Subtitle A of Title V of the Gramm-Leach-Bliley Act (GLB Act), captioned “Disclosure of Nonpublic Personal Information,” limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties and requires financial institutions to provide certain privacy notices to their consumers and customers. Prior to July 21, 2011, rulemaking authority for the privacy provisions of the GLB Act was shared by eight Federal agencies: the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the Federal Trade Commission (FTC), the National Credit Union Association (NCUA), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), the Securities Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC). Each of the agencies issued rules (which were consistent and comparable) to implement the GLB Act’s privacy provisions.
The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred rulemaking authority for most of the privacy provisions of the GLB Act, with respect to financial institutions, from the Board, FDIC, FTC, NCUA, OCC, and OTS (collectively, the transferor agencies) to the Consumer Financial Protection Bureau (CFPB), effective July 21, 2011. Pursuant to the GLB Act, the FTC retains rulemaking authority over any financial institution that is a person described in 12 U.S.C. 5519. The SEC and the CFTC, which are not transferor agencies, also retain rulemaking authority over certain institutions described in sections 504(a)(1)(A)-(B) of the GLB Act. Pursuant to the Dodd-Frank Act and the GLB Act, as amended, the CFPB is publishing for public comment an interim final rule establishing a new Regulation P (Privacy of Consumer Financial Information), 12 CFR Part 1016, implementing those privacy provisions of the GLB Act for which the CFPB has rulemaking authority.
The CFPB’s new Regulation P makes only certain non-substantive, technical, formatting, and stylistic changes. To minimize any potential confusion, the CFPB is substantially preserving the numbering of the Board’s Regulation P, other than the new part number. The interim final rule does not impose any new substantive obligations on regulated entities.
Appendix B, which listed sample clauses for privacy notices and provided a safe harbor for privacy notices issued with those sample clauses before January 1, 2011, has been removed, as have any internal cross-references to it. Appendix B was scheduled to be eliminated from each of the transferor agencies’ privacy regulations on January 1, 2012. Financial institutions that delivered annual notices to consumers on or before December 31, 2010 were entitled to rely on the safe harbor for one additional year until their next annual notice was due. The removal of Appendix B by this interim final rule as of December 30, 2011 does not nullify the validity of privacy notices issued before January 1, 2011 using Appendix B’s sample clauses, including during the intervening two days of December 30 and 31, 2011.
To the extent the transferor agencies’ rules substantively differed from one another, the interim final rule contains separate provisions for the financial institutions previously subject to the respective transferor agencies’ rulemaking authority. For example, special rules related to joint relationships and loans were applicable to credit unions under the NCUA’s privacy regulation. To preserve those special rules applicable to credit unions, the interim final rule contains separate sections for “joint relationships in the case of credit unions” and “special rule for loans in the case of credit unions.” Similarly, the FTC’s privacy regulation defined “financial institution” more narrowly than the other transferor agencies’ privacy regulations. The interim final rule therefore contains a separate definition of “financial institution” for entities subject to the FTC’s enforcement jurisdiction. The interim final rule also incorporates specific examples from the NCUA and FTC’s privacy rules.
Many of the Dodd-Frank Act changes represent a painful expansion of federal regulations. This change is a pleasant and significant reduction of over a hundred pages of federal regulations. It is just a few drops of rain in the midst of an 18-month drought.
A copy of revised Regulation P is located at: https://mycomplianceresource.com/CFPB-Reg-P-Privacy-of-Consumer-Financial-Information.html. The Federal Register copy is available at: https://mycomplianceresource.com/CFPB-The-Inherited-Regulations.html.