Financial Privacy Regulation and – GLBA Compliance
This Financial Privacy Regulation Compliance Checklist should be used by practitioners and in-house counsel at financial institutions to ensure compliance with applicable federal privacy laws and regulations.
Financial institutions are required to comply with an array of federal privacy laws and regulations, including the Gramm-Leach-Bliley Act (GLBA) (15 U.S.C. §§ 6801–6809), the Fair Credit Reporting Act (FCRA) (15 U.S.C. § 1681 et seq.), the Right to Financial Privacy Act (RFPA) (12 U.S.C. §§ 3401–3422), and related federal consumer protection statutes. The goal of these laws and regulations is to promote financial privacy and consumer protection by regulating how institutions collect, use, and share sensitive information.
For more information regarding disclosure of NPA “nonpublic personal information”, see The Law of Financial Privacy § 9.01. For information regarding confidentiality of customer information under the GLBA and the FCRA, see The Law and Regulation of Financial Institutions § 18A.02.
Privacy Framework
A patchwork of state and federal laws and regulations govern the collection, use, and disclosure of consumer information, including specific laws and regulations that govern certain information and activities. As a result, users evaluating the applicability of laws should first carefully assess the:
• Type of entities involved (bank, bank holding company, financial technology company, etc.)
• Scope of information to be protected, and
• Specific activities
Practitioners should note that GLBA’s financial privacy rules were issued contemporaneously and pursuant to the same authority as the Interagency Guidelines Establishing Information Security Standards. While each may appear to address the same substantive considerations, interagency guidelines primarily address safeguard, protection, security, and disposal of confidential customer information. GLBA privacy rules focusing on the disclosure of nonpublic personal information to nonaffiliated third parties, as discussed in greater detail below.
Gramm-Leach-Bliley Act (GLBA)
The GLBA addresses disclosure of NPI “nonpublic personal information” of “customers” and “consumers” by “financial institutions” to nonaffiliated parties. 15 U.S.C. §§ 6801–6809. GLBA privacy rules generally apply to sharing information with persons not affiliated with a financial institution. Before sharing such information, an institution must provide the affected customer or consumer with notice of the sharing and an opportunity to “opt out” of the sharing, absent an exception applying. The federal bank regulatory agencies have developed a Model Privacy Notice Form that offers a compliance safe harbor for users. Pursuant to an amended rulemaking by the Consumer Financial Protection Bureau (CFPB), privacy notices may be delivered online to satisfy requirements that that notices annually took effect. 12 C.F.R. § 1016.9(c)(2).
Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) granted rulemaking authority for many provisions of the GLBA to the CFPB regarding financial institutions and related entities subject to the CFPB’s jurisdiction (banks over $10 billion and other firms offering consumer financial products and services). The CFPB is empowered to examine and enforce compliance with these statutory provisions regarding the institutions it supervises, subject to exceptions applicable to securities and financial future-related companies, and motor vehicle dealers.
The GLBA does not preempt state privacy laws that are not inconsistent with its provisions (state laws providing greater protection to consumers than GLBA are generally not deemed to be inconsistent). 15 U.S.C. § 6507. The CFPB, however, has authority for determining which state laws and regulations are preempted by GLBA. Only specified federal agencies are empowered to enforce violations of the GLBA; there is no private cause of action for violations of the GLBA.
Who Must Comply with GLBA?
Privacy laws and regulations implemented under the GLBA apply to financial institutions that provide financial products or services to consumers (Financial products and services are provided to consumers if they are used primarily for personal, family, or household purposes).
