various trading facilities and clearing organizations that are subject to the Commission's jurisdiction are not “financial institutions” for purposes of the GLB Act. 19 Section 509(3)(B) of the GLB Act provides: Notwithstanding subparagraph (A), the term “financial institution” does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act. 20 Section 5g of the CEA provides: Notwithstanding section 509(3)(B) of the Gramm-Leach-Bliley Act, any futures commission merchant, commodity trading advisor, commodity pool operator, or introducing broker that is subject to the jurisdiction of the Commission under this Act with respect to any financial activity shall be treated as a financial institution for purposes of title V of such Act with respect to such financial activity.
(o)*Financial product or service.* The proposed rules define “financial product or service” as a product or service
(i)that an FCM, CTA, CPO or IB could offer that is subject to the Commission's jurisdiction, or
(ii)that a financial institution could offer that is financial in nature, or incidental to such a financial activity, under section 4(k) of the BHCA. An activity that is complementary to a financial activity, as described in section 4(k), is not included in the definition of “financial product or service” under this part. The Commission's proposed definition of “financial product or service” differs from that of the other Agencies to the extent that it includes any product or service that an FCM, CTA, CPO or IB could offer subject to the Commission's jurisdiction that is not otherwise included as a financial activity under section 4(k) of the BHCA. The other Agencies have defined financial product or service as any product or service that a financial institution could offer that is financial in nature, or incidental to such a financial activity, under section 4(k) of the BHCA. The Commission's proposed broader definition would include certain activity—such as acting as a CPO—which is not financial in nature, or incidental to such a financial activity, under section 4(k) of the BHCA. 21 The Commission's proposed definition of “financial product or service” is designed to implement Congress” intent in section 5g of the CEA that customers of FCMs, CTAs, CPOs and IBs be accorded the same privacy rights as customers of other financial institutions and is solely for purposes of part 160. The Commission specifically invites comments on its proposed definition of financial product or service. 21 *See* 12 CFR 225.86 (66 FR 400, 418 (Jan. 3, 2001)). The proposed definition includes the financial institution's evaluation of information collected in connection with an application by a consumer for a financial product or service even if the application ultimately is rejected or withdrawn. It also includes the distribution of information about a consumer for the purpose of assisting the consumer to obtain a financial product or service.
(p)*Futures commission merchant.* The term futures commission merchant has the same meaning as in section 1a(20) of the Commodity Exchange Act, as amended, and includes anyone registered as such under the Act.
(q)*GLB Act.* The term GLB Act means the Gramm-Leach-Bliley Act (Pub. L. 106-102, 113 Stat. 1338 (1999)).
(r)*Introducing broker.* The term introducing broker has the same meaning as in section 1a(23) of the Commodity Exchange Act, as amended, and includes anyone registered as such under the Act.
(s)*Nonaffiliated third party.* The proposed rule would define nonaffiliated third party to mean any person (including natural persons as well as corporate entities) except
(i)an affiliate of a financial institution and
(ii)a joint employee of a financial institution and a third party. Information received by a joint employee will be deemed to have been given to the financial institution that is providing the financial product or service in question. Thus, for example, if an employee of a broker-dealer is also an employee of an FCM, information that the employee received in connection with a securities transaction conducted with the broker-dealer would be considered as received by the broker-dealer.
(t)*Nonpublic personal information.* Section 509(4) of the GLB Act defines “nonpublic personal information” to mean “personally identifiable financial information” that
(i)is provided by a consumer to a financial institution,
(ii)results from any transaction with the consumer or any service performed for the consumer, or
(iii)is otherwise obtained by the financial institution. The term also includes any “list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived using any nonpublic personal information that is not publicly available information.” The GLB Act excludes publicly available information (unless provided as part of the list, description, or other grouping described above), as well as any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using nonpublic personal information. The GLB Act does not define either “personally identifiable financial information” or “publicly available information.” The proposed rule implements the definition of “nonpublic personal information” under the GLB Act by restating the categories of information described above. The proposed rule provides that information will be deemed to be “publicly available” and therefore excluded from the definition of “nonpublic personal information” if an FCM, CTA, CPO or IB reasonably believes that the information is lawfully made available to the general public from one of the three categories of sources listed in the rule. 22 The examples provided in the proposed rule clarify when an FCM, CTA, CPO or IB has a reasonable belief that information is lawfully made available to the general public. For example, an institution would have a reasonable belief if
(i)the institution has confirmed, or the consumer has represented, that the information is publicly available from a public source, or
(ii)the institution has taken steps to submit the information, in accordance with its internal procedures and policies and with applicable law, to a keeper of federal, State, or local government records who is required by law to make the information publicly available. 23 The examples also state that an FCM, CTA, CPO or IB would have a reasonable belief that a telephone number is publicly available if the institution located the number in a telephone book or Internet listing service or if the consumer told the institution that the number is not unlisted. 24 Moreover, the examples make clear that an institution may not assume information about a particular consumer is publicly available simply because that type of information is normally provided to a government record keeper and made available to the public by the record keeper, because the consumer may have the ability to keep that information nonpublic or to screen his or her identity. 22 *See* proposed § 60.3(v)(1). 23 *See* proposed § 160.3(v)(2)(i)(B). 24 *See* proposed § 160.3(v)(2)(i)(C). The approach of the proposed rule is the same as that taken by the Agencies in their rules 25 and is based on the underlying principle that a consumer in many circumstances can control the public availability or identification of his or her information and that a financial institution therefore should not assume that the information about that consumer is in fact publicly available. Thus, even though a lender typically enters a mortgage in public records in order to protect its security interest, when a borrower can maintain the privacy of his or her personal information by owning the property and obtaining the loan through a separate legal entity, the customer's name would not appear in the public record. In the case of a telephone number, a person may request that his or her number be unlisted. Thus, in evaluating whether it is reasonable to believe that information is publicly available, a financial institution must determine whether the consumer has kept the information or his or her identity from being a matter of public record. 25 *See, e.g.* , 65 FR at 35208 (Board of Governors of the Federal Reserve System); 65 FR at 35218 (Federal Deposit Insurance Corporation); 65 FR at 40364-65 (SEC). To implement the complex definition of “nonpublic personal information” that is provided in the statute, the proposed rule would adopt a definition that consists, generally speaking, of
(i)personally identifiable financial information, plus
(ii)a consumer list or description or grouping of consumers (and publicly available information pertaining to the consumers) that is derived using any personally identifiable financial information that is not publicly available information. From that body of information, the proposed rule excludes publicly available information (except as noted above or if the information is disclosed in a manner that indicates that the individual is the institution's consumer) and any consumer list that is derived without using personally identifiable financial information that is not publicly available information. 26 Examples illustrate how this definition applies in the context of consumer lists. 27 26 *See* proposed § 160.3(t)(2). 27 *See* proposed § 160.3(t)(3).
(u)*Personally identifiable financial information. * As discussed above, the GLB Act defines “nonpublic personal information” to include, among other things, “personally identifiable financial information” but does not define the latter term. As a general matter, the proposed rules treat any personally identifiable information as financial if the financial institution obtains the information in connection with providing a financial product or service to a consumer. We believe that this approach reasonably interprets the word “financial” and creates a workable and clear standard for distinguishing information that is financial from other personal information. This interpretation would cover a broad range of personal information provided to a financial institution, including, for example, information about the consumer's health. The proposed rules define “personally identifiable financial information” to include three categories of information. The first category includes any information that a consumer provides a financial institution in order to obtain a financial product or service from the institution. As noted in the examples that follow the definition, this would include information provided on an application to obtain a loan, credit card, or other financial product or service. If, for example, a consumer provides medical information on an application to obtain a financial product or service, that information would be considered “personally identifiable financial information” for purposes of the proposed rules. Similarly, information that may be required for financial planning purposes, including details about retirement and family obligations, such as the care of a disabled child, would be covered by the definition. The second category includes any information about a consumer resulting from any transaction between the consumer and the financial institution involving a financial product or service. This would include, as noted in the examples following the definition, information about account balance, payment or overdraft history, credit or debit card purchases or financial products purchased or sold. The third category includes any financial information about a consumer otherwise obtained by the financial institution in connection with providing a financial product or service. This would include information obtained through an information-collecting device from a web server, often referred to as a “cookie.” It would also include information from a consumer report or from an outside source to verify information a consumer provides on an application to obtain a financial product or service. It would not, however, include information that is publicly available (unless, as previously noted, the information is part of a list of consumers that is derived using personally identifiable financial information). The examples clarify that the definition of “personally identifiable financial information” does not include a list of names and addresses of people who are customers of an entity that is not a financial institution. Thus, the names and addresses of people who subscribe, for instance, to a particular magazine would fall outside the definition. The examples also clarify that aggregate information (or “blind data”) lacking personal identifiers is not covered by the definition of “personally identifiable financial information.”
(v)*Publicly available information. * The proposed rules define “publicly available information” as information the financial institution reasonably believes is lawfully made available to members of the general public from three broad types of sources. 28 First, it includes information from official public records, such as real estate recordations or security interest filings. Second, it includes information from widely distributed media, such as a telephone book, radio program, or newspaper. Third, it includes information from disclosures required to be made to the general public by federal, State, or local law, such as securities disclosure documents. The proposed rules state that information obtained over the Internet will be considered publicly available information if the information is obtainable from a site available to the general public on an unrestricted basis. 29 28 We recognize that some information that is available to the general public may have been published illegally. In some cases, such as a list of customer account numbers posted on a web site, the publication will be obviously unlawful. In other cases, the legality of the publication may be unclear or unresolved. The proposed rule would provide that information is “publicly available” if the institution reasonably believes that information is lawfully available to the public. 29 The examples further explain that an Internet site is not restricted merely because an Internet service provider or a site operator requires a fee or password as long as access is otherwise available to the general public. This recognizes that the “widely distributed” requirement focuses on whether the information is lawfully available to the general public, rather than on the type of medium from which information is obtained. As discussed in greater detail above, the proposed rules treat information as publicly available if it could be obtained from one of the public sources listed in the rules. If an institution reasonably believes the information is lawfully made available to the general public from one of the listed public sources, then the information will be considered publicly available and excluded from the scope of “nonpublic personal information,” whether or not the institution obtains it from a publicly available source (unless, as previously noted, it is part of a list of consumers that is derived using personally identifiable financial information). Under this approach, the fact that a consumer has given information to a financial institution would not automatically extend to that information the protections afforded to nonpublic personal information. The proposal incorporates the concept of information being lawfully obtained. Thus, under the proposal, information unlawfully obtained will not be deemed to be publicly available notwithstanding that it may be available to the general public through widely distributed media.
(w)*You. * The proposed rules define you as any FCM, CTA, CPO or IB subject to the jurisdiction of the Commission. The term “you” is used in order to make the rules easier to understand and use. Subpart A—Privacy and Opt Out Notices Section 160.4 Initial Privacy Notice to Consumers Required *Initial notice required. * The GLB Act requires that a financial institution provide an initial notice of its privacy policies and practices in two circumstances. For customers, the notice must be provided at the time of establishing a customer relationship. For consumers who do not, or have not yet, become customers, the notice must be provided before disclosing nonpublic personal information about the consumer to a nonaffiliated third party. Paragraph
(a)of proposed § 160.4 states the general rule regarding these notices. A financial institution must provide a clear and conspicuous notice, as defined in proposed § 160.3(b), that accurately reflects the institution's privacy policies and practices. Accordingly, a financial institution must maintain the protections that its notice represents it will provide. The Commission expects that FCMs, CTAs, CPOs and IBs will take appropriate measures to adhere to their stated privacy policies and practices. The proposed rules do not prohibit two or more institutions from providing a joint initial, annual or opt out notice, as long as the notice is delivered in accordance with the rules and is accurate with respect to all institutions. For example, institutions that could provide joint notices include:
(i)An IB and its FCM;
(ii)a CTA and the FCM carrying the customer's account; and
(iii)a clearing FCM and an executing FCM. Similarly, the rules do not preclude an institution from establishing different privacy policies and practices for different categories of consumers, customers or products so long as each particular consumer or customer receives a notice that is accurate with respect to that individual. *Notice to customers. * The proposed rules require that a financial institution provide an individual a privacy notice not later than the time that it establishes a customer relationship subject to the limited circumstances set forth in paragraph (e), as discussed below. Thus, the initial notice may be provided at the same time an FCM, CTA, CPO or IB is required to give other notices, such as the rule 1.55 risk disclosure statement that an FCM or IB is required to provide before opening an account for a customer and the part 4 disclosure document that a CPO or CTA is required to provide before soliciting or accepting funds from pool participants (in the case of a CPO) or soliciting or entering into an agreement to direct a client's account (in the case of a CTA). 30 This approach is intended to strike a balance between
(i)ensuring that consumers will receive privacy notices at a meaningful point during the process of “establishing a customer relationship” and
(ii)minimizing unnecessary burdens on FCMs, CTAs, CTOs and IBs that may otherwise result if the rule were to require financial institutions to provide consumers with a series of notices at various times in a transaction. 30 The Commission recognizes that the disclosure requirements of part 4 apply as early as the solicitation stage, which often occurs before a customer relationship has been established. *See* 17 CFR 4.21 (CPO disclosure document) and 17 CFR 4.31 (CTA disclosure document). In these circumstances, a CPO or CTA would not be required to provide the initial privacy notice until such time as the customer relationship has been established, although it could elect to provide the notice earlier at the time of the solicitation. Paragraph
(c)of proposed § 160.4 identifies the time a customer relationship is established as the point at which a financial institution and a consumer enter into a continuing relationship. The examples in paragraph
(c)clarify that, for customer relationships that are contractual in nature including, for example, a commodity interest advisory relationship, a customer relationship is established when the customer enters into the contract (whether written or oral) that is necessary to engage in the activity in question. Thus, for example, a customer relationship is established with an FCM when the customer executes a commodity interest trade through the FCM or opens an account with the FCM under its procedures. We request comment on whether there are other times at which customer relationships with FCMs, CTAs, CPOs and IBs may be established. *Notice to consumers. * For consumers who do not establish a customer relationship, the initial privacy notice may be provided at any point before the financial institution discloses nonpublic personal information to nonaffiliated third parties. As provided in paragraph
(b)of proposed § 160.4, if the institution does not intend to disclose the information in question or intends to make only those disclosures that are authorized by one of the exceptions or as required by law, the institution is not required to provide the initial notice. 31 31 *See * proposed §§ 160.13, 160.14, 160.15. *How to provide notice. * When you are required by this proposed section to deliver an initial privacy notice, the notice must be delivered according to the provisions of proposed § 160.9. The general rule requires that the initial notice be provided so that each recipient can reasonably be expected to receive actual notice. *Existing customers. * Proposed paragraph
(d)provides that a financial institution is not required to provide new notices for new products or services if it has previously provided the same customer with an initial, revised, or annual notice (as appropriate) that is accurate with respect to the new product or service. *Exceptions to allow subsequent delivery of notice. * Proposed paragraph
(e)permits a financial institution to provide subsequent delivery of the initial notice required by proposed paragraph (a)(1) within a reasonable time after the customer relationship is established in three instances. First, the institution may provide notice after the fact if the customer has not elected to establish the customer relationship. This might occur, for example, when a commodity interest account is transferred from one FCM to another by a trustee in a commodity broker liquidation proceeding under chapter 11 of the Bankruptcy Code. 32 Second, a financial institution may send a notice after establishing a customer relationship when to do otherwise would substantially delay the consumer's transaction and the consumer agrees to receive the notice at a later time. An example of this is when a customer requests over the telephone that an FCM execute a trade. The final example states that delayed delivery is permissible when a nonaffiliated financial institution establishes a customer relationship on behalf of the customer. 32 *See * 11 U.S.C. 761-766. We note that in most situations, a financial institution should give the initial notice at a point when the consumer still has a meaningful choice about whether to enter into the customer relationship. The exceptions listed in the examples, while not exhaustive, are intended to illustrate the less frequent situations when delivery either would pose a significant impediment to the conduct of a routine business practice or the consumer agrees to receive the notice later in order to obtain a financial product or service immediately. Section 160.5 Annual Privacy Notice to Customers Required Section 503 of the GLB Act requires a financial institution to provide notices of its privacy policies and practices to its customers at least annually. Proposed § 160.5 implements this requirement by providing that a clear and conspicuous notice that accurately reflects the institution's current privacy policies and practices be provided at least once during any period of twelve consecutive months during which the customer relationship exists. The rules governing how to provide an initial notice also apply to annual notices. Section 503(a) of the GLB Act requires that the annual notice be provided “during the continuation” of a customer relationship. Accordingly, the proposed rules state that a financial institution is not required to provide an annual notice to a customer with whom it no longer has a continuing relationship. For example, a customer becomes a former customer when the individual's account is closed. The Commission invites comment generally on whether there are other situations in which an individual may have an account with a financial institution but the customer relationship has ended. We also invite comment on the regulatory burden of providing annual notices and on the methods financial institutions anticipate using to provide the notices. Section 160.6 Information To Be Included in Privacy Notices Section 503 of the GLB Act identifies the categories of information that must be included in a financial institution's initial and annual privacy notices and establishes the general requirement that a financial institution must provide customers with a notice describing the institution's policies and practices with respect to, among other things, disclosing nonpublic personal information to both affiliates and nonaffiliated third parties. Section 503(b) of the GLB Act identifies certain elements that the notice must address. The required content is the same for initial and annual notices of privacy policies and practices. While the information contained in the notices must be accurate as of the time the notices are provided, a financial institution may prepare its notices based on current and anticipated policies and practices. Paragraph
(a)of proposed § 160.6 prescribes the information to be included; proposed paragraph
(c)provides examples of how to comply with this requirement.
(1)*Categories of nonpublic personal information that a financial institution may collect. * Section 503(b)(2) of the GLB Act requires a financial institution to inform its customers about the categories of nonpublic personal information that the institution collects. Proposed § 160.6(a)(1) implements this requirement and provides an example of compliance that focuses on the source of the information collected. As described in the example, a financial institution will satisfy this requirement if it categorizes the information according to the sources, such as application information, transaction information, and consumer report information. While financial institutions may provide more detail about the categories and information collected, they are not required to do so.
