Thursday, October 30, 2014

Same Old Same Old Reg P?

On October 20th of 2014, the CFPB made public their final rule on updating Regulation P, the reg that requires banks to annually snailmail those clunky Privacy Policy notices to customers, where the only words we likely understand are FACTS, WHY, WHAT, and HOW.  Many expected that the updated ruling would allow banks to substitute website-based Privacy Policy display for snailmail notification, and would give banks latitude and guidance to provide clearer, more specific, more understandable privacy information to customers.

So how did those expectations work out?  Will customers be better informed under the new rule?

Maybe.  It's complicated.


Under the new rule, banks are indeed now enabled to post Privacy Policies on websites provided that they comply with each of 9 detailed requirements. Although these details may seem limiting, we believe that a large percentage of institutions will qualify and will switch to e-posting for the best of reasons:  Customers will have continual access to up-to-date bank privacy policy.  (The fact that banks will likely save printing and mailing expense will be a contributing motive.)   


Happy customer, happy bank ... life is good. But there's a kicker in the rule.  All of this works if and only if: 
§1016.9(c)(2)(i)(E) You use the model privacy form in the appendix to this part for your annual privacy notice.

Yes, it's the same old same old model privacy form designed by a large committee in 2009 and printed on millions of trash-bound mailers since 2010!

Huh?   The privacy boilerplate I haven't understood for years on my mailer will now be available continuously online for me to not understand as I view it on my desktop?  My iPad?  My smartphone?  This is progress?

Actually, yes, this is indeed progress.  The silver lining to the Regulation P revision is this:  Given that a bank e-posts the compliant Model Form, nothing prohibits the additional availability of, and one-click access to, modern, special-purpose "layers" of privacy information optimized for customer focus and understanding.

Because it's cleared the way for innovative and effective digital privacy communication for masses of Americans, the revised Reg P is a great win for banking customers, and a giant step forward for consumer privacy.

Next blog, we'll explore the many new opportunities facilitated by e-delivery and a "layered" approach to privacy notification.





Thursday, September 25, 2014

Change Coming To Bankers

Previously, we've pointed out that under existing US banking rules, most financial institutions are required by law to annually mail a printed privacy notice to you, their customer.

A change to that rule is coming soon in that the CFPB has stated its intention to amend Regulation P.  They plan to update it, and modify the rules covering how customers receive notice of what banks do with the personal information they gather.


The actual changes that CFPB has proposed are available here. They are complex, but here are some highlights of what might be expected when Reg P gets its makeover:


  • Many banks that are currently required to mail the annual privacy notice will now be able to post it electronically for your examination using your smartphone, tablet, laptop, or desktop computer.

  • When posted electronically, it will be available on a webpage that contains only the privacy notice, displayed continuously in a clear and conspicuous manner.

  • When posted electronically, the customer will not be required to first provide any information such as login name or password, or to agree to any conditions for access.

    When will this be happening? The CFPB published notice of their proposal to update Reg P on May 13, 2014, requesting public comments. That public comment period ended on July 14, 2014, with 126 public comments having been submitted. Presumably, the Bureau is now in their final rulemaking stage.

    While the timing of next action is not clear, we commend the CFPB on their initiative in enhancing consumers' privacy awareness and understanding. In today's world of hacks, breaches, and ID thefts, consumer attention is focused on privacy issues like never before. We eagerly await the final rule so that actual implementation of the new enhancements can begin.
    Thursday, September 11, 2014

    Can You Read Me Now?


    The Consumer Financial Protection Bureau (CFPB) is currently in the process of updating Regulation P ... that's the federal rule requiring American financial institutions to snail mail a privacy notice to you at least once each year.

    This is good news for financial institutions in that under the updated rule, banks will likely be able to stop direct mailing the annual notice to you, but instead they'll be allowed to post it on a website for you to view electronically using your computer. Think of the savings in paper, printing, stuffing, and postage! Life is good for bankers!

    And life looks good for you, too, because soon you'll be able to view any bank's privacy notice on the big, fat screen of your desktop or laptop computer. View it when you want it ... ignore it until you need it.

    Just one little detail is troubling. Earlier this week, a CFPB presentation contained the following statement:
    "One study by the Federal Reserve found that one-third of cell phone users and more than half of smartphone owners are using mobile banking services. And according to one independent researcher, approximately 74,000 consumers per day began using mobile banking services last year."
    As we see and acknowledge this trend towards doing our banking business on mobile devices, here's the troubling detail:  The proposed Regulation P update provides no information or guidance relating to how privacy notices will be delivered on the diminutive screens of smartphones, tablets, and phablets.

    As the new Reg P rule is finalized, it's our hope and expectation that the rulemakers will recognize this as an opportunity to leverage technology to bring readable, understandable, timely privacy information to each and every banking customer.

    Friday, September 5, 2014

    Wastebasket ... here it comes!

    Do you recognize this document? If you’re an American with an account at nearly any financial institution, you receive at least one of these printed notices in your snail mail every year. If you're like most of us, you glance at it, scratch your head in bewilderment; then drop it into the trash. 

    What is it? It is your Annual Regulation P Privacy Notice sent to you by your financial institution. It tells you what they do with personal information they collect from you. 

    What personal information? Stuff like your name, your social security number, your income, your account balances, your payment history, your transaction history, your credit history, etc. Lawyers call this your nonpublic personal information, or NPI. 

    Why should you care? In a perfect world, perhaps you needn't pay much attention. But in today’s connected society, knowing what others do with your personal information is becoming vitally important. Your personal identity and privacy are yours to lose … having someone steal or misuse it can ruin your whole day. 

    But this notice is so confusing and boring ... and why do all these notices basically look the same? A federal law called Regulation P sets forth a model format for this disclosure. Most banks use the model form to ensure that they fully comply with their disclosure obligation to you under the law. CYA for them ... headscratcher for you. 

    Whose law is this? Your financial privacy used to be protected by an alphabet soup of federal agencies (FRB, OCC, FDIC, OTS, GLBA, NCUA, FTC, SEC, and CFTC). Most recently, it is administered by the Consumer Financial Protection Bureau (CFPB). 

    So ... what's the point? Simply this ... good privacy news is on the way. CFPB is currently in the process of updating this law, and has suggested a number of changes to make it easier and more convenient for you to know and understand what banks do with your NPI. Next blog, we'll review the changes and improvements that have been proposed as Reg P (12 CFR 1016.9(c)) is revised.