Search Penny Hill Press

Wednesday, January 25, 2012

Privacy Protection for Customer Financial Information


M. Maureen Murphy
Legislative Attorney

Implementation of P.L. 111-203, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank), may prompt legislative committees to review the federal regime that addresses how financial institutions protect confidential customer information. The major federal statutes which specify conditions under which customer financial information may be shared by financial institutions are Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA, P.L. 106-102) and the Fair Credit Reporting Act (FCRA). The Consumer Financial Protection Act of 2010 (CFPA), Title X of Dodd-Frank, transfers much of the federal agency rulemaking and enforcement authority under these statutes to the newly created Consumer Financial Protection Bureau (CFPB). Originally, rulemaking and enforcement power was distributed among the federal banking and security regulators, the Federal Trade Commission (FTC), and state insurance regulators. Possible topics for congressional oversight include (1) the transition of power from the financial institution prudential regulators and the FTC to the CFPB; (2) the interaction between the federal regulators and state enforcement efforts; and (3) the CFPB’s success at issuing rules that adequately protect consumers without unreasonably increasing the regulatory burden on financial institutions.

GLBA prohibits financial institutions from sharing nonpublic personally identifiable customer information with non-affiliated third parties without providing customers an opportunity to opt out and mandates various privacy policy notices. It requires financial institutions to safeguard the security and confidentiality of customer information. FCRA regulates the credit reporting industry by prescribing standards that address information collected by businesses that provide data used to determine eligibility of consumers for credit, insurance, or employment and limits purposes for which such information may be disseminated. One of its provisions, which became permanent with the enactment of P.L. 108-159, permits affiliated companies to share non-public personal information with one another provided the customer does not choose to opt out.

CFPA alters the regulatory landscape for these laws. The newly created CFPB has responsibility for issuing rules under these privacy provisions. It has primary enforcement authority over nondepository institutions (subject to certain exceptions) and over depository institutions with more than $10 billion in assets. For depository institutions with assets of $10 billion or less, the CFPB’s rules apply but enforcement authority remains with the banking regulators, subject to certain prerogatives of the CFPB.

In the 112th Congress, there is at least one measure, H.R. 653, that is aimed at amending GLBA’s privacy provisions. There are also several general financial privacy or data breach bills that include proposals to provide safe harbors for entities subject to GLBA rules. Among the latter are H.R. 1707, H.R. 1841, H.R. 2577, S. 1151, S. 1207, S. 1408, and S. 1535, three of which, S. 1151, S. 1408, and S. 1535, were reported by the Senate Committee on the Judiciary during the first session of the 112th Congress.

This report will be updated to reflect action on major legislation. For further information, see CRS Report R41338, The Dodd-Frank Wall Street Reform and Consumer Protection Act: Title X, The Consumer Financial Protection Bureau, by David H. Carpenter; CRS Report R41839, Limitations on the Secretary of the Treasury’s Authority to Exercise the Powers of the Bureau of Consumer Financial Protection, by David H. Carpenter; and, CRS Report RL31666, Fair Credit Reporting Act: Rights and Responsibilities, by Margaret Mikyung Lee.



Date of Report: January 12, 2012
Number of Pages: 10
Order Number: RS20185
Price: $29.95

Follow us on TWITTER at
http://www.twitter.com/alertsPHP or #CRSreports

Document available via e-mail as a pdf file or in paper form.
To order, e-mail Penny Hill Press or call us at 301-253-0881. Provide a Visa, MasterCard, American Express, or Discover card number, expiration date, and name on the card. Indicate whether you want e-mail or postal delivery. Phone orders are preferred and receive priority processing.