(2)*Categories of nonpublic personal information that a financial institution may disclose. * Section 503(a)(1) of the GLB Act requires the financial institution's initial and annual notice to provide information about the categories of nonpublic personal information that may be disclosed either to affiliates or nonaffiliated third parties. Proposed rule 160.6(a)(2) implements this requirement. The examples of how to comply with this rule focus on the content of the information to be disclosed. A financial institution may satisfy this requirement by categorizing information according to source and providing examples of the content of this information. These categories might include application information (such as assets, income, and investment goals), identifying information (such as name, address and social security number), transaction information (such as information about account activity and balances), and information from consumer reports (such as credit history). Financial institutions may choose to provide more detailed information in the initial and annual notices. If a financial institution does not disclose, and does not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, its initial and annual notices may simply state this fact without further elaboration about categories of information disclosed. 3. *Categories of affiliates and nonaffiliated third parties to whom a financial institution discloses nonpublic personal information. * Section 503(a) of the GLB Act includes a general requirement that a financial institution provide notice to its customers of the institution's policies and practices with respect to disclosing nonpublic personal information to affiliates and nonaffiliated third parties. Section 503(b) provides that the notice required by section 503(a) must include certain specified items, including the requirement that a financial institution inform its customers about its policies and practices with respect to disclosing nonpublic personal information to nonaffiliated third parties. We believe that sections 503(a) and 503(b) of the GLB Act, when read together, require a financial institution's notice to address disclosures of nonpublic personal information to both affiliates and nonaffiliated third parties. Proposed rule 160.6(a)(3) implements the notice requirement of section 503. The example explains that a financial institution will adequately categorize the affiliates and nonaffiliated third parties to whom it discloses nonpublic information about consumers if it identifies the types of businesses in which they engage. Types of business may be described in general terms, such as financial products or services, if the financial institution provides examples of the significant types of businesses engaged in by the recipient. Section 502(e) of the GLB Act creates exceptions to the requirements that apply to the disclosure of nonpublic personal information to nonaffiliated third parties. The Act does not require a financial institution to list the categories of persons to whom information may be disclosed under any of the enumerated exceptions. Accordingly, proposed rule 160.6(a)(4) requires only that a financial institution inform customers that it makes disclosures as permitted by law to nonaffiliated third parties in addition to those described in the notice. The Commission invites comment on whether such notice would be adequate. If a financial institution does not disclose, and does not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, its initial and annual notices may state this fact without further elaboration about categories of third parties. 4. *Information about former customers. * Section 503(a)(2) of the GLB Act requires that the financial institution's initial and annual privacy notices include the institution's policies and practices with respect to disclosing nonpublic personal information about persons who have ceased to be customers of the financial institution. Section 503(b)(1)(B) requires that this information be provided with respect to information disclosed to nonaffiliated third parties. We believe that, read together, sections 503(a)(2) and (b)(1)(B) require a financial institution to include in its initial and annual notices the institution's policies and practices with respect to sharing information about former customers with all affiliates and nonaffiliated third parties. Proposed rule 160.6(a)(4) sets forth this requirement. This rule does not require a financial institution to provide notice to a former customer before sharing nonpublic personal information about the former customer with an affiliate. 5. *Information disclosed to service providers.* Section 502(b)(2) of the GLB Act permits a financial institution to disclose nonpublic personal information about a consumer to a nonaffiliated third party that performs services for the institution, including marketing financial products or services under a joint agreement between the financial institution and at least one other financial institution. In such cases, a consumer has no right to opt out, but the financial institution must inform the consumer that it will be disclosing the information in question unless the service falls within one of the exceptions enumerated in section 502(e) of the GLB Act. Proposed rule 160.6(a)(5) implements these provisions by requiring that, if a financial institution discloses nonpublic personal information to a nonaffiliated third party under the GLB Act exception for service providers and joint marketing, it must include in its initial and annual privacy notices a separate description of the categories of information that are disclosed and the categories of third parties providing the services. A financial institution may comply with these requirements by providing the same level of detail in the notice as is required to satisfy proposed §§ 160.6(a)(2) and (3). 6. *Right to opt out.* Sections 503(a)(1) and (b)(2) of the GLB Act require a financial institution to provide customers with a notice of its privacy policies and practices concerning, among other things, disclosure of nonpublic personal information consistent with section 502 of the GLB Act. Proposed rule 160.6(a)(6) implements this section of the GLB Act by requiring the initial and annual privacy notices to explain the right to opt out of disclosures of nonpublic personal information to nonaffiliated third parties, and the methods available to exercise that right. 7. *Disclosures made under the Fair Credit Reporting Act.* Pursuant to section 503(b)(4) of the GLB Act, a financial institution's initial and annual notice must include the disclosures, if any, required under section 603(d)(2)(A)(iii) of the FCRA. 33 That section excludes from the definition of “consumer report” (and, accordingly, the protections provided under the FCRA for information contained in consumer reports) the communication of certain consumer information among affiliated entities if the consumer is notified about the disclosure of the information and given an opportunity to opt out of the information sharing. Information that can be shared among affiliates under this provision generally is personal information provided directly by the consumer to the financial institution, such as income and social security number, in addition to information contained in credit bureau reports. 33 15 U.S.C. 1681a(d)(2)(A)(iii). Proposed rule 160.6(a)(7) implements section 503(b)(4) of the GLB Act by requiring that a financial institution's initial and annual privacy notices include any disclosures the institution makes under section 603(d)(2)(A)(iii) of the FCRA. 8. *Confidentiality, security and integrity.* Pursuant to section 503(b)(3) of the GLB Act, a financial institution's initial and annual privacy notices must provide information about the institution's policies and practices with respect to protecting the nonpublic personal information of consumers. Section 503(b)(3) requires that the notices include the policies that the financial institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 501, which requires the federal functional regulators to establish standards governing the administrative, technical and physical safeguards of customer information. 34 34 *See infra* proposed rule 160.30. Proposed rule 160.6(a)(8) implements these provisions by requiring a financial institution to include in its initial and annual privacy notices the institution's policies and practices with respect to protecting the confidentiality, security and integrity of nonpublic personal information. The example in the proposed rules states that a financial institution may comply with the requirement for confidentiality and security if the institution explains such matters as who has access to the information and the circumstances under which the information may be accessed. The information about integrity should focus on the measures the financial institution takes to protect against reasonably anticipated threats or hazards. The proposed rule does not require a financial institution to disclose technical or proprietary information about how it safeguards consumer information. Section 160.7 Form of Opt Out Notice to Consumers; Opt Out Methods Proposed § 160.7 provides that any opt out notice required by § 160.10(a) must provide a clear and conspicuous notice to each consumer that accurately explains the right to opt out. The notice must inform the consumer that the institution may disclose nonpublic personal information to nonaffiliated third parties, state that the consumer has the right to opt out, and provide the consumer with a reasonable means by which to opt out. The examples outlined in paragraph (a)(2) of proposed § 160.7 state that a financial institution will provide adequate notice of the right to opt out if it identifies the categories of nonaffiliated third parties to whom the information may be disclosed and explains that the consumer may opt out of those disclosures. A financial institution that plans to disclose only limited types of information or to make disclosures only to a specific type of nonaffiliated third party may provide a correspondingly narrow notice to consumers. To minimize the number of opt out notices a financial institution must provide, however, the institution may wish to base its notices on current and anticipated information sharing plans. A new opt out notice is not required for disclosures to different types of nonaffiliated third parties or of different types of information so long as the most recent opt out notice is sufficiently broad to cover the entities or information in question. A financial institution also need not provide subsequent opt out notices when a consumer establishes a new type of customer relationship with that financial institution, unless the institution's opt out policies vary based on the type of customer relationship. The examples suggest several methods of providing reasonable means to opt out, including check-off boxes, reply forms, electronic mail addresses, and toll-free telephone numbers. A financial institution does not provide a reasonable means of opting out if the only means provided is for the consumer to write his or her own letter requesting to opt out. The Commission invites comment on whether a financial institution that provides its notice electronically should be required to provide an electronic means to opt out. Paragraph
(b)of proposed § 160.7 applies to delivery of the opt out notice the same rules that apply to delivery of the initial and annual privacy notices and clarifies that the opt out notice may be provided together with, or on the same form as, the initial and annual notices. Paragraph
(c)provides that if the opt out notice is provided after the initial notice, a financial institution must provide a copy of the initial notice along with the opt out notice. Paragraph
(d)of proposed § 160.7 states that if two or more consumers jointly obtain a financial product or service from a financial institution, the institution may provide a single opt out notice. The opt out notice must, however, explain how the financial institution will treat an opt out direction by a joint customer. The Commission invites comment on how the right to opt out should apply in the case of joint accounts. For example, should a financial institution require all parties to an account to opt out before the opt out becomes effective? If not, and only one of the parties opts out, should the opt out apply only to that party or should it apply to information about all parties to the account? Paragraph
(e)provides that a financial institution must comply with the customer's opt out as soon as reasonably practicable after receiving it. Paragraph
(f)clarifies that a consumer has the right to opt out at any time. The Commission invites comment on whether the rules should specify a time within which an opt out must be honored. Paragraph
(g)states that an opt out will continue until it is revoked by the consumer in writing or, if the consumer agrees, electronically. When a customer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal information collected by the financial institution during or related to the relationship. If that individual subsequently establishes a new customer relationship with the financial institution, the opt out direction that applied to the former relationship does not apply to the new relationship and the institution must provide a new opt out notice to the customer in connection with the new relationship. The Commission invites comment on the likely burden of complying with the requirement to provide opt out notices, the methods financial institutions anticipate using to deliver the opt out notices, and the approximate number of opt out notices they anticipate delivering and processing. Section 160.8 Revised Privacy Notices This section sets forth the rules governing a financial institution's obligations in the event the institution changes its disclosure policies. As stated in this section, a financial institution may not directly or through an affiliate disclose nonpublic personal information to a nonaffiliated third party unless the institution first provides a revised notice and a new opportunity to opt out. The institution must wait a reasonable period of time before disclosing information according to the terms of the revised notice in order to afford the consumer a reasonable opportunity to opt out. A financial institution must provide a consumer the revised notice of its policies and practices and an opt out notice in a manner such that each consumer can reasonably be expected to receive actual notice, as provided in § 160.9. Section 160.9 Delivering Privacy and Opt Out Notices Paragraph
(a)of proposed § 160.9 requires that any privacy and opt out notices provided by a financial institution be provided in a manner such that each consumer can reasonably be expected to receive actual notice in writing or, if the customer agrees, electronically. Paragraph
(b)sets forth examples of reasonable expectation of actual notice, including, for example, hand-delivery to the consumer of a printed copy of the notice, mailing a printed copy of the notice to the last known address of the consumer, and, for a consumer who conducts transactions electronically, posting the notice on the electronic site and requiring the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service. Paragraph
(c)describes additional examples of reasonable expectation of actual notice which apply only in the context of the annual privacy notice. A financial institution may reasonably expect that a customer who uses the institution's web site to obtain financial products and services will receive actual notice of the annual privacy notice if the customer has agreed to accept notices at the institution's web site and if the institution continuously posts a current notice of its privacy policies and practices in a clear and conspicuous manner on the web site. This paragraph also makes clear that a financial institution need not send the annual privacy notice to a customer who affirmatively requests no communication from the institution, provided that the notice is available upon request. Paragraph
(d)prohibits financial institutions from providing privacy notices orally. Paragraph
(e)clarifies that the requirement that a privacy policy be provided in a manner that permits a customer to retain or reaccess the policy may be satisfied if the financial institution makes available on its web site the privacy policy currently in effect. Proposed § 160.9(f) expressly permits the provision of joint notice from two or more financial institutions as long as the notice is accurate with respect to all financial institutions and identifies each institution by name. The Commission believes that FCMs, CTAs, CPOs and IBs should be able to combine initial, annual, or revised disclosures in one document and to give, on a collective basis, a consumer only one copy of the notice. For example, a clearing FCM could provide a joint notice with an executing FCM for which it clears transactions on a fully disclosed basis, or an IB could provide a joint notice with the FCM to which it introduces trades. The Commission emphasizes that this notice must be accurate for each institution that uses the notice and must identify each institution by name. Where two or more consumers jointly obtain a financial product or service from a financial institution, paragraph
(g)of proposed § 160.9 permits the financial institution to satisfy the initial, annual and revised notice requirements of this section by providing one notice to those customers jointly. The Commission invites comment with respect to whether this provision is likely to provide a reasonable expectation of actual notice in all situations. Subpart B—Limits on Disclosures Section 160.10 Limits on Disclosure of Nonpublic Personal Information to Nonaffiliated Third Parties Section 502(a) of the GLB Act generally prohibits a financial institution from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless the institution provides the consumer with notice of the institution's privacy policies and practices. Section 502(b) further requires that the financial institution provide the consumer with a clear and conspicuous notice that the consumer's nonpublic personal information may be disclosed to nonaffiliated third parties, that the consumer be given an opportunity to opt out of that disclosure, and that the consumer be informed as to how to opt out. Proposed § 160.10 implements these provisions by setting forth the criteria that a financial institution must satisfy before disclosing nonpublic personal information to nonaffiliated third parties and by defining “opt out” in a way that incorporates the exceptions to the right to opt out enunciated in proposed §§ 160.13, 160.14 and 160.15. The proposed rule requires that the opportunity to opt out be “reasonable,” which recognizes that the appropriate waiting time before disclosure will vary depending on many factors including, for example, the method of delivery of the opt out notice. The examples that follow the general rule are intended to provide guidance in situations involving notices by mail and by electronic means and notices that are to be provided in the case of isolated transactions with a consumer. In the case of mail and electronic notices, the consumer will be considered to have had a reasonable opportunity to opt out if the financial institution provides 30 days in which to opt out. In the case of an isolated transaction, the opportunity will be reasonable if the consumer must decide as part of the transaction whether to opt out before completing the transaction. The Commission invites comment on whether 30 days is a reasonable opportunity to opt out in the case of notices sent by mail and by electronic means. The requirement that a consumer have a reasonable opportunity to opt out does not mean that the consumer forfeits that right once the opportunity passes. As provided in proposed § 160.7(f), a consumer always has the right to opt out. If, however, a consumer does not exercise the opt out right when first presented with the opportunity, the financial institution would be permitted to disclose nonpublic personal information to nonaffiliated third parties during the period of time before it implements the consumer's subsequent opt out direction. All customers are consumers under the proposed rules. Accordingly, paragraph
(b)of proposed § 160.10 clarifies that the right to opt out applies regardless of whether a consumer has established a customer relationship with the financial institution. The fact that a consumer establishes a customer relationship with a financial institution does not change the institution's obligations to comply with the requirements of proposed § 160.10 before sharing nonpublic personal information about the consumer with nonaffiliated third parties. Importantly, the proposed rule applies as well in the context of a consumer who had a customer relationship with a financial institution and subsequently terminated the relationship. Paragraph
(b)establishes that the consumer protections afforded by paragraph
(a)apply to all nonpublic personal information collected by a financial institution, regardless of when collected. Thus, if a consumer elects to opt out of information sharing with nonaffiliated third parties, the election applies to all nonpublic information about the consumer in the financial institution's possession, regardless of when the information is obtained. Paragraph
(c)of proposed § 160.10 provides that a financial institution may—but is not required to—provide consumers with the option of a partial opt out in addition to the opt out required by this section. This option could enable a consumer to limit, for instance, the types of information disclosed to nonaffiliated third parties or the types of recipients of the nonpublic personal information about the consumer. If the financial institution elects to provide the partial opt out, it must state this option in a way that clearly informs the consumer about the choices available and the resulting consequences. Section 160.11 Limits on Redisclosure and Reuse of Information Section 502(c) of the GLB Act provides that a nonaffiliated third party that receives nonpublic personal information from a financial institution shall not, directly or through an affiliate, disclose the information to any person that is not affiliated with either the financial institution or the third party, unless the disclosure would be lawful if it were made directly by the financial institution. Proposed § 160.11 implements the GLB Act's restrictions on redisclosure and reuse of nonpublic personal information about consumers. The GLB Act places the institution that receives the nonpublic personal information in the shoes of the institution that discloses the information for the purpose of determining whether redisclosures by the receiving institution are lawful. Thus, the GLB Act permits the receiving institution to redisclose the information to an entity to whom the original transferring institution could disclose the information pursuant to one of the exceptions in proposed § 160.14 or § 160.15, or to an entity to whom the original transferring institution could have disclosed the information as described under its notice of privacy policies and practices, unless the consumer has exercised the right to opt out of that disclosure. Because a consumer can exercise the right to opt out of a disclosure at any time, the GLB Act may effectively preclude third parties that receive information to which the opt out right applies from redisclosing the information other than under one of the exceptions in proposed §§ 160.13, 160.14 or § 160.15. Sections 502(b)(2) and 502(e) of the GLB Act describe the circumstances under which a financial institution may disclose nonpublic personal information without providing the consumer with the initial privacy notice and an opportunity to opt out. Those exceptions apply only when the information is used for the specific purposes set forth in those sections which include, for example, disclosure as necessary to effect, administer, or enforce a transaction authorized by the consumer. Paragraph (a)(2) of proposed § 160.11 clarifies this limitation on reuse as it applies to financial institutions by providing that a financial institution may use nonpublic personal information about a consumer that it receives from a nonaffiliated financial institution in accordance with an exception under § 160.14 or § 160.15 only for the purpose of that exception. Paragraph (b)(2) applies the same restrictions on reuse to any nonaffiliated third party that received nonpublic personal information from a financial institution. Section 160.12 Limits on Sharing Account Number Information for Marketing Purposes Section 502(d) of the GLB Act prohibits a financial institution from disclosing, other than to a consumer reporting agency, account numbers or similar forms of access numbers or access codes for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or marketing through electronic mail to the consumer. Proposed § 160.12 applies this prohibition to disclosures made directly or indirectly as it has been applied by the Agencies, and incorporates the exceptions that have been established by the Agencies. 35 Thus, the proposed rule provides for two exceptions. First, it permits an FCM, CTA, CPO or IB to disclose account numbers to an agent for the purposes of marketing the institution's financial products or services so long as the agent has no authority to initiate charges to the account. Second, it permits disclosure in a private-label credit card or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program. As a matter of clarification, the proposed rule also contains an example that provides that an account number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as you do not provide the recipient with a means to decode the number or code. 35 *See, e.g.,* 17 CFR 248.12 (SEC privacy rules). Subpart C—Exceptions Section 160.13 Exception to Opt Out Requirements for Service Providers and Joint Marketing Section 502(b)(2) of the GLB Act creates an exception to the opt out rules for the disclosure of information to a nonaffiliated third party for its use to perform services for or functions on behalf of the financial institution, including the marketing of the financial institution's own products or services or financial products or services offered under a joint agreement between two or more financial institutions. A consumer will not have the right to opt out of disclosing nonpublic personal information about the consumer to nonaffiliated third parties under these circumstances if the financial institution satisfies certain requirements. Before the information may be shared, section 502(b)(2) of the GLB Act requires the institution to
(i)“fully disclose” to the consumer that it will provide this information to the nonaffiliated third party and
(ii)enter into a contractual agreement with the third party that requires the third party to maintain the confidentiality of the information. Paragraph
(a)of proposed § 160.13 would implement these provisions of the GLB Act by requiring the FCM, CTA, CPO or IB to
(i)provide the initial notice required by proposed section 160.4 and
(ii)enter into a contract that prohibits the third party from disclosing or reusing the information other than to carry out the purposes for which the information was disclosed, including use under an exception in proposed rules 160.14 and 160.15 in the ordinary course of business to carry out those purposes. The contract should be designed to ensure that the third party will maintain the confidentiality of the information at least to the same extent as is required for the financial institution that discloses it, and will use the information solely for the purposes for which the information is disclosed or as otherwise permitted under the proposed rules. 36 36 Consistent with the approach taken by the Agencies, the Commission is proposing to grandfather existing service agreements. Thus, paragraph
(c)of proposed rule 160.18 provides that contracts entered into before the date of issuance of the final regulations must be brought into compliance with § 160.13 by December 31, 2002. The Commission invites comment on any other requirements that would be appropriate to protect a consumer's financial privacy and on whether the rules should provide examples of the types of joint agreements that are covered. Section 160.14 Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions Section 502(e) of the GLB Act creates exceptions to the requirements that apply to the disclosure of nonpublic personal information to nonaffiliated third parties. Paragraph
(1)of that section provides certain exceptions for disclosures made in connection with the administration, processing, servicing and sale of a consumer's account. Proposed § 160.14 sets forth those exceptions and also the definition of “necessary to effect, administer, or enforce” contained in section 509(7) of the GLB Act. These exceptions and the exceptions discussed in proposed § 160.15, below, do not affect a financial institution's obligation to provide initial notices of its privacy policies and practices at or prior to the time it establishes a customer relationship and annual notices thereafter. These notices must be provided to all customers, even if the financial institution intends to disclose the nonpublic personal information only under the exceptions in proposed § 160.14. Section 160.15 Other Exceptions to Notice and Opt Out Requirements As discussed above, the GLB Act contains several exceptions to the requirements that otherwise would apply to the disclosures of nonpublic personal information to nonaffiliated third parties. Proposed § 160.15 sets forth the exceptions that are not made in connection with the administration, processing, servicing or sale of a consumer's account. Section 160.16 Protection of Fair Credit Reporting Act Section 506(c) of the GLB Act states that, except for the amendments regarding rulemaking authority, nothing in Title V is to be construed to modify, limit or supersede the operation of the FCRA, and no inference is to be drawn on the basis of the provisions of Title V whether information is transaction or experience information under section 603 of the FCRA. Proposed § 160.16 implements section 506(c) of the GLB Act by restating the GLB Act with clarifying changes. Section 160.17 Relation to State Laws Section 507 of the GLB Act provides that Title V does not preempt any state law that provides greater protections than are provided by Title V. Determinations whether a state law or Title V provide greater protections are to be made by the FTC after consultation with the agency that regulates either the party filing a complaint or the financial institution about which the complaint was filed. Determinations of whether state or federal law affords greater protection may be initiated by any interested party or on the FTC's own motion. Proposed § 160.17 is substantively identical to section 507, noting that the proposed rules (like the GLB Act) do not preempt state laws that provide greater protection for consumers than do the rules. Section 160.18 Effective Date; Transition Rule Proposed § 160.18 establishes an effective date for part 160 of June 21, 2001, which is the date by which the Commission is required to prescribe final rules implementing Title V. 37 Consistent with the approach taken by the other Agencies, the Commission is proposing a compliance date of December 31, 2001, in order to provide financial institutions sufficient time to bring their policies and procedures into compliance with the requirements of the final rules. The Commission is also proposing a provision that phases in compliance with respect to existing service agreements. 37 *See* section 5g of the CEA, as amended by section 124 the CFMA. Under the proposed rule, full compliance with the rules' restrictions on disclosures would be required by December 31, 2001. To be in full compliance, FCMs, CTAs, CPOs and IBs would be required to provide their existing customers with a privacy notice, an opt out notice, and a reasonable amount of time to opt out before that date. If these have not been provided, the disclosure restrictions would apply. This means that an FCM, CTA, CPO or IB would have to cease sharing customers' nonpublic personal information with nonaffiliated third parties on that date, unless it may share the information under an exception under § 160.14 or § 160.15. FCMs, CTAs, CPOs and IBs that both provide the required notices and allow a reasonable period of time to opt out before December 31, 2001, would be able to share nonpublic personal information after that date for customers who do not opt out. Under the proposed rule, FCMs, CTAs, CPOs and IBs would not be required to give initial notices to customers whose relationships had terminated before the date by which institutions must be in compliance with the rules. Thus, if under a financial institution's policies an account is inactive before December 31, 2001, then no initial notice would be required in connection with that account. However, because these former customers would remain consumers, an FCM, CTA, CPO or IB would have to provide a privacy and opt out notice to them if the institution intended to disclose their nonpublic personal information to nonaffiliated third parties beyond the exceptions in §§ 160.14 and 160.15. Section 160.30 Procedures to Safeguard Customer Information and Records Section 501 of the GLB Act directs the Agencies to establish appropriate safeguards for financial institutions relating to administrative, technical and physical safeguards to protect customer records and information. Proposed § 160.30 implements this directive by requiring every FCM, CTA, CPO or IB that is subject to the jurisdiction of the Commission to adopt policies and procedures to address the safeguards described above. Consistent with the GLB Act, the proposed rule further requires that the policies and procedures be reasonably designed to:
