In December of 2015, President Obama signed the Fixing America's Surface Transportation (FAST) Act of 2015 (Public Law 114-94). Section 75001 of the FAST Act amended Section 503 of the Gramm-Leach-Bliley Act (GLBA), creating an exception to the annual privacy notice delivery requirement for certain financial institutions. Financial institutions that qualified were as excited as kids on Christmas. But, like the Grinch, we had to spoil the fun. Because the regulation implementing the GLBA's privacy provisions (Regulation P, 12 CFR Part 1016) still required annual privacy notices, we took a conservative approach and advised our clients to continue to send the notice until the CFPB revised Regulation P to conform with the new law or they heard otherwise from their regulators.
In July 2016, the CFPB proposed amendments to Regulation P to implement the FAST Act exception. The rule was expected to be finalized in November 2016. Apparently, the election of President Trump has the folks at the CFPB preoccupied with other things, and the rule still has not been finalized. It's been 18 months since the FAST Act became the law of the land and the CFPB still has not finalized the rule change. Well, what has changed? Fortunately, most of the regulators have published guidance that makes it clear that they believe the FAST Act was self-effectuating and will not enforce contradictory provisions of Reg. P. The NCUA was on the ball and released a letter to credit unions (16-CU-03) in January 2016 stating that "NCUA examiners have been notified that if your credit union meets the applicable requirements, you need not send annual privacy notices unless and until your credit union no longer meets those requirements." The FDIC, CFPB, and Federal Reserve Board were a little slower, but between June and December 2016 the agencies released GLBA/Regulation P examination procedures that make it clear the agencies do not expect financial institutions that meet the requirements to send annual privacy notices. If the OCC examines you, you're not so lucky.
Now that this exception actually means something, let's take a closer look at it. The FAST Act provided that a financial institution does not need to provide an annual privacy notice if it:
- Provides nonpublic personal information only in accordance with the provisions of subsection (b)(2) or (e) of section 502 or regulations prescribed under section 504(b); and
- Has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with this section.
Huh!? What does that say in plain English? Well, let me break it down for you. Regulation P implements GLBA's privacy provisions, i.e., it is the regulation prescribed under section 504(b) of the GLBA. Section 1016.13 of Reg. P corresponds to section 502(b)(2) of GLBA, and sections 1016.14 and 1016.15 of Reg. P correspond to section 502(e) of GLBA. Simply put, if your bank only shares NPI with nonaffiliated third parties pursuant to an exception in sections 1016.13-15 of Reg. P and your policies have not changed since the last time you sent your privacy notice, you are not required to send an annual privacy notice. If, at any time, you fail to meet either condition, you must send an annual privacy notice.
You want it simpler than that? Well, pull out your privacy notice (assuming you're using the Model Notice). If you have a "No" in the middle column for "For nonaffiliates to market to you" and your information sharing practices have not changed, you qualify for the exception. It's that simple. But what about affiliate marketing and affiliates' everyday business purposes? GLBA is not really concerned with sharing with your affiliates. Sure, there are a few provisions in Regulation P that require you to include your practices regarding sharing with affiliates. But the limitation on sharing with affiliates and the opt-out requirements are found in the Fair Credit Reporting Act (FCRA).
Earlier I mentioned that you're not so lucky if the OCC is your regulator. The OCC has not released anything officially stating that they will not enforce Regulation P's annual privacy notice requirement for financial institutions that meet the FAST Act requirements. What are you to do? Well, the first thing you should do is contact the OCC and ask them their position. But, let's assume that either you do not hear back from them or they say "the rule is the rule" and you must send the annual privacy notice. What do you do then? You may be able to take advantage of the alternative delivery method for the annual privacy notice. Because there are fewer requirements to qualify for the FAST Act's exception to providing an annual privacy notice than there are to qualify to use the CFPB's alternative delivery method, not every financial institution that qualifies for the FAST Act exception will qualify for the alternative delivery method. If you are examined by the OCC and you do not qualify for the alternative delivery method, I recommend that you still send the annual privacy notice until you hear something to the contrary from the OCC and/or the CFPB finalizes the Regulation P changes.
We have discussed the alternative delivery method in detail in past articles, so I will be brief here. A financial institution may use the alternative delivery method if:
- It does not share in a way that triggers an opt-out right under GLBA or under FCRA Section 603;
- The affiliate marketing opt-out notices required by section 624 of the FCRA and § 1022.21 of Regulation V have previously been provided;
- Certain information included in the annual privacy notice has not changed since the previous notice; and
- It uses the Model Privacy Form.
To use this alternative delivery method, a financial institution must:
- Include on an account statement, coupon book, or a notice or disclosure, at least once a year, a statement that informs the customer that the annual privacy notice is available on the financial institution's website, that the institution will mail the notice to customers who request it by calling a specific telephone number, and that the notice has not changed;
- Post its privacy notice on its website on a page containing only the privacy notice that does not require the customer to provide any information, such as a login name or password, or agree to any conditions to access the page; and
- Mail its current privacy notice to those customers who request it by telephone within 10 days of the request.