WASHINGTON – The CFPB has proposed to implement recent Congressional legislation that exempts financial institutions meeting certain requirements from sending annual privacy notices to their customers.
The Gramm-Leach-Bliley Act (GLBA) generally requires that financial institutions send annual privacy notices to customers. These notices must describe whether and how the financial institution shares customers’ nonpublic personal information. If the institution shares this information with unaffiliated third parties in ways other than specified by the statute, the institution typically must notify customers of their right to opt out of sharing and inform them of how to do so, the CFPB explained.
In December 2015, Congress amended the GLBA as part of the Fixing America’s Surface Transportation Act (FAST Act).
“This amendment provides financial institutions that meet certain conditions an exemption to the requirement under the GLBA to deliver an annual privacy notice. A financial institution can use the annual notice exception if it limits its sharing of customer information so that the customer does not have the right to opt out and has not changed its privacy notice from the one previously delivered to its customer,” the CFPB said.
The proposed amendment would implement this legislation. The proposal would also establish deadlines for institutions to resume annual privacy notices if their practices change and they cease to qualify for the exemption.
In 2014, the CFPB amended the federal regulation that implements the GLBA to establish an alternative delivery method for annual privacy notices. This enabled companies that limit sharing of their customers’ information and meet other requirements to post annual privacy notices online rather than delivering them to customers individually.
“Under today’s proposal, any financial institution that meets the criteria for this alternative delivery method would also meet the requirements for the new annual notice exception. In light of this, the Bureau is proposing today to also remove the alternative delivery method,” the CFPB said.
NAFCU welcomed the CFPB proposal, saying the trade association has long sought the change.
“We appreciated CFPB’s assurance in January that it would follow the spirit of this statutory change, but today’s proposal is a step in the right direction toward streamlining and providing credit unions clarity on their privacy notification obligations,” said NAFCU Director of Regulatory Affairs Alexander Monterrubio. “NAFCU will continue to evaluate the proposal and work closely with the Bureau during the rulemaking process. We also continue to urge the Bureau to more effectively exercise its authority under Section 1022 of the Dodd-Frank Act to exempt credit unions from its rules.”
The proposed amendment to the rule is available here.
