Wolters Kluwer Financial Services ComplianceHeadquarters
Privacy Q&As Archive

Nonpublic Personal Information

Question: During a recent seminar, an attorney recommended that we do not include the customer's social security number on a UCC filing due to privacy concerns. What is your opinion?

Answer: Under Gramm-Leach-Bliley (GLB) an exception to the initial notice to consumers and opt-out rules exists under XXX.14 for processing transactions at a consumer's request. However, a disclosure must be given to customers notifying them that the financial institution shares information "as permitted by law." In sum, nothing in GLB specifically addresses social security numbers.

Although there is a space for the SSN on the UCC form, in many states, it is not required to be completed. Section 9-502 states that for a UCC to be complete the name of the Debtor, the name of the secured party, and the collateral must be described. Under Section 9-516, the filing may be rejected for a specified number of reasons, none of which is failure to include a SSN. With this in mind, lenders should consult with their legal counsel and appropriate filing office to determine whether to include the SSN on the UCC-1 financing statement form. (posted 7/16/02)

Question: Each year we attempt to promote use of outstanding home equity lines by mailing out promotional checks to our customers. We submit a tape to our check vendor that includes name, address, and account number. The vendor makes no solicitation on its own. Would this program need to be outlined in the disclosure?

Answer: Yes, sharing of your customer's nonpublic personal information (NPI) must be disclosed to your customers in the initial privacy notice, which must be provided at the time the customer relationship is established. (CCH Inc. Para 1052) (posted 4/18/02)

Question: If an employee discloses a customer's nonpublic personal information without the customer's consent, does this subject the employee to civil liability? What damages can be imposed for violations of G-L-B?

Answer: Under the Gramm-Leach-Bliley Act, the banking regulators are authorized to use the full range of their enforcement powers in case of violations. This was underscored during deliberations of the final version of the GLB Act. In a floor statement, then-House Banking Committee Chairman James Leach stated that: "In terms of enforcement, the Act subjects financial institutions that violate the new consumer privacy protections to a wide range of possible sanctions, including: termination of FDIC insurance; implementation of Cease and Desist Orders barring policies or practices deemed violations of the Act's privacy provisions; removal of institution-affiliated parties, including bank directors and officers, from their positions, and permanent exclusion of such parties from further employment in the banking industry; and civil money penalties of up to $1,000,000 for an individual or the lesser of $1,000,000 or 1% of the total assets of the financial institution."

* Damages are sought typically in a civil action brought against a defendant by an injured party. Although the regulator of a financial institution that violates the provisions of GLB or the Privacy Rule may impose regulatory sanctions and penalties, neither the GLB Act nor the Privacy Rule provides for any specific sanction, penalty or damages for violations. Any compensation for damages suffered by a consumer or a customer would be awarded by a court in a civil action. Subtitle B of the GLB Act, which relates to Fraudulent Access to Financial Information, does provide for criminal penalties, but it also does not specifically authorize civil damages to be sought. (posted 2/22/02)

Question: Does having a borrower's social security number on a mortgage document raise any privacy issues?

Answer: No. The social security number is part of a transaction that the consumer requested, and therefore raises no privacy concerns. (posted 1/4/02)

Question: Can you tell me what nonpublic personal information is?

Answer: The Gramm-Leach-Bliley Act, in Section 509, defines nonpublic personal information to mean personally identifiable financial information provided by a consumer to a financial institution or resulting from any transaction with the consumer or service performed for the consumer, or information otherwise obtained by the financial institution.  Nonpublic personal information does not include publicly available information as that term is defined in the rules issued by the regulators.

Section 509 further states that nonpublic personal information includes any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information.  The statute provides that the statutory definition of nonpublic personal information does not encompass any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information. (posted 12/24/01)

Question: Can we tell a third party if a customer has a deed of trust with us?

Answer: We believe not. Non-public information is covered under Regulation P. Personally identifiable financial information is non-public information. According to 216.3 (o) (2) (i) (C), personally identifiable information includes: "The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;" We would suggest you consult your counsel before you decide to release such information. (posted 12/3/01)

Question: Would "nonpublic personal information" include "any list, description, or other grouping of consumers" that is derived using any "personally identifiable financial information" that is publicly available (e.g. public bankruptcy records)?

Answer: The terms "personally identifiable financial information" and "publicly available information" are not defined by the Act. The Privacy Rule, however, provides that publicly available information means any information that you have a reasonable basis to believe is lawfully made available to the general public from Federal, State, or local government records. ____.3(p)(1) If the information is derived from public bankruptcy records, it would be deemed publicly available information and not be considered nonpublic personal information. ____.3(n)(2) (posted 07/27/01)

Question: Verification of funds over the phone is still a gray area. Has anything further been decided as to whether or not this is something financial institutions may continue doing?

