Recently, the Consumer Financial Protection Bureau (the “CFPB”) issued proposed rules (the “Proposed Rules”) to update the CFPB’s prior guidance concerning Regulation P, which requires, among other things, that financial institutions provide an annual notice describing their privacy policies and practices to their customers. Under the Proposed Rules, certain financial institutions would be exempt from the annual privacy notice requirements upon meeting certain conditions.

Background

Under the privacy provisions of the Gramm-Leach-Bliley Act (the “GLBA”), implemented by Regulation P, a financial institution is required to provide an initial notice of its privacy policies and practices when a customer relationship is established and to provide an annual notice to customers every year while the customer relationship continues to exist. If a financial institution chooses to disclose nonpublic personal information about a consumer in a manner other than as described in its initial notice, the institution is also required to deliver a revised notice. Each of the several different notices has identical content and must provide the following:

  • whether and how the financial institution shares consumers’ nonpublic personal information with other entities;
  • a brief description of how the financial institution protects the nonpublic personal information it collects and maintains; and
  • information concerning the customer’s right to opt out of certain types of sharing of nonpublic personal information.

On December 4, 2015, Congress amended the GLBA as part of the Fixing America’s Surface Transportation Act (the “FAST Act”) to establish an exception to the annual privacy notice requirements, whereby a financial institution that meets certain criteria is not required to provide an annual privacy notice to customers. The amendment was effective upon enactment of the FAST Act. The Proposed Rules would update the CFPB’s prior regulatory guidance concerning Regulation P.

Proposed Rules

Under the Proposed Rules, Regulation P would be updated to state that a financial institution would be exempt from providing an annual notice if it meets the following two conditions:

  1. Permitted disclosures. The financial institution must disclose nonpublic personal information only in accordance with those provisions of Regulation P that do not require customer consent. Under Regulation P, a financial institution may, without triggering notice requirements, disclose nonpublic personal information to a nonaffiliated third party (i) to perform services for, or on behalf of, the financial institution (e.g., marketing of the financial institution’s own products or services) or (ii) to promote financial products or services offered pursuant to joint agreements between two or more financial institutions that otherwise comply with all regulatory requirements.
  2. No change in the financial institution’s privacy policies. A financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from the policies that were disclosed to the customer in the financial institution’s most recently provided privacy notice.

A financial institution that meets these two requirements for the annual notice exemption will not be required to provide annual notices until such time as that financial institution no longer complies with the above stated conditions.

Conclusion

If adopted, the Proposed Rules would bring Regulation P into conformance with the GLBA by updating the CFPB’s regulatory guidance. Although the Proposed Rules have not yet been finalized, the law has already been made effective with the enactment of the FAST Act. A financial institution would be well advised to review its privacy policies and practices for compliance under Regulation P and the Proposed Rules. In so doing, a financial institution may find that it can avoid the cost of the annual disclosure required under Regulation P.

To view the full text of the CFPB’s Proposed Rules, click here.