No, under the FAST Act’s amendment of the Gramm-Leach-Bliley Act (GLBA), your bank is exempt from the annual privacy notice requirement for all customers, even those who do not receive periodic statements.
The GLBA requires financial institutions to re-disclose their privacy policy annually, either by mailing a full annual privacy notice or through certain alternative delivery methods. However, in December 2015, the FAST Act amended the GLBA to create an exception to the annual privacy notice requirements for financial institutions that have not changed their privacy policy since their most recent disclosure and do not share information in a way that triggers a consumer’s opt-out rights. The CFPB has proposed a rule to amend Regulation P to reflect this amendment.
In this case, your policy has not changed in the past year, which meets the first prong of the exemption. In addition, based on the facts you have provided, you do not share information in a way that triggers a consumer’s opt-out rights. Because your bank qualifies for exemption from the annual privacy notice requirement, you are not required to provide the annual notice to any of your customers.
For resources related to our guidance, please see:
- Gramm-Leach-Bliley Act, 15 USC 6803(a) (Requires initial and annual privacy policy disclosures)
- Gramm-Leach-Bliley Act, 15 USC 6803(f) (Creates an exception to the annual privacy notice requirement for any financial institution that “(1) provides nonpublic personal information only in accordance with the provisions of subsection (b)(2) or (e) of section 6802 of this title or regulations prescribed under section 6804(b) of this title, and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with this section . . .”)