Changes to the Annual Privacy Notice Delivery Requirement

K&L Gates LLP

As a result of recent changes to federal privacy laws, financial institutions[1]—such as registered investment advisers, exempt reporting advisers, commodity trading advisers, registered broker-dealers and private funds—may no longer need to provide an annual privacy notice to their customers.[2] As explained below, financial institutions should review their privacy policies and practices to determine whether they meet the requirements for the exception from the annual delivery requirement or otherwise will need to send an updated privacy notice.

Financial institutions are required to develop privacy policies to protect their customers’ personal nonpublic information. Previously, the Gramm-Leach-Bliley Act (“GLBA”) required financial institutions to provide consumers with a privacy notice annually. The Fixing America’s Surface Transportation Act amended GLBA, effective December 4, 2015, by adding an exception to the annual privacy policy delivery requirement.

The exception to the annual delivery requirement is available to a financial institution that: 

  1. provides nonpublic personal information only in accordance with the provisions of subsection (b)(2) or (e) of section 502 of GLBA[3] or the regulations prescribed under section 504(b) of GLBA[4]; and
  2. has not changed its policies and practices with regard to disclosing nonpublic personal information from the most recent privacy notice it sent to consumers.

Otherwise, an annual notice is still required.

 

Notes:
[1] “Financial institutions” include, in part: registered investment advisers and broker-dealers, which must comply with Regulation S-P (17 C.F.R. pt. 248), which was adopted by the Securities and Exchange Commission (the “SEC”); exempt reporting advisers and investment funds that rely on the section 3(c)(1) or 3(c)(7) exception from registration under the Investment Company Act of 1940, which must comply with Regulation P (12 C.F.R. pt. 1016.1), which was adopted by the Federal Trade Commission; and funds and operators of funds that trade in derivatives and are not otherwise exempt from the Commodity Futures Trading Commission’s privacy rule (17 C.F.R. pt. 160). These agencies issued their privacy rules pursuant to the Gramm-Leach-Bliley Act.

[2] Financial institutions are still required to provide an initial privacy notice to their customers, as set forth in the Gramm-Leach-Bliley Act and the regulations adopted thereunder, when a relationship with a customer is established.

[3] A financial institution may not disclose nonpublic personal information to non-affiliated third parties, unless, among other items, its customers have the right to opt out of such disclosure, provided that this opt-out right is subject to certain exceptions. Subsections (b)(2) and (e) of section 502 describe the statutory exceptions to a customer’s opt-out rights.

[4] Section 504(b) authorizes the rulemaking agencies, such as the SEC, to issue additional exceptions to a customer’s opt-out rights that are not specifically identified in subsections (b)(2) and (e) of section 502.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising
