Nebraska Bankers Association

PRIVACY OF CONSUMER FINANCIAL INFORMATION: TITLE V OF THE FINANCIAL MODERNIZATION ACT AND REGULATION P

I. INTRODUCTION


Privacy provisions contained in the Gramm-Leach-Bliley Financial Modernization Act (P.L. 106-102, Title V, Subtitle A, 15 U.S.C. § 6801 et seq., hereinafter referred to as the “Act”) allow consumers to exercise an affirmative “opt-out” in order to prevent a financial institution from disclosing nonpublic personal information to third parties that are not affiliated with the financial institution. The Act also requires financial institutions to provide notice to customers about their privacy policies and practices. There is no restriction on a financial institution disclosing nonpublic personal information about consumers among its affiliated companies, or on disclosing information about businesses and corporations.


The Act applies to any financial institution that is engaged in a financial activity, including banks, insurance companies, broker-dealers and finance companies. Federal banking regulators issued joint regulations to implement the privacy provisions. These regulations were effective November 13, 2000; however, compliance was voluntary until July 1, 2001, at which time all financial institutions must have provided initial privacy notices to all existing customers. The Federal Reserve Board assigned the rules implementing the Act to Regulation P (Part 230).


II. EXECUTIVE SUMMARY OF REQUIREMENTS


There are three principal requirements regarding the privacy of consumer financial information in the Act. These are:


  • Financial institutions must give customers notices describing their privacy policies and practices, including their policies with respect to the disclosure of nonpublic personal information to their affiliates and to nonaffiliated third parties. The notices must be given at the time that the customer relationship is established and on an annual basis thereafter. The notices must be in writing (unless the consumer agrees to electronic delivery) and must describe the types of nonpublic personal information collected and disclosed, the types of affiliated and nonaffiliated third parties with whom the information may be shared, and the consumer’s right to opt out and thereby limit certain information sharing.
  • Unless specifically exempted, financial institutions generally must not, directly or through an affiliate, disclose nonpublic personal information regarding consumers to any nonaffiliated third party unless consumers are given a reasonable opportunity to direct that such information not be shared (referred to as an “opt-out”). The exceptions include, e.g., disclosure of information to third parties who provide services to the financial institution as the financial institution’s agent.
  • Financial institutions may not disclose customer account numbers (including credit card, deposit or transaction accounts) or similar forms of access numbers or access codes to any nonaffiliated third party for the purpose of marketing.

III. DEFINITIONS


There are a number of key definitions that are important to refer to in order to fully understand the concepts of this law and regulation.


Affiliate – any company that controls, is controlled by, or is under common control with another company.


Clear and conspicuous – a notice that is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.


A financial institution makes its notice reasonably understandable if it:


  • presents the information in the notice in clear, concise sentences, paragraphs, and sections;
  • uses short explanatory sentences or bullet lists whenever possible;
  • uses definite, concrete, everyday words and active voice whenever possible;
  • avoids multiple negatives;
  • avoids legal and highly technical business terminology whenever possible; and
  • avoids explanations that are imprecise and readily subject to different interpretations.

A financial institution designs its notice to call attention to the nature and significance of the information in it if the financial institution:


  • uses a plain-language heading to call attention to the notice;
  • uses a typeface and type size that are easy to read;
  • provides wide margins and ample line spacing;
  • uses boldface or italics for key words; and
  • in a form that combines the notice with other information, uses distinctive type size, style and graphic devices (e.g., shading or sidebars) to set the notice apart from that other information.

If a financial institution provides a notice on a web page, it designs its notice to call attention to the nature and significance of the information in it if it uses text or visual cues to encourage scrolling down the page where necessary to view the entire notice, ensures that other elements on the web site (such as text, graphics, hyperlinks or sound) do not distract attention from the notice, and either:


  • places the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or
  • places a link on a screen that consumers frequently access, such as a page on which transactions are conducted, which connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.

Collect – obtain information that a financial institution organizes or is able to retrieve by the name of an individual or by identifying number, symbol or other identifying particular assigned to the individual, irrespective of the source of the underlying information.


Consumer – an individual who obtains financial products or services for personal, family or household purposes. The term “financial services” includes a financial institution’s evaluation of a credit application. So even if an application is denied or withdrawn, the applicant is still considered a consumer. Note that the terms “consumers” and “customers” are separately defined.


If a financial institution intends to share nonpublic personal information about a consumer with nonaffiliated third parties, the financial institution must comply with the privacy regulations.


Examples


  • An individual who applies to a financial institution for credit for personal, family or household purposes is a consumer of a financial service, regardless of whether the credit is extended.

  • An individual who provides nonpublic personal information to a financial institution in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family or household purposes is a consumer of a financial service, regardless of whether the loan is extended.

  • An individual who provides nonpublic personal information to a financial institution in connection with obtaining or seeking to obtain financial, investment, or economic advisory services is a consumer regardless of whether the financial institution establishes a continuing advisory relationship.

  • If a financial institution holds ownership or servicing rights to an individual’s loan that is used primarily for personal, family or household purposes, the individual is the financial institution’s consumer, even if the financial institution holds those rights in conjunction with one or more other institutions (the individual is also a consumer with respect to the other financial institutions involved). An individual who has a loan in which a financial institution has ownership or servicing rights is the financial institution’s consumer, even if the financial institution, or another institution with those rights, hires an agent to collect on the loan.

  • An individual who is a consumer of another financial institution is not a financial institution’s consumer solely because the financial institution acts as agent for, or provides processing or other services to, that financial institution.

  • An individual is not a financial institution’s consumer solely because: he or she has designated the financial institution as trustee for a trust; he or she is a beneficiary of a trust for which the financial institution is a trustee; or he or she is a participant or a beneficiary of an employee benefit plan that the financial institution sponsors or for which it acts as a trustee or fiduciary.

Consumer reporting agency – the same as defined in § 603(f) of the Fair Credit Reporting Act [15 U.S.C. § 1681a(f)].


Customer – a consumer who has a customer relationship with the financial institution. Note that the terms “consumers” and “customers” are separately defined.


Customer relationship – a continuing relationship in which a financial institution provides a financial product or service that is to be used by a consumer primarily for personal, family or household purposes. For example, a customer relationship is created when a deposit account is opened, a loan is originated or the servicing rights of a mortgage are purchased.


Before establishing a relationship with a “customer,” the financial institution must disclose its privacy and information sharing policies. In addition, the financial institution must provide an annual privacy policy disclosure to all its “customers.”


