LENDERS COMPLIANCE GROUP®


Thursday, February 17, 2022

Annual Privacy Disclosure Rules

QUESTION 

As a result of a banking examination, we found out that we failed to provide an annual privacy disclosure on our portfolio loans. These are closed-end, portfolio loans that we do not sell to the secondary market. 

We thought our privacy policy made sure this would not happen. That said, the regulator was not particularly thrilled with our privacy policy. 

In updating the policy, we would like some guidance to consider for the section devoted to the annual disclosure. 

What are some aspects of the annual privacy disclosure that are important to include in our policy? 

ANSWER 

As I have said multiple times, a policy is useless if not implemented. And if it is implemented but not monitored, it’s also meaningless. Just because you have a policy does not mean you have taken the appropriate compliance actions needed to both implement and monitor the requirements thereunder. A policy bereft of implementation and monitoring is no more than dysfunctional pontification. So, understand, even if you claim to be implementing, you must also be monitoring. 

Under the applicable regulations,[i] an institution must provide a disclosure of its privacy policy at least annually during the continuation of the customer relationship. 

An institution may define the 12-consecutive-month period however it wants, but the institution must apply it to the customer on a consistent basis. Consistency matters, and it will be determined in a banking examination. 

By “annually” is meant at least once in any period of 12 consecutive months during which that relationship exists. An institution is required to provide the annual disclosure only during the term of the customer relationship with the consumer and is not required to provide an annual notice to a customer with whom the institution no longer has a continuing relationship. 

So, when does a consumer no longer have a continuing relationship with an institution? When any of the following situations occur: 

· In the case of a deposit, share, or share draft account, the account is considered inactive (i.e., dormant) under the institution’s rules. (Any state law test for dormancy does not apply in this situation; only the state law policy is used.)

· In the case of a closed-end loan, the consumer pays the loan in full, the institution charges off the loan, or the institution sells the loan without retaining servicing rights or transfers the servicing rights.

· In the case of a credit card relationship or other open-end credit relationship, the institution no longer provides any statements or notices to the consumer concerning that relationship, or the institution sells the credit card receivables without retaining servicing rights.

· For other types of relationships, the institution has not communicated with the consumer about the relationship for a period of 12 consecutive months, other than to provide annual notices of privacy policies and practices or other promotional materials. Therefore, the fact that the institution continues to send the consumer promotional material will not require that a privacy policy be sent annually if there is no communication with the customer about the customer relationship.

· In the case of a credit union, an individual is no longer a member as defined in its bylaws.

And, of course, this is regulatory compliance, so there may be exceptions! For instance, you are not required to deliver an annual privacy notice if you: 

· Provide nonpublic personal information to non-affiliated third parties only under the exceptions in these regulations:[ii]

  o Exception to opt-out requirements for service providers and joint marketing [12 CFR § 1016.13];

  o Exceptions to notice and opt-out requirements for processing and servicing transactions [12 CFR § 1016.14]; and

  o Other exceptions to notice and opt-out requirements [12 CFR § 1016.15].

· Have not changed your policies and practices with respect to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under certain sections of 12 CFR § 1016.6 (Information to be included in Privacy Notices), specifically sections 1016.6(a)(2) through (5) and (9),[iii] since your most recent initial privacy notice provided to customers.

Now, if you change your policies or practices so that you no longer meet the requirements for the exception, you must comply with one of the following, as applicable: 

· Changes that required a revised privacy notice.

If you no longer meet the requirements for the exception, and the change required you to issue a revised privacy notice under section 1016.8 of Regulation P (Revised Privacy Notices), you must provide an annual privacy notice by treating the date of the revised privacy notice as the initial privacy notice date. 

· Changes not preceded by a revised privacy notice.

If you no longer meet the requirements for the exception, but you are not required to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirements of the exception. 

I realize this seems confusing. So, here’s an example. Let’s say you change your policies and practices in such a way that you no longer meet the requirements for the exception effective April 1 of year 1. Assuming you define the 12-consecutive-month annual notice period as a calendar year, if you were required to provide a revised privacy notice under section 1016.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under section 1016.8, you must provide an annual privacy notice by July 9 of year 1. 

Your procedures should also cover the case in which you change your policies and practices so that you no longer meet the requirements for the exception and therefore provide an annual notice to your customers. After providing that annual notice, you once again meet the requirements for the exception to the annual notice requirement. You do not need to provide additional annual notices to your customers until such time as you again no longer meet the requirements for the exception.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group


[i] 12 CFR § 1016.5

[ii] See Title 12 - Banks and Banking, Chapter X, Bureau of Consumer Financial Protection, Part 1016, Privacy of Consumer Financial Information (Regulation P), Subpart C - Exceptions

[iii] See subsections (2) The categories of nonpublic personal information that you disclose; (3) the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those parties to whom you disclose information under §§ 1016.14 and 1016.15; (4) the categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under § 1016.14 and § 1016.15; (5) if you disclose nonpublic personal information to a nonaffiliated third party under § 1016.13 (and no other exception in § 1016.14 or § 1016.15 applies to that disclosure), a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted; (9) any disclosure that you make under § 1016.6(b) (regarding a description of nonaffiliated third parties subject to exceptions).

