Ch. 9 - Financial Privacy Flashcards

1
Q

What is the FCRA?

A

The Fair Credit Reporting Act.

It mandates accurate and relevant data collection, gives consumers the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes.

2
Q

Who does the FCRA regulate?

A

Any consumer reporting agency (CRA) that furnishes a consumer report. The Act also imposes duties on users of consumer reports and on those who furnish information to CRAs.

3
Q

Who is a CRA?

A

Consumer Reporting Agency

Any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to 3rd parties for a fee.

4
Q

What is a consumer report?

A

Any communication by a CRA related to an individual that pertains to the person’s:

  • Creditworthiness
  • Credit Standing
  • Credit Capacity
  • Character
  • General Reputation
  • Personal characteristics
  • Mode of living

and that is used as a factor in establishing a consumer’s eligibility for credit, insurance, employment or other business purpose.

5
Q

What are the 4 main requirements under the FCRA that users of consumer reports must meet?

A
  1. Third party data for substantive decision making must be appropriately accurate, current and complete
  2. Consumers must receive notice when third-party data is used to make adverse decisions about them
  3. Consumer reports may be used only for permissible purposes
  4. Consumers must have access to their consumer reports and an opportunity to dispute them or correct any errors.
6
Q

What obligations must CRAs give notice of to users of consumer reports?

A
  1. Users must have a permissible purpose.
  2. Users must provide certifications.
  3. Users must notify consumers when adverse actions are taken.
7
Q

Gramm-Leach-Bliley Act of 1999

A

GLBA, AKA the Financial Services Modernization Act; its privacy provisions are in Title V.

  • Applies to any organization significantly engaged in financial activities in the US
  • Must have a program for customer PII that covers secure storage, notice, and opt-out.

Originally FTC-managed; Privacy Rule rulemaking moved to the CFPB under Dodd-Frank, while the FTC kept the Safeguards Rule for nonbank financial institutions.

8
Q

GLBA Opt-Out Policy

A

Opt out only:

Consumers can choose not to have information shared with nonaffiliated 3rd parties, but have no choice about sharing with service providers such as data processors.

9
Q

GLBA Privacy Rule

A

The institution must provide a privacy notice when the customer relationship is established and annually thereafter.

Consumers have the right to opt out of sharing with nonaffiliated 3rd parties.

If the policy changes, a revised notice (and a new opt-out opportunity) must be provided before information is shared under the new policy.

10
Q

GLBA Safeguards Rule

A

A formal, written information security program must be in place.

11
Q

Financial Institution Reform, Recovery, and Enforcement Act of 1989

A

FIRREA. GLBA violations are penalized under its civil money penalty tiers. Administered by the CFPB (formerly the FTC).

12
Q

Bank Secrecy Act of 1970

A

BSA, AKA Currency and Foreign Transactions Reporting Act

  • Currency transactions over $10,000 must be reported on a Currency Transaction Report (filed with FinCEN; originally an IRS form): name, address, SSN, amount, currency

Suspicious Activity Reports (SARs) are required for:

  • insider abuse of any amount
  • $5k+ where a suspect can be identified
  • $25k+ regardless of whether a suspect can be identified
  • $5k+ if potential money laundering or other BSA violation

Administered by the US Treasury through FinCEN.

13
Q

Right to Financial Privacy Act of 1978

A

RFPA covers financial institutions: the federal government can't access a customer's records unless the records are "reasonably described" and one of the following applies:

  • the customer consents
  • an administrative subpoena or summons, search warrant, or judicial subpoena
  • a formal written request from a government authority

Treasury enforces.

14
Q

Dodd-Frank Wall Street Reform Act of 2010

A

Title X created CFPB. Added “abusive acts and practices” to “unfair and deceptive” language.

15
Q

CFPB now manages what acts?

A
FCRA
GLBA
Fair Debt Collection Practices Act
FIRREA
ECOA
16
Q

Fair and Accurate Credit Transactions Act of 2003

A

FACTA. Focuses on identity theft and its prevention. Requires truncation of credit and debit card numbers on receipts and gives consumers the right to a free annual credit report from each of the big 3 nationwide CRAs.

Established Red Flags Rule and Disposal Rule.

Enforced by FTC, the Fed, and CFPB.

17
Q

FACTA Preemption and Opt-Out

A

FACTA made FCRA's preemption of state credit reporting laws permanent. A handful of states that already had STRICTER laws were allowed to keep them, but otherwise it generally preempts state law in the covered areas.

Adds a federally mandated opt-out from affiliate marketing based on shared consumer information.

18
Q

FACTA- Red Flag and Disposal Rules

A

Red Flags: covered entities must have a written program of rules to detect, prevent, and mitigate identity theft.

Disposal: anyone using a consumer report must dispose of the information in a way that prevents unauthorized access to or use of it.

19
Q

Equal Credit Opportunity Act of 1974

A

ECOA: creditors can't discriminate in any aspect of a credit transaction on the basis of race, color, religion, national origin, sex, marital status, age, receipt of public assistance income, or good-faith exercise of rights under the Consumer Credit Protection Act. Regulation B also bars asking about childbearing or childrearing intentions.

A creditor can't ask about marital status when someone applies for individual, unsecured credit, unless the applicant lives in a "community property" state.

If credit is denied, the applicant must be notified within 30 days of the application.

CFPB

20
Q

Red Flag Clarification Act of 2010

A

Narrowed the definition of a creditor and when creditors are covered, so related third parties (like attorneys and health care providers) aren't covered by FACTA's Red Flags Rule.

21
Q

The executive agency responsible for promoting economic prosperity and ensuring the financial security of the United States:

A

The Treasury Department

22
Q

The Chair and Vice Chair of the Board of Governors are appointed by ____________ from among the sitting Governors. They both serve a four-year term and they can be renominated as many times as the President chooses, until their terms on the Board of Governors expire.

A

the President

23
Q

The Board of Governors of the Federal Reserve, an agency of the federal government that reports to and is directly accountable to _______, provides general guidance for the System and oversees the 12 Reserve Banks.

A

Congress

24
Q

The Board of the Federal Reserve is required to make an annual report of operations to

A

the Speaker of the House.

25
Q

The Board of Governors, an agency of the federal government that reports to and is directly accountable to Congress, provides general guidance for the System and oversees

A

the 12 Reserve Banks.

26
Q

What is the central bank of the United States?

A

The Federal Reserve System (sometimes called “The Fed”)

27
Q

What does The Office of the Comptroller of the Currency do?

A

The Office of the Comptroller of the Currency charters, regulates, and supervises all national banks. It also supervises the federal branches and agencies of foreign banks.

28
Q

Who insures deposits?

A

The Federal Deposit Insurance Corporation (FDIC) is an independent federal government agency which insures deposits in commercial banks and thrifts.

29
Q

Under Gramm-Leach-Bliley privacy provisions, what are financial institutions required to do?

A
  1. Store personal financial information in a secure manner.
  2. Provide notice of their policies regarding the sharing of personal financial information.
  3. Provide consumers with the choice to opt out of sharing some personal financial information.
  4. Refrain from disclosing to any non-affiliated third party marketer, other than a CRA, an account number or access code to a consumer’s credit card, deposit or transaction account.
30
Q

What is a financial institution under GLBA?

A

Any US company significantly engaged in financial activities. Includes banks, insurance providers, securities firms, payment settlement services, check cashing services, credit counselors and mortgage lenders, among others.

31
Q

What is “nonpublic personal information” under GLBA?

A

Personally identifiable financial information:

  1. Provided by a consumer to a financial institution,
  2. Resulting from a transaction or service performed for the consumer, or
  3. Otherwise obtained by the financial institution.
32
Q

What is excluded from the definition of “nonpublic personal information” under GLBA?

A
  1. Publicly available information
  2. Any consumer list that is derived without using personally identifiable financial information.

33
Q

Which agency has rule making power over the GLBA?

A

CFPB with limited exceptions for the SEC and Commodity Futures Trading Commission.

34
Q

What are the possible penalties under GLBA?

A

Up to $5,500 for violations of law

Up to $27,500 if the violations are unsafe, unsound or reckless

Up to $1.1M for “knowing” violations.

35
Q

Who has enforcement power under the GLBA?

A

Agencies have authority over institutions in their jurisdiction, such as:

  1. Federal Reserve
  2. Office of the Comptroller of the Currency
  3. Federal Deposit Insurance Corporation
  4. Securities and Exchange Commission
  5. CFPB (for institutions not otherwise covered)
  6. State Attorneys General
36
Q

Does GLBA preempt state law?

A

No. States may enact stricter financial privacy laws, which GLBA does not preempt.

37
Q

Does GLBA have a private right of action?

A

No, but certain states may consider it a deceptive trade practice for failing to give notice.

38
Q

Who is protected by GLBA?

A

Consumers or individuals who obtain financial products or services from a financial institution to be used primarily for personal, family or household purposes.

39
Q

What are the requirements of the GLBA privacy notice?

A
  1. What information the financial institution collects about its consumers and customers.
  2. With whom it shares the information.
  3. How it protects or safeguards the information.
  4. An explanation of how a consumer may opt out of having his information shared through a reasonable opt-out process.
40
Q

Can a financial institution share consumer information with affiliated companies and joint marketing partners?

A

Yes, so long as they have complied with the notice requirements.

41
Q

Can a financial institution share consumer information with unaffiliated or third-party marketing companies?

A

Yes, other than for defined exceptions, if it has disclosed the information-sharing practice and provided an opt-out option.

42
Q

What information sharing can’t a consumer opt out of under GLBA?

A
  1. If financial institution shares information with outside companies that provide essential services like data processing or account servicing.
  2. If the disclosure is legally required.
  3. If the financial institution shares customer data with outside service providers that market the financial company’s products or services.
43
Q

What does the GLBA Safeguards Rule require?

A

Financial institutions must establish a comprehensive information security program that contains administrative, technical and physical safeguards.

44
Q

What are the requirements of the GLBA information security program?

A
  1. Designated employee to coordinate the program.
  2. Audit systems to determine risks.
  3. Procedures to take with service providers to assure security.
45
Q

What are the 3 levels of security under a GLBA Safeguards Program?

A
  1. Administrative security, including program definition, management of workforce risks, employee training, vendor oversight.
  2. Technical security, including computer systems, networks and applications in addition to access controls and encryption.
  3. Physical security, including facilities, environmental safeguards, business continuity and disaster recovery.
46
Q

GLBA

A

Also known as the Financial Services Modernization Act, the Gramm Leach Bliley Act (GLBA)

47
Q

GLBA

A

applies to U.S financial institutions and governs the secure handling of non-public personal information including financial records and other personal information.

48
Q

Section 501(b) of the Gramm-Leach-Bliley Act requires

A

financial institutions to protect the security, confidentiality and integrity of non-public customer information through “administrative, technical and physical safeguards”.

49
Q

The Gramm-Leach-Bliley Act also requires each financial institution to implement a comprehensive

A

written information security program

  • that includes administrative, technical and physical safeguards appropriate to the size, complexity and scope of activities of the institution.
50
Q

GLBA requires the (3)

A

(1) Ensuring the security and confidentiality of customer records and information
(2) Protecting against any anticipated threats or hazards to the security or integrity of such records
(3) Protecting against unauthorized access to or use of such records or information, which could result in substantial harm or inconvenience to any customer

51
Q

The Gramm-Leach-Bliley privacy regulations, combined with referenced requirements under the Federal Deposit Insurance Act – section 36, result in the need to:

A

(1) Safeguard and monitor customer records and information
(2) Create and maintain effective risk assessments
(3) Identify, implement and audit specific internal security controls that protect this data

52
Q

The Gramm-Leach-Bliley Act specifies that a consumer must be given _________ to opt out before personal financial information is disclosed to a third party.

A

A reasonable opportunity.

Sec. 6802 (b)(1)(B) of the GLB Act specifies that “a financial institution may not disclose nonpublic personal information to a non-affiliated third party unless the consumer is given the opportunity before the time that such information is initially disclosed to direct that such information not be disclosed…”

53
Q

Under the Gramm-Leach-Bliley Act, which of the following is considered nonpublic information?

A

A borrower’s current loan balances.

Information that can be obtained through public sources such as a phone book or courthouse public records is not subject to the GLB Act. Personal financial information such as that which could only be found in account records or on a credit report is subject to the Act’s provisions.

54
Q

Which law requires postsecondary educational institutions entrusted with student financial aid information to address cybersecurity threats and strengthen their cybersecurity infrastructure?

A

The Gramm-Leach-Bliley Act (15 U.S. Code § 6801), applied to them through their Program Participation Agreement (PPA) with the Department of Education.

55
Q

Under their Program Participation Agreement (PPA) and the Gramm-Leach-Bliley Act (15 U.S. Code § 6801), postsecondary institutions must protect

A

student financial aid information, with particular attention to information provided to institutions by the Department of Education or otherwise obtained in support of the administration of the Title IV Federal student financial aid programs authorized under Title IV of the Higher Education Act, as amended (the HEA).

56
Q

Basic GLBA privacy requirements

A
  • Store personal financial information in a secure manner
  • Provide notice of their policies regarding the sharing of personal financial information
  • Provide consumers with the choice to opt out of sharing some personal financial information
57
Q

Nonpublic personal information under GLBA

A

“personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution.”

58
Q

Current GLBA rulemakers and enforcers

A

Rulemaking: CFPB for the Privacy Rule, with exceptions for the SEC and CFTC; the FTC retains the Safeguards Rule for nonbank financial institutions.

Enforcers: Privacy Rule enforced by the CFPB and the functional regulators (Fed, OCC, FDIC, SEC) for institutions in their jurisdiction; Safeguards Rule enforced by the FTC for nonbank institutions. State AGs may also enforce (stricter state laws are not preempted).

59
Q

Private right of action (PROA) under GLBA?

A

No

60
Q

GLBA customers vs. consumers

A

Consumers are individuals who obtain financial products or services from the institution.

Customers are consumers with whom the financial institution has an ongoing relationship (the full privacy notice is given to these).

61
Q

Major components of GLBA Privacy Rule

A
  1. Prepare and provide to customers clear and conspicuous notice of the financial institution’s information-sharing policies and practices. These notices must be provided when a customer relationship is established and annually thereafter.
  2. Clearly provide customers the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties (subject to significant exceptions, including for joint marketing and processing of consumer transactions).
  3. Refrain from disclosing to any nonaffiliated third-party marketer, other than a consumer reporting agency, an account number or similar form of access code to a consumer’s credit card, deposit or transaction account. [regardless of opt out in 2 above]
  4. Comply with regulatory standards established by certain government authorities to protect the security and confidentiality of customer records and information, and protect against security threats and unauthorized access to or certain uses of such records or information.
62
Q

GLBA Privacy Notice

A
  • Given when the account is established and annually thereafter.
  • Covers 9 categories of information.
  • Consumer may opt out of further disclosures (process within 30 days).
  • Notice must include:
    • What information the financial institution collects about its consumers and customers
    • With whom it shares the information
    • How it protects or safeguards the information
    • An explanation of how a consumer may opt out of having his or her information shared through a reasonable opt-out process
63
Q

GLBA opt-out rules

A
  • If notice is given, the institution can share information with affiliated companies and joint marketing partners (no opt out necessary).
  • May share with nonaffiliated companies and other 3rd parties only after notice and opt-out are provided and the opt-out is declined (with exceptions).
  • Can't provide consumer account numbers at all to nonaffiliated third parties for purposes of telemarketing and direct mail marketing.
  • No right to opt out if:
    • the financial institution shares information with outside companies that provide essential services like data processing or servicing accounts
    • the disclosure is legally required
    • the financial institution shares customer data with outside service providers that market the financial company's products or services
64
Q

GLBA Safeguards Rule: Levels of security

A
  1. Administrative security, which includes program definition, management of workforce risks, employee training and vendor oversight
  2. Technical security, which covers computer systems, networks and applications in addition to access controls and encryption
  3. Physical security, which includes facilities, environmental safeguards, business continuity and disaster recovery
65
Q

GLBA Safeguards Rule Must contain

A
  1. Designate an employee to coordinate the safeguards
  2. Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling those risks
  3. Design and implement a safeguard program and regularly monitor and test it
  4. Select appropriate service providers and enter into agreements with them to implement safeguards
  5. Evaluate and adjust the program in light of relevant circumstances, including changes in business arrangements or operations, or the results of testing and monitoring of safeguards
66
Q

CFPB Overview

A
  • The CFPB oversees the relationship between consumers and providers of financial products and services.
  • It holds broad authority to examine, write regulations and bring enforcement actions concerning businesses that provide financial products or services, including service providers.
  • The CFPB has assumed rule-making authority for specific existing laws related to financial privacy and other consumer issues, such as the FCRA, GLBA and Fair Debt Collection Practices Act.
  • It has enforcement authority over
    • all nondepository financial institutions,
    • all depository institutions with more than $10 billion in assets.
    • For depository institutions with assets of $10 billion or less, CFPB promulgates rules but enforcement power remains with banking regulators.
67
Q

CFPB Abusive Acts and Practices Standard

A

An abusive act or practice:

  • Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service, or
  • Takes unreasonable advantage of:
    • a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;
    • the inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or
    • the reasonable reliance by the consumer on a covered person to act in the interests of the consumer

68
Q

Bank Secrecy Act

A
  • Financial institutions must keep records and file reports on certain financial transactions, including currency transactions in excess of $10,000, which may be relevant to criminal, tax or regulatory proceedings
  • The BSA contains regulations relating to reporting of currency transactions, transportation of monetary instruments and the purchase of currency-like instruments
  • As part of the overall anti-money-laundering strategy, financial institutions are required to retain categories of records for use in investigations or enforcement actions
  • Financial institutions must file a Suspicious Activity Report (SAR) in defined situations. The rationale is that SARs can alert government agencies to potentially suspicious transactions.
69
Q

International Money Laundering Abatement and Terrorist Financing Act of 2001

A

For covered financial services companies, the major USA PATRIOT Act compliance issues can be grouped into the following categories:

  • Information-sharing regulations and participation in the cooperative efforts to deter money laundering, as required by Section 314
  • Know Your Customer rules, including the identification of beneficial owners of accounts, with procedures required by Section 326
  • Development and implementation of formal anti-money-laundering programs as required by Section 352
  • Bank Secrecy Act expansions, including new reporting and record-keeping requirements for different industries (such as broker-dealers) and currency transactions

70
Q

The Fair Credit Reporting Act of 1970 (FCRA)

A

Summary:

  1. Limits permissible uses of credit reports
  2. Requires fair and accurate information reporting
  3. Provides right to access and dispute information
  4. Requires notification of adverse actions

Detail:
Mandates accurate and relevant data collection, gives consumers the ability to access and correct their information, and limits the use of consumer reports to permissible purposes, such as employment and extension of credit or insurance.

71
Q

What is considered a consumer report (credit report) under FCRA?

A

Written, oral, or other communication that communicates:

  1. Creditworthiness
  2. Credit standing
  3. Credit capacity
  4. Character
  5. General reputation
  6. Personal characteristics
  7. Mode of living
72
Q

Who is in scope for FCRA?

A

Consumer Reporting Agencies (CRAs) primarily; users of consumer reports and furnishers of information to CRAs also carry duties under the Act.

73
Q

When is sharing a consumer report permitted?

A
  1. Responding to a court order
  2. Acting upon written permission of the consumer
  3. Can use without consent if:
    o Facilitating credit transactions
    o Making employment decisions
    o Underwriting insurance policies
    o Issuing licenses and government benefits
    o Other legitimate business need
  4. Users of credit reports must provide certification of their intended use
  5. Reports must contain fair and accurate information
74
Q

What is the deadline for a consumer dispute regarding the accuracy of a credit report?

A

Consumer disputes about the accuracy of information must be resolved within 30 days

75
Q

What must be included in an Adverse Action notice?

A

  • Contact information for the credit reporting agency that supplied the report
  • Statement that the CRA did not make the decision and cannot explain it
  • Notice of the right to obtain a free copy of the report
  • Notice of the right to dispute the report
  • Any credit score used in the decision

76
Q

What types of penalties may be incurred for violating FCRA?

A

  • Actual damages
  • Punitive damages
  • Legal costs

77
Q

The Fair and Accurate Credit Transactions Act of 2003 (FACTA)

A

Summary:

  1. Consumers may obtain free copies of their credit reports annually
  2. Consumers may place 90-day fraud alerts on their credit files (extended to one year by 2018 amendments). Identity theft victims may extend these alerts for seven years.
  3. Receipts may show no more than the last five digits of a credit or debit card number, and must not show the expiration date
  4. Red Flags Rule
  5. Disposal Rule

Detail:
Expansion of FCRA. Mandates that credit reporting agencies allow consumers to obtain a free credit report once every 12 months. Additionally, it allows consumers to request alerts when a creditor suspects identity theft and gave the FTC authority to promulgate rules to prevent identity theft.
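As an added example (not part of the original flashcards), here is a Python implementation of the receipt-truncation rule from item 3: mask a PAN down to its last five digits, scan receipt text for any full, Luhn-valid card number or printed expiration date, and redact what it finds. The sample receipt is constructed for the example; the asterisk mask style, the receipt layout, and the `EXP mm/yy` label that the expiry regex looks for are this example's assumptions, not anything FACTA specifies.

```python
import re

# FACTA section 605(g) (15 U.S.C. 1681c(g)): a receipt given to the cardholder
# at the point of sale may show no more than the last five digits of the card
# number and must not show the expiration date.
MAX_VISIBLE_DIGITS = 5

# A run of 12-19 digits optionally separated by spaces or dashes (PAN lengths).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")
# "EXP 09/27" style expiry; the label wording is an assumption of this example,
# adjust it to whatever your receipt template actually prints.
_EXP_RE = re.compile(
    r"\bexp(?:ires|iry)?\b\s*:?\s*(0[1-9]|1[0-2])/(\d{4}|\d{2})", re.I
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to tell a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Mask a PAN so that only its last `visible` digits remain.

    Separators are stripped; the asterisk mask is this example's choice.
    """
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    if not 0 <= visible <= MAX_VISIBLE_DIGITS:
        raise ValueError("FACTA allows at most the last five digits")
    keep = len(digits) - visible
    return "*" * keep + digits[keep:]


def find_receipt_violations(receipt: str) -> list[str]:
    """Report untruncated PANs and printed expiry dates in receipt text.

    Only Luhn-valid digit runs count as PANs, so order numbers and timestamps
    of similar length are not flagged.
    """
    problems = []
    for m in _PAN_RE.finditer(receipt):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            problems.append(f"untruncated PAN ending {digits[-4:]}")
    if _EXP_RE.search(receipt):
        problems.append("expiration date printed")
    return problems


def redact_receipt(receipt: str) -> str:
    """Rewrite receipt text so it complies: mask PANs, drop expiry dates."""
    def mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return truncate_pan(digits) if luhn_ok(digits) else m.group(0)
    return _EXP_RE.sub("EXP [redacted]", _PAN_RE.sub(mask, receipt))


# Constructed sample receipt; 4111 1111 1111 1111 is the well-known Visa test PAN.
SAMPLE_RECEIPT = """ACME COFFEE  #0412
2024-03-02 09:14
VISA 4111 1111 1111 1111  EXP 09/27
AUTH 123456
TOTAL $4.25
"""

if __name__ == "__main__":
    print(find_receipt_violations(SAMPLE_RECEIPT))
    print(redact_receipt(SAMPLE_RECEIPT))
```

Running `find_receipt_violations` over the text a point-of-sale template actually emits is a cheap regression check for the truncation rule; the Luhn filter keeps the date and the six-digit authorization code in the sample from being reported as card numbers.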

78
Q

Red Flags Rule

A

  • Written identity theft prevention program
  • Address change validation
  • Notification of address discrepancies

79
Q

Disposal Rule

A

  • Reasonable and appropriate destruction
  • Burn, pulverize or shred paper records
  • Destroy or erase electronic records

80
Q

The Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley or GLBA)

A

Re-organized financial services regulation in the US and applies broadly to any company that is “significantly engaged” in financial activities in the US. Established two key rules:

  1. Privacy
  2. Safeguards
81
Q

GLBA Scope

A
  1. Banks
  2. Non-bank lenders
  3. Financial Advisors
  4. Check-cashing services
  5. Payday lenders
  6. Real estate appraisers
  7. Tax preparers
  8. Mortgage brokers
  9. ATM operators
  10. Colleges and universities.
82
Q

GLBA Privacy Rule

A

Limits how financial institutions may collect and share nonpublic personal information

83
Q

GLBA Safeguards Rule

A

requires that financial institutions develop a written information security plan to protect consumer data

84
Q

GLBA Privacy Notices

A
  1. Provided to customers annually
  2. Describe privacy policies and practices
  3. Disclose third-party information sharing
  4. Describe information security policies and practices
85
Q

Who is a consumer under GLBA?

A

Individuals who engage in transactions with a financial institution

86
Q

Who is a customer under GLBA?

A

Consumers who have an ongoing relationship with the institution. Customers must receive the institution’s full privacy notice.

87
Q

Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010

A

Reshaped the US regulatory systems in a number of areas including but not limited to consumer protection, trading restrictions, credit ratings, regulation of financial products, corporate governance and disclosure and transparency.

The Dodd-Frank Act established the Consumer Financial Protection Bureau (CFPB) and granted it the power to regulate unfair, deceptive, or abusive acts and practices.

88
Q

Consumer Financial Protection Bureau (CFPB)

A

Created by the Dodd-Frank Act, the CFPB was intended to consolidate oversight of the consumer financial industry. It is an independent bureau within the Federal Reserve System, and at its creation took on rule-making authority to act against "abusive acts and practices" as specified by the Dodd-Frank Act.

89
Q

GLBA Security Plans

A

Must:

  1. Designate one or more responsible employees
  2. Identify and assess risks
  3. Evaluate safeguard effectiveness
  4. Monitor and test safeguards
  5. Use secure service providers
  6. Evaluate and adjust the program