The term financial institution broadly includes insured depository institutions (IDIs), such as national banks and federal savings associations, and other entities “significantly engaged in financial activities.” This term includes entities that engage in enumerated activities outlined in Section 4(k) of the Bank Holding Company Act of 1956, as amended, and its implementing regulations, including Regulation Y. 12 U.S.C. § 1843(k); 12 C.F.R. § 225.86. These activities include, among other things:
• Lending, exchanging, transferring, investing for others, or safeguarding money or securities
• Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, as either principal, agent, or broker –and–
• Providing financial advice, underwriting, dealing in, or making a market in securities
Each of the federal bank regulatory agencies (Board of Governors of the Federal Reserve System (Federal Reserve), Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC)), the CFPB, and the Federal Trade Commission (FTC) have each issued roughly identical regulations to implement the GLBA. These regulations are applicable to entities under each agency’s respective supervision. 12 C.F.R. § 216.3(k)(1) (Federal Reserve); 12 C.F.R. § 40.13(k)(1) (OCC); 12 C.F.R. § 332.3(k)(1) (FDIC); 12 C.F.R. § 1016.3(1) (CFPB); 16 C.F.R. § 313.3(k)(1) (FTC). These regulations generally govern circumstances under which financial institutions must provide consumers with notice concerning privacy policies and practices.
Federal bank regulatory agencies and the National Credit Union Administration (NCUA) issued a series of Frequently Asked Questions (FAQs) addressing various aspects of federal privacy laws and regulations. Sample FAQs can be found here and address, among other things:
• When financial institutions must deliver required notices
• Limits applicable to the use and disclosure of customer information received from an unrelated financial institution
• Limits applicable to the disclosure of customer account numbers –and–
• How to comply with the exception for disclosures under a joint marketing agreement with an unrelated financial institution
What Is a meaning of “Financial Institution” under GLBA?
Under the GLBA, a “financial institution” includes:
• Mortgage lenders
• Mortgage brokers
• Check cashers
• Payday lenders
• Credit counseling service providers
• Financial advisers
• Medical service providers with long-term payment plans that involve interest charges
• Tax planning and preparation services
• Auto dealers that lease or finance
• Collection agency services
• Relocation services assisting in financing or mortgages
• Sale of money orders, savings bonds, or traveler’s checks
• Debt collection agencies
• Real estate appraising entities
• Government entities providing financial products
Who Are Customers and Consumers?
The term customer means a consumer who has a customer relationship with a financial institution. See e.g., 12 C.F.R. § 216.3(h). A customer is a type of consumer, specifically, an individual who maintains an ongoing relationship with a financial institution. All customers must receive initial privacy notices.
A consumer, in turn, is defined as an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or such individual’s legal representative. See e.g., 12 C.F.R. § 216.3(e)(1).
As a rule of thumb, all customers are consumers; however, not all consumers are customers. Neither a business nor an individual who obtains a financial product or service for business purposes qualifies as a customer or consumer under the GLBA. If a sole proprietor obtains a loan for business purposes, he or she is not a “consumer” for purposes of the GLBA as there is no obligation to provide privacy notices to sole proprietors.
What Is NPA – “Nonpublic Personal Information”?
The GLBA defines “nonpublic personal information” as information that is not publicly available and that:
• A consumer provides to a financial institution to obtain a financial product or service from the institution
• Results from a transaction between the consumer and the institution involving a financial product or service –or–
• A financial institution otherwise obtains about a consumer related to providing financial products or services
Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the public from government records, widely distributed media, or legally required disclosures to the public. Examples include information in a telephone book or a publicly recorded document, such as a mortgage or security interest filing. Nonpublic personal information may include individual items of information, as well as lists of information, such as names, addresses, phone numbers, social security numbers, credit scores, and information obtained through Internet collection devices (i.e., cookies). Note that publicly available information would be treated as nonpublic if it were included on a list of consumers derived from nonpublic personal information. For example, a list of names and addresses of a financial institution’s depositors would be nonpublic personal information even though the same names and addresses might be published in local telephone directories and publicly available as the list itself was derived from the fact that a person has a deposit account with an institution, which is not publicly available information.
All consumers are entitled to the same protection from disclosures of nonpublic personal information regardless of whether they are customers of the financial institution. As a result, it is imperative that the financial institution not disclose nonpublic personal information of any consumer or any customer to any nonaffiliated third party beyond the enumerated exceptions to the GLBA and in implementing regulations (12 C.F.R. §§ 216.13–216.15), unless a privacy notice and reasonable opportunity to opt out is provided, and the consumer or customer does not opt out.
