Federal Deposit Insurance Corporation

Privacy Rule Handbook

Section One:

Overview of privacy rule requirements

The privacy rule governs when and how banks may share nonpublic personal information about consumers with nonaffiliated third parties.

The rule embodies two principles - notice and opt out. In summary:

A few key terms used throughout the privacy rule are critical to understanding the rule's scope and application. Refer to Section Four of this guide for an explanation of:

Exceptions to opt out: A consumer cannot opt out of all information sharing. First, the privacy rule does not govern information sharing among affiliated parties. Second, the rule contains exceptions to allow transfers of nonpublic personal information to unaffiliated parties to process and service a consumer's transaction, and to facilitate other normal business transactions. For example, consumers cannot opt out when nonpublic personal information is shared with a nonaffiliated third party to:

Applying exceptions: A bank may have to satisfy disclosure and other requirements to make the rule's opt out exceptions applicable. For example, the joint marketing exception requires a contractual agreement between two nonaffiliated financial institutions to:

  1. jointly offer, endorse, or sponsor the financial product or service, and
  2. limit further use or disclosure of the consumer information transferred

In addition, the bank must include a separate statement in the privacy notice disclosing the joint marketing agreement.

Prohibition on sharing account numbers: The privacy rule prohibits a bank from disclosing an account number or access code for credit card, deposit, or transaction accounts to any nonaffiliated third party for use in marketing. The rule contains two narrow exceptions to this general prohibition. A bank may share account numbers in conjunction with marketing its own products as long as the service provider is not authorized to directly initiate charges to the accounts. A bank may also disclose account numbers to a participant in a private label or affinity credit card program when the participants are identified to the customer. An account number does not include a number or code in encrypted form as long as the bank does not also provide a means to decode the number.

Limits on reuse and redisclosure: The privacy rule limits reuse and redisclosure of nonpublic personal information received from a nonaffiliated financial institution or disclosed to a nonaffiliated third party. The specific limitations depend on whether the information was received pursuant to or outside of the notice and opt out exceptions.

State Law: A provision under a State law that provides greater consumer protection than the GLBA privacy provisions will supersede the Federal privacy rule. The bank will be obligated to comply with the provisions of that State law to the extent those provisions provide greater consumer protection than the Federal privacy rule. The Federal Trade Commission determines whether a particular State law provides greater protection.

Privacy Notices

Every bank must develop initial and annual privacy notices - even if the bank does not share information with nonaffiliated third parties.

Content of notices: The initial, annual, and revised notices include, as applicable:

A revised notice may be required when a bank changes its information sharing practices.

The following table reflects the rule's requirements for delivering initial, annual, and revised notices to consumers and customers.

Opt Out Notice

The final rule provides that an opt out notice is adequate if it:

The table below summarizes the rule's requirements for delivering an opt out notice.

The opt out right: If a bank intends to share nonpublic personal information outside the exceptions, it must also:

Delivering notices: The initial, annual, revised, and opt out notices may be delivered in writing or, if the consumer agrees, electronically. An oral description of the notice is not sufficient.

Section Two:

Get Ready for July 1, 2001

A bank's strategy for achieving full compliance by July 1, 2001, will vary depending on the complexity of the bank and the progress it has already made in complying with the requirements of the rule. The level of effort a bank will expend depends in large part on:

Nearly all banks, however, can take the following four steps to create a comprehensive and effective privacy compliance strategy:

1. Establish a timeline for compliance

A timeline designating important checkpoints prior to July 1, 2001, is a good place to start and can be instrumental to ensuring timely compliance.

A specific process for certifying completion of the various steps identified in the bank's privacy compliance strategy will help managers keep track of progress. When establishing due dates for specific activities, build in time to receive input and feedback from senior management and other stakeholders. Every bank should consider:

2. Develop privacy policies and notices

Use this opportunity to evaluate and establish institutional privacy objectives, and communicate to potential customers and consumers the bank's customer service philosophy.

Affiliates: If a bank has any affiliates, the inventory should include information-sharing practices with affiliates. Although the privacy rule does not place any restrictions on information sharing with affiliates, it does require disclosure of these practices in the initial and annual notices. Furthermore, the privacy rule requires the initial and annual notices to include applicable Fair Credit Reporting Act affiliate information sharing opt out notices.

When drafting privacy notices, consider:

Most likely, the initial and annual privacy notices will be identical. If required, the opt out notice may be combined with the initial and annual notices.

The Proposed Security Standards for Customer Information describe the agencies' expectations for implementing technical and physical safeguards to protect customer information. The Proposed Fair Credit Reporting Regulations cover the opt out provisions of the Fair Credit Reporting Act.

Both proposals will be finalized in the near future. When issued, the final rules will be available on the FDIC's Web site: www.fdic.gov. In the meantime, the proposals are posted on the Web site.

3. Deliver notices

Opt out notices for joint account holders: The privacy rule allows banks to provide a single privacy and opt out notice when two or more consumers jointly obtain a financial product or service. However, any of the joint consumers may exercise the right to opt out. The opt out notice provided to joint account holders must explain how the bank will treat an opt out direction by a joint consumer and must give one joint consumer the ability to opt out on behalf of all the joint consumers.

