Gramm-Leach-Bliley Act (Privacy of Consumer Financial Information)
What does PII (personally identifiable financial information) include?
1 - any information a consumer provides to you to obtain a financial product or service; 2 - information about a consumer resulting from any transaction involving a financial product or service between you and the consumer; 3 - information you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.
Do you have to provide the annual privacy notice to consumers who didn't become customers? Former customers? What about current customers? Are there exceptions?
- Consumers who didn't become customers: NO - Former customers: NO - Current customers: YES, unless you share nonpublic personal information with nonaffiliated third parties only in accordance with section 13, 14, or 15 AND you haven't changed your information-sharing policies and practices since your most recent notice.
GLBA section 502, 503, and 504 govern what about nonpublic personal information about consumers?
502 - prohibits a financial institution from disclosing nonpublic personal information about consumers to nonaffiliated third parties unless 1 - the bank satisfies the notice and opt-out requirements and 2 - the consumer has not elected to opt out. 503 - requires the bank to provide notice of its privacy policies and practices to its customers. 504 - authorizes the issuance of regulations to implement these provisions.
Annual privacy notices have slightly different, more flexible options for delivery. They can follow one of the four general delivery methods, or one of these two... name them.
For annual notices only: 1 - for customers who use your website to access financial products and services electronically and agree to receive notices at the website, and you post your current privacy notice continuously in a clear and conspicuous manner on the website; OR 2 - the customer has requested that you refrain from sending any information regarding the customer relationship, and your current privacy notice remains available to the customer upon request.
When is someone considered a "consumer" and therefore rights under privacy rules apply?
A consumer is an individual who obtains or has obtained a financial product or service from a bank that is to be used primarily for personal, family, or household purposes. This includes individuals who apply for a product or service but are denied; these individuals are consumers but not customers. An individual is not a "consumer" solely because the bank is trustee of a trust, or because the individual is a beneficiary of a trust for which the bank is trustee.
When do you have to provide the annual privacy notice?
Annually means at least once in any period of 12 consecutive months. However, you can define which 12-consecutive-month period you use, and the example given is to provide it once each calendar year. (i.e. if a customer opens an account on any day in 2019, you must provide the annual notice by December 31, 2020)
How are banks expected to deliver privacy notices and opt-out notices, including short-form notices, so that each consumer can reasonably be expected to receive the actual notice in writing or, if the consumer agrees, electronically?
The bank has 4 options: 1 - hand-deliver a printed copy to the consumer; 2 - mail a printed copy to the consumer's last known address; 3 - post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a financial product or service; 4 - for isolated transactions with the consumer (such as an ATM transaction), post the notice on the ATM screen and require the consumer to acknowledge receipt as a necessary step to obtaining the financial product or service.
What is the definition of a non-affiliate third party?
Basically, any person except (1) your affiliates, or (2) a person jointly employed by you and a company that is not your affiliate. Note that the company that jointly employs that person is still a nonaffiliated third party; only the joint employee is excluded.
What is included on the short form notice?
Basically, it's for consumers who are not customers. It states that your privacy notice is available upon request and explains a reasonable means of requesting it (i.e. a toll-free number). It must be delivered in accordance with 1016.9, AND it must be provided at the same time as the opt-out notice required by 1016.7.
What is section 13 called?
Exception to opt out requirements for service providers and joint marketing.
What is section 14 called?
Exceptions to notice and opt-out requirements for processing and servicing transactions.
What does the exception to notice and opt out requirements for processing and servicing transactions (section 14) apply to?
It applies if you disclose nonpublic personal information as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with 1 - servicing or processing a financial product or service the consumer requests or authorizes; 2 - maintaining or servicing the consumer's account as part of a private label credit card program or other extension of credit; 3 - a proposed or actual securitization, secondary market sale, or similar transaction. **If you disclose information in this context, the opt-out requirements and the initial notice requirements in 1016.7, 1016.10, 1016.13, and 1016.4(a)(2) don't apply.
A bank currently does not disclose any information to nonaffiliated third parties except under the section 14 and 15 exceptions. However, it plans to start doing so. What must it do now before it can start sharing nonpublic personal information? 4 things. (Bonus question: what notices was it required to give before?)
It must now: 1 - provide a revised notice that accurately describes its information-sharing practices; 2 - provide the consumer a new opt-out notice; 3 - give the consumer a reasonable opportunity to opt out; 4 - only if the consumer does not opt out may it share the information. - Before, it was required to give the initial notice to all CUSTOMERS. It did not have to give an initial notice to "consumers" who did not become customers, because it only shared under the 14 and 15 exceptions.
