RSK.IQ Question of the Week 4/2/18

Regulation P and Annual Privacy Notice

Issue/Inquiry

The Bank’s understanding is that there is no longer a requirement to send an annual privacy notice if the Bank has not made any changes to its privacy policy or does not share information, as well as if such notice is available on the Bank’s website. The Bank also understands that even though the law has changed to this effect, there are no final rules issued by the banking regulatory agencies implementing such. Is the Bank’s understanding correct? The Bank includes a message in periodic statements indicating that the privacy notice is available on the Bank’s website. Is the message on the periodic statement still required?

Response Summary

The FAST Act amendment to the GLBA provides an exception to the annual privacy notice requirement: a financial institution is not required to provide an annual privacy notice to its customers if it does not share nonpublic personal information, except as permitted, and if it has not changed the information in its privacy notice since it was last provided to its customers. The CFPB proposed a rule revising Regulation P to implement these provisions, but a final rule has yet to be issued. However, the FFIEC has already developed interagency examination procedures, adopted by the FRB, FDIC, OCC, and CFPB, which state that financial institutions qualifying for the annual privacy notice exception of the FAST Act amendment to the GLBA are not required to provide annual privacy notices to their customers. Consequently, the Bank should not be cited for failing to provide an annual privacy notice if it qualifies for the exception.

Response Detail

Under the present requirements of Regulation P, a financial institution is required to provide an annual privacy notice at least once during any 12-month period while a customer relationship exists. A “customer relationship” is a continuing relationship between a consumer and the financial institution in which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. A “consumer” is an individual who obtains or has obtained a financial product or service from the Bank that is to be used primarily for personal, family, or household purposes, or the individual’s legal representative. 12 CFR §1016.3(e)(1), (j)(1); §1016.5(a)(1).

Regulation P also allows a financial institution to satisfy the annual privacy notice requirement by posting the notice on its website, provided that the institution does not share nonpublic personal information (except as permitted by the regulation), there is no right of opt-out, the information in the privacy notice has not changed since it was last disclosed to customers, and customers have been notified (e.g., through a message on the account statement) of the availability of the privacy notice on the website, that the notice has not changed, and that a paper copy is available upon request. 12 CFR §1016.9(c)(2).

On December 4, 2015, the Fixing America’s Surface Transportation Act (“FAST Act”) (Pub. L. No. 114-94) was signed into law, going into effect immediately. Among other things, the FAST Act amended the Gramm-Leach-Bliley Act (“GLBA”) so that a financial institution is no longer required to provide an annual privacy notice to its customers if the institution:

  • Shares nonpublic personal information solely in accordance with GLBA sections 502(b)(2) or 502(e), or regulations prescribed pursuant to section 504(b)
  • Has not changed its policies or practices with regard to sharing nonpublic personal information since its most recent disclosure to its customers under GLBA section 503

The exceptions to GLBA restrictions with respect to sharing nonpublic personal information, as per the referenced sections above, include sharing:

  • With third-party providers performing services for the institution or on its behalf, such as marketing the institution’s own products or those offered jointly with the provider, so long as there is a confidentiality agreement prohibiting the provider from using or disclosing the information except for the specified purposes
  • With the consent or authorization of the customer
  • For certain other purposes ordinarily undertaken by a financial institution, such as protecting against or preventing actual or potential fraud; providing information to the institution’s auditors, attorneys, or accountants; or complying with applicable legal requirements, such as disclosing information to regulators

If a financial institution satisfies these restrictions on sharing and has not made any changes to its privacy policy since the institution’s latest disclosure of the policy to its customers, it does not have to provide an annual notice. Unlike the Regulation P alternative delivery method, the statute, as amended, does not condition the exception on notifying customers that the privacy notice is available on the website. If the institution at any time ceases to meet either of the two criteria, it must subsequently provide an annual privacy notice to its customers.

On July 11, 2016, the Consumer Financial Protection Bureau (“CFPB”) published a proposed rule giving effect to the FAST Act amendment to the GLBA, providing timing requirements for the delivery of an annual privacy notice by institutions that no longer qualify for the annual privacy notice exception, and removing the alternative annual privacy notice delivery method, as the CFPB did not believe that financial institutions would use this method in light of the annual privacy notice exception. 81 Federal Register 44801, 44802. However, the CFPB has not yet issued a final rule, leaving in place the alternative delivery method for the annual privacy notice presently prescribed by Regulation P.

Prior to the issuance of the CFPB’s proposed rule, the Federal Financial Institutions Examination Council (“FFIEC”) had already developed interagency Regulation P examination procedures, incorporating the FAST Act amendment to the GLBA. These examination procedures were adopted by the Federal Reserve Board (“FRB”), Federal Deposit Insurance Corporation (“FDIC”), Office of the Comptroller of the Currency (“OCC”), and CFPB.

The Regulation P examination procedures of the current FDIC Compliance Examination Manual state that, “[a]s of December 4, 2015, pursuant to the FAST Act’s GLBA amendment, a financial institution is not required to provide an annual privacy notice to its customers,” followed by a restatement of the conditions for the exception. FDIC, Compliance Examination Manual, VIII – 1.5.

The examination procedures of the CFPB are the same and do not refer to the pending revision of Regulation P. They also confirm that the FAST Act amendment to the GLBA was effective upon enactment. CFPB, Supervision and Examination Process, GLBA Privacy 3, 10.

In issuing the new FFIEC procedures, the Federal Reserve Board noted that:

Beginning on December 4, 2015, if a financial institution meets these conditions, it is not required to provide an annual privacy notice to its customers and, accordingly, should not be cited either for failing to provide an annual privacy notice or for providing an annual privacy notice using an improper delivery method. FRB, CA 16-3: Revised Interagency Examination Procedures for Regulation P, June 8, 2016.

We have found no similar statement issued by the FDIC. Nevertheless, the statement in the FDIC’s examination procedures concerning the effect of the FAST Act amendment to the GLBA indicates that an institution it supervises would not be cited for failing to provide an annual privacy notice in accordance with current Regulation P requirements, if the institution qualifies for the annual privacy notice exception.

Consequently, we conclude that the Bank does not have to provide an annual privacy notice if it qualifies for the annual privacy notice exception of the FAST Act amendment to the GLBA. Because the statutory exception does not depend on notifying customers of the notice’s availability, the message on the periodic statement is not required by the FAST Act exception; it remains a condition only of the Regulation P alternative delivery method, which the Bank need not rely on if it qualifies for the statutory exception.

This entry was posted on Monday, April 2nd, 2018 at 9:15 am.
