There seems to be a lot of confusion surrounding the recent CFPB amendments to Regulation P and the Alternative Delivery Method. When the CFPB amended Regulation P to conform to the Fixing America's Surface Transportation Act (FAST Act) elimination of the Annual Privacy Notice requirement for certain financial institutions, it eliminated the Alternative Delivery Method. To understand why they did so, it may be helpful to discuss what the Alternative Delivery Method was, why it came about and why it is no longer necessary.
The Alternative Delivery Method was created in 2014 when the CFPB was trying to reduce the regulatory burden on certain financial institutions. If a financial institution did not share NPI (non-public information) in a way that required an opt-out, their privacy notice did not change from the last notice they provided. They used the Model Form for their privacy notices - a financial institution could use what was called the Alternative Delivery Method to deliver their annual privacy notice. To use the Alternative Delivery Method, a financial institution must do the following:
- Continuously post the annual privacy notice on their website
- Annually provide a notice on an account statement or disclosure that its annual privacy notice is available on their website, that it has not changed, and that it will mail a copy upon request
- Mail a copy of the privacy notice within 10 days of any request
While this saved financial institutions the hassle of sending the annual privacy notice, it really didn't reduce the regulatory burden since they still had to send the availability notice and it did nothing for customers who did not receive account statements at least annually, e.g. CD and safe deposit box customers. If the goal was to eliminate or reduce the regulatory burden on financial institutions that do not share their customers' NPI, why did it create this complicated alternative? What's the point? Why didn't the CFPB just get rid of the requirement? Well, unfortunately, an alternative method was the best that they could do under the pre-existing law.
To further explain, in 1999, the Gramm-Leach-Bliley Act (GLBA) was passed. Among other things, it required all financial institutions to provide an annual notice describing their privacy policies. In 2011, the CFPB sought comments on how to reduce the regulatory burden on financial institutions. One of the areas of which the CFPB received the most comments was the annual privacy notice. Many comments urged the CFPB to eliminate the requirement to send the notice altogether. Therefore, in 2014, the CFPB revised Regulation P and created the Alternative Delivery Method. In doing so, the CFPB explained that it was unable to eliminate the annual privacy notice requirements for these institutions entirely because the GLBA still required all financial institutions to provide an annual privacy notice and the Alternative Delivery Method was an attempt to still comply with that requirement while still reducing the regulatory burden.
Finally, in 2015, Congress amended the GLBA as part of the FAST Act. The FAST Act, among other things, provided that a financial institution does not need to provide an annual privacy notice if it does not share any NPI with a nonaffiliated third-party in a way that requires an opt-out and has not changed its sharing policies and practices since its last notice. In August, the CFPB finalized amendments to Regulation P to conform to this change. As a result, the CFPB eliminated the Alternative Delivery Method because it is no longer necessary. If you qualify for the exception, you do not to need to provide an annual privacy notice which includes the Alternative Delivery Method.
That's it, it's that easy. You do not need to post your privacy notice on your website. You can if you want to, but you do not have to. You do not need to include a message on an account statement at least annually. You can if you want to, but you do not have to. You do not need to use the Model Form. You can if you want to (and I highly recommend it), but you do not have to. If you meet the requirements for the exception, you do not have to do anything beyond provide your initial privacy notice.