Gramm-Leach-Bliley Act Privacy Requirements - PowerPoint PPT Presentation

Slides: 33
Provided by: thomaspaul

Transcript and Presenter's Notes

1
Gramm-Leach-Bliley Act Privacy Requirements
  • Tom Levandowski
  • Vice President, Assistant General Counsel
  • First Union Corporation/Educaid

2
Privacy Provisions of the Gramm-Leach-Bliley Act
  • Law: Gramm-Leach-Bliley Act signed into law in
    November 1999.
  • Regulation: Privacy regulations issued by federal
    agencies. Compliance required as of 7/1/01.
  • Scope: Regulates the sharing of
    • (1) nonpublic personal information about
      individuals
    • (2) who obtain financial products or services
    • (3) from financial institutions primarily for
      personal, family or household purposes.

3
Gramm-Leach-Bliley Privacy Rules
  • Applicable to FFELP Activities?
  • NPI: NPI is collected to make education loans
    (e.g., NPI collected on the loan application).
  • Financial Product: An education loan is a financial
    product under the GLB privacy rules.
  • Financial Institution: Lenders, secondary markets,
    schools, guarantors, 3rd-party servicers,
    origination/disbursement subcontractors, and
    collection agencies are financial institutions
    by virtue of their typical activities in
    offering, processing or administering education
    loans.

4
Gramm-Leach-Bliley Privacy Rules
  • Social Policy:
    • Place information about the privacy policies and
      practices of financial institutions in the hands
      of consumers so consumers can use that
      information to select the financial
      institutions they want to receive financial
      products and services from.
    • Give consumers control (via an opt-out right)
      over how financial institutions use and share the
      consumers' nonpublic personal information with
      nonaffiliated 3rd parties.

5
Gramm-Leach-Bliley Privacy Rules
  • GLBA Privacy Requirements protect Consumers
    and Customers
  • Consumer: an individual who receives a financial
    product/service.
    • Review of loan application information
    • Student who applies for, but does not receive, a
      loan (application denied or withdrawn)
    • Includes individuals who submit a preapproval
      request but are not preapproved
  • Customer: a consumer who establishes a continuing
    relationship with a financial institution.
    • Student or parent who receives a loan

6
GLB Privacy Rules - Who has the Customer Relationship?
  • Special Rule for Loans: A loan transaction
    gives rise to only one customer relationship.
  • Many entities touch an education loan
    • E.g. Lender, school, secondary market holder,
      guarantor/insurer, disbursement/origination
      agent, 3rd-party servicer
    • E.g. DOE (Title IV Loans only)
    • E.g. Collection firm, billing service
      subcontractor (e.g., Perkins Loan)
  • Who has the customer relationship with respect to
    the education loan??

7
GLB Privacy Rules - Who has the Customer Relationship?
  • At the time an education loan is disbursed, the
    lender that funds the loan has the customer
    relationship.
  • A customer relationship is not established by the
    • school when it certifies a student's eligibility
      for a FFELP loan
    • guarantor/insurer when it issues its
      guarantee/insurance on the loan
    • origination/disbursement agent when it performs
      loan origination and/or disbursement functions on
      the lender's behalf.

8
GLB Privacy Rules - Who has the Customer Relationship?
  • Loan Sales. When a loan holder sells the whole
    loan to a purchasing party, the customer
    relationship transfers to the loan purchaser.
    • Secondary market transactions
    • Recourse events
      • Payment of default claim by guarantor/insurer
      • Servicer purchase obligation for servicing errors
      • Exercise of loan sale put-back
    • Sale of servicing rights

9
GLB Privacy Rules - Privacy Notices
  • Privacy Notices. Financial institutions must
    provide customers (1) a clear and conspicuous
    notice that accurately reflects the institution's
    privacy policies and practices, and (2) when
    applicable, a reasonable opportunity to opt out.
  • Existing Customer Notices
  • New Customer Notices
    • Timing requirements for paper vs. electronic
      delivery
    • Impact on lender, guarantor, 3rd-party servicer
      relationships

10
GLB Privacy Rules - Privacy Notices
  • Annual Customer Notices
    • Timing requirements for paper vs. electronic
      delivery
    • Impact on lender, guarantor, 3rd-party servicer
      relationships
    • Former customers
  • Revised Customer Notices
  • Notices on Joint Accounts
  • Joint Notices

11
GLB Privacy Rules - Privacy Notices
  • Notices on Joint Accounts
    • examples
    • a single notice is okay
    • conditions
  • Joint Notices
    • permitted among affiliates and nonaffiliates
    • must be accurate as to all parties for the joint
      product

12
GLB Privacy Rules - Privacy Notices
  • Content of Privacy Notice
    • Detailed Requirements
    • Explanation of opt-out right. Must
      • identify all NPI categories that will be
        disclosed to nonaffiliated 3rd parties
      • describe how the consumer can opt out of
        information-sharing not covered by an exception
        (if applicable)
      • provide a reasonable method (e.g. toll-free no.)
        for the consumer to opt out.

13
GLB Privacy Rules - Privacy Notices
  • Processing opt-out elections
    • Must give a reasonable opportunity (e.g. 30 days
      for notices sent by mail or electronically) for
      the consumer to opt out.
    • If an opt-out is received before the initial
      opt-out period elapses, must act immediately.

14
GLB Privacy Rules - Privacy Notices
  • Processing opt-out elections (cont.)
    • If an opt-out is received after the initial
      opt-out period elapses, must comply with the
      opt-out direction as soon as reasonably
      practicable.
    • Must comply with the opt-out direction until
      revoked in writing by the consumer.

