Companies, accounting firms, and financial institutions that sell financial products and services will need to ensure they’re doing so in line with the Gramm-Leach-Bliley Act (GLBA). The GLBA, which is enforced by the Federal Trade Commission (FTC), describes the numerous disclosure requirements, security measures, and information-sharing restrictions that certain companies and institutions substantially involved in the financial sector must follow when collecting and handling sensitive customer and consumer data. The FTC Privacy of Consumer Information Rule is one of several laws the FTC relies on to enforce the GLBA’s requirements. This FTC rule allows the agency to take action against companies that improperly inform, or fail to inform, current and prospective clients about their data collection and sharing activities.
This rule impacts all financial product and service providers that the GLBA considers to be substantially engaged in selling financial products and services to customers. The GLBA uses an all-encompassing definition of “financial service provider” that covers not only traditional financial institutions such as banks and loan issuers, but also accountants, tax preparers, investment advisors, debt collectors, finance-specific career counselors, tax law firms, and real estate settlement agencies. In addition, these providers must be offering financial products and services to customers as opposed to consumers. The types of sensitive information that the FTC rule wants organizations to provide disclosures about are also fairly broad. They include individuals’ names, contact information, and other data they’d normally supply on a financial product or service application. They also cover any credit and debit card payment history data, deposit balances, account records, and payment records. Customers of a provider are entitled to receive a privacy notice regardless of whether the provider shares their information with third parties.
The act mandates different notice requirements for customers and consumers of a financial service provider. Clients who have ongoing relationships with financial institutions are considered customers, such as when they open credit cards with the institution or secure a loan from a bank. Consumers, on the other hand, are non-business-entity clients or prospective clients who share their data with the institution for occasional or one-time transactions, such as depositing checks or submitting loan applications. This distinction is important because while customers are entitled to receive at least an annual privacy notice even if their data won’t be shared with nonaffiliated business partners, consumers aren’t entitled to the same unless the provider does share their data with other parties. The privacy notice itself must include information about what sensitive information you collect and disclose, along with the categories of affiliated and outside business partners you share this information with. Providers will also need to identify what data they provide to marketers and service providers, provide additional information about their opt-out procedures, and include mandatory Fair Credit Reporting Act disclosures. All providers, however, must include detailed information about the safeguards they’re using to protect customer data, regardless of whether they actually share or sell it to other third-party organizations.
To ensure compliance with federal data collection disclosure rules, you’ll need to report that you’re making efforts to protect your clients’ and consumers’ data. Moving and storing this sensitive information in an encrypted cloud-hosted environment is one efficient, cost-effective way to do this. Contact us to see how Abacus Private Cloud can help you meet your data collection notice requirements.