IBA Compliance Connection

Your go to source for compliance!

Does the 2015 amendment to the Gramm-Leach-Bliley Act (GLBA), eliminating the annual privacy notice requirement in certain circumstances, take precedence over Regulation P, which has not yet been amended to implement the change?

by

admin

Yes, the GLBA amendment takes precedence over Regulation P. Your primary regulator (the Federal Reserve Board) has adopted interagency examination procedures reflecting the GLBA amendment, and we expect that the CFPB eventually will finalize its proposed rules implementing the GLBA amendment in Regulation P. If your bank meets the requirements for the annual privacy notice exemption (no changes to your privacy notice in the last year and no sharing of information that triggers a customer’s opt-out rights), your bank will not be required to mail an annual privacy notice.

For resources related to our guidance, please see:

  • Gramm-Leach-Bliley Act, 15 USC 6803(f) (Creates an exception to the annual privacy notice requirement for any financial institution that “(1) provides nonpublic personal information only in accordance with the provisions of subsection (b)(2) or (e) of section 6802 of this title or regulations prescribed under section 6804(b) of this title, and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with this section . . .”)
  • FRB Consumer Compliance Handbook, Regulation P, pages 10–11 (June 2016 revision) (“As of December 4, 2015, pursuant to the FAST Act’s GLBA amendment, a financial institution is not required to provide an annual privacy notice to its customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA sections 502(b)(2) (corresponding to Regulation P section 1016.13) or 502(e) (corresponding to Regulation P sections 1016.14 and .15) or regulations prescribed under GLBA section 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA section 503. An institution that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.”)