The Financial Services Modernization Act of 1999 is commonly known as the “Gramm Leach Bliley Act” (GLBA) named for the members of Congress instrumental in its creation. GLBA included requirements for privacy of consumer financial information, including disclosures about collecting, maintaining, sharing, and using the information, and security of the information. ‘The Privacy Act,’ as it is commonly called, is codified in Regulation P – Privacy of Consumer Financial Information.
Regulation P requires financial institutions to provide notice to customers about its privacy policies and practices; describe the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and, provide a method for consumers to prevent a financial institution from disclosing the information to most non-affiliated third parties by exercising the right to “opt out” of the disclosure.
For the purposes of Regulation P, definition of key terms is very important. Financial institution means any institution the business of which is engaging in financial activities, including, but not limited to: a retailer that extends credit by issuing its own credit card; a personal property or real estate appraiser; an automobile dealership; a check cashing, wire transfer, or money order sales business; an entity that provides real estate settlement services or mortgage broker services; or an investment advisor.
Nonpublic personal information means personally identifiable financial information and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
Although most in the financial services industry may have ignored the Fixing America’s Surface Transportation (FAST) Act that was signed into law in December 2015, it contained a privacy notice provision based on H.R. 604, the Eliminate Privacy Notice Confusion Act. The provision changed the annual privacy notification requirements to a requirement to send privacy notifications (subsequent to the initial notice) only when the privacy policy is changed. It was previously required every year, regardless if a change occurred or not. FAST changed the previous annual notification requirements; however, other requirements of the Privacy Act remain in effect.
It is important to recognize that this regulatory process has not yet been completed. The federal law was passed and signed by the president, and, in July 2016, the CFPB proposed amendments to Regulation P to correspond to the law. The rule was expected to be finalized in November 2016; however, the rule still has not been finalized, perhaps because of the conversion to a new administration and corresponding changes in Washington.
The NCUA, FDIC, CFPB, and Federal Reserve Board have made issuances to their institutions to make it clear the agencies do not expect financial institutions that meet the requirements to send annual privacy notices. The OCC has not yet issued formal guidance to its institutions (although, conceivably, they would be covered by the change to the interagency examination procedures), and, if your organization is under the OCC’s jurisdiction, it is prudent to confirm how this issue will be addressed with your regional examination office.
Regulation P can be found here, and the Federal Trade Commission (FTC) gives a plain language guide to Privacy Act requirements here.
Around the Industry:
Effective Now:
Where is your institution in HMDA implementation? See this.
On the Horizon:
OCC issues guidance on policies and procedures for violations of laws and regulations effective July 1, 2017.
MCM Q&A
Is it permissible to pull that credit report? See this.
Like Mortgage Compliance Magazine and the weekly “NewsLINES”? Tell your friends and colleagues about us! Send them this link for their free subscription.
