The Consumer Financial Protection Bureau has amended Regulation P to implement changes to the Gramm-Leach-Bliley Act regarding the conditions under which financial institutions—including credit unions—need not provide annual privacy notice to consumers.
The final rule provides an exception to the requirement to provide an annual notice to “customers,” as defined in Regulation P §1016.3(i), herein referred to as “members.” To qualify for the annual privacy notice exception, the following two conditions must be met:
- The credit union must not share nonpublic personal information about members, except as described in certain statutory exceptions that do not require an opt-out (i.e., §1016.13, §1016.14 and §1016.15); and
- The credit union must not have changed its policies and practices with regard to disclosing nonpublic personal information from those the institution disclosed under §1016.6(a)(2) through (5) and (9) in the most recent privacy notice it sent.
Credit unions that provide an opt-out on a voluntary basis for permitted sharing would still meet the exception. Additionally, any opt-out required under the Fair Credit Reporting Act that is contained in the privacy notice will have no bearing on the availability of the annual privacy notice exception.
However, credit unions that choose to take advantage of the annual notice exception must still provide any opt-out disclosures required under the FCRA, if applicable, though they are not required annually. Credit unions can provide these disclosures through other methods, for example, through their initial privacy notices in most circumstances.
When the Exception No Longer Applies
Under the final rule, when the exceptions are no longer met, an annual privacy notice must be provided. The timing of the required annual notice differs, depending on whether the change that causes the credit union to no longer qualify for the annual notice exception also triggers a requirement under Regulation P to deliver a revised notice.
Section 1016.8 requires credit unions to provide revised notices to members before nonpublic personal information is shared with a nonaffiliated third party if their sharing would be different from what was described in the initial notice delivered. After delivering the revised notice, the credit union must also give the member a “reasonable opportunity” to opt out of any new information sharing beyond the Regulation P exceptions before the new sharing occurs.
When an annual notice is required, it must be provided ‘‘at least once in any period of 12 consecutive months.’’ A credit union may define the 12-consecutive-month period but must apply it to the customer on a consistent basis.
When the annual notice requirement is triggered, credit unions must deliver the annual notice within 100 days after the change that caused the exception to be lost. The final rule provides an example for when a credit union must provide an annual notice after it no longer meets the exception.
The example assumes that a credit union changes its policies or practices effective April 1 of year one and defines the 12-consecutive-month period as a calendar year. The regulation states the credit union must provide an annual notice by December 31 of year two if the credit union was required to provide a revised notice prior to the change and provided that revised notice on March 1 of year one in advance of the change. The credit union must provide an annual notice by July 9 of year one if the credit union was not required to provide a revised notice prior to the change.
When the credit union once again meets the exception after having to provide annual notices, the annual notice would no longer be required.
Alternative Delivery Method Effectively Eliminated
Previously under Regulation P, credit unions using the alternative delivery method were required to mail annual notices to members who requested them by telephone. Credit unions were also required to include a clear and conspicuous statement of availability at least once a year on an account statement, coupon book, or a notice or disclosure the credit union issued under any provision of law.
The final rule has eliminated the alternative delivery method for providing the annual privacy notice. Credit unions that meet the conditions to use the alternative delivery method will also meet the conditions of the annual privacy notice exception.
Credit unions that qualify for the new annual notice exception may still choose to post privacy notices on their websites, and/or deliver privacy notices to members upon request. Such activities will not affect the eligibility for the new exception.
This final rule became effective on Sept. 17, 2018.