On October 20, 2014, the Consumer Financial Protection Bureau (“CFPB”) announced that it had finalized a rule that alters the way that financial institutions provide privacy policies to their customers. Under the Gramm-Leach-Bliley Act of 1999 (“GLBA”) and its implementing Regulation P, financial institutions are required to provide their customers with initial and annual notices regarding their privacy policies. The financial institutions are further required to provide notice and an opportunity to opt out of information sharing where certain categories of customer information are shared with particular types of third parties. The Final Rule announced by the CFPB seeks to streamline the notification process by permitting financial institutions to post their privacy policies online, rather than providing paper copies annually, if the mandatory opt-out notifications are not required.
With the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2011, the CFPB was formed to centralize the rulemaking authority and enforcement of financial institutions. Under Dodd-Frank, the CFPB took over the rulemaking authority under the GLBA for all financial institutions, with the exception of securities and futures-related companies under the jurisdiction of the Securities and Exchange Commission and the Commodity Futures Trading Commission, and certain motor vehicle dealers under the jurisdiction of the Federal Trade Commission. Upon establishment, the CFPB inherited regulations from other federal agencies, and in December 2011 issued a Request for Information seeking comments and suggestions on opportunities for streamlining, particularly noting the annual privacy notice requirement as a potential opportunity. Industry members and consumer protection groups agreed, and following the publication of a Proposed Rule in May 2014 and a subsequent comment period, the CFPB has now adopted its Final Rule, creating an alternative delivery method for privacy policies where certain criteria are met.
The CFPB’s Final Rule permits a financial institution to adopt the alternative delivery method if:
- “It does not disclose the customer’s nonpublic personal information to nonaffiliated third parties in a manner that triggers GLBA opt-out rights;
- It does not include on its annual privacy notice an opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA);
- The requirements of section 624 of the FCRA and the Affiliate Marketing Rule, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements;
- The information included in the privacy notice has not changed since the customer received the previous notice (subject to an exception); and
- It uses the model form provided in the GLBA’s implementing Regulation P.”
Final Rule at p. 66. With this Final Rule, the CFPB is intentionally incentivizing financial institutions to limit the sharing of nonpublic personal information with third parties. However, not all sharing of consumer information triggers an opt-out notification requirement. For example, “financial institutions are not required to allow consumers to opt out of the institutions’ sharing involving third-party service providers, joint marketing arrangements, maintaining and servicing accounts, securitization, law enforcement and compliance, [or] reporting to consumer reporting agencies.” Final Rule at p. 6. Thus, the CFPB is not attempting to end all sharing of consumer information with third parties, but rather is attempting to limit those categories it deems to pose the greatest potential harm for consumers.
- “Convey[ing] in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law that its privacy notice is available on its website, it will be mailed to customers who request it by telephone, and it has not changed;
- Post[ing] its current privacy notice in a continuous and clear and conspicuous manner on a page of its website on which the only content is the privacy notice, without requiring a login name or similar steps or agreeing to any conditions to access the page; and
- Mail[ing] its current privacy notice to customers who request it by telephone within ten days of the request.”
Final Rule at p. 66.
The CFPB touts this Final Rule as a benefit to both financial institutions and consumers. The CFPB estimates that the Final Rule will reduce costs for financial institutions overall by about $17 million annually, further noting that some commenters to the Proposed Rule suggest that the burden reduction might be considerably greater. Additionally, the CFPB anticipates that providing privacy policies on financial institutions’ websites in this manner will benefit consumers by ensuring constant access to the policies and by enabling consumers to better understand the policies through use of the model disclosure form. Customers won’t be waiting long for this change to take place, as the Final Rule will be effective immediately upon publication in the Federal Register. Therefore, financial institutions should consider their current procedures with respect to annual disclosure requirements, as they may be in a position to cut costs and streamline their policies.