Financial institutions collect and use many types of personal information to conduct everyday business activities and to market products and services. This information can then be used to create bank statements, monitor for fraud and determine credit eligibility. This also means that banks occasionally share customer information with third-party vendors. It’s a highly regulated process of information sharing that includes customer interaction to ensure that private data is being handled properly and according to the customer’s wishes.
The primary law that governs how banks can share personal information about consumers is the Gramm-Leach-Bliley (GLB) Act of 1999, which prohibits the disclosure of certain private information like Social Security numbers, income, and some outstanding debt. The Act, which is federally mandated, consists of three sections: the Financial Privacy Rule, which regulates the collection and disclosure of private information; the Safeguards Rule, which requires financial institutions to enact security programs to protect personal information; and the Pretexting provisions, which prohibit the access of private information under false pretenses.
The main purpose of the GLB Act is to ensure that customers’ personal information is protected according to strict guidelines. The Act obliges financial institutions to respect their customers’ privacy and securely protect their sensitive personal information against unauthorized access.
One mandate of the Act requires banks to develop privacy practices and policies that detail how they collect, sell, reuse, and share personal information. This policy must be disclosed to the customer along with the option to decide which information can be retained for future use.
The GLB Act also determines what information can be shared and with whom. Information that is publicly available, like phone numbers or addresses, can be shared. Information that cannot be shared is called “personally identifiable financial information,” which is not publicly available. It includes data provided on a loan application, credit card information, account balance, payment history, purchase information, Social Security data and birth dates, and even the institution where the customer banks.
The third-party vendors with which banks often share personal information, typically for business and marketing purposes, are also regulated. They include mortgage bankers, securities dealers and insurance agents; retailers, magazine publishers and direct marketers; service providers, government agencies and non-profits.
A financial institution that fails to comply with the GLB Act can face harsh financial and personal consequences that can involve fines, incarceration, and loss of customer confidence.
The House Financial Services Committee recently introduced a bill that would create a national privacy standard that provides consumers with more control over the use of their personal data. Items included in the bill involve more disclosures to consumers, more access to and control of their data by consumers, and an expansion of the definition of “financial institution” and “nonpublic information”.