VIDEO: Privacy Notice on Periodic Statements

In this Compliance Clip, Adam answers a question as to whether an annual notice is required to be provided on each periodic statement. This clip provides a great overview of the history of the privacy annual notice exemption and even the current exemption rules.


Video Transcript

This Compliance Clip is going to answer a question regarding the privacy notice being listed on a periodic statement. We get quite a few questions from time to time and we received this question a number of times over the last few years, so I figured I would address this. The question we received, specifically this week, was this: Are we required to put on our periodic statements annually that there are no changes to our privacy notice and that a privacy notice is available upon request? Our privacy notice is given at account opening and is available at all times on our website. My understanding is that this is just fine, unless there has been a change, but I just want to confirm this with somebody else. Most of the time we just want to make sure with somebody else that we're not crazy. I completely understand that.

The answer to this is going to come from Regulation P, specifically in 1016.9. At least that's part of the answer that comes from Regulation P and really it has to deal with the FAST Act. What's happened over the years is we had a privacy notice concern. Financial institutions over the years had to provide an annual privacy notice to their customers. Some financial institutions don't share any information and that means that there's nothing for customers to opt out of. So these financial institutions said, this is a waste of paper. It's a waste of our resources. We shouldn't have to send an annual notice to customers to tell them they can't do anything and to tell them what they already know.

Over time it was agreed upon by the regulators and eventually by Congress that this was unnecessary. There were a number of steps that took place to alleviate burden over time, but the final step was the FAST Act, where Congress implemented the new law that got rid of the annual privacy notice requirement. The prior requirement was something that the CFPB put in place to try to alleviate burdens of financial institutions. This prior requirement, it's no longer in effect, but the previous requirement required a couple of things. It required that, number one, an annual notice be provided on the periodic statement or similar document, telling the customers that there are privacy notices available to them upon request if they want it and are available on their website. They also, the prior requirement, required that the current privacy policy be posted on the financial institution’s website. Then if a customer did contact you, you have to provide them with your current privacy notice within 10 days of receiving that request. That was the prior rule that has gone away because the CFPB issued a final rule in August of 2018, which was effective on September 17, 2018. So these three pieces that were previously required are no longer required. Those requirements are gone.

The final rule did say that it's okay to keep those pieces if you want to. Now why would you do that? Maybe to not upset the cart, maybe it costs money to change coding in your system. But I would probably remove them at this point because it's not required and it's just easier to follow the rules and be clear. Leaving them on your websites is definitely not a problem, but take it off your periodic statement if it's still there, because I've seen a number of financial institutions that have kept it on the periodic statement, but it's not required. This is no longer required. 

The new requirement is pretty simple. There's really just a couple of things. Two main conditions.

The first condition is that your financial institution, it comes down to this, you can't share non-public personally identifiable financial information to non-affiliated third parties. It's a mouthful, but that's what the requirement is. You can't share information that requires an opt out. If you have an opt out for third party sharing on your privacy policy, you cannot skip the annual notice. If you share information to non-affiliate third parties, you have to send an annual notice. That's your first condition. The second condition is that your policy and practices cannot have changed since the last time you provided your notice. If they have changed, and it's very specific on what changed, but if they have changed, that could trigger you to either provide a one-time annual notice to get customers up to speed with the new practices, or it could require you to send that annual notice going forward on a yearly basis. That's a little more complex in this short Compliance Clip, but that's the answer to this question.

The original question was, do we have to send that notice on the periodic statement? And the answer is no, that is no longer required. You don't have to do it, but you can, if you choose to.

That's all I have for this Compliance Clip.