We have read that the CFPB recently issued final rule revisions for Regulation P. What we need to know is what happened. So, what was the revision? Are there new disclosures? Is there an effective date, and, if so, when?
Regarding the subject inquiry, I am going to answer as clearly as I can – hopefully not too wonkishly! – however, some background is needed for this explication. The revision you refer to is the CFPB’s amendment to Regulation P to include an exception to the annual privacy notice obligation set forth in the Gramm-Leach-Bliley Act (GLBA). The issuance date was August 17, 2018, and the effective compliance date is September 17, 2018.
You would need to go back almost three years ago, when the Fixing America’s Surface Transportation Act (FAST Act or FAST) amended the GLBA to provide for such an exception. So, in actuality, the amendment is simply the CFPB ensuring now that Regulation P is consistent with the GLBA, as amended. I would note that although the effective compliance date is September 17, 2018, FAST’s amendment has been in effect. Therefore, financial institutions have been able to rely on the GLBA’s statutory exception to the annual notice obligation.
Now to dive into requirements of the notice itself. Under the GLBA, a financial institution must provide each consumer customer with an annual notice of its privacy policies and practices over the course of its relationship with the customer. FAST amended the GLBA to provide an exception to the annual privacy notice requirement for financial institutions that satisfy two conditions; specifically, a financial institution is not required to provide an annual privacy notice to its customers if:
(1) the institution shares nonpublic personal information (NPI) about customers with nonaffiliated third parties only to the extent permitted by exceptions in the GLBA or Regulation P (i.e., the financial institution is not required to provide an opt out for sharing with nonaffiliated third parties), and
(2) the financial institution has not changed its policies and practices with respect to disclosing NPI from those described in the most recent privacy notice sent to customers.
Which brings us to Regulation P. In July 2016, the CFPB published its Proposed Rule to amend Regulation P to implement the FAST exception to the annual notice requirement. Therefore, the CFPB now adopts the proposal, largely as originally proposed.
Specifically, the Final Rule provides that a financial institution will not be required to deliver an annual privacy notice if:
(1) the institution discloses NPI only in accordance with the Regulation P exceptions, and
(2) the institution has not changed its disclosure policies and practices since the most recent privacy notice sent to customers.
The Final Rule goes beyond FAST in the sense that it provides additional details surrounding when a financial institution that no longer qualifies for an exception must resume providing annual notices. Under the final rule, if a financial institution changes its policies in such a way that it is required to provide customers with a revised privacy (and no longer qualifies for the exception), the financial institution will then be required to resume providing an annual notice thereafter (i.e., treating the revised notice as an initial notice).
If the financial institution changes its policies but is not required to provide a revised privacy notice (despite the fact that it no longer qualifies for the exception), the financial institution will be required to deliver the annual notice within 100 calendar days after the change.
The Final Rule eliminates the prior alternative delivery method for annual privacy notices that had been set forth in Regulation P.
Your inquiry did not state whether you are a bank or non-bank and it did mention your primary regulator. So, take note of this caveat: financial institutions seeking to rely on the exception to the annual notice requirement should still consider the extent to which they are subject to a state privacy laws that would continue to impose an annual notice obligation or that would impose additional conditions on the availability of the exception.
To illustrate my point, I could go state by state, but, as an example, Vermont amended its financial privacy rules in March of this year to include an exception similar to the FAST Act. Indeed, the Vermont rules impose additional conditions on the availability of an exception including that a financial institution does not disclose information to affiliates in a manner that would require an opt in under the Vermont Fair Credit Reporting Act and the financial institution posts its current privacy notice continuously and in a clear and conspicuous manner on a page of its web site on which the only content is the privacy notice.
Obviously, this is a regulatory mandate that requires very careful implementation protocol. If you need assistance in understanding the requirements and/or guidance in procedures relating to Regulation P, please contact us.
Lenders Compliance Group
 Pub. L. No. 114-94, 129 Stat 1312 (2015)
 12 CFR § 1016.5(a)(1)
 To be codified at 12 CFR. § 1016.5(e)(1)
 12 CFR § 1016.8
 To be codified at 12 CFR § 1016.5(e)(2)(i)
 To be codified at 12 CFR § 1016.5(e)(2)(ii)
 This alternative took effect in October 2015, but provided little practical utility to financial institutions, particularly following the enactment of the FAST Act. The CFPB stated in the supplementary information accompanying the Final Rule that it removed the alternative delivery method because it believes it “will no longer be used in light of the annual notice exception,” as an institution that satisfied the conditions to use the alternative delivery method will now qualify for the exception to the annual notice.
 It also removed from the rules the alternative delivery exception that was originally added in 2015 similar to the CFPB’s own updates to Regulation P.