On December 4, 2015, President Obama signed HR 22 into law (now Public Law 114-94). Although HR 22’s official name is Fixing America’s Surface Transportation Act (“FAST Act”), the 490-page law contains some provisions of particular importance to banks and other financial institutions, including providing an exception to the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLB Act”).
As most people who have a customer relationship with any of a wide range of financial institutions (banks, insurance companies, broker-dealers, etc.) know, the financial institution must provide the customer with an annual notice regarding the collection, use and sharing of the customer’s nonpublic personal information (such as the customer’s credit card purchases or bank account information). Generally, if the financial institution shares a customer’s nonpublic personal information with nonaffiliates of the financial institution, it must give its customer the ability to opt out of such sharing.
However, the GLB Act’s statutory requirements on privacy notices, and the regulations issued by the Consumer Financial Protection Bureau (“CFPB”), Commodity Futures Trading Commission, Securities and Exchange Commission and Federal Trade Commission, contain a range of exceptions to the requirement that customers be given the ability to opt out of the financial institution’s sharing of their nonpublic personal information with nonaffiliates.
Section 75001 of the FAST Act adds a new exception to this annual privacy notice requirement. Under the new exception, a financial institution will not be required to provide the annual notice if it provides nonpublic personal information to third parties only in accordance with the statutory or regulatory exceptions, such as sharing for purposes of completing a transaction ordered by the customer, for fraud prevention, or to a service provider performing services for, or functions on behalf of, the financial institution pursuant to a contractual requirement that the third party keep the information confidential. If the financial institution changes its privacy policies on sharing nonpublic personal information with nonaffiliates beyond those contained in the GLB Act and its regulations since the time the last disclosure was sent to the customer, then this new exception is not available until there has been no change since the last disclosure.
This statutory exception builds on CFPB regulations finalized last year that give financial institutions subject to the CFPB’s jurisdiction (such as banks and credit unions) under certain circumstances the ability to deliver the annual privacy notice through posting it clearly and conspicuously on the institution’s web site instead of mailing it to each customer.