Defining Data: Federal Reserve proposes rules on financial privacy
The Federal Reserve Board last month unveiled a comprehensive new regulation implementing the privacy provisions of the Financial Services Modernization Act.
The proposal contains a number of measures designed to clarify the requirements of the act. For example, it defines “non-public personal information,” “consumer” and “customer” and provides guidance on the timing of notices to customers and the means by which consumers can exercise their opt-out rights.
Non-public data – or data that can’t be used without notice and choice – is defined as names and addresses that have been provided by the consumer in the course of a transaction, even if the information is available from other sources such as telephone directories.
“What [the board] literally did was determine that any time the information comes from the relationship between the consumer and the financial institution, it is non-public,” says Marty Abrams, Experian’s vice president for information policy and privacy.
A consumer is defined as an individual who obtains financial products or services that are to be used primarily for personal, family or household purposes. A customer is described as a consumer who has a continuing relationship with a financial institution.
The regulation also details various methods individuals can use to exercise their opt-out rights, while including penalties for violations of the rules.
The board is taking public comment on the regulation until March 31.
The Financial Services Modernization Act, signed into law last November, overhauls the nation’s financial industry by permitting banks, financial institutions, insurance and securities firms to merge and offer competing products and services. But it also makes it tougher for the industry to share personal data by enabling consumers to prevent a financial institution from disclosing non-public personal information to third parties that are not affiliated with the financial institution without written permission.
In addition, the act allows consumers to opt out of having personal information shared with anyone and requires the holder of that data to annually provide consumers with a written copy of its privacy policy and a list of the companies or organizations with which it shares that information.
Abrams says the act removes a lot of flexibility. “You have to give a very explicit notice of data you’re gathering, and who you will share it with,” he says. “And if you’re going to share it with a new class of users, you have to give a new notice [to the consumer], and then wait 30 days before using it.”
The proposed regulation – Privacy of Consumer Financial Information – was jointly developed with the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp., the Treasury Department and other government agencies.
