Financial Privacy

• What to protect -

  • Banking Records

  • Financial records

• Restrictions

  • How financial services firms may collect, use and disclose personal information

8.1 The Fair Credit Reporting Act (FCRA 1970)

1. Enacted to

   1. Regulate the consumer reporting industry

   2. Provide privacy rights in consumer reports.

2. FCRA mandates

   1. Accurate and relevant data collection

   2. Provides consumer with the ability to access and correct their information

   3. Limits the use of consumer reports to defined permissible purposes.

   4. First federal law to regulate the use of personal information in private businesses.

3. FCRA amendments in 1996 strengthened consumer access and correction rights and included provisions for non-consumer-initiated transactions (“prescreening”).

• Prescreening

  • The process by which individual consumers are identified to receive firm offers of credit is based on a predetermined set of criteria used to prescreen those individuals for inclusion on a consumer list.

  • Prescreening is the only circumstance in which consumer report information may be used for marketing purposes, and one of the few circumstances in which consumer report information may be provided in the absence of a consumer-initiated transaction.

3. 1. FACTA further amended relating to identity theft and other subjects.

   2. FCRA regulates any “consumer reporting agency (CRA)” that furnishes a “consumer report.”

      1. Creditworthiness

      2. Credit standing

      3. Credit capacity

      4. Character

      5. General reputation

      6. Mode of living

4. Consumer Reporting Agency CRA

   1. Any person/entity that

      1. complies/evaluates PI for purposes of furnishing consumer reports to 3rd party for a fee (ex. Experian, Equifax and Transunion)

      2. Small CRAs that compile PI like

         1. criminal records

         2. Driving histories

         3. Background histories of pre-employment screening.

5. Consumer Report

   1. Consumer report is any communication by a CRA related to an individual that pertains to the person’s:

      1. Creditworthiness

      2. Credit standing

      3. Credit capacity

      4. Character

      5. General reputation

      6. Personal characteristics

      7. Mode of living

      8. Used in whole or in part for the purpose of serving as a factor in establishing a consumer’s eligibility for credit, insurance, employment or other business purpose.

6. Use of Consumer Reports - What’s a valid request under CFRA for users of CRD:

   1. 3rd-party data for substantive decision making must be appropriately accurate, current, and complete.

   2. Consumer must receive notice when 3rd party data is used to make adverse decision about them

   3. Consumer reports may be used only for permissible purposes

   4. Consumer must have access to their reports and an opportunity to dispute them or correct errors

   5. Additionally, record keeping, providing certifications to the CRAs and securely disposing of the CRD.

7. FRCA also requires CRAs to:

   1. Provide consumers access to information contained in their CRD and opportunity to dispute.

   2. Reasonable steps to ensure maximums accuracy of information iii. Not report outdated negative information – 7 years or bankruptcies of 10 years.

   3. Provide CRD only to entities that have permissible purpose

   4. Provide consumer assistance as required by FTC rules

   5. Enforcement of FCRA is through

      1. Dispute resolution

      2. Private litigation

      3. Government actions.

   6. In-house dispute with CRA, then private litigation – usually class action.

      1. It can be enforced by FTC, CFPB, and state attorneys’ general.

   7. Non Compliance with FCRA - Civil/Criminal penalties

      1. Government enforcement actions for violations of the FCRA can be brought by the FTC, the CFPB, and state a orneys general.

      2. At the federal level, both the FTC and the CFPB share responsibility to enforce the FCRA.

      3. State attorneys general are required to give notice to the FTC prior to filing suit, and the FTC retains the authority to intervene in the cases brought by the state attorneys general

8.1.1 FCRA Notice Requirements

1. CRA Users must have “permissible purpose”

   1. Order by court/federal grand jury subpoena

   2. Consumer written instruction

   3. Extension of credit via application of consumer / review or collection of consumer’s account

   4. Employment purposes with consumer permission

   5. Underwriting of insurance via application of consumer

   6. Legitimate business need initiated by consumer

   7. Review consumer’s account if consumer is meeting terms of account

   8. Consumer’s eligibility for a license or other benefit granted by governmental instrumentality

   9. Use by potential investor or servicer in a valuation of the credit or prepayment risk

   10. Use by state or local officials for child support payments

   11. Use for the purposes of making “prescreened” unsolicited offers of credit or insurance

2. Users must provide certifications

   1. FCRA 604(f) prohibits any person from obtaining a CRD from a CRA unless the person has certified to the CRA the permissible purpose for which the report is being obtained and certifies that the report will not be used for any other purpose.

3. FCRA Disclosure

   1. User must notify consumers when adverse actions are taken

   2. Requires disclosure by all persons who use credit scores in making or arranging loans secured by residential real property.

   3. In some instances, the person must provide a risk-based pricing notice to the consumer in accordance with the regulations jointly prescribed by the CFPB and the Federal Reserve Board.