(i)Insure the security and confidentiality of customer records and information;
(ii)protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(iii)protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. The Commission believes it is appropriate for each financial institution to tailor its policies and procedures to its own systems of information gathering and transfer and to the needs of its customers and has not prescribed specific policies or procedures that financial institutions must adopt. The Commission requests comment on whether the proposed standards should be more specific and, if so, what specifications would be appropriate to particular financial institutions. III. General Request for Comments The Commission requests comment on the proposed rules and suggestions for additional examples that may be appropriate to include in the rules. In light of the need to promulgate regulations by June 21, 2001—six months after the enactment of the CFMA—the Commission does not anticipate extending the comment period, and encourages commenters to submit their comments as early as possible during the comment period. For purposes of the Small Business Regulatory Enforcement Fairness Act of 1996, 38 the Commission also requests information regarding the potential effect of the proposals on the U.S. economy on an annual basis. Commenters are requested to provide empirical data to support their views. 38 Pub. L. 104-121, Title II, 110 Stat. 857 (1996). IV. Cost-Benefit Analysis Section 15 of the Act requires the Commission to consider the costs and benefits of its action before issuing a new regulation under the Act. The Commission understands that, by its terms, section 15 does not require the Commission to quantify the costs and benefits of a new regulation or to determine whether the benefits of the proposed regulation outweigh its costs. Nor does it require that each proposed rule be analyzed piecemeal or in isolation when that rule is a component of a larger package of rules or rule revisions. Rather, section 15 simply requires the Commission to “consider the costs and benefits” of its action. Section 15 further specifies that costs and benefits shall be evaluated in light of five broad areas of market and public concern: Protection of market participants and the public; efficiency, competitiveness, and financial integrity of futures markets; price discovery; sound risk management practices; and other public interest considerations. Accordingly, the Commission could in its discretion give greater weight to any one of the five enumerated areas of concern and could in its discretion determine that, notwithstanding its costs, a particular rule was necessary or appropriate to protect the public interest or to effectuate any of the provisions or to accomplish any of the purposes of the Act. Proposed part 160 constitutes a package of related rule provisions. The Commission has considered their costs and benefits as a totality. The rules impose disclosure and procedural requirements that are either mandated by or fully consistent with the privacy provisions of the GLB Act and section 5g of the CEA, and thus impose no costs in addition to those already imposed. The Commission has considered the costs and benefits of this rule package in light of the specific areas of concern identified in section 15: *1. Protection of market participants and the public.* The requirements to provide opt out notices and to protect customer information will benefit market participants and the public by protecting the privacy of their nonpublic personal information. *2. Efficiency and competition.* The requirements to provide initial and annual privacy notices will benefit efficiency and competition by allowing customers to compare the privacy policies of financial institutions. The Commission's proposed rules also benefit efficiency and competition by allowing FCMs, CTAs, CPOs and IBs flexibility to distribute notices and to adopt policies and procedures to protect customer information that are best suited to the institution's business and needs. *3. Financial integrity of futures markets, price discovery and sound risk management practices.* The proposed rules should have no effect, from the standpoint of imposing costs or creating benefits, on the financial integrity or price discovery function of the futures and options markets or on the risk management practices of FCMs, CTAs, CPOs or IBs. *4. Other public interest considerations.* The proposed rules are designed to minimize the costs of compliance by providing maximum flexibility, consistent with legal requirements, for firms to design their own compliance systems. The Commission is proposing to allow FCMs that are affiliated with broker-dealers to comply with the Commission's rules by complying with the privacy rules of the SEC. This proposal should significantly reduce the compliance costs for those firms. Moreover, the proposed rules provide greater certainty to the private sector on how to comply with the GLB Act because they are consistent with and comparable to the rules adopted by the Agencies. The examples in the rules and the sample clauses in the appendix also should provide guidance on how the rules will be enforced with respect to FCMs, CTAs, CPOs and IBs. After considering these factors, the Commission has determined to propose part 160 as discussed above. The Commission invites public comment on its application of the cost-benefit provision. Commenters also are invited to submit any data that they may have quantifying the costs and benefits of the proposed rules with their comment letters. V. Related Matters A. Paperwork Reduction Act of 1995 This proposed rulemaking contains information collection requirements within the meaning of the Paperwork Reduction Act of 1995 (PR”) (44 U.S.C. 3501 *et seq.* ). The Commission has submitted a copy of this section to the Office of Management and Budget
(OMB)for its review in accordance with 44 U.S.C. 3507(d) and 5 CFR 1320.11. *Collection of Information:* Rules Relating to Part 160, Privacy of Consumer Financial Information, OMB Control Number 3038-AB68. An agency may not conduct or sponsor, and a person is not required to respond to, an information collection unless it displays a currently valid OMB control number. The Commission is currently requesting a control number for this information collection from OMB. The proposed regulation contains several disclosure requirements. The financial institutions covered by this regulation must prepare and provide the initial notice to all current customers and all new customers at the time of establishing a customer relationship (proposed § 160.4(a)). Subsequently, an annual notice must be provided to all customers at least once during a twelve-month period during the continuation of the customer relationship (proposed § 160.5(a)). The initial notice and opt out notice must be provided to a consumer prior to disclosing nonpublic personal information to certain nonaffiliated third parties. If a financial institution wishes to disclose information in a way that is inconsistent with the notices previously given to a consumer, the institution must provide consumers with revised notices (proposed § 160.8(c)). The proposed regulation also contains consumer reporting requirements. In order for consumers to opt out, they must respond to the opt out notice (proposed §§ 160.10(a)(2), (a)(3)(i), and (c)). At any time during their continued relationship with the institution, consumers have the right to change or update their opt out status with the institution (proposed §§ 160.7(f) and (g)). The Commission believes that most, if not all, financial institutions will not share nonpublic personal information about consumers with nonaffiliated third parties and will not have to provide opt out notices to consumers or customers. Thus, the Commission estimates that the annual burden of responding to an opt out notice will be nominal. The Commission requests public comment on all aspects of the collections of information contained in this proposed regulation, including consumer responses to the opt out notice and consumer changes to their opt out status with a financial institution. The initial and annual privacy notices are mandatory. The opt out notice is not mandatory for institutions that do not share nonpublic personal information with nonaffiliated third parties. The likely respondents are FCMs, CTAs, CPOs and IBs. The required notices are not submitted to the Commission, and there is no assurance of confidentiality of the collections of information. The Commission estimates that approximately 200 FCMs, 920 CTAs, 1400 CPOs and 1400 IBs will respond to the proposed regulation. The estimated burden was calculated as follows: *Estimated number of respondents:* 3,920 *Reports annually by each respondent:* 77 39 39 This number includes one initial report for reviewing (or revising) an institution's privacy policies, and 76 annual reports to individual account holders and pool participants. *Total annual responses:* 301,420 *Estimated average number of hours per response:* 0.27 *Estimated number of hours of annual burden in fiscal year:* 81,375 *Frequency of response:* Annually Organizations and individuals wishing to submit comments on the information collection requirements that would be required by this proposed regulation should direct them to the Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10202, New Executive Office Building, 725 17th Street, NW., Washington, DC 20503; Attention: Desk Officer for the Commodity Futures Trading Commission. The Commission considers comments by the public on this proposed collection of information in: • Evaluating whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have a practical use; • Evaluating the accuracy of the Commission's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; • Enhancing the quality, usefulness, and clarity of the information to be collected; and • Minimizing the burden of collection of information on those who are to respond, including through the use of appropriate automated electronic, mechanical, or other technological collection techniques or other forms of information technology; *e.g.,* permitting electronic submission of responses. OMB is required to make a decision concerning the collection of information contained in this proposed regulation between 30 and 60 days after publication of this document in the **Federal Register** . Therefore, a comment to OMB is best assured of having its full effect if OMB receives it within 30 days of publication. This does not affect the deadline for the public to comment to the Commission on the proposed regulation. Copies of the information collection submission to OMB are available from the CFTC Clearance Officer, 1155 21st Street, NW., Washington, DC 20581,
(202)418-5160. B. Regulatory Flexibility Act The Regulatory Flexibility Act
(RFA)(5 U.S.C. 601 *et seq.* ) requires that federal agencies, in proposing rules, consider the impact of those rules on small businesses. The rules proposed herein would affect all FCMs, CTAs, CPOs and IBs, including CPOs and CTAs that are exempt from registration requirements. The Commission has previously established certain definitions of “small entities” to be used by the Commission in evaluating the impact of its rules on small entities in accordance with the RFA. 40 The Commission has previously determined that registered FCMs and registered CPOs are not small entities for the purpose of the RFA. 41 With respect to IBs and CTAs, the Commission has stated that it is appropriate to evaluate within the context of a particular rule proposal whether some or all of the affected entities should be considered small entities and, if so, to analyze the economic impact on them of any rule. The Commission has decided to publish the following initial regulatory flexibility analysis and invites the public's comments on the proposed regulations' impact on small entities. 40 47 FR 18618-21 (Apr. 30, 1982). 41 *Id.* at 18619-20. 1. Reasons for the Proposed Regulation; Legal Basis for Rule Section 5g of the Act, as added by section 124 of the CFMA, makes the Commission a Federal functional regulator 42 for purposes of applying the provisions of Title V, Subtitle A of the GLB Act addressing consumer privacy to any FCM, CTA, CPO or IB that is subject to the Commission's jurisdiction with respect to any financial activity. In general, Title V requires financial institutions to provide notice to consumers about the institution's privacy policies and practices, restricts the ability of a financial institution to share nonpublic personal information about consumers to nonaffiliated third parties, and permits consumers to prevent the institution from disclosing nonpublic personal information about them to certain non-affiliated third parties by “opting out” of that disclosure. Title V also requires the Commission to establish appropriate standards for financial institutions subject to their jurisdiction to safeguard customer information and records. 42 The other federal functional regulators authorized to adopt rules implementing Title V are: The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the Secretary of the Treasury, the Securities and Exchange Commission, and the National Credit Union Administration. *See* GLB Act section 504. Each of these agencies, along with the FTC, has previously adopted final regulations implementing Title V, Subtitle A of the GLB Act. *See* note 3, *supra.* Section 5g of the Act directs the Commission to prescribe regulations necessary to implement Title V's provisions within 6 months from the date the CFMA was signed into law (December 21, 2000). The Commission believes that a regulatory promulgation will give the private sector greater certainty on how to comply with the GLB Act and clearer guidance regarding how the privacy provisions will apply with respect to FCMs, CTAs, CPOs and IBs that are subject to the Commission's jurisdiction with respect to any financial activity. 2. Requirements of the Proposed Rules; Description of Small Entities to Whom Rules Would Apply Because neither Title V of the GLB Act nor section 124 of the CFMA provide a general exception for small businesses, the proposed rules would apply to all FCMs, CTAs, CPOs and IBs, including those that are considered “small entities.” Subject to certain exceptions explained below, the proposed rule generally requires that a financial institution that is subject to the Commission's jurisdiction with respect to any financial activity ( *i.e.,* an FCM, CTA, CPO or IB) provide all of its customers the following notices:
(1)An initial privacy notice (at or prior to the time the customer relationship is established or, for existing customers, within 30 days of the rules' effective date);
(2)an opt out notice (prior to the disclosing of the individual's nonpublic personal information to nonaffiliated third parties); and
(3)an annual privacy notice for the duration of the customer relationship. A financial institution's “customer” is a consumer with whom the institution has a “continuing relationship.” A continuing relationship exists, for example, when a consumer
(i)has an account with an FCM;
(ii)has an advisory contract with a CTA; or
(iii)is a participant in a commodity pool. 43 43 The terms “consumer,” “customer,” and “customer relationship” are defined in proposed §§ 160.3(h), (k), (l). The proposed rules also require a financial institution to provide its consumers an initial privacy notice and an opt out notice prior to disclosing the individual's nonpublic personal information to nonaffiliated third parties. If a financial institution does not intend to share such information about its consumers, then the institution need not provide either notice. An institution's “consumer” includes a customer as well as an individual who has not established an ongoing relationship with a financial institution, such as an individual who applies for a financial product or service but does not obtain it, or an individual who has an FCM execute a trade without opening an account for the individual ( *e.g.,* in a give-up trade). There are many exceptions to the general rule stated above. An institution may share a consumer's nonpublic personal information with nonaffiliated third parties without having to give a privacy and opt out notice if, for example, such sharing is necessary:
(1)To effect, administer, or enforce a transaction requested or authorized by the consumer;
(2)to protect the security of records pertaining to the consumer, service, product, or transaction;
(3)to protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability; or
(4)to provide information to rating agencies or the institution's attorneys, auditors, and accountants. In addition, in cases where a financial institution enters into a contract with a nonaffiliated third party to undertake joint marketing or to have the third party perform certain functions on behalf of the institution, the institution need not give an opt out notice. In such case, the institution must disclose to the consumer that it is providing the information and enter into a contract with the third party that restricts the third party's use of the information and requires the third party to maintain confidentiality of the information. Compliance requirements will vary depending, for example, upon an institution's information sharing practices, whether the institution already has or discloses a privacy policy, and whether the institution already has established an opt-out mechanism. A financial institution would have to summarize its practices regarding its collection, sharing, and safeguarding of certain nonpublic personal information in its initial and annual notices. However, the institution may streamline its privacy notice, if it does not share that information (or shares only to the extent permitted under the exceptions). The Commission believes that a majority of financial institutions already have privacy policies in place either as part of usual and customary business practices, or as a result of initiatives undertaken to comply with the privacy provisions issued by the other Federal functional regulators. Thus, for these institutions, the costs for translating that policy into a notice format should be minimal. Further, to minimize the burden and costs of distributing privacy policies, the proposed rules do not specify the method for distributing required notices. For example, an FCM or CTA may include an annual privacy notice with periodic account statements that the FCM or CTA already sends to the customer. Customers of an IB may be provided a joint notice by the FCM carrying the customer accounts that would be applicable for both the FCM and the IB. The initial privacy notice also may be provided with other required disclosure statements, such as the risk disclosure document required under Commission Rule 1.55. The Commission estimates that the costs of distributing the notices will be minimal because institutions would include them in account statements or disclosures that the institution already sends to consumers and customers. In addition, the institution may deliver the required notices electronically with customer consent. The Commission understands that most, if not all, FCMs, CTAs, CPOs and IBs currently do not share nonpublic personal information about consumers with nonaffiliated third parties except as would be consistent with one of the many exceptions in the proposed rules. The Commission also understands that those institutions that do share information under one of the permitted exceptions generally have contract provisions that prohibit the third party's use of the information for purposes other than the purpose for which the information was shared. Thus, the Commission believes that as a result of the proposed rules, most if not all financial institutions will not have to provide opt out notices to consumers or customers, and will not need to revise their contracts with nonaffiliated third parties to restrict those parties' use of information. Section 501 of the GLB Act directs the Commission, and the other Federal functional regulators, to establish appropriate standards for administrative, technical and physical safeguards to protect customer records and information. The proposed rules implement this section by requiring every FCM, IB, CPO and CTA to adopt policies and procedures to address these safeguards. Consistent with the GLB Act, the proposed rules further require that the policies and procedures be reasonably designed to:
(i)Insure the security and confidentiality of customer records and information;
(ii)protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(iii)protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. The Commission believes that most, if not all, financial institutions already have policies and procedures to address the safety and confidentiality of consumer records and information. Nevertheless, financial institutions may review and revise their policies after the rules are adopted. The amount of time an institution will spend reviewing and revising its policies will depend, among other things, on the institution's current policies and its sharing practices. The rules do not specify the means by which institutions must ensure the safety of customer information and records in order to allow each institution to tailor its policies and procedures to its own systems of information gathering and transfer, and the needs of its customers. The Commission has estimated that a financial institution would spend 15 hours on average to revise its procedures. Professional skills needed to comply with the proposed rules may include clerical, computer systems, personnel training, as well as legal drafting and advice. The information collection requirements imposed by the GLB Act, the CFMA, and the proposed rules are further addressed in the section titled, “Paperwork Reduction Act.” 3. Relevant Federal Rules Which May Duplicate, Overlap or Conflict With the Proposed Rule While the scope of the proposed regulation (pursuant to the GLB Act and the CFMA) is unique, there may be some overlap in certain circumstances with the following laws: As noted above, the Fair Credit Reporting Act requires a financial institution that
(i)does not want to be treated as a consumer reporting agency and
(ii)desires to share certain consumer information ( *i.e.,* application or credit report information) with its affiliates, to provide the consumer with a clear and conspicuous notice and an opportunity to opt out of the information sharing. In addition, when a consumer contracts for an electronic fund transfer service, the Electronic Funds Transfer Act requires the financial institution to disclose the terms and conditions of the transfer, including under what circumstances the institution will share information concerning the consumer's account with third persons. The recently adopted Department of Health and Human Services regulations 44 that implement the Health Insurance Portability and Accountability Act of 1996 limit the circumstances under which medical information may be disclosed. Finally, the Children's Online Privacy Protection Act generally requires online service operators collecting personal information from a child to obtain parental consent and post a privacy notice on the web site. The Commission seeks comment on additional Federal rules that may duplicate, overlap, or conflict with the proposal. 44 *See* 65 FR 82462. 4. Significant Alternatives to the Proposed Rules That Minimize the Impact on Small Entities The RFA directs the Commission to consider significant alternatives that would accomplish the stated objective, while minimizing any significant adverse impact on small entities. As previously noted, the proposed rules' requirements are expressly mandated by the GLB Act and the CFMA. The proposed rules attempt to clarify, consolidate, and simplify the statutory requirements for all financial institutions, including small entities. The proposed rules also provide substantial flexibility so that any financial institution, regardless of size, may tailor its practices to its individual needs. While the Commission may grant exceptions to the provisions of Title V of the GLB Act pursuant to its broad exemptive authority under section 4(c) of the Act, the Commission must first determine that the exemption would be consistent with the public interest. As stated in section 501(a) of the GLB Act, “It is the policy of the Congress that *each* financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.” (Emphasis added.) Accordingly, the Commission believes that an exception that would create different levels of protections for consumers based on the size of the institution with whom they conduct business would not be consistent with the public interest or the purposes of Subtitle A. The Commission welcomes comment on any significant alternatives, consistent with the GLB Act, that would minimize the impact on small entities. List of Subjects in 17 CFR Part 160 Brokers, Consumer protection, Privacy, Reporting and recordkeeping requirements. Text of Proposed Rules For the reasons articulated in the preamble, the Commission proposes to amend Title 17 of the Code of Federal Regulations by adding a new part 160 to read as follows: PART 160—PRIVACY OF CONSUMER FINANCIAL INFORMATION Sec. 160.1 Purpose and scope. 160.2 Rule of construction. 160.3 Definitions. Subpart A—Privacy and Opt Out Notices 160.4 Initial privacy notice to consumers required. 160.5 Annual privacy notice to customers required. 160.6 Information to be included in privacy notices. 160.7 Form of opt out notice to consumers; opt out methods. 160.8 Revised privacy notices. 160.9 Delivering privacy and opt out notices. Subpart B—Limits on Disclosures 160.10 Limits on disclosure of nonpublic personal information to nonaffiliated third parties. 160.11 Limits on redisclosure and re-use of information. 160.12 Limits on sharing account number information for marketing purposes. Subpart C—Exceptions 160.13 Exception to opt out requirements for service providers and joint marketing. 160.14 Exceptions to notice and opt out requirements for processing and servicing transactions. 160.15 Other exceptions to notice and opt out requirements. Subpart D—Relation to Other Laws; Effective Date 160.16 Protection of Fair Credit Reporting Act. 160.17 Relation to state laws. 160.18 Effective date; compliance date; transition rule. 160.19-160.29 [Reserved] 160.30 Procedures to safeguard customer records and information. Appendix to Part 160—Sample Clauses Authority: 7 U.S.C. 7g and 8a(5); 15 U.S.C. 6801 *et seq.* § 160.1 Purpose and scope.
(a)*Purpose.* This part governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph
(b)of this section. This part:
(1)Requires a financial institution to provide notice to customers about its privacy policies and practices;
(2)Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and
(3)Provides a method for consumers to prevent a financial institution from disclosing nonpublic personal information to most nonaffiliated third parties by “opting out” of that disclosure, subject to the exceptions in §§ 160.13, 160.14, and 160.15.
(b)*Scope.* This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes from the institutions listed in this paragraph. This part does not apply to information about companies or about individuals who obtain financial products or services primarily for business, commercial, or agricultural purposes. This part applies to all futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers that are subject to the jurisdiction of the Commission, regardless whether they are required to register with the Commission. These entities are hereinafter referred to in this part as “you.” This part does not apply to foreign (non-resident) futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers that are not registered with the Commission. Nothing in this part modifies, limits or supercedes the standards governing individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d—1320d-8. § 160.2 Rule of construction.
(a)*Safe harbor.* The examples in this part and the sample clauses in the Appendix to this part are not exclusive. Compliance with an example or use of a sample clause, to the extent applicable, constitutes compliance with this part.
(b)*Notice registrants;* Substituted compliance with Regulation S-P. Any person or entity otherwise subject to this Part that is subject to and in compliance with Securities and Exchange Commission Regulation S-P, 17 CFR part 248, will be deemed to be in compliance with this part. § 160.3 Definitions. For purposes of this part, unless the context requires otherwise:
(a)*Affiliate* of a futures commission merchant, commodity trading advisor, commodity pool operator or introducing broker means any company that controls, is controlled by, or is under common control with a futures commission merchant, commodity trading advisor, commodity pool operator or introducing broker that is subject to the jurisdiction of the Commission. In addition, a futures commission merchant, commodity trading advisor, commodity pool operator or introducing broker subject to the jurisdiction of the Commission will be deemed an affiliate of a company for purposes of this part if:
(1)That company is regulated under Title V of the GLB Act by the Federal Trade Commission or by a federal functional regulator other than the Commission; and
(2)Rules adopted by the Federal Trade Commission or another federal functional regulator under Title V of the GLB Act treat the futures commission merchant, commodity trading advisor, commodity pool operator or introducing broker as an affiliate of that company. (b)(1) *Clear and conspicuous* means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.
