
Current Important Topics

Privacy Notices Under Gramm-Leach-Bliley Act and Regulation P


The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide consumers with a privacy notice disclosing that a consumer's nonpublic personal information (NPI) is shared with nonaffiliated third parties, describing the consumer's ability to opt out of that sharing practice in certain circumstances, and explaining how to exercise the right to opt out.

Reference: Gramm-Leach-Bliley Act, Pub. L. 106-102, 113 Stat. 1338 (1999)

Initial Notice

A financial institution must issue its GLBA privacy notice when it first establishes a customer relationship. The notice is provided annually thereafter, subject to an exception under the 2015 Fixing America's Surface Transportation (FAST) Act.

Each of these notices must provide information about the NPI the institution collects and discloses.

Emerging Issues

Cyber Incident Reporting Act S. 2875

09/28/21 – Introduced in the Senate by Gary Peters 

10/06/21 – Passed the Senate Homeland Security and Governmental Affairs Committee

Key Provisions:

  • Require companies to report cyber incidents within 72 hours and ransom payments within 24 hours.
  • Require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they experience a substantial cyber-attack.
  • Require other organizations, including businesses, nonprofits, and state and local governments, to notify the federal government within 24 hours if they make a ransom payment.
  • Direct federal agencies that are notified of attacks to provide that information to CISA, and create a Cybersecurity Incident Reporting Council to coordinate federal reporting requirements.
  • The bill contains six additional requirements. To review the entire bill, refer to Senate Bill 2875.

Questions & Answers

Question: Is a bank required to notify a customer when a deposited check is returned?

Answer: Yes. Regulation requires the bank to provide notice to the customer of a returned check by midnight of the banking day following the banking day on which the bank received notice that the check was returned or not paid.

Question: How often must bank management review the bank's electronic banking policies, and what criteria should be evaluated?

Answer: The Federal Financial Institutions Examination Council (FFIEC) E-Banking booklet addresses this. Under that guidance, once an institution implements its e-banking strategy, the board and management should periodically evaluate the strategy's effectiveness.

This review should include:

  • Revenue generated
  • Website availability percentages
  • Customer service volume
  • Number of customers actively using e-banking services
  • Percentage of accounts signed up for e-banking services
  • The number and cost per item of bill payments generated

Reference: FFIEC IT Examination Manual (E-Banking): banking/risk-managment-of-e-banking-activities/board-and-management-oversight/monitoring-and accountability.aspx.