Overview of federal privacy and security laws for financial services (2023)


Consumer Compliance Outlook: Third Edition 2021

By Kenneth Benton, Principal Consumer Regulations Specialist, Federal Reserve Bank of Philadelphia

A recent Pew Research Center survey found that 79 percent of consumers are concerned about how companies are using their personal information.1 This concern is compounded by the rise in identity theft and major data breaches in recent years. For example, the Equifax breach in 2017 affected 147 million people and involved personal financial information that could be used for identity theft, including Social Security numbers (SSNs).2

To protect the privacy interests of consumers, several federal laws and regulations restrict how financial institutions can obtain and use information about their customers. This article provides an overview of certain privacy and security requirements related to financial services, including recent legislative and regulatory changes.


Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide consumers with a privacy notice disclosing whether a consumer's nonpublic personal information (NPI) will be shared with nonaffiliated third parties, describing the consumer's ability to opt out of that sharing in certain circumstances, and explaining how to exercise the opt-out right.3 Regulation P of the Consumer Financial Protection Bureau (Bureau), 12 C.F.R. Part 1016, implements the GLBA privacy provisions. Regulation P defines NPI as personally identifiable financial information and any list, description, or other grouping of consumers (and publicly available information about them) that is derived using personally identifiable financial information that is not publicly available.4

Initial Notice

A financial institution must provide its GLBA privacy notice when it first establishes a customer relationship. The notice must then be provided annually, subject to an exception under the 2015 Fixing America's Surface Transportation (FAST) Act, discussed next.5 An institution is also generally required to provide notice to its consumer customers before disclosing NPI about them to nonaffiliated third parties6 and to disclose the right to opt out of the sharing in the privacy notice.7 Certain exceptions apply, such as sharing information with nonaffiliated third parties to perform services or conduct joint marketing, provided other requirements are met.8

Each of these notices must include information about the NPI that the institution collects and discloses.9 This requirement applies to the information of both current and former customers.10 Model forms can be found in the appendix to Regulation P.

Impact of Changing Privacy Practices

The regulation also addresses a financial institution's obligations when it changes its privacy practices so as to disclose:

  • a new category of NPI to a nonaffiliated third party;
  • NPI to a new category of nonaffiliated third parties; or
  • NPI about a former customer to a nonaffiliated third party, where the former customer has not had an opportunity to opt out of the disclosure.11

For these changes, the institution may not disclose the NPI unless it provides a revised privacy notice and a new opportunity to opt out.12 An exception applies if the new nonaffiliated third party was adequately described in the prior notice.13


FAST Act Amendment to GLBA's Annual Privacy Notice

Financial institutions expressed concern that providing the annual privacy notice to existing customers was burdensome and unnecessary if their privacy practices had not changed since the notice was last provided.14 In 2015, Congress addressed this issue by amending the GLBA in the FAST Act15 to eliminate the annual privacy notice requirement where a financial institution meets the following two conditions:

  • it provides NPI only in accordance with the applicable GLBA privacy provisions; and
  • it has not changed its policies and practices for disclosing NPI since the last notice to its customers.16

Because the statutory amendment was self-executing, it took effect on December 4, 2015, the effective date of the law. In August 2018, the Bureau issued a final rule amending Regulation P to conform to the FAST Act amendment.17

The rule also addresses the related issue of an institution's obligations when it changes its privacy policy so that it no longer qualifies for the exception. The timing requirements for resuming the provision of a privacy statement and its content depend on the reason an institution no longer qualifies for the exemption.18


Next, several provisions of the Fair Credit Reporting Act (FCRA) that impact consumer privacy and security will be discussed.

FCRA §624 Affiliate Marketing Requirements

Similar to the GLBA, the FCRA, as implemented by Regulation V, restricts an institution's ability to use certain consumer information received from an affiliate. Under Section 624, a person who receives consumer eligibility information from an affiliate generally may not use the information to make solicitations to the consumer unless the consumer is clearly and conspicuously informed that the information may be shared among affiliates for the purpose of making such solicitations, the consumer is offered an opportunity to opt out, and the consumer does not opt out. The provisions do not apply if the institution has a pre-existing business relationship19 with the consumer and in certain other circumstances.20 Regulation V contains model notices in Appendix C to 12 C.F.R. Part 1022.

The regulation provides this example to illustrate the requirements of Section 624:

A consumer has a homeowner's insurance policy with an insurance company. The insurance company provides eligibility information about the consumer to its affiliated lender. Based on this eligibility information, the lender wants to solicit the consumer about its home equity loan products. The lender has no pre-existing business relationship with the consumer, and none of the other exceptions apply. The lender is prohibited from using eligibility information obtained from its insurance company affiliate to make solicitations to the consumer about its home equity loan products unless the consumer is given notice and an opportunity to opt out, and the consumer does not opt out.21

If a consumer chooses to opt out, the election must be effective for at least five years unless the consumer revokes it.22 After the opt-out period expires, the solicitation restriction continues to apply unless the consumer has been provided with an opt-out renewal notice and a reasonable opportunity to renew and does not renew.23


Combined Opt-Out Notice

As previously noted, both the GLBA and the FCRA require institutions to provide consumers with opt-out notices about the disclosure or use of information in certain circumstances. To reduce regulatory burden, Regulation V allows an institution to consolidate the opt-out notices required under both acts into a single privacy notice.24

Impact of FCRA requirements on exemption from an annual privacy statement

In the preamble to the 2018 final rule, the Bureau clarified that GLBA §503(f)(1) does not exclude financial institutions that provide NPI pursuant to FCRA §603(d)(2)(A)(iii) or §624 from qualifying for the annual privacy notice exception.25


The FCRA permits a person to obtain consumer reports without the consumer's consent, based on certain criteria (e.g., all Pennsylvania consumers with credit scores of 750 or greater), for the purpose of making offers of credit or insurance, provided the offer meets the requirements of a firm offer of credit or insurance. The FCRA defines this term as "any offer of credit or insurance to a consumer that will be honored if the consumer is determined, based on information in a consumer report on the consumer, to meet the specific criteria used to select the consumer for the offer," except that the offer may be further conditioned on certain criteria.26

Because these consumer reports can be obtained without the consumer's consent, the FCRA requires a clear and conspicuous disclosure of the following information in the solicitation:27

  • information contained in the consumer's consumer report was used in connection with the transaction;
  • the consumer received the offer because the consumer satisfied the criteria for creditworthiness or insurability;
  • the credit or insurance may not be extended if, after the consumer responds to the offer, the consumer does not meet the criteria used to select the consumer or any applicable criteria bearing on creditworthiness or insurability, or does not furnish any required collateral;
  • the consumer has the right to opt out of offers of credit or insurance; and
  • the procedure for the consumer to opt out.

Model forms are available in Appendix D to Regulation V.


GLBA exception for reporting suspected elder abuse

Several federal agencies issued the Interagency Guidance on Privacy Laws and Reporting Financial Abuse of Older Adults in 2013 to clarify when financial institutions may report suspected elder abuse to the appropriate local, state, or federal agencies; the Federal Reserve distributed the guidance in CA Letter 13-14. The guidance lists four exceptions to the GLBA notice and opt-out requirements that could permit disclosure of NPI for the purpose of reporting suspected elder financial abuse without violating the GLBA28 and notes that disclosure of NPI to local, state, or federal agencies for the purpose of reporting suspected elder financial abuse "generally" falls within at least one of the exceptions described in the GLBA.29

The following four exceptions could apply to suspected elder abuse:

  • to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
  • to disclose to law enforcement agencies or self-regulatory organizations, or for an investigation on a matter related to public safety, to the extent specifically permitted or required under the Right to Financial Privacy Act or other applicable law;
  • to comply with federal, state, or local laws, such as state laws that require financial institutions to report suspected abuse; or
  • to comply with a properly authorized civil, criminal, or regulatory investigation, subpoena, or summons by a government authority, or to respond to judicial process or government regulatory authorities.30

The Interagency Guidance also clarifies that disclosure of NPI for the purpose of reporting suspected financial abuse is permitted under the fraud exception, for example, where the financial institution (1) reports incidents that result in an older adult's funds being taken without actual consent or (2) reports incidents in which an older adult's consent to transfer assets was obtained but the intent of the transaction was misrepresented.31

Senior Safe Act

In May 2018, the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) became law.32 Section 303 of the EGRRCPA (the Senior Safe Act) grants legal immunity to an individual who serves as a supervisor or in a compliance or legal function for certain financial institutions and who reports suspected exploitation of a senior citizen to certain government and law enforcement agencies, provided the individual has previously received specified training and disclosed the information in good faith and with reasonable care.33 The EGRRCPA also grants immunity to certain financial institutions by which such individuals are employed or with which they are affiliated, provided the individuals have received the appropriate training. Outlook summarized the Senior Safe Act in its First Issue 2020.

Synthetic Identity Theft and the Social Security Verification Service

Section 215 of the EGRRCPA required the Social Security Administration (SSA) to modify or develop a database to accept and compare fraud protection data provided electronically by a permitted entity, defined as a financial institution, service provider, subsidiary, affiliate, agent, subcontractor, or assignee of a financial institution.34 The purpose of this provision was to reduce the prevalence of synthetic identity fraud, which disproportionately affects vulnerable populations such as minors and recent immigrants. In response, the SSA created the Electronic Consent Based Social Security Number Verification (eCBSV) service.35 With the written consent of the SSN holder, the system allows permitted entities to verify that the holder's name, date of birth, and SSN match SSA records. The eCBSV returns a yes or no match verification. If SSA records show that the SSN holder is deceased, the system returns a death indicator. The SSA began an initial rollout in 2019 with 10 permitted entities. In July 2021, the SSA expanded the rollout. Visit the eCBSV website for more information.36

Interagency guidance on GLBA security and customer notification requirements

Section 501(b) of the GLBA37 directed the banking agencies to establish standards for the financial institutions they regulate concerning safeguards to (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to customers. In response to this directive, the agencies issued the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, which they subsequently renamed the Interagency Guidelines Establishing Information Security Standards.38 The guidelines address when a security incident requires an institution to notify its customers and what the notice must contain.

Under the guidance, when an institution becomes aware of an incident of unauthorized access to sensitive customer information, it should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If misuse of the information has occurred or is reasonably possible, the institution should notify the affected customers. The guidance defines sensitive customer information as a customer's name, address, or telephone number in conjunction with the customer's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. The term also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number.39

If the institution can identify which customers' information has been misused or could reasonably be misused, it may limit the notice to those customers. However, if the institution cannot identify the specific customers whose information was accessed and misuse of the information is reasonably possible, it should notify all customers in the group.

A notice should be given in a clear and conspicuous manner and contain the following information:

  • a general description of the incident, including the type of customer information that was accessed or used;
  • a telephone number for further information or assistance;
  • a description of the measures taken to protect against further unauthorized access; and
  • a reminder to customers to remain vigilant for incidents of identity theft over the next 12 to 24 months and to report such incidents to the financial institution, including the following:
    • a recommendation that the customer review account statements for suspicious activity;
    • a description of the ability to place a fraud alert in the customer's consumer report;
    • a suggestion that the customer periodically obtain credit reports from each of the three nationwide credit bureaus, with a note that they are available free of charge; and
    • a reference to the FTC's online resources for protecting against identity theft and to the ability to report an incident to the FTC.

Finally, the guidelines state that notices should be delivered in a manner designed to ensure that a customer can reasonably be expected to receive them.40 For example, this may be done by telephone or mail, or by email for customers who have a valid email address and have agreed to receive communications electronically.
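The scoping steps described above (does the exposed data meet the definition of sensitive customer information, is misuse reasonably possible, and can the affected customers be identified) lend themselves to a small decision helper that an incident-response team can run against its own incident record. The following is an added example written for this article, not code from the guidance or from any agency; the field labels, the incident records, and the customer lists are all constructed for illustration, and the helper applies the definition as the guidance words it rather than any institution's broader policy.

```python
"""Added example: applying the Interagency Guidelines' definition of
"sensitive customer information" to an incident and scoping the notice.
Field labels and sample data are constructed assumptions, not from the guidance."""

from dataclasses import dataclass
from typing import Optional, Set

# Identifying elements named in the definition (assumed internal field labels).
IDENTITY_FIELDS = {"name", "address", "phone"}
# Elements that make a record sensitive when paired with an identifying element.
SECRET_FIELDS = {"ssn", "drivers_license", "account_number", "card_number", "pin", "password"}
# Credential pairs: a secret plus an account identifier lets someone log on to
# or access the account (e.g. user name and password, or password and account number).
CREDENTIAL_SECRETS = {"password", "pin"}
ACCOUNT_IDENTIFIERS = {"username", "account_number"}


def is_sensitive(exposed: Set[str]) -> bool:
    """Return True if the exposed fields meet the guidance's definition.

    Note that the definition is applied literally: an SSN on its own, with no
    name, address or phone number alongside it, does not meet the test, even
    though an institution may choose to treat it as sensitive anyway.
    """
    identity_plus_secret = bool(exposed & IDENTITY_FIELDS) and bool(exposed & SECRET_FIELDS)
    credential_pair = bool(exposed & CREDENTIAL_SECRETS) and bool(exposed & ACCOUNT_IDENTIFIERS)
    return identity_plus_secret or credential_pair


@dataclass
class Incident:
    exposed_fields: Set[str]
    # Customers the investigation could tie to the access. None means the
    # institution could not determine which customers in the group were hit.
    identified_customers: Optional[Set[str]]
    # The full group of customers whose records sat in the affected data set.
    group: Set[str]
    # Outcome of the reasonable investigation: has misuse occurred or is it reasonably possible?
    misuse_reasonably_possible: bool


def notification_scope(incident: Incident) -> Set[str]:
    """Return the set of customer identifiers that should receive notice."""
    if not is_sensitive(incident.exposed_fields):
        return set()  # not sensitive customer information: no notice under this guidance
    if not incident.misuse_reasonably_possible:
        return set()  # investigation found misuse neither occurred nor reasonably possible
    if incident.identified_customers is not None:
        return set(incident.identified_customers)  # notice may be limited to those customers
    return set(incident.group)  # cannot identify who was hit: notify the whole group


if __name__ == "__main__":
    # Constructed sample: a lost export containing names and account numbers for
    # three customers; the investigation could not narrow down which were viewed.
    sample = Incident(
        exposed_fields={"name", "account_number", "email"},
        identified_customers=None,
        group={"cust-001", "cust-002", "cust-003"},
        misuse_reasonably_possible=True,
    )
    print("sensitive:", is_sensitive(sample.exposed_fields))
    print("notify:", sorted(notification_scope(sample)))
```

The two-branch structure of notification_scope mirrors the guidance: the sensitivity test and the investigation outcome are gates, and only then does the question of narrowing the notice to identified customers arise.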

Right to Financial Privacy Act

Congress passed the Right to Financial Privacy Act (RFPA) in 197841 to protect the privacy of customers' financial records by limiting the circumstances in which government authorities may access those records. In addition to establishing procedures that federal agencies must follow when requesting a customer's financial records,42 the RFPA also imposes requirements on financial institutions before they may release the records.43

Before the RFPA took effect, bank customers were not notified when their financial records were disclosed to a government agency. In United States v. Miller, 425 U.S. 435 (1976), the Supreme Court held that a bank customer could not challenge government access to his financial records because the records were the bank's business records and not the customer's private papers. Congress passed the RFPA in response to the Miller decision.44

The RFPA provides that a government authority may not obtain a customer's financial records from a financial institution unless the records are obtained under one of the following:45

  • an authorization from the customer, signed and dated by the customer, that authorizes disclosure for a period of no more than three months, states that the customer may revoke it at any time before the records are disclosed, identifies the records to be disclosed, states the purposes for which and the government authority to which the records may be disclosed, and states the customer's rights under the RFPA;
  • a judicial subpoena;
  • an administrative subpoena or summons;
  • a search warrant; or
  • a formal written request from the government authority (usable only where no administrative subpoena or summons is available).

The RFPA also generally requires the requesting government authority to provide the customer with a copy of the request on or before the date it is served on the financial institution. The notice must describe the procedures the customer should follow if he or she does not want the records made available; the RFPA prescribes specific notice language.46 A financial institution may not release a customer's financial records unless the government authority certifies in writing that it has complied with the requirements of the RFPA.47


In the age of digital banking, increasing data breaches, and consumer concerns about the confidentiality of their information, it is important that financial institutions comply with federal laws and regulations protecting the privacy and security of consumer information. Specific issues or questions should be discussed with your primary regulator.


1 See Brooke Auxier et al., "Americans and Privacy: Concerned, Confused, and Feeling Like They Have No Control over Their Personal Information," Pew Research Center, November 2019.

2 See Federal Trade Commission, "Equifax Data Breach Settlement," June 1, 2020.

3 See Gramm-Leach-Bliley Act, Pub. L. 106-102, 113 Stat. 1338 (1999). The GLBA's privacy provisions are codified at 15 U.S.C. §§6801-6809 (as amended).

4See 12 C.F.R. §1016.3(p).

5See 12 C.F.R. §1016.4(a) and §1016.5(a).

6See 12 C.F.R. §1016.4(a).

7See 12 C.F.R. §1016.6(a)(6), §1016.10.

8The exceptions and any applicable qualification requirements are set forth in 12 C.F.R. §§1016.13, 14 and 15.

9See 12 C.F.R. §1016.6.

10See 12 C.F.R. §1016.6(a)(4).

11See 12 C.F.R. §1016.8(b)(1).

12See 12 C.F.R. §1016.8(b).

13See 12 C.F.R. §1016.8(b)(2).

14 The Bureau addressed this issue in part in a 2014 amendment to Regulation P. 79 Federal Register 64057 (October 28, 2014). The FAST Act amendment went beyond this change to reduce the regulatory burden when an institution's privacy practices have not changed.

15 See Fixing America's Surface Transportation Act, Pub. L. No. 114-94, 129 Stat. 1312 (2015).

16 See Section 75001 of the FAST Act, which adds Section 503(f) to the GLBA (codified at 15 U.S.C. §6803(f)).

17 See 83 Federal Register 40945 (August 17, 2018). The FAST Act amendment is implemented in 12 C.F.R. §1016.5(e).

18See 12 C.F.R. §1016.5(e)(2).

19Regulation V provides an example of the pre-existing relationship exception to clarify its application in §1022.21(d)(1).

20See 15 U.S.C. §1681s-3(a)(4).

21See 12 C.F.R. §1022.21(a)(2) (emphasis added).

22 See 15 U.S.C. §1681s-3(a)(3)(A).

23See 12 C.F.R. §1022.27(a).

24See 12 C.F.R. §1022.23(b).

25 See 83 Federal Register at 40949.

26See 15 U.S.C. §1681a(l).

27See 15 U.S.C. §1681m(d).

28See 15 U.S.C. §6802(e).

29 See Interagency Guidance at p. 4.

30 See Interagency Guidance at pp. 3-4.

31 See Interagency Guidance at p. 3.

32 See Pub. L. 115-174, 132 Stat. 1296 (2018).

33 The Senior Safe Act is codified at 12 U.S.C. §3423.

34 See EGRRCPA §215(b)(4) (codified at 42 U.S.C. §405b(b)(4)).


36See https://www.ssa.gov/dataexchange/eCBSV/.

37 See 15 U.S.C. §6801(b).

38 See 70 Federal Register 15736 (March 29, 2005). The agencies have also codified the guidelines in their implementing regulations. For state member banks, the Federal Reserve has codified the guidelines as App. D-2 to Regulation H, Subpart K, 12 C.F.R. Part 208; for bank holding companies, see 12 C.F.R. Part 225, App. F; for OCC-regulated entities, see 12 C.F.R. Part 30, App. B; and for FDIC-regulated entities, see 12 C.F.R. Part 364, App. B.

39 See 70 Federal Register at 15752.

40 See 70 Federal Register at 15753.

41See 12 U.S.C. Sections 3401 et seq.

42See 12 U.S.C. §3402.

43See 12 U.S.C. §3403.

44 H.R. Rep. 95-1383 at p. 34 (July 20, 1978) ("The [RFPA] is a Congressional response to the Supreme Court decision in United States v. Miller, which determined that a customer of a financial institution does not have constitutional authority to challenge government access to financial records.")

45See 12 U.S.C. §3402.

46See 12 U.S.C. §3408(4).

47See 12 U.S.C. §3403(b).
