Financial privacy laws in the United States
Financial privacy laws regulate the manner in which financial institutions handle the nonpublic financial information of consumers. In the United States, financial privacy is regulated through laws enacted at the federal and state level. Federal regulations are primarily represented by the Bank Secrecy Act, Right to Financial Privacy Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. Provisions within other laws like the Credit and Debit Card Receipt Clarification Act of 2007 as well as the Electronic Funds Transfer Act also contribute to financial privacy in the United States. State regulations vary from state to state. While each state approaches financial privacy differently, they mostly draw from federal laws and provide more stringent outlines and definitions. Government agencies like the Consumer Financial Protection Bureau and the Federal Trade Commission provide enforcement for financial privacy regulations.
Right to Financial Privacy Act
The Right to Financial Privacy Act of 1978 (RFPA) was passed primarily in response to the Supreme Court's ruling in United States v. Miller (1976) and to supplement the Bank Secrecy Act. The act was put in place to limit the government's ability to freely access nonpublic financial records. The RFPA defines financial institutions as any institution that engages in activities regarding banking, credit cards, and consumer finance. It also defines financial records as any documentation of a consumer's relationship with a financial institution. The act requires that the U.S. government deliver a legal notice to a customer or receive consent from the customer before it can legally access that customer's financial information. Customers must also be informed that they have the ability to challenge the government when it is actively trying to access their financial information. In the event that the government successfully gains access to a customer's information, it is not allowed to transfer the information between government agencies without clarifying that the information in question is being used for law enforcement purposes. The customer must be notified immediately if these conditions are met and their information is going to be transferred between agencies.
The Right to Financial Privacy Act includes many exceptions to expedite federal investigations. Federal agencies can access any financial records if the records in question are connected to a law enforcement investigation. The act also gives any government department or agency the ability to request access to a customer's information by any of the following means:
- Grand jury subpoena
- Customer authorization giving consent
- Administrative summons
- Search warrant issued under the Federal Rules of Criminal Procedure
- Judicial subpoena
- Formal written request
Any preexisting rules regarding search warrants are applied to the exceptions. When a search warrant for a customer's financial information is issued, the government has 90 days to inform the customer of the existence of the search warrant. A consumer can give permission to the government through written approval which allows the government access for a maximum of three months. At any given time, the consumer can void the approval. If the government is given access via approval, the financial institution holding the information must document which government agencies are given access. In the event that financial records are requested using an administrative summons, a judicial subpoena, or a formal written request, the government must notify the customer of what specific records are being requested, why they are being requested, and the procedures used to access the records. Financial institutions must verify that all laws, regulations, and procedures were followed before any financial records that were requested can be handed over to federal agencies.
The RFPA was later amended to increase financial institutions' ability to help facilitate criminal investigations and prosecutions. Under the amendments, financial institutions are allowed to disclose information to the government if they believe that a regulation has been violated. If an institution decides to share a customer's financial information this way, it is only allowed to disclose information that identifies the suspect. The institution will also not be held liable for disclosing the information. The amendments also state that a court can compel a financial institution to notify a customer that their information has been subpoenaed.
Criticism has been directed at the written-approval provision. The act never specifies whether the customer is responsible for submitting the approval directly to the financial institution or whether the government is responsible only for providing proof that a written approval has been submitted to it.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) was enacted in 1999 to repeal the Glass-Steagall Act. The repeal of Glass-Steagall allowed mergers between different types of financial institutions, which enabled financial information to be disseminated more efficiently. To promote consumer privacy, the Gramm-Leach-Bliley Act included regulations to limit the ways in which companies handle and share financial data.
Protection of information is generally elaborated through three rules set out in the act:
- Financial institutions must create privacy policies, if one was not already in place, and inform customers of their policy
- Financial institutions must specifically disclose to customers the conditions in which policy exceptions would allow financial information to be distributed to unaffiliated third parties
- Financial institutions must give customers an "opt-out" option that allows them to prevent private information from being disclosed
Despite the regulations put forth by GLBA, exceptions in the act allow financial institutions to disclose financial information under certain conditions. If a financial product provided by a financial institution is owned by two or more parties, the institution is only required to notify one party. Financial institutions are also allowed to disclose information without ever notifying the customer if the information in question is used for an investigation regarding public safety.
