CIPP US Outline Financial Privacy


Dodd-Frank Wall Street Reform and Consumer Protection Act Violations

$5,526/day for federal consumer privacy law violations. $27,631/day for reckless violations. $1,105,241/day for knowing violations. State AGs can also bring civil actions to enforce the law or regulations.

The Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule Scope

- Requires any individual or entity that uses a consumer report, or information derived from a consumer report, for a business purpose to dispose of that information in a way that prevents unauthorized access to and misuse of the data.
- State disposal rules may impose broader requirements.

The Fair Credit Reporting Act (FCRA) Amendments

Amended by FACTA with provisions related to identity theft and other subjects

The Bank Secrecy Act of 1970 (BSA) exemptions

Certain funds transfers are exempted from regulation, including those governed by the Electronic Funds Transfer Act and those made through automated clearinghouses, ATMs or point-of-sale systems.

Can a consumer access medical information to be used under FCRA?

Consumer must provide consent for any medical info to be used under FCRA

The Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule Enforcement

FTC, the federal banking regulators, and the CFPB

The Fair Credit Reporting Act (FCRA) Preemption Rules

- Generally preempts state law (see FACTA)
- Does not preempt states from creating stronger legislation in the area of employment credit history checks, such as the California ICRAA

Gramm-Leach-Bliley Act (GLBA) Privacy Notices

Must process opt-outs within 30 days. Notice must contain:
- What info the F.I. collects
- With whom it shares the info
- How it protects/safeguards the info
- Explanation of the opt-out policy

The International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001

Part of the USA PATRIOT Act. Expanded the BSA's reach. Gave the U.S. Treasury Secretary the ability to promulgate broad rules to implement modified Know Your Customer requirements.

The Fair and Accurate Credit Transactions Act (FACTA) Red Flags Rule

Requires certain financial entities to develop and implement written identity theft detection programs that can identify and respond to the "red flags" that signal identity theft.

FACTA amended rules for obtaining an investigative report

An employer is no longer required to notify an employee that it is obtaining an investigative consumer report on the employee from an outside organization in the context of an internal investigation.

The Bank Secrecy Act of 1970 (BSA) Applies to:

Any entity subject to supervision by a state or federal bank supervisory authority (banks, securities brokers, card clubs, casinos, etc.)

The Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule Violations

Civil liability; violators may also face federal and state enforcement actions.

The Bank Secrecy Act of 1970 (BSA) Violations

Civil penalties include fines of up to $25,000 or the amount of the transaction (up to a $100,000 max), as well as penalties for negligence ($500/violation). Additional penalties of up to $5,000 per day for failure to comply. Penalties of up to $25,000 for failure to comply with the information-sharing requirements of the USA PATRIOT Act. Penalties of up to $1 million for failure to comply with due diligence requirements. Criminal penalties include up to a $100,000 fine and/or 1 year of imprisonment, and up to a $10,000 fine and/or 5 years of imprisonment.

The Fair Credit Reporting Act (FCRA) Violations

Civil and criminal penalties. Statutory damages of at least $1,000 per violation, and at least $3,756 for willful violations.

The Fair Credit Reporting Act (FCRA) Enforcement

Dispute resolution, private litigation (private right of action), government actions (FTC, CFPB, state AGs)

Gramm-Leach-Bliley Act (GLBA) Enforcement

Federal financial regulators for institutions in their jurisdiction (Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Securities and Exchange Commission); for financial institutions not in the jurisdiction of those agencies, the FTC (and now also the CFPB). At the state level, state AGs can enforce.

Under the Gramm-Leach-Bliley Act (GLBA) Consumer cannot opt out if:

- F.I. shares info with an outside company that provides crucial services like data processing
- Disclosure is legally required
- F.I. shares customer data with outside service providers that market the financial company's products or services

California Financial Information Privacy Act (California SB-1) Violations

Negligent noncompliance is punishable with statutory damages of $2,500 per consumer, up to $500,000 per occurrence. Willful noncompliance eliminates the $500,000 cap.

Enforcement authority of the Consumer Financial Protection Bureau (CFPB) Under the Dodd-Frank Wall Street Reform and Consumer Protection Act

- Ability to conduct investigations and issue subpoenas
- Hold hearings and commence civil actions against offenders

The following are consumer rights for investigative consumer reports under FCRA

- Consumer must be informed that an investigative consumer report may be obtained
- Disclosure must be in writing and delivered to the consumer some time before, but not later than three days after, the date on which the report was first requested
- Disclosure must include a statement informing the consumer of his or her right to request additional disclosures and a summary of consumer rights under FCRA
- User must certify to the CRA that the required disclosures have been made
- Upon written request of a consumer, the user must make a complete disclosure of the nature and scope of the investigation
- Nature and scope disclosures must be made in a written statement that is mailed or delivered to the consumer no later than five days after the date on which the request was received from the consumer or the report was first requested (whichever is later)

Gramm-Leach-Bliley Act (GLBA) Violations

- No private right of action; however, failure to comply with certain notice requirements may be considered a deceptive trade practice, for which some states give a private right of action.
- Subject to penalties under the Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA). FIRREA penalties range from up to $5,500 for violations of law to a max of $27,500 if violations are unsafe, unsound, or reckless, and $1 million for knowing violations.

