Regulators Shine a Light on New Consumer Privacy Rules

Saturday, January 1, 2000

On May 10, 2000, the federal financial institution regulatory agencies issued final regulations implementing the consumer privacy provisions of the Gramm-Leach-Bliley Act. The regulations became effective on Nov. 13, 2000, but compliance is not mandatory until July 1, 2001.

The regulations issued by each agency are identical in all substantive respects. The Fed will implement these rules through its new Regulation P, "Privacy of Consumer Financial Information."

Regulation P imposes notice requirements and restrictions on a financial institution's ability to disclose "nonpublic personal information" about its customers to non-affiliated third parties. Generally, this would include any customer information a bank obtains while providing a financial product or service, such as account balances or payment histories. Even simple lists, such as the names and addresses of customers, are subject to disclosure restrictions if these lists are derived from loan or deposit accounts. The regulation also prohibits financial institutions from disclosing account numbers or access codes for a customer's credit card, deposit or transaction account to any non-affiliated third party for external marketing purposes.

There are three principal mandates under the regulations. Financial institutions must provide:

  1. Initial notices to their customers describing the institution's privacy policies and practices whenever a customer relationship is established. The notices must describe the conditions under which the financial institution might disclose nonpublic personal information to any affiliate or unaffiliated third party. These notices must be accurate, clear and conspicuous.
  2. Annual notices of their privacy policies to their current customers. These notices also must be accurate, clear and conspicuous. Additionally, whenever a financial institution makes a material change to its privacy policy or practices, it must provide a revised notice to its customers.
  3. A reasonable method of "opting out" for any customers who choose not to have their nonpublic personal information disclosed to non-affiliated third parties (for instance, a tear-off form or a toll-free telephone number). The institution must allow customers to opt out at any time and must have systems and procedures in place to prevent the accidental disclosure of information about customers who have opted out.

Even those financial institutions that do not intend to share nonpublic personal information with their affiliates or unaffiliated third parties must provide initial and annual notices to their customers.

Over the past two months, the St. Louis Fed's Consumer Affairs Supervision staff has hosted outreach seminars covering privacy issues, with a special focus on the provisions of Regulation P, for District bankers. The final seminar will be held Thursday, Jan. 11, at the Radisson Hotel in Louisville. Those interested in attending the seminar or learning more about Regulation P should contact examiner Kevin Henry at (314) 444-8823.

During the first quarter of 2001, the Bank will also partner with the Federal Reserve Banks of Minneapolis, Kansas City and Dallas, and the regional offices of the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS) and the Office of the Comptroller of the Currency (OCC), to present seminars on the privacy regulations. These seminars will cover both Regulation P and the Fair Credit Reporting Act. For more information regarding the prospective dates and locations of these seminars, contact senior examiner Allen North at (314) 444-8826.