The Financial Privacy Requirements of the Gramm-Leach-Bliley Act
Protecting the privacy of consumer information held by "financial institutions" is at the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999. The GLB Act (GLBA) requires companies to give consumers privacy notices that explain the institutions' information-sharing practices. In turn, consumers have the right to limit some - but not all - sharing of their information.

Here's a brief look at the basic financial privacy requirements of the law.
Financial Institutions?
The GLB Act applies to "financial institutions" - companies that significantly engage in "financial activities" or that offer financial products or services to individuals. The Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are:
- non-bank mortgage lenders
- loan brokers
- real estate settlement services
- real estate brokers
- financial or investment advisers
- tax preparers
- debt collectors
- check cashing services
- billing services that pay directly to individuals
- credit counseling
- credit repair
- local government (certain aid/grants to individuals programs)**
- funds transfer services
- accountants (for individuals)
- payroll processing services
- outsourced HR services
- pawn brokers (loans)
- bail bonds
- new and used auto / boat / RV / motorcycle / aircraft / farm and heavy equipment dealers (financing & leasing)
- leasing (rental) companies
- insurance companies
- insurance agents
- retirement funds and accounts
- select healthcare providers*
- entities that offer direct grants to individuals
- property management (rental property)
- attorneys (trust accounts)
- medical savings accounts
- non-bank consumer credit
* Businesses that engage in substantial financing or leasing activities are typically covered under GLBA.

** Within local government, the GLBA-covered functions typically found are: Social Services assistance direct to individuals; Veteran's Services facilitating VA loans; Clerk of Courts where the Clerk's office acts as financial services department for a county making payments to individuals; other agencies offering direct financial activity to or from consumers.
Note that banks are also covered under GLBA, but are not subject to FTC enforcement.

The law requires that financial institutions protect information collected about individuals; it does not apply to information collected from business or commercial entities - in other words, business-to-business relationships.
Are you a "Financial Institution"? Click the following link to determine if you are a covered entity under GLBA:

Affected Organizations
Consumers and Customers
A company's obligations under the GLB Act depend on whether the company has consumers or customers who obtain its services.

- A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons.
- A customer is a consumer with a continuing relationship with a financial institution.
Generally, if the relationship between the financial institution and the individual is significant and/or long-term, the individual is a customer of the institution. For example, a person who gets a mortgage from a lender or hires a broker to get a personal loan is considered a customer of the lender or the broker, while a person who uses a check-cashing service is a consumer of that service.

Why is the difference between consumers and customers so important? Because only customers are entitled to receive a financial institution's privacy notice automatically. Consumers are entitled to receive a privacy notice from a financial institution only if the company shares the consumers' information with companies not affiliated with it, with some exceptions. Customers must receive a notice every year for as long as the customer relationship lasts.

The privacy notice must be given to individual customers or consumers by mail or in-person delivery; it may not, say, be posted on a wall. Reasonable ways to deliver a notice may depend on the type of business the institution is in: for example, an online lender may post its notice on its website and require online consumers to acknowledge receipt as a necessary part of a loan application.
The Privacy Notice
The privacy notice must be a clear, conspicuous, and accurate statement of the company's privacy practices; it should include what information the company collects about its consumers and customers, with whom it shares the information, and how it protects or safeguards the information. The notice applies to the "nonpublic personal information" the company gathers and discloses about its consumers and customers; in practice, that may be most - or all - of the information a company has about them. For example, nonpublic personal information could be information that a consumer or customer puts on an application; information about the individual from another source, such as a credit bureau; or information about transactions between the individual and the company, such as an account balance. Indeed, even the fact that an individual is a consumer or customer of a particular financial institution is nonpublic personal information. But information that the company has reason to believe is lawfully public - such as mortgage loan information in a jurisdiction where that information is publicly recorded - is not restricted by the GLB Act.
Opt-Out Rights
Consumers and customers have the right to opt out of - or say no to - having their information shared with certain third parties. The privacy notice must explain how - and offer a reasonable way - they can do that. For example, providing a toll-free telephone number or a detachable form with a pre-printed address is a reasonable way for consumers or customers to opt out; requiring someone to write a letter as the only way to opt out is not.

The privacy notice also must explain that consumers have a right to say no to the sharing of certain information - credit report or application information - with the financial institution's affiliates. An affiliate is an entity that controls another company, is controlled by the company, or is under common control with the company. Consumers have this right under a different law, the Fair Credit Reporting Act. The GLB Act does not give consumers the right to opt out when the financial institution shares other information with its affiliates.

The GLB Act provides no opt-out right in several other situations. For example, an individual cannot opt out if:

- a financial institution shares information with outside companies that provide essential services like data processing or servicing accounts;
- the disclosure is legally required;
- a financial institution shares customer data with outside service providers that market the financial company's products or services.
Receiving Nonpublic Personal Information
The GLB Act puts some limits on how anyone that receives nonpublic personal information from a financial institution can use or re-disclose the information. Take the case of a lender that discloses customer information to a service provider responsible for mailing account statements, where the consumer has no right to opt out: the service provider may use the information for limited purposes - that is, for mailing account statements. It may not sell the information to other organizations or use it for marketing.

However, it's a different scenario when a company receives nonpublic personal information from a financial institution that provided an opt-out notice - and the consumer didn't opt out. In this case, the recipient steps into the shoes of the disclosing financial institution, and may use the information for its own purposes or re-disclose it to a third party, consistent with the financial institution's privacy notice. That is, if the privacy notice of the financial institution allows for disclosure to other unaffiliated financial institutions - like insurance providers - the recipient may re-disclose the information to an unaffiliated insurance provider.
Other Provisions
Other important provisions of the GLB Act also affect how a company conducts business. For example, financial institutions are prohibited from disclosing their customers' account numbers to non-affiliated companies for telemarketing, direct mail marketing or other marketing through e-mail, even if the individuals have not opted out of sharing the information for marketing purposes.

Another provision prohibits "pretexting" - the practice of obtaining customer information from financial institutions under false pretenses. The FTC has brought several cases against information brokers who engage in pretexting.

Also required now is compliance with the Safeguards regulation!
More Information
The FTC is one of eight federal regulatory agencies that have the authority to enforce the financial privacy law, along with the state insurance authorities. The federal banking agencies, the Securities and Exchange Commission and the Commodity Futures Trading Commission have jurisdiction over banks, thrifts, credit unions, brokerage firms and commodity traders.
Complaints

If you would like to know how easy it is for your customers to complain to the FTC about your GLBA compliance, click the following link:

File a Complaint

It's online, quick, and very easy for your customers to make you the focus of an FTC investigation!