The US Consumer Financial Protection Bureau, after liaising with the SEC and CFTC, is to let some banks and other financial institutions to post their privacy policies online rather than having to send them off in the post every year.

Under
the US Gramm–Leach–Bliley Act 1999, every financial
institution must provide each client with a privacy notice that
describes the information it gathers about him and states how it
safeguards and/or shares this information and with whom. The bank (or
mortgage broker, insurance carrier or other 'covered institution')
must hand this privacy notice to the client before it can obtain his
formal agreement to begin doing business with him. It must then do so
annually thereafter.

Now,
once a rule (RIN 3170-AA39) issued by the Consumer Financial
Protection Bureau appears in the Federal Register, some banks and
other financial institutions will be allowed to post their privacy
policies online rather than having to send them off in the post every
year. In exchange, the financial institution can only use the
alternative delivery method if:

(1)
it does not disclose the customer’s nonpublic personal information
to non-affiliated third parties in a manner that triggers GLBA
opt-out rights;

(2)
it does not include on its annual privacy notice an opt-out notice
under s603(d)(2)(A)(iii) Fair Credit Reporting Act;

(3)
the requirements of s624 FCRA and the Affiliate Marketing
Rule, if applicable, have been satisfied previously or the annual
privacy notice is not the only notice provided to satisfy such
requirements;

(4)
the information included in the privacy notice has not changed since
the customer received the previous notice (subject to an exception);
and

(5)
it uses the model form provided in the G-L-B Act’s
implementing Regulation P.

Under
the alternative delivery method, the financial institution would have
to:

(1)
convey in a clear and conspicuous manner not less than annually on an
account statement, coupon book, or a notice or disclosure the
institution issues under any provision of law that its privacy notice
is available on its website, it will be mailed to customers who
request it by telephone, and it has not changed;

(2)
post its current privacy notice in a continuous and clear and
conspicuous manner on a page of its website on which the only content
is the privacy notice, without requiring a login name or similar
steps or agreeing to any conditions to access the page; and

(3)
mail its current privacy notice to customers who request it by
telephone within ten days of the request.