Joint Trades Letter to CFPB re Proposed Amendment to Regulation P
August 10, 2016
By electronic delivery to:
Monica Jackson, Office of the Executive Secretary
Bureau of Consumer Financial Protection
1700 G Street, NW Washington, D.C. 20552
Re: Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P) – Docket No. CFPB-2016-0032
Dear Ms. Jackson:
The undersigned associations (Associations), the American Bankers Association (ABA), the Consumer Bankers Association (CBA), the Financial Services Roundtable (FSR), the Independent Community Bankers of America (ICBA) and the Securities Industry and Financial Markets Association (SIFMA)[1] appreciate the opportunity to comment on the Bureau of Consumer Financial Protection’s (Bureau) proposed changes to Regulation P implementing the Gramm-Leach-Bliley Act of 1999 (GLBA).[2] The proposal would implement the change adopted by Congress on December 4, 2015 in an amendment, titled “Eliminate Privacy Notice Confusion,”[3] to the Fixing America’s Surface Transportation Act (FAST Act);[4] that amendment added section 503(f) to GLBA.[5]
We Welcome Congress’ Simplified Approach
GLBA and its implementing regulation require financial institutions to furnish customers with an annual privacy notice.[6] This mandate provides minimal consumer benefit, yet it imposes considerable costs on providers. For many years, the industry has supported steps that would simplify and streamline the annual privacy notice requirements.[7] In fact, since the GLBA annual notice requirements were published in 2000, our members have reported that one of the least useful elements of the privacy notice requirements has been the annual privacy notice, especially for those companies that do not share information outside one of the statutory exceptions and that have not changed their information sharing practices since the last time a customer was given the disclosure.
To respond to these concerns, the Bureau amended Regulation P in 2014 to offer an alternative means for providers to comply with the statutory annual notice requirement. However, the Bureau’s final rule[8] included a number of conditions and qualifications that significantly limited its use by financial institutions. For example, under the Bureau’s alternative delivery notice,[9] a financial institution is required to post the notice online and annually notify consumers in a written or electronic form that the information is available online. These conditions eliminated any benefits from the 2014 proposal and deterred institutions from taking advantage of the intended relief.
Subsequently, the United States Congress amended GLBA to eliminate the annual notice requirement, demonstrating its concurrence that these notices provide little perceived consumer benefit and, in fact, may contribute to consumer information overload. The FAST Act[10] eliminated the annual privacy notice provided that a financial institution meets two simple conditions. First, the financial institution can only share information within the parameters of one of GLBA’s statutory exceptions. Second, the institution may not have changed its information sharing practices since the last time the customer was provided with a privacy notice.
We supported this Congressional action and recommended a similar simplified approach to the Bureau in our 2014 comments.[11] While the FAST Act provision is self-enacting and does not require regulatory implementation, the Associations contacted the Bureau last December to urge them to update Regulation P to be consistent with the revised GLBA statute. The current proposal would do just that.
We Appreciate the Bureau’s Clarifying Proposal
On Friday, July 1, 2016, the Bureau issued a proposal to conform Regulation P with the FAST Act privacy notice provision that became effective on December 4, 2015. The Federal Register notice was published on July 11, 2016 and opened a 30-day comment period.[12]
The proposal would codify the FAST Act amendment to GLBA to allow banks that satisfy the two simple statutory conditions to forgo sending customers annual privacy notices. As noted above, the first condition is that the financial institution only shares personal non-public information about a customer under one of the limited statutory exceptions.[13] Second, the financial institution must not have changed its information sharing policies or practices since the last time a customer was provided the privacy notice.
We support this change because it is simpler than the alternative delivery method the Bureau adopted in 2014. Because a bank that satisfies the conditions for the alternative delivery also would meet the conditions of the statutory change, the Bureau recognizes that the statutory change makes it unlikely that banks will continue to use the 2014 alternative delivery method. Therefore, we support the Bureau’s proposal to eliminate the 2014 amendment to the rule[14] for the following reasons:
- It is unlikely that consumers will even be aware they are no longer receiving yet another disclosure in their mail. In fact, they are likely to benefit from decreasing information overload;
- It is unlikely that financial institutions will continue to use a complex means of compliance when a simple one is available; and
- It eliminates the confusion generated by the differences between the rule and the statute governing the obligations for the annual privacy notice.
I. Fair Credit Reporting Act Requirements
The Associations also support the proposed clarifications about the Fair Credit Reporting Act (FCRA) notifications that may be included in the annual privacy notice. Under Regulation P, the model notice and the alternative delivery method also address disclosures about information sharing under FCRA and information shared with affiliates. The FAST Act amendment, however, only applies to the GLBA regulations on information sharing, not the FCRA disclosures. The Bureau’s proposal would address the two FCRA elements covered in Regulation P, a step the Associations believe is helpful.
The first FCRA provision[15] addressed in Regulation P excludes from the definition of a credit report any information shared with an affiliate, including transaction and experience information. For any other information, a consumer must be notified and given an opportunity to opt out before the information can be shared. Similarly, another FCRA provision[16] addressed in Regulation P requires that when non-public personal information is shared with an affiliate, a consumer must be notified and given a right to opt out before the information can be used by the affiliate for marketing purposes.
When drafting the initial Regulation P, the regulatory agencies responsible for implementation, with the support of industry, included provisions on affiliate information sharing to streamline the notice requirements. It seemed logical – and convenient for consumers – to coordinate the notices provided to consumers about how information about them was collected and shared on one document, even though the requirements that applied to that information came from two different statutes.
