The GLB ACT - The Gramm-Leach-Bliley Act (Regulation P)
The Gramm-Leach-Bliley Act
Enacted to protect the privacy of consumer personal information.
NPI includes information such as
Name, SSN, or other information on a loan application.
Privacy notices must be delivered in writing by
mail, in person, or by posting on the institution's website, unless the consumer consents to electronic delivery; posting a privacy notice at an office does not satisfy the delivery requirements
A consumer who does not want to receive phone calls from telemarketers,
may submit his or her number to the national registry
If a consumer requests that his or her number be placed on a company-specific list,
the company has 30 days in which to do so
PRIVACY NOTICE A privacy notice is a
"clear and conspicuous" written notice describing a financial institution's privacy policies and practices.
NPI also includes any information derived from the loan process, such as:
- Account numbers, payment history, loan balances, deposit balances, or credit card purchases
- A credit report
In addition to the initial notice, customers must receive
an annual privacy notice as long as they are customers; the GLB Act provides that this may be delivered electronically via a webpage, provided that the institution complies with all requirements and restrictions for doing so
Consumer
an individual who has obtained an isolated financial product or service from a financial institution for personal, family, or household reasons, but does not have an ongoing relationship with the institution.
A financial institution must provide
consumers and customers with an opportunity to "opt out" of information sharing with non-affiliates (i.e., direct the institution to refrain from sharing NPI) and instructions on how to do so. A company's policy should include a convenient method to opt out and a reasonable time to opt out before information is shared.
The Telemarketing Sales Rule (Do-Not-Call) Rule
authorized the creation of the Do-Not-Call Registry and establishment of do-not-call restrictions under the telemarketing sales rule.
Customer
a consumer with whom the institution has a continuing relationship.
Even if a consumer's phone number is on the Registry,
a seller or telemarketer may market them via the telephone with the clear, conspicuous written consent of the consumer
Companies must maintain
specific do-not-call lists.
A company may contact someone on the registry if
it has an established business relationship with the consumer
A phone number remains on the Registry until
it is removed or its service is discontinued
Safeguards Rule Security Plan Requirements The Safeguards Rule puts in place the document security requirements relating to NPI, as set forth in the GLB Act. Under the Rule, a financial institution must:
- Designate one or more employees to oversee the information security program
- Identify and assess the risks to customer information in each relevant area of the company's operation and evaluate the effectiveness of the current safeguards
- Design and implement a safeguard program and regularly monitor and test it
- Select appropriate service providers and require them to safeguard consumers' personal information
- Evaluate and regularly update the program based on changing factors, including changes in the firm's business arrangements or operations or as a result of its monitoring of the program
The Rule covers telemarketers and third-party sellers. Exemptions from the requirements of the Rule include the following:
- Political calls, such as those from or on behalf of candidates running for political office
- Charities calling on their own behalf to solicit charitable contributions
- Calls to persons with whom a seller or telemarketer has an established business relationship
- Calls to persons who have provided prior written consent for receipt of telemarketing calls; "prior written consent" may include providing an electronic signature on the website of a seller or telemarketer
All customers must
be provided with a privacy notice that clearly discloses the institution's practices for sharing NPI with affiliates and with third parties and specifies what information will be shared and with whom; this notice is due at the time a customer relationship is established
A company that violates the telemarketing sales rule may be fined up to $42,530 per violation, and
each phone call is treated as a separate violation.
PRIVACY NOTICE REQUIREMENTS A privacy notice must include
- Categories of NPI collected and disclosed
- Categories of affiliates and non-affiliated third parties to which the information is disclosed
- Categories of information about former customers disclosed, and to whom, under the joint marketing/service provider exception (with the customer's permission)
- If NPI is disclosed to non-affiliated third parties, the categories of information disclosed and the categories of third parties to which such information is disclosed
- An explanation of the consumer's right to opt out of the disclosure of NPI to non-affiliated third parties
- Disclosures required by the Fair Credit Reporting Act
- The policies and practices used to protect the confidentiality and security of NPI
An established business relationship is a relationship between a company and a consumer in which the consumer:
- Purchased, rented, or leased goods and/or services from the seller, or participated in a financial transaction with the seller, within the 18 months preceding a telemarketing call, or
- Made an inquiry into the business of the seller within the three months preceding a telemarketing call
Entities covered under the do-not-call rules may not call a phone number that is listed on the Registry. Companies are required to update their call lists by reviewing the Registry
every 31 days
All Consumers must receive a privacy notice if the institution intends to share the consumer's NPI with non-affiliated third parties, but
if the institution does not intend to share the information with non-affiliated entities, a privacy notice to consumers is not required.
Personally-Identifiable Financial Information
information provided to a financial institution by a consumer in connection with a credit transaction, or information secured by the financial institution in connection with such a transaction.
NONPUBLIC PERSONAL INFORMATION Nonpublic Personal Information:
is any personally-identifiable financial information that a financial institution obtains in connection with providing a financial product or service, unless that information is otherwise publicly available.
Enforcement of provisions of the GLB Act
is through the Consumer Financial Protection Bureau