      1. Risk-based pricing occurs when lenders offer different interest rates and loan terms to borrowers, based on individual creditworthiness.

      2. The Risk-Based Pricing Rule requires you to notify consumers if they are getting worse terms because of information in their credit report.

      3. An alternative way of complying with the Rule is to give a credit score disclosure notice to all customers, regardless of the terms on which you granted them credit (“credit score disclosure exception” notice).

      4. The Federal Trade Commission, the Consumer Financial Protection Bureau, and the federal banking agencies each have published a Risk-Based Pricing Rule. The substance of the rules is identical.

4. Consumer Reports and Employment – Additional obligations:

   1. Make a clear conspicuous written notification to the consumer before the report is obtained, that a CRD may be obtained by the employer.

   2. Obtain prior written consumer authorization in order to obtain a CRD.

   3. Certify to the CRA that the above steps have been followed, that the information being obtained will not be used in violation of law.

   4. Before taking an adverse action, provided a copy of the report to the consumer and summary of rights from the CRA.

   5. Employee Investigations – investigations of suspected misconduct by an employee.

   6. These investigations are not treated as CRD if:

      1. Employer complies with procedures;

      2. No credit information is used;

      3. A summary describing the nature and scope is provided to the employee if an adverse action is taken based on the investigation.

5. Investigative Consumer Reports

   1. contains consumer’s character, general reputation, personal characteristics and mode of living.

   2. Gathered through interviews by CRA.

6. Disclosures under FCRA

   1. Disclosure is required if intended to be used.

   2. Consumer must be informed by writing and delivered to consumer not later than 3 days after the report was requested

   3. Must contain summary of consumer rights required by FCRA; user must certify to CRA that required disclosure has been made; user must make disclosure of the nature and score of the investigation (written + delivered).

7. Medical Information under FCRA

   1. FCRA limits medical information obtained from CRAs, other than payment information that appears in a coded form and does not identify the medical provider.

   2. Consumer must provide consent if medical information is to be used for insurance purpose or it must be coded.

   3. If it is used for employment purposes, written consent is needed.

8. “Prescreened” Lists

   1. FCRA permits creditors/insurers to obtain limited CRI for use in unsolicited offers of credit or insurance under conditions.

   2. If using prescreened lists:

      1. Before offer is made, establish criteria of offer/grant credit/insurance;

      2. Maintain criteria on file for 3 years

      3. Plus include written solicitation letter.

8.2 The Fair and Accurate Credit Transactions Act

1. Fair and Accurate Credit Transactions Act (FACTA)

   1. Passed in 2003 that made amendments to FCRA.

   2. Stricter state laws are preempted in most areas, although they retained some powers to enact laws addressing identity theft

   3. Pertaining to frequency of free credit reports, the federal law permitted state laws in Colorado, Georgia, Maine, Maryland, Mass, New Jersey, and Vermont to remain in effect.

   4. FACTA identified specific state laws that remain in effect

      1. CA/CO – laws about credit scores and insurance laws

      2. CO/GA and others, free credit reports

   5. It enacted a number of consumer protections

      1. Truncation of credit/debit cards

      2. Right to request free annual credit report

      3. Other identity theft protections

      4. Required regulators to promulgate a Disposal Rule and Red Flags Rule.

2. Disposal Rule

   1. Requires user of consumer report for business purpose to “reasonably” dispose of it in a way preventing unauthorized access and misuse.

   2. Includes CRA, lenders, employers, insurers, landlords, car dealers, attorneys, debt collectors, and government agencies

   3. Enforced by the FTC, the federal banking regulators, and CFPB.

3. Red Flags Rule

   1. Requires entities to develop a set of rules to mandate the detection, prevention and mitigation of identity theft.

   2. The rule requires to develop and implement written identity theft detection programs that can identify and respond to the “red flags” that signal identity theft.

   3. Scope: Financial Institutions - Bank, Savings, Loans, & Credit Unions.

8.3 Gramm-Leach-Bliley Act Title 5 of Financial Services Modernization Act

1. Background

   1. General framework for confidentiality of records in the financial services sector.

   2. Major legislation that codified the consolidation of the US banking, securities, and insurance industries in the late 1990s that promulgated “Privacy Rule” and “Safeguards Rule.”

   3. Storage, Notice, and Opt Out Choice

2. US Bancorp

   1. One of the most prominent cases involved US Bancorp and the telemarketing form MemberWorks.

   2. that resulted in $3 million settlement for allegations that the bank had sent detailed customer information that enabled the marketer to directly withdraw funds from the customer account.

   3. This case focused popular and regulatory attention on the prevalence of data-sharing relationships between banks and 3rd-party marketers.

   4. marketers.

   5. Congress responded with GLBA with significant privacy and security.

3. GLBA Purpose

   1. Eliminated legal barriers to affiliations among banks, securities firms, insurance companies and other financial services companies.

