The Eliminate Privacy Notice Confusion Act & What it Means to Your Credit Union
Written by Steve Van Beek
First off, the title of the bill will not help with the confusion that compliance officers face with regard to privacy notices.  Instead, it is meant to address the confusion that faces members as they receive multiple privacy policies from multiple financial institutions and dutifully read them.
Summary. The bill - H.R. 5817 - was passed by the House on Wednesday and now awaits action in the Senate.
What will the bill do? The bill would remove the annual privacy notice requirement for certain financial institutions.
How do we find out if we would be one of these "certain" financial institutions? Ah, please join me as we wander down the rabbit hole called Regulatory & Legislative Complexity (the middle name is "&" for those keeping score at home).
The Start. The annual privacy notice requirement comes from Section 503 of Gramm-Leach-Bliley (15 USC 6803):
"(a) Disclosure required
At the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, of such financial institution's policies and practices with respect to..." (emphasis added).
The Bill. The bill would add subsection (f) to Section 503 of Gramm-Leach-Bliley:
"(f) EXCEPTION TO ANNUAL NOTICE REQUIREMENT.—A financial institution that—
(1) provides nonpublic personal information only in accordance with the provisions of subsection (b)(2) or (e) of section 502 or regulations prescribed under section 504(b), and
(2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with this subsection, shall not be required to provide an annual disclosure under this subsection until such time as the financial institution fails to comply with any criteria described in paragraph (1) or (2)."
Ok - so there are two main prongs to obtaining this potential exception. We'll take them in reverse order.
Prong 2 - No Changes Since Your Last Privacy Policy. This is the easier prong. If you've changed your privacy policy, you'd need to send the annual notice so that members are aware of your new sharing practices.
Prong 1 - Shares Information Only in Accordance with Exceptions. This one is where things get a bit dicey. I'll spoil the ending by letting you know that if this bill becomes law - the CFPB should be amending Regulation P and will have a great opportunity to provide clarity to everyone (credit unions, banks, consumers, etc.).
In order to satisfy Prong 1, credit unions need to share nonpublic personal information about their members "only in accordance with the provisions of subsection (b)(2) or (e) of section 502 or regulations prescribed under section 504(b)." But, what does that mean?
These two provisions discuss the situations where credit unions can share nonpublic personal information with nonaffiliates without having to provide the member an opt-out.
Section 502(b)(2) - 15 USC 6802(b)(2). This provision outlines the exception for service providers and joint marketing agreements. It is implemented in 12 CFR 1016.13 of Regulation P.
Section 502(e) - 15 USC 6802(e). This provision contains the general exceptions to the opt-out requirements. Credit unions can share information with nonaffiliated third parties in these situations - such as to service or process a transaction or at the member's request - without needing to provide the member an opportunity to opt out. These exceptions are outlined in 12 CFR 1016.14 & 12 CFR 1016.15 of Regulation P.
***
Confused? The crux is that in order to satisfy Prong 1 your credit union would need to only share information with nonaffiliates in ways that do not trigger the requirement to provide members the right to opt out. Prong 2 is easier in that it will be met if you have had no changes to your privacy policy since your last mailing.
Your Homework? Check out whether your credit union's existing privacy policy requires you to provide members the right to opt out because your credit union shares nonpublic personal information with nonaffiliated third parties.
Outcome 1: If you aren't currently required to provide the opt-out to members, this bill could provide some real regulatory relief as it could remove the requirement to send your privacy policy on an annual basis.
Outcome 2: If you currently share with nonaffiliated third parties (outside of the exceptions discussed above) and are required to provide members the opt-out, check how many nonaffiliated third parties you share with. How valuable are those relationships? How does that compare with the regulatory cost (and printing costs and mailing costs) of sending the annual privacy notice?
***
Reminder: Keep in mind that this bill still needs to work its way through the Senate. Additionally, the CFPB would need to amend Regulation P to implement these changes and provide clarity.
Lastly, let's take a minute to appreciate a 4-page bill. Considering we are fast approaching Dodd-Frank Implementation Season™, any regulatory relief is a welcome sight (even if there is a need to wade through some legalese to get there).
Have a great weekend!