CFPB Updates Regulation P Amending Gramm-Leach-Bliley Act

Regulation P To Implement Legislation Amending Gramm-Leach-Bliley Act

Changes Will Ease Burden on Financial Institutions and Reduce Risk of Consumer Confusion

The Bureau of Consumer Financial Protection (Bureau) today finalized amendments to implement legislation that allows financial institutions that meet certain requirements to be exempt from sending annual privacy notices to their customers.

The Gramm-Leach-Bliley Act (GLBA) generally requires that financial institutions send annual privacy notices to customers. These notices must describe the privacy practices of financial institutions, including whether and how they share customers’ nonpublic personal information. If the institution shares this information with unaffiliated third parties in ways other than specified by the GLBA, the institution typically must notify customers of their right to opt out of having their information shared and inform them how to do so.

In December 2015, Congress amended the GLBA as part of the Fixing America’s Surface Transportation Act (FAST Act). This amendment to the GLBA provides financial institutions that meet certain conditions an exemption to the requirement under the GLBA to deliver an annual privacy notice. A financial institution can use the annual notice exception if it limits its sharing of customer information so that the customer does not have the right to opt out, and has not changed its privacy notice from the one previously delivered to its customer. The rule issued by the Bureau today implements this legislation and establishes deadlines for institutions resuming annual privacy notices if their practices change and they therefore cease to qualify for the exemption.


Debt Relief Industry on Alternative Delivery Method for Providing Certain Annual Notices

The Bureau amended Regulation P in October 2014 to allow financial institutions that met certain criteria to deliver annual notices pursuant to the “alternative delivery method.” Because financial institutions that met the conditions in Regulation P to use the alternative delivery method will also meet the conditions for the statutory exception in section 503(f), the Bureau proposed to remove the alternative delivery method from Regulation P by removing § 1016.9(c)(2) and renumbering existing § 1016.9(c)(1) as § 1016.9(c).

Commenters generally expressed support for the proposed removal of the alternative delivery method. Ten commenters addressed the issue, with eight supporting the proposal and two opposing it.

Some commenters welcomed elimination of the alternative delivery method, asserting that the conditions associated with the 2014 provision deterred institutions from taking advantage of the intended relief. A debt collector organization stated that the alternative delivery method did not provide a solution for many debt collectors and consumers. This commenter asserted that the alternative delivery required model form created a significant risk of class action litigation because of claims that the language conflicts with the Fair Debt Collection Practices Act‘s prohibitions on third-party disclosure. A commenter representing several trade associations stated that the alternative delivery method requirement to post the notice online eliminated any benefits from the 2014 rule.


Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley

Statutory Amendment to Regulation P and Proposed Rule

On July 15, 2016, the Bureau published a proposed rule to implement the FAST Act statutory amendment to the GLBA. The Bureau has considered the comments received on that proposed rule, and now issues this final rule based on it.

Effective Date

As discussed above, the statutory exception to the annual notice requirement is already effective. The amendments to Regulation P in this final rule will be effective 30 days from the date of publication in the Federal Register.

Regulation P Amendment Privacy Considerations

In developing this final rule, the Bureau considered its potential impact on consumer privacy. The rule will not affect the collection or use of consumers’ nonpublic personal information by financial institutions. The rule implements a new statutory exception to limit the circumstances under which financial institutions subject to Regulation P will be required to deliver annual privacy notices to their customers. Delivery of annual privacy notices is required under the rule if financial institutions make certain types of changes to their privacy policies or if the statute and Regulation P afford customers the right to opt out of financial institutions’ sharing of customers’ nonpublic personal information with nonaffiliated third parties. The statutory exception and this final rule do not affect the requirement to deliver an initial privacy notice, and all consumers will continue to receive such notices describing the privacy policies of any financial institutions with which they do business to the extent currently required.


Original press release first appeared at the The Bureau of Consumer Financial Protection website here.

The complete final rule issue with full background as well as Alternative Delivery Method  can be found here.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email