The Safeguards Rule was implemented under GLBA by the Federal Trade Commission (FTC) to set standards that financial institutions must follow when protecting financial information. The rule requires that financial institutions create and implement a security program that is appropriate to the size of the institution's operations. The program must keep information safe from unauthorized access, unauthorized use, and threats to its safety. The security program must cover the information systems that process, store, transmit, and destroy the information. The rule also states that institutions must dedicate employees to the development, implementation, and maintenance of the security program. There must be people trained to identify and respond to any security threats or data breaches.
The Gramm-Leach-Bliley Act has been the subject of much criticism, as experts claim that the act provides weak protection due to its broad language. Without clear explanation and better-defined language, the act is open to interpretation, which will ultimately work against consumers. The privacy policies required by the act are also unhelpful, as many of the policies written by financial institutions are intentionally complex to prevent customer comprehension. There is also a lack of rules that punish financial institutions for noncompliance. Criticism has also been targeted at the opt-out rule in the act. Jeffrey M. Lacker, former president of the Federal Reserve Bank of Richmond, argues that the opt-out option, provided by banks in their policies to customers, is ineffective due to a weak marketplace for financial information. Sharing financial information is not profitable enough to motivate financial institutions to pay for customer consent, so opt-out notifications are rarely distributed. In situations where customers are notified, only an estimated 5% respond. The low response rate is evidence that consumers do not seem to care about their financial privacy. With unconcerned customers and a weak market, the opt-out option is rendered ineffective.
Fair Credit Reporting Act
The FCRA attempts to limit the dissemination of information through five main rules:
- Credit reports and investigative reports must be differentiated so that irrelevant information is not mixed in
- Reports can only be made available to those with "legitimate business needs"
- The subject of a report must be notified of any request for their information
- Agencies must give consumers access to their own files whenever they request it
- A time limit is set for the retention of information on reports. Information that is seven years or older must be deleted while information regarding bankruptcies can be removed only after fourteen years
According to the FCRA, obsolete information may not be investigated or included in reports. Information found in reports can be contested in the event that a mistake is found. The credit agency must begin an investigation, and if a mistake is proven to exist, the information must be removed immediately. If a consumer is affected by the contents of their report, the user of the report must notify the consumer so that he or she can access their file and receive an explanation of its contents from the agency. The FCRA also includes the Red Flags Rule, which was added by the Fair and Accurate Credit Transactions Act. A Change of Address Rule is also in place so that government financial agencies must verify changes of address.
The FCRA includes multiple measures to promote compliance. The act states that unauthorized access to a file or obtaining a report under false pretenses is a criminal offense. Reporting agencies and those using the reports are held liable for any noncompliance as well. The consumer is also entitled to reparations for any damages resulting from misuse of their information.
The Fair Credit Reporting Act faced criticism over the strength of its regulations as the act only limits the distribution of information instead of the collection of it. The act is also written with broad language which invites open interpretation that may lead to loopholes. Some criticism has also been directly aimed at the vagueness in defining "accuracy." In the context of the act, "accuracy" can be interpreted as a credit report that is either correct or incomplete.
Fair and Accurate Credit Transactions Act
The Fair and Accurate Credit Transactions Act (FACTA) was passed by Congress in 2003 to amend the Fair Credit Reporting Act (FCRA). The amendments ensured that any state laws with stricter regulations than those outlined in the FCRA would be enforced first. State laws regarding credit scores, credit reports, and insurance that were to remain in effect as a result of the amendments were outlined within the act. Under the act, consumers received more rights to explanations of their credit scores and the right to a free credit report each year.
The Disposal Rule
The Disposal Rule sets requirements under FACTA for how public and nonpublic entities must destroy consumer reports in order to prevent unauthorized access to nonpublic consumer information. Under the act, physical information can be disposed of by burning, pulverizing, or shredding documents. Digital information can be disposed of by erasing electronic files. Information can also be destroyed by hiring contractors. Due diligence must be performed on documents to identify consumer information before they are submitted to contractors for disposal. Any disposal of information must be done in such a way that the documents cannot be reconstructed or read.
