Consumer Compliance Outlook > 2021 > Third Issue 2021

Consumer Compliance Outlook: Third Issue 2021

Overview of Federal Consumer Privacy and Security Laws for Financial Services

By Kenneth Benton, Principal Consumer Regulations Specialist, Federal Reserve Bank of Philadelphia

A recent Pew Research Center survey found that 79 percent of consumers are concerned about how companies use their personal data.¹ This concern is heightened as identity theft and large data breaches have proliferated in recent years. For example, the 2017 Equifax breach affected 147 million people and involved personal financial information that could be used for identity theft, including a Social Security number (SSN).²

To protect consumers’ privacy interests, several federal laws and regulations restrict the ways in which financial institutions can obtain and use information about their customers. This article provides an overview of certain financial services-related privacy and security requirements, including recent legislation and regulatory amendments.

PRIVACY NOTICES UNDER GRAMM‒LEACH‒BLILEY ACT AND REGULATION P

The Gramm‒Leach‒Bliley Act (GLBA) requires financial institutions to provide consumers with a privacy notice disclosing that a consumer’s nonpublic personal information (NPI) is shared with nonaffiliated third parties, describing the consumer’s ability to opt out of sharing practices in certain circumstances, and explaining how to exercise their right to opt out.³ The Consumer Financial Protection Bureau’s (Bureau) Regulation P, 12 C.F.R. Part 1016, implements the GLBA privacy provisions. Regulation P defines NPI as personally identifiable financial information and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.⁴

Initial Notice

A financial institution must issue its GLBA privacy notice when it first establishes a customer relationship. This notice is provided annually thereafter, subject to an exception under the 2015 Fixing America’s Surface Transportation (FAST) Act discussed next.⁵ An institution generally must also issue a notice to its consumer customers before disclosing any NPI about them to any nonaffiliated third party⁶ and disclose the right to opt out of information sharing in the privacy notices.⁷ Certain exceptions apply, such as sharing information with nonaffiliated third parties to perform services or to conduct joint marketing, provided other requirements are satisfied.⁸

Each of these notices must provide information about the NPI the institution collects and discloses.⁹ This requirement applies to the information of both current and former customers.¹⁰ Model forms are available in the appendix to Regulation P.

Effect of Change in Privacy Practices

The regulation also addresses a financial institution’s obligations if it changes its privacy practices to disclose:

• a new category of NPI to a nonaffiliated third party;
• NPI to a new category of nonaffiliated third parties; or
• NPI about a former customer to a nonaffiliated third party, if the former customer had an opportunity to opt out of the disclosure.¹¹

For these changes, the institution cannot disclose the NPI unless it provides a revised privacy notice and opt-out opportunities.¹² An exception applies if a new nonaffiliated third party was adequately described in the prior notice.¹³

FAST Act Amendment to GLBA’s Annual Privacy Notice Requirements

Financial institutions expressed concern that providing the annual privacy notice to existing customers was burdensome and unnecessary if their privacy practices had not changed since the notice was last provided.¹⁴ In 2015, Congress addressed this issue by amending the GLBA in the FAST Act¹⁵ to eliminate the annual privacy notice requirement if a financial institution satisfies the following two conditions:

• it provides NPI only in accordance with applicable GLBA privacy provisions, and
• it has not changed its policies and practices for disclosing NPI since it provided the most recent notice to its customers.¹⁶

Because the statutory amendment was self-effectuating, it became effective on December 4, 2015, the date the law was enacted. In August 2018, the Bureau issued a final rule to amend Regulation P to conform to the FAST Act amendment.¹⁷

The rule also addresses the related issue of an institution’s obligations when it changes its privacy policy in a way that it no longer qualifies for the exception. The timing requirements to resume providing a privacy notice, and its contents, depend on the reason an institution no longer qualifies for the exception.¹⁸

PRIVACY REQUIREMENTS UNDER THE FAIR CREDIT REPORTING ACT

Several provisions of the Fair Credit Reporting Act (FCRA) affecting consumer privacy and security are discussed next.

FCRA §624 Affiliate Marketing Requirements

Similar to the GLBA, the FCRA, as implemented by Regulation V, restricts an institution’s ability to use certain consumer information with an affiliate. Generally, under §624, a person who receives consumer eligibility information from an affiliate may not use the information to solicit the consumer unless it is clearly and conspicuously disclosed to the consumer that the information may be communicated among the affiliates for purposes of making such solicitations, the consumer is provided an opportunity to opt out, and the consumer does not opt out. The provisions do not apply when the institution has a preexisting business relationship¹⁹ with a consumer and in other specified circumstances.²⁰ Regulation V provides model notices in Appendix C to 12 C.F.R. Part 1022.

