Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On July 1, the CFPB issued a proposed rule to amend Regulation P, which implements the Gramm-Leach-Bliley Act (GLBA) and requires, among other things, financial institutions to provide their customers with an annual notice that describes their privacy policies and procedures. The proposed amendment would implement a December 2015 statutory change in Section 75001 of the “Fixing America’s Surface Transportation Act” (FAST Act). Pursuant to the FAST Act, the GLBA was amended so that financial institutions meeting certain criteria no longer need to send annual privacy notices. The CFPB’s recently issued proposed rule would amend Regulation P to implement the GLBA amendment. The CFPB’s proposed rule would further amend Regulation P to (i) provide timing requirements for the delivery of annual privacy notices for a financial institution that may originally qualify for the annual notice exception but then later changes its policies or practices so that it no longer meets the exception criteria; (ii) remove the Regulation P provision that allows financial institutions to post privacy notices online because the CFPB “believes the alternative delivery method will no longer be used in light of the annual notice exception”; and (iii) make a technical correction to one of its definitions.
On December 4, President Obama signed into law H.R. 22, the “Fixing America’s Surface Transportation Act” (FAST Act). Although a transportation bill on its surface, the bill also contains various provisions that are intended to provide regulatory relief to community banks and improve the efficiency of state financial regulation. Significant provisions in the bill include: (i) establishing a process that allows parties, including banks and other stakeholders, to petition the CFPB for “rural” or “underserved” designations in certain areas for the purposes of the CFPB’s ability-to-repay rule; (ii) expanding the CFPB’s ability to exempt creditors serving rural or underserved areas from escrow requirements; (iii) granting greater flexibility to the CFPB in regards to treating a balloon loan as a qualified mortgage, if a community bank or creditor operating in a rural or underserved area extended the loan; (iv) increasing the threshold for 18-month exam cycles for well-capitalized banks from $500 million to $1 billion; and (v) authorizing the Nationwide Mortgage Licensing System – which state regulators use to license various nonbank financial services industries, such as money transmitters, payday lenders, and debt collectors – to process background checks for non-mortgage license applicants.
In addition, the act provides relief to all financial institutions meeting certain criteria from annual Gramm-Leach-Bliley privacy notice requirements. Pursuant the Gramm-Leach-Bliley Act (GLBA) and Regulation P, financial institutions were required to submit privacy notices, physically, or with consent electronically, to customers; in 2014, the CFPB amended Regulation P permitting institutions to post privacy notices online without customer consent, so long as certain criteria were met. The FAST Act’s statutory change in Section 75001 removes some of the criteria so that financial institutions do not have to send annual privacy notices so long as (i) their information sharing practices have not changed since its last notice; and (ii) they do not engage in information sharing that requires providing customers with an opt-out under the GLBA.
On May 7, the CFPB issued a proposed rule that would provide financial institutions an alternative method for delivering annual privacy notices. The Gramm-Leach-Bliley Act (GLBA) and Regulation P require financial institutions to, among other things, provide annual privacy notices to customers—either in writing or electronically with consumer consent. Industry generally has criticized the current annual notice requirement as ineffective and burdensome, with most financial institutions providing the notices by U.S. postal mail. The proposed rule would allow financial institutions, under certain circumstances, to comply with the GLBA annual privacy notice delivery requirements by (i) continuously posting the notice in a clear and conspicuous manner on a page of their websites, without requiring a login or similar steps to access the notice; and (ii) mailing the notices promptly to customers who request them by phone.
Specifically, under the CFPB’s proposal, a financial institution subject to the GLBA privacy notice requirements would be permitted to post annual notices online, provided the institution:
- Does not share the customer’s nonpublic personal information with nonaffiliated third parties in a manner that triggers GLBA opt-out rights;
- Does not include on its annual privacy notice a Fair Credit Reporting Act (FCRA) § 603(d)(2)(A)(iii) notice regarding the ability to opt out of information sharing with the institution’s affiliates;
- Does not use its annual privacy notice as the only notice provided to satisfy affiliate marketing opt-out notice requirements under section 624 of FCRA;
- Has not changed the information included in the privacy notice since the customer received the previous notice;
- Uses the model form provided in Regulation P; and
- Inserts a clear and conspicuous statement, at least once per year on a notice or disclosure the institution issues under any other provision of law, announcing that the annual privacy notice is available on the institution’s website, such notice has not changed since the previous notice, and a copy of such notice will be mailed to customers who request it by calling a toll-free telephone number.
The CFPB cites the following benefits of the proposed rule:
- Provides consumers with constant access to privacy policies;
- Incentivizes financial institutions to limit their data sharing with unaffiliated third parties;
- Allows consumers who are concerned about their personal information to comparison shop before deciding which financial institution to use; and
- Reduces the cost for companies to provide annual privacy notices.
The proposed rule would provide some relief to industry, particularly where broader bipartisan legislative solutions have failed to gain substantial traction. Last year, the House passed legislation that would fully exempt a financial institution from the annual notice requirement if it (i) provides nonpublic personal information only in accordance with specified requirements, and (ii) has not changed its policies and practices with regard to disclosing nonpublic personal information from its most recent disclosure. A similar Senate bill introduced early last year has not moved forward, though its sponsor, Senator Sherrod Brown (D-OH), pressed the CFPB director about the issue during a hearing last fall.
The CFPB’s proposal will remain open for comment for 30 days following its publication in the Federal Register.
