In our Federal Law Friday series, each week we review a different Federal law that should be covered by a finance company’s policies, procedures and compliance management system. This week, we review the Gramm-Leach-Bliley Privacy Rule.
Does your finance company share consumer information? Are you giving an accurate privacy notice?
Finance companies share information for many reasons. Some hire vendors like direct mail companies. Others give referrals to affiliated companies for marketing purposes. Many share when unrelated companies call asking questions about customers. Of course, there are also finance companies that do not share at all. In each of these cases, the law requires that finance companies provide customers with a privacy notice.
The Gramm-Leach-Bliley Act (GLBA), among other things, deals with a financial institution’s treatment of consumer nonpublic personal information. Title V, Subtitle A and its implementing regulations establish the GLBA Privacy Rule, specifically requiring financial institutions to give notice of information sharing practices. And, for certain types of information sharing, consumers have the right to “opt out” of such sharing. The CFPB took over enforcement of these rules in 2011.
Key provisions of the GLBA Privacy Rule provide:
- A finance company must provide its customers with an initial privacy notice when making a loan, regardless of whether information is shared. The regulations list what needs to be in the notice. Several years ago, the Federal agencies adopted the standard Model Privacy Form as the only safe harbor for compliance. Finance companies should consider using the Model Privacy Form—consumers and regulators expect to see it.
- A privacy notice should accurately describe the information sharing practices of the company and give the right to opt out in certain circumstances. Specifically, a consumer can opt out of (i) the company sharing creditworthiness information with affiliates, (ii) the company’s affiliates using information to market to the consumer, and (iii) the company sharing with most nonaffiliated companies.
- If an opt-out notice is required, the company must give the consumer a “reasonable opportunity” (generally 30 days) to opt out before sharing.
- All customers who obtain loans must receive the privacy notice. But, if the company shares information about applicants who do not become customers, then all consumers (i.e., all applicants) may need to receive the privacy notice as well.
- In addition to the initial privacy notice, companies also need to provide an annual privacy notice for each year of the customer relationship (the initial notice counts for the first year) and a revised notice if practices change.
Finance companies should be sure that privacy notices are accurate and up-to-date. Having a good privacy notice is the law and just good form.