The Red Flags Rule
Credit and Debit Card Receipt Clarification Act
The Credit and Debit Card Receipt Clarification Act was passed in 2007 as an amendment to the FCRA. The act requires that account numbers printed on receipts be shortened to five digits in order to protect consumer privacy.
Bank Secrecy Act
The Bank Secrecy Act was enacted in 1970 to deter people from hiding income in foreign financial institutions and to prevent financial institutions' common practice of photocopying items used in criminal investigations. The act gave the United States Treasury clearance to consolidate bank records so that the information can effectively serve in legal proceedings. It also set a requirement for financial institutions to maintain consumer records, especially those with international transactions. Financial institutions are required to hold records for six years and are obligated to report any suspicious transactions.
Fair Debt Collection Practices Act
The Fair Debt Collection Practices Act (FDCPA) was passed in 1978 to give consumers rights and the ability to maintain accurate information when dealing with debt collection. Under the act, any consumer information regarding debt is protected. Requirements were set to outline the ways in which debt collectors are allowed to interact with a consumer when pursuing payment. Under the FDCPA, collectors are not allowed to publish a consumer's name and address on a bad-debt list or reveal any information regarding the debt to unaffiliated third parties other than the consumer's partner or attorney. If the collector is attempting to inquire about the whereabouts of the consumer, then they can disclose debt information only to neighbors and coworkers. Collectors are also not allowed to disclose fraudulent information to credit reporting agencies in an attempt to collect the debt.
Electronic Funds Transfer Act
The Electronic Funds Transfer Act was passed by Congress in 1978 to regulate the then-growing use of electronic funds transfers. The act implemented requirements so that banks have to notify their customers of any policies regarding electronic transfer of funds. A model statement is even included in the act in order to regulate the language in which policies are presented to consumers. Banks are also held liable in the event that information is disclosed by telephone without consent. Banks are also held responsible for any damages that result from unauthorized access to a consumer's information.
Dodd-Frank Wall Street Reform and Consumer Protection Act
The Dodd-Frank Wall Street Reform and Consumer Protection Act was enacted in 2010 to bring about reforms to the financial system after the 2008 financial crisis and to establish the Consumer Financial Protection Bureau.
California Consumer Privacy Act
The California Consumer Privacy Act was passed in 2018 to protect any and all California residents' nonpublic information.
The act sets requirements that regulate and attempt to limit the sale of personal information. However, companies can justify their sale of information through contracts with business partners. Those contracts are taken into consideration when a company is reviewed for compliance with the act.
If a company is unable to comply with provisions regarding the sale of information without disrupting their business, then they must receive consent through the opt-in option from minors under 16 years old or parental consent if the minor is under 13 years old. Companies must also give all other consumers the ability to opt-out of any disclosure of information through a webpage link that clearly and specifically says "Do Not Sell My Personal Information." In the event that a consumer does opt out, the company cannot approach the consumer with the option to opt in again until a year has passed since the consumer opted out.
Under the act, companies must notify consumers of their new rights regarding data access, disposal, and portability. The company must also provide a way for consumers to exercise their new rights and a way to verify any consumer requests to exercise their rights. Privacy policies must also be updated to reflect newly required information disclosures.
Companies can deny a consumer's request to erase personal information under 9 conditions:
- The information is needed to complete a transaction
- The information is needed to identify and protect from fraudulent activity as well as prosecute those responsible for such attacks
- The information is needed to identify and fix problems with functionality
- The information is needed to exercise free speech
- The information is needed to stay compliant with the California Communications Privacy Act
- The information is needed to conduct statistical research of public interest
- The information is needed to meet obligations with the consumer in question
- The information is needed to meet legal obligations
- The information is needed to meet the requirements in which the consumer initially provided the information
The act also regulates employer-employee relationships regarding personal information. Under the act, employers must provide a way for their employees to exercise the rights outlined in the act. Employees also have the ability to opt out of any sale of their information. A clear link that specifically says "Do Not Sell My Personal Information" must also be provided to employees on the employer's website to help facilitate any opt-out requests. Under the act, employees can request the disclosure of certain categories of information. If employers plan to collect information concerning their employees, they must notify their employees of what information is collected, why it is collected, and under what conditions the information will be used. If the employers gather additional data, another notification must be sent to employees with the same details. Employees have the ability to request that their employers erase their information. However, employers also have the right to deny the request if maintaining the information is necessary to meet certain obligations. Employees must also be notified if their employers are selling their information under the California Civil Code's definition of "business purposes."
