Leer en español
Ler em português
Depending on which study you believe, and what industry you’re in, acquiring a new customer is anywhere from five to 25 times more expensive than retaining an existing one. It makes sense: you don’t have to spend time and resources going out and finding a new client — you just have to keep the one you have happy. If you’re not convinced that retaining customers is so valuable, consider research done by Frederick Reichheld of Bain & Company (the inventor of the net promoter score) that shows increasing customer retention rates by 5% increases profits by 25% to 95%.
The bottom line: keeping the right customers is valuable. One of the key metrics in understanding whether your company is retaining customers is customer churn rate. But what exactly is that? And how to do companies use it?
To better understand this key marketing concept, I talked with Jill Avery, a senior lecturer at Harvard Business School and an author of HBR’s Go To Market Tools.
What is customer churn rate?
“Customer churn rate is a metric that measures the percentage of customers who end their relationship with a company in a particular period,” says Avery. Typically the churn rate is measured by month, quarter, or year, depending on the industry and the product you’re selling. An annual rate is the default for most companies but any company that prices product on a monthly basis — think mobile phone service providers, gyms, and software as a service companies — looks at customer churn rate by month. Some other firms — those who have a faster churn rate or for whom losing customers is a big issue — will also look at it monthly.
Avery says that many executives prefer to monitor and report churn rate’s opposite: retention rate, or how many customers stay. Whether you prefer to look on the bright side or mourn your losses doesn’t matter — both figures look at the same thing. And Avery says she is seeing churn used more often these days.
It’s not just marketers who look at churn, however. Many investors will use the metric to evaluate the underlying health of a firm. The higher the churn rate, the more they question the company’s viability.
How do companies typically use it?
“If I’m interested in keeping customers, I’m interested in understanding how many leave and the underlying reasons why they are ending their relationship with me,” says Avery. Changes in a company’s churn rate could be a signal that something is working well (if the number goes down) or needs addressing (if the number goes up). The idea is that when you know that more customers or subscribers are cutting ties with your firm, you can work to adjust your marketing strategy or customer service approach. “Looking at churn rates by customer segment illuminates which types of customers are at risk and which may require an intervention. It’s a nice simple metric that tells us a lot about when and how to interact with customers,” says Avery.
Marketing managers will typically look at churn rate at a segment level — how many of our 18-25 year old customers left this month, for example. But sophisticated, data-rich firms are also starting to look at the number on an individual customer level. In fact, the rise of big data is making it possible for firms to act more expediently and precisely on churn rates. “I’ve seen a lot of firms use churn rate to not only understand what happened in the last period, but also to predict what’s going to happen in the next.”
Avery points to HubSpot, a Boston-based firm that provides “inbound marketing” software tools to small and medium-sized businesses to attract prospective customers to their websites, as one of the more “sophisticated churn managers”. The company’s software is available to customers through the cloud so it is able to track real-time customer usage of its tools and features. “Churn is really important to their profitability as a software-as-a-service business so the firm takes it seriously. When the economy crashed in 2008 and the company’s churn rate shot up, HubSpot delved deep into its churn data to see what it could find out about which customers were more likely to leave and when. Using that analysis, the firm targeted customers they suspected might cancel and offered services, like extra training on particular features, to convince them to stay. “They worked to eliminate road blocks to usage so that customers could unlock the value of the product,” says Avery.
How do you calculate it?
Since churn rate is simply the percent of customers who end their relationship with your company in a given period, calculating it is pretty straightforward. You take the total number of customers who left your company during that period divided by total customers at the beginning of the period. As you can see, this is a lagging indicator, meaning you can only look at what’s happened, which is one of the metric’s downsides.
What are common mistakes managers make when using it?
Avery says that there are four mistakes companies make when looking at their customer churn rate. The first is “taking churn rate as a given rather than as an opportunity,” she says. Jonah Lopin, HubSpot’s vice president of services, summed up this problem well in Avery’s HBS case on the company’s development of a Customer Happiness Index: “By the time you see an increase in your churn rate it is six or eight months after the point in time when you actually failed the customer. If churn is your only measure of customer happiness, then you’re always six months too late to influence your future.” HubSpot and many other firms have developed analytics and accompanying metrics to predict who is going to leave. “The most innovative firms are using churn rate analysis as an opportunity to get ahead of losing customers rather than just accept it,” says Avery.
