CIPP/US Chapter 8 - Financial Privacy


GLBA regulates financial institution management of

"nonpublic personal information," defined as "personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution." Excluded from the definition are publicly available information and any consumer list that is derived without using personally identifiable financial information.

Fines for SB-1
Statutory damages per customer: $2,500
Cap per occurrence: $500,000
Willful noncompliance damage cap: none

As of the writing of this book, civil penalties vary from ________________ per day for federal consumer privacy law violations to ______________ per day for reckless violations and _______________ for knowing violations.

$5,526 $27,631 $1,105,241

Suspicious Activity Report

Filed for any "suspicious activity," e.g., regularly making deposits of $9,999.

8.7 Conclusion

Financial institutions are subject to a wide range of government regulations. The FCRA in 1970 was the first major national data privacy law in the United States, applying notably to credit reporting agencies, extensions of credit and purchases of insurance. The overhaul of the financial system in GLBA in 1999 included the GLBA privacy and safeguards requirements. FACTA amended the credit reporting rules in 2003. These laws, taken together, mean that financial institutions today must carefully examine their practices with personal information, and ensure compliance. As shown by the anti-money-laundering laws, financial institutions at the same time are subject to requirements to retain personal information and disclose it under certain circumstances. The potential complexity of complying with these multiple requirements suggests the usefulness of an overall information management plan for financial institutions, updated over time to meet changing market and regulatory requirements.

8.5.1.2 Suspicious Activity Reports

Financial institutions must file a Suspicious Activity Report (SAR) in defined situations. The rationale is that SARs can alert government agencies to potentially suspicious transactions. A SAR must be filed with the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) in the following circumstances: (1) when a financial institution suspects that an insider is committing (or aiding the commission of) a crime, regardless of dollar amount; (2) when the entity detects a possible crime involving $5,000 or more and has a substantial basis for identifying a suspect; (3) when the entity detects a possible crime involving $25,000 or more (even if it has no substantial basis for identifying a suspect) and (4) when the entity suspects currency transactions aggregating $5,000 or more that involve potential money laundering or a violation of the act.

In addition, the CFPB has a new power to enforce against "abusive acts and practices." An abusive act or practice:

Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or
Takes unreasonable advantage of:
- A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;
- The inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or
- The reasonable reliance by the consumer on a covered person to act in the interests of the consumer.

Under GLBA's privacy provisions, financial institutions are required to

- Store personal financial information in a secure manner
- Provide notice of their policies regarding the sharing of personal financial information
- Provide consumers with the choice to opt out of sharing some personal financial information

Pursuant to the Safeguards Rule, the administrative, technical and physical safeguards to be implemented must be reasonably designed to:

(1) ensure the security and confidentiality of customer information, (2) protect against any anticipated threats or hazards to the security or integrity of the information and (3) protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.

Under the GLBA Safeguards Rule, a financial institution must provide the following three levels of security for consumer information (ATP):

1. Administrative security, which includes program definition, management of workforce risks, employee training and vendor oversight
2. Technical security, which covers computer systems, networks and applications in addition to access controls and encryption
3. Physical security, which includes facilities, environmental safeguards, business continuity and disaster recovery

The Safeguards Rule requires that certain basic elements be included in a security program. Each institution must:

1. Designate an employee to coordinate the safeguards
2. Identify and assess the risks to customer information in each relevant area of the company's operation and evaluate the effectiveness of the current safeguards for controlling those risks
3. Design and implement a safeguard program and regularly monitor and test it
4. Select appropriate service providers and enter into agreements with them to implement safeguards
5. Evaluate and adjust the program in light of relevant circumstances, including changes in business arrangements or operations, or the results of testing and monitoring of safeguards

Major components of the GLBA Privacy Rule provide that financial institutions must:

1. Prepare and provide to customers clear and conspicuous notice of the financial institution's information-sharing policies and practices. These notices must be provided when a customer relationship is established and annually thereafter.
2. Clearly provide customers the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties (subject to significant exceptions, including for joint marketing and processing of consumer transactions).
3. Refrain from disclosing to any nonaffiliated third-party marketer, other than a consumer reporting agency, an account number or similar form of access code to a consumer's credit card, deposit or transaction account.
4. Comply with regulatory standards established by certain government authorities to protect the security and confidentiality of customer records and information, and protect against security threats and unauthorized access to or certain uses of such records or information.

