Regulation P Privacy of Consumer Financial Information

1 Regulation P. Privacy of Consumer Financial Information BACKGROUND AND OVERVIEW The Regulation establishes rules governing duties of a Financial institution to provide particular notices Title V, subtitle A of the Gramm-Leach-Bliley Act and limitations on its disclosure of nonpublic (GLBA)1 governs the treatment of nonpublic per- personal Information , as summarized below. sonal Information about consumers by Financial A Financial institution must provide notice of its institutions. Section 502 of the subtitle, subject to Privacy policies and practices and allow the certain exceptions, prohibits a Financial institution Consumer to opt out of the disclosure of the from disclosing nonpublic personal Information Consumer 's nonpublic personal Information to a about a Consumer to nonaffiliated third parties nonaffiliated third party if the disclosure is outside unless (1)

2 The institution satisfies various notice and of the exceptions in sections 13, 14, or 15 of the opt-out requirements and (2) the Consumer has not Regulation . If the Financial institution provides the elected to opt out of the disclosure. Section 503. Consumer 's nonpublic personal Information to a requires the institution to provide notice of its nonaffiliated third party under the exception in Privacy policies and practices to its customers. section 13, it must provide notice of its Privacy Section 504 authorizes the issuance of regulations policies and practices to the Consumer .

3 Under to implement these provisions. the exception in section 13, the Financial institu- In 2000, the Board of Governors of the Federal tion must also enter into a contractual agreement Reserve System (Board), the Federal Deposit with the third party that prohibits the third party Insurance Corporation (FDIC), the National Credit from disclosing or using the Information other Union Administration (NCUA), the Office of the than to perform services for the institution or Comptroller of the Currency (OCC), and the former functions on the institution's behalf, including use Office of Thrift Supervision (OTS), published regu- under an exception in sections 14 or 15 in the lations implementing provisions of GLBA governing ordinary course of business to carry out those the treatment of nonpublic personal Information services or functions.

4 If the Financial institution about consumers by Financial complies with these requirements, it is not Title X of the Dodd-Frank Act Wall Street Reform required to provide an opt-out notice. and Consumer Protection Act of 2010 (Dodd-Frank Regardless of whether a Financial institution Act)3 granted rulemaking authority for most provi- shares nonpublic personal Information , the insti- sions of subtitle A of title V of GLBA to the tution must provide notice of its Privacy policies Consumer Financial Protection Bureau (CFPB) with and practices to its customers.

5 Respect to Financial institutions and other entities A Financial institution generally may not disclose subject to the CFPB's jurisdiction, except securities Consumer account numbers to any nonaffiliated and futures-related companies and certain motor third party for marketing purposes. vehicle dealers. The Dodd-Frank Act also granted authority to the CFPB to examine and enforce A Financial institution must follow redisclosure compliance with these statutory provisions and and reuse limitations on any nonpublic personal their implementing regulations with respect to Information it receives from a nonaffiliated finan- entities under CFPB In December cial institution.

6 2011, the CFPB recodified in Regulation P, 12 CFR. In general, the Privacy notice must describe a part 1016, the implementing regulations that were Financial institution's policies and practices with previously issued by the Board, the FDIC, the respect to collecting and disclosing nonpublic Federal Trade Commission (FTC), the NCUA, the personal Information about a Consumer to both OCC, and the former affiliated and nonaffiliated third parties. Also, the notice must provide a Consumer a reasonable 1. 15 6801 6809.

7 Opportunity to direct the institution generally not to 2. The NCUA published its final rule in the Federal Register on May 18, 2000 (65 FR 31722). The Board, the FDIC, the OCC, and share nonpublic personal Information about the the former OTS jointly published their final rules on June 1, 2000 Consumer (that is, to opt out ) with nonaffiliated (65 FR 35162). third parties other than as permitted by exceptions 3. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, Title X, 124 Stat.

8 1983 (2010). 4. Dodd-Frank Act 1002(12)(J), 1024(b)-(c), and 1025(b)- (c); 12 5481(12)(J), 5514(b)-(c), and 5515(b)-(c). retains rulemaking authority over any Financial institution that is a Section 1002(12)(J) of the Dodd-Frank Act, however, excluded person described in 12 5519 (with certain statutory Financial institutions' Information security safeguards under GLBA exceptions, the FTC generally retains rulemaking authority for section 501(b) from the CFPB's rulemaking, examination, and motor vehicle dealers predominantly engaged in the sale and enforcement authority.)

9 Servicing of motor vehicles, the leasing and servicing of motor 5. 76 FR 79025 (Dec. 21, 2011). Pursuant to GLBA, the FTC vehicles, or both). Consumer Compliance Handbook Reg. P 1 (12/16). Privacy of Consumer Financial Information : under the Regulation (for example, sharing for method is effectively excepted from delivering an everyday business purposes, such as processing annual Privacy notice. transactions and maintaining customers' accounts, and in response to properly executed governmen- Definitions and Key Concepts tal requests).

10 The Privacy notice must also provide, In discussing the duties and limitations imposed by where applicable under the Fair Credit Reporting the Regulation , a number of key concepts are used. Act (FCRA), a notice and an opportunity for a These concepts include Financial institution ; non- Consumer to opt out of certain Information sharing public personal Information ; nonaffiliated third among affiliates. party ; the opt-out right and the exceptions to that Section 728 of the Financial Services Regulatory right; and Consumer and customer.