The regulation provides this example to illustrate §624’s requirements:

A consumer has a homeowner’s insurance policy with an insurance company. The insurance company furnishes eligibility information about the consumer to its affiliated creditor. Based on that eligibility information, the creditor wants to make a solicitation to the consumer about its home equity loan products. The creditor does not have a preexisting business relationship with the consumer and none of the other exceptions apply. The creditor is prohibited from using eligibility information received from its insurance affiliate to make solicitations to the consumer about its home equity loan products unless the consumer is given a notice and opportunity to opt out and the consumer does not opt out.²¹

If a consumer elects to opt out, the election must be effective for at least five years, unless the consumer revokes it.²² After it expires, the solicitation restriction still applies unless the consumer has been provided an opt-out renewal notice, a reasonable period to renew, and does not renew.²³

INTERSECTION OF THE GLBA AND FCRA REQUIREMENTS

Combined Opt-out Notice

As previously discussed, both the GLBA and the FCRA require institutions to provide consumers with opt-out notices of information sharing or use in certain circumstances. To reduce regulatory burden, Regulation V permits an institution to combine the required opt-notices for both laws into a single privacy notice.²⁴

Effect of FCRA Requirements on the Exception to an Annual Privacy Notice

In the preamble to the 2018 final rule, the Bureau clarified that GLBA §503(f)(1) does not preclude financial institutions that provide NPI in accordance with FCRA §603(d)(2)(A)(iii) or §624 from qualifying for the annual privacy notice exception.²⁵

FCRA FIRM OFFER OF CREDIT OR INSURANCE

The FCRA permits an institution to obtain consumer reports without consumers’ permission using specified criteria (e.g., all consumers in Pennsylvania with credit scores of 750 or higher) for purposes of soliciting credit or insurance if the solicitation satisfies the requirements of a firm offer of credit or insurance. The FCRA defines this term as “any offer of credit or insurance to a consumer that will be honored if the consumer is determined, based on information in a consumer report on the consumer, to meet the specific criteria used to select the consumer for the offer,” except that the offer may be further conditioned based on specified criteria.²⁶

Because these consumer reports can be obtained without a consumer’s permission, the FCRA requires clear and conspicuous disclosure of the following information in the solicitation:²⁷

• the transaction used information in the consumer’s consumer report;
• the offer was extended because the consumer satisfied the criteria for creditworthiness or insurability;
• the credit or insurance may not be extended if, after the consumer responds to the offer, the consumer does not meet the criteria or any applicable criteria bearing on creditworthiness or insurability or does not furnish required collateral;
• the consumer has a right to opt out of offers of credit or insurance; and
• the procedure for the consumer to opt out.

Model forms are available in Appendix D to Regulation V.

OTHER FEDERAL PRIVACY AND SECURITY LAWS

GLBA Exception for Reporting Suspected Elder Abuse

Several federal agencies issued the “Interagency Guidance on Privacy Laws and

Reporting Financial Abuse of Older Adults” in 2013 to clarify when financial institutions could report suspected elder abuse to appropriate local, state, or federal agencies, which the Federal Reserve discussed in CA letter 13-14. The guidance cited four exceptions to the GLBA notice and opt-out requirements that could permit disclosing NPI for the purpose of reporting suspected elder financial abuse without violating the GLBA²⁸ and notes that “generally” disclosing nonpublic personal information to local, state, or federal agencies for the purpose of reporting suspected elder financial abuse will fall within at least one of the exemptions outlined in the GLBA.²⁹

The following four exceptions could apply to suspected elder abuse:

• to protect against actual or potential fraud, unauthorized transactions, claims, or other liability;
• to disclose to law enforcement agencies, self-regulatory organizations, or for an investigation on a matter related to public safety. to the extent it is specifically permitted or required under the Right to Financial Privacy Act or other applicable laws;
• to comply with federal, state, or local laws, such as state laws that require financial institutions to report suspected abuse; or
• to respond to a civil, criminal, or regulatory investigation, subpoena, or summons from authorities, or to respond to judicial process or government regulatory authorities.³⁰

The interagency guidance further clarifies that disclosing NPI for the purpose of reporting suspected financial abuse is permissible under the fraud exemption when, for example, the financial institution is (1) reporting incidents that result in taking an older adult’s funds without actual consent or (2) reporting incidents of obtaining an older adult’s consent to sign over assets where the intent of the transaction has been misrepresented.³¹

Senior Safe Act

In May 2018, the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) was signed into law.³² Section 303 of the EGRRCPA (the Senior Safe Act) provides legal immunity to an individual who served as a supervisor or in a compliance or legal function for certain financial institutions and reports suspected exploitation of a senior citizen to certain agencies and law enforcement, provided the individual previously received specified training and disclosed the information in good faith and with reasonable care.³³ The EGRRCPA also provides immunity to specified financial institutions by which the individuals are employed or associated, provided the individuals received the appropriate training. Outlook summarized the Senior Safe Act in Issue 1 2020.