Users of consumer reports must meet four main requirements under the FCRA

1. Third-party data for substantive decision making must be appropriately accurate, current and complete
2. Consumers must receive notice when third-party data is used to make adverse decisions about them
3. Consumer reports may be used only for permissible purposes
4. Consumers must have access to their consumer reports and an opportunity to dispute them or correct any errors

8.1.1 Notice Requirements Under FCRA (3)

1. Users must have a "permissible purpose."
2. Users must provide certifications.
3. Users must notify consumers when adverse actions are taken.

There are certain situations in which the consumer has no right to opt out. For example, a consumer cannot opt out if:

- A financial institution shares information with outside companies that provide essential services like data processing or servicing accounts
- The disclosure is legally required
- A financial institution shares customer data with outside service providers that market the financial company's products or services

Suspicious Activity Report (SAR)

A report that must be filed whenever a firm suspects that transactions of $5000 or more may be related to illegal activities

Permissible Purpose

According to the Fair Credit Reporting Act, in order to pull a borrower's credit report, the creditor must have a purpose for doing so and permission from the borrower. For example, a borrower is applying for a refinance and gives the lender permission to pull credit. In this instance the lender now has a permissible purpose.

FCRA details a number of adverse actions (3)

- Adverse actions based on information obtained from a CRA.
- Adverse actions based on information obtained from third parties that are not consumer reporting agencies.
- Adverse actions based on information obtained from affiliates.

Fair and Accurate Credit Transactions Act

An amendment to the Fair Credit Reporting Act that allows consumers to request and obtain a free credit report once each year from each of the three primary consumer credit reporting companies (Equifax, Experian, and TransUnion).

8.5.1.3 BSA Enforcement

As of the writing of this book, penalties for violations of the BSA and its regulations include the following: civil penalties, including fines up to the greater of $25,000 or the amount of the transaction (up to a $100,000 maximum) as well as penalties for negligence ($500 per violation); additional penalties up to $5,000 per day for failure to comply with regulations; penalties of up to $25,000 per day for failure to comply with the information-sharing requirements of the USA PATRIOT Act; and penalties up to $1 million against financial institutions that fail to comply with due diligence requirements. Criminal penalties include up to a $100,000 fine and/or one-year imprisonment and up to a $10,000 fine and/or five-year imprisonment.

Examples of purposes for obtaining reports

- As ordered by a court or a federal grand jury subpoena
- As instructed by the consumer in writing
- For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer's account
- For employment purposes, including hiring and promotion decisions, where the consumer has given written permission
- For the underwriting of insurance as a result of an application from a consumer
- When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer
- To review a consumer's account to determine whether the consumer continues to meet the terms of the account
- To determine a consumer's eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant's financial responsibility or status
- For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation
- For use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof

In addition, creditors and insurers may obtain certain consumer report information for the purpose of making "prescreened" unsolicited offers of credit or insurance (Section 604[c] of the FCRA).

8.5.2 The International Money-Laundering Abatement and Anti-Terrorist Financing Act of 2001

As part of the USA PATRIOT Act, the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 expanded the reach of the BSA and made other significant changes to U.S. anti-money laundering laws. The act gave the U.S. treasury secretary the ability to promulgate broad rules to implement modified Know Your Customer requirements and to otherwise deter money laundering.

8.5.1.1 Record Retention Requirements

As part of the overall anti-money-laundering strategy, financial institutions are required to retain categories of records for use in investigations or enforcement actions. Financial institutions are required to maintain records of all extensions of credit in excess of $10,000, but this does not include credit secured by real property. Not all records must be maintained—only those with a "high degree of usefulness." Records that are maintained must include the borrower's name and address, credit amount, purpose of credit and date of credit. Such records must be maintained for five years. As to deposit account records, a financial institution must keep the depositor's taxpayer identification number, signature cards, and checks exceeding $100 that are drawn or issued and payable by the bank. With regard to certificates of deposit, the financial institution must obtain the customer name and address, a description of the CD and the date of the transaction. For wire transfers or direct deposits, a financial institution must maintain all deposit slips or credit tickets for transactions exceeding $100. Additionally, the BSA includes detailed rules regarding information that banks must retain in connection with payment orders.

