Learn Privacy Law for the Financial Services Industry
After completing this unit, you’ll be able to:
- List the types of financial services companies subject to federal privacy laws.
- Describe the provisions and obligations of financial services privacy laws.
Federal law strictly regulates what banks, financial advisors, and other businesses in the financial services industry can and cannot do with consumer information. In this unit, we take a look at some specific laws in this industry.
Before we begin, let’s define a few terms.
Consumer reporting agency (CRA)—A person or entity that, for a fee, assembles, maintains, or discloses information on an individual’s creditworthiness or general characteristics to create consumer reports for third parties
Consumer report—Any communication by a CRA related to an individual that pertains to the individual’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or lifestyle, and that is used to establish that individual’s eligibility for credit, insurance, employment, or some other business purpose
Investigative consumer report—A consumer report that contains information about an individual’s character, reputation, or mode of living that was obtained through personal interviews with the individual’s acquaintances
User—A person or entity that purchases a consumer report from a CRA
Furnisher—An entity that provides credit history or information to a CRA for use in a consumer report
FCRA imposes obligations on CRAs and users with regard to the creation and use of consumer reports. Both must take steps to ensure they use only accurate, current information, and they must properly secure and protect that information. They also must provide consumers with access to their consumer reports and an opportunity to dispute or correct them.
Users can obtain consumer reports only for specific enumerated purposes. Generally, those purposes are tied to the consumer’s consent or initiation of the transaction. For example, a user may purchase a consumer report if a consumer applied for a credit card, initiated a business transaction, or applied for a job (and gave written consent).
If a user makes an adverse decision regarding a consumer—for example, if a user denies a consumer’s credit card application—the user must notify the CRA and the consumer. The notice to the consumer must include the CRA’s contact information and explain the consumer’s right to access the CRA’s information and dispute its accuracy.
Under the FCRA, CRAs also must provide notice to users outlining the permissible purposes for a consumer report and the other requirements the users must satisfy.
In 2003, Congress made substantial amendments to FCRA through FACTA. These amendments created two new rules to further protect personal financial information: the Disposal Rule and the Red Flags Rule.
Under the Disposal Rule, users are required to dispose of consumer report information in a way that prevents unauthorized access and misuse of the data. For example, users can thoroughly delete electronic data or shred hard copies.
The Red Flags Rule requires agencies regulating financial entities to develop rules that mandate the detection, prevention, and mitigation of identity theft. The FTC and Securities and Exchange Commission have published versions of the Red Flags Rule that require financial institutions to implement a written program to detect and respond to potential identity theft red flags.
In 1999, Congress enacted the Gramm-Leach-Bliley Act (GLBA). Among other things, GLBA imposed requirements on financial institutions with regard to the use and disclosure of their customers’ nonpublic, personally identifiable financial information.
Under GLBA, nonpublic personal information is personally identifiable information of a financial nature that meets one of the following criteria:
- It was provided by a consumer to a financial institution
- It results from a transaction or service performed for the consumer
- It was otherwise obtained by a financial institution
Examples of nonpublic personal information include:
- Basic contact information
- Social Security number
- Account number
- Application information
- Internet cookie information
- Consumer report information obtained by the financial institution
- Whether a consumer is a customer of the financial institution
Under GLBA’s Safeguards Rule, financial institutions must develop, implement, and maintain a comprehensive information security program covering reasonable administrative, technical, and physical security controls to protect the confidentiality and integrity of their customers’ information. The financial institution must designate an employee who is responsible for the security program and ensure security and confidentiality of consumer information, protect against anticipated threats or hazards to security or integrity of consumer information, and protect against unauthorized access that can result in harm.
Some other specific requirements of the security program include employee training, information system risk management, detecting and managing information system failures, and selecting appropriate service providers and entering into agreements implementing safeguards.
With regard to the GLBA’s Safeguards Rule application to service providers, the financial institution must not only perform reasonable due diligence in selecting and retaining a service provider. They also must ensure that service providers can detect and respond to security breaches and maintain reasonable procedures to discover and respond to security failures. At the end of the day, financial institutions must have a contract with a service provider that appropriately safeguards the consumer information.
GLBA also has a Financial Privacy Rule. This rule requires financial institutions to provide initial and annual privacy notices to their customers, clearly explaining what information they collect, how they protect it, whom they share the information with, and how a customer may opt out of that sharing.
In 2017, the New York Department of Financial Services (NYDFS) issued Cybersecurity Regulations to protect financial institutions and their customers from the growing threat of cyber-attacks. These regulations overlap in part with GLBA’s requirements. However, the NYDFS regulations exceed existing federal standards in a few areas.
The NYDFS regulations apply to all companies subject to this agency’s authority. They require that such companies assess their cybersecurity practices and risks, establish a robust cybersecurity program, and report potentially harmful cyber events to the NYDFS.
Companies subject to the NYDFS regulations must have a chief information security officer and other personnel who develop and manage a cybersecurity program. The program must include risk assessments, written policies and procedures, and annual reports. Included among the policies must be ones covering the company’s response to breach incidents and to potential security issues with third-party service providers.
These New York regulations are an example of state law filling a gap in the federal privacy laws. In the next unit, we provide further examples of this.