Examples


Continuing relationship – A consumer has a continuing relationship with a financial institution if the consumer:


  • has a deposit or investment account with the financial institution;
  • obtains a loan from a financial institution;
  • has a loan for which the financial institution owns the servicing rights;
  • purchases an insurance product from the financial institution;
  • holds an investment product through the financial institution, such as when a financial institution acts as a custodian for securities or for assets in an individual retirement arrangement;
  • enters into an agreement or understanding with the financial institution whereby the financial institution undertakes to arrange or broker a home mortgage loan for the consumer;
  • enters into a lease of personal property with the financial institution; or
  • obtains financial, investment, or economic advisory services from the financial institution for a fee.

No continuing relationship – A consumer does not, however, have a continuing relationship with the financial institution if:


  • the consumer obtains a financial product or service only in isolated transactions, such as using the financial institution’s ATM to withdraw cash from an account at another financial institution or purchasing a cashier’s check or money order;
  • the financial institution sells the consumer’s loan and does not retain the rights to service that loan; or
  • the financial institution sells the consumer airline tickets, travel insurance or traveler’s checks in isolated transactions.

Question:  When one financial institution sells a loan’s servicing right to another financial institution, do they both have a customer relationship with the borrower?


No. To avoid the situation where the borrower would be the customer of multiple financial institutions for a single product, the rule provides that the borrower is a customer of the loan servicer and not of the originating lender. The borrower is, however, considered a consumer of the originating lender.


Question:  A trust maintains a checking account at the financial institution. Is the beneficiary of a trust a customer, who must receive disclosures?


No. The trust itself is the actual financial institution customer. Because the trust is not an individual, the privacy rules do not apply.


Question:  Is a signed contract necessary to create a customer relationship?


No. Although a contract indicates that a customer relationship has been established, a contract is not necessary. For instance, a customer relationship is also created when a consumer receives financial advice from a financial institution, because an ongoing relationship is contemplated.


Financial institution – any institution, the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in § 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k)). The term “financial institution” does not include:


  • any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. § 1 et seq.);
  • the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. § 2001 et seq.); or
  • institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.

Financial Product or Service – any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k)).


Financial Service – includes a financial institution’s evaluation or brokerage of information that a financial institution collects in connection with a request or an application from a consumer for a financial product or service.


Nonaffiliated Third Party – any person, except:


  • A financial institution’s affiliate; or
  • A person employed jointly by a financial institution and any company that is not the financial institution’s affiliate (but nonaffiliated third party includes the other company that jointly employs the person).

A nonaffiliated third party includes any company that is an affiliate solely by virtue of a financial institution’s (or its affiliate’s) direct or indirect ownership or control of the company in conducting merchant banking or investment banking activities of the type described in § 4(k)(4)(H), or insurance company investment activities of the type described in § 4(k)(4)(I), of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k)(4)(H) and (I)).


Nonpublic personal information – personally identifiable financial information; and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. Nonpublic personal information does not include publicly available information, except as included on a list as described above; or any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.


Examples of lists:


  • Nonpublic personal information includes any list of individuals’ names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, e.g., account numbers.
  • Nonpublic personal information does not include any list of individuals’ names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.

Personally Identifiable Financial Information – any information:


  • that a consumer provides to a financial institution to obtain a financial product or service from the financial institution;
  • about a consumer resulting from any transaction involving a financial product or service between a financial institution and a consumer; or
  • that the financial institution otherwise obtains about a consumer in connection with providing a financial product or service to that consumer.

Personally identifiable financial information includes:


  • information a consumer provides to a financial institution on an application to obtain a loan, credit card or other financial product or service;
  • account balance information, payment history, overdraft history and credit or debit card purchase information;
  • the fact that an individual is or has been one of the financial institution’s customers or has obtained a financial product or service from the financial institution;
  • any information about the financial institution’s consumer if it is disclosed in a manner that indicates that the individual is or has been the financial institution’s consumer;
  • any information that a consumer provides to the financial institution or that the financial institution or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;
  • any information the financial institution collects through an internet “cookie” (an information collecting device from a web server); and
  • information from a consumer report.

Publicly Available Information – any information that a financial institution has a reasonable basis to believe is lawfully made available to the general public from:


  • federal, state or local government records;
  • widely distributed media; or
  • disclosures to the general public that are required to be made by federal, state or local law.

The financial institution has a reasonable basis to believe that information is lawfully made available to the general public if the financial institution has taken steps to determine:


  • that the information is of the type that is available to the general public; and
  • whether an individual can direct that the information not be made available to the general public and, if so, that the financial institution’s consumer has not done so.

Examples:


  • Government records. Publicly available information in government records includes information in government real estate records and security interest filings.
  • Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or a web site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.

A financial institution has a reasonable basis to believe that mortgage information is lawfully made available to the general public if the financial institution has determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.


In addition, a financial institution has a reasonable basis to believe that an individual’s telephone number is lawfully made available to the general public if the financial institution has located the telephone number in the telephone book or the consumer has informed the financial institution that the telephone number is not unlisted.


Nonpublic Personal Information – the Act (see § 509) requires protection of personally identifiable financial information as nonpublic personal information if the information is not publicly available information. Information is considered to be “publicly available” and excluded from the definition of “nonpublic personal information” if a financial institution has a “reasonable basis to believe that the information is lawfully made available to the general public.” A financial institution has a “reasonable basis” for believing that such information is lawfully made available “if the bank has taken steps to determine that the information is of the type that is available to the general public and, if an individual could direct that the information not be made available to the general public, whether the individual has done so.”


Regulation P gives examples of protected information:


  • Information a consumer provides on an application to obtain a loan, credit card or other financial product or service;
  • Account balance information, payment history, overdraft history and credit or debit card purchase information;
  • The fact that an individual is or has been a customer or has obtained a financial product or service from a financial institution;
  • Information about a consumer if it is disclosed in a manner that indicates that the individual is or has been a consumer of the financial institution;
  • Any information that a consumer provides or a financial institution or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;
  • Any information a financial institution collects through an Internet “cookie”; and
  • Information from a consumer report.

IV. COVERED AND EXEMPT INFORMATION


Regulation P applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes. The privacy provisions do not apply to information about companies or about individuals who obtain financial products or services for business, commercial or agricultural purposes.


Since the scope of the regulation is similar to that of the Truth in Lending Act and its implementing Regulation Z, a financial institution might refer to Regulation Z for guidance on covered transactions. A loan exempt from Regulation Z, because it is primarily a business, commercial or agricultural purpose loan, is also exempt from Regulation P.


A. Business, Commercial and Agricultural Purposes


Regulation Z does not apply to an extension of credit primarily for a business or commercial purpose.


Q. If a partnership applies for a loan to buy a car for one of the partners, does the financial institution need to disclose its privacy policy?


A. No, a business entity is not considered a consumer regardless of the loan purpose.


Q. If an individual wishes to open a checking account for a farm operation, are disclosures necessary?


A. No, disclosures are not necessary. The individual is not considered a “consumer” because the individual is not establishing the account primarily for personal, family or household purposes.