Can a consumer opt-out of you providing information under section 13, 14, or 15?
No. The opt-out right does not apply to disclosures made under those exceptions. Customers must still receive the initial and annual privacy notices; for disclosures under sections 14 and 15, the notice only has to state that you make disclosures to other nonaffiliated third parties as permitted by law.
What are the 7 general times you can disclose nonpublic personal information under section 15 exception? If it is under one of these circumstances, does the consumer have the right to opt out?
The circumstances are as follows: 1 - the consumer consents to or directs the sharing and has not revoked that consent; 2 - to protect the confidentiality or security of your records, to protect against or prevent fraud, for institutional risk control or resolving consumer disputes, to persons holding a legal or beneficial interest relating to the consumer, or to persons acting in a fiduciary or representative capacity on behalf of the consumer; 3 - to provide information to insurance rate advisory organizations, guaranty funds, rating agencies, persons assessing your compliance, attorneys, accountants, auditors, etc.; 4 - to law enforcement or self-regulatory organizations to the extent permitted by other law and in accordance with the RFPA; 5 - to a CRA in accordance with the FCRA; 6 - in connection with a proposed or actual sale, merger, or transfer of all or part of a business (only for the consumers of that business or unit); 7 - to comply with laws, investigations, subpoenas, summonses, or other judicial process. Under any of these circumstances the consumer has no right to opt out.
What does Title V of the GLBA govern?
The treatment of nonpublic personal information about consumers by financial institutions.
Are cookies PII?
YES, interestingly. Any information you collect through an Internet cookie is listed as an example of personally identifiable financial information.
Who must you provide initial notices to? When isn't an initial notice required?
You must provide initial notices to all CUSTOMERS not later than when you establish the customer relationship, and to all CONSUMERS before you disclose any nonpublic personal information about them to a nonaffiliated third party. An initial notice is NOT required for "consumers" when you don't disclose any nonpublic personal information other than under the section 14 and 15 exceptions AND you don't have a customer relationship with the consumer. AKA, you don't have to give a notice to consumers who don't become customers if you only share info under exceptions 14 and 15.
Consumers must be provided a reasonable opportunity to opt out. How long they have, and how they can opt out, depends on how the privacy/opt-out notices are provided (3 ways). Explain them.
You provide a consumer a reasonable opportunity to opt out if you: 1 - provide the notices by mail and allow the consumer to opt out by mailing a form, calling a toll-free number, or other reasonable means within 30 days from the date you mailed the notices; 2 - provide the notices by electronic means (the customer opens an account online and agrees to receive the notices electronically) and allow the consumer to opt out by any reasonable means within 30 days after the customer acknowledges receipt of the notices; 3 - for an isolated transaction with a consumer (i.e. an ATM transaction or purchase of a cashier's check), provide the notices at the time of the transaction and require the consumer to decide whether to opt out before completing the transaction.
what does "nonpublic personal information" mean per Reg P?
1 - personally identifiable financial information; 2 - any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. (This excludes publicly available information, except when it is included on a list as described above, and any list that is derived without using personally identifiable financial information that is not publicly available.)
You have to provide initial privacy notices and opt-out notices (and a reasonable opt-out period) not later than when a customer relationship is established, or before you disclose nonpublic personal information about a consumer to a nonaffiliated third party (unless it's under section 14 or 15). There are two exceptions to this timing rule, what are they?
1 - When establishing the customer relationship is not at the customer's election (i.e. you acquire the servicing rights to a loan, or you acquire a deposit account relationship); you then provide the notice within a reasonable time afterward. 2 - When providing the notice not later than when you establish the customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time (i.e. a customer relationship established over the telephone).
Do the privacy rules (reg P) apply to consumers? Businesses?
It only applies to consumers. Banks don't have to provide notices, limit redisclosure, or provide an opt-out to business customers, or to individuals obtaining credit on behalf of a business.
With respect to joint accounts, do you have to provide an opt-out notice to each customer?
No, one opt-out notice can be provided per joint account. However, you must explain how you will treat an opt-out direction by a joint customer (i.e. if one person opts out, do both opt out?). You may treat an opt-out by one joint customer as applying to all of them, or you may let each joint customer opt out separately. Either way: you can't require all joint customers to opt out before you honor any opt-out direction; if one opts out and the other doesn't, you can't share the joint account information or information about the one who opted out; and if you allow separate opt-outs, you must still allow one customer to opt out on behalf of all of them.
