2018 Regulation P Amendments
This Compliance Clip (video) discusses the August 2018 amendments to Regulation P. This final rule does four things and Adam provides a summary of the changes, including the exemption to sending the annual privacy notice from qualifying institutions. Those institutions who provide a privacy notice only because of the FCRA opt-out should pay particular attention to this video, as the new amendments provide relief to certain institutions. The video also discusses the timing requirements for institutions who lose their exemption due to a change in their privacy policy. In a rare "reference moment," Adam ends this video with one of his favorite quotes from "The Truman Show."
Read an executive summary of the 2018 Regulation P amendments here and find a link to the applicable banking regulations here.
The following is a transcript of this video:
"This Compliance Clip is going to focus on the 2018 amendments to Regulation P that were implemented by the CFPB in August of 2018. These changes, or amendments to Regulation P, do four main things.
First, they finalized an exemption to sending the annual privacy notice which technically took place, by law, in December of 2015. We will talk about that in a minute. These amendments also provide timing requirements for sending the annual privacy notice when an institution was previously able to use the new exemption to not send the notice. The third thing it does is that it removes the alternative delivery option from Regulation P that was previously there. The fourth thing that it does is to make a technical change to a definition found in Regulation P.
Let's take a look at each of these four changes.
The first change is that Regulation P has finalized the exemption that was found in the 2015 law, known as the FAST Act. This new exemption provides that financial institutions who do not share non-public financial information are not required to provide an annual privacy notice. Keep in mind that the initial privacy notice is still required, but the annual notice that used to be required every year is no longer required to be sent to customers if a financial institution does not share information.
In fact, there are two conditions to meet this exemption. The first condition is that the financial institution cannot share information which requires an opt-out under the Gramm-Leach-Bliley Act (GLBA). The second condition in utilizing this exemption is that the policies and practices of the financial institution in regards to privacy cannot have changed. This is actually quite in-depth because the rule is technically found in 1016.6(a), where it says that your policies and practices in 1016.6(a) items 2 through 5 and item 9 cannot have changed, but the information in items 1, 6, 7, and 8 could have changed - and not triggered a new annual notice. The bottom line is that if your financial institution is going to make changes to your privacy policy, you might have to send a new privacy policy to your customers if the changes affect 1016.6(a) items 2 through 5 and item 9. I understand that this is a little complicated for a quick video like this, but if you have a change in your privacy policy, keep that in mind.
The second change in the Regulation P amendments relates to timing requirements for financial institutions who were previously exempt and were not initially required to send the annual privacy notice. If an institution is initially exempt from Regulation P and the annual privacy notice delivery requirements because they didn't share information, but now changes their policy or practices, then there are some timing requirements for sending a new notice. In fact, there are two different requirements: 1) before the change is made and 2) within 100 days after making the change.
The first requirement is before changes are made. This requirement applies to financial institutions who are losing their exemption altogether. For example, if you are now going to be sharing non-public personally identifiable information, you now have to provide a new annual notice before you make those changes, because you have to give the consumers a chance to opt-out before you make those changes. The bottom line is that you have to send a new notice before the change when you make a change that now requires an opt-out notice for your customers.
The second timing requirement is within 100 days of the change. This 100-day requirement applies to financial institutions who are not losing their exemption long-term, but are changing their policies or practices in a way that triggers a one-time disclosure. I just talked about that 1016.6(a) section regarding policies and practices - if that is changing on your privacy policy and you're not technically losing the exemption long-term, you do have to send a one-time notice, but then you can maintain your exemption going forward. So, that is the second change: the timing requirements.
The third change to the Regulation P amendments relates to the removal of the alternative delivery exemption. This was an exemption that was implemented by the CFPB. It was implemented in 2014, and basically was the best they could do without a law change from Congress, where the CFPB was able to help provide some relief to banks, but it still required jumping through too many hoops. The bottom line is that the alternative delivery notice is no longer needed because this new exemption (found in the amendments) says you do not have to deliver an annual notice or do anything at all, where the alternative delivery notice required annual action from financial institutions. Therefore, the CFPB stated that all financial institutions will utilize the new exemption and nobody is going to utilize the alternative delivery option. Therefore, the alternative delivery exemption is being removed altogether from the rules.
The fourth and final change to the Regulation P amendments was a technical change to the definition of "you" in Regulation P. Long story short, the definition of "you" used to refer to both financial institutions and certain other institutions, but the amendments removed the other institutions so that the definition of "you" now only includes financial institutions. If you are a compliance person who does not work for a financial institution, you might want to take a look at this. I know I have some viewers who are in that case, so that might apply to you.
The effective date of this change is 30 days after the date of publication in the Federal Register. As of the date I'm recording this video, it has not yet been published in the Federal Register, but this really is not an issue for us since the FAST Act went into effect several years ago and we can go ahead and follow these rules right away."