Locking Down Non-Public Data

The Gramm-Leach-Bliley (GLB) Act – enacted in 2001 – limits when a “financial institution” may disclose a consumer’s non-public personal information (NPI) to non-affiliated third parties.

The law covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain “financial activities.” Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to “opt-out” if they don’t want their information shared with certain non-affiliated third parties.

In addition, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and re-disclosure of that information.

Financial institutions have become quite adept at complying with these guidelines. But partners who are outside the “moat of protection” may not be up to speed on the GLB Act details and can unknowingly cause breaches in NPI protection. If you are an auto lender, it is in your best interest to educate your partners on handling NPI.

What is non-public personal information?

  • Any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application).
  • Any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases).
  • Any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).

Clearly, the process of securing an auto loan includes non-public personal information. Often, the information is obtained at the dealership and transmitted to the lender in the process of securing the loan. This transactional step raises the question of consumer vs. customer. How is a consumer or customer defined at the dealership – or at the lending institution? Does the definition change when working with third-party partners?

Do you have consumers or customers?

According to the Federal Trade Commission, a financial institution’s obligations depend on whether your clients are “customers” or “consumers.” In brief, the Privacy Rule requires you to give notice to all of your “customers” about your privacy practices, and, if you share their information in certain ways, to your “consumers” as well.

Under the Rule, a “consumer” is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person’s legal representative. The term “consumer” does not apply to commercial clients, like sole proprietorships. Therefore, where your client is not an individual, or is an individual seeking your product or service for a business purpose, the Privacy Rule does not apply to you.

The Privacy Rule includes a special rule that offers guidance on customer relationships and loan transactions. A financial institution establishes a customer relationship with an individual when it originates a loan. If the financial institution sells the loan but maintains the servicing rights, it continues to have a customer relationship with the individual. If the financial institution transfers the servicing rights but retains an ownership interest in the loan, the individual is a “consumer” of that institution and a “customer” of the institution with the servicing rights. If other institutions hold an ownership interest in the loan (but not the servicing rights), the individual is their consumer, too.

While these details may seem complex, it is vitally important that your partners in the retail automotive space are well versed in the requirements – and comply with them at all times. Take the opportunity to review the regulations and ask about their processes to secure NPI. Inquire about their privacy notices and confirm security measures when transmitting data. As a highly regulated lender, it’s in your best interest to properly vet your partners where NPI is concerned. And working with like-minded partners who understand the significance of these regulations can equal a consumer gold star rating.

With more than 40 years innovating consumer protection products that enhance profitability and customer retention, EFG Companies knows how to help lenders maintain long-term customer relationships. Contact us today to get started.