Synthetic Identity Theft and the Social Security Verification Service

Section 215 of the EGRRCPA required the Social Security Administration (SSA) to modify or develop a database for accepting and comparing fraud protection data provided electronically by a permitted entity, which is defined as a financial institution, service provider, subsidiary, affiliate, agent, subcontractor, or assignee of a financial institution.³⁴ The purpose of this provision was to reduce the prevalence of synthetic identity fraud, which disproportionally affects vulnerable populations, such as minors and recent immigrants. In response, the SSA created the Electronic Consent Based Social Security Number Verification (eCBSV) service.³⁵ With the written consent of the Social Security number holder, the system allows permitted entities to verify if the holder’s name, date of birth, and number match the SSA’s records. The eCBSV returns a match verification of yes or no. If the database shows the SSN holder is deceased, the system returns a death indicator. The SSA began an initial rollout in 2019 with 10 permitted entities. In July 2021, the SSA expanded the rollout. Additional information is available on the eCBSV website.³⁶

Interagency Guidance on GLBA Security and Customer Notification Requirements

Section 501(b) of the GLBA³⁷ directed the prudential banking agencies to establish standards for financial institutions they regulate relating to safeguards to (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. In response to this directive, the agencies issued the “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” which they subsequently renamed the “Interagency Guidelines Establishing Information Security Standards.”³⁸ The guidance addresses when a security incident requires an institution to notify its customers and the notice requirements.

Under the guidance, when an institution learns of an incident of unauthorized access to sensitive customer information, it should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If misuse of that information has occurred or is reasonably possible, the institution should notify the affected customers. The guidance defines sensitive customer information as name, address, or telephone number in conjunction with 'the customer’s Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password allowing access to the customer’s account. The term also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.³⁹

If the institution can identify only the customers whose information was misused or it is reasonably possible could be misused, it may limit notice to just those customers. However, if the institution is unable to identify the specific customers whose information has been accessed, and misuse of the information is reasonably possible, it should notify all customers in the group.

A notice should be provided in a clear and conspicuous manner and provide the following information:

• description of the incident in general terms including the type of customer information accessed or used;
• contact number for further information or assistance;
• list of actions taken to prevent further unauthorized access; and
• reminder to customers to remain vigilant for the next 12 to 24 months for potential identity theft and report such incidents to the financial institution, including the following actions:
  • recommend the customer review account statements for suspicious activity;
  • describe the ability to create a fraud alert on the customer’s consumer report;
  • suggest customers periodically review their credit report from each of the three nationwide credit bureaus and note their ability to review them at no charge;
  • disclose the FTC’s online resources to protect against identity theft and the ability to report an incident to the FTC.

Finally, the guidance states that notices should be delivered in any manner designed to ensure a customer can reasonably be expected to receive it.⁴⁰ This can include, for example, by telephone or mail, or by email for customers with valid email address and who have agreed to receive communications electronically.

Right to Financial Privacy Act

Congress enacted the Right to Financial Privacy Act (RFPA) in 1978⁴¹ to protect the privacy of customers’ financial records by limiting the circumstances in which government agencies can access these records. In addition to establishing procedures that federal government authorities must follow when requesting a customer’s financial records,⁴² the RFPA also imposes requirements on financial institutions before they may release this information.⁴³

Before the RFPA was enacted, bank customers were not informed when their financial records were disclosed to a government authority. In United States v. Miller, 425 U.S. 435 (1976), the Supreme Court held that a bank customer could not limit government access to his financial records because they were considered business records of the bank and not the private property of the individual. Congress passed the RFPA in response to the Miller decision.⁴⁴

The RFPA stipulates that a government authority cannot access a consumer’s financial records from a financial institution unless it is obtained in accordance with one of the following:⁴⁵

• authorization from the customer, which includes the date and customer’s signature, an authorization for disclosure for a period of no longer than three months, a statement that the customer may revoke at any time before the records are disclosed, an identification of the records to be disclosed, the purposes for which the information may be disclosed, and the customer’s rights under the RFPA;
• a judicial subpoena;
• an administrative subpoena or summons;
• a search warrant; or
• a formal written request from the government authority (to be used if no administrative summons or subpoena authority is available).

