
Tuesday, August 30, 2016

Fewer Privacy Notices Required for Bank Insurance Licensees

Yesterday, the National Association of Insurance Commissioners (NAIC) adopted a model bulletin to implement recent amendments to the Gramm-Leach-Bliley Act’s privacy provisions (the so-called “FAST Act,” which was enacted on December 4, 2015).

The FAST Act eliminates the requirement that financial institutions (including banks, insurance companies and insurance agencies, if applicable) provide annual privacy notices to their customers. Once a state adopts the NAIC’s model bulletin, insurance entities licensed in the state will no longer have to provide the annual privacy notices if they meet the following conditions:
  1. the privacy notice does not provide the customer with an opportunity to “opt out” of the disclosure of nonpublic personal information (NPI) to nonaffiliated third parties; and
  2. the insurance company or insurance agency (if applicable) has not revised its privacy notice with regard to disclosing NPI to a nonaffiliated third party since it issued its most recent privacy notice.

The elimination of the requirement to provide an annual privacy notice would be available to an insurance company or an insurance agency that has a joint marketing agreement in place for the disclosure of customer NPI to a nonaffiliated bank.

Note that in most cases, this relief will not be relevant to an insurance agency, which often is able to rely on an insurance company’s provision of privacy notices, instead of having to provide its own privacy notice.

This action is consistent with the Consumer Financial Protection Bureau’s (CFPB) recent proposal to modify Regulation P (12 C.F.R. Part 1016), which implements the Gramm-Leach-Bliley Act’s privacy provisions with respect to financial institutions regulated by the Federal prudential regulators, such as banks.

Given this action, here’s where we currently stand on the requirement that a financial institution provide annual privacy notices (assuming it satisfies the two requirements set forth in the first paragraph):
  1. Banks will no longer be required to provide annual privacy notices once the CFPB issues its final rule to amend Regulation P.
  2. Insurance companies, and insurance agencies that provide privacy notices, will no longer be required to provide annual privacy notices to their customers once a state adopts the NAIC’s model bulletin, with an important caveat: Some states may need to amend their regulations to effect the change in the regulatory requirement (a bulletin may not suffice), so insurance licensees should check with their state regulators to determine what is, and is not, permitted.
  3. Financial institutions within a holding company that provide joint privacy notices (such as a bank that has a subsidiary insurance agency) will need to check both Regulation P and state insurance law before they stop jointly delivering annual privacy notices to customers of the various entities within the holding company.
If you have any question regarding this issue, please contact Sarah Ferman at