The second mistake that companies make is to look at churn as simply a number or metric rather than as an indicator of behavior. The questions managers should be asking themselves are: What are we as a company doing to cause customer turnover? What are our customers doing that’s contributing to their leaving? How can we better manage our customer relationships to make sure it doesn’t happen? Dissecting what’s behind the number will help you determine what to do to change it.
Third, many marketers believe there is a magic number. “The truth is that what’s acceptable varies widely by business model and is largely dependent on how quickly and efficiently a company can acquire customers and how profitable customers are in the short and long term. Some business models thrive despite high churn rates and others rely on low,” says Avery. Instead of fixating on a certain number, the best managers look at what their churn was last year and ask themselves how they can do better. “It’s really a metric that shows how well you’re managing your customer relationships, and you can usually always improve your performance in that area.”
The final mistake is not seeing that often a high churn rate is the result of poor customer acquisition efforts. “Many firms are attracting the wrong kinds of customers. We see this in industries that promote price heavily up front. They attract deal seekers who then leave quickly when they find a better deal with another company,” she says. This was the problem many pointed out with Groupon’s business model. Those deals may have helped companies bring on new customers, but they were typically high-churning customers who didn’t stick around to make another purchase when a heavy discount wasn’t offered.
Before you assume you have a retention problem, consider whether you have an acquisition problem instead. “Think about the customers you want to serve up front and focus on acquiring the right customers. The goal is to bring in and keep customers who you can provide value to and who are valuable to you,” says Avery.
Start Preamble
Federal Trade Commission.
ACTION:
Final rule.
SUMMARY:
The Federal Trade Commission is amending its Privacy Rule to revise the rule's scope, to modify the rule's definitions of “financial institution” and “Federal functional regulator,” and to update the rule's annual customer privacy notice requirement. The amendments also remove certain examples in the rule that apply to financial institutions that now fall outside its scope. This action is necessary to conform the rule to the current requirements of the Gramm-Leach-Bliley Act (“GLBA”), as amended by the Dodd-Frank and FAST Acts, and the Commission's revisions to the Safeguards Rule, which are being announced simultaneously through a separate document published elsewhere in this issue of the Federal Register .
DATES:
The amendments are effective January 10, 2022.
Start Further InfoDavid Lincicum (202-326-2773), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
The GLBA was enacted in 1999.[1] The GLBA, among other things, requires that financial institutions provide their customers with initial and annual notices regarding their privacy practices, and allow their customers to opt out of sharing their information with certain nonaffiliated third parties.
Rulemaking authority to implement the GLBA's privacy provisions was initially spread among multiple agencies. The Federal Reserve Board (“the Fed”), the Office of Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of Thrift Supervision (“OTS”) jointly adopted final rules to implement the notice and opt-out requirements of the GLBA in 2000.[2] The Commission, the National Credit Union Administration (“NCUA”), the Securities and Exchange Commission (“SEC”), and the Commodity Futures Trading Commission (“CFTC”) were part of the same interagency process, but each issued their rules separately.[3] In 2009, all those agencies jointly adopted a model form financial institutions could use to provide the required initial and annual privacy disclosures.[4]
As originally promulgated, the FTC's Privacy Rule covered a broad range of non-bank financial institutions such as payday lenders, mortgage brokers, check cashers, debt collectors, real estate appraisers, certain motor vehicle dealers, and remittance transfer providers. In 2010, the Dodd-Frank Act [5] transferred the majority of GLBA's privacy rulemaking authority from the Fed, NCUA, OCC, OTS, FDIC, and the Commission (in part) to the Consumer Financial Protection Bureau (“CFPB”). The CFPB then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011 (“Regulation P”).[6] However, under section 1029 of the Dodd-Frank Act, the Commission retained rulemaking authority for certain motor vehicle dealers.[7] Thus, in 2012, the Commission announced it was retaining the implementing regulations governing privacy notices for motor vehicle dealers at 16 CFR part 313.[8]
Despite the transfer of general rulemaking authority for the Privacy Rule to the CFPB, the Commission and other agencies retain their existing enforcement authority under the GLBA.[9] In addition, the SEC and CFTC retain rulemaking authority with respect to securities and futures-related companies, respectively.[10] Accordingly, as part of this rulemaking process, the Commission has consulted and coordinated, or offered to consult, with those agencies that have rulemaking and/or enforcement authority under the GLBA, including the CFPB, SEC, CFTC, and the National Association of Insurance Commissioners (“NAIC”).[11]
On December 4, 2015, Congress amended the GLBA as part of the FAST Act. This amendment, titled Eliminate Privacy Notice Confusion,[12] added GLBA subsection 503(f). This subsection Start Printed Page 70021 provides an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers.
