It can be daunting for Fintechs, money services businesses (MSBs), and other non-bank entities operating in the consumer financial products and services space to navigate privacy legislation and determine which provisions of the various federal and state laws apply (and how). Federal law has taken a relatively narrow approach to privacy legislation, limiting coverage of consumer protections primarily to financial products and services. Moreover, such laws were written with traditional banks, credit unions, and other financial institutions (FIs) in mind and have not been significantly amended to account for the growing digital and decentralized online financial services sector dominated by Fintechs. Consequently, there has been a rise in state privacy laws that aim to provide consumers with more comprehensive privacy rights and protections.
To make things a little easier to navigate, here is a guide to assist non-bank financial service providers in establishing if and how each major U.S. privacy law may apply, including an overview of the Consumer Financial Protection Bureau’s Proposed Personal Financial Data Rights Rule, as well as a summary of what to consider regarding state privacy laws.
Gramm-Leach-Bliley Act and the Disclosure of Consumer Information to Nonaffiliated Third Parties
The consumer privacy provisions of the Gramm-Leach-Bliley Act (GLBA) as implemented by Regulation P set specific requirements for FIs regarding how they share consumer and customer information to nonaffiliated third parties. The Regulation requires covered institutions to provide disclosures to consumers explaining how their information will be used and shared with nonaffiliated third parties and provides consumers with the right to opt out of certain information-sharing practices.
Entities in the financial services space often assume that serving consumer customers immediately requires full GLBA compliance, but additional criteria should be considered and determined to be relevant before taking on such obligations.
FIs that serve consumers or establish customer relationships with consumers may be required to disclose their information-sharing practices. The Regulation’s definition of FIs is broader than most consumer protection regulations and can include but is not limited to banks, savings associations, credit unions, certain MSBs, businesses that extend credit or service loans, non-bank mortgage lenders, and insurance underwriters and agents.
What to Consider: Regulation P applies specifically to covered institutions in relation to how they share consumer and customer data with nonaffiliated third parties in the performance of offering consumer-purpose financial products and services. There are key terms defined within the Regulation that can aid an entity in determining the level and extent to which the GLBA may apply:
- Consumer – This refers to any natural person who obtains a financial product or service for personal, family, or household purposes from a covered institution. An example of this would be a person who cashes a check drawn on a bank where they do not have an account. A covered institution is required to provide a GLBA-compliant privacy notice to such a consumer only if it intends to share the consumer’s data with a nonaffiliated third party so that the third party can market its own products and services to the consumer.
- Customer – This refers to a consumer who establishes a continuing relationship with a covered institution.2 Examples of a customer relationship include but are not limited to those where a consumer holds a deposit or other transaction account, line of credit, or installment loan with an FI. A Regulation P-compliant privacy notice must be provided at the time the customer relationship is established (i.e., when the consumer opens their account), on an annual basis thereafter, or anytime the covered FI’s information-sharing practices change.
- Affiliate – This refers to a company that controls, is controlled by, or is under common control with another company.3 This can include an entity’s parent company or any subsidiaries. Information sharing between affiliates does not fall within the scope of Regulation P, but instead the Fair Credit Reporting Act (keep reading to learn more about why that is).
- Nonaffiliated Third Party – A person or entity that is not a company’s affiliate.4 Examples include but are not limited to vendors and other third-party service providers, banking partners and sponsor banks, and third-party marketing firms. Under the GLBA, such information sharing is prohibited unless mandatory privacy notices are provided in accordance with the Regulation’s timing and content requirements.
When assessing the impact of Regulation P, an entity can look at its products and services to first determine whether it is an FI under the Regulation, whether it serves consumers, and/or whether it establishes customer relationships with consumers. The entity can then inventory what types of consumer and customer information will be collected, what types of nonaffiliated third parties will receive such information, and for what purpose. It should be noted that the Regulation has defined certain exceptions that permit entities to disclose consumer information to nonaffiliated third parties where consumers cannot limit that activity. These exceptions include joint marketing agreements with other FIs,5 facilitating a consumer-requested transaction/providing a consumer-requested service,6 and risk management purposes (i.e., to protect against fraud/identity theft, to respond to a subpoena or law enforcement request, etc.7).
