Banks and other financial institutions may be able to avoid costly manual mailings of annual privacy notices to customers and instead publish annual privacy notices on their websites under a new rule issued by the federal Consumer Financial Protection Bureau (CFPB).
Banks are required to give annual privacy notices to customers under the Gramm- Leach-Bliley Act (GLBA) and the CFPB’s Regulation P (12 CFR Part 1016). The new rule and Regulation P apply to certain non-bank financial institutions, as well.
The CFPB rule will take effect upon its pending publication date in the Federal Register.
The new rule allows banks and other financial institutions to use the website posting method only if certain conditions are met, including:
- the financial institution uses the model form provided by the CFPB in Regulation P for its privacy notice;
- the information included in the privacy notice has not changed since the customer received the previous notice (with limited exceptions); and
- the financial institution does not share the customer’s nonpublic personal information with:
- nonaffiliated third parties in a manner that triggers GLBA opt-out rights; or
- affiliates in a manner that triggers certain opt-out rights under the Fair Credit Reporting Act (FCRA).
Also, for any financial institution that discloses customer information in a way that triggers “affiliate marketing” opt-out rights under FCRA, the financial institution must also do one of the following before it can use the new website method to disclose the annual privacy notice:
- have already provided the required FCRA “affiliate marketing” opt-out disclosures before the annual privacy notice is disclosed using the new website method, or
- use a channel other than the website disclosure to provide the required FCRA “affiliate marketing” opt-out right disclosures.
To use the website disclosure method for annual privacy notices, a financial institution must insert a clear and conspicuous statement at least once per year on an account statement, coupon book or any notice or disclosure required or expressly permitted under law, announcing that:
- the annual privacy notice is available on the financial institution’s website;
- the notice has not changed; and
- the notice will be mailed to customers who request it by calling a telephone number provided in this statement.
Also, in this statement, the customer must be provided with a specific web address that takes the customer directly to the page where the privacy notice is available, rather than requiring the customer to find that page via links on the website.
The financial institution must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login, password or similar steps to access the notice. Also, the notice must be posted on a page of the website that contains only the notice.
In addition, to assist customers with limited or no access to the Internet, the financial institution must mail annual notices to customers who request them within 10 days of any such request.