ABA: The American Bankers Association

Does the bank have to send its customers a revised annual privacy notice on the basis that the bank has changed its policies and practices with regard to disclosing nonpublic personal information?

My bank currently discloses in its privacy notice that it has an affiliated title company. The bank is planning to discontinue this affiliate relationship. Does the bank have to send its customers a revised annual privacy notice on the basis that the bank has changed its policies and practices with regard to disclosing nonpublic personal information?

No, the bank will not be required to provide a revised annual privacy notice.

There are two laws involved here: the Gramm-Leach-Bliley Act (GLBA) and its implementing regulation, Regulation P; and the Fair Credit Reporting Act (FCRA) and its implementing regulation, Regulation V. GLBA requires banks to describe how they share customers’ (and other consumers’) information with non-affiliates (§1016.1 of Regulation P). FCRA requires banks to provide notices about how information is shared with affiliates and about consumers’ right to opt out of that sharing. One FCRA notice applies when information “other than transaction and experience” information is shared with affiliates (§603(d)(2) of FCRA). A second FCRA notice applies when banks share any information (transaction and experience and “other” information) with affiliates for marketing purposes (§1022.21 of Regulation V).

The GLBA notice must be provided annually (with some exceptions). In contrast, the FCRA notice is provided before the bank shares customer information with affiliates, which is typically going to be only once (unless the customer opts out of having information shared for marketing purposes, in which case a notice might again be provided after that opt-out expires, i.e., after five years). FCRA does not require banks to notify customers that they are discontinuing their practice of sharing information with an affiliate, for example, because the affiliate will no longer be an affiliate. However, if the bank plans to continue sharing information with the title company after its disaffiliation, it would be required to update and send the annual GLBA notice, as this is a change in the GLBA sharing practices.

The confusion about whether to provide an updated annual privacy notice in this situation may stem from two facts: the GLBA and FCRA notices are combined, and the 2015 amendments to GLBA allow banks to forgo sending the annual GLBA notice if they: (1) do not share information with non-affiliated third parties; (2) do not share outside of the exceptions listed in the privacy regulation; and (3) have made no changes to their GLBA privacy sharing practices since they provided the last annual notice.

Some may be assuming that a change to the FCRA notice disqualifies the bank from the exemption from the annual GLBA notice requirement. However, it does not. Thus, if the only change is that the bank discontinues sharing information with the affiliate, which is to become unaffiliated, the bank need not provide an annual privacy notice, assuming the other two conditions are met. (February 2020)