The Bank Secrecy Act of 1970 (BSA) Record Retention Rules

- Only those with a "high degree of usefulness"
- Must include:
  - Borrower's name and address
  - Credit amount
  - Purpose and date of credit
- Such records may be maintained for five years
- For deposit account records:
  - Depositor's taxpayer ID
  - Signature cards
  - Checks exceeding $100

Permissible purposes for employment checks under FCRA Include

- Pre-employment screening for the purpose of evaluating the candidate for employment
- Determining if an existing employee qualifies for promotion, reassignment, or retention

Gramm-Leach-Bliley Act (GLBA) Privacy Rule Components

- Prepare and provide to customers clear and conspicuous notice of the F.I.'s info sharing policies
- Clearly provide customers the right to opt out of having their nonpublic personal info shared with nonaffiliated third parties (subject to exceptions such as joint marketing and transaction processing)
- Refrain from disclosing to any nonaffiliated third-party marketer an account number or similar form of access code to a consumer's credit card, deposit or transaction account
- Comply with regulations to protect the security and confidentiality of customer records and info. Protect against security threats and unauthorized access.

Gramm-Leach-Bliley Act (GLBA) Regulates financial institution management of "nonpublic personal information" defined as "personally identifiable financial information":

- Provided by the consumer to a financial institution
- Resulting from a transaction or service performed for the consumer, or
- Otherwise obtained by the financial institution
- The name of a financial institution's customer is considered nonpublic personal info and must be protected under GLBA

The GLBA Safeguards Rule

- Requires F.I.s to maintain security controls to protect the confidentiality and integrity of personal consumer info, including both electronic and paper records.
- F.I.s must develop an info sec program that addresses "administrative, technical, and physical safeguards."

Gramm-Leach-Bliley Act (GLBA) Privacy Provisions

- Store personal financial info in a secure manner
- Provide notice of their policies regarding the sharing of personal financial info
- Provide consumers with the choice to opt out of sharing some personal financial info

Employee investigation not treated as a consumer report under FCRA as long as:

- The employer or its agent complies with the procedures set forth in FCRA
- No credit info is used
- A summary describing the nature and scope of the inquiry is provided to the employee if an adverse action is taken

Under The Bank Secrecy Act of 1970 (BSA), Financial Institutions must keep records and file reports on certain financial transactions if:

- Currency transactions in excess of $10,000 (does not include credit secured by real property)
- Bank checks, drafts, cashier's checks, money orders, or travelers checks for $3,000 or more in currency

The Bank Secrecy Act of 1970 (BSA) Scope

- Aka "The Currency and Foreign Transactions Reporting Act"; authorizes the U.S. Treasury Secretary to issue regulations that impose extensive record-keeping and reporting requirements on F.I.s
- Anti-money laundering and fraud effort

FACTA Changed the definition of consumer report under FCRA to exclude communications relating to employee investigations from the definition if three requirements are met:

- Communication is made to an employer in connection with the investigation of:
  - Suspected misconduct relating to employment
  - Compliance with federal, state, or local laws
- Communication is not made for the purpose of investigating a consumer's creditworthiness, credit standing or credit capacity, and does not include info pertaining to those factors
- Communication is not provided to any person except:
  - The employer or agent of the employer
  - A federal or state officer, agency, or department
  - A self-regulating org with authority over the activities of the employer or employee
  - As otherwise required by law
  - Pursuant to 15 U.S.C. 1681f, which addresses disclosures to government agencies
- If adverse action is taken, employers must disclose a summary of the nature and substance of the communication or report to the employee

The following are permissible purposes for a user to obtain and provide notice to a consumer under the FCRA

- Court order
- Instructed by the consumer in writing
- Extension of credit as a result of an application by the consumer
- Employment purposes where the consumer has given written consent
- Underwriting of insurance initiated by the consumer
- To review the consumer's account to determine if account needs are met
- Determine the consumer's eligibility for a license or other benefit granted by the government
- For use by a potential investor/servicer/current insurer in a valuation assessment
- For use by state and local officials in connection with child support payments
- Creditors and insurers may obtain certain consumer report info for the purpose of making prescreened unsolicited offers of credit or insurance

Dodd-Frank Wall Street Reform and Consumer Protection Act

- Created the Consumer Financial Protection Bureau (CFPB) as an independent bureau within the Federal Reserve
- CFPB can bring enforcement actions for unfairness and deception in addition to abusive acts and practices.

