They’ve done it with those bulky stock prospectuses, so why not cut back on mailings of annual privacy notices from financial institutions. After all, it could save the institutions a combined $17 million yearly.
There’s a good chance it might just happen. A really good chance.
Last week, the Consumer Financial Protection Bureau proposed a new rule designed to make privacy disclosures for financial institutions more effective, and less expensive and tedious. Instead of mailing out the notices each year to perhaps millions of customers, card issuers and other financial organizations within the bureau’s jurisdiction may post the notices online.
But they may only do so if they satisfy certain conditions, such as not sharing data in ways that would trigger consumers’ opt-out rights, according to the CFPB.
“Consumers need clear information about how their personal information is being used by financial institutions,” bureau Director Richard Cordray said in a statement. “This proposal would make it easier for consumers to find and access privacy policies, while also making it cheaper for industry to provide disclosures.”
The proposal would apply to both banks and those nonbanks that are within the CFPB’s jurisdiction. The bureau will make the proposal available for public comment for 30 days.
Under the Gramm-Leach-Bliley Act of 1999, financial institutions became required to send annual notices to their customers describing whether and how they share consumers’ nonpublic personal information, effective July 2001. If the institution shares this information with an unaffiliated third party, it typically must notify consumers of their right to opt out of the sharing and inform them of how to do so.
The act, however, does not stop an institution from providing personal information to outside companies and organizations, according to the Federal Deposit Insurance Corp. (FDIC). Such instances, for example, can be when the information is used to market the institution’s own products or services; promote certain products or services jointly with another financial institution; or enable a third party to help conduct normal business for the institution, such as handling data processing for accounts or mailing account statements, the FDIC says on its website.
In addition, the Fair Credit Reporting Act (FCRA) allows an institution to share with affiliates (other parts of the same corporate family) certain information based on customers’ transactions with the institution, and the customer may not have the option to opt out.
For example, according to the FDIC, a bank can tell an affiliated brokerage firm that a customer has a certificate of deposit about to mature, so it can offer the individual an investment alternative. The consumer’ bank, however, cannot provide an affiliate with personal information, such as from a credit report or loan application unless the individual is given a chance to opt out. That’s because that information is not based solely on transactions conducted with the bank.
The CFPB’s proposal would apply to both banks and those nonbanks that are within the bureau’s jurisdiction under the act. Institutions choosing to use the new method to deliver privacy notices would have to use the model disclosure form federal regulatory agencies developed in 2009.
Moreover, institution qualified for and wanting to rely on the online disclosure method would have to inform consumers annually about the availability of the disclosures. Currently, institutions must send consumers a separate communication about privacy disclosures.
But under the bureau’s proposed rule, they may insert the communication about online access to the privacy disclosures in regular consumer communication, such as a monthly billing statement for a credit card. They also must let them know they may receive the disclosure in a paper form by request at a toll-free telephone number.
Institutions choosing not to use the online disclosure method would simply continue to deliver annual privacy notices via mail to their customers.
As the CFPB sees it, its proposed rule offers several benefits:
- Constant access to privacy policies: Consumers whose financial institution chooses the proposed alternative delivery method would be able to view their institution’s privacy policies at any time, while still receiving notices through existing delivery methods if the policies’ terms changed. The online privacy notices would not require a login to view. For those customers with limited or no Internet access, financial institutions would have to mail annual notices promptly to customers who request them by phone.
- Limited data sharing: If an institution shares data with unaffiliated third parties in a way that triggers customers’ right to opt out of such sharing, then that institution generally would not be allowed to use the online-delivery method. For this reason, financial institutions would be motivated to limit their sharing to reduce their costs.
- Comparison shopping: If financial institutions’ privacy policies are posted openly on their websites, they must use the model disclosure form designed by federal regulators. In doing so, this would allow consumers concerned about their personal information to more easily comparison shop before deciding which financial institution to use.
- Cheaper for companies to notify consumers of privacy practices: The rule would potentially reduce the cost for companies to provide annual privacy notices. According to the bureau, the industry would save about $17 million annually choosing the proposed online disclosure method.