Fredric J. Gooch – General Counsel, DocuTech Corporation
On December 1, 2009 the federal agencies responsible for administering the Graham-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act (“FCRA”) issued revised regulations that financial institutions may use to meet the privacy notice requirements under the Acts. The focus of the revised regulation is on a new Model Form that institutions may use to describe their privacy policy to their customers. The regulation provides a safe harbor provision for institutions that use the model form exactly as written.
The federal regulatory agencies had previously released regulations that set forth model clauses that lenders could use to describe their policy. The model clauses were considered by the agencies and consumer advocates to be confusing and difficult for consumers to understand. Following several years of testing and comment the agencies released the revised regulation. Financial institutions wishing to take advantage of the safe harbor provisions related to the new forms may start using the forms on December 1, 2009. Institutions that are currently relying on the safe harbor provisions from the previous model clauses should be aware that the safe harbor provision for those clauses expires December 31, 2010. The good news is that you have a year to review your privacy policy and see how it fits with the new model documents.
The model form is two pages long, page one has five different sections. The first section is the title of the document “What Does ABC Mortgage Do With Your Personal Information.” The second section contains introductory language called the “key frame.” It is designed to help the consumer understand the disclosures. The third section is the disclosure table that describes the types of sharing used by financial institutions that is allowable under federal law, whether the institution participates in these types of sharing and whether the consumer can limit or opt out of the sharing. The fourth section is only used if needed and it contains a box titled “To limit our sharing” for opt out information. The final section on page one contains the institutions customer service contact information. Page two of the model form contains additional information and definitions; this information ensures that the model form meets all of the requirements of the GLBA.
The drafters of the rule are aware that there are several states that have specific requirements related to privacy disclosures. For this reason they have incorporated a place on page two of the form entitled “Other important information.” This is the area where you would insert any state specific privacy language.
Use of the new model form is not required, but if institutions want to take advantage of the safe harbor protection they must use the new form by December 31, 2010. There has been a concern that the new model form may not be appropriate for institutions of varying sizes and complexity. Due to the broad applicability of the form and the varying degree of complexity in these institution’s privacy policies, institutions may continue to use a customized form as long as it meets all the requirements set forth in the regulations. The result is that institutions affected by the regulation must either adapt their privacy policies to work within the framework of the new model form or spend a considerable amount of time and resources customizing a form that will meet the requirements. Whenever possible it is advantageous to use the model form so your institution may take advantage of the safe harbor protection.
If you decide to develop a customized privacy form there are a few instructions given in the preamble to the rule that may guide you in this process. The preamble discourages the use of introductory language in a disclosure that assures the consumer that the financial institution takes privacy seriously or other generic introductory language. It also discourages the use of logos or any branding on the form. It also discourages providing information that attempts to show the benefits of sharing information. The writers of the preamble consider these types of information as confusing the borrower or discouraging them from reviewing the entire form. They also discourage the use of the titles “Privacy Notice” or “Privacy Policy.”
The safe harbor for the old sample privacy notices expires on December 31, 2010. It is important to review your privacy policy and see if the new model privacy notice will work for you before the deadline. If your institution has issues then you need to look into modifying your policy or developing a custom form to make sure that your organization is in compliance with the new requirements. For more information on the new requirements you can view the new rule at: http://www.occ.treas.gov/ftp/release/2009-142a.pdf.
The new Privacy Policy Notice will be available in ConformX starting November 20, 2010. In order to have the new document print in your packages you will need to have the lender specific information disclosed in the document entered into the new Privacy Policy Notice Defaults Administration screen inside ConformX. Once the defaults are entered into the admin screen the new privacy policy will print in your document packages. If you do not enter anything into the admin screen the prior privacy policy document will continue to print in your packages. Remember that in order to continue to have “safe harbor” under the new rules you need to upgrade to the new privacy policy before January 1, 2011. Please contact DocuTech customer support at 1-800-497-3584 option 3 to schedule a time to have your defaults set in the new Privacy Policy Admin Screen.