Transportation Bill Modifies Annual Privacy Notice Requirement for Credit Unions; Programming Note and Happy New Year from NAFCU Blog!
Written by Shereefat Balogun, Regulatory Compliance Counsel
As we noted in last week's blog, on December 4, 2015, President Obama signed a transportation bill formally known as the Fixing America's Surface Transportation Act, or the FAST Act. Now, one would not typically expect to find anything pertaining to financial privacy in a transportation bill. However, buried in the 490 page bill is a significant amendment to the Gramm-Leach-Bliley Act's (GLBA) annual consumer privacy notice requirement. Specifically, the FAST Act amends the GLBA by adding an exemption to the requirement.
Section 503 of the GLBA, and Regulation P which implements the act, require that credit unions send annual privacy notices to their members. These notices must describe whether and how the credit union shares members nonpublic personal information. If the credit union discloses this information with nonaffiliated third parties, generally the credit union must notify members of their right to opt-out of the sharing.
The FAST Act's new amendment provides an exception to the annual privacy notice requirement for any credit union that satisfies the following two conditions:
- the credit union does not share nonpublic personal information with nonaffiliated third parties, except under certain exceptions enumerated in Regulation P, e.g., to service providers who perform services on behalf of the credit union pursuant to a joint agreement; or as necessary to administer or enforce a transaction requested or authorized by the member; and
- the credit union has not changed its privacy policies and practices with respect to disclosing nonpublic personal information since it last provided a privacy notice to its members.
Under the amended law, if a credit union meets both of these conditions, it is no longer required to provide privacy notices to individual members on an annual basis. Alternatively, if a credit union cannot meet both of these conditions, it must continue to provide a privacy notice annually. In other words, annual privacy notices are required if and when a credit union makes changes to data sharing or begins sharing member data in a way that would trigger an opt out right. Keep in mind that these kinds of changes often require a revised privacy notice under section 1016.8
If a credit union does not satisfy these conditions, and thus must provide annual privacy notices, it may post the privacy notice online rather than issue individual notices by mail pursuant to a final rule issued by the CFPB last fall. Note, however, that this online notice alternative is available if certain conditions are met, such as not sharing data in ways that would trigger members opt-out rights. NAFCU previously published a Compliance Monitor article that discusses last year's changes, including when an annual privacy notice may be provided online.
NAFCU has long advocated for regulatory relief in this area because our members have consistently communicated that their members find these disclosures more confusing than helpful. NAFCU hopes that these amendments will both reduce member confusion and lower credit unions administrative costs.
Note that the amendment to the GLBA became effective on December 4, 2015. Moreover, the CFPB recently confirmed with NAFCU that it will treat the FAST Act's amendment as controlling law. Specifically, the bureau stated that it is conveying to its supervision and enforcement staff that the law is effective immediately so that no financial institution is expected to comply with superseded regulatory requirements. It is anticipated that the CFPB will amend Regulation P to reflect the new exception sometime in the coming year.
Programming Note & Happy New Year From the NAFCU Blog
NAFCU will be closed on December 31st and January 1st for the holidays, but we will be back to blogging on Monday, January 4th. From everyone here, we wish you and yours a safe and happy holiday and a prosperous New Year!