Thursday, January 20, 2011

Privacy Protection for Customer Financial Information

M. Maureen Murphy
Legislative Attorney

Implementation of P.L. 111-203, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank), may prompt legislative committees to review the federal regime that addresses how financial institutions protect confidential customer information. The major federal statutes that specify conditions under which customer financial information may be shared by financial institutions are Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA, P.L. 106-102) and the Fair Credit Reporting Act (FCRA). The Consumer Financial Protection Act of 2010 (CFPA), Title X of Dodd-Frank, transfers much of the federal agency rulemaking and enforcement authority under these statutes to the newly created Consumer Financial Protection Bureau (CFPB). Originally, rulemaking and enforcement power was distributed among the federal banking and securities regulators, the Federal Trade Commission (FTC), and state insurance regulators. It is, thus, possible that Congress may wish to monitor: (1) the transition of power from the financial institution prudential regulators and the FTC to the CFPB; (2) the interaction between the federal regulators and state enforcement efforts; and (3) the CFPB’s success at issuing rules that adequately protect consumers without unreasonably increasing the regulatory burden on financial institutions.

GLBA prohibits financial institutions from sharing nonpublic personally identifiable customer information with non-affiliated third parties without providing customers an opportunity to opt out and mandates various privacy policy notices. It requires financial institutions to safeguard the security and confidentiality of customer information. FCRA regulates the credit reporting industry by prescribing standards that address information collected by businesses that provide information used to determine eligibility of consumers for credit, insurance, or employment and limits purposes for which such information may be disseminated. One of its provisions, which became permanent with the enactment of P.L. 108-159, permits affiliated companies to share nonpublic personal information with one another provided the customer does not choose to opt out.

CFPA alters the regulatory landscape for these laws. The newly created CFPB will have responsibility for issuing rules under these privacy provisions, and it will have primary enforcement authority over non-depository institutions (subject to certain exceptions) and over depository institutions with more than $10 billion in assets. Depository institutions with assets of $10 billion or less will be subject to the CFPB’s rules; the banking regulators, however, will enforce these rules, subject to certain prerogatives of the CFPB.

This report will be updated to reflect action on major legislation. For further information, see CRS Report R41338, The Dodd-Frank Wall Street Reform and Consumer Protection Act: Title X, The Consumer Financial Protection Bureau, by David H. Carpenter; CRS Report RS22374, Data Security: Federal and State Laws, by Gina Stevens; and CRS Report RL31666, Fair Credit Reporting Act: Rights and Responsibilities, by Margaret Mikyung Lee.

Date of Report: January 4, 2011
Number of Pages: 8
Order Number: RS20185
Price: $19.95
