Gramm-Leach-Bliley Act
Security Program
--A designated company representative to coordinate the program
--Identification of internal and external risks which affect the security of customer information
--Regular testing, monitoring and adjustment of the security program
--Oversight of service providers who have access to customer information
Customer relationship starts
As soon as application is filled out
GLB
The Gramm-Leach-Bliley Act ensures that financial institutions, including mortgage brokers and lenders, protect nonpublic personal information of consumers.
How long do numbers stay on the DNCL
Indefinitely
with full disclosure to the consumer and a contractual confidentiality agreement
a financial institution can provide nonpublic personal information to a nonaffiliated third party to perform services for it or perform functions on its behalf.
Regulatory Agency
The CFPB shares enforcement authority for the Telemarketing Sales Rule with the FTC and FCC
Title V, Subtitle A of the Gramm-Leach-Bliley Act
A Federal law to protect the personal information of consumers. In an effort to balance the needs that consumers have for privacy protection and the interests of the marketplace in sharing information, the GLB Act does not absolutely prohibit the sharing of personal financial information but provides limitations and restrictions on the types of information that can be exchanged and the parties that can receive it.
Regulatory Agency
The CFPB is responsible for implementation and enforcement of the law and the GLB Act regulations, which are known as Regulation P. The FTC retains rulemaking authority over one rule under the Gramm-Leach-Bliley Act. Gramm-Leach-Bliley Act Privacy Rule
Prohibited Disclosures
Financial institutions are prohibited from disclosing their customers' account numbers to nonaffiliated companies if the individuals have not opted out of sharing the information for marketing purposes.
Annual Privacy Notices
Financial institutions are required to send annual privacy notices to customers, and these notices must contain the same information that is included in the initial privacy notice, including notice of the right to opt-out and information on exercising the right to opt-out.
Exceptions to the Do-Not-Call Provisions
In the case of an established relationship, a mortgage professional is permitted to place calls to customers, even if their phone numbers are on the DNCL. An established business relationship between a seller and a consumer is based on a financial transaction that they have shared within the 18-month period. Additionally, mortgage professionals are permitted to contact consumers for a period of three months following a relationship that is based on an inquiry by the consumer.
Opt-Out (Mortgage Loan Originators)
Loan originators must provide consumers with an initial privacy notice as soon as they obtain personal financial information from them. Instead of the detailed notice required of financial institutions that share information, state-licensed mortgage loan originators may file an abbreviated notice
Opt-Out notice is Due
No specific timeframe is given under the law other than consumers must be provided with a reasonable opportunity to opt-out. The notice must include a description of the type of info that the financial institution may disclose, and "reasonable means" to opt-out, such as opt-out forms or toll-free telephone numbers to representatives who will accept the opt-out information. Note: The initial privacy document and opt-out notice can be included in one document.
The Do-Not-Call Implementation Act
Signed into law in 2003 as part of earlier legislation - the Telemarketing Consumer Fraud and Abuse Prevention Act and the Telemarketing Sales Rule. DNCIA authorized the FTC to implement and enforce the Do-Not-Call Registry. The FTC's authority covers interstate calls, while the FCC covers calls made to and from points within the same state.
Penalties for Violations of the GLB Act
The GLB Act does not include specific penalty provisions for violations of the law's privacy provisions. However, each of the regulatory agencies that are authorized to enforce the law has the authority to bring enforcement actions and to impose penalties. The Federal Trade Commission Act allows for penalties up to $10,000.
Safeguards Rule
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients' nonpublic personal information
Opt-Out (Financial Institutions)
The law also requires financial institutions to give consumers the opportunity to "opt out" of the sharing of personal information. Compliance with the law involves the filing of initial privacy notices, opt-out notices, annual privacy notices, adherence to the Act's prohibition on the sharing of account numbers, and the maintenance of an effective security system with the designation of one employee to oversee security. Loan servicers must send annual disclosures to customers and provide security safeguards for the privacy of their personal information for the entire term of a consumer's loan.
Nonpublic personal information
(NPI) is any personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service. It includes any information:
--provided by an individual to get a financial product or service
--obtained about an individual from a transaction involving a financial product or service
--information from court records
Violations of the Telemarketing Sales Rule
$16k for each violation
Initial privacy notice is due
The initial privacy notice to customers is due "...not later than when you establish a customer relationship...." The notice must specify the types of information shared and the types of affiliated and nonaffiliated parties that will receive the information.
Information Security Program Required
As part of its program, the financial institution must:
--Assign one or more employees to oversee the program.
--Conduct a risk assessment.
--Put safeguards in place to control the risks identified in the assessment and regularly test and monitor them.
--Require service providers, by written contract, to protect customers' personal information.
--Periodically update its security program.
Practices Prohibited by the GLB Act
--Prohibition on the Sharing of Account Numbers
--Limitations on the Re-disclosure and Reuse of Information
GLB Does not protect
Public Info
The Financial Privacy Rule of GLBA
governs the collection and disclosure of customers' personal financial information by financial institutions and other companies who receive such information. Customers are entitled to receive a privacy notice every year. The notice must be given to the customers or consumers by mail or in person. The privacy notice must be a clear, conspicuous, and accurate statement of the company's privacy practices. It should include what information the company collects about its consumers or customers, with whom the information is shared, and how it safeguards the information. The notice applies to the "nonpublic personal information" the company gathers and discloses about its customers and consumers. Customers and consumers have the right to "opt out" of having their information shared with certain third parties. The GLB Act does not give consumers the right to opt out when the financial institution shares other information with its affiliates.
Non public info protected by GLB
Information derived from a credit report or provided with respect to a loan application (loan balances, unlisted phone numbers, nonpublic personal info).
financial institution must provide a privacy notice to a consumer
before it or an affiliate discloses nonpublic personal information to a nonaffiliated third party
established business relationship
means a relationship between the company and a consumer based on the consumer's: purchase, rental or lease of the seller's goods or services or a financial transaction between the consumer and seller, within the 18 months immediately preceding the date of a telemarketing call; or inquiry or application regarding an offered product or service, within the three months immediately preceding the date of a telemarketing call.
Exceptions to the Opt-Out Notice Requirements
--Disclosures to a third party in order to complete a transaction requested by a consumer or customer (This exception would include disclosures made by mortgage brokers to settlement service providers in order to close a mortgage loan.)
--Disclosures to financial institutions that share joint-marketing agreements
Prohibitions of the Telemarketing Sales Rule
--Threats, intimidation or profane language
--Calls to consumers before 8:00 a.m. or after 9:00 p.m.
--Making false or misleading statements
--Requiring payment of a fee in advance of obtaining a loan or other extension of credit
--Charging a consumer for goods or services without consent
--Failing to transmit a telephone number so that it can be read by a call recipient's Caller ID
--Initiating a call to a consumer listed on the Do Not Call Registry
Must access the Do-Not-Call Registry every
31 Days (TSR)