In December 2011, the Consumer Financial Protection Bureau (CFPB) published a Federal Register (FR) notice [76 FR 75825] on “Streamlining Inherited Regulations.” These regulations consist of federal consumer financial laws that were transferred to CFPB authority under the Dodd-Frank Wall Street Reform and Consumer Protection Act from seven other federal agencies. Among the regulations that were identified as opportunities for “streamlining” was the annual privacy notice required by Regulation P (“Privacy of Consumer Financial Information”) issued by the Federal Reserve [12 CFR Part 216]. In its fall 2013 “Statement of Regulatory Priorities,” the Bureau continued the process by stating its intent to publish a notice of proposed rulemaking “to explore whether to modify certain requirements under the Gramm-Leach-Bliley Act's implementing Regulation P to which financial institutions provide annual notices regarding their data sharing practices.”
The CFPB issued its proposed rule (“Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P)”) on May 13, 2014 [79 FR 27214]. The amendment describes an “alternate delivery method” for the annual disclosure that financial institutions could use in specified situations. These circumstances are consistent with the purpose of section 503 of the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to provide initial notice upon entering into a relationship with a customer, and then annually thereafter.
A financial institution may (but is not required to) use the alternate delivery method if its practices satisfy five criteria:
- It does not share customer nonpublic personal information with nonaffiliated third parties in a manner that would trigger opt-out rights under GLBA. Financial institutions are not required to provide opt-out rights to customers when sharing information with third-party service providers, pursuant to joint marketing agreements or in response to a formal law enforcement request. However, using an example mentioned in the notice, a bank would be required to provide such rights to its mortgage customers whose personal information it intends to sell to an unaffiliated home insurance company. In this latter situation, the new alternative notice process would not be available.
- It does not include in its annual notice the separate opt-out notice required under section 603(d)(2)(A)(III) of the Fair Credit Reporting Act (FCRA) if a financial institution shares information about a consumer with its affiliates. Such activity is excluded from the definition of a consumer report” in FCRA, but notice to the consumer and an opportunity to opt out is required. Financial institutions are required to include this disclosure in the annual privacy notice. Therefore, if a financial institution does share such information internally, and does not provide a separate disclosure, it may not take advantage of the “alternate delivery method.”
- The annual notice is not the only notice used to satisfy the Affiliate Marketing Rule in section 624 of FCRA. Financial institutions are not required to include this opt-out notice in the annual privacy notice, but many do. If a financial institution shares information about a consumer with an affiliate for marketing purposes, it may use the new delivery process only if it independently satisfies the section 624 disclosure requirement.
- The information contained in the prior year’s notice (e.g., information sharing practices) has not changed.
- The institution uses the Model Privacy Form Under the Gramm-Leach-Bliley Act published in 2009 [74 FR 62890] for its annual privacy notice.
Financial institutions that satisfy the above criteria may discontinue mailing the annual privacy notice if they provide notice by other means described in the proposed rule. Institutions using the alternate delivery method will be required to post the privacy notice continuously and conspicuously on their website, deliver an annual reminder on another notice or disclosure of the availability and location of the notice, and provide a toll-free telephone number for customers to request that a paper copy of the notice be mailed to them. While GLBA and Regulation P provide for notice in written or electronic form, most financial institutions mail the notices at substantial cost. This action by the CFPB is intended to balance the cost considerations with the benefit to consumers of the annual notice and the potential for confusion where an institution’s practices have not changed. And small financial institutions, which are less likely to share customer information in a way that triggers customer opt-out rights, would benefit from the cost savings with no harm to the customer.
In the proposed rule, the CFPB requested comment and information regarding the practical aspects of the changes, such as the number of financial institutions that change their policies, deliver notices electronically, or combine the FCRA and privacy notices. The initial rule provided only 30 days to comment, but this has been extended to July 14, 2014 [79 FR 30485] in response to requests from several financial services industry groups. This initiative by the CFPB seems to have more velocity than similar efforts in Congress, where bills in the House (Eliminate Privacy Notice Confusion Act -H.R. 749) and Senate (Privacy Notice Modernization Act of 2013 - S. 635) are languishing. Financial institutions should at least be aware of this development and evaluate whether they will benefit from the proposed revisions.