Consumer Compliance Outlook: Third Issue 2021

Overview of Federal Consumer Privacy and Security Laws for Financial Services

By Kenneth Benton, Principal Consumer Regulations Specialist, Federal Reserve Bank of Philadelphia

A recent Pew Research Center survey found that 79 percent of consumers are concerned about how companies use their personal data.1 This concern is heightened as identity theft and large data breaches have proliferated in recent years. For example, the 2017 Equifax breach affected 147 million people and involved personal financial information that could be used for identity theft, including a Social Security number (SSN).2

To protect consumers’ privacy interests, several federal laws and regulations restrict the ways in which financial institutions can obtain and use information about their customers. This article provides an overview of certain financial services-related privacy and security requirements, including recent legislation and regulatory amendments.


The GrammLeachBliley Act (GLBA) requires financial institutions to provide consumers with a privacy notice disclosing that a consumer’s nonpublic personal information (NPI) is shared with nonaffiliated third parties, describing the consumer’s ability to opt out of sharing practices in certain circumstances, and explaining how to exercise their right to opt out.3 The Consumer Financial Protection Bureau’s (Bureau) Regulation P, 12 C.F.R. Part 1016, implements the GLBA privacy provisions. Regulation P defines NPI as personally identifiable financial information and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.4

Initial Notice

A financial institution must issue its GLBA privacy notice when it first establishes a customer relationship. This notice is provided annually thereafter, subject to an exception under the 2015 Fixing America’s Surface Transportation (FAST) Act discussed next.5 An institution generally must also issue a notice to its consumer customers before disclosing any NPI about them to any nonaffiliated third party6 and disclose the right to opt out of information sharing in the privacy notices.7 Certain exceptions apply, such as sharing information with nonaffiliated third parties to perform services or to conduct joint marketing, provided other requirements are satisfied.8

Each of these notices must provide information about the NPI the institution collects and discloses.9 This requirement applies to the information of both current and former customers.10 Model forms are available in the appendix to Regulation P.

Effect of Change in Privacy Practices

The regulation also addresses a financial institution’s obligations if it changes its privacy practices to disclose:

For these changes, the institution cannot disclose the NPI unless it provides a revised privacy notice and opt-out opportunities.12 An exception applies if a new nonaffiliated third party was adequately described in the prior notice.13

Privacy word map

FAST Act Amendment to GLBA’s Annual Privacy Notice Requirements

Financial institutions expressed concern that providing the annual privacy notice to existing customers was burdensome and unnecessary if their privacy practices had not changed since the notice was last provided.14 In 2015, Congress addressed this issue by amending the GLBA in the FAST Act15 to eliminate the annual privacy notice requirement if a financial institution satisfies the following two conditions:

Because the statutory amendment was self-effectuating, it became effective on December 4, 2015, the date the law was enacted. In August 2018, the Bureau issued a final rule to amend Regulation P to conform to the FAST Act amendment.17

The rule also addresses the related issue of an institution’s obligations when it changes its privacy policy in a way that it no longer qualifies for the exception. The timing requirements to resume providing a privacy notice, and its contents, depend on the reason an institution no longer qualifies for the exception.18


Several provisions of the Fair Credit Reporting Act (FCRA) affecting consumer privacy and security are discussed next.

FCRA §624 Affiliate Marketing Requirements

Similar to the GLBA, the FCRA, as implemented by Regulation V, restricts an institution’s ability to use certain consumer information with an affiliate. Generally, under §624, a person who receives consumer eligibility information from an affiliate may not use the information to solicit the consumer unless it is clearly and conspicuously disclosed to the consumer that the information may be communicated among the affiliates for purposes of making such solicitations, the consumer is provided an opportunity to opt out, and the consumer does not opt out. The provisions do not apply when the institution has a preexisting business relationship19 with a consumer and in other specified circumstances.20 Regulation V provides model notices in Appendix C to 12 C.F.R. Part 1022.

The regulation provides this example to illustrate §624’s requirements:

A consumer has a homeowner’s insurance policy with an insurance company. The insurance company furnishes eligibility information about the consumer to its affiliated creditor. Based on that eligibility information, the creditor wants to make a solicitation to the consumer about its home equity loan products. The creditor does not have a preexisting business relationship with the consumer and none of the other exceptions apply. The creditor is prohibited from using eligibility information received from its insurance affiliate to make solicitations to the consumer about its home equity loan products unless the consumer is given a notice and opportunity to opt out and the consumer does not opt out.21

If a consumer elects to opt out, the election must be effective for at least five years, unless the consumer revokes it.22 After it expires, the solicitation restriction still applies unless the consumer has been provided an opt-out renewal notice, a reasonable period to renew, and does not renew.23


Combined Opt-out Notice

As previously discussed, both the GLBA and the FCRA require institutions to provide consumers with opt-out notices of information sharing or use in certain circumstances. To reduce regulatory burden, Regulation V permits an institution to combine the required opt-notices for both laws into a single privacy notice.24

Effect of FCRA Requirements on the Exception to an Annual Privacy Notice

In the preamble to the 2018 final rule, the Bureau clarified that GLBA §503(f)(1) does not preclude financial institutions that provide NPI in accordance with FCRA §603(d)(2)(A)(iii) or §624 from qualifying for the annual privacy notice exception.25


The FCRA permits an institution to obtain consumer reports without consumers’ permission using specified criteria (e.g., all consumers in Pennsylvania with credit scores of 750 or higher) for purposes of soliciting credit or insurance if the solicitation satisfies the requirements of a firm offer of credit or insurance. The FCRA defines this term as “any offer of credit or insurance to a consumer that will be honored if the consumer is determined, based on information in a consumer report on the consumer, to meet the specific criteria used to select the consumer for the offer,” except that the offer may be further conditioned based on specified criteria.26

Because these consumer reports can be obtained without a consumer’s permission, the FCRA requires clear and conspicuous disclosure of the following information in the solicitation:27

Model forms are available in Appendix D to Regulation V.