B. Business Credit


In determining whether credit is primarily for business or commercial purposes, the following factors are considered: (1) relationship of the borrower’s primary occupation to the business; (2) degree to which the borrower personally manages the business; (3) ratio of income from the business to total income of the borrower; (4) size of the transaction; and (5) borrower’s statement of purpose for the loan.


C. Business Credit – Rental Property


Regulation Z applies to rental property credit as follows:


Non-owner-occupied property (occupied for 14 or fewer days per year)

  Purpose                       Result
  Acquire, improve or maintain  Business purpose
  Other                         Outcome based on purpose

Owner-occupied property (occupied for more than 14 days per year)

  Purpose              Number of Units  Result
  Acquire              1 or 2           Consumer credit
  Acquire              More than 2      Business credit
  Improve or maintain  1 to 4           Consumer credit
  Improve or maintain  More than 4      Business credit


D. Agricultural Credit Exemption


Regulation Z does not apply to an extension of credit primarily for an agricultural purpose. Agricultural purpose includes the planting, nurturing, harvesting, catching, storing, exhibiting, marketing, transporting, processing or manufacturing of food, beverages (including alcoholic beverages), flowers, trees, livestock, poultry, bees, wildlife, fish or shellfish by a natural person engaged in farming, fishing or growing crops, flowers, trees, livestock, poultry, bees or wildlife.


V. REQUIRED DISCLOSURES


A. Initial Disclosures


Initial privacy disclosures must be clear and conspicuous and accurately reflect the financial institution’s privacy policy and practices. Consumers who are not customers must receive the privacy notice prior to disclosure of nonpublic personal information about the consumer to any nonaffiliated third party.


NOTE: If the financial institution shares information as authorized by § 332.14 (processing transactions at consumer’s request) and § 332.15 (consumer consent and other miscellaneous exceptions), then no notice is required.


Initial privacy disclosures must be provided to customers at the time a customer relationship is established. There are two exceptions to this rule: (1) the notice may be provided after the customer relationship is established if providing it beforehand would substantially delay the consumer’s transaction and the consumer agrees to receive the notice at a later time; and (2) if establishing the customer relationship is not the consumer’s choice, the initial notice may be provided after the fact.


Question:  Must a privacy notice be given each time an existing customer opens a new type of account?


A:  No, as long as the privacy information the customer received previously is still accurate.


Question:  What if two or more people open an account jointly, do they each need to receive a privacy notice?


A:  No. Only one notice is required to be sent in connection with a joint account.


B. Annual Privacy Notice


Except as provided in paragraph B.1 below, financial institutions must send annual notices to their “customers” at least once during any period of twelve consecutive months during which a customer relationship exists. The notice must be clear and conspicuous and must accurately reflect the privacy practices currently in effect. Annual notices may be provided on an institution’s web site if the customer conducts electronic transactions and agrees to such disclosures. A financial institution may define the twelve-consecutive-month period, but it must apply that period to the customer on a consistent basis.


Question:  Is the financial institution required to give an annual disclosure to a depositor whose account is dormant, or to a borrower who has paid off a loan?


No. A financial institution is not required to give an annual disclosure when a customer relationship has terminated. A deposit account relationship is considered terminated when a deposit account becomes inactive under the financial institution’s policies. A closed-end loan relationship is considered terminated when a customer pays off a loan, when the loan is charged off, or when the loan is sold without retaining servicing rights. An open-end loan relationship is considered terminated when the financial institution no longer provides statements or notices to the customer concerning the account. A customer also becomes a former customer when the financial institution has not communicated with the customer about the relationship for a period of twelve consecutive months, other than to provide annual privacy notices or promotional material.


Question:  If a customer opens an account on July 2, 2001, may the annual notice requirement be satisfied by providing notice to the customer by December 31 of 2002?


Yes, if the financial institution defines the twelve-consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the financial institution provided the initial notice.


1. FAST Act


a. Introduction


The FAST Act, passed by Congress in 2015, eliminated the annual privacy notice requirement for a financial institution that (i) only shares consumer information within the Gramm-Leach-Bliley Act (GLBA) listed exemptions (meaning the institution does not give an opt-out right) and (ii) has not changed its information sharing practices from those described in its most recent privacy notice.


A financial institution that meets the requirements for the annual notice exception will not be required to provide annual notices “until such time” as the financial institution fails to comply with the criteria set forth above.  A financial institution will no longer meet the requirements for the exception either by beginning to share nonpublic personal information in ways that trigger rights to opt-out notices under the GLBA and Regulation P, or by otherwise changing its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer in the most recent privacy notice the financial institution provided.


Financial institutions that no longer meet the conditions for the exception must provide customers with annual privacy notices. 


b. Delivery of Annual Privacy Notice After Financial Institution No Longer Meets Requirements for Exception


(1) Changes preceded by a revised privacy notice:  If a financial institution no longer meets the conditions for the exception because it changed its policies or practices in such a way that it is required to provide a revised privacy notice, the financial institution is required to resume delivery of its subsequent regular annual privacy notices pursuant to the existing timing requirements governing delivery of annual notices generally.


Under the final rule, if a financial institution provides a revised notice on any day of year one in advance of changing its policies or practices such that it loses the exception, that revised notice is treated as analogous to an initial notice. Assuming that the financial institution defines the 12-month period as the calendar year, it would have to provide the first annual notice after losing the exception by December 31 of year two.


(2) Changes not preceded by a revised privacy notice:


If a financial institution no longer meets the conditions for the exception because it changed its policies or practices in such a way that it is not required to provide a revised privacy notice, the financial institution must provide an annual privacy notice within 100 days of the change in its policies or practices that caused it to no longer meet the conditions for the exception. 


If a financial institution changes its policies and practices in such a way that it no longer meets the conditions for the exception effective April 1, and the financial institution was not required to provide a revised privacy notice, it must provide an annual privacy notice by July 9 (100 days after April 1), assuming the financial institution defines the 12-consecutive-month period as a calendar year. 


(3) Discontinuance of annual privacy notice:


If, subsequent to providing an annual notice to customers after a financial institution no longer meets the conditions for the exception, the financial institution once again is eligible for the exception to the annual notice requirement, no additional annual notices must be sent to customers until such time as the financial institution no longer meets the requirements for the exception.


2.    Alternative Delivery Method for Privacy Notices

In 2014, the CFPB issued an amendment to the regulations that allowed a financial institution to post its privacy notice on its website, provided a series of conditions were satisfied.  That alternative delivery mechanism remains in place alongside the provisions Congress adopted in the FAST Act.  However, no notice at all need be delivered to customers if (a) the financial institution's privacy policies and practices with respect to disclosing nonpublic personal information have not changed from the policies and practices disclosed in the most recent privacy notice, and (b) the financial institution shares nonpublic personal information with nonaffiliated third parties only in a manner that does not require an opt-out right to be provided to customers.  As a result, the FAST Act has made the CFPB's alternative delivery mechanism no longer necessary.  


