Thursday, February 17, 2022

Annual Privacy Disclosure Rules

QUESTION 

As a result of a banking examination, we found out that we failed to provide an annual privacy disclosure on our portfolio loans. These are closed-end, portfolio loans that we do not sell to the secondary market. 

We thought our privacy policy made sure this would not happen. That said, the regulator was not particularly thrilled with our privacy policy. 

In updating the policy, we would like some guidance to consider for the section devoted to the annual disclosure. 

What are some aspects of the annual privacy disclosure that are important to include in our policy? 

ANSWER 

As I have said multiple times, a policy is useless if not implemented. And if it is implemented but not monitored, it’s also meaningless. Just because you have a policy does not mean you have taken the appropriate compliance actions needed to both implement and monitor the requirements thereunder. A policy bereft of implementation and monitoring is no more than dysfunctional pontification. So, understand, even if you claim to be implementing, you must also be monitoring. 

Under the applicable regulations,[i] an institution must provide a disclosure of its privacy policy at least annually during the continuation of the customer relationship. 

An institution may define the 12-consecutive-month period however it wants, but the institution must apply it to the customer on a consistent basis. Consistency matters, and it will be determined in a banking examination. 

“Annually” means at least once in any period of 12 consecutive months during which that relationship exists. An institution is required to provide the annual disclosure only during the term of the customer relationship with the consumer and is not required to provide an annual notice to a customer with whom the institution no longer has a continuing relationship.

So, when does a consumer no longer have a continuing relationship with an institution? When any of the following situations occurs:

- In the case of a deposit, share, or share draft account, the account is considered inactive (i.e., dormant) under the institution’s rules. (Any state law test for dormancy does not apply in this situation; only the state law policy is used.)

- In the case of a closed-end loan, the consumer pays the loan in full, the institution charges off the loan, or the institution sells the loan without retaining servicing rights or transfers the servicing rights.

- In the case of a credit card relationship or other open-end credit relationship, the institution no longer provides any statements or notices to the consumer concerning that relationship, or the institution sells the credit card receivables without retaining servicing rights.

- For other types of relationships, the institution has not communicated with the consumer about the relationship for a period of 12 consecutive months, other than to provide annual notices of privacy policies and practices or other promotional materials. Therefore, the fact that the institution continues to send the consumer promotional material will not require that a privacy policy be sent annually if there is no communication with the customer about the customer relationship.

- In the case of a credit union, an individual is no longer a member as defined in its bylaws.

And, of course, this is regulatory compliance, so there may be exceptions! For instance, you are not required to deliver an annual privacy notice if you: 

- Provide nonpublic personal information to non-affiliated third parties only under the exceptions in these regulations:[ii]

  - Exception to opt-out requirements for service providers and joint marketing [12 CFR § 1016.13];

  - Exceptions to notice and opt-out requirements for processing and servicing transactions [12 CFR § 1016.14]; and

  - Other exceptions to notice and opt-out requirements [12 CFR § 1016.15].

- Have not changed your policies and practices with respect to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under certain sections of 12 CFR § 1016.6 (Information to be included in Privacy Notices), specifically sections 1016.6(a)(2) through (5) and (9),[iii] since your most recent initial privacy notice provided to customers.

Now, if you change your policies or practices so that you no longer meet the requirements for the exception, you must comply with one of the following, as applicable: 

- Changes that required a revised privacy notice.

If you no longer meet the requirements for the exception, and the change required you to issue a revised privacy notice under section 1016.8 of Regulation P (Revised Privacy Notices), you must provide an annual privacy notice by treating the date of the revised privacy notice as the initial privacy notice date. 

- Changes not preceded by a revised privacy notice.

If you no longer meet the requirements for the exception, but you are not required to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirements of the exception. 

I realize this seems confusing. So, here’s an example. Let’s say you change your policies and practices in such a way that you no longer meet the requirements for the exception effective April 1 of year 1. Assuming you define the 12-consecutive-month annual notice period as a calendar year, if you were required to provide a revised privacy notice under section 1016.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under section 1016.8, you must provide an annual privacy notice by July 9 of year 1. 

Your procedures should also cover the case in which you change your policies and practices in such a way that you no longer meet the requirements for the exception and therefore provide an annual notice to your customers. After providing that annual notice, you once again meet the requirements for the exception to the annual notice requirement. You do not need to provide additional annual notices to your customers until such time as you again no longer meet the requirements for the exception.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group
[i] 12 CFR § 1016.5

[ii] See Title 12 - Banks and Banking, Chapter X, Bureau of Consumer Financial Protection, Part 1016, Privacy of Consumer Financial Information (Regulation P), Subpart C - Exceptions

[iii] See subsections (2) The categories of nonpublic personal information that you disclose; (3) the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those parties to whom you disclose information under §§ 1016.14 and 1016.15; (4) the categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under § 1016.14 and § 1016.15; (5) if you disclose nonpublic personal information to a nonaffiliated third party under § 1016.13 (and no other exception in § 1016.14 or § 1016.15 applies to that disclosure), a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted; (9) any disclosure that you make under § 1016.6(b) (regarding a description of nonaffiliated third parties subject to exceptions).