VIII. Privacy — GLBA


Gramm-Leach-Bliley Act
(Privacy of Consumer Financial Information)
FDIC Consumer Compliance Examination Manual — April 2021

Introduction

Title V, Subtitle A of the Gramm-Leach-Bliley Act (“GLBA”) [1] governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements, and (ii) the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.

In 2000, the Board of Governors of the Federal Reserve System (“Board”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), the Office of the Comptroller of the Currency (“OCC”), and the former Office of Thrift Supervision (“OTS”), published regulations implementing provisions of GLBA governing the treatment of nonpublic personal information about consumers by financial institutions. [2]

Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”) [3] granted rulemaking authority for most provisions of Subtitle A of Title V of GLBA to the Consumer Financial Protection Bureau (“CFPB”) with respect to financial institutions and other entities subject to the CFPB’s jurisdiction, except securities and futures-related companies and certain motor vehicle dealers. The Dodd-Frank Act also granted authority to the CFPB to examine and enforce compliance with these statutory provisions and their implementing regulations with respect to entities under CFPB jurisdiction. [4] In December 2011 the CFPB recodified in Regulation P, 12 CFR Part 1016, the implementing regulations that were previously issued by the Board, the FDIC, the Federal Trade Commission (“FTC”), the NCUA, the OCC, and the former OTS. [5]

The regulation establishes rules governing duties of a financial institution to provide particular notices and limitations on its disclosure of nonpublic personal information, as summarized below.

• A financial institution must provide notice of its privacy policies and practices, and allow the consumer to opt out of the disclosure of the consumer’s nonpublic personal information to a nonaffiliated third party if the disclosure is outside of the exceptions in sections 13, 14, or 15 of the regulation.

• If the financial institution provides the consumer’s nonpublic personal information to a nonaffiliated third party under the exception in section 13, it must provide notice of its privacy policies and practices to the consumer. Under the exception in section 13, the financial institution must also enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to perform services for the institution or functions on the institution’s behalf, including use under an exception in sections 14 or 15 in the ordinary course of business to carry out those services or functions. If the financial institution complies with these requirements, it is not required to provide an opt out notice.

• Regardless of whether a financial institution shares nonpublic personal information, the institution must provide notice of its privacy policies and practices to its customers.

• A financial institution generally may not disclose consumer account numbers to any nonaffiliated third party for marketing purposes.

• A financial institution must follow redisclosure and reuse limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.

In general, the privacy notice must describe a financial institution’s policies and practices with respect to collecting and disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties. Also, the notice must provide a consumer a reasonable opportunity to direct the institution generally not to share nonpublic personal information about the consumer (that is, to “opt out”) with nonaffiliated third parties other than as permitted by exceptions under the regulation (for example, sharing for everyday business purposes, such as processing transactions and maintaining customers’ accounts, and in response to properly executed governmental requests). The privacy notice must also provide, where applicable under the Fair Credit Reporting Act (“FCRA”), a notice and an opportunity for a consumer to opt out of certain information sharing among affiliates.

Section 728 of the Financial Services Regulatory Relief Act of 2006 required the four federal banking agencies (the Board, the FDIC, the OCC, and the former OTS) and four additional federal regulatory agencies (the Commodity Futures Trading Commission (“CFTC”), the FTC, the NCUA, and the Securities and Exchange Commission (“SEC”)) to develop a model privacy form that financial institutions may rely on as a safe harbor to provide disclosures under the privacy rules. On December 1, 2009, the eight federal agencies jointly released a voluntary model privacy form designed to make it easier for consumers to understand how financial institutions collect and share nonpublic personal information. [6] The final rule adopting the model privacy form was effective on December 31, 2009.

On October 28, 2014, the CFPB published a final rule amending the requirements regarding financial institutions’ provision of their annual disclosures of privacy policies and practices to customers by creating an alternative delivery method that financial institutions can use under certain circumstances. [7] The amendment was effective immediately upon publication. The alternative delivery method allows a financial institution to provide an annual privacy notice by posting the annual notice on its web site, if the financial institution meets certain conditions.

As of December 4, 2015, section 75001 of the Fixing America’s Surface Transportation Act [8] (“FAST Act”) amended section 503 of GLBA to establish an exception to the annual privacy notice requirements whereby a financial institution that meets certain criteria is not required to provide an annual privacy notice to customers. The amendment was effective upon enactment.

There are fewer requirements to qualify for the exception to providing an annual privacy notice pursuant to the FAST Act GLBA amendments than there are to qualify to use the CFPB’s alternative delivery method; any institution that meets the requirements for using the alternative delivery method is effectively excepted from delivering an annual privacy notice.

Definitions and Key Concepts

In discussing the duties and limitations imposed by the regulation, a number of key concepts are used. These concepts include “financial institution”; “nonpublic personal information”; “nonaffiliated third party”; the “opt out” right and the exceptions to that right; and “consumer” and “customer.” Each concept is briefly discussed below. A more complete explanation of each appears in the regulation.

Financial Institution: A “financial institution” is any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities, as determined by section 4(k) of the Bank Holding Company Act of 1956. Financial institutions can include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents. [9]

Nonpublic personal information: “Nonpublic personal information” generally is any information that is not publicly available and that:

• a consumer provides to a financial institution to obtain a financial product or service from the institution;
• results from a transaction between the consumer and the institution involving a financial product or service; or
• a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.

Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public. Examples include information in a telephone book or a publicly recorded document, such as a mortgage or security interest filing.

Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (i.e., cookies).

There are special rules regarding lists. Publicly available information would be treated as nonpublic if it were included on a list of consumers derived from nonpublic personal information. For example, a list of the names and addresses of a financial institution’s depositors would be nonpublic personal information even though the same names and addresses might be published in local telephone directories, because the list is derived from the fact that a person has a deposit account with an institution, which is not publicly available information.

However, if the financial institution has a reasonable basis to believe that certain customer relationships are a matter of public record, then any list of these relationships would be considered publicly available information. For instance, a list of mortgage customers from public mortgage records would be considered publicly available information. The institution could provide a list of such customers, and include on that list any other publicly available information it has about those customers without having to provide notice or opt out.

Nonaffiliated third party: A “nonaffiliated third party” is any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the institution’s affiliate. An “affiliate” of a financial institution is any company that controls, is controlled by, or is under common control with the financial institution.

Opt Out Right and Exceptions:

The Right—Consumers must be given the right to “opt out” of, or prevent, a financial institution from disclosing nonpublic personal information about them to a nonaffiliated third party unless an exception to that right applies. The exceptions are detailed in sections 13, 14, and 15 of the regulation and described below.

As part of the opt out right, consumers must be given a reasonable opportunity and a reasonable means to opt out. What constitutes a reasonable opportunity to opt out depends on the circumstances surrounding the consumer’s transaction, but a consumer must be provided a reasonable amount of time to exercise the opt out right. For example, it would be reasonable if the financial institution allows 30 days from the date of mailing a notice or 30 days after customer acknowledgement of an electronic notice for an opt out direction to be returned. What constitutes a reasonable means to opt out may include check-off boxes, a reply form, or a toll-free telephone number. It is not reasonable to require a consumer to write his or her own letter as the only means to opt out.

The Exceptions

Exceptions to the opt out right are detailed in sections 13, 14, and 15 of the regulation. Financial institutions need not comply with opt-out requirements if they limit disclosure of nonpublic personal information:

• Section 13: To a nonaffiliated third party to perform services for the financial institution or to function on its behalf, including marketing the institution’s own products or services or those offered jointly by the institution and another financial institution. The exception is permitted only if the financial institution provides an initial notice of these arrangements and by contract prohibits the third party from disclosing or using the information for other than the specified purposes. However, if the service or function is covered by the exceptions in section 14 or 15 (discussed below), the financial institution does not have to comply with the disclosure and confidentiality requirements of section 13.

• Section 14: As necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or under certain other circumstances relating to existing relationships with customers. Disclosures under this exception could be in connection with the audit of credit information, administration of a rewards program, or provision of an account statement.

• Section 15: For specified other disclosures that a financial institution normally makes, such as to protect against or prevent actual or potential fraud; to the financial institution’s attorneys, accountants, and auditors; or to comply with applicable legal requirements, such as the disclosure of information to regulators.

Consumer and Customer:

The distinction between consumers and customers is significant because financial institutions have additional disclosure duties with respect to customers. Under the regulation, all customers are consumers, but not all consumers are customers.

A “consumer” is an individual, or that individual’s legal representative, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes.

A “financial service” includes, among other things, a financial institution’s evaluation or brokerage of information that the institution collects in connection with a request or an application from a consumer for a financial product or service. For example, a financial service includes a lender’s evaluation of an application for a consumer loan or for opening a deposit account even if the application is ultimately rejected or withdrawn.

Consumers who are not customers are entitled to an initial privacy and opt out notice before the financial institution shares nonpublic personal information with nonaffiliated third parties outside of the exceptions in sections 13, 14, and 15.

Consumers who are not customers are entitled to an initial privacy notice before the financial institution shares nonpublic personal information with a nonaffiliated third party under the exception in section 13. Under the exception in section 13, the financial institution must also enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to perform services for the institution or functions on the institution’s behalf, including use under an exception in sections 14 or 15 in the ordinary course of business to carry out those services or functions. If a financial institution complies with these requirements, it is not required to provide an opt out notice.

A “customer” is a consumer who has a “customer relationship” with a financial institution. A “customer relationship” is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

For example, a customer relationship may be established when a consumer engages in one of the following activities with a financial institution:

• maintains a deposit or investment account;
• obtains a loan;
• enters into a lease of personal property; or
• obtains financial, investment, or economic advisory services for a fee.

Customers are entitled to initial and annual privacy notices regardless of the information disclosure practices of their financial institution unless an exception to the annual privacy notice requirement applies.

There is a special rule for loans. When a financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. However, any information on the borrower retained by the institution that sells the servicing rights must be accorded the protections due any consumer.

Note that isolated transactions alone will not cause a consumer to be treated as a customer. For example, if an individual purchases a bank check from a financial institution where the person has no account, the individual will be a consumer but not a customer of that institution because he or she has not established a customer relationship. Likewise, if an individual uses the ATM of a financial institution where the individual has no account, even repeatedly, the individual will be a consumer, but not a customer of that institution.

Financial Institution Duties

The regulation establishes specific duties and limitations for a financial institution based on its activities. Financial institutions that intend to disclose nonpublic personal information outside the exceptions in sections 13, 14, and 15 will have to provide opt out rights to their customers and to consumers who are not customers. All financial institutions have an obligation to provide initial and annual notices of their privacy policies and practices to their customers (unless an exception to the annual privacy notice requirement applies) and to provide an initial notice to consumers who are not customers before disclosing nonpublic personal information to a nonaffiliated third party other than under sections 14 and 15. All financial institutions must abide by the regulatory limits on the disclosure of account numbers to nonaffiliated third parties and on the redisclosure and reuse of nonpublic personal information received from nonaffiliated financial institutions. A brief summary of financial institution duties and limitations appears below. A more complete explanation of each appears in the regulation.

Notice and Opt Out Duties to Consumers:

Before a financial institution discloses nonpublic personal information about any of its consumers to a nonaffiliated third party, and an exception in section 14 or 15 does not apply, then the financial institution must provide to the consumer:

• an initial notice of its privacy policies a

Notes

[1] 15 U.S.C. Sections 6801-6809.
[2] The NCUA published its final rule in the Federal Register on May 18, 2000 (65 FR 31722). The Board, the FDIC, the OCC, and the former OTS jointly published their final rules on June 1, 2000 (65 FR 35162).
[3] Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, Title X, 124 Stat. 1983 (2010).
[4] Dodd-Frank Act Sections 1002(12)(J), 1024(b)-(c), and 1025(b)-(c); 12 U.S.C. Sections 5481(12)(J), 5514(b)-(c), and 5515(b)-(c). Section 1002(12)(J) of the Dodd-Frank Act, however, excluded financial institutions’ information security safeguards under GLBA section 501(b) from the CFPB’s rulemaking, examination, and enforcement authority.
[5] 76 FR 79025 (Dec. 21, 2011). Pursuant to GLBA, the FTC retains rulemaking authority over any financial institution that is a person described in 12 U.S.C. Section 5519 (with certain statutory exceptions, the FTC generally retains rulemaking authority for motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).
[6] 74 FR 62890.
[7] 79 FR 64057.
[8] Fixing America’s Surface Transportation Act of 2015, Pub. L. No. 114-94 (2015), 129 Stat. 1312 (2015).
[9] Certain functionally regulated subsidiaries, such as brokers, dealers, and investment advisers, are subject to GLBA implementing regulations issued by the SEC. Other functionally regulated subsidiaries, such as futures commission merchants, commodity trading advisors, commodity pool operators, and introducing brokers in commodities, are subject to GLBA implementing regulations issued by the CFTC. Insurance entities may be subject to privacy regulations issued by their respective state insurance authorities.
