Federal Register - February 23, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 34 / Tuesday, February 23, 2021 / Rules and Regulations
parent company to become a BHC subject to regulation and supervision by the FRB.
However, it is important to note that each institution or company described in the comments was engaged in activities permissible for all Federal and State banks, BHCs, or financial holding companies, as evidenced by the ability to gain approval for the conversions to commercial banks and BHCs. Further, the types and degree of stress were also experienced by many other insured depository institutions and banking companies, some of which also sought participation in TLGP and/or TARP, failed, or pursued transactions to restructure the organization, merge, or raise capital to alleviate stress or avert failure. As such, the circumstances involving the companies highlighted in the comments were not dissimilar to those facing other banking companies, including companies subject to Federal consolidated supervision.
3. Consumer Protection Risks
Commenters opposed to the proposed rule also argued that the growth in industrial banks poses broader consumer protection risks. They asserted that the parent companies of industrial banks are not subject to Federal financial privacy and information security requirements and the absence of these requirements creates risk for customers of the industrial banks, whether or not they also obtain products and services from the parent companies or nonfinancial affiliates. BHCs and SLHCs are limited in their use of consumer financial data for commercial purposes. These commenters asserted that industrial bank parent companies should be subject to the same restrictions.
While there is no general Federal regime covering how nonpublic personal information held in the U.S. may be disclosed or how it must be secured, financial institutions, including industrial banks, are subject to Title V of the GLBA.77 The GLBA and its implementing regulations, cited by some commenters, impose a range of privacy obligations on financial institutions, including industrial banks, that exceed those imposed on most other business types. Specifically, the GLBA and implementing rules (1) impose limitations on information sharing between financial institutions and nonaffiliated third parties and require disclosure of information sharing policies and practices to consumers and customers, and (2) require financial institutions to develop, implement, and maintain comprehensive information security programs.78
However, businesses that are not subject to the GLBA are not free from all privacy and data protection requirements. There are other Federal laws that address privacy and data protection that may apply to a Covered Company and its affiliates as well as financial institutions. As one example, the Fair Credit Reporting Act (FCRA) establishes standards for collection and permissible purposes for dissemination of data by consumer reporting agencies and obligations on furnishers of information. As another example, section 5 of the Federal Trade Commission Act (FTC Act) provides broad authority to the FTC to pursue unfair and deceptive trade acts and practices against most businesses arising from privacy and data protection practices.79 Further, the Dodd-Frank Act granted the Consumer Financial Protection Bureau (CFPB) broad authority to enforce unfair, deceptive, and abusive acts and practices related to consumer financial products and services that may cover the activities of a Covered Company and its affiliates.80
Adding to the complexity at the Federal level, States have enacted laws governing the collection, use, protection, and disclosure of personal information. Many States have consumer protection and privacy laws as well as laws similar to the FTC Act that prohibit unfair or deceptive business practices.81
77 Subtitle A of Title V of the GLBA, captioned "Disclosure of Nonpublic Personal Information," limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a financial institution to disclose certain information sharing practices. Nonpublic personal information is defined to mean any personally identifiable financial information that is provided by the consumer to the financial institution; results from any transaction with the consumer or service performed for the consumer; or is otherwise obtained by the financial institution, but which is not publicly available information. See 15 U.S.C. 6801-09.
78 See, e.g., 12 CFR part 332, Privacy of Consumer Financial Information.
79 The FTC is empowered to seek injunctive relief and voluntary consent decrees that can result in FTC oversight of a company for a period of up to 20 years and may carry financial penalties for future violations. The Federal banking agencies enforce section 5 as to financial institutions under their supervision.
80 The CFPB has been active in the privacy area and recently issued an advanced notice of proposed rulemaking (ANPR) seeking input on the financial records access right granted by section 1033 of the Dodd-Frank Act pertaining to consumer information in the control or possession of consumer financial services providers. 85 FR 71003 (Nov. 6, 2020).
81 For example, the California Consumer Privacy Act of 2018 serves as an omnibus law governing privacy rights. It was recently amended and expanded by the California Privacy Rights Act. 2020 Cal. Legis. Serv. Prop. 24 (2020). The Massachusetts Data Security Regulation includes State-level general data protection security requirements. 201 Mass. Code Regs. 17.00 et seq. The Act to Protect the Privacy of Online Consumer Information enacted by the Maine legislature is another example of a State law governing the privacy of consumer information. 35A M.R.S. section 9301. These examples underscore the fact that although a uniform Federal law has not been enacted, privacy is increasingly in the forefront of the public and legislators alike.
In the absence of a single, comprehensive Federal law regulating privacy and the collection, use, processing, disclosure, security, and disposal of personal information, the FDIC will continue to supervise and examine industrial banks and enforce compliance with the GLBA and all other Federal consumer protection laws and regulations. In addition, and in response to the concerns expressed by commenters that a Covered Company and affiliates that are not engaged in financial services would not be covered by the GLBA, the FDIC is including in the final rule a requirement for a Covered Company to inform the FDIC about its systems for protecting the security, confidentiality, and integrity of consumer and nonpublic personal information, as part of the Covered Company's commitment to submit an annual report to the FDIC. This reporting will provide the FDIC with a better understanding across all of a Covered Company's financial and nonfinancial affiliates and activities and provide the means to monitor for potential consumer protection risks.
The FDIC will evaluate privacy and data protection issues presented by a deposit insurance application, a change in control notice, or a merger application involving an industrial bank on a case-by-case basis. When appropriate, the FDIC may consider imposing heightened requirements specific to industrial banks and Covered Companies regarding the use of consumer financial data for commercial purposes. Decisions will be based on the size and complexity of the industrial bank, the nature and scope of its activities, the sensitivity of any customer information at issue, and the unique facts and circumstances of the filing before the FDIC.
Certain commenters expressed concerns about industrial bank and nonbank partnerships that the commenters believe have led to increased predatory lending.82 A major
82 The concern appears to arise from perceived abuses of longstanding statutory authority rather than the proposed rule. Congress enacted section 27 of the FDI Act, 12 U.S.C. 1831d, in 1980, permitting State banks to charge interest at the rate permitted by the law of the State where the bank is located,