(2)*Examples.—*
(i)*Reasonably understandable.* Your notice will be reasonably understandable if you:
(A)Present the information in the notice in clear, concise sentences, paragraphs and sections;
(B)Use short explanatory sentences or bullet lists whenever possible;
(C)Use definite, concrete, everyday words and active voice whenever possible;
(D)Avoid multiple negatives;
(E)Avoid legal and highly technical business terminology whenever possible; and
(F)Avoid explanations that are imprecise and readily subject to different interpretations.
(ii)*Designed to call attention.* Your notice is designed to call attention to the nature and significance of the information in it if you:
(A)Use a plain-language heading to call attention to the notice;
(B)Use a typeface and type size that are easy to read;
(C)Provide wide margins and ample line spacing;
(D)Use boldface or italics for key words; and
(E)Use distinctive type size, style and graphic devices, such as shading or sidebars when you combine your notice with other information.
(iii)*Notices on web sites.* If you provide notice on a web page, you design your notice to call attention to the nature and significance of the information in it if you use text or visual cues to encourage scrolling down the page, if necessary to view the entire notice, and ensure that other elements on the web site, such as text, graphics, hyperlinks or sound, do not distract from the notice, and you either:
(A)Place the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or
(B)Place a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.
(c)*Collect* means to obtain information that you organize or can retrieve by the name of an individual or by identifying number, symbol or other identifying particular assigned to the individual, irrespective of the source of the underlying information.
(d)*Commission* means the Commodity Futures Trading Commission.
(e)*Commodity pool operator* has the same meaning as in section 1a(5) of the Commodity Exchange Act, as amended, and includes anyone registered as such under the Act.
(f)*Commodity trading advisor* has the same meaning as in section 1a(6) of the Commodity Exchange Act, as amended, and includes anyone registered as such under the Act.
(g)*Company* means any corporation, limited liability company, business trust, general or limited partnership, association or similar organization.
(1)*Consumer* means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family or household purposes, or that individual's legal representative.
(2)*Examples.*
(i)An individual is your consumer if he or she provides nonpublic personal information to you in connection with obtaining or seeking to obtain brokerage or advisory services, whether or not you provide services to the individual or establish a continuing relationship with the individual.
(ii)An individual is not your consumer if he or she provides you only with his or her name, address and general areas of investment interest in connection with a request for a brochure or other information about financial products or services.
(iii)An individual is not your consumer if he or she has an account with another futures commission merchant (originating futures commission merchant) for which you provide clearing services for an account in the name of the originating futures commission merchant.
(iv)An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.
(v)An individual is not your consumer solely because he or she has designated you as trustee for a trust.
(vi)An individual is not your consumer solely because he or she is a beneficiary of a trust for which you are a trustee.
(vii)An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.
(i)*Consumer reporting agency* has the same meaning as in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
(j)*Control* of a company means the power to exercise a controlling influence over the management and policies of a company whether through ownership of securities, by contract, or otherwise. Any person who owns beneficially, either directly or through one or more controlled companies, more than 25 percent of the voting securities of any company is presumed to control the company. Any person who does not own more than 25 percent of the voting securities of a company will be presumed not to control the company.
(k)*Customer* means a consumer who has a customer relationship with you.
(1)*Customer relationship* means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family or household purposes.
(2)*Examples.—*
(i)*Continuing relationship.* A consumer has a continuing relationship with you if:
(A)You are a futures commission merchant through whom a consumer has opened an account, or that carries the consumer's account on a fully-disclosed basis, or that effects or engages in commodity interest transactions with or for a consumer, even if you do not hold any assets of the consumer.
(B)You are an introducing broker that regularly solicits or accepts specific orders for trades;
(C)You are a commodity trading advisor with whom a consumer has a contract or subscription, either written or oral, regardless of whether the advice is standardized, or is based on, or tailored to, the commodity interest or cash market positions or other circumstances or characteristics of the particular consumer;
(D)You are a commodity pool operator, and you accept or receive from the consumer, funds, securities, or property for the purpose of purchasing an interest in a commodity pool;
(E)You hold securities or other assets as collateral for a loan made to the consumer, even if you did not make the loan or do not effect any transactions on behalf of the consumer; or
(F)You regularly effect or engage in commodity interest transactions with or for a consumer even if you do not hold any assets of the consumer.
(ii)*No continuing relationship.* A consumer does not have a continuing relationship with you if:
(A)You have acted solely as a “finder” for a futures commission merchant, and you do not solicit or accept specific orders for trades; or
(B)You have solicited the consumer to participate in a pool or to direct his or her account and he or she has not provided you with funds to participate in a pool or entered into any agreement for you to direct his or her account.
(m)*Federal functional regulator* means:
(1)The Board of Governors of the Federal Reserve System;
(2)The Office of the Comptroller of the Currency;
(3)The Board of Directors of the Federal Deposit Insurance Corporation;
(4)The Director of the Office of Thrift Supervision;
(5)The National Credit Union Administration Board;
(6)The Securities and Exchange Commission; and
(7)The Commodity Futures Trading Commission.
(1)*Financial institution* means:
(i)any futures commission merchant, commodity trading advisor, commodity pool operator or introducing broker that is registered with the Commission as such or is otherwise subject to the Commission's jurisdiction; and
(ii)any other institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k).
(2)*Financial institution* does not include:
(i)Any person or entity, other than a futures commission merchant, commodity trading advisor, commodity pool operator or introducing broker, with respect to any financial activity, that is subject to the jurisdiction of the Commission under the Act;
(ii)The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 *et seq.* ); or
(iii)Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
(1)*Financial product or service* means:
(i)Any product or service that a futures commission merchant, commodity trading advisor, commodity pool operator, or introducing broker could offer that is subject to the Commission's jurisdiction; and
(ii)Any product or service that any other financial institution could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k).
(p)*Futures commission merchant* has the same meaning as in section 1a(20) of the Commodity Exchange Act, as amended, and includes any person registered as such under the Act.
(q)*GLB* Act means the Gramm-Leach-Bliley Act (Pub. L. No. 106-102, 113 Stat. 1338 (1999)).
(r)*Introducing broker* has the same meaning as in section 1a(23) of the Commodity Exchange Act, as amended, and includes any person registered as such under the Act.
(1)*Nonaffiliated third party* means any person except:
(i)Your affiliate; or
(ii)A person employed jointly by you and any company that is not your affiliate, but nonaffiliated third party includes the other company that jointly employs the person.
(2)*Nonaffiliated third party* includes any company that is an affiliate solely by virtue of your or your affiliate's direct or indirect ownership or control of the company in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) or insurance company investment activities of the type described in section 4(k)(4)(I) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k)(4)
(H)and (I).
(1)*Nonpublic personal information* means:
(i)Personally identifiable financial information; and
(ii)any list, description or other grouping of consumers, and publicly available information pertaining to them, that is derived using any personally identifiable financial information that is not publicly available information.
(2)*Nonpublic personal information* does not include:
(i)Publicly available information, except as included on a list described in paragraph (t)(1)(ii) of this section or when the publicly available information is disclosed in a manner that indicates the individual is or has been your consumer; or
(ii)Any list, description or other grouping of consumers, and publicly available information pertaining to them, that is derived without using any personally identifiable financial information that is not publicly available information.
(3)*Examples of lists.*
(i)Nonpublic personal information includes any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available information, such as account numbers.
(ii)Nonpublic personal information does not include any list of individuals' names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available information, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
(1)*Personally identifiable financial information* means any information:
(i)A consumer provides to you to obtain a financial product or service from you;
(ii)About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii)You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.
(2)*Examples.* —(i) *Information included* . Personally identifiable financial information includes:
(A)Information a consumer provides to you on an application to obtain a loan, credit card, or other financial product or service;
(B)Account balance information, payment history, overdraft history, and credit or debit card purchase information;
(C)The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;
(D)Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;
(E)Any information you collect through an Internet “cookie” (an information-collecting device from a web server); and
(F)Information from a consumer report.
(ii)*Information not included* . Personally identifiable financial information does not include:
(A)A list of names and addresses of customers of an entity that is not a financial institution; or
(B)Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names or addresses. (v)(1) *Publicly available information* means any information that you reasonably believe is lawfully made available to the general public from:
(i)Federal, state or local government records;
(ii)Widely distributed media; or
(iii)Disclosures to the general public that are required to be made by federal, state or local law.
(2)*Examples* .—(i) *Reasonable belief* .
(A)You have a reasonable belief that information about your consumer is made available to the general public if you have confirmed, or your consumer has represented to you, that the information is publicly available from a source described in paragraphs (v)(1)(i)-(iii) of this section.
(B)You have a reasonable belief that information about your consumer is made available to the general public if you have taken steps to submit the information, in accordance with your internal procedures and policies and with applicable law, to a keeper of federal, state or local government records that is required by law to make the information publicly available.
(C)You have a reasonable belief that an individual's telephone number is lawfully made available to the general public if you have located the telephone number in the telephone book or on an internet listing service, or the consumer has informed you that the telephone number is not unlisted.
(D)You do not have a reasonable belief that information about a consumer is publicly available solely because that information would normally be recorded with a keeper of federal, state or local government records that is required by law to make the information publicly available, if the consumer has the ability in accordance with applicable law to keep that information nonpublic, such as where a consumer may record a deed in the name of a blind trust.
(ii)*Government records* . Publicly available information in government records includes information in government real estate records and security interest filings.
(iii)*Widely distributed media* . Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper, or a web site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or a site operator requires a fee or password, so long as access is available to the general public.
(w)*You* means any of the following persons or entities that are subject to the jurisdiction of the Commission:
(1)Any futures commission merchant;
(2)Any commodity trading advisor;
(3)Any commodity pool operator; and
(4)Any introducing broker. Subpart A—Privacy and Opt Out Notices § 160.4 Initial privacy notice to consumers required.
(a)*Initial notice requirement* . You must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices to:
(1)*Customer* . An individual who becomes your customer, not later than when you establish a customer relationship, except as provided in paragraph
(e)of this section; and
(2)*Consumer* . A consumer, before you disclose any nonpublic personal information about the consumer to any nonaffiliated third party, if you make such a disclosure other than as authorized by §§ 160.14 and § 160.15.
(b)*When initial notice to a consumer is not required* . You are not required to provide an initial notice to a consumer under paragraph
(a)of this section if:
(1)You do not disclose any nonpublic personal information about the consumer to any nonaffiliated third party other than as authorized by §§ 160.13, 160.14 or 160.15.
(2)You do not have a customer relationship with the consumer.
(c)*When you establish a customer relationship* .
(1)*General rule* . You establish a customer relationship when you and the consumer enter into a continuing relationship.
(2)*Examples of establishing customer relationship* . You establish a customer relationship when the consumer:
(i)Instructs you to execute a commodity interest transaction for the consumer;
(ii)Opens a commodity interest account through an introducing broker or with a futures commission merchant that clears transactions for its customers through you on a fully-disclosed basis;
(iii)Transmits specific orders for commodity interest transactions to you that you pass on to a futures commission merchant for execution, if you are an introducing broker;
(iv)Enters into an advisory contract or subscription with you, whether in writing or orally, and whether you provide standardized, or individually tailored commodity trading advice based on the customer's commodity interest or cash market positions or other circumstances or characteristics.
(v)Provides to you funds, securities, or property for an interest in a commodity pool, if you are a commodity pool operator.
(d)*Existing customers* . When an existing customer obtains a new financial product or service from you that is to be used primarily for personal, family or household purposes, you satisfy the initial notice requirements of paragraph
(a)of this section as follows:
(1)You may provide a revised privacy notice under § 160.8 that covers the customer's new financial product or service; or
(2)If the initial, revised or annual notice that you most recently provided to that customer was accurate with respect to the new financial product or service, you do not need to provide a new privacy notice under paragraph
(a)of this section.
(e)*Exceptions to allow subsequent delivery of notice* .
(1)You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if:
(i)Establishing the customer relationship is not at the customer's election;
(ii)Providing notice not later than when you establish a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time; or
(iii)A nonaffiliated financial institution establishes a customer relationship between you and a consumer without your prior knowledge.
(2)*Examples of exceptions* .
(i)*Not at customer's election* . Establishing a customer relationship is not at the customer's election if you acquire the customer's commodity interest account from another financial institution and the customer does not have a choice about your acquisition.
(ii)*Substantial delay of customer's transaction* . Providing notice not later than when you establish a customer relationship would substantially delay the customer's transaction when you and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service.
(iii)*No substantial delay of customer's transaction* . Providing notice not later than when you establish a customer relationship would not substantially delay the customer's transaction when the relationship is initiated in person at your office or through other means by which the customer may view the notice, such as on a web site.
(f)*Delivery of notice* . When you are required by this section to deliver an initial privacy notice, you must deliver it according to the provisions of § 160.9. If you use a short-form initial notice for non-customers according to § 160.6(d), you may deliver your privacy notice as provided in § 160.6(d)(3). § 160.5 Annual privacy notice to customers required. (a)(1) *General rule* . You must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the life of the customer relationship. *Annually* means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.
(2)*Example* . You provide notice annually if you define the 12-consecutive-month period as a calendar year and provide the annual notice to the customer once in each calendar year following the calendar year in which you provided the initial notice. For example, if a customer opens an account on any day of year 1, you must provide an annual notice to that customer by December 31 of year 2. (b)(1) *Termination of customer relationship* . You are not required to provide an annual notice to a former customer.
(2)*Examples* . Your customer becomes a former customer when:
(i)The individual's commodity interest account is closed;
(ii)The individual's advisory contract or subscription is terminated or expires;
(iii)The individual has redeemed all of his or her units in your pool.
(c)*Delivery of notice* . When you are required by this section to deliver an annual privacy notice, you must deliver it in the manner provided by § 160.9. § 160.6 Information to be included in privacy notices.
(a)*General Rule* . The initial, annual, and revised privacy notices that you provide under §§ 160.4, 160.5 and 160.8 must include each of the following items of information that applies to you or to the consumers to whom you send your privacy notice, in addition to any other information you wish to provide:
(1)The categories of nonpublic personal information that you collect;
(2)The categories of nonpublic personal information that you disclose;
(3)The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those parties to whom you disclose information under §§ 160.14 and 160.15.
(4)The categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under §§ 160.14 and 160.15;
(5)If you disclose nonpublic personal information to a nonaffiliated third party under § 160.13 (and no other exception applies to that disclosure), a separate statement of the categories of information you disclose and the categories of third parties which you have contracted;
(6)An explanation of the consumer's rights under § 160.10(a) to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time;
(7)Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
(8)Your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
(9)Any disclosure that you make under paragraph
(b)of this section.
(b)*Description of nonaffiliated third parties subject to exceptions* . If you disclose nonpublic personal information to third parties as authorized under §§ 160.14 and 160.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 160.4 and 160.5. When describing the categories with respect to those parties, you are required to state only that you make disclosures to other nonaffiliated parties as permitted by law.
(c)*Examples* .—(1) *Categories of nonpublic personal information that you collect* . You satisfy the requirement to categorize the nonpublic personal information that you collect if you list the following categories, as applicable:
(i)Information from the consumer;
(ii)Information about the consumer's transactions with you or your affiliates;
(iii)Information about the consumer's transactions with nonaffiliated third parties; and
(iv)Information from a consumer reporting agency.
(2)*Categories of nonpublic personal information you disclose* .
(i)You satisfy the requirement to categorize the nonpublic personal information you disclose if you list the categories described in paragraph (e)(1) of this section, as applicable, and a few examples to illustrate the types of information in each category.
(ii)If you reserve the right to disclose all of the nonpublic personal information about consumers that you collect, you may simply state that fact without describing the categories or examples of the nonpublic personal information you disclose.
(3)*Categories of affiliates and nonaffiliated third parties to whom you disclose* . You satisfy the requirement to categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information if you list the following categories, as applicable, and a few examples to illustrate the types of third parties in each category:
(i)Financial service providers;
(ii)Non-financial companies; and
(iii)Others.
(4)*Disclosures under exception for service providers and joint marketers* . If you disclose nonpublic personal information under the exception in § 160.13 to a nonaffiliated third party to market products or services that you offer alone or jointly with another financial institution, you satisfy the disclosure requirement of paragraph (a)(5) of this section if you:
(i)List the categories of nonpublic personal information you disclose, using the same categories and examples you used to meet the requirements of paragraph (a)(2) of this section, as applicable; and
(ii)State whether the third party is:
(A)A service provider that performs marketing services on your behalf or on behalf of you and another financial institution; or
(B)A financial institution with which you have a joint marketing agreement.
(5)*Simplified notices* . If you do not disclose, and do not wish to reserve the right to disclose, nonpublic personal information to affiliates or nonaffiliated third parties except as authorized under §§ 160.14 and 160.15, you may simply state that fact, in addition to information you must provide under paragraphs (a)(1), (a)(8), (a)(9) and
(b)of this section.
(6)*Confidentiality and security* . You describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if you do both of the following:
(i)Describe in general terms who is authorized to have access to the information; and
(ii)State whether you have security practices and procedures in place to ensure the confidentiality of the information in accordance with your policy. You are not required to describe technical information about the safeguards you use.
(d)*Short-form initial notice with opt out notice for non-customers* .
(1)You may satisfy the initial notice requirements in §§ 160.4(a)(2), 160.7(b) and § 160.7(c) for a consumer who is not a customer by providing a short-form initial notice at the same time as you deliver an opt out notice as required in § 160.7.
(2)A short-form initial notice must:
(i)Be clear and conspicuous;
(ii)State that your privacy notice is available upon request; and
(iii)Explain a reasonable means by which the consumer may obtain your privacy notice.
(3)You must deliver your short-form initial notice according to § 160.9. You are not required to deliver your privacy notice with your short-form initial notice. You instead may simply provide the consumer a reasonable means to obtain your privacy notice. If a consumer who receives your short-form notice requests your privacy notice, you must deliver your privacy notice according to § 160.9.
(4)*Examples of obtaining privacy notice.* You provide a reasonable means by which a consumer may obtain a copy of your privacy notice if you:
(i)Provide a toll-free telephone number that the consumer may call to request the notice; or
(ii)For a consumer who conducts business in person at your office, maintain copies of the notice on hand that you provide to the consumer immediately upon request.
(e)*Future disclosures.* Your notice may include:
(1)Categories of nonpublic personal information that you reserve the right to disclose in the future, but do not currently disclose; and
(2)Categories of affiliates and nonaffiliated third parties to whom you reserve the right in the future to disclose, but to whom you do not currently disclose, nonpublic personal information.
(f)*Sample clauses.* Sample clauses illustrating some of the notice content required by this section are included in the Appendix to this part. § 160.7 Form of opt out notice to consumers; opt out methods. (a)(1) *Form of opt out notice.* If you are required to provide an opt out notice under § 160.10(a), you must provide a clear and conspicuous notice to each of your consumers that accurately explains the right to opt out under that section. The notice must state:
(i)That you disclose or reserve the right to disclose nonpublic personal information about your consumer to a nonaffiliated third party;
(ii)That the consumer has the right to opt out of that disclosure; and
(iii)A reasonable means by which the consumer may exercise the opt out right.
(2)*Examples.*
(i)*Adequate opt out notice.* You provide adequate notice that the consumer can opt out of the disclosure of nonpublic personal information to a nonaffiliated third party if you:
(A)Identify all of the categories of nonpublic personal information that you disclose or reserve the right to disclose, and all of the categories of nonaffiliated third parties to which you disclose the information, as described in § 160.6(a)(2) and (3), and state that the consumer can opt out of the disclosure of that information; and
(B)Identify the financial products or services that the consumer obtains from you, either singly or jointly, to which the opt out direction would apply.
(ii)*Reasonable means to opt out.* You provide a reasonable means to exercise an opt out right if you:
(A)Designate check-off boxes in a prominent position on the relevant forms with the opt out notice;
(B)Include a reply form together with the opt out notice;
(C)Provide an electronic means to opt out, such as a form that can be sent via electronic mail or a process at your web site, if the consumer agrees to the electronic delivery of information; or
(D)Provide a toll-free telephone number that consumers may call to opt out.
(iii)*Unreasonable opt out means.* You *do not* provide a reasonable means of opting out if:
(A)The only means of opting out is for the consumer to write his or her own letter to exercise that opt out right; or
(B)The only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that you provided with the initial notice but did not include with the subsequent notice.
(iv)*Specific opt out means.* You may require each consumer to opt out through a specific means, as long as that means is reasonable for the consumer.
(b)*Same form as initial notice permitted.* You may provide the opt out notice together with or on the same written or electronic form as the initial notice you provide in accordance with § 160.4.
(c)*Initial notice required when opt out notice delivered subsequent to initial notice.* If you provide the opt out notice after the initial notice in accordance with § 160.4, you must also include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.
(d)*Joint relationships.*
(1)If two or more consumers jointly obtain a financial product or service from you, you may provide a single opt out notice. Your opt out notice must explain how you will treat an opt out direction by a joint consumer.
(2)Any of the joint consumers may exercise the right to opt out. You may either:
(i)Treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or
(ii)Permit each joint consumer to opt out separately.
