Congress Eliminates Annual Privacy Notice Requirement for Certain Financial Institutions
President Obama signed into law on December 4, 2015 a bill1 that amended Section 503 in Title V of the Gramm-Leach-Bliley Act (G-L-B Act), with the result that financial institutions – including investment companies and investment advisers – will be able to forego providing their customers with an annual privacy notice under certain circumstances (Amendment). The Amendment is effective immediately.
This OnPoint explains the conditions that investment companies, investment advisers and other financial institutions must meet in order to take advantage of the Amendment’s exception to the annual privacy notice requirement. This OnPoint also explains that the nature of their businesses and the nature of the nonpublic customer information (NPI) they share with non-affiliated third parties, makes it likely that many funds and investment advisers will be able to meet the conditions set forth in the Amendment, meaning that they may no longer need to provide privacy notices to their shareholders or clients on an annual basis.
The G-L-B Act: A Brief Refresher
Summary of Current Requirements
The G-L-B Act requires financial institutions to provide their customers with a privacy notice at the outset of the customer relationship and on an annual basis thereafter.2 The privacy notice must disclose: the categories of NPI that the financial institution collects from its customers; how it shares NPI with non-affiliated third parties; and how it safeguards and protects that information. The G-L-B Act also requires financial institutions to provide customers with the opportunity to “opt out” of some, but not all, types of information sharing. For example, if a financial institution were to share information about a customer’s creditworthiness with a non-affiliated third party so the third party could market to the customer, the financial institution would need to give its customer an opportunity to “opt out” of having that information shared.
However, the G-L-B also provides exceptions to the “opt out” requirement, including, for example, when a customer’s NPI is shared with non-affiliated third parties only for the financial institution’s everyday business purposes, such as processing the customer’s transactions or maintaining the customer’s accounts. When a financial institution only shares a customer’s NPI in a way that is covered by the exceptions, the financial institution does not need to provide its customers with an opportunity to “opt out” of having their NPI shared. The financial institution would still need to deliver a privacy notice to its customers at the beginning of the customer relationship and annually thereafter that sets out the categories of NPI it collects and the ways in which it shares NPI; the customer simply would not have the right to “opt out” of that information sharing.
The Amendment removes a financial institution’s obligation to provide an annual privacy notice to its customers when two conditions are met. First, the financial institution may share NPI only pursuant to certain exempt categories, including: (i) with a nonaffiliated third party with which the financial institution performs joint marketing pursuant to a contractual agreement (this category has certain additional requirements); (ii) in order to effect, administer or enforce a transaction that a consumer requests or authorizes (such as with a non-affiliated transfer agent for an investment company); or (iii) as required by law.3 Second, the financial institution cannot have changed its policies and practices with respect to how it shares NPI from the policies and practices that were disclosed in the most recent disclosure sent to consumers. Note that all financial institutions would continue to be obligated to provide an initial privacy notice to consumers.
The Amendment does not remove all obligations of financial institutions to deliver an annual privacy notice to their customers, but to the extent a given financial institution can meet the two conditions laid out in the Amendment, the financial institution no longer needs to do so. Due to the fact that many funds and investment advisers do not share NPI in ways that require them to provide their customers with an “opt out” notice, and also do not frequently change the ways in which they share NPI, many funds and investment advisers will be able to forego delivering an annual privacy notice to their customers. It is important to note, however, that the decision to forego delivering an annual privacy notice is not a one-time consideration. Instead, financial institutions may want to make the decision on an annual basis after confirming that they do not share NPI in a way that requires them to provide an “opt out” notice, and that they have not changed their sharing practices since they last provided their customers with a privacy notice. Furthermore, it should be noted that the Amendment in no way eliminates a financial institution’s obligation to provide its customers with an updated privacy notice prior to sharing customer information in way that is contrary to the information disclosed in its most recently delivered privacy notice.
1) The bill, entitled the Surface Transportation Reauthorization and Reform Act of 2015, includes the Eliminate Privacy Notice Confusion Act of 2015.
2) The G-L-B Act directs certain government agencies that regulate financial institutions, including the Securities and Exchange Commission (SEC), Federal Trade Commission (FTC) and Commodity Futures Trading Commission (CFTC), to implement regulations to carry out the provisions of the G-L-B Act and to enforce those regulations. Pursuant to the G‑L-B Act, the SEC adopted Regulation S-P (Reg. S-P), which applies to investment advisers, broker-dealers and investment companies registered with the SEC, the FTC adopted its Privacy of Consumer Financial Information Rule (FTC Privacy Rule), which applies to various other financial institutions (including non-registered advisers and certain investment companies that are exempt from SEC registration) and the CFTC adopted CFTC Reg. 160 (CFTC Privacy Rule), which applies to all futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, major swap participants and swap dealers that are subject to the jurisdiction of the CFTC. Reg. S-P, the FTC Privacy Rule and the CFTC Privacy Rule each have an annual privacy notice requirement. The SEC, FTC and CFTC have not yet updated Reg. S-P, the FTC Privacy Rule or the CFTC Privacy Rule respectively, to account for the Amendment. Nonetheless, the Amendment is effective immediately.
3) See Sections 502(b) and 502(e) of Title V of the Gramm-Leach-Bliley Act of 1999, available here, which, among other exceptions, does not prohibit the disclosure of NPI in order to “comply with Federal, State or local laws” or “respond to judicial process or government regulatory authorities having jurisdiction over the financial institution.”