Companies that conduct business with California consumers must comply with the act if the company satisfies one of the three conditions stated under the act:
- If the company has annual gross revenues of $25 million or more
- If the company holds personal information of 50,000 or more California residents, households, or devices
- If the company generates greater than or equal to 50% of their revenue by selling California residents' information
Companies that are not physically located within California and conduct all of their business outside of the state may be exempt from the act. However, if such companies enter California or begin engaging in transactions with California residents online, then they would be expected to comply with the act.
California Privacy Act
The California Privacy Act is a state level privacy act that provides protection of consumer information. The act is described as a stricter version of the Gramm-Leach-Bliley Act. The California Privacy Act provides narrower definitions of some language found in the Gramm-Leach-Bliley Act. For example, financial institutions that are regulated under the act only include institutions that are "significantly engaged in financial activities." The act also provides an opt-in rule instead of opt-out which allows consumers more control over the situations in which financial institutions can handle information without consent. Financial information is also required to stay within one financial entity which means other institutions are not allowed access based on affiliation.
Punishment is also outlined in the act to deal with any institution that fails to comply. Violations to the act may result in a maximum penalty of $500,000. However, the fine can double in situations concerning identity theft.
Despite providing more stringent rules, the act also includes exceptions. Those who entered into contracts before the act was passed may still have their information shared if they do not manually opt out. Institutions that share the same regulator are allowed to exchange consumer information without notifying the customer. Customers also do not need to be notified that their information has been given out if the information is used for any legal proceedings.
California Consumer Credit Reporting Agencies Act
The California Consumer Credit Reporting Agencies Act (CCCRA) was passed in 1975 as the state's version of the federal Fair Credit Reporting Act. The act regulates consumer credit reporting agencies as well as any users of credit reports. The act also provides a narrower definition of "consumer credit report", as any information that falls within a credit report is protected by the act.
The CCCRA allows consumers to request a copy of their credit file with a thorough explanation of any codes used, their credit score with related information, records of any third-party requests made for the consumer's file, and the identifying information of any third party that has received the consumer's file. Any information requested by the consumer must be made available in person, by mail, or by phone, with a trained person able to provide a comprehensive explanation of the information. Credit reports can be disclosed to third parties without notifying the consumer if the information is related to the party requesting it, if it is to comply with a court order, or if the requesting party has a legitimate use for the information.
Right to Financial Privacy Act
California passed its own Right to Financial Privacy Act in 1976, two years before the federal government passed an act of the same name. The act regulates the state government agencies' ability to access nonpublic consumer information. As a result of the act, California's government agencies are not authorized to access financial records unless the consumer gives consent or a subpoena or search warrant is issued for the information.
As long as government agencies show proof of customer consent, a subpoena, or a search warrant, financial institutions are obligated to disclose the requested financial information. With proof, financial institutions do not have to verify that all laws were followed before handing over information.
Song-Beverly Credit Card Act
The Song-Beverly Credit Card Act was passed in 1971 to protect consumer information in credit card transactions. Under the act, companies may not collect personally identifiable information from consumers who purchase goods or services using credit cards. Companies cannot set conditions under which consumers must consent to sharing their information in order to use their credit cards for a transaction. However, consumer information can be requested in order to complete a credit card transaction as long as the information is never recorded. The act also set a redundant state-level requirement that companies must shorten a consumer's credit and debit card information on receipts.
There are exceptions to the act, as companies are still able to collect information from consumers who pay using a debit card or cash. Under the act, companies can still collect consumer data if a credit card is being used to collect money in situations such as damages and defaults. In the event of a consumer return or refund, companies are allowed to collect information to protect against fraud. Gas stations are also allowed to collect only a consumer's zip code to protect themselves from fraud.
