The GLBA privacy rules, as enforced by the various regulators, generally require: Clear and conspicuous notice of the financial institution's information-sharing policies and practices, including what information it collects and with whom it shares the information. As A Consumer's Guide to Buying a Franchise explains, the FDD is just one of three critical documents you need to evaluate. Under the Paperwork Reduction Act of 1995 (PRA),[42] The GLB Act and the Commission's Privacy Rule, 16 CFR Part 313, require certain "financial institutions" to provide initial and annual privacy notices to their customers. You must give consumers and customers a "reasonable opportunity" to exercise their right to opt out, for example, 30 days, after you send the initial notice either on- or off-line, before you can share their information with nonaffiliated third parties outside the exceptions. (1) It does not matter whether or not you're a financial institution. These activities cover services offered by lenders, check cashers, wire transfer services, and sellers of money orders. In addition, as discussed above, the Commission declines to change the language of examples retained in the final rule. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. cashing a check with a check-cashing company, applying for a loan, whether or not you actually obtain the loan, opening a credit card account with a financial institution, leasing an automobile from an auto dealer, using the services of a mortgage broker to secure financing, obtaining the services of a tax preparer or investment adviser, getting a loan from a mortgage lender or payday lender.
These activities cover services offered by credit counselors, financial planners, tax preparers, accountants, and investment advisors. et seq. Whether or not you share customer NPI, you must give all your customers a privacy notice. Classification System Codes, 13 CFR 121.201 (available at: See Accordingly, the Commission believes the rule will not have a significant economic impact on small entities. The Commission declines to modify existing examples in this manner. 2. (2) The GLB Act requires these disclosures to be made as part of any privacy policy you give to your consumers or customers. 12 U.S.C. There are a number of exceptions to the notice and opt-out requirements. This example states no continuing relationship is created when a consumer obtains a financial product or service from [the financial institution] only in isolated transactions, such as cashing a check with [the financial institution] or making a wire transfer through the financial institution. Examples. NADA (comment 9), at 5. Federal Register Section 313.18(a)(2) also provided an exception, stating this part is not effective as to any institution that is significantly engaged in activities that the Federal Reserve Board determines, after November 12, 1999 . An entity is a financial institution if its business is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. Modifications to the Annual Privacy Notice To Reflect Statutory Changes Resulting From the FAST Act, C. Modifications to Scope and Definitions To Bring the Rule Into Accord With Regulation P, 1. You are not required to deliver an annual privacy notice if you: (i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of 313.13, 313.14, or 313.15; and. 32.
6802; 16 CFR 313.6(a)(6). includes each financial institution over which the Commission has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act (15 U.S.C. There are three types of privacy notices defined in the regulations: an initial notice, an annual notice, and a revised notice. Amend 313.1 by revising paragraph (b) to read as follows: (b) The limits depend on how the information is disclosed to you. The Gramm-Leach-Bliley Act was enacted on November 12, 1999. 3. provide that an affiliate of a motor vehicle dealer that receives certain information about a consumer from the dealer may not use that information for marketing purposes, unless the consumer is provided with an opportunity to opt out of that use. 20. The Federal Reserve Board, the Office of Thrift Supervision, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation. For example, you may want to purchase a financial institution's customer list in order to market your own products to those individuals. (The individual is also a consumer with respect to the other financial institutions involved.) 13. Other exceptions to notice and opt out requirements. Notices given orally or posted in your office(s) don't comply with the rule. The regulation specifies when and to whom a bank is required to give each type of privacy notification.
Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. The section 15 exceptions apply to certain types of information-sharing, including disclosures for purposes of preventing fraud, responding to judicial process or a subpoena, or complying with federal, state, or local laws. 29. If you were not required to provide a revised privacy notice under 313.8, you must provide an annual privacy notice by July 9 of year 1. (4) An example of entities that are not significantly engaged in financial Consumers and customers who have the right to opt out may do so at any time. [16] 1016.4 Initial privacy notice to consumers required. (ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended. 43. 5. A special rule defines the customer relationship when several financial institutions participate in a loan transaction. (2) Special rule for loans. It depends on why you receive it (see "LIMITS ON REUSE AND REDISCLOSURE OF NPI"). Are You a Financial Institution?