Irrespective of whether information is shared within the constraints of the exceptions or outside of them, the entity will be required to provide a privacy notice to customers at the start of their relationship with the FI, and to certain non-customer consumers.8 However, identifying the purpose of the information sharing is especially important in that it will enable the entity to determine the applicable content, timing, and frequency of its required privacy notices, as well as whether opt-out notices that inform consumers of their right to restrict the FI from engaging in certain information sharing practices (i.e., sharing consumer data with nonaffiliated third parties for their marketing purposes) are needed.
Regarding the actual privacy notice, it is also important to note that, in general, the requirement to furnish a Regulation P-compliant privacy notice is not satisfied by most online privacy notices that address the usage of cookies and online data analytics, because the scope of such notices covers any person who visits the Company’s website or other online properties, rather than the consumers or customers who actually use the entity’s financial products and services. Entities with GLBA impact should make sure to embed the mandatory regulatory notice within their existing online privacy notice under a separate heading indicating the company’s practices related to Regulation P compliance. Also, when applicable, GLBA notices can be combined with certain notices required by the Fair Credit Reporting Act.
Fair Credit Reporting Act and the Disclosure of Consumer Information to Affiliates
While the Fair Credit Reporting Act (FCRA) is most commonly associated with regulating the usage of consumer credit reports and furnishing consumer information to the credit bureaus (which will not be covered in this article), the FCRA’s main aim is to ensure that consumer information is used in an appropriate manner and kept confidential. As such, the FCRA also governs activity related to sharing consumer data between affiliates and requires certain notices to be provided to the consumer.
The FCRA’s affiliate-sharing provisions apply to any person or entity that shares consumer information with, and/or receives such information from, its affiliates. It is important to note that these requirements pertain to the sharing of any consumer information, not just credit reports. Therefore, any transaction or other account data collected about a consumer that is shared with an affiliate is covered activity. Similar to the GLBA, the FCRA defines an affiliate as any company that is related by common ownership or common corporate control with another company.9
What to Consider: When a covered institution shares consumer information with or receives consumer information from its affiliates for everyday business purposes or for marketing or solicitation purposes, this fact should be disclosed in the company’s GLBA privacy notice as part of its information-sharing activity. It is because of this that many wonder why sharing data with affiliates is governed by the FCRA and not the GLBA – but remember, the FCRA is primarily concerned with regulating consumer credit reports and entities involved in obtaining them.
In cases where a covered institution receives consumer data from an affiliate, the entity sharing the information is behaving like a consumer reporting agency and the receiving entity is behaving like a user of consumer reports under the FCRA. Therefore, the sharing institution must inform the consumer of this practice, and when applicable, notify them of their right to limit this type of information sharing via an opt-out notice (which again can be combined with a GLBA notice). In cases where the consumer has the right to limit sharing, the entity receiving the information cannot use the data until the consumer has had a reasonable amount of time to opt out and has not done so.
CFPB Proposed Personal Financial Data Rights Rule
In October 2023, the Consumer Financial Protection Bureau (CFPB or Bureau) released a notice of proposed rulemaking to implement section 1033 of the Consumer Financial Protection Act of 2010 (CFPA). The proposed rule intends to address the rising consumer data privacy risks associated with open banking – the practice of allowing third-party service providers to leverage application programming interfaces (APIs) to access banking, transaction, and other financial information about consumers from banks and non-bank FIs. In particular, the proposed rule seeks to ensure that third-party service providers do not use consumer data for unauthorized purposes and instead act in the interest of the consumers whose data they obtain.