Regulation B-2018-01: Privacy of Consumer Financial and Health Information
Regulation B-2018-01: Privacy of Consumer Financial and Health Information was passed in Vermont to protect privacy of financial information. Financial privacy is defined by the first four articles in the regulation.
The first article in the regulation is used to define what the regulation covers in general. As stated in the article, the purpose of the regulation is to regulate the handling of any private information connected to financial institutions.
The regulation defines financial institutions through nine conditions:
- Financial institutions defined by the Vermont statutes
- Licensed or registered individuals engaging in financial activities defined by the Bank Holding Company Act of 1956
- Mortgage brokers, mortgage loan originators, lenders, and sales finance companies
- Independent trust companies
- Money service providers
- Debt adjusters
- Loan service providers
- Foreign financial institutions
- Subsidiaries of any of the above
- Privacy notifications must include the nine points of information outlined by the regulation:
  - What information the financial institution collects
  - What information the financial institution chooses to share
  - The categories into which the affiliated and nonaffiliated parties that the financial institution discloses information to fall
  - The categories of information regarding former customers that the financial institution has shared, and the parties with which the information has been shared
  - Whether a financial institution has shared information with a nonaffiliated third party under an exception
  - An outline of the methods by which a customer can exercise their right to opt in
  - Whether any private financial information has been shared under the Fair Credit Reporting Act, federal implementing regulations, or the Vermont Fair Credit Reporting Act
  - The financial institution's policies regarding protecting consumer financial information
  - Whether any information has been shared using exceptions authorized under the regulation
- Notifications must be delivered to customers in writing unless the customer has consented to receiving the notifications electronically
- Consumers have the ability to partially opt in, which means that they can pick and choose what information they give the financial institution consent to share
- If a financial institution receives information from another, unaffiliated party, the institution is allowed to re-disclose the information if it is to parties affiliated with the unaffiliated party it received the information from, if it is to its own affiliated parties, or if it receives permission from the consumer
- Unless the financial institution is disclosing information to a consumer reporting agency, the institution is not allowed to share account information with parties that would use the information for marketing purposes
- Financial institutions can share their customers' financial information with unaffiliated third parties if the third parties are using the information to carry out services for the institution or if the third parties are acting on behalf of the institution
- Financial institutions can disclose a customer's information if it is in the interest of enforcing a transaction that the customer authorized or is connected to
Consumer Financial Protection Bureau (CFPB)
The Consumer Financial Protection Bureau is an independent regulatory agency within the United States Federal Reserve. The CFPB promotes fair practice by regulating consumer interactions with financial institutions. It has complete authority over institutions that do not hold consumer deposits. For institutions that hold consumer deposits with $10 million or less in assets, the CFPB only has rule making authority, as authority over enforcement remains with other financial regulators. As part of its enforcement powers, the CFPB can initiate investigations, issue subpoenas, hold hearings, and hand out fines of over a million dollars for violations. The bureau also has the ability to enforce and make rules regarding any existing federal financial privacy laws.
Federal Trade Commission (FTC)
The Federal Trade Commission is an independent regulatory agency responsible for protecting consumers and competition. In 1995, the FTC became involved in privacy regulation. At the beginning, the agency promoted self-regulation, encouraging companies to produce their own privacy policies, which the FTC would help enforce. The FTC believed that simply backing companies' policies would help legitimize them and give them credibility and importance in the eyes of consumers. However, as privacy became an increasingly prevalent problem, the FTC evolved into the de facto authority over consumer privacy. Although it was never explicitly stated that the FTC would have power over consumer privacy regulation, Congress gave the FTC more and more responsibilities beginning in the late 1990s. Settlements that the agency reached also came to be regarded as de facto common law. Eventually the FTC gained the general power to create privacy regulations and implement protections against fraudulent activities.
The FTC deals with noncompliance through civil litigation, criminal litigation, and administrative enforcement actions. Enforcement actions begin with complaints or claims against a company. The FTC has the power to conduct investigations and can issue subpoenas as well as compel companies to provide reports under oath. The agency also has the power to issue fines for violations. The FTC only uses its full enforcement powers if the violations it discovers are considered major. For most minor violations, the FTC will likely help companies identify and fix any problems contributing to noncompliance.