C.        Required Information


Both the initial and annual privacy notices must contain the following items of information, in addition to any other information the financial institution wishes to provide, that applies to the financial institution and to the consumers to whom the financial institution sends its privacy notice:


  1. The categories of nonpublic personal information that the financial institution collects;
  2. The categories of nonpublic personal information that the financial institution discloses;
  3. The categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information, other than those parties to whom the financial institution discloses information under §§ 332.14 and 332.15;
  4. The categories of nonpublic personal information about the financial institution’s former customers that the financial institution discloses and the categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information about the financial institution’s former customers, other than those parties to whom the financial institution discloses information under §§ 332.14 and 332.15;
  5. If a financial institution discloses nonpublic personal information to a nonaffiliated third party under § 332.13 (and no other exception in §§ 332.14 or 332.15 applies to that disclosure), a separate statement of the categories of information the financial institution discloses and the categories of third parties with whom the financial institution has contracted;
  6. An explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time;
  7. Any disclosures that the financial institution makes under the Fair Credit Reporting Act (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
  8. The financial institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
  9. Any disclosure that the financial institution makes regarding disclosures made under the exceptions of § 332.14 or § 332.15.

See the sample clauses included in Regulation P, Appendix A, which illustrate some of the notice content requirements.


Question:  May a consumer receive a short-form initial notice and opt-out form if a customer relationship is never formed with the consumer?


Yes. The short-form notice must clearly and conspicuously state that the full privacy disclosure is available upon request.


Question:  What must a financial institution do if the financial institution wants to change its privacy policy?


Before disclosing nonpublic personal information about a customer in a way not accurately described in its existing policy, the financial institution must send the customer an accurate privacy disclosure and an opt-out notice, and the financial institution must give the customer a reasonable opportunity to opt out.


1.  Description of Nonaffiliated Third Parties Subject to Exceptions


If a financial institution discloses nonpublic personal information to third parties as authorized under § 332.14 and § 332.15, the financial institution is not required to list those exceptions in the initial or annual privacy notices. When describing the categories with respect to those parties, the financial institution is required to state only that it makes disclosures to other nonaffiliated third parties as permitted by law.


2.  Categories of Nonpublic Personal Information That the Financial Institution Collects


A financial institution satisfies the requirement to categorize the nonpublic personal information that the financial institution collects if the financial institution lists the following categories, as applicable:


a. Information from the consumer;


b. Information about the consumer’s transactions with the financial institution or its affiliates;


c. Information about the consumer’s transactions with nonaffiliated third parties; and


d. Information from a consumer reporting agency.


3.   Categories of Nonpublic Personal Information a Financial Institution Discloses


A financial institution satisfies the requirement to categorize the nonpublic personal information that the financial institution discloses if the financial institution lists the categories described in paragraph (c)(1) of this section and a few examples to illustrate the types of information in each category.


If a financial institution reserves the right to disclose all of the nonpublic personal information about consumers that it collects, the financial institution may simply state that fact without describing the categories or examples of the nonpublic personal information the financial institution discloses.


4.   Categories of Affiliates and Nonaffiliated Third Parties to Whom a Financial Institution Discloses


A financial institution satisfies the requirement to categorize the affiliates and nonaffiliated third parties to whom it discloses nonpublic personal information if the financial institution lists the following categories, as applicable, and a few examples to illustrate the types of third parties in each category:


a. Financial service providers;


b. Non-financial companies; and


c. Others.


5.   Disclosures Under Exception for Service Providers and Joint Marketers


If a financial institution discloses nonpublic personal information under the exception in § 332.14 to a nonaffiliated third party to market products or services that the financial institution offers alone or jointly with another financial institution, the financial institution satisfies the disclosure requirement of paragraph (a)(5) of this section if it:


a. Lists the categories of nonpublic personal information it discloses, using the same categories and examples the financial institution used to meet the requirements of paragraph (a)(2) of this section, as applicable; and


b. States whether the third party is:


(1) A service provider that performs marketing services on the financial institution's behalf or on behalf of the financial institution and another financial institution; or


(2) A financial institution with whom the financial institution has a joint marketing agreement.


6.  Simplified Notices


If a financial institution does not disclose, and does not wish to reserve the right to disclose, nonpublic personal information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under §§ 332.14 and 332.15, the financial institution may simply state that fact, in addition to the information it must provide under paragraphs (a)(1), (a)(8), (a)(9), and (b) of this section.


7.   Confidentiality and Security


A financial institution describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if it does both of the following:


a. Describes in general terms who is authorized to have access to the information; and


b. States whether the financial institution has security practices and procedures in place to ensure the confidentiality of the information in accordance with the financial institution’s policy. The financial institution is not required to describe technical information about the safeguards it uses.


8.  Short-Form Initial Notice with Opt Out Notice for Non-Customers


a. A financial institution may satisfy the initial notice for a consumer who is not a customer by providing a short-form initial notice at the same time as the financial institution delivers an opt out notice.


b. A short-form initial notice must:


(1) Be clear and conspicuous;


(2) State that the financial institution’s privacy notice is available upon request; and


(3) Explain a reasonable means by which the consumer may obtain that notice.


c. The financial institution must deliver its short-form initial notice according to § 332.9. The financial institution is not required to deliver its privacy notice with its short-form initial notice. The financial institution instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives a financial institution’s short-form notice requests its privacy notice, the financial institution must deliver its privacy notice according to § 332.9.


d. Examples of obtaining privacy notice. A financial institution provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the financial institution:


(1) Provides a toll-free telephone number that the consumer may call to request the notice; or


(2) For a consumer who conducts business in person at the financial institution's office, maintains copies of the notice on hand that the financial institution provides to the consumer immediately upon request.


e. Future Disclosures. The financial institution’s notice may include:


(1) Categories of nonpublic personal information that the financial institution reserves the right to disclose in the future, but does not currently disclose; and


(2) Categories of affiliates or nonaffiliated third parties to whom the financial institution reserves the right in the future to disclose, but to whom the financial institution does not currently disclose, nonpublic personal information.


VI.       Opt-Out Notices

 

If a financial institution intends to share nonpublic personal information about a consumer, the financial institution must provide the consumer an initial privacy disclosure and an opt-out notice.  The opt-out notice must clearly and conspicuously explain the consumer’s right to opt-out and must give the consumer a reasonable means of exercising the opt-out right.

 

A.     Adequate Opt-Out Notice

 

A financial institution provides adequate notice that the consumer can opt-out of the disclosure of nonpublic personal information to a nonaffiliated third party if the financial institution:

 

  1. Identifies all of the categories of nonpublic personal information that it discloses or reserves the right to disclose, and all of the categories of nonaffiliated third parties to which the financial institution discloses the information, and states that the consumer can opt-out of the disclosure of that information; and

 

  2. Identifies the financial products or services that the consumer obtains from the financial institution, either singly or jointly, to which the opt-out direction would apply.