Along with numerous other reforms, Title X of the act created the ____________________as an independent bureau within the Federal Reserve

CFPB

As discussed in multiple places in this book, the FTC and state attorneys general have long had the power to enforce against unfair and deceptive acts and practices. The ________________also can now bring enforcement actions for unfairness and deception

CFPB

As with the rest of the FCRA and FACTA, the _____________has now gained rule-making and enforcement authority.

CFPB

The FCRA regulates any

CRA - consumer reporting agency that furnishes a consumer report, which is used primarily for assisting in establishing a consumer's eligibility for credit.

An example of CFPB enforcement is the case of

Clarity Services, Inc. The CFPB alleged that the company failed to properly investigate consumers who attempted to dispute information on their credit reports and obtained credit reports without a permissible purpose. As a result, Clarity Services agreed to pay an $8 million civil penalty

CFPB

Consumer Financial Protection Bureau

8.3.4 California SB-1
California SB-1, also known as the California Financial Information Privacy Act, __________________ the financial privacy protections afforded under GLBA.

Expands

3 main reporting agencies - EET

Experian, Equifax, TransUnion

Three examples of FCRA

Experian, Equifax, and TransUnion

8.1.5 Medical Information Under FCRA

FCRA limits the use of medical information obtained from CRAs, other than payment information that appears in a coded form and does not identify the medical provider.

8.1.6 "Prescreened" Lists

FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with firm unsolicited offers of credit or insurance, under certain circumstances and conditions. This practice is known as prescreening and typically involves obtaining from a CRA a list of consumers who meet certain preestablished criteria. If any person intends to use prescreened lists, that person must: (1) before the offer is made, establish the criteria that will be relied upon to make the offer and to grant credit or insurance and (2) maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each consumer.

Government enforcement actions for violations of the FCRA can be brought by (3)

- FTC
- CFPB
- State attorneys general

FCRA

Fair Credit Reporting Act

8.3.1 Scope and Enforcement of GLBA

GLBA applies to "financial institutions," which are defined broadly as any U.S. companies that are "significantly engaged" in financial activities. Financial institutions include entities such as banks, insurance providers, securities firms, payment settlement services, check-cashing services, credit counselors and mortgage lenders, among others.

GLBA

Gramm-Leach-Bliley Act

Adverse actions based on information obtained from third parties that are not consumer reporting agencies.

If a person denies (or increases the charge for) credit for personal, family or household purposes based either wholly or partly upon information from a person other than a CRA, and the information is the type covered by the FCRA, Section 615(b)(1) requires that the user clearly and accurately disclose to the consumer his or her right to be informed of the nature of the information that was relied upon, if the consumer makes a written request within 60 days of notification. The user must then provide the disclosure within a reasonable period of time following the consumer's written request.

Adverse actions based on information obtained from affiliates

If a person takes an adverse action involving insurance, employment or a credit transaction initiated by the consumer based on the type of information covered by the FCRA, and this information was obtained from an entity affiliated with the user of the information by common ownership or control, Section 615(b)(2) requires the user to notify the consumer of the adverse action.

