You can limit the personal information that banks and other financial institutions provide to other companies. Here's help for you in deciding what's best.
The federal Gramm-Leach-Bliley Act of 1999 created a new opportunity for you to limit the transfer of your personal financial information. The law attempts to balance your right to privacy with financial institutions' need to share information for normal business purposes. Some consumers don't object to information sharing—they want their names on mailing and telephone lists so they can easily find out about new products and services. But other consumers want fewer solicitations and more privacy. If you're in the latter category, you have some important new responsibilities if you want to take advantage of your new rights.
It’s important that you read the mail you receive from your bank and other financial institutions. The law requires these companies to explain how they use and share your personal information. The law also allow you to stop or “opt out” of certain information sharing. "You need to be observant," says Ken Baebel, Assistant Director of the FDIC's Division of Compliance and Consumer Affairs. "You need to look for the privacy notices from your financial institutions, which may come as part of a monthly statement or as a separate mailing. You also need to understand whether an institution intends to share personal information with other companies and, if so, what you can do to prevent information sharing, if that's what you want. Otherwise, it will be up to the institution to decide who gets details about you and your finances."
The new law applies to many types of financial institutions. The law covers banks, savings and loans, credit unions, insurance companies and securities firms. It even includes some retailers and automobile dealers that collect and share personal information about consumers to whom they extend or arrange credit. Also, while the rules from the FDIC and other federal agencies say these notices to consumers must be accurate, clear and conspicuous, we know there's a lot to consider before you decide what's best for you. That's why FDIC Consumer News has developed the following question-and-answer format to help you understand your new rights to financial privacy and what you need to do to exercise those rights.
What kinds of personal information do financial institutions collect and share with other businesses?
Many financial institutions collect information about their customers as a regular part of their business of providing products or services. Examples: When you apply for a loan, you provide your name, phone number, address, income, and details about your assets. When the institution is considering your application, it may collect additional details from other sources, such as credit reports prepared by credit bureaus. And as you use a financial product—a credit card, for example—your institution will have a record of how much you buy and borrow, where you like to shop, and whether you repay your balance on time. Some (but not all) financial institutions share this information with other entities—including completely unaffiliated companies such as retailers, telemarketers, airlines and non-profit organizations—to help them target consumers who might be interested in their products or programs.
How does the Gramm-Leach-Bliley Act protect my financial privacy?
First, the law requires
each financial institution to tell
its customers about the kinds of information it collects and the types of businesses that may be provided that information.
This disclosure, called the
privacy notice, is intended to
help you decide whether you
are comfortable with that information-sharing arrangement. The law went into effect July 1, 2001, and you should have received a privacy notice from any financial institution where you already had an account. Anytime you open a new account with a different financial institution you must be given a copy of the privacy notice at that time. Financial institutions also are required to send a privacy notice to their customers once a year.
Second, the law says that if your financial institution intends to share your information with anyone outside its corporate family, it also must give you the chance to "opt out" or say "no" to information sharing under certain circumstances. Even consumers who are not technically customers of a financial institution—such as former customers or people who unsuccessfully applied for a loan or credit card—will have the right to opt out of information sharing with outside companies.
Third, the law requires that financial institutions describe
how they will protect the confidentiality and security of your information.
When I receive a privacy notice, what should I look for?
We encourage you to read the entire notice carefully. You may, though, want to focus on your financial institution's descriptions of the following:
- The kind of information it shares with other parts of the same company, likely to be described as "members of our corporate family" or "our affiliates";
- The information it shares with other companies or organizations that are not part of the same corporate group as your financial institution, perhaps called "nonaffiliated third parties";
- What information you can prevent your financial institution from sharing with other companies or organizations; and
- How you go about opting out, if that's what you want to do.
Will the privacy notice list exactly what information the financial institution wants to share, and with whom?
No. The regulations say the privacy notice must describe the basic categories of information a financial institution collects and shares with other entities, and give examples. But a financial institution is not required to list every type of information it may gather or share, or tell you the names of specific companies or organizations that may buy or receive your information. If you have questions or concerns, contact your financial institution at the address or phone number listed in its privacy notice.
| "You need to look for these notices. You also need to understand whether an institution intends to share personal information with other companies."
Ken Baebel, FDIC consumer affairs expert |
What kind of information can I stop an institution from sharing?
You have a general right to block the sharing of non-public personal information with outside companies and organizations, but there are exceptions (as explained in the next question and answer). Also, your institution may remind you that a law passed several years ago, the Fair Credit Reporting Act, gives you limited rights to stop selected information-sharing with affiliates.
What information can't I prevent from being shared, even if I opt out?
Under the new law, you cannot bar an institution from providing personal information to outside companies and organizations if, for instance:
- The information is needed to help conduct normal business. Example: Your bank can send personal information to outside firms that help market the institution's products, handle its data processing (for your loan payments, checking account statements, electronic banking transactions or credit card purchases), or mail account statements.
