Summary: Proposed Rule

Consumer Financial Protection Bureau
Amendment to the Annual Privacy Notice Requirement under Gramm-Leach-Bliley


Prepared by NASCUS Legislative and Regulatory Affairs Department
July, 2016


 

The Consumer Financial Protection Bureau (CFPB) is proposing to amend Regulation P, which requires, among other things, that financial institutions provide an annual notice describing their privacy policies and practices to their customers.  The proposal would implement a December 2015 statutory amendment to the Gramm-Leach-Bliley Act (GLBA) providing an exception to this annual notice requirement for financial institutions that meet certain conditions.

Regulation P, which implements GLBA, requires financial institutions to provide their customers with annual privacy policy notices.  Financial institutions that share certain consumer information with particular types of third parties are required to provide customers with an opportunity to opt out of this information sharing via the annual notice.  Regulation P also provides for delivery requirements for annual privacy notices.  In December 2015, GLBA was amended by the Fixing America’s Surface Transportation Act (FAST Act). Under the amendments, a new Section 503 was added to GLBA. The CFPB is proposing to amend GLBA to incorporate Section 503 and also eliminate the alternative annual notice delivery option now available to financial institutions.

The complete proposed rule may be found here.

Comments must be received by the CFPB within 30 days of the proposal’s publication in the Federal Register.

Summary

Exception to Annual Privacy Notice Requirement

Proposed Section 1016.5(e)(1) of Regulation P (which implements new Section 503 of GLBA) would provide an exception from the annual privacy notice requirement for financial institutions that meet certain conditions.

  • 1016.5(e)(1)(i) notes that in order for a financial institution to qualify for the Section 503 exception to annual privacy notice requirements, the financial institution must not share nonpublic personal information about customers except as otherwise provided.
  • 1016.5(e)(1)(ii) states that in order for a financial institution to qualify for the Section 503 exception to annual privacy notice requirements, the financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from those that the institution disclosed in the most recent privacy notice sent.

Alternative Delivery Method for Providing Certain Annual Notices

Currently, Regulation P provides for an “alternative delivery method” that allows financial institutions that meet certain conditions to provide an annual privacy notice to customers electronically instead of by U.S. Postal mail.

The Bureau has proposed to eliminate the alternative delivery method option because financial institutions that satisfy the requirements for the alternative delivery method would also satisfy the requirements for the annual privacy notice exception.  The Bureau believes that in those instances, a financial institution will opt to take advantage of the exception from the notice requirement.