 

B.     Reasonable Opt-Out Means

 

A financial institution provides a reasonable means to exercise an opt-out right if it:

 

  1. Designates check-off boxes in a prominent position on the relevant forms with the opt-out notice;

 

  2. Includes a reply form together with the opt-out notice;

 

  3. Provides an electronic means to opt-out, such as a form that can be sent via electronic mail or a process at the financial institution's web site, if the consumer agrees to the electronic delivery of information; or

 

  4. Provides a toll-free telephone number that consumers may call to opt out.

 

C.     Unreasonable Opt-Out Means

 

A financial institution does not provide a reasonable means of opting out if:

 

  1. The only means of opting out is for the consumer to write his or her own letter to exercise that opt-out right; or

 

  2. The only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that the financial institution provided with the initial notice but did not include with the subsequent notice.

 

D.    Specific Opt-Out Means

 

A financial institution may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.

 

E.     Same Form as Initial Notice Permitted

 

A financial institution may provide the opt-out notice together with or on the same written or electronic form as the initial notice.

 

F.        Initial Notice Required When Opt-Out Notice Delivered Subsequent to Initial Notice

 

If a financial institution provides the opt-out notice later than required for the initial notice, the financial institution must also include a copy of the initial notice with the opt-out notice in writing or, if the consumer agrees, electronically.

 

G.        Joint Relationships

 

If two or more consumers jointly obtain a financial product or service from a financial institution, the financial institution may provide a single opt-out notice.  The financial institution’s opt-out notice must explain how the financial institution will treat an opt-out direction by a joint consumer.

 

EXAMPLE:  If John and Mary have a joint checking account with a financial institution and arrange for the financial institution to send statements to John’s address, the financial institution may do any of the following, but the financial institution must explain in its opt-out notice which opt-out policy the financial institution will follow:

 

  1. Send a single opt-out notice to John’s address, but the financial institution must accept an opt-out direction from either John or Mary.

 

  2. Treat an opt-out direction by either John or Mary as applying to the entire account.  If the financial institution does so, and John opts out, the financial institution may not require Mary to opt out as well before implementing John's opt-out direction.

 

  3. Permit John and Mary to make different opt-out directions.  If the financial institution does so:

 

     a. The financial institution must permit John and Mary to opt-out for each other;

 

     b. If both opt-out, the financial institution must permit both to notify the financial institution in a single response (such as on a form or through a telephone call); and

 

     c. If John opts out and Mary does not, the financial institution may only disclose nonpublic personal information about Mary, but not about John and not about John and Mary jointly.

 

H.     Joint Relationships Opt-Out Options

 

Any of the joint consumers may exercise the right to opt out.  The financial institution may either:

 

  1. Treat an opt-out direction by a joint consumer as applying to all of the associated joint consumers; or

 

  2. Permit each joint consumer to opt-out separately.

 

NOTE:  If a financial institution permits each joint consumer to opt-out separately, the financial institution must permit one of the joint consumers to opt out on behalf of all of the joint consumers.

 

NOTE:  A financial institution may not require all joint consumers to opt-out before it implements any opt-out direction.

 

I.       Time to Comply with Opt-Out

 

A financial institution must comply with a consumer’s opt-out direction as soon as reasonably practicable after the financial institution receives it.

 

J.      Continuing Right to Opt-Out

 

A consumer may exercise the right to opt-out at any time.

 

K.     Duration of Consumer’s Opt-Out Direction

 

A consumer’s direction to opt-out under this section is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.

 

When a customer relationship terminates, the customer’s opt-out direction continues to apply to the nonpublic personal information that the financial institution collected during or related to that relationship.  If the individual subsequently establishes a new customer relationship with the financial institution, the opt-out direction that applied to the former relationship does not apply to the new relationship.

 

L.     Revised Privacy Notices

 

Except as otherwise authorized in the privacy provisions, a financial institution must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice, unless:

 

  1. The financial institution has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices;

 

  2. The financial institution has provided to the consumer a new opt-out notice;

 

  3. The financial institution has given the consumer a reasonable opportunity, before the financial institution discloses the information to the nonaffiliated third party, to opt-out of the disclosure; and

 

  4. The consumer does not opt-out.

 

EXAMPLES:  Except as otherwise permitted by §§ 332.13, 332.14 and 332.15, a financial institution must provide a revised notice before it:

 

  1. Discloses a new category of nonpublic personal information to any nonaffiliated third party;

 

  2. Discloses nonpublic personal information to a new category of nonaffiliated third party; or

 

  3. Discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt-out right regarding that disclosure.

 

NOTE:  A revised notice is not required if the financial institution discloses nonpublic personal information to a new nonaffiliated third party that the financial institution adequately described in its prior notice.

 

M.   Forms of Delivery

 

Initial privacy notices and opt-out notices must be provided so that each consumer can be reasonably expected to receive the notice in writing or, if the consumer agrees, electronically.  Examples of reasonable means of delivery include hand delivery and mail; for consumers who conduct transactions electronically, the notice may be posted on the web site if the consumer is required to acknowledge receipt of the notice.  For isolated transactions with consumers, such as ATM transactions, the notice may appear on the ATM screen and require the consumer to acknowledge the notice.

 

A financial institution may not, however, reasonably expect that the consumer will receive actual notice of its privacy policies and practices if it:  (1) only posts a sign in its branch or office or generally publishes advertisements of its privacy policies and practices; or (2) sends the notice via electronic mail to a consumer who does not obtain a financial product or service from the financial institution electronically.

 

N.    Annual Notices Only

 

A financial institution may reasonably expect that a customer will receive actual notice of the financial institution’s annual privacy notice if:

 

  1. The customer uses the financial institution’s web site to access financial products and services electronically and agrees to receive notices at the web site and the financial institution posts its current privacy notice continuously in a clear and conspicuous manner on the web site; or

 

  2. The customer has requested that the financial institution refrain from sending any information regarding the customer relationship, and the financial institution's current privacy notice remains available to the customer upon request.

 

O.     Oral Description of Notice Insufficient

 

A financial institution may not provide any notice required by the privacy provisions solely by orally explaining the notice, either in person or over the telephone.

 

P.     Retention or Accessibility of Notices for Customers

 

For customers only, a financial institution must provide the initial notice, the annual notice, and the revised notice so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.

 

EXAMPLES - Retention or Accessibility.  A financial institution provides a privacy notice to the customer so that the customer can retain it or obtain it later if the financial institution:

 

  1. Hand-delivers a printed copy of the notice to the customer;

 

  2. Mails a printed copy of the notice to the last known address of the customer; or

 

  3. Makes its current privacy notice available on a web site (or a link to another web site) for the customer who obtains a financial product or service electronically and agrees to receive the notice at the web site.

