Wednesday, August 24, 2016

Associations support CFPB’s eased privacy notice proposal

By J. Preston Carter, J.D., LL.M.

Trade associations are sending comment letters to the Consumer Financial Protection Bureau in support of the eased privacy notice requirements in the bureau’s proposed amendment to Regulation P. One letter was sent by the American Bankers Association, Consumer Bankers Association, Financial Services Roundtable, Independent Community Bankers of America, and Securities Industry and Financial Markets Association. Another came from the American Bankers Insurance Association.

CFPB proposal. The CFPB’s proposal would implement a December 2015 statutory amendment to the Gramm-Leach-Bliley Act providing an exception to the annual privacy notice requirement for financial institutions that: (1) provide nonpublic personal information about customers to nonaffiliated third parties only in a way that does not require affording customers an opt-out; and (2) have not changed information sharing policies or practices since the last time a customer was provided the privacy notice.

Alternative method delivery. The associations represented in the first letter support the exception to the annual notice requirement, and they also support the bureau’s proposal to eliminate the alternative online delivery method that was adopted in 2014. The proposed exception to the annual privacy notice requirement is simpler than the alternative method, according to the associations, and a bank that satisfies the conditions for the alternative delivery also would meet the conditions of the proposed exception.

FCRA requirements. In addition, the associations support the CFPB’s proposed clarifications about the Fair Credit Reporting Act notifications that may be included in the annual privacy notice. The bureau’s proposal does not condition eligibility for elimination of the annual privacy notice on FCRA opt-out requirements. Also under the proposal, the FCRA notification requirement is satisfied if a financial institution includes in its initial privacy notice the information about sharing with affiliates that the FCRA requires, because the FCRA does not require an annual notice as long as the financial institution continues to meet the necessary requirements under the FCRA.

Changes to information sharing practices. The letter notes that one of the conditions that a financial institution must meet in order to eliminate the annual privacy notice is that it must not have changed its information sharing practices. The associations agree with the CFPB’s determination that since the statutory changes address information sharing, changes to the categories of information collected or changes to data security practices do not affect whether a bank can eliminate the annual privacy notice. Given the current incidence of cyber security threats, the letter says, the emphasis should be on encouraging institutions to update and enhance information security.

ABIA letter. The ABIA stated that the privacy notice "mandate provides minimal consumer benefit, yet it imposes considerable cost to providers." The presence or absence of "opt out" disclosures in an institution’s privacy notice should not be a factor in the availability of the exemption from the annual notice requirement, according to the ABIA. Its letter also agreed that the exemption should be available to a financial institution that changes its privacy policy as to information sharing with, or use for marketing purposes by, affiliates, pursuant to the FCRA.
