QUESTION
We have read that the CFPB recently issued final rule revisions for Regulation P. What we need to know is what happened. So, what was the revision? Are there new disclosures? Is there an effective date, and, if so, when?
ANSWER
Regarding the subject inquiry, I am going to answer as clearly as I can – hopefully not too wonkishly! – however, some background is needed for this explication. The revision you refer to is the CFPB’s amendment to Regulation P to include an exception to the annual privacy notice obligation set forth in the Gramm-Leach-Bliley Act (GLBA). The issuance date was August 17, 2018, and the effective compliance date is September 17, 2018.
You would need to go back almost three years ago, when the Fixing America’s Surface Transportation Act (FAST Act or FAST) amended the GLBA to provide for such an exception.[1] So, in actuality, the amendment is simply the CFPB ensuring now that Regulation P is consistent with the GLBA, as amended. I would note that although the effective compliance date is September 17, 2018, FAST’s amendment has been in effect. Therefore, financial institutions have been able to rely on the GLBA’s statutory exception to the annual notice obligation.
Now to dive into the requirements of the notice itself. Under the GLBA, a financial institution must provide each consumer customer with an annual notice of its privacy policies and practices over the course of its relationship with the customer.[2] FAST amended the GLBA to provide an exception to the annual privacy notice requirement for financial institutions that satisfy two conditions; specifically, a financial institution is not required to provide an annual privacy notice to its customers if:
(1) the institution shares nonpublic personal information (NPI) about customers with nonaffiliated third parties only to the extent permitted by exceptions in the GLBA or Regulation P (i.e., the financial institution is not required to provide an opt out for sharing with nonaffiliated third parties), and
(2) the financial institution has not changed its policies and practices with respect to disclosing NPI from those described in the most recent privacy notice sent to customers.
Which brings us to Regulation P. In July 2016, the CFPB published its Proposed Rule to amend Regulation P to implement the FAST exception to the annual notice requirement. The CFPB has now adopted the proposal, largely as originally proposed.
Specifically, the Final Rule provides that a financial institution will not be required to deliver an annual privacy notice if:
(1) the institution discloses NPI only in accordance with the Regulation P exceptions, and
(2) the institution has not changed its disclosure policies and practices since the most recent privacy notice sent to customers.[3]
The Final Rule goes beyond FAST in the sense that it provides additional details surrounding when a financial institution that no longer qualifies for an exception must resume providing annual notices. Under the Final Rule, if a financial institution changes its policies in such a way that it is required to provide customers with a revised privacy notice (and no longer qualifies for the exception),[4] the financial institution will then be required to resume providing an annual notice thereafter (i.e., treating the revised notice as an initial notice).[5]
If the financial institution changes its policies but is not required to provide a revised privacy notice (despite the fact that it no longer qualifies for the exception), the financial institution will be required to deliver the annual notice within 100 calendar days after the change.[6]
The Final Rule eliminates the prior alternative delivery method for annual privacy notices that had been set forth in Regulation P.[7]
Your inquiry did not state whether you are a bank or non-bank, and it did not mention your primary regulator. So, take note of this caveat: financial institutions seeking to rely on the exception to the annual notice requirement should still consider the extent to which they are subject to state privacy laws that would continue to impose an annual notice obligation or that would impose additional conditions on the availability of the exception.
To illustrate my point, I could go state by state, but, as an example, Vermont amended its financial privacy rules in March of this year to include an exception similar to the FAST Act’s.[8] Indeed, the Vermont rules impose additional conditions on the availability of the exception, including that the financial institution does not disclose information to affiliates in a manner that would require an opt in under the Vermont Fair Credit Reporting Act, and that the financial institution posts its current privacy notice continuously and in a clear and conspicuous manner on a page of its website on which the only content is the privacy notice.
Obviously, this is a regulatory mandate that requires a very careful implementation protocol. If you need assistance in understanding the requirements and/or guidance on procedures relating to Regulation P, please contact us.
Managing Director
Lenders Compliance Group
[1] Pub. L. No. 114-94, 129 Stat. 1312 (2015)
[2] 12 CFR § 1016.5(a)(1)
[3] To be codified at 12 CFR § 1016.5(e)(1)
[4] 12 CFR § 1016.8
[5] To be codified at 12 CFR § 1016.5(e)(2)(i)
[6] To be codified at 12 CFR § 1016.5(e)(2)(ii)
[7] This alternative took effect in October 2015, but provided little practical utility to financial institutions, particularly following the enactment of the FAST Act. The CFPB stated in the supplementary information accompanying the Final Rule that it removed the alternative delivery method because it believes it “will no longer be used in light of the annual notice exception,” as an institution that satisfied the conditions to use the alternative delivery method will now qualify for the exception to the annual notice.
[8] It also removed from the rules the alternative delivery exception that was originally added in 2015, similar to the CFPB’s own updates to Regulation P.