Answer: Proceed with caution when verifying funds. If the request is legitimate, the activity can fall under the exception to opt out under __14. To minimize privacy implications, reveal no more than absolutely necessary in response to the request. Take adequate precautions to verify the identity of the caller and the legitimacy of the basis for the caller's request. Failure to do so could be deemed a breach of your duty to safeguard customer information. (posted 06/19/01)

Question: If an individual provides nonpublic personal information in conjunction with a business loan transaction, can the NPI be shared within the bank and its affiliates for cross selling purposes without providing an opt-out notice?

Answer: The information may be shared within the bank and its affiliates and even with non-affiliated third parties. The G-L-B privacy protections apply only to individuals who are obtaining a financial product or service primarily for a personal, family or household purpose. The Rule provides it does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. (emphasis added) _______.1(b) (posted 12/11/00)

Question: If a non-customer comes in to our bank to cash a check drawn on one of our customers' accounts, a teller asks for identification and records the information on the back of the check. Can we continue this practice, or are we deemed to be sharing nonpublic personal information with a nonaffiliated third party?

Answer: You should be able to continue the practice of recording the consumer's identification information on the back of the check without violating any provision of G-L-B. The non-customer may not even be considered a consumer under the Act if the check is not being cashed for primarily a personal, family, or household purpose. If the non-customer is not a consumer the provisions of the Act do not apply.

If the non-customer is a consumer, the institution is required to give the privacy notices only if it intends to share nonpublic personal information (NPI) with a nonaffiliated third party. In addition, an exception to the notice requirement applies if the NPI is shared in order to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability. See ______.15(a)(2)(ii).

In this situation, after the NPI was recorded on the back of the check, the check would be processed through normal bank channels and the check itself or an image thereof returned to the maker of the check, the bank's customer. Even if the customer is deemed a nonaffiliate of the bank for the purposes of the transaction and the return of the check with the identification information on the back of the item was deemed the sharing of NPI, the anti-fraud exception would apply and the initial notice and opt out notice requirements do not apply. (posted 11/13/00)

Question: Our interpretation of "personally identifiable financial information" does not include such items as discount points or an appraised value that might be shared with a non-affiliated third party. Is this interpretation correct?

Answer: Your interpretation is correct as long as the shared information does not identify the consumer. If the information does contain personal identifiers that would allow the non-affiliated third party to learn the identity of the consumer, the information would be considered "personally identifiable financial information." ______.3(o)(1) For example, if the appraisal contains a legal description which in turn identifies the consumer as the owner of the property and the appraisal was obtained by the institution as the result of a loan transaction, any information relating to the appraisal would be considered "personally identifiable financial information." (posted 12/08/00)

Question: Our bank employs an individual who sells insurance for the bank. The individual also owns a small insurance agency on his own that is not affiliated with the bank. We do not intentionally share information with the individual. Since he does have access to nonpublic personal information through his bank activities, is the bank "in fact" sharing the information with a nonaffiliated third party?

Answer: The bank is not deemed to have shared nonpublic personal information with a nonaffiliated third party if the "sharing" is as a result of one individual serving as a joint employee of both entities. The Regulators were requested in a comment to the proposed Rule to state that a disclosure to a joint employee would be deemed to have been disclosed to both parties. They rejected this concept and indicated it was appropriate to deem the information given to the institution that was providing the service or product in question. For example, if the employee sold a life insurance policy to a customer through the insurance agency, the nonpublic personal information received by the employee in connection with the sale would be deemed received by the insurance agency, not the bank. (posted 11/08/00)

Question: If we share a list of customer information without the names of the customers, do we need to disclose that practice to our customers and provide an opt out?

Answer: No. If the list contains only aggregate information or blind data and does not identify a consumer by any other personal identifier such as an account number or address, the information is not considered "personally identifiable information" and can be disclosed. ___.3(o)(2)(ii)(B) (posted 10/25/00)

Question: Is there any limit to the information I can disclose to an affiliate? If so, where is this limit referenced in the Regulation?

Answer: The new G-L-B privacy regulations do not impose restrictions on information sharing between affiliates. The Fair Credit Reporting Act does, however, address information disclosures to an affiliate, and while it does not limit the information that can be disclosed per se, it does impose restrictions/conditions on certain disclosures. If a company shares data with an affiliate that solely contains information on transactions or experiences between the consumer and the company making the report, there are no additional obligations. On the other hand, if information about a consumer is shared with an affiliate that goes beyond the scope of "information on transactions or experiences," a disclosure must be given to the consumer to alert the consumer to the information sharing, and the consumer must be given the opportunity, before the time the information is initially communicated, to direct that such information not be communicated to such persons. (posted 9/14/00)

Question: If we only disclose NPI to service providers and/or joint marketers, and there is an exception to the prohibition against disclosing NPI to such entities, do we even have to deal with describing that information sharing in our disclosures?