If implemented as proposed, the rule will establish basic standards for access to consumer data, require impacted entities to make certain consumer data available to consumers and third parties, create standards and obligations (including privacy protections) for third parties who access such consumer data, and foster fair, open, and inclusive industry standards and practices. Barring certain exceptions defined within, the rule would apply to account and transaction activity related to covered asset accounts subject to Regulation E and credit cards subject to Regulation Z, as well as payment transactions facilitated from such asset accounts and credit cards (including mortgage, automobile, and student loan payments). All consumer-facing entities involved in such activities would be subject to the requirements of the proposed rule.10
What to Consider: While the rule has not been finalized yet (the comment period ended on December 29, 2023), consumer-facing entities involved in open banking should begin to prepare for the publication of a final rule by considering how their existing business activities may be affected and developing a regulatory change management action plan. In particular, potentially impacted entities should familiarize themselves with the core objectives of the rule and start to develop strategies for how to implement its requirements, especially any provisions that will require the development of new or enhanced systems.
State Privacy Laws
From a consumer protection standpoint, many consumer advocates do not believe that the privacy provisions of existing federal privacy laws are enough. As a result, many states have enacted their own consumer privacy laws that extend beyond the scope and coverage of federal legislation. The start of this regulatory trend was the passing of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), which provide much more comprehensive privacy rights and protections to consumers irrespective of the product or service they are obtaining. So, while the GLBA and FCRA govern specific activities related to consumer reporting and financial products and services, any business collecting and using the data of California-based consumers is required to comply with the CCPA and CPRA.
Many states have followed in California’s footsteps, including Colorado, Connecticut, Utah, and Virginia, all of which have enacted privacy laws that are currently in effect. Delaware, Indiana, Iowa, Kentucky, Maryland, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, and Texas have also enacted privacy laws that go into effect in late 2024, 2025, or 2026, while many other states have active bills that may be passed in the near future.11
Although the nuts and bolts of these privacy laws will vary from jurisdiction to jurisdiction, many state privacy laws extend additional rights to consumers including but not limited to the right to access, correct, or delete their information. Impacted businesses are generally held to higher standards of transparency than what federal law requires and are expressly prohibited from discriminating against consumers who elect to exercise their rights.
What to Consider: State privacy laws are much more complicated than the federal requirements and often require the involvement of legal counsel to fully determine impact. For example, many state privacy laws have carved out exceptions to coverage for GLBA- and FCRA-impacted institutions. However, some states (like California) only allow an exemption for GLBA- and FCRA-impacted activity, not for the institution as a whole. Therefore, entities operating in states with privacy laws in effect should seek a legal analysis of their products, services, and business activities, as well as their consumer data collection and sharing practices, to ensure full compliance with applicable requirements.
Conclusion
While U.S. consumer privacy legislation can be complicated, this guide should enable entities to better understand the scope and coverage of these rules and how they may apply. However, it is best practice and highly recommended that any entity concerned about their consumer privacy impact engage an attorney who specializes in privacy legislation to fully determine their obligations at both the federal and state levels.
SOURCES
1. https://www.consumerfinance.gov/rules-policy/regulations/1016/3/#e
2. https://www.consumerfinance.gov/rules-policy/regulations/1016/3/#i
3. https://www.consumerfinance.gov/rules-policy/regulations/1016/3/#a
4. https://www.consumerfinance.gov/rules-policy/regulations/1016/3/#o
5. https://www.consumerfinance.gov/rules-policy/regulations/1016/13/
6. https://www.consumerfinance.gov/rules-policy/regulations/1016/14/
7. https://www.consumerfinance.gov/rules-policy/regulations/1016/15/
8. https://www.consumerfinance.gov/rules-policy/regulations/1016/4/
9. https://www.consumerfinance.gov/rules-policy/regulations/1022/3
10. https://files.consumerfinance.gov/f/documents/cfpb-1033-nprm-fr-notice_2023-10.pd
11. https://iapp.org/resources/article/us-state-privacy-legislation-tracker/#enacted-laws
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.