 

Q.    Joint Notice with Other Financial Institutions

 

A financial institution may provide a joint notice from it and one or more of its affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to the financial institution and the other institutions.

 

VII.     Limits on Disclosures

 

A.     Conditions for Disclosure

 

Except as otherwise authorized in the privacy provisions, a financial institution may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless:

 

  1. The financial institution has provided to the consumer an initial notice;

 

  2. The financial institution has provided to the consumer an opt-out notice;

 

  3. The financial institution has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt-out of the disclosure; and

 

  4. The consumer does not opt-out.

 

B.     Opt-Out

 

Opt out means a direction by the consumer that the financial institution not disclose nonpublic personal information about that consumer to a nonaffiliated third party, other than as permitted by §§ 332.13, 332.14 and 332.15.

 

C.     Examples of Reasonable Opportunity to Opt-Out

 

A financial institution provides a consumer with a reasonable opportunity to opt-out if:

 

1.     By Mail

 

The financial institution mails the initial and opt-out notices to the consumer and allows the consumer to opt-out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 30 days from the date the financial institution mailed the notices.

 

2.     By Electronic Means

 

A customer opens an on-line account with a financial institution and agrees to receive the initial and opt-out notices electronically, and the financial institution allows the customer to opt-out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.

 

3.     Isolated Transaction with Consumer

 

For an isolated transaction, such as the purchase of a cashier’s check by a consumer, a financial institution provides the consumer with a reasonable opportunity to opt-out if the financial institution provides the initial and opt-out notices at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt-out before completing the transaction.

 

D.     Application of Opt-Out to All Consumers and All Nonpublic Personal Information

 

A financial institution must comply with this section, regardless of whether the financial institution and the consumer have established a customer relationship.

 

NOTE:  Unless a financial institution complies with this section, the financial institution may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer that the financial institution has collected, regardless of whether the financial institution collected it before or after receiving the direction to opt-out from the consumer.

 

E.     Partial Opt-Out

 

A financial institution may allow a consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt-out.

 

F.     Limits on Redisclosure and Reuse of Information

 

The regulation includes rules limiting the reuse of information.  Third parties that receive information from a financial institution or its affiliate must comply with the same disclosure and use restrictions that apply to the financial institution.  A third party that receives information from a financial institution can redisclose that information to the financial institution and its affiliates.  Affiliates can disclose and reuse the information to the same extent permissible for the third party.

 

EXAMPLE:  If a financial institution receives a customer list from a nonaffiliated financial institution in order to provide account processing services under the exception in § 332.14(a), the financial institution may disclose that information under any exception in §§ 332.14 or 332.15 in the ordinary course of business in order to provide those services.  For example, the financial institution could disclose the information in response to a properly authorized subpoena or to its attorneys, accountants, and auditors.  The financial institution could not disclose that information to a third party for marketing purposes or use that information for its own marketing purposes.

 

G.     Information a Financial Institution Receives Outside of an Exception

 

If a financial institution receives nonpublic personal information from a nonaffiliated financial institution other than under an exception in §§ 332.14 or 332.15 of the privacy provisions, the financial institution may disclose the information only:

 

  1. To the affiliates of the financial institution from which the financial institution received the information;

 

  2. To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the financial institution can disclose the information; and

 

  3. To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the financial institution received the information.

 

EXAMPLE:  If a financial institution obtains a customer list from a nonaffiliated financial institution outside of the exceptions in §§ 332.14 and 332.15:

 

  1. The financial institution may use that list for its own purposes; and

 

  2. The financial institution may disclose that list to another nonaffiliated third party only if the financial institution from which it purchased the list could have lawfully disclosed the list to that third party.  That is, the financial institution may disclose the list in accordance with the privacy policy of the financial institution from which it received the list, as limited by the opt-out direction of each consumer whose nonpublic personal information the financial institution intends to disclose, and it may disclose the list in accordance with an exception in §§ 332.14 or 332.15, such as to the financial institution's attorneys or accountants.

 

H.     Information a Financial Institution Discloses Under an Exception

 

If a financial institution discloses nonpublic personal information to a nonaffiliated third party under an exception in §§ 332.14 or 332.15 of the privacy provisions, the third party may disclose and use that information only as follows:

 

  1. The third party may disclose the information to the financial institution’s affiliates;

 

  2. The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and

 

  3. The third party may disclose and use the information pursuant to an exception in §§ 332.14 or 332.15 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.

 

I.     Information a Financial Institution Discloses Outside of an Exception

 

If a financial institution discloses nonpublic personal information to a nonaffiliated third party other than under an exception in §§ 332.14 or 332.15 of the privacy provisions, the third party may disclose the information only:

 

  1. To the financial institution’s affiliates;

 

  2. To the third party's affiliates, but the third party's affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and

 

  3. To any other person, if the disclosure would be lawful if the financial institution made it directly to that person.

 

VIII.    Limits on Sharing Account Number Information for Marketing Purposes

 

The final rule prohibits financial institutions from sharing account numbers or similar forms of access numbers or access codes for a consumer's credit card account, deposit account, or transaction account with any nonaffiliated third-party telemarketer, unless the information consists of encrypted account numbers and the recipient does not have the key.  Transfers of account numbers to third-party marketers who handle the financial institution's own products are exempted, as are account numbers in affinity or private-label credit card programs.

 

EXAMPLES:

 

Account Number.  An account number or similar form of access number or access code does not include a number or code in an encrypted form, as long as the financial institution does not provide the recipient with a means to decode the number or code.

 

Transaction Account.  A transaction account is an account other than a deposit account or a credit card account.  A transaction account does not include an account to which third parties cannot initiate charges.

 

IX.       MODEL PRIVACY NOTICE FORM

 

A.        Introduction

 

The joint federal agencies have released a final model privacy notice form that is designed to make it easier for consumers to understand how financial institutions collect and share their personal information.  Under the Gramm-Leach-Bliley Act (GLBA), institutions must notify consumers of their information-sharing practices and inform consumers of the right to opt out of certain sharing practices.  Financial institutions that choose to provide the model privacy form to their customers will be deemed to be in compliance with the privacy provisions of GLBA.

 

B.        Model Privacy Form

 

While the model form provides a legal safe harbor, institutions may continue to use other types of notices that vary from the model form so long as these notices comply with the privacy rule.  For example, an institution could continue to use a simplified notice if it does not have affiliates and does not intend to share nonpublic personal information with nonaffiliated third parties outside of the exceptions provided in sections __.14 and __.15.  Likewise, while the Agencies are eliminating the Sample Clauses and related safe harbor (or, for the SEC, guidance), institutions may continue to use notices containing these clauses, so long as these notices comply with the privacy rule.  To reiterate, use of the model form is voluntary; institutions are not required to use it.

