Federal Reserve Board Regulation P – Privacy of Consumer Financial Information – Overview & Summary of Requirements
The US Federal Reserve Board’s Regulation P or Privacy of Consumer Financial Information (12 CFR 216) regulates the use of nonpublic personal information about consumers by financial institutions.
What is nonpublic personal information?
Nonpublic personal information means:
- Personally identifiable financial information; and
- Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
Applicability
Regulation P covers those financial institutions for which the Federal Reserve Board has primary supervisory authority. Therefore any financial institution that provides financial products or services to consumers must comply with Regulation P requirements.
A financial institution is one which is involved in the following authorized activities:
- Lending, exchanging, transferring, investing for others, or safeguarding money or securities;
- Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, either as principal, agent, or broker; and
- Providing financial advice, underwriting, dealing in, or making a market in securities.
Customers vs. Consumers
According to Regulation P, all customers are consumers but the reverse doesn’t apply.
Consumer: A consumer is an individual who obtains a financial product or service from a financial institution that is primarily for personal, family or household purposes.
Customer: A customer, as stated above, is a type of consumer – one who has an ongoing relationship with a financial institution, under which the institution provides a financial product or service.
The rule differentiates a financial institution’s responsibilities to customers and consumers. An institution that is governed by Regulation P:
- Must give all its customers initial privacy notices
- Must give initial notices (or short form notices) to consumers who are not its customers only if it intends to disclose nonpublic personal information about those consumers to nonaffiliated third parties
- Must give annual privacy notices to its customers as long as they remain its customers
- Is never required to send annual notices to consumers who are not its customers.
What is a customer relationship?
A consumer becomes an institution’s customer if a consumer does any of the following:
- Opens a credit card account with the institution
- Executes the contract to open a deposit account with the institutions, obtains credit from it, or purchases insurance from it;
- Agrees to obtain financial, economic, or investment advisory services from the institution for a fee; or
- Becomes an institution’s client for the purpose of receiving credit counseling or tax preparation services.
For existing customers, a financial institution need only provide a new privacy notice if the customer buys any new financial product or service that is not covered in the initial notice.
Types of Privacy Notices
Two types of privacy notices are covered by Regulation P:
|
Type
|
Regulatory Requirements
|
|
Initial Privacy Notice
|
A clear, conspicuous initial privacy notice listing all of a financial institution’s privacy policies and practices must be provided to:
An initial privacy notice need not be sent to a consumer if:
|
|
Annual Privacy Notice
|
Financial institutions must provide an annual privacy notice at least once in any 12 month period during the course of the relationship
|
Information to be included in privacy notices
All privacy notices – whether the initial or annual or revised notices must include the following information:
- Categories of nonpublic personal information that is collected by an institution
- Categories of nonpublic personal information that is disclosed by an institution
- The categories of affiliates and nonaffiliated third parties to the information is disclosed
- The categories of nonpublic personal information about former customers that that is disclosed and the categories of affiliates and nonaffiliated third parties to whom this is disclosed
- An explanation of the consumer’s right to opt out of disclosure
- Disclosures that are made under the Fair Credit Reporting Act
- Policies and practices to protect the confidentiality and security of nonpublic personal information
Limits on sharing account number information for marketing purposes
Financial institutions are prohibited from disclosing directly or through an affiliate, a consumer’s account number/ access number/ access code to his or her credit card account, deposit account or transaction account to any non-affiliated third party for any kind of marketing purpose.
Additional Resources
Compliance Trainings
Pregnancy in the Workplace: Strategies to Protect Your Organization from Pregnancy Discrimination Claims
By - Christopher W. Olmsted
On Demand Access Anytime
By - Christopher W. Olmsted
On Demand Access Anytime
How to Vet an IRB: Expose and Fix Problems Before They Threaten Your Trial
By - Madhavi Diwanji
On Demand Access Anytime
By - Madhavi Diwanji
On Demand Access Anytime
Compliance Standards
You Recently Viewed