B. The Privacy Notice Requirements
As noted, the current Privacy Rule, as modified after Congress enacted the Dodd-Frank Act, requires motor vehicle dealers provide consumers with notices describing their privacy policies. Specifically, it requires covered entities to provide an initial notice of these policies,[13] and then “provide a clear and conspicuous notice to customers that accurately reflects [their] privacy policies and practices not less than annually during the continuation of the customer relationship.” [14]
The rule requires that initial and annual notices inform customers of their right to opt out of the sharing of nonpublic personal information with some types of nonaffiliated third parties.[15] For example, a customer has the right to opt out of allowing a motor vehicle dealer to sell her name and address to a nonaffiliated auto insurance company.[16] On the other hand, a motor vehicle dealer is not required to allow consumers to opt out of the dealer's sharing involving third-party service providers, joint marketing arrangements, maintenance and servicing of accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other specified activities.[17] Accordingly, if a motor vehicle dealer limits its sharing to uses that do not trigger opt-out rights, it may provide an annual privacy notice to its customers that does not include information regarding opt-out rights.
Motor vehicle dealers also may include in the annual privacy notice information about certain consumer opt-out rights related to affiliate sharing under the Fair Credit Reporting Act (“FCRA”). First, section 603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer's information among affiliates, but only if the consumer is notified of such sharing and is given an opportunity to opt out.[18] Section 503(c)(4) of the GLBA and the Privacy Rule generally require motor vehicle dealers to incorporate any notifications and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA into their initial and annual privacy notices.[19]
In addition, section 624 of the FCRA and the FTC's Affiliate Marketing Rule [20] provide that an affiliate of a motor vehicle dealer that receives certain information about a consumer from the dealer may not use that information for marketing purposes, unless the consumer is provided with an opportunity to opt out of that use.[21] This requirement governs the use of information by an affiliate, not the sharing of information among affiliates, and thus is distinct from the affiliate sharing opt-out discussed above. The Affiliate Marketing Rule permits (but does not require) motor vehicle dealers to incorporate any opt-out disclosures provided under section 624 of the FCRA and the Affiliate Marketing Rule into the initial and annual privacy notices required by the GLBA.[22]
Finally, § 313.6(a)(8) of the Privacy Rule requires the initial and annual notices briefly describe how motor vehicle dealers protect the nonpublic personal information they collect and maintain.[23]
II. Revision of the Privacy Rule
On April 4, 2019, the Commission issued a notice of proposed rulemaking [24] setting forth amendments to the Privacy Rule (the “Proposed Amendments”) proposing three types of changes to the Privacy Rule: (1) Technical changes to the rule to correspond to the reduced scope of the rule due to Dodd-Frank Act changes, which primarily consist of removing references that do not apply to motor vehicle dealers; (2) modifications to the annual privacy notice requirements to reflect the changes made to the GLBA by the FAST Act; and (3) a modification to the scope and definition of “financial institution” to include entities engaged in activities incidental to financial activities, which would bring the rule into accord with the CFPB's Regulation P. The Commission received four comments related to the proposed amendments, to which it responds below.[25]
A. Technical Changes To Correspond to Statutory Changes Resulting From the Dodd-Frank Act
(1) Section 313.1(b)
The proposed amendment to § 313.1(b) narrowed the description of the scope of the Privacy Rule to those entities set forth in the Dodd-Frank Act: [26] Those predominantly engaged in the sale and servicing of motor vehicles or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. It also removed the reference in the rule's scope to “other persons,” because the Commission no longer has rulemaking authority for the Privacy Rule over “other persons.” Finally, the Proposed Amendments eliminated from § 313.1(b) the note indicating (1) the Privacy Rule does not modify, limit, or supersede the standards under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and (2) if a financial institution that is an institution of higher education is in compliance with the Federal Educational Rights and Privacy Act (“FERPA”) and its implementing regulations, such institution shall be deemed in compliance with the Privacy Rule.