If you're a bank and you adequately disclosed to customers that you would share their information for joint-marketing purposes with nonaffiliated TPs. At that time, you marketed with insurance agency A. That relationship was terminated due to fraud, and you have now replaced insurance agency A with insurance agency B. Do you have to provide a revised notice to customers about the information sharing now?
No. If the nonaffiliated third party changed, but the information you disclose and the category of nonaffiliated TP did not change, then there is no obligation to provide a revised notice.
If a customer has a deposit account with you that is classified as "inactive" per your standards, do you still have to provide annual privacy notices?
No. You don't have to provide annual notices to former customers, and a deposit account customer whose account is "inactive" under your policies is a former customer. Other former customers: the loan is paid off or charged off, or you sold the loan without retaining the servicing rights; for a credit card, you no longer provide statements or have closed the account; for any other relationship, you have not communicated with the customer about the relationship for a period of 12 consecutive months (other than to provide annual notices or promotional materials).
With respect to opt-out notices, what are the 4 "reasonable" opt-out means, and the 2 "unreasonable" opt-out means?
Reasonable opt-out means: 1 - designate check-off boxes in a prominent position on the relevant forms with the opt-out notice; 2 - include a reply form with the opt-out notice; 3 - provide an electronic means to opt out, if the consumer agreed to electronic delivery of information; 4 - provide a toll-free telephone number. Unreasonable opt-out means: 1 - the only means of opting out is for the consumer to write his or her own letter; 2 - the only means of opting out is a check-off box that you provided with the initial notice but did not include with the subsequent notice.
What is the difference between a "consumer" and a "customer"?
The main difference is that the customer has a continuing relationship with you. The reg spells out specifically that a continuing relationship includes: having a deposit or investment account with you; a loan with you (whether or not you hold the servicing rights); a loan for which you own the servicing rights; purchasing an insurance product from you; holding an investment product through you; entering into an agreement whereby you broker a home mortgage loan for the consumer; a lease with you; or obtaining financial, investment, or economic advisory services from you for a fee.
If you purchase the loan servicing rights, do you now have a "continuing relationship" with that customer?
YES, owning the servicing rights constitutes a customer relationship. This applies until you sell the servicing rights.
Can you give the opt-out notice to customers on the same form as the initial notice?
Yes
When does an exception apply to the account number sharing rule?
You can share account numbers in two cases: 1 - to your agent or service provider solely to perform marketing for your own products or services, as long as the agent is not authorized to directly initiate charges to the account; 2 - to a participant in a private label credit card program or affinity or similar program, where the participants in the program are identified to the customer when the customer enters into the program. *Also, an account number in encrypted form is not an "account number" under this rule, as long as you don't give the recipient a means to decrypt it.
What is the rule for sharing account number information?
You must not disclose, directly or through an affiliate, other than to a CRA, an account number or similar form of access number or access code for a consumer's credit card, deposit, share, or transaction account to any nonaffiliated third party for use in 1 - TELEMARKETING, 2 - DIRECT MAIL MARKETING, or 3 - other marketing through ELECTRONIC MAIL to the consumer, unless an exception applies.
What is a short-form initial notice, and who can it be provided to?
It satisfies the initial notice requirements for consumers who are NOT CUSTOMERS. You have to provide the short-form notice AND the opt-out notice at the same time.
Under section 13, when do you not have to provide an opt-out notice? Would you still have to provide initial notices?
You don't have to provide an opt-out notice when you provide nonpublic personal information to a nonaffiliated third party TO PERFORM SERVICES or functions FOR YOU (including joint marketing), IF: 1 - you provided the initial notice, and 2 - you have a contract with the TP that prohibits the TP from disclosing or using the information other than to carry out the purposes for which you disclosed it. Yes, you still have to provide the initial notice; it is a condition of the exception.
If you have a current ongoing customer relationship, and that customer gets a new financial product with you, are you required to provide your initial notice again?
You have two choices: 1 - provide a revised privacy notice that covers the new product; or 2 - if the initial, revised, or annual notice you most recently sent is accurate with respect to the new product, you don't have to do anything.
If a consumer opts-out, how long does the opt-out apply for? How long does a bank have to comply with a customer's opt-out request?
Basically, once a consumer opts out, that direction has to be honored until the consumer revokes it in writing (or electronically, if the consumer agreed to electronic delivery). A consumer can opt out at ANY time. If a customer relationship is terminated, the opt-out still applies to the information collected during that relationship, but if the consumer later establishes a new relationship, the old opt-out does not apply to information collected in connection with the new relationship. A bank has to comply with an opt-out request "as soon as reasonably practicable."
What is section 15 called?
Other exceptions to notice and opt out requirements.