<img height="1" width="1" alt="" style="display:none" src="https://www.facebook.com/tr?id=1549346735328577&amp;ev=PixelInitialized">

I. In a Nutshell: What is the Privacy of Consumer Financial Information Rule?

The Privacy of Consumer Financial Information Rule, or Financial Privacy Rule for short, details the financial privacy provisions of the Gramm-Leach-Bliley Act that are to be followed by financial insitutions and enforced by the Federal Trade Commission (FTC).

The goal of the Financial Privacy Rule is to protect consumer financial privacy by:

  • Regulating how and with whom nonpublic personal information (NPI) can be shared
  • Requiring customer notification about which nonpublic personal information will be collected and shared
  • Allowing customers to opt-out of sharing certain nonpublic personal information

As a part of the GLBA, the Financial Privacy Rule went into effect on November 12, 1999. Businesses under regulation by the GLBA were required to be in full compliance by July 1, 2001.


Why does the Privacy of Consumer Financial Information Rule exist?

The Gramm-Leach-Bliley Act (GLBA) allowed for the merger between commercial banks, investment banks, securities firms, and insurance companies, which meant that the financial institution that resulted from the merger would be accountable for the use and storage of sensitive, nonpublic personal information (NPI) of their customers.

The size and amount of NPI housed within one financial institution would end up a security nightmare if it fell into the wrong hands, and so, legislators made sure to include provisions - the Privacy of Consumer Financial Information Rule aka the Financial Privacy Rule - that protected consumer financial privacy into the GLBA.

To learn more about the GLBA, please read our post here.


The Details: Privacy of Consumer Financial Information Rule Requirements & Compliance

The main requirement of the Financial Privacy Rule is that financial institutions need to have a clear, conspicuous, and reasonably understandable written privacy policy either on paper or online that must be given to their customers at the time a customer relationship is established. In addition, a copy of the full privacy notice must be given annually to all current customers.

If the privacy policy is given on paper, it may be delivered either by mail or by hand. Customers can be given online access to the privacy policy instead, if agreed upon by the customer. Online privacy policies are to be posted on the financial institution’s website and can require customers to acknowledge that they have received and read the privacy policy.

The purpose of this privacy notice is to accurately inform customers using plain language about your policies and procedures for collecting, disclosing, and protecting NPI of consumers, customers, and former customers.

Although not explicitly covered in the Financial Privacy Rule section of the GLBA, the Safeguard Rule and Pretexting Provisions sections of the GLBA requires that financial institutions are responsible for the safekeeping of customers’ NPI.

The privacy policy needs to include the following:

  • Sources from which NPI will be collected
    ∙ Ex: from an application an individual filled out or from a third party, such as a consumer reporting agency
  • Types of NPI that will be collected
    ∙ Ex: name, address, phone number, Social Security Number, account balances
  • With whom – an affiliated third-party or a non-affiliated third-party1 – the collected NPI will be shared
    ∙ Ex: financial service providers – such as mortgage brokers and insurance companies – and non-financial service providers – such as direct marketers and retailers
  • NPI that will be used and with which non-affiliated third-party the NPI will be shared for service/marketing provider services as detailed in Section 13
  • NPI that will be given and to which nonaffiliated third-parties the NPI will be given as allowed in Section 14 and 15
    ∙ For this inclusion, it needs to be stated that NPI given in this manner are given ‘as permitted by law’
  • NPI that will be given and to which nonaffiliated third-parties the NPI will be given outside of Sections 13, 14, and 15
    ∙ For this inclusion, it is required to give customers the ability to opt-out of sharing or disclosing NPI
  • NPI that needs to be disclosed under the Fair Credit Reporting Act2
  • Policies and practices that are used to protect NPI confidentiality and security

Pertaining to the list above, financial institutions do not have to include in their privacy policy any items on the list that do not apply to them. For example, if your financial institution does not disclose any NPI to third parties, affiliated or nonaffiliated, your privacy policy can simply state that the financial institution will only disclose NPI to nonaffiliated third parties ‘as permitted by law’, such as the issuance of a subpoena, to be in compliance with the Financial Privacy Rule.

The following discusses what information is considered NPI and what information is not considered NPI. Information that is not NPI is not regulated by the Financial Privacy Rule.

What is Nonpublic Personal Information (NPI)?

The type of consumer financial information that the Financial Privacy Rule deals with, as mentioned in the above section, is ‘nonpublic personal information’ or NPI for short. Specifically, NPI is understood as any personally identifiable financial information that is not publically available and is collected for providing a financial product or service, such as:

  • information given by an individual in order to receive a financial product or service; examples include:
    ∙ name
    ∙ address
    ∙ income
    ∙ Social Security number
  • information received from a transaction involving an individual and your financial product/service, such as:
    ∙ account numbers
    ∙ loan/deposit balances
    ∙ payment history
    ∙ credit/debit card purchases
  • information received on an individual by providing a financial product/service, such as:
    ∙ information found on court records
What is Nonpublic Personal Information (NPI)?

There are certain types of personal information that is not considered NPI due to the fact that there is a reasonable basis to believe that such information is ‘publicly available’. Publicly available information is information that is:

  • lawfully made available to the public, such as the information on white pages in a phone book
  • able to be made nonpublic, but the individual has chosen to not do so

The following describes personal information that is not considered NPI, and therefore, not covered under the Financial Privacy Rule:

  • personal information that is contained in federal, state, and local government records that are public, such as information that an individual has a mortgage loan through a particular financial institution
  • personal information that is found in widely distributed media, such as telephone books or websites, and is publically available on an unrestricted basis, even if a fee or password is required to obtain such information
What is Nonpublic Personal Information (NPI)?