The Commission received two comments on these proposed changes. One commenter asked why the rule would not cover dealers that directly extend credit to consumers.[27] In response, the Commission notes the Dodd-Frank Act excludes these dealers from the Commission's rulemaking authority under the GLBA. The Commission continues to have enforcement authority over these dealers under Regulation P.
Another commenter, the National Association of Automobile Dealers Start Printed Page 70022 (“NADA”), supported eliminating the references to HIPAA and FERPA, agreeing that these provisions would not apply to automobile dealers.[28] Given that it received no other substantive comments, the Commission adopts the changes as proposed.
(2) Section 313.3
To help companies understand whether and how the rule applies to them, the current rule includes examples of financial institutions in § 313.3(k)(2), examples of consumers in § 313.3(e)(2), examples of what would constitute establishing a customer relationship in § 313.3(i)(2)(i), and examples of what is not a customer relationship in § 313.2(i)(2)(ii). The Proposed Amendments to § 313.3 removed examples not likely to apply in the context of motor vehicle dealers.
NADA was the only commenter who opined on this issue. It agreed the examples proposed for removal do not apply to motor vehicle dealers and supported their deletion. Accordingly, the final rule deletes these examples as proposed.
NADA advocated for removal or modification of additional terms or examples that it asserted would not apply in the motor vehicle context. The Commission declines to make the changes suggested by NADA, for the reasons described below.
a. Loans
NADA argued the examples in the final rule should not include the word “loans” because motor vehicle dealers “do not generally issue `loans,'” but instead provide financing assistance or enter into retail installment sale contracts or leases. NADA suggested the term “loan” be replaced with “financing,” or “finance or lease contract.” [29] The Commission declines to modify existing examples in this manner. It believes the Privacy Rule should be substantively identical to Regulation P so financial institutions within the Commission's enforcement authority are subject to the same requirements, regardless of whether they are subject to Regulation P or the Privacy Rule. Although the Commission recognizes some examples it has retained may not apply well to the motor vehicle context,[30] changing the language of an example, as opposed to completely removing it, could be read as a change to the substance of the rule. Accordingly, the Commission declines to change an existing term in the final rule.[31]
b. Examples of Continuing Relationships
NADA suggested removing the term “investment accounts” from the example of a continuing relationship § 313.3(i)(2)(i)(A), as such accounts are not offered by motor vehicle dealers. As discussed above, however, the Commission declines to modify existing examples and does not adopt this change in the final rule. NADA also took issue with § 313.3(i)(2)(i)(D), which states a consumer has a continuing relationship with a financial institution when the consumer enters into an “agreement or understanding” with the financial institution in which the financial institution undertakes “to arrange credit to purchase a vehicle for the consumer.” NADA noted when motor vehicle dealers arrange credit for a consumer, they then assign that agreement to a third party and do not continue the relationship with the consumer.
Although motor vehicle dealers may transfer the credit agreement to another financial institution, a continuing relationship is formed by the agreement and persists for as long as the motor vehicle dealer retains the agreement. The continuing relationship between the motor vehicle dealer and the consumer will end upon the transfer of the agreement, but until that transfer occurs, the consumer is the motor vehicle dealer's customer for purposes of the Privacy Rule. Accordingly, the Commission declines to remove this example from the final rule.
NADA also argued the term “understanding” in paragraph (i)(2)(i)(D) is confusing because it is not clear what an “understanding” would mean in this context, and motor vehicle dealers do not enter into informal relationships to arrange credit for consumers. The Commission believes, however, while informal understandings may be unusual for motor vehicle dealers, it is possible some dealers may engage in such practices and the example should continue to make clear that such arrangements create continuing relationships. In addition, as discussed above, the Commission declines to change the language of examples retained in the final rule.
c. Examples of No Continuing Relationships
NADA argued the example in § 313.3(i)(2)(ii)(A) does not apply to motor vehicle dealers. This example states no continuing relationship is created when a “consumer obtains a financial product or service from [the financial institution] only in isolated transactions, such as cashing a check with [the financial institution] or making a wire transfer through” the financial institution. NADA argued motor vehicle dealers generally do not engage in these activities, and while “it is theoretically possible that a dealer somewhere may offer, under unique circumstances, to cash a check for a customer, [NADA] is not aware of that service being offered by dealers and the possibility is attenuated at best.” [32] The Commission does not agree that this example should be removed. Although check cashing and wire transfer transactions may be unlikely at motor vehicle dealerships, these are helpful examples of the types of isolated transactions that do not create an ongoing relationship and, even for motor vehicle dealers that do not engage in these particular activities, they illustrate the principle well. The final rule retains this example.