See additional information about the GLB Act and the Privacy Rule. For example, if you don't share NPI with affiliates or nonaffiliated third parties except as permitted under sections 313.14 and 313.15, you can provide a simplified notice that: (1) describes your collection of NPI; (2) states that you only disclose NPI to nonaffiliated third parties "as permitted by law;" and (3) explains how you protect the confidentiality and security of NPI. Answer by Mary Beth Guard: The issue that the GLBA privacy provisions focus on is the SHARING of nonpublic customer information. https://www.federalregister.gov/documents/2012/04/13/2012-8748/rescission-of-rules. The Gramm-Leach-Bliley Act seeks to protect consumer financial privacy. 3. The Gramm-Leach-Bliley Act (GLBA) is a federal law that establishes various legal requirements for companies that qualify as "financial institutions" under the Act. They must receive the notice and have a reasonable opportunity to opt out before you can disclose their NPI to these nonaffiliated third parties. On December 9, 2021, the Federal Trade Commission (FTC) issued final regulations (Final Rule) to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act's (GLBA) requirements for protecting the privacy and personal information of consumers. 801 means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C.
The Commission, the National Credit Union Administration (NCUA), the Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC) were part of the same interagency process, but each issued their rules separately. Final Rule, 83 FR 40945 (August 17, 2018) available at (ii) Under the Rule, a "consumer" is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person's legal representative. (ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under 313.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part. 6803(c)(4); 16 CFR 313.6(a)(7). When it comes to data security and privacy compliance requirements under the GLBA, there are three main sets of regulations, each called a "Rule" in regulation-speak, that IT needs to worry about. As of December 4, 2015, section 75001 of the Fixing America's Surface Transportation Act (FAST Act) amended section 503 of GLBA to establish an exception to the annual privacy notice requirements whereby a financial institution that meets certain criteria is not required to provide an annual privacy notice to customers. 6804(a)(1)(C)). The Commission received no comments on the substance of this paragraph and adopts it without modification. Several other entities commented on the expansion of the definition of a financial institution in the Safeguards Rule. See A Rule by the Federal Trade Commission on 12/09/2021. However, under section 1029 of the Dodd-Frank Act, the Commission retained rulemaking authority for certain motor vehicle dealers. 16 CFR 313.10(a).
If financial institutions share certain customer information with particular types of third parties, the institutions are also required to provide notice to Before you share NPI with nonaffiliated third parties outside of the exceptions described within (see "Exceptions"), you must give your non-customer consumers a privacy notice, including an opt-out notice. First, if you are a "financial institution," you are covered. (i) An individual who applies to you for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended. NPI does not include information that you have a reasonable basis to believe is lawfully made "publicly available." Given that this scenario is unlikely, modifying the definition of financial institution for purposes of the Privacy Rule has little practical effect. The Commission has not identified any such entities. providing financial, investment or economic advisory services. LIMITS ON REUSE AND REDISCLOSURE OF NPI, IV. The Commission proposed to amend 313.1(b) to include companies that engage in activities financial in nature or incidental to such financial activities in the scope of the rule. 13, 2012) available at Accordingly, as part of this rulemaking process, the Commission has consulted and coordinated, or offered to consult, with those agencies that have rulemaking and/or enforcement authority under the GLBA, including the CFPB, SEC, CFTC, and the National Association of Insurance Commissioners (NAIC).[11]. With this action, the Commission makes the current, narrow scope of the rule clearer. Table of Small Bus. The rule requires that initial and annual notices inform customers of their right to opt out of the sharing of nonpublic personal information with some types of nonaffiliated third parties. 
The Commission also proposed amending the rule to allow motor vehicle dealers to notify their customers that a privacy notice is available online, under circumstances identical to those that had been adopted by the CFPB. Second, if you receive "nonpublic personal information" from a financial institution with which you are not affiliated, you may be limited in your use of that information. It agreed the examples proposed for removal do not apply to motor vehicle dealers and supported their deletion. 21. Nevertheless, the Commission is modifying the definition for purposes of consistency with Regulation P and the Safeguards Rule. 6803; 16 CFR 313.4. 1. If you share information only under these sets of exceptions, you don't need to give your consumers a privacy notice, but you will need to give your customers a simplified initial and, if applicable, an annual privacy notice. The final rules implement these requirements of the Gramm-Leach-Bliley Act with respect to investment advisers registered with the Commission, brokers, dealers, and investment companies, which are the financial institutions subject to the Commission's jurisdiction under that Act. The FTC's "significantly engaged" standard is intended to exclude certain activities that might otherwise fall under the Privacy Rule. Projected Reporting, Recordkeeping, and Other Compliance Requirements, 5. Section 313.5(e) in turn sets forth the exception, which was taken from the FAST Act, and adopted by the CFPB in its amendments to Regulation P.[34] The Commission notes that while the term loan may not be applicable to all motor vehicle dealers' transactions with their customers, most extensions of credit or the arranging of credit will play the same role as loans for purposes of this amendment, and dealers may generally apply these examples accordingly. [2] DISCLOSURE OF ACCOUNT NUMBERS IS PROHIBITED. When exception available.
