CFPB Final Rule Codifies Legal Exemption for Annual Privacy Notice Requirements

The Consumer Financial Protection Bureau today issued its long-awaited final rule amending Regulation P to incorporate a new legal exception to the requirement for banks to send annual privacy notices to their customers. Under a law passed by Congress in 2015, banks are no longer required to send an annual privacy notice if they have not changed their policies and practices about how they share customer information since the previous notice was sent, provided they only share nonpublic personal information with third parties as permitted by one of the statutory or regulatory exceptions.

While the statutory provisions took effect on enactment, today’s final rule formally codifies that change in regulation, resolving lingering confusion about compliance. The final rule also establishes deadlines for resuming annual privacy notices in the event that an institution no longer qualifies for an exemption; under the rule, banks that change their privacy policies and procedures and lose the exemption have 100 days to provide customers with an updated copy of the notice. Additionally, the CFPB removed a provision of Reg P that allows for use of an alternative delivery method, noting that the alternative delivery method created by the bureau will likely no longer be necessary as a result of the annual notice exception.

The American Bankers Association has long advocated for changes that would streamline regulatory requirements around the timing and delivery of privacy notices and provided comments to the bureau throughout the rulemaking process.