Who is Covered by the Privacy Rule in the Gramm-Leach-Bliley Act?
There are two ways that the Privacy Rule might cover you. First, if you are a "financial institution," you are covered. Parts I and II of this guide describe your obligations if you collect "nonpublic personal information" from your "customers" or "consumers" and define these terms. Second, if you receive "nonpublic personal information" from a financial institution with which you are not affiliated, you may be limited in your use of that information. Part III of this guide discusses your obligations as a recipient of such protected information.
Are you a "financial institution"?
The Privacy Rule applies to businesses that are "significantly engaged" in "financial activities" as described in section 4(k) of the Bank Holding Company Act. Your activities determine whether you are a "financial institution" under the Privacy Rule. According to the Bank Holding Company Act provision and regulations established by the Federal Reserve Board, "financial activities" include:
- lending, exchanging, transferring, investing for others, or safeguarding money or securities. These activities cover services offered by lenders, check cashers, wire transfer services, and sellers of money orders.
- providing financial, investment or economic advisory services. These activities cover services offered by credit counselors, financial planners, tax preparers, accountants, and investment advisors.
- brokering loans.
- servicing loans.
- debt collecting.
- providing real estate settlement services.
- career counseling (of individuals seeking employment in the financial services industry).
These examples are taken from the section 4(k) provisions and regulations on financial activities.
Under the Privacy Rule, only an institution that is "significantly engaged" in financial activities is considered a financial institution. You need to take into account all the facts and circumstances of your financial activities to determine if you are "significantly engaged" in such activities. The FTC's "significantly engaged" standard is intended to exclude certain activities that might otherwise fall under the Privacy Rule. Two factors are particularly important in determining whether you are "significantly engaged" in a financial activity. First, is there a formal arrangement? A storeowner or bartender who "runs a tab" for customers is not considered to be significantly engaged in financial activities, but a retailer that offers credit directly to consumers by issuing its own credit card would be covered. Second, how often does the business engage in a financial activity? A retailer that lets some consumers make payments through an occasional lay-away plan is not "significantly engaged" in a financial activity. In contrast, a business that regularly wires money to and from consumers is significantly engaged in a financial activity.
Do you have consumers or customers?
If you are a financial institution, your obligations depend on whether your clients are "customers" or "consumers." In brief, the Privacy Rule requires you to give notice to all of your "customers" about your privacy practices, and, if you share their information in certain ways, to your "consumers" as well.
Under the Rule, a "consumer" is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person's legal representative. The term "consumer" does not apply to commercial clients, like sole proprietorships. Therefore, where your client is not an individual, or is an individual seeking your product or service for a business purpose, the Privacy Rule does not apply to you.
Examples of "consumer" relationships:
- cashing a check with a check-cashing company
- making a wire transfer
- applying for a loan, whether or not you actually obtain the loan
"Customers" are a subclass of consumers who have a continuing relationship with a financial institution. It's the nature of the relationship - not how long it lasts - that defines your customers. Even if an individual repeatedly uses your services for unrelated transactions, she may not be your "customer." For example, if an individual uses the ATM at a bank where she does not have an account, those isolated transactions, no matter how frequent, do not make her that bank's customer. She would still be a "consumer" of that bank, however.
A former customer "has obtained" a financial product or service from a financial institution but no longer has a continuing relationship with it. For purposes of your obligations under the Privacy Rule, a former customer is considered to be a consumer.
Examples of "customer" relationships:
- opening a credit card account with a financial institution
- leasing an automobile from an auto dealer
- using the services of a mortgage broker to secure financing
- obtaining the services of a tax preparer or investment adviser
- getting a loan from a mortgage lender or payday lender
A Word About Customer Relationships and Loans
A special rule defines the customer relationship when several financial institutions participate in a loan transaction. A financial institution establishes a customer relationship with an individual when it originates a loan. If the financial institution sells the loan but maintains the servicing rights, it continues to have a customer relationship with the individual. If the financial institution transfers the servicing rights but retains an ownership interest in the loan, the individual is a "consumer" of that institution and a "customer" of the institution with the servicing rights. If other institutions hold an ownership interest in the loan (but not the servicing rights), the individual is their consumer, too.
What information is covered?
The Privacy Rule protects a consumer's "nonpublic personal information" (NPI). NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available."
NPI is:
- any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
- any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
- any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).
NPI does not include information that you have a reasonable basis to believe is lawfully made "publicly available." In other words, information is not NPI when you have taken steps to determine:
- that the information is generally made lawfully available to the public; and
- that the individual can direct that it not be made public and has not done so.
For example, while telephone numbers are listed in a public telephone directory, an individual can elect to have an unlisted number. In that case, her phone number would not be "publicly available."
Publicly Available Information Includes:
- federal, state, or local government records made available to the public, such as the fact that an individual has a mortgage with a particular financial institution.
- information that is in widely distributed media like telephone books, newspapers, and websites that are available to the general public on an unrestricted basis, even if the site requires a password or fee for access.
Information in a list form may be NPI, depending on how the list is derived. For example, a list is not NPI if it is drawn entirely from publicly available information, such as a list of a lender's mortgage customers in a jurisdiction that requires that information to be publicly recorded. Also, it is not NPI if the list is taken from information that isn't related to your financial activities, for example, a list of individuals who respond to a newspaper ad promoting a non-financial product you sell.
But a list derived even partially from NPI is still considered NPI. For example, a creditor's list of its borrowers' names and phone numbers is NPI even if the creditor has a reasonable basis to believe that those phone numbers are publicly available, because the existence of the customer relationships between the borrowers and the creditor is NPI.
Putting It All Together:
Examples of Nonpublic Personal Information (in list form)
- list of a retailer's credit card customers
- list of a payday lender's customers
- list of auto loan customers merged with list of car magazine subscribers
Businesses That Receive NPI from Nonaffiliated Financial Institutions
Even if your business is not a financial institution that has consumers or customers, the Privacy Rule may limit your use of NPI. Your ability to reuse and redisclose the information may be restricted if you receive NPI from a nonaffiliated financial institution. It depends on why you receive it (see "LIMITS ON REUSE AND REDISCLOSURE OF NPI").
For more information, see here: https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacy-consumer-financial-information-rule-gramm
These materials were obtained directly from the Federal Government public websites and are posted here for your review and reference only. No Claim to Original U.S. Government Works. This may not be the most recent version. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.