Over two and a half years after the privacy laws were amended by Congress, the CFPB has finalized the revisions to Regulation P. This final rule affects financial institutions that do not share nonpublic information with third parties, though financial institutions that do share information will see few changes to their existing practices. The final rule was released on August 10, 2018 and will become effective 30 days after publication in the Federal Register.
This rule does four main things:
Finalizes the exemption from the annual notice requirements for financial institutions who don’t share nonpublic information.
Provides timing requirements for sending the annual notice for institutions who previously qualified for the exemption.
Removes the “alternative delivery” option from the rule.
Makes a technical change to a definition found in the regulation.
Annual Privacy Notice Exemption for Institutions Who Don’t Share
The first change in the final rule amends Regulation P to align with the December 2015 law found in the Fixing America’s Surface Transportation Act (FAST Act). The amendment in this law added a new subsection 503(f) to the Gramm-Leach-Bliley Act (GLBA) rules, which provides an exception where certain financial institutions - such as those who do not share nonpublic personally identifiable information with third parties - are not required to provide an annual privacy notice to customers. This amendment aligns with the law change found in the FAST Act, and was technically effective in December of 2015.
Annual Privacy Notice Timing Requirements for Institutions Who Previously Were Exempt
The second change to Regulation P is an addition of timing requirements for delivery of annual privacy notices in the event that a financial institution that originally qualified for the annual notice exception later changes its policies or practices in such a way that it no longer qualifies for the exception. The new timing requirements basically provide two options: to either provide an annual privacy notice reflecting changes 1) before the changes are made (for financial institutions who make policy/procedure changes and also lose the exemption going forward) or 2) within 100 calendar days of the change (when a financial institution changes its policy/procedures, but does not lose the exemption going forward). The rules are fairly complex on the surface, so financial institutions looking to make a change that would trigger the loss of the exemption should review the rules in detail. The Bureau provided several examples to assist financial institutions in understanding the timing requirements for delivering an annual notice when they were previously exempt.
Removal of the “Alternative Delivery” Exemption from the Annual Privacy Notice
The next change the CFPB made to Regulation P was to remove the provision that allows for an alternative delivery method (i.e., website delivery) for the annual privacy notice. The Bureau states that this alternative delivery method will essentially be irrelevant and no longer used due to the exception that now allows applicable financial institutions to forgo the annual privacy notice altogether.
Technical Correction to a Definition in Regulation P
The final change to Regulation P in the final rule is a technical correction to one of the definitions found in the rule. The definition being amended is “You”, as found in 1016.3(s)(1). The definition previously included both financial institutions and “other persons for which the Bureau has rulemaking authority…” The final rule limits “You” to financial institutions and removes the language of “other persons.” The bottom line with this change is that it will not apply to financial institutions who are clearly covered by this rule.
Timing Requirements for the Regulation P Amendments
The preamble to the final rule makes it clear that the statutory exemption to the annual notice requirement was effective when the law changed in December of 2015. The amendments to Regulation P, however, will be effective 30 days from the date of publication in the Federal Register.