March 31, 2000

The Proposed Rules to Protect the Privacy of Consumer Financial Information

  • Jay Cochran

Rulemaking:

Privacy of Consumer Financial Information

Stated Purpose:

"This rule proposes to implement notice requirements and restrictions on a financial institution’s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties."

Summary of RSP Comment:

On February 22, 2000, the Office of the Comptroller of the Currency (OCC), in conjunction with the Federal Reserve Board (FRB), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS), proposed regulations to:

. . . implement notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about consumers to nonaffiliated third parties.

The authority for this proposed rulemaking comes from Title V of the Gramm-Leach-Bliley ("GLB") Act. Under the Act, Congress expressed its policy "that each financial institution has an affirmative and continuing obligation to protect the security and confidentiality of [its] customers' nonpublic personal information." The law contains four major requirements:

  1. All covered institutions must establish appropriate administrative, technical, and physical safeguards to protect customer records and information.
  2. Institutions must clearly and conspicuously disclose their privacy policies and practices to consumers in writing or electronic form.
  3. Consumers must be given the opportunity to "opt out" of any disclosures to nonaffiliated third parties before such disclosures take place.
  4. Any nonaffiliated third party receiving nonpublic personal information may not subsequently reuse or re-disclose such information unless such disclosure would be lawful if performed by the original financial institution.

The law allows a number of exceptions to the general requirements. Key exceptions include disclosures necessary to carry out transactions on a customer's behalf, disclosures for law enforcement purposes, disclosures in connection with business combinations or mergers, and disclosures for auditing and insurance rating purposes.

The agencies' proposed regulations closely follow the requirements of the law. In particular, institutions covered by the rule may not disclose nonpublic information about a consumer to nonaffiliated third parties unless the institution satisfies disclosure and opt-out requirements, and the consumer has not opted out of disclosure.