
Sec. 1016.5 Annual privacy notice to customers required.

Section 1016.5(a)(1) below is updated and subsection (e) is added under an amendment finalized by the Bureau of Consumer Financial Protection on August 10, 2018, and effective September 17, 2018.


(a)(1) General rule. Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.

(2) Example. You provide a notice annually if you define the 12-consecutive-month period as a calendar year and provide the annual notice to the customer once in each calendar year following the calendar year in which you provided the initial notice. For example, if a customer opens an account on any day of year 1, you must provide an annual notice to that customer by December 31 of year 2.

(b)(1) Termination of customer relationship. You are not required to provide an annual notice to a former customer.

(2) Examples in the case of financial institutions other than credit unions and covered entities subject to FTC enforcement jurisdiction. For purposes of this paragraph (b)(2), “you” is limited to financial institutions other than credit unions and financial institutions described in §1016.3(l)(3). Your customer becomes a former customer when:

(i) In the case of a deposit account, the account is inactive under your policies;

(ii) In the case of a closed-end loan, the customer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights;

(iii) In the case of a credit card relationship or other open-end credit relationship, you no longer provide any statements or notices to the customer concerning that relationship or you sell the credit card receivables without retaining servicing rights; or

(iv) You have not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material.

(3) Examples in the case of covered entities subject to FTC enforcement jurisdiction. For purposes of this paragraph (b)(3), “you” is limited to financial institutions described in §1016.3(l)(3) of this part. Your customer becomes a former customer when:

(i) In the case of a closed-end loan, the customer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights;

(ii) In the case of a credit card relationship or other open-end credit relationship, you sell the receivables without retaining servicing rights;

(iii) In the case of credit counseling services, the customer has failed to make required payments under a debt management plan, has been notified that the plan is terminated, and you no longer provide any statements or notices to the customer concerning that relationship;

(iv) In the case of mortgage or vehicle loan brokering services, your customer has obtained a loan through you (and you no longer provide any statements or notices to the customer concerning that relationship), or has ceased using your services for such purposes;

(v) In the case of tax preparation services, you have provided and received payment for the service and no longer provide any statements or notices to the customer concerning that relationship;

(vi) In the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, you have received payment, or you have completed all of your responsibilities with respect to the settlement, including filing documents on the public record, whichever is later; or

(vii) In cases where there is no definitive time at which the customer relationship has terminated, you have not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material.

(4) Examples in the case of a credit union. An individual becomes a former customer of a credit union when:

(i) The individual is no longer the credit union's member as defined in the credit union's bylaws;

(ii) In the case of a nonmember's share or share draft account, the account is inactive under the credit union's policies;

(iii) In the case of a nonmember's closed-end loan, the loan is paid in full, the credit union charges off the loan, or the credit union sells the loan without retaining servicing rights;

(iv) In the case of a credit card relationship or other open-end credit relationship with a nonmember, the credit union no longer provides any statements or notices to the nonmember concerning that relationship, or the credit union sells the credit card receivables without retaining servicing rights; or

(v) The credit union has not communicated with the nonmember about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material.

(c) Special rule for loans in the case of a financial institution other than a credit union. If a financial institution other than a credit union does not have a customer relationship with a consumer under the special rule for loans in §1016.4(c)(2) of this part, then it need not provide an annual notice to that consumer under this section.

(d) Delivery. When you are required to deliver an annual privacy notice by this section, you must deliver it according to §1016.9 of this part.

(e) Exception to annual privacy notice requirement. (1) When exception available. You are not required to deliver an annual privacy notice if you:

(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 1016.13, § 1016.14, or § 1016.15; and

(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.

(2) Delivery of annual privacy notice after financial institution no longer meets requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (e)(2)(ii) of this section, as applicable.

(i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 1016.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirements in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.

(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 1016.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirements of paragraph (e)(1) of this section.

(iii) Examples. (A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1. Assuming you define the 12-consecutive-month period pursuant to paragraph (a) of this section as a calendar year, if you were required to provide a revised privacy notice under § 1016.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under § 1016.8, you must provide an annual privacy notice by July 9 of year 1.

(B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notices to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section.