Adverse Actions based on information obtained by the CRA

If a user takes any type of adverse action (as defined by the FCRA, action that is based, even in part, on information contained in a consumer report), the FCRA requires the user to notify the consumer. The notification may be done in writing, orally or by electronic means. It must include the following elements:
- The name, address and telephone number of the CRA (including a toll-free telephone number, if it is a nationwide CRA) that provided the report
- A statement that the CRA did not make the adverse decision and is not able to explain why the decision was made
- A statement setting forth the consumer's right to obtain a free disclosure of the consumer's file from the CRA if the consumer makes a request within 60 days
- A statement setting forth the consumer's right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA

TeleCheck Services, Inc., and TRS Recovery Services

In 2014, these companies agreed to pay $3.5 million to settle FTC charges that they violated FCRA. The FTC alleged that TeleCheck, as a CRA, did not comply with dispute procedures for consumers whose checks were denied based on information provided by the business. TRS, a company that handles consumer debt taken on by TeleCheck, was alleged to have violated requirements of the FTC's Furnisher Rule, which requires entities furnishing information to CRAs to ensure the accuracy and integrity of the information provided. The settlement was part of a broader initiative by the FTC to target the practices of data brokers that sell information to companies making decisions about consumers.

Key USA PATRIOT Act compliance issues

- Information sharing
- Know Your Customer
- Money-laundering programs
- BSA record keeping and reporting

For covered financial services companies, the major USA PATRIOT Act compliance issues can be grouped into the following categories:

- Information-sharing regulations and participation in the cooperative efforts to deter money laundering, as required by Section 314
- Know Your Customer rules, including the identification of beneficial owners of accounts—procedures required by Section 326
- Development and implementation of formal money-laundering programs as required by Section 352
- Bank Secrecy Act expansions, including new reporting and record-keeping requirements for different industries (such as broker-dealers) and currency transactions

8.1.4 Investigative Consumer Reports

Investigative consumer reports contain information about a consumer's character, general reputation, personal characteristics and mode of living. This information is obtained through personal interviews by an entity or person that is a CRA.

FACTA enacted a number of consumer protections

It required truncation of credit and debit card numbers, so that receipts do not reveal the full credit or debit card number. It gave consumers new rights to an explanation of their credit scores. It also gave individuals the right to request a free annual credit report from each of the three national consumer credit agencies—Equifax, Experian and TransUnion. Along with other identity theft protections, FACTA required regulators to promulgate a Disposal Rule and a Red Flags Rule.

8.4 Dodd-Frank Wall Street Reform and Consumer Protection Act
Signed into law in _________________

June 2010

8.6 Online Banking and Mobile Banking
For consumers, privacy and security concerns can be addressed by measures including:

- Letting customers know the type of authentication methods the financial institution has in place
- Informing customers of the dangers of using public Wi-Fi connections
- Empowering customers with information on mobile antivirus and malware detection software
- Creating a mobile privacy policy and having it certified by a reputable third party
- Fostering trust with customers by enabling them to decide which data to share and allowing them to opt out of mobile ad targeting

Red Flags Rule

Promulgated under FACTA, the Red Flags Rule requires certain financial entities to develop and implement identity theft detection programs to identify and respond to "red flags" that signal identity theft.

The FCRA also specifically requires CRAs to:

- Provide consumers with access to the information contained in their consumer reports, as well as the opportunity to dispute any inaccurate information
- Take reasonable steps to ensure the maximum possible accuracy of information in the consumer report
- Not report negative information that is outdated; in most cases this means account data more than seven years old or bankruptcies more than 10 years old
- Provide consumer reports only to entities that have a permissible purpose under the FCRA
- Maintain records regarding entities that received consumer reports
- Provide consumer assistance as required by FTC rules

Certification required to obtain report

Section 604(f) of the FCRA prohibits any person from obtaining a consumer report from a CRA unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose.

An example of FTC enforcement is the case against

TeleCheck Services, Inc., and TRS Recovery Services

BSA

The Bank Secrecy Act of 1970

8.1.3 Employee Investigations

The FCRA provides special procedures for investigations of suspected misconduct by an employee or for compliance with federal, state or local laws and regulations or the rules of a self-regulatory organization, and compliance with written policies of the employer. These investigations are not treated as consumer reports as long as (1) the employer or its agent complies with the procedures set forth in the act, (2) no credit information is used and (3) a summary describing the nature and scope of the inquiry is provided to the employee if an adverse action is taken based on the investigation.