GLBA Exception for Reporting Suspected Elder Abuse

Several federal agencies issued the “Interagency Guidance on Privacy Laws and

Reporting Financial Abuse of Older Adults” in 2013 to clarify when financial institutions could report suspected elder abuse to appropriate local, state, or federal agencies, which the Federal Reserve discussed in CA letter 13-14. The guidance cited four exceptions to the GLBA notice and opt-out requirements that could permit disclosing NPI for the purpose of reporting suspected elder financial abuse without violating the GLBA28 and notes that “generally” disclosing nonpublic personal information to local, state, or federal agencies for the purpose of reporting suspected elder financial abuse will fall within at least one of the exemptions outlined in the GLBA.29

The following four exceptions could apply to suspected elder abuse:

The interagency guidance further clarifies that disclosing NPI for the purpose of reporting suspected financial abuse is permissible under the fraud exemption when, for example, the financial institution is (1) reporting incidents that result in taking an older adult’s funds without actual consent or (2) reporting incidents of obtaining an older adult’s consent to sign over assets where the intent of the transaction has been misrepresented.31

Senior Safe Act

In May 2018, the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) was signed into law.32 Section 303 of the EGRRCPA (the Senior Safe Act) provides legal immunity to an individual who served as a supervisor or in a compliance or legal function for certain financial institutions and reports suspected exploitation of a senior citizen to certain agencies and law enforcement, provided the individual previously received specified training and disclosed the information in good faith and with reasonable care.33 The EGRRCPA also provides immunity to specified financial institutions by which the individuals are employed or associated, provided the individuals received the appropriate training. Outlook summarized the Senior Safe Act in Issue 1 2020.

Synthetic Identity Theft and the Social Security Verification Service

Section 215 of the EGRRCPA required the Social Security Administration (SSA) to modify or develop a database for accepting and comparing fraud protection data provided electronically by a permitted entity, which is defined as a financial institution, service provider, subsidiary, affiliate, agent, subcontractor, or assignee of a financial institution.34 The purpose of this provision was to reduce the prevalence of synthetic identity fraud, which disproportionally affects vulnerable populations, such as minors and recent immigrants. In response, the SSA created the Electronic Consent Based Social Security Number Verification (eCBSV) service.35 With the written consent of the Social Security number holder, the system allows permitted entities to verify if the holder’s name, date of birth, and number match the SSA’s records. The eCBSV returns a match verification of yes or no. If the database shows the SSN holder is deceased, the system returns a death indicator. The SSA began an initial rollout in 2019 with 10 permitted entities. In July 2021, the SSA expanded the rollout. Additional information is available on the eCBSV website.36

Interagency Guidance on GLBA Security and Customer Notification Requirements

Section 501(b) of the GLBA37 directed the prudential banking agencies to establish standards for financial institutions they regulate relating to safeguards to (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. In response to this directive, the agencies issued the “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” which they subsequently renamed the “Interagency Guidelines Establishing Information Security Standards.”38 The guidance addresses when a security incident requires an institution to notify its customers and the notice requirements.

Under the guidance, when an institution learns of an incident of unauthorized access to sensitive customer information, it should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If misuse of that information has occurred or is reasonably possible, the institution should notify the affected customers. The guidance defines sensitive customer information as name, address, or telephone number in conjunction with 'the customer’s Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password allowing access to the customer’s account. The term also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.39

If the institution can identify only the customers whose information was misused or it is reasonably possible could be misused, it may limit notice to just those customers. However, if the institution is unable to identify the specific customers whose information has been accessed, and misuse of the information is reasonably possible, it should notify all customers in the group.

A notice should be provided in a clear and conspicuous manner and provide the following information:

Finally, the guidance states that notices should be delivered in any manner designed to ensure a customer can reasonably be expected to receive it.40 This can include, for example, by telephone or mail, or by email for customers with valid email address and who have agreed to receive communications electronically.

Right to Financial Privacy Act

Congress enacted the Right to Financial Privacy Act (RFPA) in 197841 to protect the privacy of customers’ financial records by limiting the circumstances in which government agencies can access these records. In addition to establishing procedures that federal government authorities must follow when requesting a customer’s financial records,42 the RFPA also imposes requirements on financial institutions before they may release this information.43

Before the RFPA was enacted, bank customers were not informed when their financial records were disclosed to a government authority. In United States v. Miller, 425 U.S. 435 (1976), the Supreme Court held that a bank customer could not limit government access to his financial records because they were considered business records of the bank and not the private property of the individual. Congress passed the RFPA in response to the Miller decision.44

The RFPA stipulates that a government authority cannot access a consumer’s financial records from a financial institution unless it is obtained in accordance with one of the following:45

The RFPA also generally requires that the requesting government authority provide the customer with a copy of the request on or before the date the request is made to the financial institution. The notice must include a description of the procedures that the customer should follow if he or she does not wish the records to be made available; specific disclosure language is provided in the RFPA.46 A financial institution is prohibited from releasing a consumer’s personal financial records unless the government authority certifies in writing that it has complied with the requirements of the RFPA.47


In the age of digital banking, proliferating data breaches, and consumer concerns about the privacy of their information, it is important that financial institutions comply with federal laws and regulations designed to protect the privacy and security of a consumer’s data. Specific issues or questions should be discussed with your primary regulator.


