November 24, 2020

GAO to CFPB: Update FIs' privacy disclosures

The Government Accountability Office (GAO) found that "the form institutions use to provide privacy notices to consumers does not give a complete picture of the information collected and shared" following its review of the personal information financial institutions collect on consumers and share with other entities, and how these details are disclosed to consumers.

NAFCU met with the GAO earlier this year as it began work on this report and others, including one released in September on law enforcement agencies' access to Bank Secrecy Act (BSA) reports.

Financial institutions are required by the Gramm-Leach-Bliley Act (GLBA) to provide consumers with a privacy notice disclosing their information sharing practices. The GAO's report noted that many banks and credit unions use the model form that was issued by regulators in 2009 and provides a safe harbor for complying with the law.

The GAO determined that the model form "gives a limited view of what information is collected and shared," and, given the expanded data sharing that goes on today compared to 10 years ago, "a reassessment of the form is warranted."

To address these concerns, the GAO recommended the CFPB – which has the authority to implement GLBA privacy provisions – update the model privacy form and consider including more information about third-party sharing.

NAFCU sent a letter earlier this year recommending ways the bureau can "alleviate regulatory burdens, improve access for consumers, and mitigate ambiguities," which included comments on privacy disclosures. The association has said if GLBA requirements are to be strengthened, merchants and other institutions should be held to the same standards.

"The call for new privacy protections from consumers is not the result in the insufficiency of the GLBA, it is the outcome of the law’s limited application to 'financial institutions' and the even more limited number of financial institutions which are examined for compliance with the GLBA’s requirements," NAFCU wrote. "... Instituting further privacy protections under the GLBA or the FCRA without subjecting merchants, fintech companies and other non-financial institution organizations to the same requirements only serves to burden small and mid-sized credit unions without actually improving the outcome for consumers.

"Ultimately, the only solution to this problem is a single, comprehensive, federal principles-based standard that encompasses existing federal privacy standards, such as the GLBA, and allows for the examination of organizations which are currently not held accountable for their practices," NAFCU argued.

NAFCU has advocated for data privacy principles to protect consumers' personal financial information; read the association's white paper here. NAFCU will monitor the CFPB's efforts should it decide to reevaluate the form and ensure credit unions are not subject to additional compliance burdens.