In December, President Barack Obama signed into law the Fixing America’s Surface Transportation Act. Buried on page 476 of this 490-page bill is an amendment to the consumer privacy provisions of the Gramm-Leach-Bliley Act (the GLBA) that eliminates the annual privacy notice requirement for certain financial institutions, as further described below. The amendment became effective immediately.
By way of background, the GLBA, as implemented by Securities and Exchange Commission Regulation S-P, Part 160 of the Commodity Futures Trading Commission’s Regulations and other federal agency regulations, requires certain financial institutions, among them investment advisers, registered investment companies, broker-dealers, futures commission merchants, commodity pool operators, commodity trading advisors and private funds, to provide an initial notice to consumers describing their privacy policies and practices regarding the disclosure of nonpublic personal information (NPI) to third parties at the time that the customer relationship is established. Thereafter, it also requires financial institutions to provide such notices at least annually during the relationship (the annual notice requirement).
The amendment eliminates the annual notice requirement for financial institutions that satisfy both of the following conditions:
- The financial institution does not disclose NPI in a manner that triggers a consumer’s right to “opt-out” of such disclosure under the GLBA. The kinds of disclosure of NPI that do not trigger the consumer “opt-out” right include, but are not limited to, disclosure to nonaffiliated service providers to perform services for the financial institution, subject to certain requirements; disclosure to service providers as necessary to effect, administer or enforce a transaction requested or authorized by the consumer or in connection with maintaining or servicing the consumer’s account; disclosure to protect the confidentiality or security of the financial institution’s records pertaining to the consumer, to protect against fraud and for institutional risk control purposes; and disclosure as specifically permitted or required by law.
- The financial institution has not changed its policies and practices with respect to the disclosure of NPI to non-affiliated third parties that were disclosed in its most recent privacy notice to consumers.
Accordingly, financial institutions that do not disclose NPI to anyone (other than in connection with servicing consumer accounts or administering financial products) generally will no longer need to deliver annual privacy notices if the financial institution has not changed its policies and practices with respect to the disclosure of NPI since its most recent privacy notice to consumers. However, each financial institution’s ability to avoid delivering annual notices will be based on the particular facts and circumstances, including its practices regarding the disclosure of NPI.
Because the amendment became effective immediately, no implementing rulemaking is required to make the changes to the annual notice requirement effective. The amendment should help to reduce the compliance burdens on certain financial institutions associated with providing annual privacy notices to consumers (e.g., investors in private funds). However, the amendment does not eliminate the requirement for such financial institutions to provide the initial privacy notice to consumers under the GLBA.
Financial institutions seeking to avoid the annual notice requirement should confirm that they satisfy the two conditions of the amendment. Those financial institutions that can take advantage of the amendment should also consider amending their privacy notice policies and procedures accordingly.