Recently, the CFTC’s Division of Swaps Oversight issued Staff Advisory No. 14-21, which recommends best practices for CFTC-regulated intermediaries to comply with applicable Gramm-Leach-Bliley (GLB) Act privacy requirements, consistent with the Division’s intention to focus more resources on GLB privacy compliance. The advisory states that its recommendations are generally consistent with guidelines and regulations issued by other federal financial regulators, and the majority of the specific best practices are supported with references to prior rules and guidance. A number of the best practices cite the Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness and a parallel FTC rule. Notably, several of the recommendations rely on a rule proposed by the SEC in 2008 but which has not yet been finalized. For example, the CFTC recommends based on that SEC proposal and the Interagency Guidelines that covered entities establish a breach investigation and notice process to alert potentially impacted individuals and to notify the CFTC. In addition, without referencing any other federal rule or guidance the Staff Advisory recommends that covered entities engage at least once every two years an independent party to test and monitor the safeguards’ controls, systems, policies and procedures, maintaining written records of the effectiveness of the controls.
Federal Reserve Board Proposes To Repeal Duplicative Regulations Amend Identity Theft Red Flags Rule
On February 12, the Federal Reserve Board proposed to repeal its Regulation DD, which implements the TISA, and Regulation P, which implements Section 504 of the GLBA because the Dodd-Frank Act transferred rulemaking authority for those laws to the CFPB, and the CFPB has already issued interim final rules implementing them. The Board also proposed to amend the definition of “creditor” in its Identity Theft Red Flags rule, which implements Section 615 of the FCRA. Generally, the Indemnity Theft Red Flags rule requires each financial institution and creditor that holds any consumer account to develop and implement an identity theft prevention program. The proposed revision will exclude from the foregoing requirements businesses that do not regularly and in the ordinary course of business (i) obtain or use consumer reports in connection with a credit transaction; (ii) furnish information to consumer reporting agencies in connection with a credit transaction; or (iii) advance funds to or on behalf of a person. The Board will accept comments on the proposal for 60 days from publication in the Federal Register.
On November 22, the CFPB released findings of a study the Bureau conducted on the impact of certain deposit regulations on the day-to-day operations of banking institutions, focusing on compliance costs related to checking accounts, traditional savings accounts, debit cards, and overdraft programs. The study collected information from seven banks about activities related to compliance with regulations implementing the Truth in Savings Act, the Electronic Fund Transfer Act, the financial privacy requirements of the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act (Regulations DD, E, P, and V, respectively), as well as FCRA’s adverse action requirements, which are not implemented by regulation. According to the Bureau, compliance costs were concentrated in the Operations, Information Technology, Human Resources, Compliance, and Retail functions, and banks incurred the most substantial costs complying with rules related to authorization rights, error resolution requirements, disclosure mandates, and advertising standards.
The report identifies the compliance-related activities that entailed the highest costs across business functions and suggests that “authorization rights” (i.e., opt-ins and opt-outs) and error-resolution requirements are the most costly to administer. The report also discusses the potential for the study—which the Bureau characterizes as representing “some of the most rigorous information currently available” on compliance costs—to advance research on the cost of compliance, influence the ultimate understanding of regulatory impacts on consumers and markets, and inform the CFPB’s ongoing efforts to avoid unnecessary compliance costs. The Bureau states that estimating the operational effects of consumer financial services regulation alone has “limited value to policymaking” and is mainly helpful in determining the impact of a specific regulation on product pricing and availability or market structure and competition. The Bureau concluded that research on the effects of regulations will remain an ongoing priority, but it will nevertheless continue to address problems observed in the marketplace — “mindful that, whatever the costs of regulation, the costs of not regulating adequately can be even larger.”
The full report, Understanding the Effects of Certain Deposit Regulations on Financial Institutions' Operations: Findings on Relative Costs for Systems, Personnel, and Processes at Seven Institutions, is available here.
On September 23, eight federal agencies, including the Federal Reserve Board, the CFPB, the OCC, and the FDIC, issued interagency guidance to clarify the applicability of Gramm-Leach Bliley Act privacy provisions to reporting suspected financial exploitation of older adults. The guidance states that although the Act generally prohibits a financial institution from disclosing nonpublic personal information about a consumer to any nonaffiliated third party without notifying the consumer and providing an opportunity to opt-out of the disclosure, the Act contains several exemptions that generally allow for the reporting of suspected elder financial abuse, either at the request of a local, state, or federal agency or on the financial institution’s own initiative.
On June 7, the FTC announced two new cases (and simultaneous settlements), one against a debt collector and the other against an auto dealer, alleging privacy and data violations based on the use of peer-to-peer file sharing software. In both cases, the FTC claims that the firms allowed file-sharing software to be installed on company computers, thereby allowing files containing personal customer information to be accessed by any other person using a networked computer. Both companies, according to the FTC, (i) did not have adequate security plans, (ii) did not use reasonable measures to enforce compliance with existing security policies, (iii) did not adequately train employees, (iv) did not use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks, and (v) failed to assess risk to consumers. For the debt collector, the FTC alleges that the failures constituted an unfair act or practice in violation of the FTC Act. The FTC claims that the auto dealer also violated the FTC Act and, for the first time, charges an auto dealer with violations of certain Gramm-Leach-Bliley (GLB) Act rules. The settlement orders with both companies bar misrepresentations regarding the privacy, security, confidentiality, and integrity of any personal information and require that the firms establish comprehensive information security programs that will be audited every other year for 20 years. The auto dealer also is barred from violating the GLB rules at issue.
- Sherry-Maria Safchuk to discuss UDAAP at an American Bar Association webinar
- Jeffrey P. Naimon to discuss "What to expect: The new administration and regulatory changes" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss “The future of fair lending” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Steven R. vonBerg to discuss "LO comp challenges" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss “The False Claims Act today” at the Federal Bar Association Qui Tam Section Roundtable