CFPB’s Online Privacy Disclosure Option Promises Big Saving but May Fall Short for Prepaid Providers (May 15, 2014)

The Consumer Financial Protection Bureau (CFPB) wants to reward banks and nonbanks under its jurisdiction with online privacy disclosures instead of paper, if those companies don’t disclose customer information to unaffiliated third parties. GPR and payroll providers, in particular, may be eager to take advantage of what the CFPB estimates will be $17 million in annual saving across the financial services industry. The proposed rule, however, may not be a real option for prepaid providers.

On the face of it, the rule seems like a positive approach—taking advantage of the Internet to help institutions save money and administrative headaches of printing and mailing out paper privacy disclosures to every customer. The CFPB says the rule is also good for consumers because it will limit data sharing and help consumers comparison shop.

While the industry welcomes a chance to move from paper to electronic delivery, there is some concern around how institutions qualify for the online privacy disclosures under the rule. Companies would be required to use the model disclosure form developed by federal regulatory agencies in 2009 under the Gramm-Leach-Bliley Act (GLBA). These notices must describe whether and how the financial institution shares consumers’ nonpublic personal information. If the institution does share this information with an unaffiliated third party, it typically must notify consumers of their right to opt out of the sharing and inform them of how to do so. Under this proposal, if an institution shares data with unaffiliated third parties in a way that triggers a customer’s right to opt out, then that institution generally would not be allowed to use the online delivery method, according to the CFPB.

In addition, online delivery would not be allowed if a financial institution has changed its privacy policy in the last year. And, of particular concern to prepaid, is the provision that institutions would be required to notify their customers, presumably by mail, that the online privacy disclosures are available and will be mailed to customers upon request. For prepaid providers—most of which don’t mail out regular statements—it seems they will not be able to take advantage of the primary benefit of the proposed rule, which is avoiding the expense of mailing out annual privacy notices.

“While we applaud the efforts of the CFPB to reduce unnecessary expenses of mailing annual privacy notices when they haven’t changed, unfortunately the proposed rule wasn’t drafted to address the unique needs of the prepaid market,” says Brad Fauss, executive vice president and general counsel of Brightwell Payments, a payroll card provider. “Prepaid products are designed as a low-cost alternative to bank accounts and other financial services products. As a result, prepaid providers rarely mail any information directly to cardholders but instead make information, such as transaction history, available online and through other electronic means, such as emails and text messages. Hopefully, the CFPB will address the issue in the final rule.”

Some experts also suggest that clarification is needed around the model disclosure form, as most institutions have tailored the form in some way. It’s unclear whether the CFPB would allow any modifications under the proposal. In fact, one of the selling points the CFPB is touting is that the rule would enable consumers to comparison shop because financial institutions would be using the same form.

Following the CFPB’s proposal, Senators Sherrod Brown (D-Ohio) and Jerry Moran (R-Kan.) called on the Senate to pass their Privacy Notice Modernization Act (US S 635), which would require banks to alert customers only to changes in their privacy policies, rather than mailing the entire policy each year as required by the GLBA. The senators believe mailing the entire policy each year is duplicative and encourages consumers to ignore the disclosure.

Meanwhile, the White House announced plans to take steps to increase privacy safeguards after its Privacy Working Group published a report analyzing the benefits and risks of “Big Data” (i.e., the technological ability to capture, aggregate and process data). The report outlined several policy recommendations, including a consumer privacy bill of rights, national data breach legislation and limiting usage of students’ personal data to educational purposes only.

The interplay between consumer privacy and reducing regulatory burdens presents a new twist for banks and may better align priorities between consumers and the banking industry.