The Commission adopts the proposed amendment without change. Even if your business is not a financial institution that has consumers or customers, the Privacy Rule may limit your use of NPI. https://www.federalregister.gov/documents/2009/12/01/E9-27882/final-model-privacy-form-under-the-gramm-leach-bliley-act; see also On June 24, 2015, the Commission published a notice of proposed rulemaking (2015 NPRM) proposing revisions to the Privacy Rule. The authority citation for part 313 is revised to read as follows: Authority: Section 313.18 set forth the effective date for the rule and prescribed requirements for institutions' compliance with the rule as to customers who were already customers at the time the rule was first promulgated. Your ability to reuse and redisclose the information may be restricted if you receive NPI from a nonaffiliated financial institution. [39] Size Standards Matched to North American Indus. Estimate of Number of Small Entities To Which the Final Rule Will Apply, 4. The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Therefore, the Commission does not believe any lending, exchanging, transferring, investing for others, or safeguarding money or securities. Rulemaking authority to implement the GLBA's privacy provisions was initially spread among multiple agencies. For example, nonpublic personal information obtained from an application or a third party such as a consumer reporting agency. An opt-out notice must be delivered with a privacy notice, and it can be part of the privacy notice. For example, a creditor's list of its borrowers' names and phone numbers is NPI even if the creditor has a reasonable basis to believe that those phone numbers are publicly available, because the existence of the customer relationships between the borrowers and the creditor is NPI. 15 U.S.C. No continuing relationship.
See more information about the FCRA and how it applies to your information sharing practices. When you provide the notice and what you say depend on what you do with the information. The section 14 exceptions apply to various types of information-sharing that are necessary for processing or administering a financial transaction requested or authorized by a consumer. Nonetheless, as discussed above, these amendments will not add any additional burdens on any covered small businesses. The amendments do not modify or add to information collection requirements previously approved by OMB. Examples. Likewise, it proposed amending the definition of financial institution in 313.3(k), to include any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities. 16 CFR 680.1-680.28. As discussed above, the Commission's Privacy Rule applies only to motor vehicle dealers and so would apply only to finders that are also motor vehicle dealers. First, most of the changes effectuate statutory changes from the Dodd-Frank Act and the FAST Act. The regulations required all covered businesses to be in full compliance by July 1, 2001. A. activities is a motor vehicle dealer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue. But a list derived even partially from NPI is still considered NPI. 7.
This action is necessary to conform the rule to the current requirements of the Gramm-Leach-Bliley Act (GLBA), as amended by the Dodd-Frank and FAST Acts, and the Commission's revisions to the Safeguards Rule, which are being announced simultaneously through a separate document published elsewhere in this issue of the any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report). An individual who has a loan in which you have ownership or servicing rights is your consumer, even if you, or another institution with those rights, hire an agent to collect on the loan. (NADA), supported eliminating the references to HIPAA and FERPA, agreeing that these provisions would not apply to automobile dealers. (B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. 65 FR 33654. 16 CFR 313.6(a)(8). 26. 17 CFR 248.4 - Initial privacy notice to consumers required. David Lincicum (202-326-2773), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. Here's what you need to know about the Gramm-Leach-Bliley Act (GLBA) Privacy Notice requirements and the best way to fulfill them. One commenter asked why the rule would not cover dealers that directly extend credit to consumers.
[21] You may also disclose the information to your affiliates, who are limited in their reuse and redisclosure of the information in the same way as you are, and to affiliates of the originating financial institution. 1681a(d)(2)(A)(iii). For example, a customer has the right to opt out of allowing a motor vehicle dealer to sell her name and address to a nonaffiliated auto insurance company. This provision does not prohibit the sharing of an encrypted account number, if the third party receiving the information has no way to decode it. An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution. (j) Anyone who uses this Guide should also review the Privacy Rule, found at 16 C.F.R. ), to law means: (1) The Board of Governors of the Federal Reserve System; (2) The Office of the Comptroller of the Currency; (3) The Board of Directors of the Federal Deposit Insurance Corporation; (4) The National Credit Union Administration Board; and. means at least once in any period of 12 consecutive months during which that relationship exists. The Commission believes that is precisely the type of appraisal suggested by the example. 1338 (1999). NADA asked whether the proposed rule would apply to finders acting for a motor vehicle dealer. A financial institution establishes a customer relationship with an individual when it originates a loan.