8.1.2 Disclosures Under FCRA

The FCRA requires disclosure by all persons who use credit scores in making or arranging loans secured by residential real property

8.3.2 GLBA and Privacy Notices

The GLBA Privacy Rule establishes a standard for privacy notices under which a financial institution must provide initial and annual privacy notices to consumers on nine categories of information, and must process opt-outs within 30 days. The privacy notice itself must be a clear, conspicuous and accurate statement of the company's privacy practices and must include the following:
- What information the financial institution collects about its consumers and customers
- With whom it shares the information
- How it protects or safeguards the information
- An explanation of how a consumer may opt out of having his or her information shared through a reasonable opt-out process

U.S. Bancorp / MemberWorks

The Minnesota attorney general's office brought suit in 1999, as Congress was considering GLBA. The suit resulted in a $3 million settlement for allegations that the bank had sent detailed customer information to the telemarketing firm, including account numbers and related information that enabled the marketer to directly withdraw funds from the customer account. The allegations also stated that the marketing firm was using a "negative option," where customers were charged automatically for services unless they later sent a specific request not to be billed. The U.S. Bancorp/MemberWorks case focused popular and regulatory attention on the prevalence of data-sharing relationships between banks and third-party marketers. A group of 25 attorneys general brought additional actions against major financial institutions in an attempt to address these practices. Congress responded to these events by including significant privacy and security protections for consumers in GLBA and mandating further rulemaking on privacy and security by the FTC, federal banking regulators and state insurance regulators. Financial institutions were required to substantially comply with GLBA's requirements in 2001.

8.5 Required Disclosure Under Anti-Money-Laundering Laws

The privacy and security rules discussed above typically restrict uses and disclosures of personal information. Financial institutions are also subject to a variety of requirements to retain records and, in some instances, disclose personal financial information to the government. In recent decades, anti-money-laundering laws have become a major additional basis for record retention and mandatory disclosure to the government.

Actions by state attorneys general can be brought by individual states or collectively by multiple states. An example from 2015 involved more than 30 state attorneys general offices that entered into a settlement with

The three main reporting agencies: Experian, Equifax

Most prominent cases for GLBA

U.S. Bancorp and telemarketing firm MemberWorks

The BSA regulates certain _______________________, including funds transfers and transmittals of funds by financial institutions.

Wire transfers
Certain funds transfers are exempted from the regulation, however, including funds transfers governed by the Electronic Funds Transfer Act and those made through an automated clearinghouse, ATM or point-of-sale system.

Consumer Reports

Any written, oral, or other communication of information by a consumer reporting agency about a consumer's:
- creditworthiness
- credit standing
- credit capacity
- character
- general reputation
- personal characteristics
- mode of living

8.2.2 The Red Flags Rule also authorizes regulations that apply the rule to

businesses whose accounts should be "subject to a reasonably foreseeable risk of identity theft."

The CFPB oversees the relationship between

consumers and providers of financial products and services

Adverse Action

defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion.

8.3.3 The GLBA Safeguards Rule
The GLBA Safeguards Rule requires financial institutions to

develop and implement a comprehensive "information security program," which is defined as a program that contains "administrative, technical and physical safeguards" to protect the security, confidentiality and integrity of customer information.

SB-1 increases the ________________________ of financial institutions and grants consumers increased rights with regard to the sharing of information

disclosure requirements

The Bank Secrecy Act of 1970 (BSA), also known as the Currency and Foreign Transaction Reporting Act of 1970, authorizes the U.S. treasury secretary to

issue regulations that impose extensive record-keeping and reporting requirements on financial institutions. Specifically, financial institutions must keep records and file reports on certain financial transactions, including currency transactions in excess of $10,000, which may be relevant to criminal, tax or regulatory proceedings.

For example, the Foreign Account Tax Compliance Act of 2010 (FATCA) seeks to target

non-compliance with U.S. tax laws for U.S. taxpayers with foreign accounts. To deter tax evasion and require greater withholding of income to these taxpayers, FATCA requires more detailed "know your customer" documentation for both domestic and foreign financial institutions

Gramm-Leach-Bliley Act (1999)

requires financial institutions to ensure the security and confidentiality of customer data

One potentially important innovation in the act is a change in the usual language about "____________________________" acts or practices

unfair and deceptive
