Banks and other financial institutions may be able to avoid costly manual mailings of annual privacy notices to customers and instead publish annual privacy notices on their websites under a new rule issued by the federal Consumer Financial Protection Bureau (CFPB).
Banks are required to give annual privacy notices to customers under the GrammLeach-Bliley Act (GLBA) and the CFPB’s Regulation P (12 CFR Part 1016). The new rule and Regulation P apply to certain non-bank financial institutions, as well.
The CFPB rule will take effect upon its pending publication date in the Federal Register.
The new rule allows banks and other financial institutions to use the website posting method only if certain conditions are met, including:
Also, for any financial institution that discloses customer information in a way that triggers “affiliate marketing” opt-out rights under FCRA, the financial institution must also do one of the following before it can use the new website method to disclose the annual privacy notice:
To use the website disclosure method for annual privacy notices, a financial institution must insert a clear and conspicuous statement at least once per year on an account statement, coupon book or any notice or disclosure required or expressly permitted under law, announcing that:
Also, in this statement, the customer must be provided with a specific web address that takes the customer directly to the page where the privacy notice is available, rather than requiring the customer to find that page via links on the website.
The financial institution must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login, password or similar steps to access the notice. Also, the notice must be posted on a page of the website that contains only the notice.
In addition, to assist customers with limited or no access to the Internet, the financial institution must mail annual notices to customers who request them within 10 days of any such request.