The changes are as follows:

1. We would like to share “information about your transactions and experience” with our affiliate (ABC Financial Advisors)
2. We would like to share “information about your creditworthiness” with our affiliate (ABC Financial Advisors).
3. “For our affiliates to market to you.”

Reasons we can share your personal information Does ABC Bank Share? Can You Limit Sharing
For our affiliates’ everyday business purpose- information about your transactions and experiences Yes No
For our affiliates’ everyday business purpose- information about your creditworthiness Yes Yes
For our affiliates' to market to you Yes Yes

Note: When looking at the preview, the responses to "Does ABC Bank Share?" and Can You Limit Sharing" did not line up correctly. The yes and no columns should be under these captions - not sure how it will actually post..

Before we can share we must send out the new Privacy Notice to all customers and have a process to document "opt out" submissions. We can begin sharing information 30 days after the mailing. Under FRCA guidance, the bank will not share the credit report on file. On the deposit side we would access and share the customers total relationship with our affiliate ABC Financial Services.

Question: The Privacy Officer says because we want to allow "our affiliates' to market to you" we would have to send the Privacy Notice Annually. Is this correct?

Great question, 2old2care. The trick here is that you have requirements of both 1) GLBA/Reg P and 2) FCRA/Reg V. Under GLBA/Reg P, you will be required to provide a one-time notice (under 1016.5(e)(ii) but will not be required to send an annual notice going forward as you are not sharing non-public personal information to nonaffiliated third parties under 1016.5(e)(i).

The FCRA and Reg V require the opt-out for sharing of information with affiliates. These rules, however, do not require an annual notice. The trick with these rules is that you have the option of only permitting the opt-out to last 5 years. If you do this, you would need to give each customer who's opt-out is expiring a chance to renew the opt-out. This could be accomplished through an annual notice under GLBA/Reg P. If, however, you permit your FCRA opt-outs to last through the relationship (or until the customer tells you otherwise), then you wouldn't need to worry about the 5 year renewal option.

In other words, if you only offer an affiliate opt-out, you will be required to send a one-time notice (like you said), but won't need to send an annual notice going forward (assuming you allow your opt-out to last for the entire relationship).

(NOTE: At one point, the rules were different that basically said that if you had an FCRA opt-out you couldn't qualify for the annual notice exemption. Fortunately, that requirement does not exist under the current version of the rule.)

Thank you so much. The process should be simple, after all it is a Privacy Notice. The hard part is when more than one regulation is in play. Your response is very clear an concise. I so appreciate you taking the time to respond.

If you change your Privacy Notice because you've entered into a joint marketing agreement with another financial company (Elan), do you need to disclose to all customers and provide an opt-out?

If you previously did not share information for joint marketing with other financial companies and you now intend to, then you would have to provide an updated Privacy Notice and opportunity to opt-out, as well as provide a reasonable amount of time for opt-outs prior to sharing the information.

Section 1016.8

Section 1016.8 doesn't apply because they would fall under the 1016.13 exemption for joint marketing, assuming they have a compliant joint marketing agreement. There is no opt-out for non-affiliated joint marketing.

I believe in this case, if you haven't already disclosed joint marketing agreements on your initial privacy policy disclosure, you just lose your exemption for the annual disclosure under 1016.5.

(e) Exception to annual privacy notice requirement. (1) When exception available. You are not required to deliver an annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 1016.13, § 1016.14, or § 1016.15; and
(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.

If you changed your privacy notice in regards to 1016.13 (joint marketing), then you have to provide a one-time redisclosure under 1016.5(e)(2) but still do not need an annual notice going forward (after the one-time notice) and don't need an opt-out - assuming no other changes are made.

For a quick citation, as this can be confusing, we look at the exceptions to the annual notice in 1016.5(e)(1)(ii) that says you do not need to send an annual notice if you: "(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part."

For clarification, 1016.6(5) says this: "(5) If you disclose nonpublic personal information to a nonaffiliated third party under §1016.13 (and no other exception in §1016.14 or §1016.15 applies to that disclosure), a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted;

The example in 1016.5(e)(2)(iii)(B) applies in your situation: "(B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notices to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section."

To follow-up on this string, if a Bank changes their sharing practices for marketing purposes and provides customers with an updated privacy policy via a statement insert, is an additional message/letter required to alert the customers of the change?

No. There is no requirement to send an additional message/letter since you provided an updated privacy policy, but you certainly could do so for PR/customer relations purposes.

I have a similar problem with our Privacy Notice. We have not sent annual notices since the last regulatory change that relieved us from doing so. We have had no changes with sharing. The changes we do have now include:

A bank logo change
A name change of an affiliate
The exclusion of a joint marketing partner

None of these changes seem to require a redisclosure under either GLBA or FCRA. However, when we make these changes on our initial combined model notice, must the (1) Date last revised (upper right-hand corner) be updated? An examiner corrected me for changing that date years ago when we still sent out annual notices with absolutely no changes!