Regulation P
Privacy of Consumer Financial Information

Consumer Compliance Handbook, Reg. P (12/16)

BACKGROUND AND OVERVIEW

Title V, subtitle A of the Gramm-Leach-Bliley Act (GLBA)1 governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties unless (1) the institution satisfies various notice and opt-out requirements and (2) the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.

In 2000, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the former Office of Thrift Supervision (OTS), published regulations implementing provisions of GLBA governing the treatment of nonpublic personal information about consumers by financial institutions.

Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act)3 granted rulemaking authority for most provisions of subtitle A of title V of GLBA to the Consumer Financial Protection Bureau (CFPB) with respect to financial institutions and other entities subject to the CFPB's jurisdiction, except securities and futures-related companies and certain motor vehicle dealers. The Dodd-Frank Act also granted authority to the CFPB to examine and enforce compliance with these statutory provisions and their implementing regulations with respect to entities under CFPB jurisdiction. In December 2011, the CFPB recodified in Regulation P, 12 CFR part 1016, the implementing regulations that were previously issued by the Board, the FDIC, the Federal Trade Commission (FTC), the NCUA, the OCC, and the former OTS.

The regulation establishes rules governing duties of a financial institution to provide particular notices and limitations on its disclosure of nonpublic personal information, as summarized below.

• A financial institution must provide notice of its privacy policies and practices and allow the consumer to opt out of the disclosure of the consumer's nonpublic personal information to a nonaffiliated third party if the disclosure is outside of the exceptions in sections 13, 14, or 15 of the regulation.

• If the financial institution provides the consumer's nonpublic personal information to a nonaffiliated third party under the exception in section 13, it must provide notice of its privacy policies and practices to the consumer. Under the exception in section 13, the financial institution must also enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to perform services for the institution or functions on the institution's behalf, including use under an exception in sections 14 or 15 in the ordinary course of business to carry out those services or functions. If the financial institution complies with these requirements, it is not required to provide an opt-out notice.

• Regardless of whether a financial institution shares nonpublic personal information, the institution must provide notice of its privacy policies and practices to its customers.

• A financial institution generally may not disclose consumer account numbers to any nonaffiliated third party for marketing purposes.

• A financial institution must follow redisclosure and reuse limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.

In general, the privacy notice must describe a financial institution's policies and practices with respect to collecting and disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties. Also, the notice must provide a consumer a reasonable opportunity to direct the institution generally not to share nonpublic personal information about the consumer (that is, to opt out) with nonaffiliated third parties other than as permitted by exceptions under the regulation (for example, sharing for everyday business purposes, such as processing transactions and maintaining customers' accounts, and in response to properly executed governmental requests). The privacy notice must also provide, where applicable under the Fair Credit Reporting Act (FCRA), a notice and an opportunity for a consumer to opt out of certain information sharing among affiliates.

Section 728 of the Financial Services Regulatory Relief Act of 2006 required the four federal banking agencies (the Board, the FDIC, the OCC, and the former OTS) and four additional federal regulatory agencies (the Commodity Futures Trading Commission (CFTC), the FTC, the NCUA, and the Securities and Exchange Commission (SEC)) to develop a model privacy form that financial institutions may rely on as a safe harbor to provide disclosures under the privacy rules.

On December 1, 2009, the eight federal agencies jointly released a voluntary model privacy form designed to make it easier for consumers to understand how financial institutions collect and share nonpublic personal information. The final rule adopting the model privacy form was effective on December 31, 2009.

On October 28, 2014, the CFPB published a final rule amending the requirements regarding financial institutions' provision of their annual disclosures of privacy policies and practices to customers by creating an alternative delivery method that financial institutions can use under certain circumstances. The amendment was effective immediately upon publication. The alternative delivery method allows a financial institution to provide an annual privacy notice by posting the annual notice on its website, if the financial institution meets certain conditions.

As of December 4, 2015, section 75001 of the Fixing America's Surface Transportation Act8 (FAST Act) amended section 503 of GLBA to establish an

method is effectively excepted from delivering an annual privacy notice.

1. 15 6801 6809.
2. The NCUA published its final rule in the Federal Register on May 18, 2000 (65 FR 31722). The Board, the FDIC, the OCC, and the former OTS jointly published their final rules on June 1, 2000 (65 FR 35162).
3. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, Title X, 124 Stat. 1983 (2010).
4. Dodd-Frank Act 1002(12)(J), 1024(b)-(c), and 1025(b)-(c); 12 5481(12)(J), 5514(b)-(c), and 5515(b)-(c). Section 1002(12)(J) of the Dodd-Frank Act, however, excluded financial institutions' information security safeguards under GLBA section 501(b) from the CFPB's rulemaking, examination, and enforcement authority.
5. 76 FR 79025 (Dec. 21, 2011). Pursuant to GLBA, the FTC retains rulemaking authority over any financial institution that is a person described in 12 5519 (with certain statutory exceptions, the FTC generally retains rulemaking authority for motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).

Definitions and Key Concepts

In discussing the duties and limitations imposed by the regulation, a number of key concepts are used. These concepts include financial institution; nonpublic personal information; nonaffiliated third party; the opt-out right and the exceptions to that right; and consumer and customer. Each concept is briefly discussed below. A more complete explanation of each appears in the regulation.

Financial Institution

A financial institution is any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities, as determined by section 4(k) of the Bank Holding Company Act of 1956. Financial institutions can include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel

Nonpublic Personal Information

"Nonpublic personal information" generally is any information that is not publicly available and that

• a consumer provides to a financial institution to obtain a financial product or service from the institution,

• results from a transaction between the consumer and the institution involving a financial product or service, or

• a financial institution otherwise obtains about a consumer in connection with providing a financial product or service

Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public