You'll be able to limit the personal information that banks and other financial institutions provide to other companies. Here's help for you in deciding what's best.
Watch your mail. You'll soon be
receiving an important message from your bank and other financial institutions you've had dealings with over the years. It's a notice explaining that you, for the first time, can decide whether certain information these institutions have about you can be shared with or sold to other companies that are not part of the same parent organization.
The federal Gramm-Leach-Bliley Act of 1999 created this new opportunity for you as a way to balance your right to privacy with financial institutions' need to share information for normal business purposes. Some consumers don't object to information sharing—they want their names on mailing and telephone lists so they can easily find out about new products and services. But other consumers want fewer solicitations and more privacy. If you're in the latter category, you have some important new responsibilities if you want to take advantage of your new rights.
"You need to be observant," says Ken Baebel, Assistant Director of the FDIC's Division of Compliance and Consumer Affairs. "You need to look for these notices, which may come as part of a monthly statement or as a separate mailing. You also need to understand whether an institution intends to share personal information with other companies and, if so, what you can do to prevent information sharing, if that's what you want. Otherwise, it will be up to the institution to decide who gets details about you and your finances."
You can expect to receive a lot of these notices in the coming months because the new law applies to many types of financial institutions. The law covers banks, savings and loans, credit unions, insurance companies and securities firms. It even includes some retailers and automobile dealers that collect and share personal information about consumers to whom they extend or arrange credit. Also, while the rules from the FDIC and other federal agencies say these notices to consumers must be accurate, clear and conspicuous, we know there's a lot to consider before you decide what's best for you. That's why FDIC Consumer News has developed the following question-and-answer format to help you understand your new rights to financial privacy and what you need to do to exercise those rights.
What kinds of personal information do financial institutions collect and share with other businesses?
Many financial institutions collect information about their customers as a regular part of their business of providing products or services. Examples: When you apply for a loan, you provide your name, phone number, address, income, and details about your assets. When the institution is considering your application, it may collect additional details from other sources, such as credit reports prepared by credit bureaus. And as you use a financial product—a credit card, for example—your institution will have a record of how much you buy and borrow, where you like to shop, and whether you repay your balance on time. Some (but not all) financial institutions share this information with other entities—including completely unaffiliated companies such as retailers, telemarketers, airlines and non-profit organizations—to help them target consumers who might be interested in their products or programs.
How does the Gramm-Leach-Bliley Act protect my financial privacy?
First, the new law requires
each financial institution to tell
its customers about the kinds of information it collects and the types of businesses that may be provided that information.
This disclosure, called the
privacy notice, is intended to
help you decide whether you
are comfortable with that information-sharing arrangement. The notice has to be mailed to you by July 1, 2001, by any institution where you already have an account. If you open an account with a different institution after July 1, you must be given a copy of the privacy notice at that time. Financial institutions also are required to send a privacy notice to customers once a year.
Second, the law says that if your financial institution intends to share your information with anyone outside its corporate family, it also must give you the chance to "opt out" or say "no" to information sharing under certain circumstances. Even consumers who are not technically customers of a financial institution—such as former customers or people who unsuccessfully applied for a loan or credit card—will have the right to opt out of information sharing with outside companies.
Third, the law requires that financial institutions describe
how they will protect the confidentiality and security of your information.
When I receive a privacy notice, what should I look for?
We encourage you to read the entire notice carefully. You may, though, want to focus on your financial institution's descriptions of the following:
- The kind of information it shares with other parts of the same company, likely to be described as "members of our corporate family" or "our affiliates";
- The information it shares with other companies or organizations that are not part of the same corporate group as your financial institution, perhaps called "nonaffiliated third parties";
- What information you can prevent your financial institution from sharing with other companies or organizations; and
- How you go about opting out, if that's what you want to do.
Will the privacy notice list exactly what information the financial institution wants to share, and with whom?
No. The regulations say the privacy notice must describe the basic categories of information a financial institution collects and shares with other entities, and give examples. But a financial institution is not required to list every type of information it may gather or share, or tell you the names of specific companies or organizations that may buy or receive your information. If you have questions or concerns, contact your financial institution at the address or phone number listed in its privacy notice.
| "You need to look for these notices. You also need to understand whether an institution intends to share personal information with other companies."
Ken Baebel, FDIC consumer affairs expert |
What kind of information can I stop an institution from sharing?
You have a general right to block the sharing of non-public personal information with outside companies and organizations, but there are exceptions (as explained in the next question and answer). Also, your institution may remind you that a law passed several years ago, the Fair Credit Reporting Act, gives you limited rights to stop selected information-sharing with affiliates.
What information can't I prevent from being shared, even if I opt out?
Under the new law, you cannot bar an institution from providing personal information to outside companies and organizations if, for instance:
- The information is needed to help conduct normal business. Example: Your bank can send personal information to outside firms that help market the institution's products, handle its data processing (for your loan payments, checking account statements, electronic banking transactions or credit card purchases), or mail account statements.
- The information is needed to protect against fraud or unauthorized transactions, or is provided in response to a court order.
- The institution reasonably believes the information is "publicly available." Robert Patrick, an FDIC consumer law attorney in Washington, explains that publicly available information "includes your name, address, and telephone number as they appear in the telephone book, information about your home mortgage recorded in county records, or information that would be found on your driver's license if that information is available from your state's department of motor vehicles."
