Final Rule Updates Regulation P With Exemptions From Annual Notice Requirements
The Bureau of Consumer Financial Protection (the “Bureau”) is amending its Regulation P requirements governing annual notices that financial institutions must provide to their customers describing their privacy policies and practices. These long-awaited amendments implement 2015 amendments to the Gramm-Leach-Bliley Act (GLBA) that permit financial institutions that meet specified criteria to be exempted from the annual notice obligation. The final rule will take effect on September 17, 2018.
As a general rule, the GLBA requires financial institutions to send annual privacy notices to all customers, describing the institution’s privacy practices and permitting customers to opt out of the institution’s practice of sharing certain nonpublic personal information (NPPI) with third parties. In December 2015, Congress amended the GLBA to permit financial institutions satisfying specified criteria to be exempt from the annual notice requirement. In particular, if a financial institution restricts its sharing of information such that it does not trigger a customer’s right to opt out, and has not changed its privacy notice from the one previously delivered to its customers, the GLBA exempts the institution from the requirement to keep sending annual notices. Although the statutory exemption from the annual notice requirement became effective in December 2015, the newly promulgated amendments to Regulation P now implement that statutory amendment. The final rule also establishes deadlines for institutions that are required to resume providing annual privacy notices after their practices change from those described in their most recent privacy notice.
Under the revised Regulation P, financial institutions are not required to deliver the annual privacy notice to customers if the institution satisfies both of these criteria:
- The institution shares NPPI with nonaffiliated third parties only under one of the GLBA statutory safe harbors that do not trigger a customer’s right to opt out of such sharing; and
- The institution has not changed its NPPI disclosure policies and practices from the policies and practices in the institution’s most recent annual notice to customers.
Note that neither the 2015 GLBA amendments nor Regulation P exempt financial institutions from all disclosure obligations. To the extent that the Fair Credit Reporting Act (FCRA) separately requires that an opt-out disclosure be provided, each institution must continue to comply with that obligation regardless of the changes to the GLBA and Regulation P. The Bureau indicates that the following do not constitute a change to the institution’s NPPI policies and practices that would require issuance of a new annual notice under the GLBA: (a) making changes to a financial institution’s FCRA disclosures, or (b) making changes to voluntary disclosures and opt-outs that were provided in the institution’s most recent privacy notice. In particular, “the Bureau has determined that disclosures describing sharing with affiliates under FCRA section 624 or voluntary disclosures and opt-outs will not affect a financial institution’s eligibility for the annual privacy notice exception” under the GLBA amendments and revised Regulation P.
The Bureau also noted that the GLBA already requires financial institutions to provide a revised notice to consumers before implementing certain types of changes, whereas in other cases the law simply requires that the content of the next regular annual notice provided to customers be updated. Consistent with this approach, the timing requirements in the revised Regulation P differ depending on whether the change that causes the institution to no longer satisfy the conditions for the exception also triggers a requirement under existing Regulation P to deliver a revised notice. In particular, Regulation P already requires a financial institution to provide revised notices before it begins to share NPPI with a nonaffiliated third party if that sharing would differ from what was described in the initial privacy notice delivered to the customer. Under the revised Regulation P, institutions that lose the exemption for reasons that would trigger this prior notice requirement will also be required to resume providing the annual notices before implementing the change. Otherwise, the institution must resume sending the annual notices within 100 days after making the change.