Privacy Act Implementation Rules

AGENCY:

Bureau of Consumer Financial Protection.

ACTION:

Final rule.

SUMMARY:

The Bureau of Consumer Financial Protection (Bureau or CFPB) makes limited revisions to its regulations that establish the procedures used by the public to obtain records from the Bureau under the Privacy Act of 1974 (Privacy Act). The revisions will change the definition of “Chief Privacy Officer” in order to align the Chief Privacy Officer's authorities and responsibilities identified in the regulation to those of the Bureau's designated Senior Agency Official for Privacy. The revisions will also facilitate electronic or remote identity proofing and authentication by creating an additional method for a requester to verify their identity when submitting a Privacy Act request to the Bureau.

DATES:

This rule is effective September 1, 2021.

FOR FURTHER INFORMATION CONTACT:

David Snyder, Senior Counsel, Legal Division, 202-435-7758. If you require this document in an alternative electronic format, please contact CFPB_Accessibility@cfpb.gov.

SUPPLEMENTARY INFORMATION:

I. Background

The Bureau first published its Privacy Act implementation rules, located in subpart E of part 1070, in an interim final rule in July 2011. See 76 FR 45371 (July 28, 2011). This was followed by a final rule in February 2013. See 78 FR 11483 (Feb. 15, 2013). The Bureau subsequently proposed revisions to its rules in a notice of proposed rulemaking in August 2016, followed by a final rule that adopted these revisions in September 2018. See 81 FR 58310 (Aug. 24, 2016); 83 FR 46075 (Sept. 12, 2018). The Bureau now makes limited revisions to its Privacy Act implementation rules in order to (1) align the authorities and responsibilities of the “Chief Privacy Officer” identified in the rules with the authorities and responsibilities of the Bureau's Senior Agency Official for Privacy; and (2) facilitate electronic or remote identity proofing and authentication in accordance with the Creating Advanced Streamlined Electronic Services for Constituents (CASES) Act of 2019, Public Law 116-50, 133 Stat. 1073 (2019), and the Office of Management and Budget's implementing guidance, M-21-04, “Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act” (Nov. 12, 2020).

II. Summary of the Rule

The Bureau makes two revisions to subpart E of part 1070, which establishes the Bureau's rule implementing the Privacy Act. First, the Bureau revises the definition of “Chief Privacy Officer” to align the authorities and responsibilities in the regulation to those of its designated Senior Agency Official for Privacy. Second, to facilitate electronic or remote identity proofing and authentication, the Bureau adds an additional method for a requester to verify their identity when submitting a Privacy Act request to the Bureau.

III. Legal Authority

The Bureau is issuing this rule pursuant to its authority under title X of the Dodd-Frank Act, 12 U.S.C. 5481 et seq., and the Privacy Act of 1974, 5 U.S.C. 552a.

IV. Section-by-Section Analysis of the Proposed Rule

Part 1070—Disclosure of Records and Information

Subpart E—The Privacy Act

Section 1070.50 Purpose and Scope; Definitions

Subparagraph 1070.50(b)(1) defines the term “Chief Privacy Officer,” whose authorities and responsibilities are established in subpart E. The Bureau revises the definition to mean “the Senior Agency Official for Privacy of the CFPB or any CFPB employee to whom the Senior Agency Official for Privacy has delegated authority to act under this part.”

The Bureau originally defined the term to mean “the Chief Information Officer of the CFPB” or their delegee in order to reflect the agency's earlier organizational structure, in which the Bureau's Chief Information Officer oversaw its Privacy Program. The Bureau has since reorganized its Operations Division and located its Privacy Program under the oversight of its Chief Data Officer. The Chief Data Officer has been designated the Bureau's Senior Agency Official for Privacy in accordance with Office of Management and Budget, M-16-24, “Role and Designation of Senior Agency Officials for Privacy” (Sept. 15, 2016).

The Bureau revises the definition to reflect its reorganization and align the privacy-related authorities and responsibilities assigned to the Chief Privacy Officer in subpart E with the authorities and responsibilities of its Senior Agency Official for Privacy. The Bureau defines the term to mean “Senior Agency Official for Privacy” instead of “Chief Data Officer” (currently the same Bureau official) to ensure that subpart E remains aligned with the Bureau Privacy Program's structure in the event of any future reorganizations or re-designations of the Senior Agency Official for Privacy.

Section 1070.53 Request for Access to Records

Section 1070.53(c) Verification of Identity

Section 1070.53(c) requires that members of the public provide proof of their identity in order to obtain access to Bureau records pursuant to the Privacy Act. Paragraph 1070.53(c)(1), in turn, provides three methods that will be considered adequate proof of a requester's identity. The Bureau adds an additional method of identity verification, permitting verification via successful completion of a third-party's identity verification process, designated by the Bureau, where that process meets the requirements of Identity Assurance Level 2 (IAL2) as described by the National Institute of Standards and Technology.

The Bureau makes this revision in order to facilitate electronic or remote identity proofing and authentication in accordance with the CASES Act of 2019, Public Law 116-50, 133 Stat. 1073 (2019), and the Office of Management and Budget's implementing guidance, M-21-04, “Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act” (Nov. 12, 2020). The Bureau intends to use a third-party identify verification process, available via login.gov, to facilitate electronic identity verification; successful completion of that process will be sufficient for verifying a requester's identity pursuant to paragraph 1070.53(c)(1). The Bureau proposes to use generic language in the regulation's description of this process in order to retain flexibility to use other identity-verification products in the future as needed. Only a third-party identity verification process that is designated by the Bureau will be deemed a sufficient method of identity verification for purposes of paragraph 1070.53(c)(1).

V. Procedural Requirements

No notice of proposed rulemaking is required under the Administrative Procedure Act (APA) because this rule relates solely to agency procedure and practice. 5 U.S.C. 553(b). Because no notice of proposed rulemaking is required, the Regulatory Flexibility Act does not require an initial or final regulatory flexibility analysis. 5 U.S.C. 603, 604.

Finally, the Bureau has determined that this rule does not impose any new recordkeeping, reporting, or third-party disclosure requirements on members of the public that would be collections of information requiring approval under the Paperwork Reduction Act, 44 U.S.C. 3501 et seq.

VI. Signing Authority

The Acting Director of the Bureau, David Uejio, having reviewed and approved this document, is delegating the authority to electronically sign this document to Laura Galban, a Bureau Federal Register Liaison, for purposes of publication in the Federal Register.

List of Subjects in 12 CFR Part 1070

• Confidential business information; Consumer protection; Freedom of information; Privacy

Authority and Issuance

For the reasons set forth in the preamble, the Bureau amends 12 CFR part 1070 to read as follows:

PART 1070—DISCLOSURE OF RECORDS AND INFORMATION

1. The authority citation continues to read as follows:

Authority: 12 U.S.C. 5481 et seq.; 5 U.S.C. 552; 5 U.S.C. 552a; 18 U.S.C. 1905; 18 U.S.C. 641; 44 U.S.C. ch. 31; 44 U.S.C. ch. 35; 12 U.S.C. 3401 et seq.

Subpart E—Privacy Act

2. Revise § 1070.50(b)(1) to read as follows:

3. Revise § 1070.53(c) to read as follows: