The Gramm-Leach-Bliley Act (“GLBA”) was amended by the Fixing America’s Surface Transportation Act (“FAST Act”) to provide a new exception to GLBA’s annual privacy notice requirement. The amendment, which went into effect December 4, 2015, removes the requirement that financial institutions provide their customers annual privacy notices if they meet certain criteria. The CFPB has revised its GLBA examination procedures to take into account this new exception.
The FAST Act established an exception to the annual privacy notice requirement if financial institutions meet certain criteria. First, the institution must provide nonpublic personal information (“NPI”) to a nonaffiliated third party only in ways consistent with the exceptions in GLBA and Regulation P, including, but not limited to, marketing of its own products and services, products and services offered pursuant to a joint agreement, or disclosures that are, among other things, necessary to administer or enforce a transaction authorized by a consumer. Second, the institution must not have changed its practices and procedures with regard to disclosing NPI from those that were most recently disclosed.
The new examination checklist released by the CFPB reflects this exemption by asking whether the institution has provided the annual privacy notice, unless it qualifies for one of the exceptions prescribed under GLBA. If it does not qualify, the institution is still required to provide a clear and conspicuous notice accurately reflecting its privacy policies.
The full GLBA privacy examination procedures may be found here: https://s3.amazonaws.com/files.consumerfinance.gov/f/documents/102016_cfpb_GLBAExamManualUpdate.pdf.