(3)If you permit each joint consumer to opt out separately, you must permit one of the joint consumers to opt out on behalf of all of the joint consumers.
(4)You may not require *all* joint consumers to opt out before you implement *any* opt out direction.
(5)*Example.* If John and Mary have a joint trading account with you and arrange for you to send statements to John's address, you may do any of the following, but you must explain in your opt out notice which opt out policy you will follow:
(i)Send a single opt out notice to John's address, but you must accept an opt out direction from either John or Mary;
(ii)Treat an opt out direction by either John or Mary as applying to the entire account. If you do so, and John opts out, you may not require Mary to opt out as well before implementing John's opt out direction; or
(iii)Permit John and Mary to make different opt out directions. If you do so:
(A)You must permit John and Mary to opt out for each other.
(B)If both opt out, you must permit both to notify you in a single response (such as on a form or through a telephone call).
(C)If John opts out and Mary does not, you may only disclose nonpublic personal information about Mary, but not about John, and not about John and Mary jointly.
(e)*Time to comply with opt out.* You must comply with a consumer's opt out direction as soon as reasonably practicable after you receive it.
(f)*Continuing right to opt out.* A consumer may exercise the right to opt out at any time.
(g)*Duration of consumer's opt out direction.*
(1)A consumer's direction to opt out under this section is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.
(2)When a customer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal information that you collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with you, the opt out direction that applied to the former relationship does not apply to the new relationship.
(h)*Delivery.* When you are required to deliver an opt out notice by this section, you must deliver it according to § 160.9. § 160.8 Revised privacy notices.
(a)*General rule.* Except as otherwise authorized in this part, you must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that you provided to that consumer under § 160.4, unless:
(1)You have provided to the consumer a clear and conspicuous revised notice that accurately describes your policies and practices;
(2)You have provided to the consumer a new opt out notice;
(3)You have given the consumer a reasonable opportunity, before you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and
(4)The consumer does not opt out.
(b)*Examples.*
(1)Except as otherwise permitted by §§ 160.13, 160.14, and 160.15, you must provide a revised notice before you:
(i)Disclose a new category of nonpublic personal information to any nonaffiliated third party;
(ii)Disclose nonpublic personal information to a new category of nonaffiliated third party; or
(iii)Disclose nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure.
(2)A revised notice is not required if you disclose nonpublic personal information to a new nonaffiliated third party that you adequately described in your prior notice.
(c)*Delivery.* When you are required to deliver a revised privacy notice by this section, you must deliver it according to § 160.9. § 160.9 Delivering privacy and opt out notices.
(a)*How to provide notices.* You must provide any privacy notices and opt out notices, including short-form initial notices that this part requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. (b)(1) *Examples of reasonable expectation of actual notice.* You may reasonably expect that a consumer will receive actual notice if you:
(i)Hand-deliver a printed copy of the notice to the consumer;
(ii)Mail a printed copy of the notice to the last known address of the consumer; or
(iii)For the consumer who conducts transactions electronically, post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial service or product.
(2)*Examples of unreasonable expectation of actual notice.* You may not, however, reasonably expect that a consumer will receive actual notice of your privacy policies and practices if you:
(i)Only post a sign in your branch or office or generally publish advertisements of your privacy policies and practices; or
(ii)Send the notice via electronic mail to a consumer who does not obtain a financial product or service from you electronically.
(c)*Annual notices only.* You may reasonably expect that a consumer will receive actual notice of your annual privacy notice if:
(1)The customer uses your web site to access financial products and services electronically and agrees to receive notices at the web site and you post your current privacy notice continuously in a clear and conspicuous manner on the web site; or
(2)The customer has requested that you refrain from sending any information regarding the customer relationship, and your current privacy notice remains available to the customer upon request.
(d)*Oral description of notice insufficient.* You may not provide any notice required by this part solely by orally explaining the notice, either in person or over the telephone.
(e)*Retention or accessibility of notices for customers.*
(1)For customers only, you must provide the initial notice required by § 160.4(a)(1), the annual notice required by § 160.5(a), and the revised notice required by § 160.8, so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.
(2)*Examples of retention or accessibility.* You provide a privacy notice to the customer so that the customer can retain it or obtain it later if you:
(i)Hand-deliver a printed copy of the notice to the customer;
(ii)Mail a printed copy of the notice to the last known address of the customer; or
(iii)Make your current privacy notice available on a web site (or a link to another web site) for the customer who obtains a financial product or service electronically and agrees to receive the notice at the web site.
(f)*Joint notice with other financial institutions.* You may provide a joint notice from you and one or more of your affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to you and the other institutions.
(g)*Joint relationships.* If two or more customers jointly obtain a financial product or service from you, you may satisfy the initial, annual, and revised notice requirements of paragraph
(a)of this section by providing one notice to those customers jointly. Subpart B—Limits on Disclosures § 160.10 Limits on disclosure of nonpublic personal information to nonaffiliated third parties. (a)(1) *Conditions for disclosure.* Except as otherwise authorized in this part, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless:
(i)You have provided to the consumer an initial notice as required under § 160.4;
(ii)You have provided to the consumer an opt out notice as required in § 160.7;
(iii)You have given the consumer a reasonable opportunity, before you disclose the information to the nonaffiliated third party, to opt of the disclosure; and
(iv)The consumer does not opt out.
(2)*Opt out definition.* Opt out means a direction by the consumer that you not disclose nonpublic personal information about that consumer to a nonaffiliated third party, other than as permitted by §§ 160.13, 160.14 and 160.15.
(3)*Examples of reasonable opportunity to opt out.* You provide a consumer with a reasonable opportunity to opt out if:
(i)*By mail.* You mail the notices required in paragraph (a)(1) of this section to the consumer and allow the consumer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 30 days after the day that the customer acknowledges receipt of the notices in conjunction with opening the account.
(ii)*By electronic means.* A customer opens an on-line account with you and agrees to receive the notices required in paragraph (a)(1) of this section electronically, and you allow the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.
(iii)*Isolated transaction with consumer.* For an isolated transaction with a consumer, you provide the consumer with a reasonable opportunity to opt out if you provide the notices required in paragraph (a)(1) of this section at the time of the transaction and request that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
(b)*Application of opt out to all consumers and all nonpublic personal information.*
(1)You must comply with this section, regardless of whether you and the consumer have established a customer relationship.
(2)Unless you comply with this section, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer that you have collected, regardless of whether you have collected it before or after receiving the direction to opt out from the consumer.
(c)*Partial opt out.* You may allow a consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out. § 160.11 Limits on redisclosure and reuse of information. (a)(1) *Information you receive under an exception.* If you receive nonpublic personal information from a nonaffiliated financial institution under an exception in §§ 160.14 or 160.15, your disclosure and use of that information is limited as follows:
(i)You may disclose the information to the affiliate of the financial institution from which you received the information;
(ii)You may disclose the information to your affiliates, but your affiliates may, in turn, disclose and use the information only to the extent that you may disclose and use the information; and
(iii)You may disclose and use the information pursuant to an exception in § 160.14 or 160.15 in the ordinary course of business to carry out the activity covered by the exception under which you received the information.
(2)*Example.* If you receive a customer list from a nonaffiliated financial institution in order to provide account-processing services under the exception in §§ 160.14(a), you may disclose that information under any exception in §§ 160.14 or 160.15 in the ordinary course of business in order to provide those services. You could also disclose that information in response to a properly authorized subpoena or in the ordinary course of business to your attorneys, accountants, and auditors. You could not disclose that information to a third party for marketing purposes or use that information for your own marketing purposes. (b)(1) *Information you receive outside of an exception.* If you receive nonpublic personal information from a nonaffiliated financial institution other than under an exception in §§ 160.14 or 160.15, you may disclose the information only:
(i)To the affiliates of the financial institution from which you received the information;
(ii)To your affiliates, but your affiliates may, in turn, disclose the information only to the extent that you can disclose the information; and
(iii)To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which you received the information.
(2)*Example.* If you obtain a customer list from a nonaffiliated financial institution outside of the exceptions in §§ 160.14 and 160.15:
(i)You may use that list for your own purposes;
(ii)You may disclose that list to another nonaffiliated third party only if the financial institution from which you purchased the list could have lawfully disclosed that list to that third party. That is, you may disclose the list in accordance with the privacy policy of the financial institution from which you received the list as limited by the opt out direction of each consumer whose nonpublic personal information you intend to disclose, and you may disclose the list in accordance with an exception in §§ 160.14 and 160.15, such as in the ordinary course of business to your attorneys, accountants, or auditors.
(c)*Information you disclose under an exception.* If you disclose nonpublic personal information to a nonaffiliated third party under an exception in §§ 160.14 or 160.15, the third party may disclose and use that information only as follows:
(1)The third party may disclose the information to your affiliates;
(2)The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and
(3)The third party may disclose and use the information pursuant to an exception in §§ 160.14 or 160.15 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
(d)*Information you disclose outside of an exception.* If you disclose nonpublic personal information to a nonaffiliated third party other than under an exception in §§ 160.14 or 160.15, the third party may disclose the information only:
(1)To your affiliates;
(2)To its affiliates, but its affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and
(3)To any other person, if the disclosure would be lawful if you made it directly to that person. § 160.12 Limits on sharing account number information for marketing purposes.
(a)*General prohibition on disclosure of account numbers.* You must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a consumer's credit card account, deposit account or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.
(b)*Exceptions.* Paragraph
(a)of this section does not apply if you disclose an account number or similar form of access number or access code:
(1)To your agent or service provider solely in order to perform marketing for your own services or products, as long as the agent or service provider is not authorized to directly initiate charges to the account; or
(2)To a participant in a private-label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.
(c)*Example-Account number.* An account number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as you do not provide the recipient with a means to decode the number or code. Subpart C—Exceptions § 160.13 Exception to opt out requirements for service providers and joint marketing.
(a)*General rule.*
(1)The opt out requirements in §§ 160.7 and 160.10 do not apply when you provide nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf if you:
(i)Provide the initial notice in accordance with § 160.4; and
(ii)Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in §§ 160.14 or 160.15 in the ordinary course of business to carry out those purposes.
(2)*Example.* If you disclose nonpublic personal information under this section to a financial institution with which you perform joint marketing, your contractual agreement with that institution meets the requirements of paragraph (a)(1)(ii) of this section if it prohibits the institution from disclosing or using the nonpublic personal information except as necessary to carry out the joint marketing or under an exception in §§ 160.14 or 160.15 in the ordinary course of business to carry out that joint marketing.
(b)*Service may include joint marketing.* The services a nonaffiliated third party performs for you under paragraph
(a)of this section may include marketing of your own products or services or marketing of financial products or services offered pursuant to joint agreements between you and one or more financial institutions.
(c)*Definition of joint agreement.* For purposes of this section, *joint agreement* means a written contract pursuant to which you and one or more financial institutions jointly offer, endorse or sponsor a financial product or service. § 160.14 Exceptions to notice and opt out requirements for processing and servicing transactions.
(a)*Exceptions for processing and servicing transactions at consumer's request.* The requirements for initial notice in § 160.4(a)(2), for the opt out in §§ 160.7 and 160.10, and for initial notice in § 160.13 in connection with service providers and joint marketing, do not apply if you disclose nonpublic personal information as necessary to effect, administer, or enforce a transaction that a customer requests or authorizes, or in connection with:
(1)Processing or servicing a financial product or service that a consumer requests or authorizes;
(2)Maintaining or servicing the consumer's account with you, or with another entity as part of an extension of credit on behalf of such entity; or
(3)A proposed or actual securitization, secondary market sale or similar transaction related to a transaction of the consumer.
(b)*Necessary to effect, administer or enforce a transaction* means that the disclosure is:
(1)Required, or is one of the lawful or appropriate methods, to enforce your rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or
(2)Required, or is a usual, appropriate or acceptable method:
(i)To carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer's account in the ordinary course of providing the financial service or financial product;
(ii)To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;
(iii)To provide a confirmation, statement or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker;
(iv)To accrue or recognize incentives or bonuses associated with the transaction that are provided by you or any other party;
(v)In connection with:
(A)The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means;
(B)The transfer of receivables, accounts or interests therein; or
(C)The audit of debit, credit or other payment information. § 160.15 Other exceptions to notice and opt out requirements.
(a)*Exceptions to notice and opt out requirements.* The requirements for initial notice in § 160.4(a)(2), for the opt out in §§ 160.7 and 160.10, and for initial notice in § 160.13 in connection with service providers and joint marketing do not apply when you disclose nonpublic personal information:
(1)With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction; (2)(i) To protect the confidentiality or security of your records pertaining to the consumer, service, product or transaction;
(ii)To protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability;
(iii)For required institutional risk control or for resolving consumer disputes or inquiries;
(iv)To persons holding a legal or beneficial interest relating to the consumer; or
(v)To persons acting in a fiduciary or representative capacity on behalf of the consumer;
(3)To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating you, persons that are assessing your compliance with industry standards, and your attorneys, accountants and auditors;
(4)To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, 12 U.S.C. 3401 *et seq.* , to law enforcement agencies (including a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority's state that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety; (5)(i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act, 15 U.S.C. 1681 *et seq.* ; or
(ii)From a consumer report reported by a consumer reporting agency;
(6)In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or (7)(i) To comply with federal, state or local laws, rules and other applicable legal requirements;
(ii)To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities; or
(iii)To respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance or other purposes as authorized by law.
(b)*Examples of consent and revocation of consent.*
(1)A consumer may specifically consent to your disclosure to a nonaffiliated mortgage lender of the value of the assets in the customer's account so that the lender can evaluate the consumer's application for a mortgage loan.
(2)A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under § 160.7. Subpart D—Relation to Other Laws; Effective Date § 160.16 Protection of Fair Credit Reporting Act. Nothing in this part shall be construed to modify, limit or supersede the operation of the Fair Credit Reporting Act, 15 U.S.C. 1681 *et seq.* , and no inference shall be drawn on the basis of the provisions of this part regarding whether information is transaction or experience information under section 603 of that Act. § 160.17 Relation to state laws.
(a)*In general.* This part shall not be construed as superseding, altering or affecting any statute, regulation, order or interpretation in effect in any state, except to the extent that such state statute, regulation, order or interpretation is inconsistent with the provisions of this part, and then only to the extent of the inconsistency.
(b)*Greater protection under state law.* For purposes of this section, a state statute, regulation, order or interpretation is not inconsistent with the provisions of this part if the protection such statute, regulation, order or interpretation affords any consumer is greater than the protection provided under this part, as determined by the Federal Trade Commission, after consultation with the Commission, on the Federal Trade Commission's own motion, or upon the petition of any interested party. § 160.18 Effective date; compliance date; transition rule.
(a)*Effective date.* This part is proposed to be effective on June 21, 2001. In order to provide sufficient time for you to establish policies and systems to comply with the requirements for this part, the compliance date for this part is December 31, 2001. (b)(1) *Notice requirement for consumers who are your customers on the effective date.* By December 31, 2001, you must have provided an initial notice, as required by § 160.4, to consumers who are your customers on June 21, 2001.
(2)*Example.* You provide an initial notice to consumers who are your customers on December 31, 2001 if, by that date, you have established a system for providing an initial notice to all new customers and have mailed the initial notice to all your existing customers.
