I understand that a new law has impacted my bank’s annual notice requirements under the privacy law. Where can I find that information?
A: On Dec. 4, President Obama signed the Fixing America’s Surface Transportation Act. Included in the legislation—now Public Law No: 114-94—is Title 75, which creates a new exception to the annual privacy notice requirement under the Gramm-Leach-Bliley Act of 1999 (GLBA).Q: To what part of the GLBA does the FAST Act apply?
A: It applies to the requirement to send annual privacy notices to your customers. It does not affect the initial notice requirements under the GLBA or the regulation.
Q: When can I stop sending my annual privacy notices?
A: The FAST Act was signed on Dec. 4, 2015. This provision was effective immediately upon signing.
Q: Under what circumstances can I forego sending my annual privacy notice?
A: In order to take advantage of the change, your bank must meet two conditions. First, your financial institution must not have changed its policies and practices with respect to the disclosure of nonpublic personal information since its most recent privacy notice to customers. Second, your financial institution must only share information under one of the existing statutory or regulatory exceptions listed in §§1016.12-15 of Regulation P.
Q: Are there any customer notification requirements, such as the one mandated by the Consumer Financial Protection Bureau’s alternative delivery system? A: No.
Q: What is the difference between the CFPB’s 2014 regulatory changes regarding the alternative delivery system and the FAST Act provisions? A: Last year, the CFPB issued an amendment to the regulations that allowed a financial institution to post its privacy disclosure notice on its website once a series of conditions had been met. The regulatory change did not eliminate the requirement to provide an annual notice. Instead, the Bureau’s rule was an alternative way to deliver that notice.
The FAST Act, which is a simpler approach that ABA has long supported, eliminates the requirement to send annual privacy notices as long as two simple conditions are met. Under the FAST Act, if you haven’t changed your information sharing and you only share under one of the existing exceptions (see page 50), no notice at all must be delivered. Essentially, the FAST Act has made the Bureau’s alternative delivery mechanism no longer necessary.
Q: Regulation P still states that the annual notice is required. Will I be cited by my regulator if I stop sending my annual notices? A: Current regulations have not yet been amended and no guidance has been issued by the regulatory agencies. If a financial institution satisfies the two conditions in the FAST Act, it can elect not to send the annual notice. Technically, this does not comply with current regulations, but it is difficult to imagine an examiner citing the bank for a regulatory violation when the regulation is inconsistent with the law.
Q: The privacy notice contains information about my sharing practices with my affiliates. Did that change as well? A: While the law changes the annual notice requirement under GLBA, the FAST Act did not change the provisions that apply to information sharing with affiliates. Those disclosures are subject to the provisions of a different statute, the Fair Credit Reporting Act (FCRA).
Q: Which sections of the FCRA will impact my bank’s notice requirements?
A: There are two sections of the FCRA that impact information sharing with affiliates that are currently disclosed as part of the GLBA privacy notice. FCRA section 603 allows a financial institution to share a customer’s transaction and experience information with an affiliate in any instance and the customer does not have the right to opt out from that information sharing. Section 603 also allows an affiliate to share other customer information, including information about credit-worthiness, with another affiliate but only if the consumer is given notice and an opportunity to opt out.
FCRA Section 624 allows an affiliate to use the information it has obtained from another affiliate within the corporate family for marketing purposes only if the customer has been provided with a clear, conspicuous and concise notice and an opportunity to opt out from the sharing. Once a customer has elected against information sharing for marketing purposes, that election must be honored for five years.
Q: I share information with my affiliates that require an opt-out. Can I still take advantage of the new FAST Act provisions and forego my annual notice mailing? A: FCRA does not require an annual notice. The current model forms used to provide notice to consumers combine the GLBA and FCRA notices. If a bank used the model forms to provide the most recent annual notice, it has met the requirements under FCRA.
Since the FCRA notice on affiliate sharing is not subject to an annual requirement, the question is whether the most recent privacy notice section on affiliate sharing would be sufficient. It appears that it would, since it meets all current expectations.
Q: If I do not currently share with my affiliates and decide to do so in the future, must I send my annual privacy notice to my customers?
A: You can revise your privacy notice and send a new annual notice, or you can ensure that your customers are provided with a separate FCRA notice that informs them of your affiliate sharing practices and allows them the opportunity to opt out. Either way, you have to provide something.
Since the notice requirements of the two statutes are now separate, policies and procedures should be reviewed to be certain that the standards for meeting the notice and opt-out for affiliates are still in compliance. This would include a mechanism to ensure notice and an opportunity to opt out is provided to customers if and when information sharing with affiliates should change.
The sharing “exceptions” let financial institutions share information without notifying customers, or, in some cases, without providing customers an opportunity to opt-out from that information sharing. The current exceptions that permit a financial institution to share information without notice or without notice and opt-out right can be found at 12 CFR 1016.13, 1016.14 and 1016.15.
Section 1016.13 lets a financial institution share non-public personal information with a nonaffiliated third party, but it does require the customer be provided notice that information will be shared. However, the customer does not have the right to opt-out from the information sharing. This exception applies to information shared so that the third-party can perform services for the financial institution. This exception also applies to joint marketing agreements to market financial products and services, such as credit cards, annuities and insurance.
Sections 1016.14 and 1016.15 also create exceptions from the general prohibition against information sharing. Under these exceptions, non-public personal information can be shared without notice, and the consumer does not have the right to opt-out. These exceptions permit nonpublic personal information to be shared: to process transactions requested by the consumer; to effect, administer or enforce a transaction; with the consent of the consumer; to protect the confidentiality of records, to protect against fraud, to resolve customer disputes, or to persons holding a beneficial interest relating to the consumer or to persons acting on behalf of the consumer; to provide information to insurance rate advisory organizations, rating agencies, persons assessing the financial institution’s compliance with industry standards or the financial institution’s attorneys, accountants and auditors; to the extent specifically permitted by law; to a consumer reporting agency (credit bureau); in connection with a proposed or actual sale or merger of the financial institution; to comply with federal, state or local laws, properly authorized subpoenas or other official agencies with authority over the institution, such as regulatory examiners.
Answers are provided by Leslie Callaway, CRCM, director of compliance outreach and development, and Robert Rowe, VP and associate chief counsel, ABA Center for Regulatory Compliance. This information does not provide, nor is it intended to substitute for, professional legal advice.
