CFTC Eases Annual Privacy Notice Rules

Federal regulations require financial institutions to provide customers with a written disclosure of the institution’s privacy policy at the time a relationship is established and annually thereafter. This requirement has often been criticized as a nuisance for businesses with no meaningful benefit for consumers.

Effective May 28, 2019, the Commodity Futures Trading Commission (CFTC) is amending its rules to provide an exception from the requirement to distribute annual privacy policy notices. This amendment will eliminate an annual burden for many futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, major swap participants, and swap dealers that are subject to the jurisdiction of the CFTC. Generally speaking, the exception applies as long as the registrant meets two requirements:

• First, with certain exceptions, the registrant must not share its customers’ nonpublic personal information with nonaffiliated third parties.

• Second, the registrant must not have changed its policies and practices regarding disclosing customer nonpublic personal information since its last disclosure to the customer.

In developing the new rule, the CFTC consulted and coordinated with the Bureau of Consumer Financial Protection (which adopted a similar rule in August 2018), the Securities and Exchange Commission, the Federal Trade Commission, and the National Association of Insurance Commissioners.

For many CFTC registrants, the annual privacy notice distribution requirement has been a trap for the unwary, resulting in adverse findings in National Futures Association or CME Group compliance examinations. For those registrants that qualify for the exception, the CFTC’s privacy regulation amendments are welcome relief. You should consult with an attorney to determine whether you or your business qualify for an exception from federal privacy notice requirements.  Also, businesses should regularly review and, if necessary, update their privacy policies, based on changes in operations as well as new applicable laws and regulations.