 

The General Instructions to the Model Privacy Form require that no additional information – other than what is specifically permitted – may be included in the model form in order to obtain the benefit of the safe harbor.

 

Institutions may incorporate the model form into another document, but they must do so in a way that meets all the requirements of the privacy rule and the model form instructions, including that: the model form must be presented in a way that is clear and conspicuous; it must be intact so that the customer can retain the content of the model form; and it must retain the same page orientation, content, format, and order as provided for in this Rule.

 

The format of the final model form is standardized.  It consists of two pages, and may be printed on a single piece of paper.  The Agencies are not mandating a specific paper size in the final model form as long as the paper is in portrait orientation and sufficient to accommodate minimum font size, spacing, and content requirements.  Financial institutions may include corporate logos in the form, so long as they do not interfere with the readability or space constraints.

 

The first page of the final model form has five parts:  (1) a title; (2) an introductory section, which provides context to help the consumer understand the purpose of the notice; (3) a disclosure table that describes the types of sharing possible for all financial institutions, which of those types of sharing the institution providing the notice actually engages in, and whether the consumer can opt out of any of the institution’s sharing; (4) if applicable, information for the consumer on how to opt out; and (5) the institution’s customer service contact information.

 

The second page provides additional explanatory information that, in combination with the first page, ensures that the notice includes all the elements required by GLBA and the Agencies’ privacy rules.  Supplemental information about the financial institution and what it does with personal information is found at the top of the second page, with key definitions below.  Space is also provided at the bottom of the second page for financial institutions to (1) discuss state and/or international privacy laws; and/or (2) include an acknowledgement of receipt.  The instructions that accompany the form require that no additional information – other than what is specifically permitted – may be included in the model form in order to obtain the benefit of the compliance safe harbor.

 

The model privacy form, along with the various “opt-out” alternatives, and the general instructions for the model privacy forms can be found by going to www.fdic.gov and searching for “Appendix A to Part 1016—Model Privacy Form.”   

 

C.        Transition Rules

 

The Appendix to Part 332 of the FDIC’s Rules and Regulations currently contains model language (called Sample Clauses) that institutions may use in their privacy notices and, if so, they are deemed to be in compliance with the privacy provisions of GLBA.  The rule removes, after a transition period, these Sample Clauses and the associated compliance safe harbor.  Thus, financial institutions will not be able to rely on the safe harbor for the Sample Clauses incorporated into notices that are delivered to consumers on or after January 1, 2011.  The Sample Clauses will be removed entirely from Part 332 on January 1, 2012.  To obtain a compliance safe harbor after the Sample Clauses are removed, financial institutions may use the new model privacy notice form.

 

D.        Additional Privacy Rule Amendment

 

The Agencies are also amending the section of their privacy rules concerning the information that financial institutions which choose not to use the model form must include in their privacy notices.  The rules currently provide that if a financial institution shares information with third-party non-affiliates in a manner that does not require an opt out, the institution is only required to include a statement in its privacy notice that it engages in such sharing as permitted by law.  The joint federal agencies are revising their rules to allow, as an alternative, a statement that the institution shares such information for its everyday business purposes, including a list of all applicable examples, such as to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus.

 

E.        Effective Date

 

The final rule became effective on December 31, 2009, except for the provisions relating to the elimination of the safe harbor permitted for notices based on the Sample Clauses and removal of the Sample Clauses from the privacy rule, which are effective January 1, 2012.

 

X.        MODEL CONSUMER PRIVACY NOTICE ONLINE FORM BUILDER

 

The federal banking regulators have released an Online Form Builder that financial institutions can download and use to develop and print customized versions of a model consumer privacy notice.  The Online Form Builder, based on the model form regulation published in the Federal Register on December 1, 2009, under the Gramm-Leach-Bliley Act, is available with several options.  Easy-to-follow instructions for the form builder will guide an institution to select the version of the model form that fits its practices, such as whether the institution provides an opt-out for consumers.

 

To obtain a legal “safe harbor” and so satisfy the law’s disclosure requirements, institutions must follow the instructions in the model form regulation when using the Online Form Builder.  The Online Form Builder is available at: http://www.federalreserve.gov/bankinforeg/privacy_notice_instructions.pdf. 

 

Partial instructions for using the online form builder are:

 

1.  Select your form, based on (1) whether you provide an opt out and (2) whether you include affiliate marketing:

 

  • If you provide an opt out and you want to include affiliate marketing, use Form 1.

 

  • If you provide an opt out and you do not want to include affiliate marketing, use Form 2.

 

  • If you do not provide an opt out and you want to include affiliate marketing, use Form 3.

 

  • If you do not provide an opt out and you do not want to include affiliate marketing, use Form 4.

 

XI.       Exceptions to Opt-Out Notice Requirements

 

A.        Overview of Exceptions §§ 332.13, 332.14, 332.15

The indicated exceptions apply if the financial institution discloses nonpublic personal information:

| Disclosure | No Initial Notice to Consumers* | No Opt Out Notice | No 3rd Party Privacy Agreement |
|---|---|---|---|
| To a nonaffiliated third party to perform marketing services for the financial institution, if the financial institution (a) provides the initial notice and (b) enters into a third party privacy agreement | | X | |
| As necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with: | | | |
| • Servicing or processing a financial product or service; | X | X | X |
| • Maintaining or servicing the consumer’s account with a financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or | X | X | X |
| • A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer. | X | X | X |
| With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction; | X | X | X |
| To protect the confidentiality or security of a financial institution’s records pertaining to the consumer, service, product, or transaction; | X | X | X |
| To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; | X | X | X |
| For required institutional risk control or for resolving consumer disputes or inquiries; | X | X | X |
| To persons holding a legal or beneficial interest relating to the consumer; or | X | X | X |
| To persons acting in a fiduciary or representative capacity on behalf of the consumer; | X | X | X |
| To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a financial institution, persons that are assessing the financial institution’s compliance with industry standards, and the financial institution’s attorneys, accountants, and auditors; | X | X | X |

* An initial disclosure is required for Customer relationships.

 

 

 


B.        Overview of Exceptions §§ 332.13, 332.14, 332.15

The indicated exceptions apply if the financial institution discloses nonpublic personal information:

| Disclosure | No Initial Notice to Consumers* | No Opt Out Notice | No 3rd Party Privacy Agreement |
|---|---|---|---|
| To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies, self-regulatory organizations, or for an investigation on a matter related to public safety; | X | X | X |
| To a consumer reporting agency in accordance with the Fair Credit Reporting Act or from a consumer report reported by a consumer reporting agency; | X | X | X |
| In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or | X | X | X |
| To comply with Federal, State, or local laws, rules and other applicable legal requirements; | X | X | X |
| To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, State, or local authorities; or | X | X | X |
| To respond to judicial process or government regulatory authorities having jurisdiction over a financial institution for examination, compliance, or other purposes as authorized by law. | X | X | X |

* An initial disclosure is required for Customer relationships.