Answer: Yes, you do. If you disclose nonpublic personal information under the exception for service providers and joint marketers, you must describe the categories of nonpublic personal information you disclose and the categories of third parties with whom you have contracted. See Sample Clause A-5 for details. (posted 8/14/00)

Question: What exposure does the bank have if a bank employee sent a portion of the borrower's application (highlighting the area relating to gift funds) to a donor requesting a gift letter or verification?

Answer: Examine your application form to determine what the customer may have authorized. If the application form, which the customer presumably signed, contains language broadly authorizing the bank to contact third parties to the extent necessary to verify information on the application, that language could possibly protect you from liability, depending upon what you actually released to the donor. If the portion of the application sent to the donor revealed information about the amount and type of credit being applied for, or showed income information or debt information, the bank may have gone too far. Those revelations would not have been necessary to elicit the gift confirmation and they thus would have eroded the customer's financial privacy. (posted 8/01/00)

Question: If a car dealer calls for a loan payoff balance, does the bank have to receive written permission from the customer before we can release the information?

Answer: You will want to check your state law to see if it addresses this issue. In the absence of a state statute or judicial decision, the generally accepted banking practice is to release the information only if you have the customer's permission. You need to be assured your customer has authorized the information to be released to the dealer. This can be done by speaking to the customer, and making a notation in your records that the customer orally authorized the release, or by obtaining the customer's written authorization. The written authorization may consist of the customer's signature on an application form to the dealer containing a clause authorizing the dealer to procure payoff information on the vehicle, or could be, for example, a short signed fax from the customer directing you to tell the dealer the payoff balance. If a dispute arises over whether the dealer should have been given the information, think about how you would be able to demonstrate to the court that the release was authorized. That thought should guide your documentation efforts. (posted 6/22/00)

Question: If we do not share nonpublic personal information (NPI) with nonaffiliated third parties, other than under the exceptions, do we need to provide an opt-out option?

Answer: If you do not share NPI with nonaffiliated third parties, the Gramm-Leach-Bliley opt-out requirements are not triggered. See Reg. P, Section 10(a)(1). (None of the three Reg. P information-sharing exceptions requires an opt-out notice. See Sections 13, 14 and 15.) Note that if the institution does disclose NPI to a nonaffiliated third party, other than as allowed by the exceptions, it must provide an initial privacy notice to the consumer, in addition to the opt-out notice, prior to the disclosure.

The initial privacy notice is not required to be given to consumers if NPI is not shared with nonaffiliated third parties. See Reg. P, Sections 4 and 5.

Also, keep in mind that information sharing among affiliates may trigger the Fair Credit Reporting Act opt-out notice requirements. 15 U.S.C. Section 1681a(d)(2)(A)(iii). (posted 6/14/00)

Question: After giving the opt-out notice, how long must we wait before disclosing nonpublic personal information to a nonaffiliated third party?

Answer: The regulation avoids setting a mandatory waiting period that would be applicable in all cases. It does, however, talk in terms of it being reasonable to give the consumer a 30-day time frame from the date the notice was mailed to opt out, so that provides some guidance on the waiting period. Where it is an isolated transaction, such as an ATM transaction, where electronic notice is given and the consumer has a convenient electronic method to opt out, the time period could be much shorter. (posted 5/31/00)

Question: What is the difference between "nonpublic personal information" ("NPI") and "publicly available information"?

Answer: The privacy rules govern the treatment of NPI. NPI does not include publicly available information. Thus, publicly available information is not protected by the law.

NPI is any "personally identifiable financial information," as well as any lists or groupings of consumers derived from personally identifiable financial information. Personally identifiable financial information is broadly defined as any information provided by the consumer, identified as a result of a financial transaction with the consumer, or otherwise obtained in connection with a financial product or service. Examples include information provided on an application or in a consumer report, account balance and history information, or even the fact that the consumer is or was a customer! Reg. P, Sections 3(n) and 3(o).

Again, NPI does not include publicly available information. Publicly available information is information that the financial institution has a reasonable basis to believe is lawfully made available to the general public from one of three sources: government records (such as real estate records or security interest filings), "widely distributed media" (such as a telephone book or newspaper), or legally required disclosures to the general public. Reg. P, Section 3(p). (posted 5/31/00)
