As the current privacy policy model form used as the safe harbor under Regulation P has been around for nearly a decade now, it is easy to assume that all the kinks in implementing that model form have been worked out and that your privacy policy is in compliance. While this is the case most of the time, sometimes certain things get lost over time.
When the rules for the current privacy policy model form first became available, most institutions went to extreme efforts to comply with the rules (as should be the case). The problem is that, over time, some of those diligent efforts may have been lost as financial institutions have updated the platforms that generate their privacy notices. Other times, financial institutions have changed their privacy practices and thus had to create a new notice. (NOTE: Changes to your privacy notice may trigger a disclosure to customers based on the recent Regulation P amendments.)
Whatever the reason for creating a new privacy notice, we have seen a few issues relating to the technical requirements when using the privacy policy model form.
For example, the instructions for completing the privacy policy require that the customized space each financial institution must complete, below the responses to the three definitions on page two of the privacy policy, be in italics.
Yes, italics.
Specifically, the bullet points in the right column of the “Definitions” section of page 2 of the privacy policy must be listed in italicized lettering. The rules explain that the italicized lettering (which describes the financial institution's practices) helps to set this information apart from the standardized definitions.
In fact, the rule states this:
(b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.
Of course, this is a very, very low-risk issue, but it is something that should be easy to get right. In fact, while writing this article I decided to pull up a few privacy policies from community banks in my state to see if the applicable sentences in the privacy policy were listed in italics. Believe it or not, the very first one I pulled up was wrong.
So, you might just want to double-check your privacy policy to make sure the bullets in the “Definitions” section of page 2 are listed in italics.
Now, the real question is whether or not updating the privacy policy to include italics is considered a change to the institution's “policy or procedures” which would require a new privacy policy to be delivered to all customers. Fortunately, the answer is no - this change would not require an updated privacy policy to be sent to all customers.
The full instructions for completing the privacy policy can be found here: