Over two and a half years after the privacy laws were amended by Congress, the CFPB has finalized the revisions to Regulation P. This final rule mainly affects financial institutions that do not share nonpublic information with third parties; financial institutions that do share information will see few changes to their existing practices. The final rule was released on August 10, 2018 and will become effective 30 days after publication in the Federal Register.
This rule does four main things:
Finalizes the exemption from the annual notice requirements for financial institutions who don’t share nonpublic information.
Provides timing requirements for sending the annual notice for institutions who previously qualified for the exemption.
Removes the “alternative delivery” option from the rule.
Makes a technical change to a definition found in the regulation.
Annual Privacy Notice Exemption for Institutions Who Don’t Share
The first change in the final rule amends Regulation P to align with the December 2015 law found in the Fixing America’s Surface Transportation Act (FAST Act). That law added a new subsection 503(f) to the Gramm-Leach-Bliley Act (GLBA), which provides an exception under which certain financial institutions - such as those that do not share nonpublic personally identifiable information with third parties - are not required to provide an annual privacy notice to customers. The amendment to Regulation P aligns with this FAST Act change, which was technically effective in December of 2015.
In order to qualify for the new exemption in 503(f) of GLBA, a financial institution must meet two conditions. First, the financial institution may only provide nonpublic personal information in accordance with the exceptions found in the GLBA rules. In other words, it cannot share nonpublic information with nonaffiliated third parties. The second condition is that the financial institution must not have changed its “policies and practices with regard to disclosing nonpublic personal information” from the policies and practices that were disclosed in the most recent notice sent to consumers. It is important to note that not every change to a financial institution’s privacy policy will keep it from qualifying for the exemption. Specifically, the “policies and practices” in question are limited to those that would be disclosed under items 2 through 5 and item 9 of 1016.6(a). This means that changes to only items 1 (information collection) and 8 (confidentiality and security) will not trigger an annual disclosure requirement.
Annual Privacy Notice Timing Requirements for Institutions Who Previously Were Exempt
The second change to Regulation P adds timing requirements for delivery of annual privacy notices in the event that a financial institution that originally qualified for the annual notice exception later changes its policies or practices in such a way that it no longer qualifies. The new timing requirements are fairly complex, but basically provide two options: to provide an annual privacy notice reflecting the changes 1) before the changes are made (for financial institutions that make policy/procedure changes and also lose the exemption going forward) or 2) within 100 calendar days of the change (when a financial institution changes its policies/procedures but does not lose the exemption going forward). Because the rules are complex, financial institutions looking to make a change that would trigger the loss of the exemption should review them in detail. The Bureau provided several examples to assist financial institutions in understanding the timing requirements for delivering an annual notice when they were previously exempt.
Removal of the “Alternative Delivery” Exemption from the Annual Privacy Notice
The next change the CFPB made to Regulation P was to remove the provision that allowed an alternative delivery method (i.e., website delivery) for the annual privacy notice. The Bureau states that this alternative delivery method will essentially be irrelevant and no longer used, given the exception that now allows applicable financial institutions to forgo the annual privacy notice altogether.
To implement this change, the CFPB removed section 1016.9(c)(2) in its entirety. This means that the following requirements of the alternative delivery option no longer apply: 1) the requirement to provide notice of the annual privacy notice on a periodic statement (or other document, such as a coupon book); 2) the requirement to post the current privacy policy on the financial institution’s website; and 3) the requirement to provide the privacy notice within 10 days after a customer requests a copy by telephone. The preamble to the final rule makes it clear, however, that if a financial institution continues the activities required by the alternative delivery option - such as posting the notice on the website, notifying customers of the availability of the notice, and providing it upon request - such activities are permitted and do not cause a financial institution to lose its exemption under the revised rules.
Technical Correction to a Definition in Regulation P
The final change to Regulation P in the final rule is a technical correction to one of the definitions found in the rule. The definition being amended is “You,” as found in 1016.3(s)(1). The definition previously included both financial institutions and “other persons for which the Bureau has rulemaking authority…” The final rule limits “You” to financial institutions and removes the “other persons” language. The bottom line is that this change will not affect financial institutions, which are clearly covered by this rule.
Timing Requirements for the Regulation P Amendments
The preamble to the final rule makes it clear that the statutory exemption to the annual notice requirement was effective when the law changed in December of 2015. The amendments to Regulation P, however, will be effective 30 days from the date of publication in the Federal Register.
The August 10, 2018 release from the CFPB can be found here.
The full final rule can be found here.