The GLB Act gives authority to eight federal
agencies and the states to administer and enforce
the Financial Privacy Rule and the Safeguards Rule.
These two regulations apply to "financial
institutions," which include not only banks,
securities firms, and insurance companies, but also
companies providing many other types of financial
products and services to consumers. Among these
services are lending, brokering or servicing any
type of consumer loan, transferring or safeguarding
money, preparing individual tax returns, providing
financial advice or credit counseling, providing
residential real estate settlement services,
collecting consumer debts and an array of other
activities. Such non-traditional "financial
institutions" are regulated by the FTC.
The Financial Privacy Rule governs the collection
and disclosure of customers' personal financial
information by financial institutions. It also
applies to companies, whether or not they are
financial institutions, who receive such
information. For a summary overview of the Financial
Privacy Rule, see In Brief: The Financial Privacy
Requirements of the Gramm-Leach-Bliley Act.
The Safeguards Rule requires all financial
institutions to design, implement and maintain
safeguards to protect customer information. The
Safeguards Rule applies not only to financial
institutions that collect information from their own
customers, but also to financial institutions "such
as credit reporting agencies" that receive customer
information from other financial institutions.
The Pretexting provisions of the GLB Act protect
consumers from individuals and companies that obtain
their personal financial information under false
pretenses, a practice known as "pretexting."
The Gramm-Leach-Bliley Act: The Financial Privacy Rule
The Commission's Financial Privacy Rule ("Privacy
Rule") was issued to satisfy one of the three main
requirements of the Gramm-Leach-Bliley Act (the
others: Safeguards and Pretexting). The Privacy Rule
applies to “financial institutions.” Under the FTC's
jurisdiction, such institutions include non-bank
companies that engage in a wide array of "financial
activities" such as: lending; brokering or servicing
any type of consumer loan; transferring or
safeguarding money; preparing individual tax
returns; providing financial advice or credit
counseling; providing residential real estate
settlement services; collecting consumer debts; and
various other activities. For a list of the covered
financial activities, please visit the Laws and
Rules section of this page.
The Financial Privacy Rule requires financial
institutions to give their customers privacy notices
that explain the financial institution’s information
collection and sharing practices. In turn, customers
have the right to limit some sharing of their
information. Also, financial institutions and other
companies that receive personal financial
information from a financial institution may be
limited in their ability to use that information.
The Federal Trade Commission is one of eight federal
agencies that, along with the states, are
responsible for developing a consistent regulatory
framework to administer and enforce the Financial
Privacy Rule. In December 2003, the eight federal
agencies issued an Advance Notice of Public
Rulemaking to consider the development of
alternative forms of privacy notices for consumers,
soliciting public comments on the feasibility,
design, and content for a short notice and
requesting applicable research.
The FTC, FRB, OCC, FDIC, SEC, and NCUA are currently
engaged in an interagency notice research project,
to develop through consumer testing alternative
forms of privacy notices for consumers. The agencies
anticipate that work on the project will continue
through the end of 2005.
For a summary overview of the Financial Privacy
Rule, be sure to see In Brief: The Financial Privacy
Requirements of the Gramm-Leach-Bliley Act.
You will find the following information on the
Financial Privacy Rule here: the laws and
regulations, business education materials and staff
guidance on specific technical issues, consumer
education materials and information about GLB
Workshops. In addition, you will find information on
GLB Act preemption determination requests submitted
to the Commission.
The Financial Privacy Requirements of the Gramm-Leach-Bliley Act
Financial Institutions
The GLB Act applies to "financial
institutions" - companies that offer financial
products or services to individuals, like loans,
financial or investment advice, or insurance. The
Federal Trade Commission has authority to enforce
the law with respect to "financial institutions"
that are not covered by the federal banking
agencies, the Securities and Exchange Commission,
the Commodity Futures Trading Commission, and state
insurance authorities. Among the institutions that
fall under FTC jurisdiction for purposes of the GLB
Act are non-bank mortgage lenders, loan brokers,
some financial or investment advisers, tax
preparers, providers of real estate settlement
services, and debt collectors. At the same time, the
FTC's regulation applies only to companies that are
"significantly engaged" in such financial
activities.
The law requires that financial
institutions protect information collected about
individuals; it does not apply to information
collected in business or commercial activities.