Practitioners should be aware of applicable exceptions to the notice and opt-out requirement for certain types of information sharing, such as sharing to process a transaction specifically required by a consumer, sharing with law enforcement authorities. 12 C.F.R. § 40.15 (OCC); 12 C.F.R. § 216.15 (FRB); 12 C.F.R. § 332.15 (FDIC); 12 C.F.R. § 1016.15 (CFPB). Opt out is not required for sharing pursuant to qualifying joint marketing agreements, or to obtain services from the financial institution itself; however, notice to affected consumers of such sharing must still be provided.
Exceptions to GLBA Requirements
Exceptions to GLBA’s notice and opt-out requirements are categorized as follows:
1 Joint marketing exceptions. These generally apply to third party service providers delivering or fulfilling services for the financial institution. These may occur subject to a joint marketing agreement, or similar agreement, with another financial institution. Reliance on this exception requires that consumers still receive notice prior to sharing information. However, no opt out is required. See, e.g., 12 C.F.R. § 216.13.
2 Exceptions for processing transactions (requested by consumer). These cover several purposes for sharing to carry out transactions a consumer has requested, including sharing necessary to process rewards or incentives. If this applies, neither notice nor opt out is required. See, e.g., 12 C.F.R. § 216.14.
3 Related exceptions. These exceptions address several circumstances, primarily those involving a one-time need for sharing, rather than ongoing agreement or commitment to share information. These include disclosures to comply with requests from law enforcement or other authorized subpoenas. In such cases, neither notice nor opt out is required. See, e.g., 12 C.F.R. § 216.15.
Abbreviated GLBA Checklist for Financial Institutions
- Is the entity in question a financial institution within the definition provided by the GLBA?
- Does the entity provide a financial product or service to customers?
- Does the entity provide an initial, or short form, privacy notice not later than when the customer relationship is established?
- All financial institution customers must receive initial (or short form) privacy notices
- Initial notices (or short form notices) must be provided to consumers who are not customers, only if the financial institution intends to disclose nonpublic personal information about those consumers to nonaffiliated third parties (absent an exception in 12 C.F.R. §§ 216.14 or 216.15 such that no initial notice is required prior to disclosure)
- Annual privacy notices must be provided to customers so long as they remain customers of the financial institution (annual notices to consumers who are not customers are never required)
- Does the entity provide an opt-out notice, in appropriate circumstances not subject to exceptions under GLBA, prior to sharing nonpublic information with nonaffiliated third parties? Are customers afforded a “reasonable opportunity” to opt out?
- Are applicable notices provided to joint accountholders and guarantors of loans or other extensions of credit?
- As a best practice, is an annual privacy notice provided to customers? (Note: the Fixing America’s Surface Transportation Act (FAST Act) eliminated annual notice requirements for IDIs that do not share nonpublic personal information with third parties in a way that triggers GLBA opt-out rights and if the IDI had not changed its sharing practices since its last GLBA notice was provided to consumers.) See, e.g., 12 C.F.R. § 40.15.
- Do the initial and the annual notices each contain:
- Clearly and accurately explain a customer’s right to opt out?
- Disclosures required by the FCRA?
- Required categories of nonpublic personal information collected and disclosed?
- Required categories of affiliates and nonaffiliated third parties to whom nonpublic personal information is disclosed?
- Does the entity change privacy practices and, if so, does it provide new revised privacy and opt-out notices?
- Are all notices (1) “clear and conspicuous” as required by the GLBA and applicable regulatory requirements, and (2) reasonably understandable?
- Has the entity confirmed that applicable notices and opt-out provisions will be provided for sharing or disclosure of information to nonaffiliated persons?
- Does the entity have detailed policies and procedures concerning the protection, maintenance, and security of nonpublic personal information?
- Does the entity have a written information security program maintained and administered by key personnel?
- Does the entity conduct periodic risk assessments regarding security, confidentiality, and integrity of customer information?
- Does the entity comply with appropriate recordkeeping requirements and related responsibilities mandated by the appropriate federal supervisory authorities?