The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires an agency to either provide an Initial Regulatory Flexibility Analysis (IRFA) with a proposed rule, or certify that the proposed rule will not have a significant impact on a substantial number of small entities. (1) General rule. A consumer has a continuing relationship with you if the consumer: (A) Has a credit or investment account with you; (C) Purchases an insurance product from you; (D) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan, or credit to purchase a vehicle, for the consumer; (E) Enters into a lease of personal property on a non-operating basis with you; or. No substantial delay of customer's transaction. The notice should use plain language, be easy to read, and be distinctive in appearance. You may also disclose the information to your affiliates, whose redisclosure is limited in the same way as you, and to affiliates of the originating financial institution. The Commission also proposed changing the Privacy Rule provisions governing how motor vehicle dealers should deliver annual privacy notices. For example, if the originating financial institution's privacy notice informed its consumers and customers that it would only share their NPI with "nonfinancial institutions, such as charitable organizations," you may redisclose the NPI to charitable institutions as well. The amendments do not impose any new or substantively revised collections of information, as defined by the PRA. Exceptions to the Notice and Opt-Out Requirements, Exception to the Opt-Out Requirement: Service Providers and Joint Marketing. Second, the Commission does not expect the amendment to impose costs on small motor vehicle dealers because the amendments are primarily for clarification purposes and should not result in any increased burden on any motor vehicle dealer. 
[19], In addition, section 624 of the FCRA and the FTC's Affiliate Marketing Rule[20] The Commission received two comments on these proposed changes. NADA also argued the term understanding in paragraph (i)(2)(i)(D) is confusing because it is not clear what an understanding would mean in this context, and motor vehicle dealers do not enter into informal relationships to arrange credit for consumers. The section 13 exception also applies to marketing financial products or services offered through a "joint agreement" with one or more other financial institutions. an "opt-out" notice explaining the individual's right to direct you not to share her NPI with a nonaffiliated third party; a reasonable amount of time to opt out before you disclose her NPI. Section 248.5 Annual privacy notice to customers required. Second, the removal of certain examples provided in the rule that are not applicable to motor vehicle dealers will have no impact on existing information collection requirements. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that 313.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirement in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice. The FTC may bring enforcement actions for violations of the Privacy Rule. For purposes of your obligations under the Privacy Rule, a former customer is considered to be a consumer. NADA also took issue with 313.3(i)(2)(i)(D), which states a consumer has a continuing relationship with a financial institution when the consumer enters into an agreement or understanding with the financial institution in which the financial institution undertakes to arrange credit to purchase a vehicle for the consumer.
NADA noted when motor vehicle dealers arrange credit for a consumer, they then assign that agreement to a third party and do not continue the relationship with the consumer. PRA Notice, 82 FR 48081 (Oct. 16, 2017) available at In that case, her phone number would not be "publicly available." Annually 5519. 24. See As a result of recent changes to federal privacy laws, financial institutions [1] such as registered investment advisers, exempt reporting advisers, commodity trading advisers, registered broker-dealers and private funds, may no longer need to provide an annual privacy notice to their customers. In 2010, the Dodd-Frank Act[5] Reg. (iii) If the FCRA currently requires that you make clear and conspicuous disclosures to your consumers regarding your sharing of certain information (such as consumer report and application information) with your affiliates, you must continue to do so. The section 13 exception covers disclosures to third party service providers whose services for you do not fall within the section 14 exceptions. The FTC can bring actions to enforce the Privacy Rule in federal district court, where it may seek the full scope of injunctive and ancillary equitable relief. The Privacy Rule applies to businesses that are "significantly engaged" in "financial activities" as described in section 4(k) of the Bank Holding Company Act. The Gramm-Leach-Bliley Act required the Federal Trade Commission (FTC) and other government agencies that regulate financial institutions to implement regulations to carry out the Act's financial privacy provisions (GLB Act). (q) If you have a question about the Bureau's rules and the statutes we implement, please first review the regulations and official interpretations (commentary) as well as the available guidance and compliance resources.
NADA was the only commenter who opined on this issue.