   2. Under GLBA privacy, financial institutions are required:

      1. store information in a secure manner;

      2. Provide notice of their policies;

      3. Provide opt out choice of sharing information.

4. Scope and Enforcement of GLBA

   1. Applies to

      1. “financial institutions” that are “significantly engaged” in financial activities banks, insurance providers, securities firms, payment settlement services, check-cashing services, credit counselors, mortgage lenders).

   2. Regulates

      1. Financial institution management of “nonpublic personal information” – Personal Identifiable Financial Information.

      2. Example: Home Email address

   3. GLBA and Privacy Notices

      1. Standard for privacy notices where initial and annual privacy notices to consumers on 9 categories of information, and must process opt-out within 30 days.

      2. The privacy notices must include:

         1. What information is collected about its consumer;

         2. With whom it’s shared;

         3. How it is protected;

         4. An explanation of how to opt-out.

      3. Provided this notice standard is met, a financial institution may share any information with its affiliated companies (CRA?)

      4. Note: GLBA prohibits disclosure of consumer account numbers to non-affiliated companies for marketing purposes even if consumer did not opt- out.

      5. Consumer cannot opt out if:

         1. Information is shared with outside companies that provide essential services like data processing

         2. Disclosure is legally required;

         3. Customer date is shared with outside providers that market the financial company’s products/services.

   4. GLBA Safeguards Rule

      1. Requires security controls to protect the confidentiality and integrity of personal consumer information (electronic and paper records).

      2. It requires implementation of a comprehensive “information security program” that contains “administrative, technical, and physical safeguards” to protect the security, confidentiality and integrity of customer information.

      3. It must contain certain elements, including a designated employee to coordinate the program, audit systems to determine risk, and certain procedures to take with service providers to ensure that the security of the information is maintained.

      4. It must provide:

         1. Administrative security;

         2. Technical security;

         3. Physical security.

5. California SB-1 (CA Financial Information Privacy Act)

   1. Purpose.

      1. Expands the financial privacy of GLBA.

      2. It increases the disclosure requirements and grants consumer increased rights with regard to the sharing of information.

      3. Statutory damages of $2,500 up to $500k per occurrence.

   2. Opt-in/Opt-out

      1. Written opt-in is required to share personal information with nonaffiliated 3rd parties.

      2. Opt-in must be titled “Important Privacy Choices for Consumers.”

      3. SB-1 grants consumers the ability to opt out of information sharing between their financial institutions and affiliates not in the same line of business.

      4. BUT, a financial institution need not obtain consent in order to share non- medical information with its wholly owned subsidiaries engaged in the same line of business

         1. insurance, banking, securities

         2. if they are regulated by the same functional regulator.

8.4 Dodd-Frank Wall Street Reform and Consumer Protection Act

1. Why.

   1. 2008 response to financial crisis

2. Purpose.

   1. It created the CFPB as an independent bureau within the Federal Reserve

   2. CFRB oversees the relationship between consumers and providers of financial products and services.

   3. CFRB assumed rule-making authority for specific existing laws related to financial privacy (FCRA, GLBA, and Fair Debt Collection Practices Act).

      1. Exception of

         1. Section 615(e) red flag guidelines and regulation

         2. Section 628 disposal of records

   4. CFPB can bring actions for “unfairness and deception.”

   5. CFPB has a new power to enforce against “abusive acts and practices” – materially interferes with the ability to understand terms or conditions or takes unreasonable advantages.

   6. CFPB - Part of the Federal Reserve

   7. Head of CFPB - President Appointed/Senate Approval

8.5 Required Disclosure Under Anti-Money-Laundering Laws

1. Goal

   1. The fundamental goal of AML laws is to “follow the money.”

   2. The idea of thorough record keeping is that it will help detect illegal activity, and provide evidence for proving illegality.

2. The Bank Secrecy Act (BSA) of 1970

   1. Authorizes US Treasury secretary to issue regulations that:

      1. Impose extensive record-keeping

      2. Reporting requirements on financial institutions.

         1. They must keep records and file reports on certain financial transactions, including currency transactions in excess of $10,000, which may be relevant to criminal, tax, or regulatory proceedings.

      3. Regulates certain wire transfers, including fund transfers and transmittals of funds by financial institutions.

      4. Record Retention Requirements - more than $10k

      5. Suspicious Activity Reports – must file SAR that can alert government agencies to potential suspicious transactions.

3. The International Money-Laundering Abatement and Anti-Terrorist Financing Act of 2001

   1. Expanded the reach of BSA and made other significant changes to US anti money laundering laws.

   2. Part of US Patriot act

8.6 Online Banking and Mobile Banking

1. Measures to address online and banking

   1. Financial institutions

      1. Careful use of software

      2. Education of consumer

   2. Consumers

      1. Proper browser selection

      2. Proper use of patching

8.7 Conclusion