California Financial Information Privacy Act (California SB-1) Scope

- Expands privacy protections afforded under GLBA and increases disclosure requirements of F.I.s. Grants consumers rights with regard to info sharing.
- Consumers must opt in for the F.I. to share data with nonaffiliated parties
- Grants consumers an opt-out for info sharing between the F.I. and affiliates not in the same line of business

The Fair and Accurate Credit Transactions Act (FACTA) scope

- Made substantial amendments to FCRA
- CFPB (Consumer Financial Protection Bureau) is the rule-making and enforcement authority
- Stricter state laws are preempted; states retain some powers to enact laws addressing identity theft
- Required truncation of debit and credit card numbers so receipts do not reveal them in full
- Requires more detailed "know your customer" documentation for both domestic and foreign financial institutions
- Gave consumers the right to an explanation of their credit scores and the right to request a free annual credit report
- Promulgated the Disposal Rule and the Red Flags Rule

The Fair Credit Reporting Act (FCRA) Scope

- Mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes.
- Regulates use of consumer reports obtained from CRAs in reference checking and background checks of employees
- Companies that extend credit to consumers must implement a "Red Flag" program to deter identity theft
- Applies to nontraditional providers of background check information (like social media aggregators)

When a user notifies a consumer of an adverse action, they must include the following per the FCRA

- Name, address, and telephone number of the CRA
- Statement that the CRA did not make the adverse action and cannot explain why it was made
- Statement setting forth the consumer's right to obtain a free disclosure of the consumer's file from the CRA if the consumer makes a request within 60 days
- Statement setting forth the consumer's right to dispute directly with the CRA the accuracy and completeness of any info provided by the CRA
  - Adverse action based on non-CRA info: must inform the consumer of their right to be informed of the nature of the info that was relied upon if a request is made within 60 days of notification.
  - Adverse action based on affiliate info: must inform the consumer that they may obtain disclosure of the nature of the info relied upon by making a written request within 60 days of notification. The user must disclose no later than 30 days after receiving the request.

Gramm-Leach-Bliley Act (GLBA) Scope

- Promulgated a Privacy Rule and a Safeguards Rule. Sets the privacy framework for modern banking. Financial institutions must protect consumers' nonpublic personal info
- Stricter state laws are not preempted
- Prohibits F.I.s from disclosing info to nonaffiliated parties. The F.I. must ensure that service providers will not use provided consumer data for anything other than the intended purpose.
- Permits disclosure for an investigation on a matter related to public safety (National Security Act)

Under the Fair and Accurate Credit Transactions Act (FACTA) Red Flags Rule, each entity is required to define its own list of red flags. The FTC recommends:

- Alerts from a CRA
- Suspicious identification documents
- Suspicious personal identifying data
- Unusual use of a covered account

A consumer report is any communication by a Consumer Reporting Agency (CRA) that pertains to:

- Creditworthiness
- Credit standing
- Credit capacity
- Character
- General reputation
- Personal characteristics
- Mode of living

Under the GLBA Safeguards Rule, each financial institution must:

- Designate an employee to coordinate safeguards
- Identify and assess risks to customer info
- Design and implement a safeguard program and regularly monitor and test it
- Select appropriate service providers and enter into agreements with them
- Evaluate and adjust the program in light of relevant circumstances

The Red Flags Program Clarification Act of 2010 narrows the previously broad definition of creditor so that it does not cover entities that extend credit only for "expenses incidental to a service." Applies to entities that:

- Obtain or use consumer reports in connection with a credit transaction
- Furnish information to a CRA
- Advance funds to or on behalf of someone, except for expenses incidental to a service provided by the creditor to that person

Under the FCRA, CRAs must

- Provide consumers with access to the info in their report and the opportunity to dispute/correct errors
- Ensure maximum possible accuracy of the report
- Not report negative info that is outdated (account data more than seven years old, bankruptcies older than 10 years)
- Provide reports only to entities that have a permissible purpose
- Maintain records regarding entities that received reports
- Provide consumer assistance as required by the FTC

Users of consumer reports under FCRA must meet the following requirements:

- Third-party data used for decision making must be accurate, current, and complete
- Consumers must receive notice when third-party data is used to make adverse decisions
- Reports may only be used for permissible purposes
- Consumers must have access to their consumer reports and an opportunity to dispute or correct errors

Rules for notice provided by CRAs to users per the FCRA

- Users must have a "permissible purpose"
- Users must provide certifications of permissible purpose
- Users must notify consumers when adverse actions are taken

Under the Bank Secrecy Act of 1970 (BSA), Suspicious Activity Reports (SARs) must be filed with the U.S. Department of the Treasury's Financial Crimes Enforcement Network in the following circumstances:

- When an F.I. suspects an insider of committing a crime, regardless of dollar amount
- When the entity detects a crime involving $5,000 and has a substantial basis for identifying a suspect
- When the entity detects a crime involving $25,000 (no need for a suspect)
- When the entity detects currency transactions aggregating $5,000 or more that involve potential money laundering
