IBA Compliance Connection

Your go to source for compliance!

Our bank shares nonpublic personal information with nonaffiliated financial companies pursuant to a joint marketing agreement and also reports credit information to a credit bureau. Our privacy policy has not changed for three years. What are our privacy notice obligations under the Gramm-Leach-Bliley Act (GLBA)?

by

admin

You must provide initial privacy policy disclosures, including that you share customer information with nonaffiliated third parties pursuant to a joint marketing agreement. However, you are exempt from GLBA’s annual privacy notice requirement, subject to the discussion below.

The GLBA requires financial institutions to provide initial privacy policy disclosures to new customers and re-disclose their privacy policy annually. However, in December 2015, the FAST Act amended GLBA to create an exception to the annual privacy notice requirements for financial institutions that have not changed their privacy policy since their most recent disclosure and do not share information in a way that triggers a consumer’s opt-out rights.

In this case, your policy has not changed in three years, which meets the first prong of the exemption. In addition, based on the facts you have provided, you do not appear to share information in a way that triggers a consumer’s opt-out rights.

First, you may disclose nonpublic personal information to a consumer reporting agency in accordance with the Fair Credit Reporting Act without triggering a customer’s opt-out rights. In addition, the GLBA permits you to share nonpublic personal information with nonaffiliated third parties pursuant to joint marketing agreements — such as the one you described — without providing customers with the right to opt out. However, you must disclose the information sharing arrangement with your customers and enter into a confidentiality agreement with the third party.

Finally in addition to the GLBA, we note that you also must comply with the Fair Credit Reporting Act, which requires you to provide notice and the opportunity to opt out before you share customer information with your affiliates, and the Illinois Banking Act, which requires that customers “opt-in” before you share their information with either affiliates or nonaffiliates.

For resources related to our guidance, please see:

  • Gramm-Leach-Bliley Act, 15 USC 6803(a) (Requires initial and annual privacy policy disclosures)
  • Public Law 114-94, Title LXXV — Eliminate Privacy Notice Confusion (Creates an exception to the annual privacy notice requirement for any financial institution that “(1) provides nonpublic personal information only in accordance with the provisions of subsection (b)(2) or (e) of section 502 or regulations prescribed under section 504(b), and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with this section…”)
  • Gramm-Leach-Bliley Act, 15 USC 6802(b)(2) (Financial institutions may share nonpublic personal information to a nonaffiliated third party for marketing purposes “pursuant to joint agreements … that comply with the requirements imposed by the regulations prescribed under section 6804 of this title, if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information.”)
  • Regulation P, 12 CFR 1016.15 (“The requirements for initial notice in § 1016.4(a)(2), for the opt out in §§ 1016.7 and 1016.10, and for service providers and joint marketing in § 1016.13 do not apply when you disclose nonpublic personal information: 5)(i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); or (ii) From a consumer report reported by a consumer reporting agency…”)
  • Fair Credit Reporting Act, 15 USC 1681s-3(a) (Requires that a bank may share marketing information among affiliates only if “(A) it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons for purposes of making such solicitations to the consumer; and (B) the consumer is provided an opportunity” to opt-out.)
  • Illinois Banking Act, 205 ILCS 5/48.1(c) (Prohibits a bank from disclosing financial records or financial information unless a customer consents or opts in to the disclosure)