4. Prepare to respond to consumers

Section Three:

Maintaining Compliance Beyond July 1, 2001

The following activities can help a bank achieve and maintain compliance with the privacy rule.

The interagency exam procedures will be mailed directly to insured depository institutions as soon as they are finalized. The procedures will also be available on the FDIC's Web site at www.fdic.gov when complete.

Section Four:

Learn the Lingo

Learning the lingo will help you understand and comply with the privacy rule. This section provides an explanation of key terminology.

Who must comply with the FDIC's privacy rule?

The FDIC's privacy rule refers to financial institutions that must comply with the rule as "you." For example, when the rule states that "you must provide a notice" it means all entities subject to this rule must provide a notice. The following definition of "you" explains the types of entities subject to the rule:

You: The banks that must comply with the FDIC's rule are -

Although the FDIC's rule only applies to certain banks and some of their subsidiaries, all financial institutions must comply with similar privacy rules adopted by their supervisory agencies. For example, although securities subsidiaries of FDIC-supervised banks do not have to comply with the FDIC's privacy rule, they do have to comply with a similar privacy rule adopted by the Securities and Exchange Commission.

Who is protected by the privacy rule?

The privacy rule protects "consumers." All consumers receive the same privacy protections.

However, a subset of consumers defined as customers must receive certain disclosures, such as an annual privacy notice, that need not be provided to consumers who are not customers.

Thus, it is important to know the distinction between consumers and customers to understand the different disclosure requirements under the privacy rule.

Consumer: Any individual who is seeking to obtain or has obtained a financial product or service from a bank for personal, family, or household purposes is a consumer of that bank. The definition of consumer includes individuals who:

Customer: As the following diagram reflects, customers are a subset of consumers. A customer is a consumer with whom a bank has a continuing relationship. Although the rule does not define "continuing relationship," it provides examples of transactions that are and are not considered continuing relationships. Consumers who have a deposit account, obtain a loan, or obtain an investment advisory service are considered customers. See Section 332.3(i).

A diagram displaying two concentric circles. The larger circle represents consumers and a smaller circle within the larger circle shows customers as a subset of consumers.

Additional guidance regarding the customer relationship can be found in the Supplemental Information (the preamble) of the rule, which notes that a continuing relationship is established "where a consumer typically would receive some measure of continued service following, or in connection with, a transaction." See page 35168, Federal Register, Vol. 65, No. 106.

The next diagram depicts the relationship between all individuals who do business with a bank and those who meet the regulatory definitions for consumers and customers. As the diagram shows, only a portion of the individuals who conduct business with a bank are consumers under the privacy rule. For example, individuals are not considered consumers under this rule if they are commercial clients, grantors or beneficiaries of trusts for which the bank is trustee, or participants in an employee benefit plan that the bank sponsors.

A diagram depicting the relationship between all individuals who do business with a bank and those who meet the regulatory definitions for consumers and customers.

What type of information is protected by the privacy rule?

The rule identifies three primary categories of information:

Nonpublic personal information is the category of information protected by the privacy rule. The definitions for publicly available information and personally identifiable financial information work together to describe and define nonpublic personal information.

Personally identifiable financial information also includes any information that "is disclosed in a manner that indicates that the individual is or has been your consumer." See Section 332.3(o)(2)(i)(D). Thus, the very fact that an individual is a consumer of a bank is personally identifiable financial information.

A list is considered nonpublic personal information if it is generated based on customer relationships, loan balances, or other personally identifiable financial information that is not publicly available. A list is also considered nonpublic personal information if it contains any nonpublic personal information.

For example, in jurisdictions where mortgage documents are public records, a list of the names and addresses of all individuals for whom a bank holds a mortgage would not be nonpublic personal information, since it was generated using publicly available information and contains only publicly available information. The list would become nonpublic personal information, however, if it contained current loan balances or if it was generated using only those customers with current mortgage loan balances in excess of a certain amount.

The two categories of nonpublic personal information are depicted in the following diagram.

Diagram: the two categories of nonpublic personal information, personally identifiable financial information and lists derived from it.

Who are nonaffiliated third parties?

The privacy rule restricts information sharing with nonaffiliated third parties. The rule defines a nonaffiliated third party as any person or entity other than an affiliate of the bank or a person jointly employed by the bank and a nonaffiliated third party. Affiliates generally include a bank's subsidiaries, its holding company, and any other subsidiaries of the holding company. See Section 332.3(a), Section 332.3(d), and Section 332.3(g).

The privacy rule does not impose limitations on information sharing with affiliates. It does, however, require disclosure of such information sharing policies and practices. (Note: The rules governing the sharing of information between a bank and its affiliates are set forth in the Fair Credit Reporting Act.)

Although the privacy rule most commonly uses the term "nonaffiliated third parties," there are some instances in which a distinction is made between nonaffiliated financial institutions and all other nonaffiliated third parties. Readers should pay particular attention to these distinctions. See Section 332.13.

Other Resources

A variety of resources are available to help banks understand the privacy rule and related issues. Some of the most significant are listed below. All FDIC material can be found at www.fdic.gov.