(c)*One-year grandfathering of service agreements.* Until December 31, 2002, a contract that you have entered into with a nonaffiliated third party to perform services for you or functions on your behalf satisfies the provisions of § 160.13(a)(2) even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information, as long as you entered into the agreement on or before the effective date of this Part. §§ 160.19-160.29 [Reserved] § 160.30 Procedures to safeguard customer records and information. Every futures commission merchant, commodity pool operator, commodity trading advisor and introducing broker subject to the jurisdiction of the Commission must adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. These policies and procedures must be reasonably designed to:
(a)Insure the security and confidentiality of customer records and information;
(b)Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(c)Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. Appendix to Part 160—Sample Clauses Financial institutions, including those that use a common privacy notice, may use the following sample clauses, if the clause is accurate for each institution that uses the notice. Note that disclosure of certain information, such as assets, income and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act, such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties. A-1—Categories of Information You Collect (All Institutions) You may use this clause, as applicable, to meet the requirement of § 160.6(a)(1) to describe the categories of nonpublic personal information you collect. Sample Clause A-1 We collect nonpublic personal information about you from the following sources: • Information we receive from you on applications or other forms; • Information about your transactions with us, our affiliates or others; and • Information we receive from a consumer reporting agency. A-2—Categories of Information You Disclose (Institutions That Disclose Outside of the Exceptions) You may use one of these clauses, as applicable, to meet the requirement of § 160.6(a)(2) to describe the categories of nonpublic personal information you disclose. You may use these clauses if you disclose nonpublic personal information other than as permitted by the exceptions in §§ 160.13, 160.14 and 160.15. Sample Clause A-2, Alternative 1 We may disclose the following kinds of nonpublic personal information about you: • Information we receive from you on applications or other forms, such as [ *provide illustrative examples, such as “your name, address, social security number, assets and income”* ]; • Information about your transactions with us, our affiliates or others, such as [ *provide illustrative examples, such as “your account balance, payment history, parties to transactions and credit card usage”* ]; and • Information we receive from a consumer reporting agency, such as [ *provide illustrative examples, such as “your creditworthiness and credit history”* ]. Sample Clause A-2, Alternative 2 We may disclose all of the information that we collect, as described [ *describe location in the notice, such as “above” or “below”* ]. A-3—Categories of Information You Disclose and Parties to Whom You Disclose (Institutions That Do Not Disclose Outside of the Exceptions) You may use this clause, as applicable, to meet the requirements of §§ 160.6(a)(2),
(3)and
(4)to describe the categories of nonpublic personal information about customers and former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose. You may use this clause if you do not disclose nonpublic personal information to any party, other than as is permitted by the exceptions in §§ 160.14 and 160.15. Sample Clause A-3 We do not disclose any nonpublic personal information about our customers or former customers to anyone, except as permitted by law. A-4—Categories of Parties to Whom You Disclose (Institutions That Disclose Outside of the Exceptions) You may use this clause, as applicable, to meet the requirement of § 160.6(a)(3) to describe the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information. You may use this clause if you disclose nonpublic personal information other than as permitted by the exceptions in §§ 160.13, 160.14 and 160.15, as well as when permitted by the exceptions in §§ 160.14 and 160.15. Sample Clause A-4 We may disclose nonpublic personal information about you to the following types of third parties: • Financial service providers, such as [ *provide illustrative examples, such as “mortgage bankers”* ]; • Non-financial companies, such as [ *provide illustrative examples, such as “retailers, direct marketers, airlines and publishers”* ]; and • Others, such as [ *provide illustrative examples, such as “non-profit organizations”* ]. We may also disclose nonpublic personal information about you to nonaffiliated third parties as permitted by law. A-5—Service Provider/Joint Marketing Exception You may use one of these clauses, as applicable, to meet the requirements of § 160.6(a)(5) related to the exception for service providers and joint marketers in § 160.13. If you disclose nonpublic personal information under this exception, you must describe the categories of nonpublic personal information you disclose and the categories of third parties with whom you have contracted. Sample Clause A-5, Alternative 1 We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements: • Information we receive from you on applications or other forms, such as [ *provide illustrative examples, such as “your name, address, social security number, assets and income”* ]; • Information about your transactions with us, our affiliates, or others, such as [ *provide illustrative examples, such as “your account balance, payment history, parties to transactions and credit card usage”* ]; and • Information we receive from a consumer reporting agency, such as [ *provide illustrative examples, such as “your creditworthiness and credit history”* ]. Sample Clause A-5, Alternative 2 We may disclose all of the information we collect, as described [ *describe location in the notice, such as “above” or “below”* ] to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements. A-6—Explanation of Opt Out Right (Institutions That Disclose Outside of the Exceptions) You may use this clause, as applicable, to meet the requirement of § 160.6(a)(6) to provide an explanation of the consumer's right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right. You may use this clause if you disclose nonpublic personal information other than as permitted by the exceptions in §§ 160.13, 160.14 and 160.15. Sample Clause A-6 If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties you may opt out of those disclosures; that is, you may direct us not to make those disclosures (other than disclosures permitted or required by law). If you wish to opt out of disclosures to nonaffiliated third parties, you may [ *describe a reasonable means of opting out, such as “call the following toll-free number: (insert number)”* ]. A-7—Confidentiality and Security (All Institutions) You may use this clause, as applicable, to meet the requirement of § 160.6(a)(8) to describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. Sample Clause A-7 We restrict access to nonpublic personal information about you to [ *provide an appropriate description, such as “those employees who need to know that information to provide products or services to you”* ]. We maintain physical, electronic and procedural safeguards that comply with federal standards to safeguard your nonpublic personal information. Dated: March 12, 2001. By the Commission. Catherine D. Dixon, Assistant Secretary. FR Doc. 01-6601 Filed 3-16-01; 8:45 am] BILLING CODE 6351-01-P 66 53 Monday, March 19, 2001 Rules and Regulations Part IV Environmental Protection Agency 40 CFR Part 81 Determination of Nonattainment as of November 15, 1996, and Reclassification of the St. Louis Ozone Nonattainment Area; States of Missouri and Illinois; Final Rule; Proposed Rule ENVIRONMENTAL PROTECTION AGENCY 40 CFR Part 81 [MO 061-0161a; IL 187-2; FRL-6955-4] Determination of Nonattainment as of November 15, 1996, and Reclassification of the St. Louis Ozone Nonattainment Area; States of Missouri and Illinois AGENCY: Environmental Protection Agency (EPA). ACTION: Final rule. SUMMARY: EPA is finalizing its finding that the St. Louis ozone nonattainment area (hereinafter referred to as the St. Louis area) failed to attain the 1-hour ozone national ambient air quality standard (NAAQS or standard) by November 15, 1996, the attainment date for moderate nonattainment areas set forth in the Clean Air Act (CAA or Act). By operation of law, the St. Louis area is to be reclassified from a moderate to a serious nonattainment area on the effective date of this rule. In addition, EPA is requiring Missouri and Illinois to submit State Implementation Plan
(SIP)revisions addressing the CAA's pollution control requirements for serious ozone nonattainment areas within 12 months of the effective date of this rule and establishing November 15, 2004, as the date by which the St. Louis area must attain the ozone NAAQS. In a separate document entitled “Proposed Effective Date Modification for Determination of Nonattainment as of November 15, 1996, and Reclassification of the St. Louis Ozone Nonattainment Area; States of Missouri and Illinois,” published elsewhere in today's **Federal Register** , EPA is proposing to delay the effective date of this rule until June 29, 2001. In that document, EPA also sets forth its intent to propose to withdraw this final determination and reclassification, if EPA grants the states an attainment date extension before the effective date of this reclassification rule. Missouri and Illinois are in the concluding stage of a process that could culminate in EPA final action on an attainment date extension. This extension, if granted, would allow the area to remain classified as a moderate nonattainment area. EPA is continuing to work to complete action on the extension request by June 29, 2001. If EPA takes final action to extend the attainment date during the pre-effective period of this rule, EPA intends to withdraw this final determination and reclassification prior to the time that they become effective. In an Order issued January 29, 2001, and amended on February 14, 2001, the United States District Court for the District of Columbia directed EPA to determine, by March 12, 2001, whether the St. Louis area had attained the applicable ozone standard under the CAA, and ordered EPA to publish the required notice, if any, that results from its determination by March 20, 2001. *Sierra Club* v. *Whitman,* No. 98-2733. The rulemaking issued today is intended to comply with the Court's Order. EPA informed the Court, in a Motion filed on March 8, 2001, of its proposed course of action to comply with the Order, including EPA's proposal to postpone the effective date of the determination until June 29, 2001, and EPA's intent to withdraw the determination if it approves an attainment date extension within the pre-effective period. The Court, in a limited review to determine whether EPA's planned course of action would contravene the Court's Order, indicated that EPA, by signing its determination by March 12, and publishing notice by March 20, would comply with the Court's Order. The Court observed that it was without jurisdiction to assess the propriety of the remainder of EPA's planned course of action. DATES: This rule is effective on May 18, 2001. ADDRESSES: Copies of the St. Louis area monitored air quality data analyses and other relevant materials are available for public inspection during normal business hours at the following addresses: United States Environmental Protection Agency, Region 5, Air and Radiation Division, 77 West Jackson Boulevard, Chicago, Illinois 60604 (please telephone Edward Doty at
(312)886-6057 before visiting the Region 5 office); United States Environmental Protection Agency, Region 7, Air, RCRA, and Toxics Division, 901 North 5th Street, Kansas City, Kansas 66101. FOR FURTHER INFORMATION CONTACT: Royan W. Teter, EPA Region 7,
(913)551-7609; or Edward Doty, EPA Region 5,
(312)886-6057. SUPPLEMENTARY INFORMATION: Throughout this document whenever “we, us, or our” is used, we mean EPA. This section provides additional information by addressing the following questions: What are the national ambient air quality standards? What is the NAAQS for ozone? What is a SIP? What is the St. Louis ozone nonattainment area? What does this action do? What does the CAA say about determinations of nonattainment and reclassifications, and how does it apply to the St. Louis area? Why did EPA defer making a determination regarding the St. Louis area's attainment status beyond the time frame prescribed by the CAA? Why is this action necessary? What progress have Missouri and Illinois made toward meeting the requirements of the attainment date extension policy? What other actions have Illinois and Missouri taken to improve air quality in the St. Louis area? What is the area's new classification? What is the new attainment date for the St. Louis area? When must Missouri and Illinois submit SIP revisions fulfilling the requirements for serious ozone nonattainment areas? What comments were received on the proposed determination of nonattainment and reclassification, and how has EPA responded? Background What Are the National Ambient Air Quality Standards? Since the CAA's inception in 1970, EPA has set NAAQS for six common air pollutants: Carbon monoxide, lead, nitrogen dioxide, ozone, particulate matter, and sulfur dioxide. The CAA requires that these standards be set at levels that protect public health and welfare with an adequate margin of safety. These standards present state and local governments with the air quality levels they must meet to achieve clean air. Also, these standards allow the American people to assess whether or not the air quality in their communities is healthful. What Is the NAAQS For Ozone? The NAAQS for ozone is expressed in two forms which are referred to as the 1-hour and 8-hour standards. Table 1 summarizes the ozone standards. Table 1.—Summary of Ozone Standards Standard Value Type a Method of compliance 1-hour 0.12 ppm Primary and Secondary Must not be exceeded, on average, more than one day per year over any three-year period at any monitor within an area 8-hour 0.08 Primary and secondary The average of the annual fourth highest daily maximum 8-hour average ozone concentration measured at each monitor over any three-year period a Primary standards are designed to protect public health and secondary standards are designed to protect public welfare and the environment. The 1-hour ozone standard of 0.12 parts per million
(ppm)was promulgated in 1979. The 1-hour ozone standard continues to apply to St. Louis and it is the classification of the St. Louis area with respect to the 1-hour ozone standard that is addressed in this document. What Is a SIP? Section 110 of the CAA requires states to develop air pollution regulations and control strategies to ensure that state air quality meets the NAAQS established by EPA. These ambient standards are established under section 109 of the CAA, and they currently address six criteria pollutants: carbon monoxide, nitrogen dioxide, ozone, lead, particulate matter, and sulfur dioxide. Each state must submit these regulations and control strategies to us for approval and incorporation into the Federally enforceable SIP. Each Federally approved SIP protects air quality primarily by addressing air pollution at its point of origin. These SIPs can be extensive. They may contain state regulations or other enforceable documents and supporting information such as emission inventories, monitoring networks, and modeling demonstrations. What Is the St. Louis Ozone Nonattainment Area? The St. Louis ozone nonattainment area is an interstate area which includes Madison, Monroe, and St. Clair Counties in Illinois; and Franklin, Jefferson, St. Charles, St. Louis Counties and the City of St. Louis in Missouri. Under section 107(d)(1)(C) of the CAA, each ozone area designated nonattainment for the 1-hour ozone standard prior to enactment of the 1990 CAA Amendments, such as the St. Louis area, was designated nonattainment by operation of law upon enactment of the 1990 Amendments. In addition, under section 181(a) of the Act, each area designated nonattainment under section 107(d) was classified as “marginal,” “moderate,” “serious,” “severe,” or “extreme,” depending on the severity of the area's air quality problem. The design value for an area, i.e., the highest of the fourth highest 1-hour daily maximums in a given three-year period, characterizes the severity of the air quality problem. Table 2 provides the design value ranges for each nonattainment classification. Ozone nonattainment areas with design values between 0.138 and 0.160 ppm, such as the St. Louis area (which had a design value of 0.156 ppm in 1989), were classified as moderate. These nonattainment designations and classifications were initially codified in 40 CFR Part 81 (see 56 FR 56694, November 6, 1991). Table 2.—Ozone Nonattainment Classifications Area class Design value
(ppm)Attainment date Marginal 0.121 up to 0.138 November 15, 1993. Moderate 0.138 up to 0.160 November 15, 1996. Serious 0.160 up to 0.180 November 15, 1999. Severe 0.180 up to 0.280 November 15, 2005. Extreme 0.280 and above November 15, 2010. In addition, under section 182(b)(1)(A) of the CAA, states containing areas that were classified as moderate nonattainment were required to submit SIPs to provide for certain air pollution controls, to show progress toward attainment of the ozone standard through incremental emissions reductions, and to provide for attainment of the ozone standard as expeditiously as practicable, *but no later than November 15, 1996* . SIP requirements for moderate areas are listed primarily in section 182(b) of the CAA. What Does This Action Do? On March 18, 1999, EPA proposed (64 FR 13384) its finding that the St. Louis area did not attain the 1-hour ozone NAAQS by November 15, 1996, as required by the CAA. The proposed finding was based on 1994-1996 air quality data which indicated the area's air quality violated the standard and the area did not qualify for an attainment date extension under the provisions of section 181(a)(5). 1 1 Section 181(a)(5) specifies that a state may request, and EPA may grant, up to two one-year attainment date extensions. EPA may grant an extension if:
(1)the state has complied with the requirements and commitments pertaining to the applicable implementation plan for the area, and
(2)the area has measured no more than one exceedance of the ozone standard at any monitoring site in the nonattainment area in the year in which attainment is required. Although the area was not eligible for an attainment date extension under section 181(a)(5), our March 18, 1999, proposal included a notice of the St. Louis area's potential eligibility for an attainment date extension, pursuant to EPA's July 16, 1998, “Guidance on Extension of Air Quality Attainment Dates for Downwind Transport Areas” (hereinafter referred to as the extension policy), signed by Richard D. Wilson, Acting Assistant Administrator for Air and Radiation. The extension policy, published in a March 25, 1999, **Federal Register** notice (64 FR 14441), applies where pollution from upwind areas interferes with the ability of a downwind area to attain the 1-hour ozone standard by its attainment date. EPA proposed to finalize its action on the determination of nonattainment and reclassification of the St. Louis area only after the area had received an opportunity to qualify for an attainment date extension under the extension policy. On January 29, 2001, the U.S. District Court for the District of Columbia ordered EPA to make a determination, no later than March 12, 2001, whether the St. Louis nonattainment area attained the requisite ozone standards. ( *Sierra Club * v. *Whitman,* No. 98-2733 (CKK)). Given the Court's Order and the current status of certain submissions from the states, EPA is unable to grant an attainment date extension under this policy at this time. This action finalizes our finding that the St. Louis area failed to attain the 1-hour ozone NAAQS by November 15, 1996, as prescribed in section 181 of the CAA, and fulfills EPA's nondiscretionary duty pursuant to section 182(b)(2)(A) of the Act. In addition, this action sets the dates by which Missouri and Illinois must submit SIP revisions addressing the CAA's pollution control requirements for serious ozone nonattainment areas and attain the 1-hour NAAQS for ozone. EPA's rulemaking actions are to be effective 60 days from publication of this rule, unless the effective date is delayed as set forth below. In a separate document entitled “Proposed Effective Date Modification for the Determination of Nonattainment and Reclassification of the St. Louis Ozone Nonattainment Area; States of Missouri and Illinois,” published elsewhere in today's **Federal Register** , EPA is proposing to delay the effective date of this rule until June 29, 2001. EPA believes that, if St. Louis is reclassified, the proposed additional extension is necessary to allow regulated entities in St. Louis time to prepare for the new requirements that would become applicable in the area upon the effective date of the nonattainment determination and reclassification. During the period prior to the delayed effective date, EPA and the states would also continue to work towards completing a separate rulemaking on the issue of whether St. Louis should be granted an extension of its attainment date pursuant to EPA's Guidance on “Extension of Air Quality Attainment Dates for Downwind Transport Areas,” published March 25, 1999 (64 FR 14441). In its proposed action to modify the effective date of the determination and reclassification, EPA also states its intent to withdraw this final determination and reclassification, if EPA grants the states an attainment date extension before the effective date of the determination of nonattainment and reclassification. On March 8, 2001, EPA informed the District Court in *Sierra Club,* supra., of the actions that EPA intends to take, in response to the Court's Order, which included reaching a final determination on whether the area had attained by November 15, 1996, as required by the Court's Order, but proposing to postpone the date on which the determination (and consequent reclassification) would take effect until June 29, 2001. EPA also advised the Court that, if it approved an attainment date extension within the pre-effective period, it would withdraw today's determination and reclassification. In an Order dated March 9, 2001, the Court, indicating that its review was limited to whether EPA's planned course of action would contravene the Court's January 29 Order, as amended, noted that “EPA is required to reach a final determination by March 12, 2001, and to publish notice, if necessary under the CAA, by March 20, 2001. Under its alternative proposal, EPA will comply with these two elements.” Thus, EPA is today fully complying with the Court's Order while continuing to work with Missouri and Illinois to make progress towards final rulemaking action on an attainment date extension request for the St. Louis area. The states and EPA are in the final stages of completing the actions necessary for a final rule, and EPA believes that it is in the public interest to move forward to complete that rulemaking. Completion of the rulemaking prior to the effective date of today's action would allow EPA to assess and take into consideration the role of transported pollution in St. Louis' nonattainment problems, and to provide for an equitable distribution of responsibility for achieving attainment of the ozone standard in the area. In addition, concluding a rulemaking on the attainment date extension would allow EPA to make available to the St. Louis area the attainment date extension policy that EPA has applied in other areas affected by transport. Recently EPA issued three final rulemakings granting requests for attainment date extensions based on its policy in three ozone nonattainment areas: Washington, D.C., Greater Connecticut, and Springfield, Massachusetts. 66 FR 586 (January 3, 2001); 66 FR 634 (January 3 2001); 66 FR 666 (January 3, 2001). In addition, EPA has proposed granting attainment date extensions to Louisville, Kentucky, and Beaumont, Texas. 64 FR 27734 (May 21, 1999); 64 FR 12,854 (April 16, 1999); 65 FR 81,786 (December 27, 2000). Thus, EPA's rulemaking actions today should be viewed in the context of complying with the Court's Order in *Sierra Club* v. *Whitman* while continuing to conduct rulemaking on its nationwide program to address the role of transported air pollutants in ozone nonattainment areas. What Does the CAA Say About Determinations of Nonattainment and Reclassifications, and How Does it Apply to the St. Louis Area? Section 181(b)(2)(A) of the Act specifies that: Within 6 months following the applicable attainment date (including any extension thereof) for an ozone nonattainment area, the Administrator shall determine, based on the area's design value (as of the attainment date), whether the area attained the standard by that date. Except for any Severe or Extreme area, any area that the Administrator finds has not attained the standard by that date shall be reclassified by operation of law in accordance with table 1 of subsection
(a)to the higher of—
(i)the next higher classification for the area, or
(ii)the classification applicable to the area's design value as determined at the time of the notice required under subparagraph (B). No area shall be reclassified as Extreme under clause (ii). Pursuant to section 181(a)(5) of the CAA, a state may request, and EPA may grant, up to two one-year attainment date extensions if:
(1)The state has complied with the requirements and commitments pertaining to the applicable implementation plan for the area; and
(2)the area has measured no more than one exceedance of the ozone standard at any monitoring site in the nonattainment area in the year in which attainment is required. On October 2, 1996, Missouri submitted a request for a one-year extension of the attainment date. However, eight exceedances of the 1-hour ozone standard occurred in the St. Louis area in 1996 (refer to Table 4). Two of these exceedances occurred at the Alton monitoring site in Illinois. Although this was the only monitoring site recording more than one exceedance in 1996, under section 181(a)(5) of the Act, the St. Louis area failed to qualify for an attainment date extension based on 1996 air quality data. Table 3.—Ozone Exceedances in the St. Louis Area—1996 Site ID a Site Type b Date PPM Missouri Sites: Arnold—29-099-0012 SPM June 20, 1996 0.133 West Alton—29-183-1002 NAMS June 13, 1996 0.135 Orchard Farms—29-183-1004 SLAMS June 28, 1996 0.147 S. Lindbergh—29-189-0001 SLAMS June 20, 1996 0.130 S. Broadway—29-510-0007 SLAMS June 20, 1996 0.131 Illinois Sites: North Walcott—17-119-3007 SLAMS June 13, 1996 0.135 Alton—17-119-0008 SLAMS June 13, 1996 0.128 Alton—17-119-0008 SLAMS June 14, 1996 0.127 a The sequence of numbers in this column denote the monitoring sites' identification numbers within the Aerometric Information Retrieval System (AIRS). b SPM stands for Special Purpose Monitor. NAMS stands for National Air Monitoring Station. SLAMS stands for State and Local Air Monitoring Station. Once EPA determines an area has failed to attain the NAAQS and is not eligible for an attainment date extension under the provisions of section 181(a)(5), section 181(b)(2)(B) of the Act stipulates: The Administrator shall publish a notice in the **Federal Register** , no later than 6 months following the attainment date, identifying each area that the Administrator has determined under subparagraph
