Compliance Blog

Jul 22, 2016
Categories: Privacy

There is a Pokémon Gym at my Credit Union! Annual Privacy Notice Rule Proposal

Written by Stephanie Lyon, Regulatory Compliance Counsel

Thousands of people downloaded the Pokémon Go app this month and inadvertently granted the app full access to their Gmail accounts. Several reports indicate that people did not read the information-gathering clause found in the app's Terms of Privacy. The extensive permissions could have allowed the app to obtain non-public information for the financial benefit of Niantic (if it hadn't been for meddling kids calling attention to this glitch). Why is this relevant to financial institutions? These kinds of blanket permissions found in many terms of privacy highlight the public policy reason for the implementation of privacy regulations, such as the Privacy of Consumer Financial Information rule (Regulation P), which implements requirements under the Gramm-Leach-Bliley Act (GLBA). Generally, Regulation P requires credit unions to provide new members with Annual Privacy Notices and to send updated notices during the term of the financial relationship. 12 C.F.R. Pt. 1016. The notice is meant to alert members to the manner in which their non-public information is used by the credit union and gives them an opportunity to opt out of certain information-sharing practices. See, 12 C.F.R. § 1016.1.

Regulation P requires credit unions to provide an initial notice of their privacy policies when a member joins the credit union, every year the financial relationship continues, and whenever the credit union changes its privacy policy to begin sharing nonpublic personal information with nonaffiliated third parties. See, §§ 1016.5(a)(1) & 1016.8(a)(1)-(4). In 2014, the CFPB adopted a rule to allow financial institutions to use an alternative delivery method by posting the notices on their websites if certain conditions were met. See, § 1016.9(c)(2)(ii)(B).

In December 2015, GLBA was amended as part of the FAST Act. The amendment added a section that relieved financial institutions from having to mail Annual Privacy Notices to consumers if they meet certain requirements. For more in-depth information regarding the December 2015 GLBA amendment, read Annual Privacy Notices: Can You Keep It To Yourself? (NAFCU log-in required). The statutory amendment became effective upon enactment for GLBA, but Regulation P must also be amended to formally implement the statutory changes. Hence, the CFPB is proposing to amend Regulation P to implement the 2015 GLBA amendment. The CFPB's rule proposal would implement a new regulatory exception to limit the circumstances under which credit unions will be required to deliver annual privacy notices to their members, among other technical revisions.

The rule proposal has three main parts. The first part proposes the implementation of GLBA's section 503(f):

(i) the financial institution must not share nonpublic personal information about customers except as described in certain statutory exceptions, and

(ii) the financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from those that the institution disclosed in the most recent privacy notice it sent.

See, GLBA section 503(f)(i)-(ii), codified at 15 U.S.C. 6803(f). The proposal also sets timeframes for delivery of notices for credit unions that fall out of the exception at some point.

The second part eliminates the ability of credit unions to post their Annual Privacy Notice on their website, as the 2014 amendment allowed. The CFPB stated in its proposal that the alternative delivery method would become unnecessary, because credit unions that qualify for the alternative delivery method would no longer be required to send annual privacy notices at all, as the requirements for both are essentially the same. Hence, the CFPB argues that eliminating this alternative delivery method will create less work for credit unions and streamline the regulation.

And finally, the CFPB wants to make a technical revision to a definition. Currently, Regulation P's substantive requirements, including the requirement to deliver privacy notices, are generally imposed upon entities that meet the definition of "you" found in § 1016.3(s)(1). That provision defines "you" as a financial institution or other person for which the Bureau has rulemaking authority under section 504(a)(1)(A) of the GLBA. The Bureau, however, does not have rulemaking authority over financial institutions under that section but rather under section 504(a)(1)(A). Hence the CFPB would correct this definition to ensure the correct section is cited in Regulation P. Comments on the proposal are due August 10, 2016. Please let NAFCU know how this proposal could affect your credit union.

Annual Privacy Notices are an important component of keeping members informed and in control of the use of their nonpublic personal information. The proposed rule aims to streamline Regulation P by implementing the 2015 GLBA amendment.

Here is a picture of Peppermint (left), my 5-year-old furry child, helping me catch Pokémon. Her brother, Chewbacca (right), doesn't seem to share her sixth sense though.