NADA also questioned the inclusion of § 313.3(i)(2)(ii)(C), which states a continuing relationship is not created when a “consumer obtains one-time personal appraisal services from” the financial institution. NADA asked whether this would apply when a motor vehicle dealer appraises a consumer's used vehicle for trade-in value. The Commission believes that is precisely the type of appraisal suggested by the example. NADA also questioned how “such appraisal activity by a dealer could, as an initial matter be deemed to create a Customer relationship.” [33] The Commission believes, however, negative examples are useful to clarify the definition and, therefore, the final rule retains this example.
Start Printed Page 70023B. Modifications to the Annual Privacy Notice To Reflect Statutory Changes Resulting From the FAST Act
The Commission also proposed changing the Privacy Rule provisions governing how motor vehicle dealers should deliver annual privacy notices.
Section 313.5(e)
The proposed change to § 313.5(a)(1) added a statement that § 313.5(e) provides an exception to the general rule requiring the delivery of annual notices. Section 313.5(e) in turn sets forth the exception, which was taken from the FAST Act, and adopted by the CFPB in its amendments to Regulation P.[34] It stated the annual notice need not be provided if (1) the financial institution has shared nonpublic personal information only in accordance with the provisions of §§ 313.13, 313.14, and 313.15, none of which require an opt-out opportunity be provided to customers; and (2) the financial institution's disclosure policies and practices remain unchanged from the most recent privacy notice.
Proposed § 313.5(e)(2) set forth the timing for resuming delivery of the annual notice if a financial institution no longer met requirements for the exception.
The Commission received no comments on the substance of this paragraph and adopts it without modification.[35]
C. Modifications to Scope and Definitions To Bring the Rule Into Accord With Regulation P
The Proposed Amendments changed the scope of the Privacy Rule and its definition of a “financial institution” in order to bring the Commission's rule into accord with Regulation P. As explained in the NPRM, when first promulgating the Privacy Rule, the Commission determined companies engaged in activities “incidental to financial activities” would not be considered “financial institutions.” [36] The Commission was the only agency to adopt this restrictive definition in its Privacy Rule, while the other agencies included incidental activities. In addition, the Commission decided activities determined to be financial in nature after the enactment of the GLBA would not be automatically included in its Privacy Rule; rather, the Commission would have to take additional action to include them.[37] The effect of these two decisions was to limit the activities covered by the Commission's rules to those set out in 12 CFR 225.28 as it existed in 1999, and to exclude any activities later determined by the Fed to be financial activities or incidental to those activities.[38]
The Commission proposed modifying the definition of “financial institution” to harmonize the Privacy Rule with other agencies' rules. The Commission proposed to amend § 313.1(b) to include companies that engage in activities financial in nature or incidental to such financial activities in the scope of the rule. Likewise, it proposed amending the definition of “financial institution” in § 313.3(k), to include any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities. The effect of this proposed amendment would be to cause “finders” to be included in this definition, thereby bringing the Privacy Rule into harmony with the scope of entities covered by other agencies under Regulation P.
The Commission received only two comments that addressed this proposed change in the Privacy Rule.[39] NADA asked whether the proposed rule would apply to finders acting for a motor vehicle dealer.[40] As discussed above, the Commission's Privacy Rule applies only to motor vehicle dealers and so would apply only to finders that are also motor vehicle dealers. If a finder is not itself a motor vehicle dealer then the rule does not apply, even if the finder is acting to connect motor vehicle dealers with potential customers. Given that this scenario is unlikely, modifying the definition of “financial institution” for purposes of the Privacy Rule has little practical effect. Nevertheless, the Commission is modifying the definition for purposes of consistency with Regulation P and the Safeguards Rule.
An individual consumer asked how often an entity must engage in an incidental activity to be considered a financial institution.[41] As with other financial activities under the existing rule, an entity is a financial institution only if it is “significantly engaged” in the incidental activities.
The Commission adopts the proposed amendment without change.
