Your monthly compliance news roundup
On August 10, 2018, the Bureau of Consumer Financial Protection (the Bureau) issued a final rule amending Regulation P, which implements certain provisions of the Gramm-Leach-Bliley Act (GLBA). The amendments originated from a statutory change in the GLBA resulting from the December 2015 enactment of the Fixing America’s Surface Transportation Act (FAST Act). The amendment provides an exemption to the annual privacy notice requirement for institutions whose privacy practices meet certain criteria. Although the changes were technically effective upon enactment of the FAST Act, the amendments to Regulation P did not become effective until September 17, 2018.
The amendment provides an exemption to the annual privacy notice requirement for financial institutions meeting two criteria. First, the exemption is only applicable to institutions that do not share nonpublic personal information (NPI) about customers with nonaffiliated third parties in a manner that requires an opt-out notice be provided. Second, the financial institution must not have changed its policies and practices regarding disclosure of NPI from those disclosed in the privacy notice most recently sent. Whether or not a financial institution shares customer information with affiliated third parties under the Fair Credit Reporting Act does not affect applicability of the exemption.
In addition to providing an exemption to the annual privacy notice requirement, the changes to Regulation P also establish timing requirements for institutions that previously utilized the exemption but no longer qualify. The Bureau also removed the provision of Regulation P that allowed posting of the annual privacy notice on an institution’s website to constitute delivery under the regulation. This provision was eliminated since institutions that qualify for the alternative delivery method would now be entirely exempt from the annual privacy notice requirement.
In assessing whether they will qualify for the new annual notification exemption, a financial institution should still review annually its most recent privacy notice to determine whether it still accurately reflects its current policies and practices. Privacy change management processes, particularly those around sharing NPI with third parties, should include identification of triggers which might cause the institution to no longer qualify for the exemption, requiring resumed delivery on the timetable required by the regulation.
In January 2018, the U.S. Department of Justice rescinded the Cole Memo, which had provided guidance to U.S. attorneys and prosecutors concerning marijuana enforcement under the Controlled Substances Act. The Cole Memo, along with guidance issued in 2014 from the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), provided depository institutions with a framework to provide banking services to marijuana-related businesses (MRBs). As a result, the number of depository institutions providing banking services to MRBs has steadily increased since 2014, reaching an all-time high in June 2018.
With the rescission of the Cole Memo, depository institutions have been left to speculate whether their MRB relationships will result in any action from federal prosecutors. To protect against the uncertainty resulting from the rescission of the Cole Memo and continued regulatory criticism related to know your customer (KYC) programs, depository institutions have been enhancing their customer due diligence processes, evaluating and implementing anti-money laundering and fraud-detection software, and hiring experienced investigators and analysts to perform due diligence activities.
In addition to the risk of banking known MRBs, depository institutions face the risk that they are banking unknown MRBs, as not all customers may self-disclose the true nature of their business during onboarding. Unknown MRBs more typically engage in unlicensed marijuana-related activity. To detect unlicensed marijuana-related activities of existing customers, institutions should look for activity such as businesses that are unable to, or refuse to, demonstrate a legitimate source of funds for their account activity; note frequent interstate transactions with third parties in high-risk jurisdictions; or conduct searches of publicly available sources to identify whether business owners, employees or other related parties have been involved in illegal drug purchases, violence or other criminal activity.
Depository institutions should also review their customer due diligence processes to determine whether they have effective methods for identifying and evaluating business customers for MRB activities. Institutions looking to enhance their customer due diligence process to identify MRBs should consider including MRB-specific questions in the onboarding/application process, on-site visits prior to account opening, and implementing adequate anti-money laundering and fraud software for the size and nature of business conducted at the institution.