An amendment creating an exception to the annual privacy notice delivery requirement for financial institutions has been signed into law by President Obama as part of the “Fixing America’s Surface Transportation Act” (FAST Act).

Section 75001 of the FAST Act, signed into law on December 4, 2015, amends Section 503 of the Gramm-Leach-Bliley Act (GLBA) to add an exception to the annual notice delivery requirement for any financial institution that (1) only shares nonpublic personal information (NPI) as permitted by the GLBA without providing consumers with notice and opt-out rights, and (2) has not changed its policies and practices with regard to disclosing NPI since its most recent disclosure sent to consumers.

Since the CFPB and other federal agencies, including the FTC, have issued GLBA regulations, those regulations will need to be amended to reflect the exception created by the FAST Act.  Nevertheless, the exception created by the amendment is effective immediately.

For more on the amendment, see our legal alert.

A new lawsuit filed by the CFPB in a California federal district court alleges that the defendants, a company and its individual owner, are engaged in a nationwide student financial aid scam.  In addition to injunctive relief, the complaint seeks redress for harmed consumers and civil money penalties.

According to the CFPB’s complaint, the defendants contacted students and their families using letters and envelopes with images intended to create the false impression that the defendants were affiliated with the federal government or a college.  The letters were accompanied by a form to be completed by the student or the student’s family to apply for financial aid and returned to the defendants with a processing fee.  (The CFPB claims that the form looked visually similar to the Department of Education’s Free Application for Federal Student Aid and used similar terms.)

The defendants allegedly promised to use the information provided on the form to conduct extensive searches to match students with financial aid opportunities.  The CFPB claims that, in exchange for sending the form and fee, consumers received “absolutely nothing” or received only “a generic booklet that is not tailored to the consumers’ circumstances.”  It also claims that the defendants created an artificial sense of urgency by telling consumers that they would lose their opportunity to receive student financial aid unless they returned the form and paid the fee by a specified deadline.

The CFPB alleges that the defendants’ conduct violated the CFPA’s UDAAP prohibition.  It also alleges that by accepting a fee from a consumer, the defendants established a customer relationship that triggered the obligation to send an initial privacy notice under Regulation P but failed to provide such notice.


The Office of the Inspector General (OIG) has released the “2015 list of major management challenges” faced by the CFPB that the OIG believes will hamper the CFPB’s ability to accomplish its strategic objectives.  As in the 2014 list, one of the challenges identified by the OIG is the need to ensure that the CFPB has an effective information security program.  Due to the advanced persistent threats faced by the federal government, the OIG concluded that the CFPB needs to strengthen its defenses against attacks from outside governments, organized groups, and other threats.  The OIG identified four high-priority security risk areas for CFPB improvement:

  • Continuous monitoring to assess security controls and system configurations
  • Configuration management of CFPB systems
  • Role-based security training for individuals with significant security responsibilities
  • Incident response and reporting

The OIG applauded the CFPB’s efforts to build out its Cybersecurity Program Management Office, but the OIG recommended that the CFPB should continue improving its information security program, overseeing the security of contractor-operated information systems, transitioning IT resources from the Treasury Department, and ensuring that personally identifiable information (PII) is properly protected, including the PII that the CFPB receives from consumer complaints about credit card accounts, mortgage loans, and other consumer financial products and services.

The FTC recently proposed amendments to its Gramm-Leach-Bliley Act (GLBA) rules requiring motor vehicle dealers to send their customers an annual privacy notice.  The amendments would allow motor vehicle dealers to notify their customers that a privacy policy is available on their website, subject to certain conditions.  Comments on the proposal are due on or before August 31, 2015.

While Dodd-Frank transferred primary jurisdiction over the GLBA to the CFPB, the FTC retained authority over motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both.  The FTC’s proposal closely reflects the final rule issued last year by the CFPB for financial institutions subject to the CFPB’s GLBA rulemaking authority.

For more on the FTC’s proposal, see our legal alert.

Democrats on the Senate Banking Committee have released a regulatory relief bill intended to be an alternative to the bill released by Senator Richard Shelby.  While Senator Shelby’s bill is entitled the “Financial Regulatory Improvement Act of 2015,” the alternative bill is entitled the “Community Financial Institution Regulatory Relief and Consumer Protection Act of 2015.”

The bill released by Democrats includes the same provision as Senator Shelby’s bill directed at the annual financial privacy notice required by the Gramm-Leach-Bliley Act (GLBA).  Like Senator Shelby’s bill, the alternative bill would amend the GLBA to create an exception under which a financial institution would not have to deliver an annual financial privacy notice if it satisfied certain conditions. Key among such conditions is that the institution has not changed its policies and practices with respect to sharing nonpublic personal information from those disclosed in its most recent annual financial privacy notice.

The alternative version would also amend the Consumer Financial Protection Act to add various provisions of the Servicemembers Civil Relief Act to the “enumerated consumer laws” that can be enforced by the CFPB.  In addition, it would amend the TILA ability to repay provision by creating a safe harbor for mortgage loans that meet certain conditions and are held in portfolio by banks and credit unions with less than $10 billion in assets.  This safe harbor is substantially narrower than the safe harbor that Senator Shelby’s bill would create.

Senator Shelby’s bill is scheduled for markup on May 21, 2015.

In addition to the numerous mortgage-related provisions in Senator Shelby’s regulatory reform bill entitled the “Financial Regulatory Improvement Act of 2015,” the bill contains a provision directed at the annual financial privacy notice required by the Gramm-Leach-Bliley Act (GLBA), which is implemented by Regulation P.  In October 2014, a CFPB amendment to Regulation P became effective that allows financial institutions that meet certain requirements to deliver annual financial privacy notices to their customers using an alternative online delivery method.