Section 313.15(a)(4)
Finally, the Commission proposed to amend § 313.15(a)(4) to add the CFPB to the list of law enforcement agencies to which financial institutions are permitted to share information to the extent permitted by law. The Commission received no comments on this change and adopts it as proposed.
Section 313.18
Section 313.18 set forth the effective date for the rule and prescribed requirements for institutions' compliance with the rule as to customers who were already customers at the time the rule was first promulgated. The relevant dates have long since passed. Section 313.18(a)(2) also provided an exception, stating this “part is not effective as to any institution that is significantly engaged in activities that the Federal Reserve Board determines, after November 12, 1999 . . . are activities that a financial holding company may engage in, until the Commission so determines.” As discussed above, the Commission has determined herein that this rule applies to financial institutions that engage in activities financial in nature or incidental to such financial activities, including entities significantly engaged in activities the Federal Reserve Board has determined, after November 12, 1999, are activities a financial holding company may engage in. Accordingly, the final rule removes § 313.18 in its entirety.
III. Paperwork Reduction Act
Under the Paperwork Reduction Act of 1995 (“PRA”),[42] Federal agencies are generally required to seek Office of Management and Budget (“OMB”) approval for information collection requirements prior to implementation. Under the PRA, the Commission may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB.
This amendment modifies 16 CFR part 313. The collections of information related to the Privacy Rule and the Start Printed Page 70024 FAST Act statutory exceptions to the rule's annual notice requirement have been previously reviewed and approved by OMB in accordance with the PRA.[43]
Under the existing clearance, the FTC has attributed to itself the estimated burden regarding all motor vehicle dealers and shares equally the remaining estimated PRA burden with the CFPB for other types of financial institutions for which both agencies have enforcement authority regarding the GLBA Privacy Rule.[44]
The amendments do not modify or add to information collection requirements previously approved by OMB. First, the Commission anticipates the expansion of the definition of “financial institution” to include entities engaged in activities incidental to financial activities will have little to no effect. It is not clear any finders that are also motor vehicle dealers are not already covered by the rule through their activities as motor vehicle dealers.
Second, the removal of certain examples provided in the rule that are not applicable to motor vehicle dealers will have no impact on existing information collection requirements.
Therefore, the Commission does not believe the amendments substantially or materially modify any “collections of information” as defined by the PRA.
The Commission sought comment on whether there are any finders in existence that would be covered by the proposed rule and are not covered by the current rule. The Commission received no comments that suggested such entities exist.
IV. Regulatory Flexibility Act
The Regulatory Flexibility Act (“RFA”), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires an agency to either provide an Initial Regulatory Flexibility Analysis (“IRFA”) with a proposed rule, or certify that the proposed rule will not have a significant impact on a substantial number of small entities.[45] The Commission does not believe this amendment to the Privacy Rule has the threshold impact on small entities. First, most of the changes effectuate statutory changes from the Dodd-Frank Act and the FAST Act. Second, the Commission does not expect the amendment to impose costs on small motor vehicle dealers because the amendments are primarily for clarification purposes and should not result in any increased burden on any motor vehicle dealer. Thus, a small entity that complies with current law need not take any different or additional action under the final rule.
Accordingly, the Commission believes the rule will not have a significant economic impact on small entities. The final rule would add requirements only to motor vehicle dealers that function as finders and do not already engage in other financial activities that would cause them to be financial institutions under the rule. The Commission has not identified any such entities. Therefore, the Commission certifies the rule will not have a significant economic impact on a substantial number of small businesses.
In this document, the Commission adopts the amendments proposed in its NPRM with only minimal modifications. In its Initial Regulatory Flexibility Analysis (“IRFA”), the Commission determined the proposed rule would not have a significant impact on small entities because there were no small businesses that were being subjected to new burdens as a result of the amendments. Although the Commission certifies under the RFA that the rule will not have a significant impact on a substantial number of small entities, and hereby provides notice of that certification to the Small Business Administration, the Commission nonetheless has determined publishing a final regulatory flexibility analysis (“FRFA”) is appropriate to ensure the impact of the rule is fully addressed. Therefore, the Commission has prepared the following analysis:
1. Need for and Objectives of the Final Rule
To address the Dodd-Frank Act and FAST Act changes the amendments change the Privacy Rule's scope and definition of “financial institution”; change the annual notice requirement; and remove certain examples provided in the rule that are not applicable to motor vehicle dealers. With this action, the Commission makes the current, narrow scope of the rule clearer. Additionally, the modification of the definition of “financial institution” to cover motor vehicle dealers engaged in “activities incidental to financial activities” harmonizes the Privacy Rule with other agencies' rules.
