Finally! The Annual Privacy Notice Exception Goes Final
Written by Elizabeth M. Young LaBerge, Senior Regulatory Compliance Counsel, NAFCU
If a comet or other projectile were to destroy the planet Saturn, it would take 767 days for gravity to pull its remains into the sun.
Coincidentally, that is also how long it took the Bureau to finalize the rule implementing the annual privacy notice exception.
While the wait might have been astronomical in duration, the substance of the amendment to Regulation P is, thankfully, not. In December 2015, Congress passed the Fixing America’s Surface Transportation Act (the FAST Act), section 75001 of which contained an amendment to the Gramm-Leach-Bliley Act (GLBA)’s Financial Privacy Rule. Specifically, it added paragraph 503(f) (codified at 15 U.S.C. 6803(f)) creating an exception to the requirement to send an annual privacy notice where certain requirements were met.
The Bureau’s proposed rule stayed pretty close to the text of the statute, but added some timing requirements for starting annual notices when credit unions fall out of the exception. It also asked for feedback about what to do with the alternative delivery method. NAFCU commented on the proposal in August 2016. While it took the Bureau quite a bit of time to push the final rule out, this hasn’t necessarily been an issue as both the Bureau and NCUA had indicated that they were treating the FAST Act amendment as being effective, regardless of the state of the implementing regulation. So the exception has been available for credit unions since December 2015.
The Exception As Finalized
New subsection 1016.5(e) essentially parallels the statute and the proposed regulation. Credit unions are not required to provide an annual notice if two conditions are present. First, if it only shares information in ways that do not trigger any opt-out requirement. In other words, if it only shares information under the exceptions in sections 1016.13, 1016.14 and 1016.15.
Second, the credit union cannot have changed the policies and practices it must disclosure under paragraphs 1016.6(a)(2)-(5) and (9) since its last notice. Broadly speaking, these paragraphs include disclosures of the categories of information disclosed to third parties, the categories of third parties disclosed to, the categories of information about former customers disclosed and to whom, the categories of information disclosed under joint marketing agreements and categories of the third parties involved, and broad categories of certain types of disclosures made under exceptions, for example “as permitted by law.” If a credit union makes a change to a policy or procedure that does not affect a disclosure under these specific paragraphs, it would not affect the credit union’s qualification for the exception.
Falling Out of the Exception
When a credit union no longer qualifies for the exception because it makes a change to its policies and practices, new subsection 1016.5(e)(2) specifies when the annual privacy notice must be sent again. The timeline differs depending on whether a revised privacy notice is triggered under section 1016.8.
A revised privacy notice is required prior to a credit union disclosing any nonpublic personal information to a nonaffiliated third party in a manner that differs from is prior notices. If the credit union is making a change that does trigger the revised privacy notice, new paragraph 1016.5(e)(2)(i) says that the revised notice should be provided under section 1016.8, and that revised notice would be treated as the annual notice for the present 12-month period. The credit union can resume providing annual notices at least once in each 12-month period as defined by the credit union going forward.
If a revised privacy notice not required, new paragraph 1016.5(e)(2)(ii) gives the credit union 100 days after the change to send the privacy notice. In the proposed rule, the Bureau indicated credit unions would have 60 days. After speaking with credit unions, NAFCU advised the Bureau that a 60 day period was insufficient and costly, as it would require a separate mailing outside of the quarterly statement. The Bureau stated that it found this argument persuasive, and extended the period to 100 days, to allow for time to process the change operationally, and have it sent with any quarterly mailings.
Sending this notice essentially restarts the credit union’s ability to qualify for the exception. If, in the following year, there have not been any further changes and information is not shared in a manner that triggers an opt-out, the credit union may requalify for the exception and not send out annual notices again until another change occurs. In new paragraph 1016.5(e)(2)(iii), the Bureau included illustrations of the timing requirements.
R.I.P. The Alternative Delivery Method
The alternative delivery method was effective October 28, 2014, and effective September 17, 2018, it will be removed from the code of federal regulations forever. The Bureau asked for feedback about the fate of the alternative delivery method and NAFCU asked that it be expanded to all privacy notices. However, the Bureau declined to do so, instead removing it altogether.
While the Bureau recognized in a footnote that there are some differences between the requirements for the alternative delivery method and the annual notice exception, it ultimately decided that these were negligible:
“Given that any financial institution that qualifies to use the alternative delivery method for its annual notices also meets the qualifications for the new annual notice exception, the Bureau believes that including the alternative delivery method in Regulation P is no longer useful.” 81 Fed. Reg. 44807.
The final rule will be effective 30 days after publication in the Federal Register, or on September 17, 2018. As credit unions have been relying on this exception since 2016, the most significant disruption stemming to this effective date may be your bookmarked links breaking.
Elizabeth M. Young LaBerge,