On August 9, 2018, the Bureau of Consumer Financial Protection (“CFPB”) issued a final rule implementing section 503(f) (15 USC § 6803(f)) of the Gramm-Leach-Bliley Act (“GLBA”), which provides an exception from the requirement to deliver an annual privacy notice to customers. The final rule also prescribes the timing requirement for the delivery of an annual privacy notice in the event a financial institution no longer meets the requirement for the exception. The final rule will become effective within 30 days after publication in the Federal Register.
The final rule adds section 1016.5(e) to Regulation P to govern the implementation of the exception from the requirement to deliver annual privacy notice. Specifically, section 1016.5(e)(1) clarifies that the exception from the requirement to deliver annual privacy notice applies if the financial institution: (i) discloses nonpublic personal information (“NPI”) to nonaffiliated third parties only in accordance with the exceptions specified in sections 1016.13 (relating to third party service providers and joint marketing arrangements), 1016.14 (relating to processing, maintaining or servicing financial products and services or securitizing, secondary market transactions of financial assets) or 1016.15 (general exceptions), and (ii) has not changed its privacy policies or practices regarding NPI that were most recently disclosed to the customer in accordance with section 1016.6(a)(2) through (5) and (9).
Section 1016.5(e)(2) prescribes the timing requirement for providing an annual privacy notice if the financial institution previously was excepted from the requirement but no longer meets the criteria for the exception. Under the new rule, the timing requirement for providing an annual privacy notice after the loss of the exception depends on whether the financial institution’s change of its NPI disclosure policies or practices triggers a requirement to provide a revised privacy notice to the customer under Regulation P. If the change in policies requires a revised disclosure, the delivery of the revised disclosure is treated like the delivery of an initial disclosure, and once that disclosure is made, an annual privacy notice would be required by the end of the 12-month period following the 12-month period in which the revised disclosure was provided. For example, if the financial institution defined the 12-month period as the calendar year and the revised disclosure was made in year 1 after losing the exception, as required by the regulation, the financial institution would have to provide the first annual privacy notice by December 31 of year 2.
If, on the other hand, the change in policies or practices did not trigger a requirement to provide a revised disclosure, the financial institution must provide an annual privacy notice to the customer within 100 days of the date of change in the policies or practices that caused it to lose eligibility for the exception.
Once the annual privacy notice is provided to the customer, the financial institution could again avail itself of the exception from the requirement to provide an annual privacy notice, if it meets the criteria in section 1016.5(e)(1).
Finally, the final rule revises the definition of “you” in Regulation P to mean only financial institutions for which the CFPB has rulemaking authority. It also removes the alternative delivery method provision in section 1016.9(c)(2) and renumbers section 1016.9(c)(1) as section 1016.9(c).
If you have any questions regarding this final rule, please reach out to our contact attorney.