There are situations in which certain personal information may be publicly available, but still considered as NPI under the Financial Privacy Rules – situations such as:

  • phone numbers that individuals have chosen to make unlisted
  • customer phone numbers that are listed, but because a customer relationship exists between the individual and the financial institution, information obtained through this relationship would be considered NPI

As mentioned above, customers are given the right to opt-out of having certain NPI disclosed to nonaffiliated third parties. The right to opt-out needs to be included within the privacy policy.

Opt-Out Right and Exceptions

Customers have the right to be given the reasonable means and opportunity to opt-out of having their NPI disclosed with nonaffiliated third parties. Reasonable means and opportunity means:

  • customers have a reasonable amount of time to decide to opt-out before NPI is disclosed to non-affiliated third parties; for isolated, one-off transactions, the option to opt-out may need to be given before the transaction can be completed
  • customers have a reasonable method of opting-out, such as by calling a toll-free number or by mailing in a form with an opt-out authorization check-box

Customers have the right to opt-out at any time. Once a customer has exercised the right to opt-out, financial institutions are required to comply as soon as possible. The customer’s right of opting-out extends beyond their time as a customer at your financial institution; unless a former customer agrees, either in writing or electronically, to terminate the opt-out, financial institutions are required to honor the opt-out. If a former customer returns to establish a new customer relationship at a financial institution, the customer needs to renew the right to opt-out.

Although the GLBA does not explicitly require financial institutions to include this opt-out option in their privacy policy if they only share NPI affiliated third parties, the Fair Credit Reporting Act 2 does require the inclusion of the opt-out option and so, it must be included in privacy policies.

However, there are exceptions to which customers have the right to opt-out; these exceptions are detailed in Sections 13-15 of the GLBA:

  • Section 13: If initial notice is given and if the non-affiliated third party has, under contract, been prohibited from using or sharing NPI for anything else other than specified purposes, customers cannot opt-out of having NPI used by the non-affiliated third party to perform services for, or to function on behalf of, the financial institution; this exception almost always comes into play for marketing purposes
  • Section 14: NPI that is needed to conduct a transaction that is requested or authorized by a customer, such as the audit of credit information or the administration of a rewards program
  • Section 15: NPI that is needed to prevent/protect against fraud or to comply with legal requirements, such as responding to a subpoena

Regardless of whether or not a customer has opted-out of NPI disclosure and regardless of the three exceptions mentioned above, financial institutions may never disclose account numbers for marketing purposes; account numbers include numbers for:
• a credit card account
• a deposit account
• a transaction account

Compliance with the Financial Privacy Rule is enforced by the Federal Trade Commission (FTC) in conjunction with federal banking agencies, other federal regulatory authorities, and state insurance authorities. The FTC has the authority to enforce injunctive and ancillary equitable relief for violations of the Financial Privacy Rule.


Does the Privacy of Consumer Financial Information Rule Affect your Business?

If your business is a financial institution, the Privacy of Consumer Financial Information Rule does apply to your business, and therefore, is required to comply with the privacy notice regulations described in the section above.

A financial institution is a company that offers financial products or services to individuals, like loans, financial or investment advice, or insurance”; financial institutions include the following:

  • banks
  • non-bank mortgage lenders
  • real estate appraisers
  • loan brokers
  • financial or investment advisers
  • debt collectors
  • tax return preparers
  • real estate settlement service providers

If your business receives NPI from a non-affiliated financial institution, regardless of whether or not your business is a financial institution, the Privacy of Consumer Financial Information Rule does apply to your business, and therefore, you have to comply with the Financial Privacy Rule.

  • If you receive NPI under Section 14 or Section 15, your business may use the NPI only for the purpose for which it was received, which may involve the disclosure of NPI to others - who also fall under the Section 14 or Section 15 exceptions - in order to carry out the purpose. NPI received in this manner may be re-disclosed to your affiliates – who are also subject to the same NPI-use rules as your business – as well as affiliated of the originating financial institution
  • If you receive NPI outside of Section 14 or Section 15 - for example, by purchasing a customer marketing list from a financial institution – you may use the NPI for any internal purpose. However, this information can only be disclosed to entities that are allowed by the originating financial institution, per their privacy policy. NPI received in this manner may be re-disclosed to your affiliates – who are also subject to the same NPI-use rules as your business – as well as affiliated of the originating financial institution

If your business neither is a financial institution nor the recipient of nonpublic personal information from a financial institution that is not affiliated with your business, the Privacy of Consumer Financial Information Rule does not apply to your business, and therefore, you do not have to comply with the Financial Privacy Rule.

Any violations of the Federal Privacy Rule are subject to injunctive and ancillary equitable relief by the FTC.


Privacy of Consumer Financial Information Rule Resources

Although most of the details surrounding the Privacy of Consumer Financial Information Rule have been covered above, there are some nuances that have not been covered. To learn more about the Privacy of Consumer Financial Information Rule in detail, please use the following resources:

Financial Privacy Rule-Related Blog Posts

1 A non-affiliated third party is a person or company that does not control, is not controlled by, or not under common control with the financial institution in question.

2 While the Financial Privacy Rule of the GLBA regulates the collection, use and release, the Fair Credit Reporting Act (FCRA) regulates the collection, use, and release of consumer credit information in credit reports by consumer reporting agencies. The GLBA does not modify, limit, or supersede the FCRA.

EXPLORE FRAUD PREVENTION SOLUTIONS

Learn more about:

Want to protect your business from fraud?

Our team of fraud prevention specialists is here to guide and provide support for all your fraud prevention needs!

CONTACT OUR FRAUD PREVENTION TEAM