Are Banks Required to Post Privacy Notices on Their Websites?

By Leslie Callaway, CRCM, CAFP; Mark Kruhm, CRCM, CAFP; and Rhonda Castaneda, CRCM

Q Are banks required to post their privacy notices on their websites?


A No. Until recently, banks could post their privacy notices as the “alternative delivery method” to mailing or otherwise providing the annual privacy notice.

In late 2015, Congress amended the Gramm-Leach-Bliley Act to eliminate the requirement to provide an annual privacy notice as long as (1) the bank only shares information on the limited basis as delineated in the statutory and regulatory exceptions (e.g., for processing consumer requested transactions, complying with a consumer’s request, protecting against fraud etc.), and (2) there were no changes in the bank’s privacy notice since it provided the last notice.
As a result, the Consumer Financial Protection Bureau revised Regulation P and eliminated the alternative delivery method for providing the annual privacy notice, thus eliminating the need to post that notice on the bank’s website.

However, while banks are not required to post their privacy notice on their website, they are encouraged to do so. Moreover, where the bank has agreed with certain customers to provide statements and other information through the bank’s website, posting the privacy notice is one way to deliver the privacy notice to those customers. (Response provided Nov. 2018.)

• • •

Q The Military Lending Act regulation §232.8(e) prohibits using postdated checks or generating remotely created checks. If a servicemember borrower has forgotten to make a payment and calls the bank to authorize a one-time payment, may the bank create a remotely created check?

A No. The answer to Question 18 of the December 2017 revised interpretive rule provides that lenders may not create remotely created checks to collect payments on covered credit. The Department of Defense rejected ABA’s request in its comment letter to allow servicemembers that option.
However, servicemember borrowers may authorize electronic payments, both one-time and recurring, provided that the lender complies with other laws, including the Electronic Fund Transfer Act and Regulation E. (Response provided Nov. 2018.)

• • •

Q What are the Home Mortgage Disclosure Act lobby signage requirements for a bank located in a metropolitan statistical area but not required to report because it did not originate enough covered loans?

A The bank is not obligated to post the HMDA notice under these circumstances. Section 1003.5(e) of Regulation C provides that a “financial institution” must post the HMDA notice in the home office and each branch located within a MSA (or metropolitan division). The term “financial institution” is limited to institutions that originated at least 25 non-excluded closed-end mortgage loans and at least 500 non-excluded open-end lines of credit in each of the two preceding calendar years. Therefore, if a bank does not meet the definition of “financial institution” due, for example, to the origination test, it is not required to post the notice. However, it appears that there is no prohibition against posting the HMDA notice even though it is not technically required. (Response provided Nov. 2018.)

Answers are provided by Leslie Callaway, CRCM, CAFP, director of compliance outreach and development; Mark Kruhm, CRCM, CAFP, senior compliance analyst; and Rhonda Castaneda, CRCM, senior compliance analyst, ABA Center for Regulatory Compliance. Answers do not provide, nor are they intended to substitute for, professional legal advice. Answers were current as of the response date shown at the end of each item.