August 13, 2018

Bureau adopts NAFCU-backed privacy notice changes

bureauThe Bureau of Consumer Financial Protection (formally the CFPB) on Friday finalized rule changes to codify 2015 Gramm-Leach-Bliley Act (GLBA) revisions on private notice requirements. Accepting many of NAFCU's recommendations, the final rule is a win for the credit union industry.

These GLBA revisions were part of a 2015 transportation authorization bill. The law clarified that consumers will receive privacy notices after opening a new account and when their providers' privacy policies change – a change from the previous annual-notice requirement.

NAFCU had expressed concerns to the bureau over its proposed elimination of the alternative delivery method and the 60-day notification requirement for revised annual notices. The final rule gets rid of the alternative delivery method while making clear that a financial institution that qualifies for the new exemption "may still choose to post privacy notices on their websites, deliver privacy notices to consumers who request them, and notify consumers of the notices' availability" without affecting their eligibility for the new exception.

In direct response to NAFCU's concerns, the final rule grants a 100-day delivery requirement for revised annual privacy notices. The rule cites NAFCU's concerns regarding cost burdens associated with additional mailings and that sending out the revised notice with quarterly statements would be best.

The final rule has a 30-day effective date once published in the Federal Register.