News Release 2000-5 | February 3, 2000

OCC Proposes Rules to Implement Gramm-Leach-Bliley Act Privacy Provisions

WASHINGTON — The Office of the Comptroller of the Currency is seeking comments on a proposed rule to implement the privacy provisions of the Gramm-Leach-Bliley Act.

The proposal was developed by an interagency working group that included the OCC, the Federal Reserve Board, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, the Federal Trade Commission, and the Securities and Exchange Commission. Similar rules are being proposed by those agencies.

"Our goal is to ensure that the final rule protects the interests of consumers, both by assuring that their personal information is safeguarded and by giving financial institutions the flexibility to serve the needs of their customers," said Comptroller of the Currency John D. Hawke, Jr.

The new financial modernization law requires banks to notify consumers about their privacy policies and to give them an opportunity to "opt-out," or prevent the bank from sharing "nonpublic personal information" about them with nonaffiliated third parties.

The proposal seeks comment on two alternate definitions of "nonpublic personal information," which differ on the treatment of information that is available both from public sources and from a national bank's files.

The first treats as nonpublic personal information any information provided by a consumer in order to obtain a product or service, or which is obtained as a result of a transaction with a bank involving a financial product or service. The information would be classified as nonpublic personal information, even if it is also available from a public source.

The second proposed definition is similar, but would exclude any information that is publicly available, regardless of whether the information was obtained from a transaction with the bank.

Both alternatives protect personally identifiable financial information, as well as lists, descriptions or other groupings of consumers that are derived using personally identifiable financial information. For example, if a bank prepares a customer list, both definitions would cover all the information on the list because the list and information would be derived using the fact that the individuals listed have accounts with the bank.

The proposed regulation requires national banks to disclose their privacy policies to consumers before they are contractually obligated for a product or service. As a result, consumers would have the opportunity to evaluate the bank's privacy policy before making a final decision to become a customer. The approach also minimizes burden on national banks by allowing them to make privacy disclosures at the same time they make other disclosures required under consumer protection laws.

The proposal also requires banks to provide a convenient means for a consumer to opt out of the sharing of their information with unaffiliated third parties. The proposal provides examples of convenient means of opting out, such as the bank providing self-addressed, stamped envelopes or giving consumers the ability to opt out on the institution's website. The proposed regulation allows customers to opt out at any time.

The proposed rule also requires that notices be provided in a way that recipients can reasonably expect to receive them. For example, a bank can reasonably expect that a consumer will receive its privacy notice if it is hand-delivered or mailed to the individual's last-known address. For consumers who conduct transactions electronically, national banks can employ a system that requires the individual to acknowledge receipt of the notice as a necessary step to receiving the service.

The rule describes what disclosures must be included in a privacy notice. Among the items that must be included are categories of non-public information collected; categories of nonpublic information disclosed; categories of third parties to whom the information is disclosed; information disclosed to service providers and joint marketers; a description of the consumer's opt-out right; and a description of the institution's practices for maintaining the confidentiality and security of customer data.

Comments on the proposal, which is available on the OCC's Internet site at, must be received by March 31, 2000.

Media Contact

Robert M. Garsson
(202) 874-5770