On August 10, 2018, the Consumer Financial Protection Bureau (CFPB) issued a final rule adopting changes to Regulation P to bring the regulation into conformity with its authorizing statute, the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq. (GLBA). The rule, which was enacted to reduce regulatory burden on financial institutions covered by the GLBA, also provides new clarity on when and how institutions that lose their exempted status under the rule should resume making the borrower notifications the rule requires.
The GLBA and Regulation P require financial institutions to provide consumers with notices describing whether and how the institutions share consumers’ nonpublic personal information with other entities, and how the institutions protect such information that they collect and maintain. Institutions are required to provide an initial notice when a consumer relationship is established, and generally are required to provide annual notices to consumers thereafter.
On December 4, 2015, Congress enacted a new section of the GLBA, section 503(f), which provides that an institution is not required to provide customers with annual notices if (1) the institution only discloses consumer information under certain circumstances which do not trigger consumer opt-out rights (and which would require disclosure to consumers), and (2) the institution has not changed its policies and practices concerning disclosing consumer information since its most recent notice sent to consumers. The CFPB proposed amendments to Regulation P to align the regulation with this new statutory exception in July 2016, and it issued the final rule, largely adopting the rule as proposed, on August 10, 2018.
In addition to providing the changes required by the GLBA amendment, the final rule sets out timing requirements for the delivery of annual privacy notices if an institution that had not been providing annual notices under the new exception later changes its policies and practices in a way that makes it ineligible for the exception. First, for changes in policy or practice that trigger an obligation to send a revised notice prior to the change (i.e., before the institution shares nonpublic personal consumer information with nonaffiliated third parties if the sharing would differ from what had been described in the initial notice), the institution must provide that revised notice and then resume regular delivery of annual notices as the general delivery rules require. 12 CFR § 1016.5(e)(2)(i). Second, for changes in policy or practice that cause a financial institution to lose its notice exception but that do not trigger the obligation to provide a revised notice, the institution must provide the annual notice within 100 days of the change. 12 CFR § 1016.5(e)(2)(ii).
Finally, the amendment to Regulation P removes the provision allowing for alternative delivery of annual privacy notices by posting a copy of the annual notice on the institution’s website under certain circumstances. The conditions under which the alternative delivery method could be used partially overlap with the conditions that now qualify institutions not to have to provide annual notices at all, so the CFPB believes that, given the new exception to the annual notice requirement, the prior alternative delivery method would no longer be used.
The final rule’s amendments of Regulation P were widely expected and largely uncontroversial. All the same, financial institutions should review the rule to take advantage of the new notice exception and to ensure that their processes comply with the other minor changes included in the amendment.