See also
- Background check
- Bank regulation in the United States
- Bank secrecy
- Credit rating agency
- Customer Identification Program
- Consumer protection
- Electronic funds transfer
- Financial regulation
- FTC fair information practice
- FTC regulation of behavioral advertising
- Identity theft in the United States
- Information broker
- Know your customer
- Privacy law
- Privacy laws of the United States
- Tenant screening
References
- Doheny Sr., Donald A.; Forrer, John Graydon (1992). "Electronic Access to Account Information and Financial Privacy". Banking Law Journal. 109: 436–455.
- Green, Mary Catherine (1989). "The Bank Secrecy Act and the Common Law: In Search of Financial Privacy". Arizona Journal of International and Comparative Law. 7: 261–286.
- Kirschner, Nancy M. (1979). "The Right to Financial Privacy Act of 1978 - The Congressional Response to United States v. Miller: A Procedural Right to Challenge Government Access to Financial Records". University of Michigan Journal of Law Reform. 13: 10–52.
- Jones, Sarah Elizabeth (1988). "Right to Financial Privacy: Emerging Standards of Bank Compliance". Banking Law Journal. 105: 37–51.
- Hickerson, Kristina (2001). "Consumer Privacy Protection: A Call for Reform in an Era of Financial Services Modernization". Administrative Law Review. 53: 781–801.
- Cuaresma, Jolina (2002). "The Gramm-Leach-Bliley Act". Berkeley Technology Law Journal. 17: 497–517.
- Benoit, Michael A.; Munro, Nicole (2001). "Recent federal privacy initiatives affecting the electronic delivery of financial services". The Business Lawyer. 56: 1143–1156.
- "eCFR — Code of Federal Regulations". www.ecfr.gov. Retrieved 2018-11-01.
- Lacker, Jeffrey M. (2002). "The economics of financial privacy: To opt out or opt in?". Economic Quarterly - Federal Reserve Bank of Richmond. 88: 1–16.
- "The Fair Credit Reporting Act: Are Business Credit Reports Regulated?". Duke Law Journal. 6: 1229–1251. 1972.
- Garon, Lenore Cooper (1972). "Protecting privacy in credit reporting". Stanford Law Review. 24: 550–567. doi:10.2307/1227952. JSTOR 1227952.
- Swire, Peter; Kennedy-Mayo, DeBrae (2018). U.S. Private-Sector Privacy. Portsmouth, NH: International Association of Privacy Professionals (IAPP). ISBN 978-0-9983223-6-0.
- McCorkell, Peter L. (2009). "Fair Credit Reporting Act Update-2008". The Business Lawyer. 64: 579–792.
- Vanderwoude, Neil (2009). "The Fair Credit Reporting Act: Fair for Consumers, Fair for Credit Reporting Agencies". Southwestern Law Review. 39: 395–412.
- Mahoney, Tim (2008-06-03). "H.R.4008 - 110th Congress (2007-2008): Credit and Debit Card Receipt Clarification Act of 2007". www.congress.gov. Retrieved 2018-11-08.
- Determan, Lothar (2018). California Privacy Law: Practical Guide and Commentary, U.S. Federal and California Law. Portsmouth, NH: International Association of Privacy Professionals (IAPP). ISBN 978-0-9983223-8-4.
- Determan, Lothar (2018). California Privacy Law: Supplement to 3rd Edition. Portsmouth, NH: International Association of Privacy Professionals (IAPP).
- Huber, Elizabeth A.; Lovoy, Elena A. (2004). "Update on State Consumer Financial Privacy Legislation and Regulation". The Business Lawyer. 59: 1227–1240.
- "Regulation B-2018-01 Privacy of Consumer Financial and Health Information Regulation" (PDF). Vermont Department of Financial Regulation. March 15, 2018. Retrieved October 31, 2018.
- "What We Do". Federal Trade Commission. 2013-06-07. Retrieved 2018-11-08.
- Solove, Daniel J.; Hartzog, Woodrow (2014). "The FTC and the New Common Law of Privacy". Columbia Law Review. 114: 583–676.