 

 

 

 

C.        Exception to Opt-Out Requirements for Service Provider and Joint Marketing

 

If a financial institution discloses nonpublic personal information under this section to a financial institution with which the financial institution performs joint marketing, the financial institution’s contractual agreement with that institution meets the requirements of this section if it prohibits the institution from disclosing or using the nonpublic personal information except as necessary to carry out the joint marketing or under an exception in § 332.14 or § 332.15 in the ordinary course of business to carry out that joint marketing.

 

The services a nonaffiliated third party performs for a financial institution may include marketing of the financial institution’s own products or services or marketing of financial products or services offered pursuant to joint agreements between the financial institution and one or more financial institutions.  A joint agreement means a written contract pursuant to which a financial institution and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.

 

Example of Consent and Revocation of Consent:

 

A consumer may specifically consent to a financial institution’s disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to the financial institution for a mortgage so that the insurance company can offer homeowner’s insurance to the consumer.

 

NOTE:  A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information.

 

XII.     EFFECTIVE DATES AND RULES OF CONSTRUCTION

 

The privacy regulations were effective November 13, 2000, and compliance was optional until July 1, 2001.  The “Guidelines for Safeguarding Customer Information” are a necessary adjunct to the privacy provisions.  An assurance that an institution is in compliance with such Guidelines is a required disclosure.  As a result, the safeguards on customer information must be in place prior to making the privacy disclosure, since it is not possible to implement a privacy program prior to implementing the safeguards.

 

A.        Notice Requirement for Consumers Who Are Customers on the Effective Date

 

By July 1, 2001, a financial institution had to provide an initial notice to consumers who were the financial institution’s customers on July 1, 2001.  If a financial institution intended to share the type of information covered by the regulation after July 1, opt-out notices had to be sent to all of its existing customers, and the customers had to be given a reasonable period in which to opt out of the information sharing prior to the disclosure of such information.

 

B.        Grandfathering of Service Agreements

 

Until July 1, 2002, a contract that a financial institution has entered into with a nonaffiliated third party to perform services for the financial institution or functions on the financial institution’s behalf is exempted from the opt-out requirements, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information, as long as the financial institution entered into the agreement on or before July 1, 2000.

 

C.        Rules of Construction

 

Examples contained within the privacy provisions and the sample clauses in Appendix A of the privacy regulations are not exclusive; however, compliance with an example or use of a sample clause, to the extent applicable, constitutes compliance with the privacy provisions.

 

NOTE:  Sample forms, policies and procedures contained within the regulatory section entitled “Implementing A Compliance Program” are not models and their use does not necessarily constitute compliance with the privacy provisions nor would they be accurate for any particular institution.

 

XIV.    PRIVACY EXAMINATION PROCEDURES AND Guidelines for Safeguarding Customer Information

 

Compliance with Regulation P is monitored in compliance examinations.  The guidelines for safeguarding consumer information are monitored in safety and soundness examinations.  These reviews begin in July of 2001.

 

Section 501 of the Act requires the regulatory agencies to establish appropriate standards for supervised institutions to follow in relation to administrative, technical and physical safeguards for customer records and information.  Each of the federal bank regulatory agencies, acting through the Federal Financial Institutions Examination Council (FFIEC), has developed, approved and issued (1) FFIEC Compliance Examination Procedures for the regulation on “Privacy of Consumer Financial Information” and (2) standards that are referred to as the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (hereinafter referred to as the “Guidelines”).  The Guidelines set forth standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.  The Guidelines also establish rules relating to the safeguarding of customer information, as well as elements in policies and procedures that a financial institution must adopt to address identifiable threats to the confidentiality of such information or its unauthorized use.
 
XV.     COMPARISONS: PRIVACY ACT AND THE FAIR CREDIT REPORTING ACT
 
Although the Privacy Act (the Act) and the Fair Credit Reporting Act (FCRA) each address the issue of disclosure of consumer information by financial institutions, the laws and regulations differ in scope of coverage as well as in the treatment of such information.  A financial institution’s belief that it is in compliance with one regulation does not mean it is in compliance with the other.  The following comparisons between the Act and the FCRA illustrate the differences between the two:
 
Information Covered

  Privacy Act:  Applies to “nonpublic personal information” – covers any information provided to a financial institution by a consumer to obtain a financial product or service, that results from a transaction with a financial institution involving a financial product or service, or that is otherwise obtained by a financial institution in connection with providing a financial product or service to a consumer.  Under certain conditions, “publicly available” information may also be considered “nonpublic personal information.”

  FCRA:  Applies to disclosure of “consumer reports” containing information on a consumer’s credit worthiness, standing or capacity, character, general reputation, personal characteristics or mode of living.

Disclosures Covered

  Privacy Act:  Disclosures restricted to nonaffiliated third parties.

  FCRA:  Disclosures restricted to affiliates and nonaffiliated third parties.

Information Disclosure Restrictions

  Privacy Act:  Nonpublic personal information may not be disclosed by a financial institution to nonaffiliated third parties unless the institution has given consumers a privacy notice and an opportunity to opt out of such information sharing.

  FCRA:  A financial institution may become a consumer reporting agency if it (1) disclosed consumer report information to its affiliates without giving consumers notice of the disclosure with an opportunity to opt out or (2) disclosed consumer reports to nonaffiliated third parties.  The FCRA has no notice or opt-out provisions allowing an institution to share consumer reports with nonaffiliated third parties without becoming a consumer reporting agency.

Consumer’s Opt-Out Rights

  Privacy Act:  The right to opt out allows a consumer to limit a financial institution’s sharing of nonpublic personal information with nonaffiliated third parties.

  FCRA:  The right to opt out allows a consumer to limit a financial institution’s sharing of information that would otherwise be a “consumer report” with affiliates.

Exceptions

  Privacy Act:  There are a number of specifically listed exceptions to the consumer’s right to opt out.

  FCRA:  Allows a financial institution to freely share only such information that relates solely to transactions or experiences between the financial institution and the customer.
 
Additional information regarding the scope and details of the FCRA may be found in the NBA Compliance Handbook, Volume III, Lending section, “Credit Reports: Fair Credit Reporting Act” article.
 
XVI.    CONCLUSION
 

The information provided in this article, accompanied by sample policies and procedures, is intended to assist you in understanding and in assessing your level of compliance with the regulations involved.  The article is designed to apply to a wide range of banks.  As such, certain issues or procedures described in the text may not apply to smaller or less complex institutions.  You should take these factors into consideration during your review of this information.  The commentary should be used as a guide and a supplement to, rather than a substitute for, the actual reading of the law, regulations and interpretations.

 