Consumers and Customers
A company's obligations under the
GLB Act depend on whether the company has consumers
or customers who obtain its services. A consumer
is an individual who obtains or has obtained a
financial product or service from a financial
institution for personal, family or household
reasons. A customer is a consumer with a
continuing relationship with a financial
institution. Generally, if the relationship between
the financial institution and the individual is
significant and/or long-term, the individual is a
customer of the institution. For example, a person
who gets a mortgage from a lender or hires a broker
to get a personal loan is considered a customer of
the lender or the broker, while a person who uses a
check-cashing service is a consumer of that service.
Why is the difference between
consumers and customers so important? Because only
customers are entitled to receive a financial
institution's privacy notice automatically.
Consumers are entitled to receive a privacy notice
from a financial institution only if the company
shares the consumers' information with companies not
affiliated with it, with some exceptions. Customers
must receive a notice every year for as long as the
customer relationship lasts.
The privacy notice must be given to
individual customers or consumers by mail or
in-person delivery; it may not, say, be posted on a
wall. Reasonable ways to deliver a notice may depend
on the type of business the institution is in: for
example, an online lender may post its notice on its
website and require online consumers to acknowledge
receipt as a necessary part of a loan application.
The Privacy Notice
The privacy notice must be a clear,
conspicuous, and accurate statement of the company's
privacy practices; it should include what
information the company collects about its consumers
and customers, with whom it shares the information,
and how it protects or safeguards the information.
The notice applies to the "nonpublic personal
information" the company gathers and discloses about
its consumers and customers; in practice, that may
be most - or all - of the information a company has
about them. For example, nonpublic personal
information could be information that a consumer or
customer puts on an application; information about
the individual from another source, such as a credit
bureau; or information about transactions between
the individual and the company, such as an account
balance. Indeed, even the fact that an individual is
a consumer or customer of a particular financial
institution is nonpublic personal information. But
information that the company has reason to believe
is lawfully public - such as mortgage loan
information in a jurisdiction where that information
is publicly recorded - is not restricted by the GLB
Act.
Opt-Out Rights
Consumers and customers have the
right to opt out of - or say no to - having their
information shared with certain third parties. The
privacy notice must explain how - and offer a
reasonable way - they can do that. For example,
providing a toll-free telephone number or a
detachable form with a pre-printed address is a
reasonable way for consumers or customers to opt
out; requiring someone to write a letter as the only
way to opt out is not.
The privacy notice also must explain
that consumers have a right to say no to the sharing
of certain information - credit report or
application information - with the financial
institution's affiliates. An affiliate is an entity
that controls another company, is controlled by the
company, or is under common control with the
company. Consumers have this right under a different
law, the Fair Credit Reporting Act. The GLB Act does
not give consumers the right to opt out when the
financial institution shares other information with
its affiliates.
The GLB Act provides no opt-out
right in several other situations. For example, an
individual cannot opt out if:
- a financial institution shares information with outside companies that provide essential services like data processing or servicing accounts;
- the disclosure is legally required;
- a financial institution shares customer data with outside service providers that market the financial company's products or services.
Receiving Nonpublic Personal
Information
The GLB Act puts some limits on how
anyone that receives nonpublic personal information
from a financial institution can use or re-disclose
the information. Take the case of a lender that
discloses customer information to a service provider
responsible for mailing account statements, where
the consumer has no right to opt out: The service
provider may use the information for limited
purposes - that is, for mailing account statements.
It may not sell the information to other
organizations or use it for marketing.
However, it's a different scenario
when a company receives nonpublic personal
information from a financial institution that
provided an opt-out notice -- and the consumer
didn't opt out. In this case, the recipient steps
into the shoes of the disclosing financial
institution, and may use the information for its own
purposes or re-disclose it to a third party,
consistent with the financial institution's privacy
notice. That is, if the privacy notice of the
financial institution allows for disclosure to other
unaffiliated financial institutions - like insurance
providers - the recipient may re-disclose the
information to an unaffiliated insurance provider.
Other Provisions
Other important provisions of the
GLB Act also impact how a company conducts business.
For example, financial institutions are prohibited
from disclosing their customers' account numbers to
non-affiliated companies when it comes to
telemarketing, direct mail marketing or other
marketing through e-mail, even if the individuals
have not opted out of sharing the information for
marketing purposes.
Another provision prohibits "pretexting"
- the practice of obtaining customer information
from financial institutions under false pretenses.
The FTC has brought several cases against
information brokers who engage in pretexting.