The Government Accountability Office (GAO) published a report finding that the current model privacy form gives consumers only a limited understanding of financial institutions' information-sharing practices. The GAO recommended that the Consumer Financial Protection Bureau (CFPB) update the form and consider adding more information about third-party sharing.
The increasing amounts of and changing ways in which industry collects and shares consumer personal information, including from online activities, highlight the importance of clearly disclosing practices for collection, sharing, and use. However, our work shows that banks and credit unions generally used the model form, which was created more than 10 years ago, to make disclosures required under GLBA. As a result, the disclosures often provided a limited view of how banks and credit unions collect, use, and share personal information. We recognize that the model form is required to be succinct, comprehensible to consumers, and allow for comparability across institutions. But, as information practices continue to change or expand, consumer insights into those practices may become even more limited. Improvements and updates to the model privacy form could help ensure that consumers are better informed about all the ways that banks and credit unions collect, use, and share personal information. For instance, in online versions of privacy notices, there may be opportunities for readers to access additional details, such as through hyperlinks, in a manner consistent with statutory requirements.
The GAO report stated that the CFPB neither agreed nor disagreed with the recommendation to update the model form. The bureau said it would consider doing so, adding that any update would require a joint rulemaking with the other agencies that share authority over the form.
In preparing the report, the GAO reviewed examples of Regulation P violations cited in examinations, including the following:
- A bank's hyperlink to its privacy notice was broken, so the bank failed to provide the notice to consumers.
- A bank's initial privacy disclosure did not contain the language required by the regulation and, in some instances, contained incorrect language.
- A bank's privacy notices incorrectly stated that the bank could collect and share checking account information with nonaffiliated third parties, which the regulation prohibits.
- Some bank customers who opted out of having their personal information shared with a nonaffiliated third party were nonetheless included in that third party's marketing programs.
- A bank failed to provide an accurate initial privacy notice before disclosing nonpublic personal information to a nonaffiliated third party. A lapse in the bank's oversight of its joint marketing agreement with that third party contributed to the release of customer account numbers to the third party.
- A credit union sold nonpublic personal information to a third-party insurance company for joint marketing purposes without communicating this to its membership through an adequate privacy disclosure and an option to opt out.
- A credit union's privacy notice did not align with its actual practices. The notice stated that the credit union shares information with affiliates, but it had no affiliates and did not share information in practice.
Please be advised that CSG provides financial services compliance audit and consulting services to our clients. The services that we provide include certain tasks that may be characterized as "law-related services" under Rule 5.7 of the Rules of Professional Conduct governing lawyers. Because some of our employees are lawyers with an active bar license who are NOT engaged in the private practice of law, that Rule requires us to disclose that the services we perform may be law-related services but are not legal services. Because they are not legal services, those services and our relationship with you will not be governed by the Rules of Professional Conduct that guide the client-lawyer relationship, such as the rules applicable to privileged communications and the prohibitions on conflicts of interest. Notwithstanding this disclaimer, we will continue to conduct our relationship with you according to reasonable ethical and professional standards that we expect will meet your expectations.