The RFPA also generally requires that the requesting government authority provide the customer with a copy of the request on or before the date the request is made to the financial institution. The notice must include a description of the procedures that the customer should follow if he or she does not wish the records to be made available; specific disclosure language is provided in the RFPA.⁴⁶ A financial institution is prohibited from releasing a consumer’s personal financial records unless the government authority certifies in writing that it has complied with the requirements of the RFPA.⁴⁷

CONCLUSION

In the age of digital banking, proliferating data breaches, and consumer concerns about the privacy of their information, it is important that financial institutions comply with federal laws and regulations designed to protect the privacy and security of a consumer’s data. Specific issues or questions should be discussed with your primary regulator.

ENDNOTES

¹ See Brooke Auxier et al., “Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information,” Pew Research Center, November 2019.

² See Federal Trade Commission “Equifax Data Breach Settlement,” January 2020.

³ See the Gramm‒Leach‒Bliley Act, Pub L. 106–102, 113 Stat. 1338 (1999). The GLBA’s privacy provisions are codified at 15 U.S.C. §§6801‒6809 (as amended).

⁴ See 12 C.F.R. §1016.3(p).

⁵ See 12 C.F.R. §1016.4(a) and §1016.5(a).

⁶ See 12 C.F.R. §1016.4(a).

⁷ See 12 C.F.R. §1016.6(a)(6), §1016.10.

⁸ The exceptions, and any applicable requirements to qualify, are set forth in 12 C.F.R. §§1016.13, 14, and 15.

⁹ See 12 C.F.R. §1016.6.

¹⁰ See 12 C.F.R. §1016.6(a)(4).

¹¹ See 12 C.F.R. §1016.8(b)(1).

¹² See 12 C.F.R. §1016.8(b).

¹³ See 12 C.F.R. §1016.8(b)(2).

¹⁴ The Bureau partly addressed this issue in a 2014 amendment to Regulation P. 79 Federal Register 64057 (October 28, 2014). The FAST Act amendment went further than this amendment to reduce regulatory burden when an institution’s privacy practices have not changed.

¹⁵ See Fixing America’s Surface Transportation Act, Pub. L. No. 114-94, 129 Stat. 1312 (2015).

¹⁶ See §75001 of the FAST Act, adding §503(f) to the GLBA (codified at 15 U.S.C. §6803(f)).

¹⁷ See 83 Federal Register 40945 (August 17, 2018). The FAST Act amendment is implemented at 12 C.F.R. §1016.5(e).

¹⁸ See 12 C.F.R. §1016.5(e)(2).

¹⁹ Regulation V illustrates the preexisting relationship exception with an example to clarify its application in §1022.21(d)(1).

²⁰ See 15 U.S.C. §1681s-3(a)(4).

²¹ See 12 C.F.R. §1022.21(a)(2)(emphasis added).

²² See 15 U.S.C. §1681s-3(a)(3)(A).

²³ See 12 C.F.R. §1022.27(a).

²⁴ See 12 C.F.R. §1022.23(b).

²⁵ See 83 Federal Register at 40949.

²⁶ See 15 U.S.C. §1681a(l).

²⁷ See 15 U.S.C. §1681m(d).

²⁸ See 15 U.S.C. §6802(e).

²⁹ See Interagency Guidance at p. 4.

³⁰ See Interagency Guidance at pp. 3‒4.

³¹ See Interagency Guidance at p. 3.

³² See Pub. L. 115–174, 132 Stat 1296 (2018).

³³ The Senior Safe Act is codified at 12 U.S.C. §3423.

³⁴ See EGRRCPA §215(b)(4) (codified at 42 U.S.C. §405B((b)4)).

³⁵ See https://www.ssa.gov/dataexchange/eCBSV/.

³⁶ See https://www.ssa.gov/dataexchange/eCBSV/.

³⁷ See 15 U.S.C. §6801(b).

³⁸ See 70 Federal Register 15736 (March 29, 2005). The agencies have also codified the guidance into their implementing regulations. For state member banks, the Federal Reserve has codified the guidance as app. D-2 to Regulation H, Subpart K, 12 C.F.R. Part 208; for bank holding companies, see 12 C.F.R. Part 225, app. F; for OCC-regulated institutions, see 12 C.F.R. Part 30, app. B; and for FDIC-regulated institutions, see 12 C.F.R. part 364, app. B.

³⁹ See 70 Federal Register at 15752.

⁴⁰ See 70 Federal Register at 15753.

⁴¹ See 12 U.S.C. §§3401 et seq.

⁴² See 12 U.S.C. §3402.

⁴³ See 12 U.S.C. §3403.

⁴⁴ H.R. Rep. 95-1383 at p. 34 (July 20, 1978) (“The [RFPA] is a Congressional response to the Supreme Court decision in United States v. Miller which held that a customer of a financial institution has no standing under the Constitution to contest government access to financial records.”)

⁴⁵ See 12 U.S.C. §3402.

⁴⁶ See 12 U.S.C. §3408(4).

⁴⁷ See 12 U.S.C. §3403(b).