17 CFR § 248.5 - Annual privacy notice to customers required.
(a)
(1) General rule. Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.
(2) Example. You provide a notice annually if you define the 12-consecutive-month period as a calendar year and provide the annual notice to the customer once in each calendar year following the calendar year in which you provided the initial notice. For example, if a customer opens an account on any day of year 1, you must provide an annual notice to that customer by December 31 of year 2.
(b)
(1) Termination of customer relationship. You are not required to provide an annual notice to a former customer.
(2) Examples. Your customer becomes a former customer when:
(i) The individual's brokerage account is closed;
(ii) The individual's investment advisory contract is terminated;
(iii) You are an investment company and the individual is no longer the record owner of securities you have issued; or
(iv) You are an investment company and your customer has been determined to be a lost securityholder as defined in 17 CFR 240.17a-24(b).
(c) Special rule for loans. If you do not have a customer relationship with a consumer under the special provision for loans in § 248.4(c)(2), then you need not provide an annual notice to that consumer under this section.
(d) Delivery. When you are required to deliver an annual privacy notice by this section, you must deliver it according to § 248.9.
(e) Exception to annual privacy notice requirement—(1) When exception available. You are not required to deliver an annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with § 248.13, § 248.14, or § 248.15; and
(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 248.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.
(2) Delivery of annual privacy notice after financial institution no longer meets the requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.
(i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 248.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirement in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.
(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 248.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirement of paragraph (e)(1) of this section.
(iii) Examples.
(A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1. Assuming you define the 12-consecutive-month period pursuant to paragraph (a) of this section as a calendar year, if you were required to provide a revised privacy notice under § 248.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under § 248.8, you must provide an annual privacy notice by July 9 of year 1.
(B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notice to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section.