- The information is needed to protect against fraud or unauthorized transactions, or is provided in response to a court order.
- The institution reasonably believes the information is "publicly available." Robert Patrick, an FDIC consumer law attorney in Washington, explains that publicly available information "includes your name, address, and telephone number as they appear in the telephone book, information about your home mortgage recorded in county records, or information that would be found on your driver's license if that information is available from your state's department of motor vehicles."
- The information is used as part of a "joint marketing agreement." That's a situation in which two or more financial institutions—say, a bank and insurance company—agree to jointly offer, endorse or sponsor the same products or services.
In addition, the Fair Credit Reporting Act says an institution has a right to give an affiliate any information obtained from your transactions with that institution. Example: Your bank can give an affiliated insurance company details about your deposit accounts. This could be useful information if, say, the insurer wants to offer you an annuity as an investment when one of your CDs is about to mature. Even though you cannot prevent this information from being shared, the bank still must tell you about these practices in its privacy notice.
How do I know if I should opt out?
It depends on how the information is shared... and it depends on your viewpoint. If a financial institution widely shares your personal information with other businesses, you'll get more mail, phone calls or other unsolicited promotions than if you decide to opt out. Some consumers see information sharing as a plus because it helps them shop from home or find out about new products and services, including potentially good deals on a new loan, insurance policy or investment. Other consumers say they don't want so many solicitations from telemarketers and mail advertisers, and they don't want a lot of other businesses and people knowing about their finances or spending habits. You must decide what's best for you.
"If you opt out, your bank will still be able to share personal information about you with outside entities in certain circumstances, but you will be putting a limit on at least some information sharing," adds the FDIC's Patrick. "If you don't opt out, your bank can sell information about you to any business or person, and there are few restrictions on how that information might be used."
The FDIC's Baebel suggests that you review your institution's privacy notice and "ask yourself if you're comfortable with the types of businesses receiving your personal information, and with what they are likely to do with the information." If you have questions or concerns, he says, contact your institution. "Banks and other financial institutions are interested in maintaining good customer relations," Baebel adds. "They should be more than willing to explain how they use your information, how they protect that information, and the circumstances in which they share information with other businesses or people."
You can also get general guidance by contacting the government agencies listed in
"For More Help or Information Regarding Your Rights to Financial Privacy".
Before I decide whether to opt out, am I entitled to a copy of the information my bank might share with other companies, and will I have a chance to correct errors?
The Gramm-Leach-Bliley Act doesn't require your bank to give you access to the information it collects or a chance to make changes. However, if you have concerns, you can ask your bank if it will voluntarily let you see your personal records and comment on their accuracy. Banks do let customers review their personal information under certain circumstances.
| "If you opt out, your bank
will still be able to share information about you with outside entities in certain circumstances, but you will be putting a limit on at least
some information sharing."
Robert Patrick, FDIC attorney |
If I decide to opt out, do I have to notify the institution in a certain way?
Yes, most likely. That's because the institution can establish a procedure that everyone must use to opt out, provided that it is reasonable. So, be sure to check the instructions that come with your privacy notice. For example, your bank may require you to call a certain telephone number, not just any number at the bank. Or, it may require you to complete a form and mail it to a specific address. Patrick adds that "even if you call the bank to opt out, it's a good idea to also notify it in writing and to keep a copy of your written notice for your records."
What if I decide against opting out now but I later change my mind, or what if I forget to opt out by the due date?
You can always opt out, even months or years from now. But, be aware that any opt-out request only covers the sharing of information in the future. There is no requirement that a financial institution contact the organizations it has already shared your information with and tell them they cannot use that information any more.
If I have an account at a bank jointly with other people, do we all need to agree on whether to opt out?
If the bank sends separate notices to each account holder, each person can choose for himself or herself. However, because the rules allow banks to provide a single opt-out notice when two or more customers have a joint account, it's important to pay attention to what the bank says about opt-out requests. If, for example, the bank sends separate notices to two owners of a joint account and only one of them responds, the bank may continue sharing the other person's information. "If you receive an opt-out notice from a bank where you have a joint account, be sure to discuss that information with the other people who share that account with you," Patrick says. "That way, if any of you decide to opt out, you can do so properly."
Final Thoughts
Your right to financial privacy is important. And thanks to the privacy law, you now have more of a say in how much of your information financial institutions may share with other companies. It's up to you to take advantage of these protections. Watch for the privacy notices from your financial institutions, read them carefully and follow the instructions if you decide to exercise your right to opt out. If you have questions, contact your financial institution or one of the federal regulatory agencies on our "For More Help..." and "For More Information" pages. We hope that the information we've provided here will help you understand your rights... and help you make decisions that are right for you.
Reprinted from FDIC Consumer News.
