CHANGES TO THE ANNUAL NOTICE REQUIREMENT
Title V of the GLBA requires financial institutions—including depository institutions, registered investment companies, U.S. private funds, registered investment advisers and securities broker-dealers—to protect the nonpublic personal information (NPI) that they receive and to disclose their policies for collecting, using and disclosing NPI. Under the GLBA, financial institutions generally must provide their customers with: (1) an initial privacy notice with appropriate disclosures, at the time of establishing a customer relationship and (2) Annual Notices thereafter.1
The FAST Act eliminates the Annual Notice requirement, provided two conditions are met:
- First, the financial institution must only share NPI within the GLBA-listed exceptions that do not trigger the opt-out right. If the information sharing practice falls under one of these exceptions, the financial institution need not provide consumers the right to “opt-out” of such information sharing. Among the GLBA-listed information sharing arrangement exceptions are the following:
  - With non-affiliated third parties for the purposes of performing services for or functions on behalf of the financial institution;
  - As necessary to effect, administer or enforce a transaction requested or authorized by the consumer;
  - To protect the confidentiality or security of the financial institution’s records against fraud and for institutional risk control purposes;
  - To provide information to insurance rate advisory organizations, ratings agencies, the institution’s attorneys, accountants and auditors or others determining compliance with industry standards;
  - To consumer reporting agencies; and
  - To comply with applicable federal, state or local laws or rules.
- Second, the financial institution must not have changed its policies or procedures with respect to the disclosure of NPI since the last privacy notice was provided to its consumers.
Thus, a financial institution would only be required to provide an Annual Notice if it changes its privacy policies or discloses NPI to non-affiliated third parties in a manner that triggers an opt-out right.
COMPARISON TO THE CFPB’S MODIFICATION OF REGULATION P
The changes in Regulation P are likely to be supplanted by the FAST Act exception, given that the FAST Act allows firms to avoid Annual Notices altogether and given that the FAST Act’s changes apply to all financial institutions and not exclusively those subject to the CFPB’s Regulation P.