2. Significant Issues Raised in Public Comments in Response to the IRFA
The Commission did not receive any comments that addressed the burden on small entities. In addition, the Commission did not receive any comments filed by the Chief Counsel for Advocacy of the Small Business Administration (“SBA”).
3. Estimate of Number of Small Entities To Which the Final Rule Will Apply
The Commission anticipates many covered motor vehicle dealers may qualify as small businesses according to the applicable SBA size standards.[46] As explained in the IRFA, however, determining a precise estimate of the number of small entities—including newly covered entities under the modified definition of financial institution—is not readily feasible. No commenters addressed this issue. Nonetheless, as discussed above, these amendments will not add any additional burdens on any covered small businesses.
4. Projected Reporting, Recordkeeping, and Other Compliance Requirements
The amendments do not impose any new or substantively revised “collections of information,” as defined by the PRA.
5. Description of Steps Taken To Minimize Significant Economic Impact, if Any, on Small Entities, Including Alternatives
The Commission did not propose any specific small entity exemption or other significant alternatives because the amendment is not expected to increase reporting requirements and will not impose any new requirements or compliance costs. The Commission anticipates the amendments will reduce the burden for many covered entities associated with the Privacy Rule annual notice. The amendments retain the flexibility already present in the existing rule, which allows notices to be provided in a variety of ways, including electronically in some circumstances. As to the core requirements of the rule, they come from GLBA itself, as amended by the Dodd-Frank and the FAST Act. The statute prescribes the definition of financial institutions to be covered by the rule and sets forth the specific requirements, which the Commission cannot modify to ease burdens on small entities. Therefore, the Commission does not believe any Start Printed Page 70025 alternatives for small entities are required or appropriate.
V. Other Matters
Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq. ), the Office of Information and Regulatory Affairs designated this rule as not a “major rule,” as defined by 5 U.S.C. 804(2).
Start List of SubjectsList of Subjects in 16 CFR Part 313
End List of SubjectsFor the reasons stated above, the Federal Trade Commission amends 16 CFR part 313 as follows:
Start PartPART 313—PRIVACY OF CONSUMER FINANCIAL INFORMATION
End Part Start Amendment Part1. The authority citation for part 313 is revised to read as follows:
End Amendment Part Start Authority15 U.S.C. 6801 et seq., 12 U.S.C. 5519.
End Authority Start Amendment Part2. Amend § 313.1 by revising paragraph (b) to read as follows:
End Amendment Part
Purpose and scope.
* * * * *
(b) Scope. This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to those “financial institutions” over which the Federal Trade Commission (“Commission”) has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a “financial institution” if its business is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which incorporates activities enumerated by the Federal Reserve Board in 12 CFR 225.28 and 225.86. The “financial institutions” subject to the Commission's rulemaking authority are any persons described in 12 U.S.C. 5519 that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. They are referred to in this part as “You.” Excluded from the coverage of this part are motor vehicle dealers described in 12 U.S.C. 5519(b) that directly extend to consumers retail credit or retail leases involving motor vehicles in which the contract governing such extension of retail credit or retail leases is not routinely assigned to an unaffiliated third party finance or leasing source.
Start Amendment Part3. Amend § 313.3 by revising paragraphs (e), (i), (j), (k), and (q) to read as follows:
Definitions.
* * * * *
(e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.
(2) For example:
(i) An individual who applies to you for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended.
(ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.
(iii) If you hold ownership or servicing rights to an individual's loan that is used primarily for personal, family, or household purposes, the individual is your consumer, even if you hold those rights in conjunction with one or more other institutions. (The individual is also a consumer with respect to the other financial institutions involved.) An individual who has a loan in which you have ownership or servicing rights is your consumer, even if you, or another institution with those rights, hire an agent to collect on the loan.
(iv) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.
(v) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.
