Privacy Policy Compliance for Financial Institutions
Table of Contents
I. In a Nutshell: What is the Privacy of Consumer Financial Information Rule?
II. Why does the Privacy of Consumer Financial Information Rule exist?
III. The Details: Privacy of Consumer Financial Information Rule Requirements & Compliance
IV. Does the Privacy of Consumer Financial Information Rule affect your business?
V. Privacy of Consumer Financial Information Rule Resources
The Privacy of Consumer Financial Information Rule, or Financial Privacy Rule for short, details the financial privacy provisions of the Gramm-Leach-Bliley Act that are to be followed by financial institutions and enforced by the Federal Trade Commission (FTC).
The goal of the Financial Privacy Rule is to protect consumer financial privacy by:
As a part of the GLBA, the Financial Privacy Rule went into effect on November 12, 1999. Businesses under regulation by the GLBA were required to be in full compliance by July 1, 2001.
The Gramm-Leach-Bliley Act (GLBA) allowed for the merger between commercial banks, investment banks, securities firms, and insurance companies, which meant that the financial institution that resulted from the merger would be accountable for the use and storage of sensitive, nonpublic personal information (NPI) of their customers.
The volume of NPI housed within a single financial institution would be a security nightmare if it fell into the wrong hands, so legislators made sure to include provisions in the GLBA that protect consumer financial privacy: the Privacy of Consumer Financial Information Rule, also known as the Financial Privacy Rule.
To learn more about the GLBA, please read our post here.
The main requirement of the Financial Privacy Rule is that financial institutions need to have a clear, conspicuous, and reasonably understandable written privacy policy either on paper or online that must be given to their customers at the time a customer relationship is established. In addition, a copy of the full privacy notice must be given annually to all current customers.
If the privacy policy is given on paper, it may be delivered either by mail or by hand. Customers can be given online access to the privacy policy instead, if agreed upon by the customer. Online privacy policies are to be posted on the financial institution’s website and can require customers to acknowledge that they have received and read the privacy policy.
The purpose of this privacy notice is to accurately inform customers using plain language about your policies and procedures for collecting, disclosing, and protecting NPI of consumers, customers, and former customers.
Although not explicitly covered in the Financial Privacy Rule section of the GLBA, the Safeguards Rule and Pretexting Provisions sections of the GLBA require financial institutions to take responsibility for the safekeeping of customers’ NPI.
The privacy policy needs to include the following:
Pertaining to the list above, financial institutions do not have to include in their privacy policy any items on the list that do not apply to them. For example, if your financial institution does not disclose any NPI to third parties, affiliated or nonaffiliated, your privacy policy can simply state that the financial institution will only disclose NPI to nonaffiliated third parties ‘as permitted by law’, such as the issuance of a subpoena, to be in compliance with the Financial Privacy Rule.
The following discusses what information is considered NPI and what information is not considered NPI. Information that is not NPI is not regulated by the Financial Privacy Rule.
The type of consumer financial information that the Financial Privacy Rule deals with, as mentioned in the section above, is ‘nonpublic personal information’, or NPI for short. Specifically, NPI is understood as any personally identifiable financial information that is not publicly available and is collected for the purpose of providing a financial product or service, such as:
Certain types of personal information are not considered NPI because there is a reasonable basis to believe that such information is ‘publicly available’. Publicly available information is information that is:
The following describes personal information that is not considered NPI, and therefore, not covered under the Financial Privacy Rule:
There are situations in which certain personal information may be publicly available but is still considered NPI under the Financial Privacy Rule, such as:
As mentioned above, customers are given the right to opt-out of having certain NPI disclosed to nonaffiliated third parties. The right to opt-out needs to be included within the privacy policy.
Customers have the right to be given a reasonable means and opportunity to opt out of having their NPI disclosed to nonaffiliated third parties. Reasonable means and opportunity means:
Customers have the right to opt-out at any time. Once a customer has exercised the right to opt-out, financial institutions are required to comply as soon as possible. The customer’s right of opting-out extends beyond their time as a customer at your financial institution; unless a former customer agrees, either in writing or electronically, to terminate the opt-out, financial institutions are required to honor the opt-out. If a former customer returns to establish a new customer relationship at a financial institution, the customer needs to renew the right to opt-out.
Although the GLBA does not explicitly require financial institutions to include this opt-out option in their privacy policy if they only share NPI with affiliated third parties, the Fair Credit Reporting Act [2] does require the inclusion of the opt-out option, and so it must be included in privacy policies.
However, there are exceptions to the customer’s right to opt out; these exceptions are detailed in Sections 13-15 of the GLBA:
Regardless of whether or not a customer has opted-out of NPI disclosure and regardless of the three exceptions mentioned above, financial institutions may never disclose account numbers for marketing purposes; account numbers include numbers for:
• a credit card account
• a deposit account
• a transaction account
Compliance with the Financial Privacy Rule is enforced by the Federal Trade Commission (FTC) in conjunction with federal banking agencies, other federal regulatory authorities, and state insurance authorities. The FTC has the authority to enforce injunctive and ancillary equitable relief for violations of the Financial Privacy Rule.
If your business is a financial institution, the Privacy of Consumer Financial Information Rule applies to your business, and your business is therefore required to comply with the privacy notice regulations described in the section above.
A financial institution is a company that offers financial products or services to individuals, such as loans, financial or investment advice, or insurance; financial institutions include the following:
If your business receives NPI from a nonaffiliated financial institution, the Privacy of Consumer Financial Information Rule applies to your business regardless of whether your business is itself a financial institution, and you therefore have to comply with the Financial Privacy Rule.
If your business is neither a financial institution nor the recipient of nonpublic personal information from a financial institution that is not affiliated with your business, the Privacy of Consumer Financial Information Rule does not apply to your business, and you therefore do not have to comply with the Financial Privacy Rule.
Any violations of the Financial Privacy Rule are subject to injunctive and ancillary equitable relief by the FTC.
Although most of the details surrounding the Privacy of Consumer Financial Information Rule have been covered above, there are some nuances that have not been covered. To learn more about the Privacy of Consumer Financial Information Rule in detail, please use the following resources:
[1] A nonaffiliated third party is a person or company that does not control, is not controlled by, and is not under common control with the financial institution in question.
[2] While the Financial Privacy Rule of the GLBA regulates the collection, use, and release of NPI, the Fair Credit Reporting Act (FCRA) regulates the collection, use, and release of consumer credit information in credit reports by consumer reporting agencies. The GLBA does not modify, limit, or supersede the FCRA.
FraudFighter by UVeritech. Copyright 2024. All Rights Reserved.