Thursday, August 30, 2018

Regulation P’s Revision


QUESTION
We have read that the CFPB recently issued final rule revisions for Regulation P. What we need to know is what happened. So, what was the revision? Are there new disclosures? Is there an effective date, and, if so, when?

ANSWER
Regarding the subject inquiry, I am going to answer as clearly as I can – hopefully not too wonkishly! – however, some background is needed for this explication. The revision you refer to is the CFPB’s amendment to Regulation P to include an exception to the annual privacy notice obligation set forth in the Gramm-Leach-Bliley Act (GLBA). The issuance date was August 17, 2018, and the effective compliance date is September 17, 2018.

You would need to go back almost three years, to when the Fixing America’s Surface Transportation Act (FAST Act or FAST) amended the GLBA to provide for such an exception.[1] So, in actuality, the amendment is simply the CFPB now ensuring that Regulation P is consistent with the GLBA, as amended. I would note that although the effective compliance date is September 17, 2018, FAST’s amendment has already been in effect. Therefore, financial institutions have been able to rely on the GLBA’s statutory exception to the annual notice obligation.

Now to dive into requirements of the notice itself. Under the GLBA, a financial institution must provide each consumer customer with an annual notice of its privacy policies and practices over the course of its relationship with the customer.[2] FAST amended the GLBA to provide an exception to the annual privacy notice requirement for financial institutions that satisfy two conditions; specifically, a financial institution is not required to provide an annual privacy notice to its customers if:

(1) the institution shares nonpublic personal information (NPI) about customers with nonaffiliated third parties only to the extent permitted by exceptions in the GLBA or Regulation P (i.e., the financial institution is not required to provide an opt out for sharing with nonaffiliated third parties), and

(2) the financial institution has not changed its policies and practices with respect to disclosing NPI from those described in the most recent privacy notice sent to customers.

Which brings us to Regulation P. In July 2016, the CFPB published its Proposed Rule to amend Regulation P to implement the FAST exception to the annual notice requirement. The CFPB has now adopted that proposal, largely as originally proposed.

Specifically, the Final Rule provides that a financial institution will not be required to deliver an annual privacy notice if:

(1) the institution discloses NPI only in accordance with the Regulation P exceptions, and

(2) the institution has not changed its disclosure policies and practices since the most recent privacy notice sent to customers.[3]

The Final Rule goes beyond FAST in the sense that it provides additional details surrounding when a financial institution that no longer qualifies for an exception must resume providing annual notices. Under the Final Rule, if a financial institution changes its policies in such a way that it is required to provide customers with a revised privacy notice (and no longer qualifies for the exception),[4] the financial institution will then be required to resume providing an annual notice thereafter (i.e., treating the revised notice as an initial notice).[5]

If the financial institution changes its policies but is not required to provide a revised privacy notice (despite the fact that it no longer qualifies for the exception), the financial institution will be required to deliver the annual notice within 100 calendar days after the change.[6]

The Final Rule eliminates the prior alternative delivery method for annual privacy notices that had been set forth in Regulation P.[7]

Your inquiry did not state whether you are a bank or non-bank, and it did not mention your primary regulator. So, take note of this caveat: financial institutions seeking to rely on the exception to the annual notice requirement should still consider the extent to which they are subject to state privacy laws that would continue to impose an annual notice obligation or that would impose additional conditions on the availability of the exception.

To illustrate my point, I could go state by state, but, as an example, Vermont amended its financial privacy rules in March of this year to include an exception similar to the FAST Act.[8] Indeed, the Vermont rules impose additional conditions on the availability of the exception, including that a financial institution does not disclose information to affiliates in a manner that would require an opt in under the Vermont Fair Credit Reporting Act, and that the financial institution posts its current privacy notice continuously and in a clear and conspicuous manner on a page of its website on which the only content is the privacy notice.

Obviously, this is a regulatory mandate that requires very careful implementation protocol. If you need assistance in understanding the requirements and/or guidance in procedures relating to Regulation P, please contact us.

Managing Director
Lenders Compliance Group


[1] Pub. L. No. 114-94, 129 Stat 1312 (2015)
[2] 12 CFR § 1016.5(a)(1)
[3] To be codified at 12 CFR § 1016.5(e)(1)
[4] 12 CFR § 1016.8
[5] To be codified at 12 CFR § 1016.5(e)(2)(i)
[6] To be codified at 12 CFR § 1016.5(e)(2)(ii)
[7] This alternative took effect in October 2015, but provided little practical utility to financial institutions, particularly following the enactment of the FAST Act. The CFPB stated in the supplementary information accompanying the Final Rule that it removed the alternative delivery method because it believes it “will no longer be used in light of the annual notice exception,” as an institution that satisfied the conditions to use the alternative delivery method will now qualify for the exception to the annual notice.
[8] Vermont also removed from its rules the alternative delivery exception that was originally added in 2015, mirroring the CFPB’s own update to Regulation P.