#2155789 - 12/01/17 08:39 PM Revised Privacy Notice in 2016-Annual Notice Req?
Likes to Comply Offline
Diamond Poster
Joined: Nov 2008
Posts: 1,109
In the mountains
We would typically qualify for the FAST Act GLBA exception; however, in 2016 the privacy policy changed. 1016.5(e)(2)(i) seems to indicate that after a redisclosure required under 1016.8, the annual notice requirements of 1016.5(a) would apply. It appears that the requirement to provide the notice in 2017 would be subject to 1016.9 which seems to indicate that since we do not meet 1016.9(c)(2)(i)(D) we would be subject to 1016.5(a)(1) – to send in writing or if agreed electronically.

Do you agree that we must provide an annual privacy notice in 2017?
_________________________
Always learning something new...

#2155793 - 12/01/17 08:57 PM Re: Revised Privacy Notice in 2016-Annual Notice Req? Likes to Comply
Monster Offline
Platinum Poster
Joined: Sep 2015
Posts: 500
Where are you seeing 1016.5(e)(2)(i)? Is it an old source?

https://www.ecfr.gov/cgi-bin/text-idx?SI...15&rgn=div8
Last edited by GilaMonster; 12/01/17 08:58 PM. Reason: incorrect capitalization
#2155796 - 12/01/17 09:06 PM Re: Revised Privacy Notice in 2016-Annual Notice Req? Likes to Comply
Likes to Comply Offline
Diamond Poster
Joined: Nov 2008
Posts: 1,109
In the mountains
Sorry...I guess that's from the proposed rules. I was applying them because even though the rule isn't final, the law regarding the exception had been passed.

https://www.bankersonline.com/regulations/12-1016-005
_________________________
Always learning something new...

#2155798 - 12/01/17 09:12 PM Re: Revised Privacy Notice in 2016-Annual Notice Req? Likes to Comply
Adam Witmer Offline
Power Poster
Joined: Sep 2010
Posts: 2,658
Originally Posted By Likes to Comply
Do you agree that we must provide an annual privacy notice in 2017?


I'm not sure anyone can really confirm this for you as the FAST Act changes to 1016.5 are only proposed at this point. The conservative approach is to just send the notice in 2017. If you want to avoid sending it, I would contact your primary regulator for their opinion. If they give you the green light to not send it, get it in writing and cross your fingers that a later examiner doesn't disagree.

The problem in answering your question is that the FAST Act language seems fairly general, but the preamble in the proposed changes to Regulation P (1016.5) goes into quite a bit of detail on different scenarios (such as changes to the FCRA part of the privacy policy) on what actually triggers an institution to not qualify for the exemption. In fact, several of the details were not proposed by the CFPB, but rather, were requested for comment.

The full proposal can be found here: https://www.federalregister.gov/document...ct-regulation-p
_________________________
Adam Witmer, CRCM

All statements are my opinion, not those of my employer, and should not be taken as legal advice.
www.compliancecohort.com

#2155817 - 12/02/17 03:31 PM Re: Revised Privacy Notice in 2016-Annual Notice Req? Likes to Comply
Elwood P. Dowd Offline
10K Club
Elwood P. Dowd
Joined: Aug 2001
Posts: 21,939
Next to Harvey
Interagency exam procedures, read carefully, reflect current compliance requirements.

Congress amended the statute. As the current regulations are in conflict with the statute, their requirements are moot. The annual notice is no longer required. Without regard to what proposed regulations may or may not say, if you amend your policy, notice is required.
_________________________
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.

#2155820 - 12/02/17 04:55 PM Re: Revised Privacy Notice in 2016-Annual Notice Req? Elwood P. Dowd
Adam Witmer Offline
Power Poster
Joined: Sep 2010
Posts: 2,658
Originally Posted By Ken_Pegasus
read carefully


...is the key here. Again, the conservative approach is to just send the notice.
_________________________
Adam Witmer, CRCM

All statements are my opinion, not those of my employer, and should not be taken as legal advice.
www.compliancecohort.com

#2155830 - 12/03/17 03:42 PM Re: Revised Privacy Notice in 2016-Annual Notice Req? Adam Witmer
Elwood P. Dowd Offline
10K Club
Elwood P. Dowd
Joined: Aug 2001
Posts: 21,939
Next to Harvey
No. The OP has no choice but to send notice of the change. For others, mailing the "annual notice" is just a waste of time and money. It could and should draw a third party reviewer's criticism based on a lack of understanding of compliance requirements.
_________________________
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.

#2155849 - 12/04/17 01:52 PM Re: Revised Privacy Notice in 2016-Annual Notice Req? Likes to Comply
Adam Witmer Offline
Power Poster
Joined: Sep 2010
Posts: 2,658
Ken, I agree with you that the OP has no choice but to send notice of the change. However, I was thinking the question was whether they had to continue sending an annual notice after sending a revised notice as the OP referenced the proposed 1016.5(e)(2)(i) which is the section for when a bank now shares information and provides an opt-out, which was confusing as they also said that they would typically qualify for the FAST Act GLBA exception. They either qualify for the exemption going forward or they don't, which is why they might want to contact their regulator if they are unsure. If they don't share information under 1016.8, then the proper citation would have been 1016.5(e)(2)(ii) of the proposal as 1016.5(e)(2)(i) applies when you are now sharing information.

So to answer the original question:

Originally Posted By Likes to Comply
1016.5(e)(2)(i) seems to indicate that after a redisclosure required under 1016.8, the annual notice requirements of 1016.5(a) would apply.

If they revised their policies and now share information and have an opt-out, proposed 1016.5(e)(2)(i) would apply and require ongoing annual notices.

If they revised their policies but still no longer share information and don't have an opt-out, proposed 1016.5(e)(2)(ii) would apply and does not require an ongoing annual notice. The preamble to 1016.5(e)(2)(ii) makes this clear: "Specifically, after providing the one annual notice, the financial institution would once again meet both of the conditions for the exception—it would not be sharing other than as described in a Regulation P exception and its policies and practices would not have changed since it provided the annual notice. Because the financial institution would once again meet the conditions for the exception, it would not be required to provide future annual notices. In other words, these financial institutions would likely lose the exception for only a single year."

All that said, this is probably pointless as this is only a proposal and the final rule will likely have changes.
_________________________
Adam Witmer, CRCM

All statements are my opinion, not those of my employer, and should not be taken as legal advice.
www.compliancecohort.com

#2155976 - 12/04/17 09:50 PM Re: Revised Privacy Notice in 2016-Annual Notice Req? Likes to Comply
John Burnett Offline
10K Club
John Burnett
Joined: Oct 2000
Posts: 40,086
Cape Cod
The whole point is to ensure that all of your affected customers learn of the change in policy. Once that is accomplished, you are good to go back to no annual notice.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8


Moderator:  Andy_Z, John Burnett