As a result, the first provision on affiliate information sharing was included in the model notice and required to be included in the annual privacy notice by Regulation P. Although not mandatory, the notice and opt-out for marketing purposes could be included in the annual privacy notice voluntarily and many financial institutions took advantage of the streamlined, combined notice to consumers. However, it is important to recognize that even though the FCRA notices were incorporated into the annual privacy notice, FCRA does not require its disclosures to be sent annually.
Under the Bureau’s 2014 amendment to Regulation P, a financial institution was not eligible to use the alternative delivery method if it was required to give consumers the right to opt out, including the opt-outs under FCRA. Although the Associations urged the Bureau to adopt a more flexible approach,[17] the Bureau finalized the alternative delivery provision, which ultimately prevented a significant number of financial institutions from eliminating their annual privacy notice mailing.
Since many institutions could not utilize this much needed relief, we were pleased the FAST Act and subsequent Bureau proposal did not condition eligibility for elimination of the annual privacy notice on FCRA opt-out requirements.
We support a streamlined approach that permits a bank to take advantage of the relief by simply satisfying the two conditions set forth in the statute. This welcome change will clear up much confusion. We also agree with the Bureau that, because FCRA does not require an annual reminder, the FCRA notification requirement is satisfied if a financial institution includes the affiliate information sharing disclosures required by FCRA in its initial privacy notice, as long as the financial institution continues to meet the applicable requirements under FCRA.
II. Changes to Information Sharing Practices
One of the conditions that a financial institution must meet in order to eliminate the annual privacy notice is that it must not have changed its information sharing practices. However, the privacy notice currently includes two other specific disclosures: (1) information about the categories of nonpublic information that a financial institution collects and (2) the data security practices in place to protect customer information. Although these are not information sharing provisions, they are part of the annual privacy notice.
The Bureau has determined that since the statutory changes address information sharing, changes to the categories of information collected or changes to data security practices do not affect whether a bank can eliminate the annual privacy notice. In other words, a change to a bank’s data security program is not a change that would require issuance of the annual privacy notice.
The Associations agree that the sole focus should be on information sharing. Perhaps the most beneficial aspect of this approach is that it eliminates questions about whether changes to data security practices might prevent a financial institution from taking advantage of the exception. Given the current incidence of cyber security threats, the emphasis should be on encouraging institutions to update and enhance information security. Assurance that the adoption of improved security practices does not eliminate the availability of the annual privacy notice exception advances that goal.
III. Delivery of a Privacy Notice After a Financial Institution No Longer Qualifies for the Exception
Recognizing that there will be occasions when a bank no longer qualifies for the annual privacy notice exemption, the proposal addresses how and when a bank must send a privacy notice following the institution’s policy change. The proposal adopts a two-tiered approach regarding the timing of the notice.
The first tier addresses situations in which the change would require notice to be provided to the customer before information can be shared.[18] The Bureau would treat this the same as an initial privacy notice where the notice about the change is considered to have been sent in year one. Following that notice, the institution is required to send an annual notice by December 31 in the following year.
Under the second tier, where advance notice to the consumer is not required, a privacy notice would be required within 60 days after the change takes effect. Although there are no examples of what type of information would be covered, the Bureau believes this would be a one-time notice since further changes would not be anticipated. Presumably, then, the bank could take advantage of the exception in future years, absent other changes.
IV. Coordination with other Agencies
Originally, under Section 504 of GLBA, rulewriting authority was conferred on the federal banking agencies, the National Credit Union Administration (NCUA), the Secretary of the Treasury, the Securities and Exchange Commission (SEC), and the Federal Trade Commission (FTC).[19]
Since 1999, there have been changes to the statute, and the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act)[20] transferred rulewriting authority from the federal banking agencies and the NCUA to the Bureau but not the SEC or the FTC. However, the agencies are still required to consult with each other to ensure that, to the extent possible, the regulations are coordinated.[21]
Many of our members are also subject to regulations of the SEC and its implementing rule, Regulation S-P.[22] Although the SEC did not amend its rule to provide an alternative delivery mechanism similar to the Bureau’s 2014 final rule, the Associations strongly encourage the Bureau to coordinate the disclosure requirements with the other affected agencies, because it is critical that the agencies maintain consistency, minimize confusion, and provide clarity for consumers and for the affected industries.
The Associations appreciate the Bureau requesting comment on this proposal and believe, if adopted as proposed, it will streamline regulatory requirements, coordinate statutory and regulatory mandates, and clarify several questions about the coordination between GLBA and FCRA notices. The Associations believe there are additional opportunities that would serve consumers by facilitating information sharing between affiliates, particularly to take advantage of new technologies. We look forward to a continuing dialogue with the Bureau so that we can serve our customers in the most efficient and effective ways possible. We thank you for the opportunity to comment and welcome any questions or feedback.
Robert G. Rowe, III
Vice President & Associate Chief Counsel, Regulatory Compliance
American Bankers Association
Kate Larson Regulatory
Consumer Bankers Association
Senior Vice President & Senior Counsel for Regulatory and Legal Affairs
Financial Services Roundtable
Vice President & Senior Regulatory Counsel
Independent Community Bankers of America
Managing Director & Associate General Counsel
Securities Industry and Financial Markets Association