Basic GLBA privacy requirements
- Store personal financial information in a secure manner
- Provide notice of their policies regarding the sharing of personal financial information
- Provide consumers with the choice to opt out of sharing some personal financial information
Non-personal information under GLBA
“personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution.”
Current GLBA rulemakers and enforcers
Rulemaking: CFPB, with exceptions for SEC and CFTC.
Enforcers: Privacy and Safeguards Rules enforced by CFPB. State AGs (stricter state laws not pre-empted)
PROA under GLBA?
No
GLBA customers vs. consumers
Consumers are those who obtain financial services.
Customers are those who financial institution has ongoing rel. with (notice given to these).
Major components of GLBA Privacy Rule
- Prepare and provide to customers clear and conspicuous notice of the financial institution’s information-sharing policies and practices. These notices must be provided when a customer relationship is established and annually thereafter.
- Clearly provide customers the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties (subject to significant exceptions, including for joint marketing and processing of consumer transactions).
- Refrain from disclosing to any nonaffiliated third-party marketer, other than a consumer reporting agency, an account number or similar form of access code to a consumer’s credit card, deposit or transaction account. [regardless of opt out in 2 above]
- Comply with regulatory standards established by certain government authorities to protect the security and confidentiality of customer records and information, and protect against security threats and unauthorized access to or certain uses of such records or information.
GLBA Privacy Notice
- Given when account established and annually thereafter.
- 9 categories of information
-Opt out of further disclosures (process within 30 days). - Notice must include:
• What information the financial institution collects about its consumers and customers
• With whom it shares the information
• How it protects or safeguards the information
• An explanation of how a consumer may opt out of having his or her information shared through a reasonable opt-out process
GLBA opt-out rules
- If notice given, then can share info with affiliated companies and joint marketing partners (no opt out necessary).
- May share with nonaffiliated companies and other 3d parties only after notice and opt-out provided and declined (with exceptions)
- Can’t provide consumer account numbers at all for purposes of telemarketing and direct mail marketing.
- No right to opt-out if:
- A financial institution shares information with outside companies that provide essential services like data processing or servicing accounts
- The disclosure is legally required
- A financial institution shares customer data with outside service providers that market the financial company’s products or services
GLBA Safeguards Rule: Levels of security
- Administrative security, which includes program definition, management of workforce risks, employee training and vendor oversight
- Technical security, which covers computer systems, networks and applications in addition to access controls and encryption
- Physical security, which includes facilities, environmental safeguards, business continuity and disaster recovery
GLBA Safeguards Rule Must contain
- Designate an employee to coordinate the safeguards
- Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling those risks
- Design and implement a safeguard program and regularly monitor and test it
- Select appropriate service providers and enter into agreements with them to implement safeguards
- Evaluate and adjust the program in light of relevant circumstances, including changes in business arrangements or operations, or the results of testing and monitoring of safeguards
CFPB Overview
- The CFPB oversees the relationship between consumers and providers of financial products and services.
- It holds broad authority to examine, write regulations and bring enforcement actions concerning businesses that provide financial products or services, including service providers.
- The CFPB has assumed rule-making authority for specific existing laws related to financial privacy and other consumer issues, such as the FCRA, GLBA and Fair Debt Collection Practices Act.
- It has enforcement authority over
- all nondepository financial institutions,
- all depository institutions with more than $10 billion in assets.
- For depository institutions with assets of $10 billion or less, CFPB promulgates rules but enforcement power remains with banking regulators.
CFPB Abusive Acts and Practices Standard
An abusive act or practice:
• Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service or
• Takes unreasonable advantage of—
o A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;
o The inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or
o The reasonable reliance by the consumer on a covered person to act in the interests of the consumer
Bank Secrecy Act
- Financial institutions must keep records and file reports on certain financial transactions, including currency transactions in excess of $10,000, which may be relevant to criminal, tax or regulatory proceedings
- The BSA contains regulations relating to reporting of currency transactions, transportation of monetary instruments and the purchase of currency-like instruments
- As part of the overall anti-money-laundering strategy, financial institutions are required to retain categories of records for use in investigations or enforcement actions
- Financial institutions must file a Suspicious Activity Report (SAR) in defined situations. The rationale is that SARs can alert government agencies to potentially suspicious transactions.
International Money Laundering Abatement and Terrorist Financing Act of 2001
For covered financial services companies, the major USA PATRIOT Act compliance issues can be grouped into the following categories:
• Information-sharing regulations and participation in the cooperative efforts to deter money laundering, as required by Section 314
• Know Your Customer rules, including the identification of beneficial owners of accounts—procedures required by Section 326
• Development and implementation of formal money-laundering programs as required by Section 352
• Bank Secrecy Act expansions, including new reporting and record-keeping requirements for different industries (such as broker-dealers) and currency transactions67