- Do each of the above protocols comply with Interagency Guidelines Establishing Information Security Standards?
Overview of Relevant Fair Credit Reporting Act (FCRA) Considerations
While privacy considerations under the GLBA primarily apply to sharing information with third-party nonaffiliates, the FCRA and related laws generally govern the sharing of information among an institution’s affiliates. 15 U.S.C. 1681a(d)(2)(iii).
The “affiliate marketing rule” under FCRA provides that an affiliate cannot use “eligibility information” for marketing solicitation unless the affected consumer has first been provided with notice and an opportunity to opt out. The FCRA defines eligibility information as:
• Transaction information, which is information regarding an institution’s transactions or experience with a consumer (for example, account balance, loan, or related information) –or–
• Other specified information contained on a “consumer report,” subject to enumerated exclusions under the FCRA
15 U.S.C. § 1681a(d)(2)(A)(iii).
Much of the law and regulation of FCRA centers on the definition of consumer report.
A consumer report is generally defined as any written, oral, or other communication of any information by a “consumer reporting agency” that bears on a consumer’s creditworthiness, credit standing, character, reputation, personal characteristics, or mode of living used or collected to serve as a factor in establishing his or her eligibility for credit or insurance for personal, family, or household purposes, employment, or other permissible purposes. 15 U.S.C. § 1681a(d). A consumer reporting agency is defined broadly to include any person who, for compensation or otherwise, engages in the practice of assembling or evaluating consumer credit information. 15 U.S.C. § 1681a(f).
The broad definitions of consumer report and consumer reporting agency impact sharing by any person of information that may be considered a consumer report, and therefore raises the risk that such persons are considered consumer reporting agencies, subject to stringent sharing requirements, and heightened regulatory obligations, including additional notices, procedural safeguards, and related restrictions. Unlike GLBA, FCRA provides a private right of action for violations of certain provisions. Private rights of action apply to requirements imposed on “covered entities” related to consumers. 15 U.S.C. § 1681m(h)(8).
Overview of Right to Financial Privacy Act (RFPA) Considerations
The RFPA was enacted to protect institutions customers’ rights of financial privacy and the requirement for law enforcement authorities to obtain financial records as part of legitimate investigations.
To obtain a customer’s financial records, government authorities must satisfy one of the following requirements:
• Procure a search warrant supported by probable cause
• Obtain consent of the customer –or–
• Adhere to specified procedures such as service of a subpoena on a customer
12 U.S.C. § 3402.
Abbreviated RFPA Checklist for Financial Institutions
• Does the institution maintain policies and procedures developed to achieve compliance with the RFPA?
• Has the institution developed procedures to implement policies used to govern how it will comply with specific requirements of RFPA and how it will respond to requests under the RFPA?
• Have procedures been reviewed, documented, and approved by its board of directors?
• Do procedures set parameters regarding disclosure of customer information?
• Do procedures identify the types of information bank employees may disclose, as well as the mediums through which they may disclose it?
• Has the institution developed procedures that govern implementation of the RFPA to limit coverage to requests from federal agencies, except the Internal Revenue Service, for financial information regarding individuals and partnerships with five or fewer people?
• Do procedures governing implementation of RFPA state that the institution will not honor requests for customer information that are not in compliance with the RFPA?
• Are there sufficient internal controls to ensure that only information requested is provided?
• Do procedures governing implementation of the RFPA:
• State that the institution will not honor any request for customer information that does not comply with the RFPA?
• Establish a stringent set of internal protocols and controls to ensure that only the information requested is provided?
• Do procedures prohibit employees from providing information contained in a credit application or consumer report that may divulge a consumer’s creditworthiness, credit standing, capacity, character, general reputation, personal characteristics, or mode of living?
• Do procedures further require that the institution comply with related consumer protection laws and regulations, including the GLBA, FCRA, and other requirements?
Q: Does your router, firewall have latest firmware. Most of the equipment do not have latest firmware and often configured with open access from internet.
- Q: Do your employee have access to data they need? Almost Half of Employees Have Access To More Data Than They Need
How do you respond to a data breach?