Section 101 of the regulatory relief bill would go a step further by amending the GLBA to create an exception under which a financial institution would not have to deliver an annual financial privacy notice if it (1) does not share nonpublic personal information (NPPI) with nonaffiliated third parties in a manner that triggers GLBA opt-out rights, (2) has not changed its policies and practices with respect to sharing NPPI from those disclosed in the most recent annual privacy notice, and (3) otherwise provides customers access to the institution’s most recent annual privacy notice in electronic or other form permitted by regulations.

Earlier this week, the House of Representatives, in bipartisan votes, passed the following regulatory reform bills:

  • The “Eliminate Privacy Notice Confusion Act,” H.R. 601, would create an exemption from the Gramm-Leach-Bliley Act’s annual notice requirement for institutions that have not changed their privacy policies since their most recent annual notice and only share personal information within the statutory exceptions.  In October 2014, the CFPB issued a final rule that amended Regulation P to allow a financial institution that meets certain requirements, including generally having no change in its most recent privacy notice, to deliver annual privacy notices to its customers using an alternative online delivery method.  The bill would eliminate the annual notice requirement entirely for institutions that qualify for the exemption.
  • The “Helping Expand Lending Practices in Rural Communities Act,” H.R. 1259, would direct the CFPB to establish an application process to apply for an area to be designated as a rural area if the CFPB has not already designated it as such.  The CFPB has created exemptions from certain mortgage rules, including the qualified mortgage rule, for small banks that operate primarily in rural or underserved areas.
  • The “Federal Advisory Committee Act,” H.R. 1265, would apply the requirements of the Federal Advisory Committee Act to the CFPB.  While the CFPB reversed its closed-door policy to make meetings of its advisory boards and councils open to the public, the bill would mandate that such meetings be open to the public, subject only to the exceptions allowed by the FACA.
  • The “SAFE Act Confidentiality and Privilege Enhancement Act,” H.R. 1480, would amend the S.A.F.E. Mortgage Licensing Act of 2008 to allow information provided to the Nationwide Mortgage Licensing System and Registry to be shared with state and federal regulatory officials with financial services oversight authority (such as the Fed) without loss of privilege or confidentiality protections provided by federal and state laws.  Currently, the privilege and confidentiality protections only apply to information shared with state and federal regulatory officials with mortgage industry oversight authority.

All of the bills were supported by the American Bankers Association.

Nearly three years after identifying the Gramm-Leach-Bliley Act (GLBA) annual privacy notice requirement as a candidate for streamlining, the CFPB issued a final rule earlier this week to allow financial institutions that meet certain requirements to deliver such notices using an alternative online delivery method.  The rule will be effective immediately upon its publication in the Federal Register.

Financial institutions have typically mailed these notices.  Under the CFPB’s final rule, a financial institution that meets the rule’s requirements will be able to save on mailing costs by posting its annual privacy notice on its website.  While offering potential benefits to banks and nonbanks, the CFPB’s final rule does not amend separate GLBA regulations that have been issued by the SEC, CFTC or FTC.  This means the CFPB’s final rule will not apply to an entity that is subject to the GLBA regulations of these other agencies.  For example, auto dealers for whom the FTC has GLBA rulewriting authority would not be able to take advantage of the CFPB’s final rule.

While industry is generally pleased with the CFPB’s issuance of the final rule, the CFPB’s progress on streamlining has been limited.  The GLBA annual privacy notice requirement was one of nine specific potential opportunities for streamlining regulations identified by the CFPB in the notice it published in December 2012.  In the notice, the CFPB also sought input from commenters on other streamlining opportunities.  Although two of the other specific opportunities identified by the CFPB have been addressed (the ATM sticker notice which was eliminated by Congress in 2012 and the credit card independent ability-to-pay requirement for applicants who are 21 or older which the CFPB eliminated last year), other streamlining opportunities identified by the CFPB and commenters continue to await the CFPB’s attention.  In the December 2012 notice, the CFPB suggested that it would focus on streamlining once it had completed the mortgage-related rulemaking required by Dodd-Frank.  Now that such rulemaking is nearly completed, we hope the CFPB will make streamlining a priority.

For a discussion of the rule’s requirements for using the alternative online delivery method, see our legal alert.

The CFPB is extending the comment period on its proposed rule that would amend Regulation P to allow financial institutions that satisfy certain conditions to deliver annual privacy notices to their customers using an alternative online delivery method. 

In a notice to be published in tomorrow’s Federal Register, the CFPB states that it is extending the deadline for comments to be filed from June 12, 2014 to July 14, 2014.  According to the notice, the CFPB received “a coordinated request from banking and financial service provider trade associations” asking for the comment period to be extended from 30 to 90 days.  The CFPB determined that only a 30-day extension was appropriate.

The CFPB has published a proposed rule that would amend Regulation P to allow financial institutions that satisfy certain conditions to deliver annual privacy notices to their customers using an alternative online delivery method. 

Under the Gramm-Leach-Bliley Act, financial institutions must provide initial and annual privacy notices that inform customers about the sharing of their nonpublic personal information with third parties.  Financial institutions have typically provided the annual privacy notice through direct mailings, but the proposed rule could potentially save some financial institutions the costs of mailing by posting the annual privacy notice in a clear and conspicuous manner on the institutions’ websites and directing customers to the notice via a statement message or other communication at least once annually. 

For a detailed summary of the proposal, see our legal alert.