The FDIC and other federal regulators have issued new rules to inform consumers about their rights to financial privacy, including when and how they can prevent an institution from sharing personal information with other companies.
The rules will implement privacy-related sections of the Gramm-Leach-Bliley Act of 1999. With that law and the new rules, the federal government is trying to strike a balance between the individual's desire for privacy and the benefits to consumers in general from the free flow of information. "Many in the financial industry argue that the unrestricted flow of data results in cost efficiencies, convenience, competition and innovation in financial services," says Deanna Caldwell of the FDIC's Division of Compliance and Consumer Affairs. "The new privacy rules give individuals a voice and a choice in this debate for the first time."
The new law requires financial institutions to explain their privacy policies to customers when accounts are opened and at least once a year thereafter. These written notices must clearly describe the financial institution's practices and policies about collecting and sharing "nonpublic personal information." For example, a typical disclosure might explain that your bank shares information about your account balance, payment history and credit card purchases with non-financial companies, such as retailers, direct marketers and publishers.
Of special importance is a provision of the law that gives consumers the right to block an institution's disclosure of private information to companies not affiliated with that institution. This process is known as "opting out." Under the new rules, even people who are not technically customers of a financial institution—such as former customers or people who applied for but didn't obtain a loan or credit card—will have the right to opt out of information sharing with outside companies. This authority to opt out does not apply to all information sharing with outside firms. For example, the law allows the sharing of information with nonaffiliated third parties to market the institution's products, handle its data processing or mail account statements.
While the rule becomes effective November 13, 2000, compliance will be voluntary until July 1, 2001, primarily to give institutions extra time to prepare for the new privacy standards.
The rules were issued jointly by the FDIC, the Office of the Comptroller of the Currency, the Federal Reserve Board and the Office of Thrift Supervision. The National Credit Union Administration, the Federal Trade Commission and the Securities and Exchange Commission will have comparable rules for the institutions and companies they regulate that provide financial products or services. Under the FTC's rule, for example, credit bureaus are limited in their ability to sell nonpublic personal information to third parties such as direct mail and telemarketing companies.