* * * * *
(i)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
(2) For example:
(i) Continuing relationship. A consumer has a continuing relationship with you if the consumer:
(A) Has a credit or investment account with you;
(B) Obtains a loan from you;
(C) Purchases an insurance product from you;
(D) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan, or credit to purchase a vehicle, for the consumer;
(E) Enters into a lease of personal property on a non-operating basis with you; or
(F) Has a loan for which you own the servicing rights.
(ii) No continuing relationship. A consumer does not, however, have a continuing relationship with you if:
(A) The consumer obtains a financial product or service from you only in isolated transactions, such as cashing a check with you or making a wire transfer through you;
(B) You sell the consumer's loan and do not retain the rights to service that loan; or
(C) The consumer obtains one-time personal appraisal services from you.
(j) Federal functional regulator means:
(1) The Board of Governors of the Federal Reserve System;
(2) The Office of the Comptroller of the Currency;
(3) The Board of Directors of the Federal Deposit Insurance Corporation;
(4) The National Credit Union Administration Board; and
(5) The Securities and Exchange Commission.
(k)(1) Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.
(2) An example of a financial institution is an automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
(3) Financial institution does not include entities that engage in financial activities but that are not significantly engaged in those financial activities.
(4) An example of entities that are not significantly engaged in financial Start Printed Page 70026 activities is a motor vehicle dealer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.
* * * * *
(q) You includes each “financial institution” over which the Commission has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).
Start Amendment Part4. Amend § 313.4 by adding a heading for paragraph (c)(3) and revising paragraphs (c)(3)(i) and (e) to read as follows:
End Amendment Part
Initial privacy notice to consumers required.
* * * * *
(c) * * *
(3) Examples —(i) Examples of establishing a customer relationship. You establish a customer relationship when the consumer:
(A) Executes the contract to obtain credit from you or purchase insurance from you; or
(B) Executes the lease for personal property with you.
* * * * *
(e) Exceptions to allow subsequent delivery of notice —(1) General. You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if:
(i) Establishing the customer relationship is not at the customer's election; or
(ii) Providing notice not later than when you establish a customer relationship would substantially delay the customer's transaction and customer agrees to receive the notice at a later time.
(2) Examples of exceptions —(i) Substantial delay of customer's transaction. Providing notice not later than when you establish a customer relationship would substantially delay the customer's transaction when you and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service.
(ii) No substantial delay of customer's transaction. Providing notice not later than when you establish a customer relationship would not substantially delay the customer's transaction when the relationship is initiated in person at your office or through other means by which the customer may view the notice, such as through a website.
* * * * *
Start Amendment Part5. Amend § 313.5 by adding a heading for paragraph (a), revising paragraphs (a)(1) and (b)(2), and adding paragraph (e) to read as follows:
End Amendment Part
Annual privacy notice to customers required.
(a) In general —(1) General rule. Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.
* * * * *
(b) * * *
(2) Examples. Your customer becomes a former customer when:
(i) In the case of a closed-end loan, the customer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights.
(ii) In the case of mortgage or vehicle loan brokering services, your customer has obtained a loan through you (and you no longer provide any statements or notices to the customer concerning that relationship), or has ceased using your services for such purposes.
(iii) In cases where there is no definitive time at which the customer relationship has terminated, you have not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material.
* * * * *
(e) Exception to annual privacy notice requirement —(1) When exception available. You are not required to deliver an annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 313.13, § 313.14, or § 313.15; and
(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 313.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.
(2) Delivery of annual privacy notice after financial institution no longer meets requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.
(i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirement in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.
(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirement of paragraph (e)(1).
(iii) Examples. (A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1. Assuming you define the 12-consecutive-month period pursuant to paragraph (a) of this section as a calendar year, if you were required to provide a revised privacy notice under § 313.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under § 313.8, you must provide an annual privacy notice by July 9 of year 1.
(B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notice to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section.
Start Amendment Part6. Amend § 313.15 by revising paragraph (a)(4) to read as follows:
End Amendment Part
Other exceptions to notice and opt out requirements.
(a) * * *
(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq. ), to law Start Printed Page 70027 enforcement agencies (including the Consumer Financial Protection Bureau, a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority's State that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;
* * * * *
Start Amendment Part7. Remove § 313.18.
End Amendment Part Start Signature
By direction of the Commission.
April J. Tabor,
Acting Secretary.
End Signature End Supplemental Information
[FR Doc. 2021-25735 Filed 12-8-21; 8:45 am]
BILLING CODE 6750-01-P