Why it matters

A rule allowing financial institutions to post their annual privacy notices online (rather than having to mail them to customers individually) has been finalized by the Consumer Financial Protection Bureau (CFPB). While the CFPB estimates the change will save the industry $17 million, banks are not paper-free just yet. Financial institutions must still send a hard copy of the privacy policy if certain terms change or if a customer specifically requests a hard copy of the notice. The new alternative method for providing annual notices is available only if the financial institution does not include on its annual privacy notice an “opt out” under the Fair Credit Reporting Act (FCRA).

Detailed discussion

Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required to provide initial and annual notices to their customers regarding the institution’s privacy policy. In addition, if the institution shares nonpublic information about its consumer customers with third parties, both the GLBA and the FCRA require the bank to notify customers of that fact and, under some circumstances, provide an opportunity to opt out of the sharing.

Historically, the notice has been provided in an annual mailing.

Under the new rule, which largely tracks a proposal issued earlier this year, the CFPB established an alternative delivery method for annual privacy notices if certain requirements are met.

First, the institution’s data-sharing practices must not trigger any opt-out rights, or the required opt-out notices must already have been provided; second, certain material information included in the privacy notice must not have changed since receipt of the prior notice; and finally, the financial institution must use the model form provided in Regulation P.

Additional requirements regarding availability of the notice include posting it “in a clear and conspicuous manner” on a page of the institution’s website without the need for a login or agreement to any conditions for access. To make customers aware that the annual privacy notice is available online, financial institutions “must insert a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law,” the CFPB said.

This statement must explain to customers that the annual privacy notice is available on the institution’s website, that a physical copy can be obtained by making a request (with phone number provided), and that the notice itself hasn’t changed. If a customer requests a hard copy by phone, it must be provided within 10 days.

When a financial institution changes its privacy notice or policy on information sharing triggering a customer opt-out right, then it must revert to the pre-rule delivery methods.

The CFPB characterized the final rule as a win-win for consumers and financial institutions. Consumers receive 24/7 access to privacy policies, which educates them about the various types of privacy policies, and institutions may limit the amount of data sharing with third parties to avoid having to send additional notices. Institutions, for their part, benefit from reduced costs.

“Consumers need clear and accessible information about how their personal information is being used in the marketplace, but some of these requirements were redundant,” CFPB Director Richard Cordray said in a statement. “Posting privacy notices online will make it easier for consumers to access these important policies, while also making it cheaper for financial institutions to provide disclosures.”