- The information is used as part of a "joint marketing agreement." That's a situation in which two or more financial institutions—say, a bank and insurance company—agree to jointly offer, endorse or sponsor the same products or services.
In addition, the Fair Credit Reporting Act says an institution has a right to give an affiliate any information obtained from your transactions with that institution. Example: Your bank can give an affiliated insurance company details about your deposit accounts. This could be useful information if, say, the insurer wants to offer you an annuity as an investment when one of your CDs is about to mature. Even though you cannot prevent this information from being shared, the bank still must tell you about these practices in its privacy notice.
How do I know if I should opt out?
It depends on how the information is shared... and it depends on your viewpoint. If a financial institution widely shares your personal information with other businesses, you'll get more mail, phone calls or other unsolicited promotions than if you decide to opt out. Some consumers see information sharing as a plus because it helps them shop from home or find out about new products and services, including potentially good deals on a new loan, insurance policy or investment. Other consumers say they don't want so many solicitations from telemarketers and mail advertisers, and they don't want a lot of other businesses and people knowing about their finances or spending habits. You must decide what's best for you.
"If you opt out, your bank will still be able to share personal information about you with outside entities in certain circumstances, but you will be putting a limit on at least some information sharing," adds the FDIC's Patrick. "If you don't opt out, your bank can sell information about you to any business or person, and there are few restrictions on how that information might be used."
The FDIC's Baebel suggests that you review your institution's privacy notice and "ask yourself if you're comfortable with the types of businesses receiving your personal information, and with what they are likely to do with the information." If you have questions or concerns, he says, contact your institution. "Banks and other financial institutions are interested in maintaining good customer relations," Baebel adds. "They should be more than willing to explain how they use your information, how they protect that information, and the circumstances in which they share information with other businesses or people."
You can also get general guidance by contacting the government agencies listed in
"For More Help or Information Regarding Your Rights to Financial Privacy".
Before I decide whether to opt out, am I entitled to a copy of the information my bank might share with other companies, and will I have a chance to correct errors?
The Gramm-Leach-Bliley Act doesn't require your bank to give you access to the information it collects or a chance to make changes. However, if you have concerns, you can ask your bank if it will voluntarily let you see your personal records and comment on their accuracy. Banks do let customers review their personal information under certain circumstances.
How much time will I have to decide whether to opt out?
Federal regulations didn't set strict deadlines. The rules instead say that a consumer must be given a reasonable opportunity to opt out. You'll probably have about 30 days to reply to an opt-out notice delivered by mail. In limited instances, though, such as when you're using another bank's ATM machine, you may be asked to make a decision about opting out right then and there. If an institution doesn't get a response from you by its deadline, it can assume that you have decided not to opt out.
| "If you opt out, your bank
will still be able to share information about you with outside entities in certain circumstances, but you will be putting a limit on at least
some information sharing."
Robert Patrick, FDIC attorney |
If I decide to opt out, do I have to notify the institution in a certain way?
Yes, most likely. That's because the institution can establish a procedure that everyone must use to opt out, provided that it is reasonable. So, be sure to check the instructions that come with your privacy notice. For example, your bank may require you to call a certain telephone number, not just any number at the bank. Or, it may require you to complete a form and mail it to a specific address. Patrick adds that "even if you call the bank to opt out, it's a good idea to also notify it in writing and to keep a copy of your written notice for your records."
What if I decide against opting out now but I later change my mind, or what if I forget to opt out by the due date?
You can always opt out, even months or years from now. But, be aware that any opt-out request only covers the sharing of information in the future. There is no requirement that a financial institution contact the organizations it has already shared your information with and tell them they cannot use that information any more.
If I have an account at a bank jointly with other people, do we all need to agree on whether to opt out?
If the bank sends separate notices to each account holder, each person can choose for himself or herself. However, because the rules allow banks to provide a single opt-out notice when two or more customers have a joint account, it's important to pay attention to what the bank says about opt-out requests. If, for example, the bank sends separate notices to two owners of a joint account and only one of them responds, the bank may continue sharing the other person's information. "If you receive an opt-out notice from a bank where you have a joint account, be sure to discuss that information with the other people who share that account with you," Patrick says. "That way, if any of you decide to opt out, you can do so properly."
Final Thoughts
Your right to financial privacy is important. And thanks to the new privacy law, you now have more of a say in how much of your information financial institutions may share with other companies. It's up to you to take advantage of these protections. Watch for the privacy notices from your financial institutions, read them carefully and follow the instructions if you decide to exercise your right to opt out. If you have questions, contact your financial institution or one of the federal regulatory agencies on our "For More Help..." and "For More Information" pages. We hope that the information we've provided here will help you understand your rights... and help you make decisions that are right for you.
You'll be able to limit the personal information that banks and other financial institutions provide to other companies. Here's help for you in deciding what's best.
Do you have your own questions about how financial institutions may collect and share customer information or what you can do to protect your financial privacy? Please send them to us. The best questions—and the answers—may appear in an upcoming issue of our newsletter. Write to: FDIC Consumer News, 550 17th Street, NW, Washington, DC 20429. You also can send an e-mail to