As I have said multiple times, a policy is useless if not implemented. And if it is implemented but not monitored, it’s also meaningless. Just because you have a policy does not mean you have taken the appropriate compliance actions needed to both implement and monitor the requirements thereunder. A policy bereft of implementation and monitoring is no more than dysfunctional pontification. So, understand, even if you claim to be implementing, you must also be monitoring.
Under the applicable regulations, an institution must provide a disclosure of its privacy policy at least annually during the continuation of the customer relationship.
An institution may define the 12-consecutive-month period however it wants, but the institution must apply it to the customer on a consistent basis. Consistency matters, and it will be determined in a banking examination.
“Annually” means at least once in any period of 12 consecutive months during which that relationship exists. An institution is required to provide the annual disclosure only during the term of the customer relationship with the consumer and is not required to provide an annual notice to a customer with whom the institution no longer has a continuing relationship.