(A)as having failed to attain and identifying the reclassification, if any, described under subparagraph (A). Table 4 lists the average number of days when ambient ozone concentrations exceeded the 1-hour ozone standard at each monitoring site in the St. Louis area for the period 1994-1996. The ozone design value for each monitor is also listed for the same period. A complete listing of the ozone exceedances for each monitoring site, as well as EPA's calculations of the design values, can be found in the docket file. The data in Table 3 show that for 1994-1996, seven monitoring sites in the St. Louis area averaged more than one exceedance day per year. Therefore, pursuant to section 181(b)(2)(A) of the CAA, EPA is here making a final determination that the St. Louis area did not attain the 1-hour standard by the November 15, 1996, deadline. Note the air quality data in Table 4 were available for comment in our March 18, 1999, proposed finding of the area's failure to attain the ozone NAAQS. We received no comments pertaining to the accuracy of these data. Table 4.—Air Quality Monitoring Data for the St. Louis Area (1994-1996) Site Number of expected days over standard (1994-1996) Average number of expected exceedance days per year Site design value
(ppm)Missouri Sites: Arnold—29-099-0012 5.0 a 1.7 0.126 West Alton—29-183-1002 9.9 a 3.3 b 0.136 Orchard Farms—29-183-1004 3.6 a 1.2 0.133 South Lindbergh—29-189-0001 3.0 1.0 0.124 Queeny Park—29-189-0006 6.1 a 2.0 0.129 55 Hunter—29-189-3001 3.0 1.0 0.123 3400 Pershall—29-189-5001 3.0 1.0 0.118 Rock Road—29-189-7002 5.0 a 1.7 0.125 South Broadway—29-510-0007 1.0 0.3 0.108 River DesPeres c —29-510-0062 1.0 1.0 0.101 1122 Clark—29-510-0072 0.0 0.0 0.089 Newstead—29-510-0080 1.0 0.3 0.108 Illinois Sites: Alton—17-119-0008 4.0 a 1.3 0.127 West Division—17-119-1009 2.0 0.7 0.110 Poag Road—17-119-2007 3.1 1.0 0.124 North Walcott—17-119-3007 4.0 a 1.3 0.125 East St. Louis—17-163-0010 1.0 0.3 0.108 a In accordance with 40 CFR part 50, appendix H, a violation occurs when the average number of expected exceedances is greater than 1.05. b Represents the 1996 design value for the St. Louis area. c Site discontinued at end of 1995 ozone season. Why Did EPA Defer Making a Determination Regarding the St. Louis Area's Attainment Status Beyond the Timeframe Prescribed by the CAA? For some time, EPA has recognized that pollutant transport can impair an area's ability to meet air quality standards. In March 1995 a collaborative, Federal-state process to assess the ozone transport problem began. Through a two-year effort known as the Ozone Transport Assessment Group (OTAG), EPA worked in partnership with the 37 easternmost states and the District of Columbia, industry representatives, academia, and environmental groups to develop recommended strategies to address transport of ozone and ozone-forming pollutants across state boundaries. On November 7, 1997, EPA acted on OTAG's recommendations and issued a proposal (the proposed oxides of nitrogen (NO <sup>X</sup> ) SIP call, 62 FR 60318) requiring 22 states and the District of Columbia to submit state plans addressing the regional transport of ozone. These state plans, or SIPs, will decrease the transport of ozone across state boundaries in the eastern half of the United States by reducing emissions of nitrogen oxides (a precursor to ozone formation known as NO <sup>X</sup> ). EPA took final action on the NO <sup>X</sup> SIP call on October 27, 1998 (63 FR 57356). EPA expects the final NO <sup>X</sup> SIP call will assist many areas in attaining the 1-hour ozone standard. On July 16, 1998, in consideration of these factors and the realization that many areas are unable to meet the CAA-mandated attainment dates due to transport, EPA issued an attainment date extension policy. Under this policy, the attainment date for an area may be extended provided that the following criteria are met:
(1)The area is identified as a downwind area affected by transport from either an upwind area in the same state with a later attainment date, or an upwind area in another state that significantly contributes to downwind nonattainment (by “affected by transport,” EPA means an area whose air quality is affected by transport from an upwind area to a degree that affects the area's ability to attain);
(2)an approvable attainment demonstration is submitted along with any necessary, adopted local measures and with an attainment date that shows that the area will attain the 1-hour standard no later than the date that the reductions are expected from upwind areas under the final NO <sup>X</sup> SIP call and/or the statutory attainment date for upwind nonattainment areas, i.e., assuming the boundary conditions reflecting those upwind reductions;
(3)the area has adopted all applicable local measures required under the area's current classification and any additional measures necessary to demonstrate attainment, assuming the reductions occur as required in the upwind areas; and
(4)the area provides it will implement all adopted measures as expeditiously as practicable, but no later than the date by which the upwind reductions needed for attainment will be achieved (64 FR 14441, March 25, 1999). EPA contemplated that when it acted to approve such an area's attainment demonstration, it would, as necessary, extend that area's attainment date to a date appropriate for that area in light of the schedule for achieving the necessary upwind reductions. As a result, the area would no longer be subject to reclassification or “bump-up” for failure to attain by its original attainment date under section 181(b)(2). EPA's final NO <sup>X</sup> SIP call specifically noted that St. Louis' ability to meet the 1-hour ozone standard is impaired by pollutants transported from upwind areas. Therefore, EPA believes that the first of the transport criteria has been satisfied. However, before the St. Louis area could qualify for an attainment date extension under the extension policy, the remainder of the criteria specified in the extension policy would have to be met. In October 1998, EPA notified the Governors of Missouri and Illinois of the availability of the extension policy. EPA also requested that, if they wished to demonstrate their eligibility for the extension policy, the Governors respond to EPA with letters committing their respective states to meet the requirements necessary to qualify for an attainment date extension under the policy by November 15, 1999. On November 23, 1998, Missouri submitted a letter to EPA providing a commitment to meet the requirements of the extension policy. Similarly, on December 15, 1998, Illinois submitted a letter to EPA providing a commitment to meet the requirements of the extension policy. (EPA's letters notifying the Missouri and Illinois Governors of the extension policy, and the respective responses are included in the docket for this rulemaking.) As previously noted, on March 18, 1999, EPA proposed (64 FR 13384) its finding that the St. Louis area failed to attain the 1-hour ozone NAAQS by its attainment date and announced the area's potential eligibility for an attainment date extension under the extension policy. The area's eligibility was dependent in part, on EPA's approval of an attainment demonstration. On April 17, 2000, EPA proposed two alternative actions (65 FR 20404) with respect to the Illinois and Missouri 1-hour ozone attainment demonstration SIPs for the St. Louis area. Our proposed actions described the conditions that EPA anticipated would lead to final action on both alternatives. EPA proposed to approve the plans, with final approval contingent upon the states making certain additional submissions in accordance with a specified schedule. If these additional submissions were approved after further notice and comment, EPA would extend the St. Louis area's attainment date to a date consistent with the approved attainment demonstration. Under these circumstances, the area would retain its moderate nonattainment status. In other words, EPA proposed to defer the attainment determination required under section 181(b)(2)(B) of the Act until such time as the new, extended attainment date had passed. Alternatively, EPA proposed to disapprove the attainment demonstration SIPs if Illinois and Missouri did not make certain additional submissions in accordance with the specified schedule or such submissions were deemed unapprovable after notice and comment. Why Is This Action Necessary? In November 1998, the Sierra Club and the Missouri Coalition for the Environment filed a complaint in the United States District Court for the District of Columbia against EPA ( *Sierra Club* v. *Browner* (now *Sierra Club* v. *Whitman,* No. 98-2733 (CKK)) alleging that EPA failed to publish notice of the reclassification of the St. Louis area to “serious” nonattainment, and alleging failure of EPA to act on a number of SIP revisions submitted by Missouri to control ozone precursors. The states of Missouri and Illinois and a group of Missouri industry associations intervened in the litigation. With respect to the reclassification issue, EPA acknowledged that it had a duty to make a determination on the attainment status of the area by May 15, 1997, and that it had not made a determination. EPA asked the Court for a schedule for a final resolution of the reclassification which would allow the states to make the necessary submissions, and for EPA to determine whether the area could qualify for an attainment date extension. The Court dismissed all of the claims relating to failure of EPA to act on the Missouri SIP revisions. On the reclassification issue, the Court in an opinion and Order filed January 29, 2001, rejected the Sierra Club request that the Court order EPA to publish a particular determination (that the area failed to attain the standard) and rejected Sierra Club's request to make the determination retroactive to May 1997. However, the Court noted that the Act required that EPA make an attainment determination and that the determination was to have been made by May 15, 1997. The Court also noted that a “determination of nonattainment” would result in a higher classification by operation of law. The Court stated that it would require EPA to “reach its statutorily required determination promptly,” and ordered EPA to make its determination, no later than March 12, 2001, “whether the St. Louis NAA attained the requisite ozone standards.” It also ordered EPA to publish notice of the determination, as required by the Act, by March 12, 2001. EPA subsequently requested and the Court granted an extension to March 20, 2001, for publishing notice. Our final determination and this notice are in direct response to the Court's Order. What Progress Have Missouri and Illinois Made Towards Meeting the Requirements of the Attainment Date Extension Policy? Missouri and Illinois have met most of the requirements of the extension policy. Both states submitted and EPA has approved regulations or negative declarations fully addressing volatile organic compound
(VOC)reasonably available control technology
(RACT)controls for major VOC sources. Missouri submitted and EPA approved a regulation addressing NO <sup>X</sup> RACT within the Missouri portion of the nonattainment area (65 FR 31482) and utility NO <sup>X</sup> emissions across the state (65 FR 82285). Illinois has submitted a draft statewide NO <sup>X</sup> regulation addressing utility emissions and is on schedule to submit it in final form in April of this year. 2 Finally, Missouri and Illinois submitted a joint attainment demonstration as required. However, an August 31, 2000, decision rendered by the United States Court of Appeals for the D.C. Circuit, discussed later in this notice, necessitated further revisions to the attainment demonstration. Missouri has submitted its final attainment demonstration and Illinois is expected to submit a final attainment demonstration by April 2001. 2 In addition, Illinois is required to comply with the NO <sup>X</sup> SIP call. Missouri is not currently subject to the SIP call. The D.C. Circuit remanded to EPA the issue of the extent to which Missouri should be covered, and EPA has not yet responded to that remand. What Other Actions Have Illinois and Missouri Taken To Improve Air Quality in the St. Louis Area? EPA has approved, and Illinois has implemented, VOC emission reductions as part of the state's 15 percent Rate-of-Progress Plan (ROPP or 15 percent plan) (see 62 FR 66279). Illinois has implemented VOC controls including:
(1)Requiring the lowering of Reid Vapor Pressure of gasoline to 7.2 pounds per square inch (decreased volatility);
(2)transportation control measures;
(3)automobile refinishing emission control regulations;
(4)marine vessel loading emission control regulations;
(5)tightened RACT standards and emission cutoffs for various industrial source categories;
(6)underground gasoline storage tank breathing emission controls;
(7)organic chemical batch process RACT regulations; and
(8)expansion of basic vehicle inspection and maintenance (I/M) area coverage. Illinois has implemented an enhanced vehicle I/M program and cold-cleaner degreasing regulations, which should further reduce VOC emissions in the Illinois portion of the St. Louis area. Illinois has adopted and implemented a contingency plan resulting in additional VOC control measures. The state of Missouri has also taken a number of actions to improve air quality in the St. Louis area. As part of its approved 15 percent ROPP (65 FR 31485), 3 the state adopted many of the same VOC RACT regulations as Illinois. Missouri has also adopted and implemented a contingency plan which included additional VOC control measures. In July 1998, the Governor of Missouri chose to participate in the Federal reformulated gasoline
(RFG)program. EPA established an implementation date for RFG based on the Governor's request in a **Federal Register** notice published on March 3, 1999 (64 FR 10366). In addition, the state of Missouri has implemented an upgraded I/M program for motor vehicles which EPA approved on May 18, 2000 (65 FR 31480). This program is a major part of the 15 percent ROPP and will result in a significant reduction in emissions when fully implemented in the coming years. EPA also notes that Missouri implemented a Stage II vapor recovery program in the 1980s to reduce emissions which occur during the refueling of gasoline-powered vehicles. 3 A petition for review of EPA's approval of the 15 percent ROPP is currently pending in the 8th Circuit Court of Appeals (Sierra Club, et al. v. USEPA, No. 00-2744). What Is the Area's New Classification? Section 181(b)(2)(A) of the Act requires that, when an area is reclassified for failure to attain, its reclassification be the higher of the next higher classification or the classification applicable to the area's ozone design value at the time the notice of reclassification is published in the **Federal Register** . The design value for the St. Louis area for 1994-1996, i.e., the period on which the Act prescribes the area's attainment status must be judged, was 0.136 ppm. The design value of the St. Louis area at the time of the proposed finding of failure to attain was based on air quality monitoring data from 1996 through 1998. The design value for the most recent compliance period, 1998-2000, is 0.127 ppm. This design value of 0.127 ppm falls within the range linked to classification of “marginal” nonattainment. By contrast, the next higher classification for the St. Louis area is “serious” nonattainment. Since “serious” is a higher nonattainment classification than “marginal,” under the statutory scheme prescribed by the Act, the area is reclassified to serious nonattainment on the effective date of this rule. Refer to Tables 5 and 6 below. Table 5.—Air Quality Monitoring Data for the ST. Louis Area (1996-1998) Site Number of expected days over standard (1996-1998) Average number of expected exceedance days per year Site design value
(ppm)Missouri Sites: Arnold 29-099-0012 3.0 1.0 0.118 West Alton 29-183-1002 4.0 a 1.3 b 0.131 Orchard Farms 29-183-1004 2.1 0.7 0.118 Bonne Terre c 29-186-0005 1.0 0.3 0.106 South Lindberg 29-189-0001 3.2 a 1.1 0.119 Queeny Park 29-189-0006 1.0 0.3 0.110 55 Hunter 29-189-3001 1.0 0.3 0.109 3400 Pershall 29-189-5001 2.0 0.7 0.117 Rock Road 29-189-7002 1.0 0.3 0.116 South Broadway 29-510-0007 2.0 0.7 0.107 1122 Clark 29-510-0072 1.0 0.3 0.094 Newstead 29-510-0080 0.0 0.0 0.107 Illinois Sites: Alton 17-119-0008 2.0 0.7 0.116 West Division 17-119-1009 0.0 0.0 0.110 Poag Road 17-119-2007 1.0 0.3 0.118 North Walcott 17-119-3007 2.0 0.7 0.117 East St. Louis 17-163-0010 1.0 0.3 0.101 a A violation occurs when the average number of expected exceedances is greater than 1.05. b Represents the 1996-1998 design value for the St. Louis Area. c Site initiated sampling at the beginning of ozone season (April 1) 1996. Table 6.—Air Quality Monitoring Data for the ST. Louis Area (1998-2000) Site Number of expected days over standard (1998-2000) Average number of expected exceedance days per year Site design value
(ppm)Missouri Sites: Arnold 29-099-0012 2.0 0.7 0.122 West Alton 29-183-1002 6.2 a 2.1 b 0.127 Orchard Farms 29-183-1004 3.1 1.0 0.124 Bonne Terre 29-186-0005 0.0 0.0 0.114 South Lindberg 29-189-0001 1.2 0.4 0.116 Queeny Park 29-189-0006 2.0 0.7 0.116 55 Hunter 29-189-3001 2.0 0.7 0.110 3400 Pershall 29-189-5001 2.0 0.7 0.118 Rock Road 29-189-7002 2.0 0.7 0.122 South Broadway 29-510-0007 1.0 0.3 0.107 1122 Clark 29-510-0072 2.0 0.7 0.105 Newstead c 29-510-0080 0.0 0.0 0.112 Margaretta d 29-510-0086 0.0 0.0 0.107 Illinois Sites: Alton 17-119-0008 1.0 0.3 0.112 West Division 17-119-1009 0.0 0.0 0.113 Poag Road 17-119-2007 0.0 0.0 0.114 North Walcott 17-119-3007 1.0 0.3 0.112 East St. Louis 17-163-0010 1.0 0.3 0.110 a A violation occurs when the average number of expected exceedances is greater than 1.05. b Represents the 1998-2000 design value for the St. Louis Area. c Site discontinued at end of 1999 ozone season. d Site initiated sampling at the beginning of ozone season (April 1) 2000. What Is the New Attainment Date for the St. Louis Area? Under section 181(a)(1) of the Act, the new attainment deadline for moderate ozone nonattainment areas reclassified to serious under section 181(b)(2) would generally be as expeditious as practicable but no later than the date applicable to the new classification, i.e., November 15, 1999. However, for the reasons given above, EPA did not finalize the determination and reclassification prior to November 15, 1999. As the Court acknowledged in its opinion, it is too late for the area to demonstrate attainment by that date. In our March 18, 1999, proposal, we recognized that November 1999, would not be a realistic attainment date and expressed our belief that we need to establish an appropriate attainment date (later than November 1999) for the area in the event of a reclassification. Thus, we discussed and invited comment regarding options for establishing a new attainment date. These options were based on our belief that the new attainment date should be as expeditious as practicable, taking into account any pertinent factors. Section 182(i) states that the Administrator may adjust applicable deadlines (other than attainment dates) to the extent such adjustment is necessary or appropriate to ensure consistency for submission of the new requirements 4 applicable to an area which has been reclassified. Where an attainment date has already passed and is therefore impossible to meet, EPA reasoned that the Administrator may establish an attainment date later than the date that has passed since it is impossible to achieve attainment by that date. EPA also noted another provision of the Act, section 110(k)(5), pertaining to findings of SIP inadequacy, which allows the Administrator to adjust attainment dates when such dates have passed. Although this latter provision is not directly applicable to a reclassification, EPA believes that the provision illustrates a recognition by Congress of limited instances in which it becomes necessary to adjust attainment dates, particularly where it is otherwise impossible to meet the statutory date. When making such adjustments, EPA believes that it must establish a new date in accordance with the principle that attainment must be achieved as expeditiously as practicable. 4 An area reclassified to serious is required to submit SIP revisions addressing the serious area requirements for the 1-hour ozone standard listed in section 182(c) of the CAA. One option, as discussed in the proposal, is to construct a schedule consistent with recent reclassifications of other areas. EPA reclassified other moderate ozone nonattainment areas, including Phoenix, Arizona; Santa Barbara, California; and Dallas-Fort Worth, Texas; on November 6, 1997, December 10, 1997, and February 18, 1998, respectively (62 FR 60001, 62 FR 65025, and 63 FR 8128). In these cases, the new attainment date was November 15, 1999. The most recent reclassification was for the Dallas-Fort Worth area. EPA published the notice reclassifying this area on February 18, 1998, thereby providing approximately 21 months for the area to attain the standard. EPA thus proposed that an approach consistent with that of the Dallas-Fort Worth area might constitute an adequate period for a moderate nonattainment area to attain the standard where the new attainment date had not yet lapsed but where there was less time remaining than the Act had contemplated. EPA thus suggested, as one option, an attainment date in keeping with the time frame allowed for the Dallas-Fort Worth area, i.e., 21 months from publication of the final reclassification notice. Another option discussed in the proposal allowed for the consideration of the impacts of pollutant transport. In other words, the new attainment date would coincide with the date set for upwind area reductions under the NO <sup>X</sup> SIP call, which at the time was 2003. 5 In proposing this option, EPA reasoned that Congress did not intend to impose on a nonattainment area the entire responsibility for the transported pollution the nonattainment area receives. This solution imposes more stringent controls on local sources, but allows upwind controls to come into place prior to attainment. In the NO <sup>X</sup> SIP call rulemaking, EPA found that, overall, 17 percent of the ozone nonattainment in St. Louis comes from emissions in upwind states (Air Quality Modeling Technical Support Document
(TSD)for the NO <sup>X</sup> SIP Call, Docket Item VI-B-11, electronically available at www.epa.gov/ttn/oarpg/otag/aqtsd). In terms of individual upwind states, EPA found that emissions from Kentucky make a significant contribution to 1-hour ozone nonattainment in the St. Louis nonattainment area. The magnitude, frequency, and relative amount of contributions from Kentucky to St. Louis are described in the TSD for each of the two modeling techniques relied on for the NO <sup>X</sup> SIP call rulemaking. As an example, based on source apportionment modeling, Kentucky contributes 5 parts per billion (ppb), to 14 percent of the 1-hour exceedances predicted in St. Louis. Also, the highest daily average 1-hour contribution from Kentucky to St. Louis is 5 ppb which is 4 percent of the average 1-hour ozone concentration >=125 ppb in St. Louis on that day. Based on independent technique, Kentucky contributes at least 2 ppb to 36 percent of the 1-hour exceedances in St. Louis with a maximum contribution of 4 ppb. EPA received comments on the appropriate attainment date for the area. The comments and EPA's responses can be found in a separate section of this document. 5 On August 30, 2000, the United States Court of Appeals for the D.C. Circuit issued an Order ( *Michigan* v. *EPA,* No. 98-1497, August 30, 2000) extending the compliance date for the NO <sup>X</sup> SIP call from May 1, 2003, to May 31, 2004. (The merits of the NO <sup>X</sup> SIP call rule were addressed, and the rule generally upheld, in *Michigan* v. *EPA,* 213F.3d663 (D.C. Cir. 2000), cert. Den., 532 U.S. _ (2001)). The effect of this ruling is that the regional NO <sup>X</sup> emission reductions relied on in the attainment demonstration cannot be assumed to occur before the Court-ordered compliance date. Upon consideration of the comments, EPA has decided that an attainment date which is as expeditiously as practicable and accounts for the upwind reductions associated with the NO <sup>X</sup> SIP call is the most appropriate. Therefore, we are establishing November 15, 2004, as the next applicable attainment date for the St. Louis area. Doing so ensures that the next determination with respect to the area's attainment status will be based on air quality data that reflect improvements that result both from local control measures and implementation of the NO <sup>X</sup> SIP call, which now has a compliance date of May 31, 2004. When Must Missouri and Illinois Submit SIP Revisions Fulfilling the Requirements for Serious Ozone Nonattainment Areas? In addition to establishing a new attainment date, EPA must also address the schedule by which Illinois and Missouri are required to submit SIP revisions meeting the CAA's pollution control requirements for serious areas. An option on which EPA invited comments (64 FR 13384), is to require that the states submit SIP revisions fulfilling all of the serious area requirements, no later than one year after final action on the reclassification. The measures required by section 182(c) of the CAA include, but are not limited to, the following:
(1)Attainment and reasonable further progress demonstrations;
(2)enhanced vehicle I/M programs;
(3)clean-fuel vehicle programs;
(4)the major source threshold being defined as 50 tons per year;
(5)more stringent new source review requirements;
(6)an enhanced air monitoring program; and
