Search Penny Hill Press

Friday, February 15, 2013

Privacy Protection for Customer Financial Information

M. Maureen Murphy
Legislative Attorney

One effect of recent litigation challenging President Obama’s recess appointments, including that of Richard Cordray as Director of the Consumer Financial Protection Bureau (CFPB), is increased congressional focus on that agency, including how it discharges its regulatory and enforcement authority over financial institutions under P.L. 111-203, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). This would include its role in issuing regulations and taking enforcement actions under the two major federal statutes which specify conditions under which customer financial information may be shared by financial institutions: Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA, P.L. 106-102) and the Fair Credit Reporting Act (FCRA). Possible topics for congressional oversight in the 113th Congress include (1) the transition of power from the financial institution prudential regulators and the Federal Trade Commission to the CFPB; (2) CFPB’s interaction with other federal regulators and coordination with state enforcement efforts; and (3) the CFPB’s success at issuing rules that adequately protect consumers without unreasonably increasing the regulatory burden on financial institutions.

GLBA prohibits financial institutions from sharing nonpublic personally identifiable customer information with non-affiliated third parties without providing customers an opportunity to opt out and mandates various privacy policy notices. It requires financial institutions to safeguard the security and confidentiality of customer information. FCRA regulates the credit reporting industry by prescribing standards that address information collected by businesses that provide data used to determine eligibility of consumers for credit, insurance, or employment and limits purposes for which such information may be disseminated. One of its provisions, which became permanent with the enactment of P.L. 108-159, permits affiliated companies to share non-public personal information with one another provided the customer does not choose to opt out. The creation of CFPB alters the regulatory landscape for these laws. It has primary enforcement authority over non-depository institutions (subject to certain exceptions) and over depository institutions with more than $10 billion in assets. For depository institutions with assets of $10 billion or less, the CFPB’s rules apply but enforcement authority remains with the banking regulators, subject to certain prerogatives of the CFPB.

The 112
th Congress considered but did not enact any legislation modifying the GLBA privacy regime. Other legislative proposals included at least one measure aimed at amending GLBA’s privacy provisions and three general financial privacy or data breach bills, reported by the Senate Committee on the Judiciary, that included proposals to provide safe harbors for entities subject to GLBA rules

For further information, see CRS Report R41338, The Dodd-Frank Wall Street Reform and Consumer Protection Act: Title X, The Consumer Financial Protection Bureau, by David H. Carpenter; CRS Report R41839, Limitations on the Secretary of the Treasury’s Authority to Exercise the Powers of the Bureau of Consumer Financial Protection, by David H. Carpenter; and, CRS Report RL31666, Fair Credit Reporting Act: Rights and Responsibilities, by Margaret Mikyung Lee.

Date of Report: February 4, 2013
Number of Pages: 11
Order Number: RS20185
Price: $29.95

To Order:

RS20185.pdf  to use the SECURE SHOPPING CART


Phone 301-253-0881

For email and phone orders, provide a Visa, MasterCard, American Express, or Discover card number, expiration date, and name on the card. Indicate whether you want e-mail or postal delivery. Phone orders are preferred and receive priority processing.