Module 7: Financial Privacy Flashcards
Includes FCRA, GLBA, and other financial privacy rules
What are the 2 reasons financial records have traditionally been treated with high confidentiality levels?
- To encourage borrowers to report honestly to lenders about their debts and ability to pay
- To keep sensitive financial data secure against misuse, such as fraud and identity theft
Describe the main objectives of the FCRA
- FCRA regulates the consumer reporting industry and provides privacy rights in consumer reports
- It mandates accurate and relevant data collection
- It provides consumers with the ability to access and correct their information
- It limits the use of consumer reports to defined permissible purposes
- It regulates any CRA that furnishes a “consumer report”
Define the term Consumer Reporting Agency (CRA)
Any person or entity that regularly assembles or evaluates consumer information for the purpose of furnishing consumer reports to 3rd parties for a fee (e.g., Equifax, Experian, TransUnion)
Explain when the main obligations under the FCRA kick in
When information in a consumer report is used as a factor in determining a consumer’s eligibility for credit, insurance, employment, or another permissible business purpose (the user of the report must notify the consumer when it takes an adverse action based on the report)
Detail 3 enforcement mechanisms available under the FCRA
- Dispute Resolution (the consumer can file a request with the CRA to dispute accuracy of the information)
- Private Litigation
- Government Actions (violations can be brought by the FTC, CFPB, and state AGs)
Discuss the concept of an “adverse action” against a consumer
Adverse action is defined very broadly to include all business, credit, insurance and employment actions that negatively affect the consumer (e.g., denial of credit or employment, or less favorable terms)
Explain the restrictions on employers using consumer reports
- Prior written authorization must be obtained from the consumer
- The information cannot be used in violation of any federal or state equal opportunity law or regulation
- Before any adverse action is taken based on the consumer report, a copy of the report and a summary of the consumer’s rights must be provided to the consumer
- For “Investigative Consumer Reports” (reports based on personal interviews about character, reputation or lifestyle), special rights under FCRA include:
- User of the report must disclose to the consumer that such a report may be obtained
- Disclosure must be in writing and must be mailed or delivered to the consumer not later than 3 days after the date the report was first requested
- The disclosure must inform the consumer of their right to request further information about the nature and scope of the investigation
Describe the FACTA amendments related to state preemption
FACTA preempted stricter state laws in most areas, with some exceptions:
- States retain some powers to enact laws addressing identity theft
- States retain some powers related to credit scores (CA, CO)
- States retain some powers related to frequency of free credit reports (CO, GA, ME, MD, MA, NJ, VT)
Define the 2 rules related to privacy that came from the FACTA amendments
- The Disposal Rule: Requires any individual or entity that uses a consumer report for a business purpose to dispose of that info in a way that prevents unauthorized access and misuse of the data
- The Red Flags Rule: Requires certain financial entities to develop and implement written identity theft programs that can identify and respond to the “red flags” that signal possible identity theft
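The Red Flags Rule leaves it to each covered institution to decide what its red flags are and how it responds to them. The following is an added example, not part of these flashcards or of the Rule’s text: a small detector that runs over constructed account-activity events and flags two patterns listed among the example red flags in Supplement A to the Rule (an address-discrepancy notice from a CRA, and a request for a replacement card shortly after a change of address), then maps each flag to a response of the kind the Supplement suggests. The 30-day window, the event format and the sample accounts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    """One account-activity record. The schema is an assumption for this example."""
    account: str
    when: datetime
    kind: str          # "address_change", "card_request" or "address_discrepancy"
    detail: str = ""

# How soon after an address change a card request counts as suspicious.
# The Rule says "shortly following"; the 30-day figure is our assumption.
CARD_AFTER_ADDRESS_WINDOW = timedelta(days=30)

# Responses of the kind Supplement A lists as appropriate; which one applies
# to which flag is a policy choice made here for illustration.
RESPONSES = {
    "ADDRESS_DISCREPANCY": "Verify the consumer's identity before opening or updating the account",
    "CARD_AFTER_ADDRESS_CHANGE": "Contact the customer at the previous address/phone before issuing the card",
}

def find_red_flags(events):
    """Return (account, flag, description) tuples for every red flag found."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_account.setdefault(ev.account, []).append(ev)

    flags = []
    for account, evs in by_account.items():
        last_address_change = None
        for ev in evs:
            if ev.kind == "address_discrepancy":
                # A CRA reported that the address on the application does not
                # match the address in its file for this consumer.
                flags.append((account, "ADDRESS_DISCREPANCY",
                              f"CRA address discrepancy: {ev.detail}"))
            elif ev.kind == "address_change":
                last_address_change = ev
            elif ev.kind == "card_request" and last_address_change is not None:
                gap = ev.when - last_address_change.when
                if gap <= CARD_AFTER_ADDRESS_WINDOW:
                    flags.append((account, "CARD_AFTER_ADDRESS_CHANGE",
                                  f"card requested {gap.days} days after address change"))
    return flags

def respond(flags):
    """Map each detected flag to the response the program prescribes for it."""
    return [(account, flag, RESPONSES[flag]) for account, flag, _ in flags]

# Constructed sample data (not real accounts).
SAMPLE_EVENTS = [
    Event("A-1001", datetime(2024, 3, 1), "address_change", "new mailing address"),
    Event("A-1001", datetime(2024, 3, 10), "card_request", "replacement card"),
    Event("A-2002", datetime(2024, 1, 1), "address_change", "new mailing address"),
    Event("A-2002", datetime(2024, 4, 15), "card_request", "replacement card"),  # outside window
    Event("A-3003", datetime(2024, 2, 5), "address_discrepancy", "file address differs from application"),
]

if __name__ == "__main__":
    for account, flag, action in respond(find_red_flags(SAMPLE_EVENTS)):
        print(f"{account}: {flag} -> {action}")
```

Account A-2002 shows why the window matters: a card request months after an address change is ordinary activity, and treating every such pair as a red flag would bury the real ones. Real programs draw events from core banking and CRA feeds and log the response taken for each flag, since the Rule expects the program to be administered and updated, not just written.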
Discuss 2 major changes in the financial industry resulting from GLBA
- Eliminated legal barriers to affiliations among banks, securities firms, insurance companies and other financial services companies
- Added privacy restrictions requiring secure storage of personal financial info, notices of info sharing policies, and opt-out rights related to sharing some personal info
Describe those entities who have the power to enforce GLBA
- Federal financial regulators enforce GLBA for the institutions in their jurisdiction (e.g., Federal Reserve, Office of the Comptroller of the Currency, FDIC, NCUA, SEC for securities firms, and state insurance regulators for insurers)
- CFPB has rulemaking and enforcement authority for the GLBA Privacy Rule (Regulation P) for most non-bank financial institutions; the FTC retains Privacy Rule authority for certain entities (e.g., auto dealers) and enforces the Safeguards Rule for non-bank financial institutions
- State AGs can enforce at the state level
Distinguish between a consumer and a customer under GLBA
- Consumers: Individuals who obtain financial products or services from a financial institution to be used primarily for personal, family, or household purposes (e.g., a one-time loan applicant). Must be given a privacy notice and an opportunity to opt-out before their info is disclosed to nonaffiliated 3rd parties
- Customers: Consumers with whom the organization has an ongoing relationship (e.g., an account holder). Must receive a privacy notice when the relationship is established and annually thereafter
List the requirements for the privacy notice under GLBA’s Privacy Rule
Financial institutions must provide an initial privacy notice to customers when the relationship is established and an annual notice for as long as it continues; consumers who are not customers must receive a notice before their info is shared with nonaffiliated 3rd parties. The privacy notice must include:
- what info the institution collects about its consumers and customers
- with whom it shares the info
- how it protects the info
- an explanation of how a consumer may opt-out (through a reasonable opt-out process)
Explain the 3 levels of security mentioned in GLBA’s Safeguards Rule
- Administrative: Program definition, management of workforce risks, employee training and vendor oversight
- Technical: Computer systems, networks and applications, access controls and encryption
- Physical: Facilities, environmental safeguards, business continuity, and disaster recovery
Explain the components of the system required by the NY Financial Regulation
The NYDFS Cybersecurity Regulation (23 NYCRR Part 500) is a prescriptive cybersecurity rule for entities licensed by the New York Department of Financial Services. It has rules for:
- risk assessments
- documentation of security policies
- designation of a CISO
- limitations on data retention
- incident response plan
- audit trails
- notices to the superintendent of cybersecurity events (within 72 hours of determining one has occurred)