(7)contingency provisions. Illinois submitted a comment supporting a deadline of 12 months for submittal of the SIP revisions meeting the CAA's pollution control requirements for serious areas and EPA received no adverse comments on the 12-month option. EPA believes that a submittal deadline of 12 months after the effective date of the determination and reclassification will give the states adequate time to adopt and submit the additional serious area requirements. EPA also notes that the 12-month deadline is consistent with the time given to other areas (such as Dallas-Fort Worth, Phoenix, and Santa Barbara) which were reclassified from moderate to serious. Therefore, EPA is requiring Missouri and Illinois to submit SIP revisions addressing the Act's pollution control requirements for serious ozone nonattainment areas within 12 months of the effective date of this rule. What Comments Were Received on the Proposed Determination of Nonattainment and Reclassification, and How Has EPA Responded? EPA received comments on the proposed Clean Air Reclassification and Notice of Potential Eligibility for Attainment Date Extension, Missouri and Illinois, dated March 18, 1999 (64 FR 13384). Comments were submitted by Lewis C. Green and Douglas R. Williams on behalf of the Sierra Club and the Missouri Coalition for the Environment, by the Illinois Environmental Protection Agency, and by the Missouri Department of Natural Resources. EPA also received comments on the proposed approval of the Illinois and Missouri attainment demonstration and request for attainment date extension dated April 17, 2000 (65 FR 20404). Comments on the latter notice were submitted by Lewis C. Green on behalf of the Sierra Club and the Missouri Coalition for the Environment (which also incorporated comments dated March 20, 2000, submitted in response to EPA's proposed rulemaking on Missouri's ROPP, 65 FR 8083, February 17, 2000), by the St. Louis Regional Chamber and Growth Association, and by the Illinois Environmental Protection Agency. Although the April 17, 2000, proposal includes some issues beyond the scope of the March 18, 1999, proposed reclassification (and EPA is not acting on that proposal in this action), some of the comments are relevant to the March 18, 1999, proposal. Therefore, in this action EPA is addressing the relevant comments on the March 18, 1999, proposal and the relevant comments on the April 17, 2000, proposal. A summary of the comments, and EPA's responses to the comments, is provided below. Comments Relating to Necessity and Scope of a Reclassification *Comment 1:* In a multistate area, EPA should consider severing the area for reclassification purposes if one state is attaining the standard. In addition, where one state has “complied with all statutory requirements,” EPA should use the provisions of the Act “to address recalcitrance prior to imposing a reclassification that affects compliant states as well as recalcitrant states.” *Response 1:* As required by section 181(b)(2)(A) and consistent with the Court's Order (Memorandum Opinion, p. 20, discussing EPA's duty to determine whether the St. Louis nonattainment area failed to attain by November 15, 1996), EPA must determine the attainment status of the St. Louis nonattainment area as of the statutory attainment date, based on the air quality data for the area. The provisions of the Act relating to failure to attain refer to the “ozone nonattainment area” (section 181(b)(2)(A)) which, for St. Louis, includes geographic areas in Missouri and Illinois (see 40 CFR 81.326 and 81.314). The reclassification provision is silent with respect to treatment of multistate ozone nonattainment areas. As explained in the proposal (p. 13,386, Table 3), the 1994-1996 data (on which the attainment determination for 1996 is based) show violations at area monitors in both Missouri and Illinois. Therefore, the data do not support dividing the nonattainment area for reclassification, even if there were a policy and legal basis for doing so. At this time, EPA does not believe there is either a policy or legal basis which justifies dividing a nonattainment area for reclassification purposes. The commenter did not specify any particular instance of “recalcitrance” or indicate how that factor could be considered in making a determination under section 181(b)(2)(A) of the Act. The Act does contain a mechanism, in section 182(j)(2), by which one state in a multistate area can be relieved of liability for sanctions under section 179 of the Act for failure to demonstrate attainment, if it can show that its failure is based on a failure of another state to adopt all controls required of the area under section 182. However, the Act does not contain any express link between section 182(j)(2) and section 181(b)(2)(A). Even if there were an implicit link, EPA does not believe that allegations of “recalcitrance” should influence its attainment determination for the St. Louis area, and has not considered that factor in its final decision. *Comment 2:* The “serious” area controls are unnecessary for attainment, unduly burdensome on business and economic growth in the area, and will not result in attainment any sooner in the St. Louis area. *Response 2:* Under section 181(b)(2)(A), the attainment determination is made solely on the basis of air quality data, and any reclassification is by operation of law. If an area is reclassified to “serious,” the requirements of 182(c) apply regardless of whether some of the requirements are not “necessary” for attainment. EPA notes that Illinois and Missouri are in the process of developing and finalizing their attainment demonstrations, and Illinois is finalizing regulations for the attainment demonstration control strategy for the area (see 65 FR 8083, April 17, 2000, for a description of the specific revisions to the attainment demonstration and control strategy which EPA has identified as necessary for a final decision on the attainment demonstration). No final determinations have been made by EPA concerning whether the currently planned and adopted control measures are adequate. Therefore, even if the Act allowed EPA to assess the need, or lack thereof, for additional local measures (which it does not), it is premature to conclude that the additional “serious area” control measures are unnecessary for attainment. With respect to the perceived burden imposed on industry by the serious area requirements, EPA notes that the serious area planning requirements are imposed by section 182(c) of the CAA and the economic impact of a reclassification is not a consideration in making the attainment determination under section 181(b)(2) of the Act. It is, however, appropriate for the states to consider specific economic impacts in meeting the planning requirements of section 182(c) and in developing specific regulatory requirements for specific sources. *Comment 3:* EPA should grant an attainment date extension to the St. Louis area, based on EPA's transport-based attainment date extension guidance. *Response 3:* EPA was in the process of working with the states of Missouri and Illinois to undertake the actions necessary for the area to qualify for the attainment date extension when the United States District Court for the District of Columbia issued its Order in *Sierra Club* v. *Whitman,* requiring EPA to make a determination of attainment or nonattainment by March 12, 2001. EPA's request to the Court for additional time to allow the area an opportunity to qualify for the attainment date extension was pending when the Court ruled that EPA must make its determination of attainment. EPA cannot finalize the attainment date extension by the time the Court has ordered EPA to act. Despite the efforts of the states and the substantial progress made to date, some submissions necessary for approval of the attainment date extension, including an approvable attainment demonstration, will not be submitted for final EPA approval prior to the time that EPA must act pursuant to the Court's Order. Because EPA is unable to authorize an attainment date extension that meets the criteria set forth in its guidance prior to the deadline set by the Court to make a determination of attainment or nonattainment, EPA must abide by the existing deadline for attainment in making the Court-ordered determination. EPA, in its Court filings, repeatedly sought to obtain additional time for the states to qualify for the attainment date extension, and regrets that this avenue is not open to the states and the Agency prior to the time that EPA must make its determination. However, as explained above, in a separate **Federal Register** document EPA is proposing to delay the effective date of today's determination of nonattainment and reclassification to June 29, 2001. EPA today announces its intent to propose to withdraw today's determination of nonattainment and reclassification if EPA approves an attainment date extension before the effective date of today's action. *Comment 4:* A commenter argued that EPA had previously determined that St. Louis failed to attain the 1-hour ozone standard by its attainment date of 1996, and that the area has already been reclassified “by operation of law” to a serious ozone nonattainment area pursuant to section 181(b)(2)(a). The commenter also contended that EPA “has no authority to ‘propose’ findings conditional upon the happening of other events.” *Response 4:* Commenters presented these arguments in *Sierra Club* v. *Whitman,* where EPA addressed them in detail in memoranda filed with that Court. The Court in its Opinion of January 29, 2001, rejected these arguments. The Court ruled, contrary to commenters' contentions, that EPA had not previously made a determination of nonattainment, cognizable under the statutory provisions regarding reclassification, that the area had not previously been reclassified, and that any determination made by EPA in the future should not apply retroactively. See Slip Opinion at 13-31. The Court further upheld EPA's view that the reclassification provisions of the CAA call for public notice and comment rulemaking. EPA believes that EPA's public filings and the ruling of the Court in *Sierra Club* v. *Whitman* address these comments and show that the arguments advanced by the commenters do not undermine EPA's actions in this rulemaking. *Comment 5:* Sierra Club and the Missouri Coalition for the Environment submitted comments on EPA's transport-based attainment date extension policy, published March 25, 1999. Many of them were critical of the policy and its legal bases. *Response 5:* Because EPA is not applying the attainment date extension policy here, EPA need not address those comments. However, responses to comments received on the policy can be found in the rulemakings approving attainment date extensions for Washington, DC, Greater Connecticut, and Springfield, Massachusetts, published January 3, 2001 (66 FR 586, 66 FR 634, 66 FR 666, respectively). Comments Relating to the Attainment Date Upon Reclassification Summary of Proposal In the March 18, 1999, proposed reclassification, EPA took comment on what the attainment date should be if the area is reclassified. EPA noted that the statutory attainment date for serious areas was November 15, 1999, but explained that, since it would be impossible for the states to meet that date, EPA was proposing options for later dates (see 64 FR 13390 for a more detailed explanation of this issue). One option was to set an attainment date which was 21 months after the effective date of the reclassification, based on the amount of time provided for attainment in EPA's most recent reclassification of a moderate ozone nonattainment area. Another option was to set a date based on the recognition that the St. Louis area is affected by transport, and establish the attainment date consistent with the compliance date for EPA's NO <sup>X</sup> SIP call rule (which, at the time of the March 18, 1999, proposal was 2003). No comments were submitted on the impossibility of attaining by 1999 or on the need to set an attainment date after 1999 for the reclassified area. Comments were received regarding what date after 1999 would be appropriate. *Comment:* Both states submitted comments supporting an attainment date which considers transport, stating that the attainment date for the reclassified area should be no sooner than the compliance date for the NO <sup>X</sup> SIP call. Both states also commented that the alternative attainment date of 21 months was insufficient to allow adequate time to adopt and implement the required local measures, and also did not allow time for implementation of the controls needed to resolve the transport problem. Illinois also recommended an attainment date at least three years after implementation of all controls (including transport controls) needed for attainment, consistent with the three-year averaging period through the attainment year for determining attainment of the ozone standard. *Response:* In response to the Illinois recommendation that the attainment date should be 2005, or three years after implementation of all controls needed for attainment, EPA has decided not to accept the recommendation. An attainment date three years after implementation of all control measures would not be consistent with past practice of EPA in setting attainment dates. Most recently, in establishing attainment dates for the Washington D.C., Greater Connecticut, and Springfield, Massachusetts, areas (in the January 3, 2001, rules cited above), EPA set attainment dates based on when the NO <sup>X</sup> controls would be in place, rather than a later date along the lines recommended by Illinois. In addition, section 181(a)(5) provides a mechanism to obtain no more than two one-year extensions of the attainment date under certain conditions if the area does not have the requisite three years of air quality data showing attainment in the attainment year. An extension would be available under this provision upon a showing that all local SIP controls have been implemented and no more than one exceedance of the ozone standard has been recorded in the attainment year. After considering the comments, EPA has determined that it is appropriate to establish an attainment date which takes into account the impact of transport on the area. As proposed, this date will coincide with the date by which sources will be required to comply with the NO <sup>X</sup> SIP call. In the proposal, EPA indicated that this date is in 2003, consistent with the NO <sup>X</sup> SIP call compliance date at the time of the March 1999 proposal. However, subsequent to the proposal, the SIP call compliance date was extended by the Court of Appeals for the D.C. Circuit ( *Michigan* v. *EPA,* No. 98-1497, D.C. Cir. August 30, 2000) to May 31, 2004. Consistent with the rationale in the proposal, EPA has determined that the attainment date for the St. Louis area should be as expeditious as practicable but no later than November 15, 2004. 6 This is also consistent with the District Court's Opinion in the *Sierra Club* case. In its Opinion, the Court noted that a retroactive reclassification, “* * * would carry with it a battery of new requirements, * * * including a new inflexible, and expired attainment date of November 15, 1999 [citation omitted].” By possibly imposing a new classification that carries with it a deadline that has already expired, the Court could potentially expose the state of Missouri to a variety of sanctions for failing to comply promptly and adequately [citation omitted].” (Opinion at page 29.) 6 The latest date could extend to November 2004 to allow time for the NO <sup>X</sup> emissions reductions mandated by the NO <sup>X</sup> SIP call to produce their ozone-reducing effect during the 2004 summer ozone season before assessing whether attainment-level reductions have occurred. Those reductions are required to begin no later than May 31, 2004. Therefore, EPA is establishing an attainment date which must be as expeditious as practicable, but no later than November 15, 2004. If the submissions by Missouri and Illinois required as a result of the reclassification indicate that the area can practicably attain sooner than November 2004, EPA would adjust the date to reflect the earlier date, consistent with section 181(a)(1) of the Act. Comments Relating to the SIP Submission Date *Comment:* One state commenter supported EPA's proposal to set a submission date 12 months after the effective date of the reclassification. No other comments were submitted regarding this issue. *Response:* As previously explained, EPA is establishing a 12-month deadline for submission of the serious area requirements because it provides a reasonable amount of time for the submissions and is consistent with previous reclassifications. Administrative Requirements A. Executive Order 12866 Under Executive Order 12866 (58 FR 51735 (October 4, 1993)), EPA is required to determine whether regulatory actions are significant and therefore should be subject to Office of Management and Budget
(OMB)review, economic analysis, and the requirements of the Executive Order. The Executive Order defines a “significant regulatory action” as one that is likely to result in a rule that may meet at least one of the four criteria identified in section 3(f), including, under paragraph (1), that the rule may “have an annual effect on the economy of $100 million or more or adversely affect, in a material way, the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local or tribal governments or communities.” The Agency has determined that the determination of nonattainment would result in none of the effects identified in section 3(f) of the Executive Order. Under section 181(b)(2) of the CAA, determinations of nonattainment are based upon air quality considerations and the resulting reclassifications must occur by operation of law. They do not, in and of themselves, impose any new requirements on any sectors of the economy. In addition, because the statutory requirements are clearly defined with respect to the differently classified areas, and because those requirements are automatically triggered by classifications that, in turn, are triggered by air quality values, determinations of nonattainment and reclassification cannot be said to impose a materially adverse impact on state, local, or tribal governments or communities. B. Executive Order 13045 Executive Order 13045, Protection of Children from Environmental Health Risks and Safety Risks (62 FR 19885, April 23, 1997), applies to any rule that:
(1)Is determined to be economically significant as defined under Executive Order 12866, and
(2)concerns an environmental health or safety risk that EPA has reason to believe may have a disproportionate effect on children. If the regulatory action meets both criteria, the Agency must evaluate the environmental health or safety effects of the planned rule on children, and explain why the planned regulation is preferable to other potentially effective and reasonably feasible alternatives considered by the Agency. This action is not subject to Executive Order 13045 because this is not an economically significant regulatory action as defined by Executive Order 12866. C. Executive Order 13175 On November 6, 2000, the President issued Executive Order 13175 (65 FR 67249) entitled “Consultation and Coordination with Indian Tribal Governments.” Executive Order 13175 took effect on January 6, 2001, and revokes Executive Order 13084 (Tribal Consultation) as of that date. EPA developed this final rule, however, during the period when Executive Order 13084 was in effect; thus, EPA addressed tribal considerations under Executive Order 13084. Under Executive Order 13084, Consultation and Coordination with Indian Tribal Governments, EPA may not issue a regulation that is not required by statute, that significantly or uniquely affects the communities of Indian tribal governments, and that imposes substantial direct compliance costs on those communities, unless the Federal Government provides the funds necessary to pay the direct compliance costs incurred by the tribal governments, or EPA consults with those governments. If EPA complies by consulting, Executive Order 13084 requires EPA to provide OMB, in a separately identified section of the preamble to the rule, a description of the extent of EPA's prior consultation with representatives of affected tribal governments, a summary of the nature of their concerns, and a statement supporting the need to issue the regulation. In addition, Executive Order 13084 requires EPA to develop an effective process permitting elected officials and other representatives of Indian tribal governments to provide meaningful and timely input in the development of regulatory policies on matters that significantly or uniquely affect their communities. Today's finding of failure to attain does not significantly or uniquely affect the communities of Indian tribal governments. Accordingly, the requirements of section 3(b) of Executive Order 13084 do not apply to this finding of failure to attain. D. Regulatory Flexibility Act The Regulatory Flexibility Act
(RFA)generally requires an agency to conduct a regulatory flexibility analysis of any rule subject to notice and comment rulemaking requirements unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. Small entities include small businesses, small not-for-profit enterprises, and small governmental jurisdictions. Determinations of nonattainment and the resulting reclassification of nonattainment areas by operation of law under section 181(b)(2) of the CAA do not in and of themselves create any new requirements. Instead, this rulemaking only makes a factual determination, and does not directly regulate any entities. See 62 FR 60001, 60007-8, and 60010 (November 6, 1997) for additional analysis of the RFA implications of attainment determinations. Therefore, pursuant to 5 U.S.C. 605(b), I certify that today's final action does not have a significant impact on a substantial number of small entities within the meaning of those terms for RFA purposes. E. Unfunded Mandates Reform Act Under section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA), signed into law on March 22, 1995, EPA must prepare a budgetary impact statement to accompany any proposed or final rule that includes a Federal mandate that may result in estimated annual costs to state, local, or tribal governments in the aggregate, or to the private sector, of $100 million or more. Under section 205, EPA must select the most cost-effective and least burdensome alternative that achieves the objectives of the rule and is consistent with statutory requirements. Section 203 requires EPA to establish a plan for informing and advising any small governments that may be significantly or uniquely impacted by the rule. EPA believes, as discussed above, that the finding of nonattainment is a factual determination based upon air quality considerations and that the resulting reclassification of the area must occur by operation of law. Thus, the finding does not constitute a Federal mandate, as defined in section 101 of the UMRA, because it does not impose an enforceable duty on any entity. F. Executive Order 13132 Executive Order 13132, entitled Federalism (64 FR 43255, August 10, 1999) requires EPA to develop an accountable process to ensure “meaningful and timely input by state and local officials in the development of regulatory policies that have federalism implications.” “Policies that have federalism implications” is defined in the Executive Order to include regulations that have “substantial direct effects on the states, on the relationship between the national government and the states, or on the distribution of power and responsibilities among the various levels of government.” Under Executive Order 13132, EPA may not issue a regulation that has federalism implications, that imposes substantial direct compliance costs, and that is not required by statute, unless the Federal Government provides the funds necessary to pay the direct compliance costs incurred by state and local governments, or EPA consults with state and local officials early in the process of developing the proposed regulation. EPA also may not issue a regulation that has federalism implications and that preempts state law unless the Agency consults with state and local officials early in the process of developing the proposed regulation. This determination of nonattainment and the resulting reclassification of a nonattainment area by operation of law will not have substantial direct effects on the states, on the relationship between the national government and the states, or on the distribution of power and responsibilities among the various levels of government, as specified in Executive Order 13132 (64 FR 43255, August 10, 1999), because this action does not, in and of itself, impose any new requirements on any sectors of the economy, and does not alter the relationship or the distribution of power and responsibilities established in the CAA. Thus, the requirements of section 6 of the Executive Order do not apply to these actions. G. National Technology Transfer and Advancement Act Section 12(d) of the National Technology Transfer and Advancement Act of 1995 (NTTAA), Public Law 104-113, section 12(d) (15 U.S.C. 272 note) directs EPA to use voluntary consensus standards in its regulatory activities unless to do so would be inconsistent with applicable law or otherwise impractical. Voluntary consensus standards are technical standards (e.g., materials specifications, test methods, sampling procedures, and business practices) that are developed or adopted by voluntary consensus standards bodies. The NTTAA directs EPA to provide Congress, through OMB, explanations when the Agency decides not to use available and applicable voluntary consensus standards. This action does not involved technical standards. Therefore, EPA did not consider the use of any voluntary consensus standards. H. Submission to Congress and Comptroller General The Congressional Review Act, 5 U.S.C. 801 *et seq.* , as added by the Small Business Regulatory Enforcement Fairness Act of 1996, generally provides that before a rule may take effect, the agency promulgating the rule must submit a rule report, which includes a copy of the rule, to each House of the Congress and to the Comptroller General of the United States. EPA will submit a report containing this rule and other required information to the United States Senate, the United States House of Representatives, and the Comptroller General of the United States prior to publication of the rule in the **Federal Register** . A major rule cannot take effect until 60 days after it is published in the **Federal Register** . This action is not a “major rule” as defined by 5 U.S.C. 804(2). I. Petitions for Judicial Review Under section 307(b)(1) of the CAA, petitions for judicial review of this action must be filed in the United States Court of Appeals for the appropriate circuit by May 18, 2001. Filing a petition for reconsideration by the Administrator of this final rule does not affect the finality of this rule for the purposes of judicial review nor does it extend the time within which a petition for judicial review may be filed, and shall not postpone the effectiveness of such rule or action. This action may not be challenged later in proceedings to enforce its requirements. See CAA section 307(b)(2). List of Subjects in 40 CFR Part 81 Environmental protection, Air pollution control, National parks, Wilderness areas. Dated: March 12, 2001. William Rice, Acting Regional Administrator, Region 7. Accordingly, 40 CFR part 81 is amended as follows: PART 81—[AMENDED] 1. The authority citation for part 81 continues to read as follows: Authority: 42 U.S.C. 7401, *et seq.* 2. Section 81.314 is amended by revising the ozone table entry for the St. Louis Area to read as follows: § 81.314 Illinois. Illinois—Ozone (1-Hour Standard) Designated area Designation Date 1 Type 2 Classification Date 1 Type * * * * * * * St. Louis Area: Madison County May 18, 2001 Nonattainment May 18, 2001 Serious Monroe County May 18, 2001 Nonattainment May 18 2001 Serious St. Clair County May 18, 2001 Nonattainment May 18, 2001 Serious * * * * * * * 1 This date is October 18, 2000, unless otherwise noted. 3. Section 81.326 is amended by revising the ozone table entry for the St. Louis area to read as follows: § 81.326 Missouri. Missouri—Ozone (1-Hour Standard) Designated area Designation Date 1 Type 2 Classification Date 1 Type * * * * * * * St. Louis Area: Franklin County May 18, 2001 Nonattainment May 18, 2001 Serious Jefferson County May 18, 2001 Nonattainment May 18, 2001 Serious St. Charles County May 18, 2001 Nonattainment May 18, 2001 Serious St. Louis May 18, 2001 Nonattainment May 18, 2001 Serious St. Louis County May 18, 2001 Nonattainment May 18, 2001 Serious * * * * * * * 1 This date is October 18, 2000, unless otherwise noted. [FR Doc. 01-6621 Filed 3-16-01; 8:45 am]
Connectionstraces to 32
Traces to 32 documents
U.S. Code
- Short title§ 1
- Monopolizing trade a felony; penalty§ 2
- Jurisdiction of Commission; liability of principal for act of agent; Commodity Futures Trading Commission; transaction in interstate commerce§ 2
- Definitions§ 1320d
- Use of mails or other means or instrumentalities of interstate commerce by commodity trading advisors and commodity pool operators; relation to other law§ 6m
- Records maintained on individuals§ 552a
- Definitions; rules of construction§ 1681a
- Interests in nonbanking organizations§ 1843
- Purposes§ 3501
- Public information collection activities; submission to Director; approval and delegation§ 3507
- Definitions§ 601
- Protection of nonpublic personal information§ 6801
- DEFINITIONS.§ 2001
- Definitions§ 3401
- Congressional findings and statement of purpose§ 1681
- Avoidance of duplicative or unnecessary analyses§ 605
- Establishment, functions, and activities§ 272
- SHORT TITLE.§ 801
- EXPEDITED PROCESSING OF REQUESTS FOR JAPANESE IMPERIAL GOVERNMENT RECORDS.§ 804
- Congressional findings and declaration of purpose§ 7401
CFR
- Exemption from registration as a commodity pool operator.§ 4.13
- Exemption from registration as a commodity trading advisor.§ 4.14
- Definitions.§ 248.3
- What activities are permissible for any financial holding company?§ 225.86
- Required delivery of pool Disclosure Document.§ 4.21
- Required delivery of Disclosure Document to prospective clients.§ 4.31
- Limits on sharing account number information for marketing purposes.§ 248.12
18 references not yet in our index
- 17 CFR 160
- Pub. L. 106-102
- 113 Stat. 1338
- 15 USC 6801-6809
- Pub. L. 106-554
- 114 Stat. 2763
- 17 CFR 248
- 12 CFR 40.3(b)
- 17 CFR 4
- 11 USC 761-766
- Pub. L. 104-121
- 110 Stat. 857
- 5 CFR 1320.11
- 7 USC 7g
- 40 CFR 81
- 40 CFR 50
- 40 CFR 81.326
- Pub. L. 104-113
Citation graph
cites case law
Rules and Regulations
Proposed rules
Cite17 CFR 160
Pub. L.Pub. L. 106-102
Stat.113 Stat. 1338
Cites 50 · showing 12Cited by 0 across 0 sources