15
GLB Privacy Rules - Privacy Notices
  • Notices to Consumers vs. Customers
    • Notices to Consumers: not automatic like notices
      to customers. For consumers, no notice is required
      unless and until the consumer's NPI will actually
      be shared.
    • Important Reminder: Notice to a customer is
      necessary even if customer NPI is only shared
      under the exceptions.

16
GLB Privacy Rules - Privacy Notices
  • Good News: The customary gathering and sharing of
    consumer/customer information to facilitate
    education lending falls under numerous exceptions
    to the notice and opt-out requirements.

17
GLB Privacy Rules - Privacy Notices
  • Result: A customer cannot opt out of the sharing of
    NPI undertaken to certify, process, make,
    guarantee, administer or service an education
    loan.
  • Result: The notice does not need to detail sharing
    that falls within the exceptions (it is sufficient
    to say "we share your customer information with
    third party companies as permitted by law"), nor
    offer an opt-out right with respect to such sharing.

18
GLB Privacy Rules - Privacy Notices
  • Some Notice/Opt-Out Exceptions
  • Catch-all. Disclosures made
    • as necessary to effect, administer, or enforce a
      student loan that a consumer requests, or
    • in connection with
      • servicing or processing a student loan the
        consumer requests
      • maintaining or servicing a student loan account
      • a proposed or actual securitization, secondary
        market sale, or similar transaction related to a
        student loan.

19
GLB Privacy Rules - Privacy Notices
  • Some Notice/Opt-Out Exceptions (cont.)
    • Legal requirements, judicial process, or
      regulatory compliance.
    • Consent.
    • Rating or guaranty agencies.
    • Credit bureaus.
    • Sale or merger.
    • Antifraud.

20
GLB Privacy Rules - Reuse/Redisclosure
  • Reuse/redisclosure obligations apply to all
    entities who receive NPI of education loan
    borrowers but who do not have the customer
    relationship.
    • E.g. Guarantor/insurer, origination/disbursement
      agent, or 3rd-party servicer who receives
      customer NPI on a lender-held loan.

21
GLB Privacy Rules - Reuse/Redisclosure
  • Generally, a 3rd party can only use and disclose
    borrower information to carry out the activity
    that the financial institution hired it to
    perform. The 3rd party can disclose to
    • the financial institution's affiliates without
      limitation
    • its own affiliates, but its affiliates can only use
      and disclose such information to the extent the
      3rd party can.

22
GLB Privacy Rules - Reuse/Redisclosure
  • Parties who receive NPI from a school must comply
    with FERPA's reuse/redisclosure requirements and
    stand in the school's shoes.
  • Financial institutions are not required to
    monitor the use of NPI by nonaffiliated 3rd
    parties to whom they properly (in accordance with
    notice and applicable opt-out requirements)
    disclose such information.

23
GLB Privacy Rules - Information Security Program
  • Final Banking Agency guidelines effective 7/1/01
  • FTC Proposed Rule (comment deadline was 10/9/01).
    Must implement an information security program
    not later than one year from the date on which a
    final rule is issued.
  • 2 Sets of Requirements, Largely Identical:
    Both require financial institutions to develop,
    implement, and maintain administrative,
    technical, and physical safeguards to protect the
    security, confidentiality, and integrity of
    customer information.

24
GLB Privacy Rules - Information Security Program
  • Financial institutions must establish an
    Information Security Program that
    • ensures the security and confidentiality of
      customer information
    • protects against any anticipated threats or
      hazards to the security or integrity of such
      information and
    • protects against unauthorized access to or use of
      such information that could result in substantial
      harm or inconvenience to any customer or (Banking
      Agency Guidelines only) risk to the safety and
      soundness of the financial institution.

25
GLB Privacy Rules - Information Security Program
  • Information Security Programs must contain
    certain basic elements:
    • identify and assess the risks that may threaten
      customer information (FTC mandates review of 3
      core areas of operations)
    • develop a written plan containing policies and
      procedures to manage and control these risks

26
GLB Privacy Rules - Information Security Program
  • Information Security Programs (cont.)
    • implement and regularly test plan effectiveness
      and
    • adjust the plan on a continuing basis to account
      for material changes to the financial
      institution's business (e.g. changes in
      technology, the sensitivity of customer
      information, operations or business arrangements,
      and internal or external threats to information
      security).

27
GLB Privacy Rules - Information Security Program
  • 3rd-Party Oversight. Financial institutions
    must
    • select and retain appropriate service providers
    • enter into contracts requiring service providers
      to maintain appropriate safeguards for protecting
      customer information
    • exercise due diligence to monitor whether service
      providers are maintaining effective information
      security programs that protect customer
      information and customer information systems.

28
GLB Privacy Rules - Information Security Program
  • 3rd-Party Oversight (cont.)
  • Banking Agency Guidelines
    • All service provider contracts entered into after
      3/5/01 must address ISP requirements.
    • Service provider contracts entered into on or
      before 3/5/01 must be amended by 7/1/03 to
      contain provisions delineating the servicer's
      duties and responsibilities to protect customer
      information in accordance with the Banking Agency
      Guidelines.

29
GLB Privacy Rules Do Not:
  • Prohibit a financial institution from soliciting
    or otherwise communicating with its borrowers to
    • market its own financial products or services
    • market financial products or services that it
      offers with another entity (joint marketing)
  • Limit information-sharing
    • among affiliates for cross-selling purposes
    • as necessary with affiliates or 3rd parties to
      process and service transactions the consumer
      requests or to facilitate normal business
      transactions

30
GLB Privacy Rules - Gotchas
  • Marketing exception must be described in the notice
    and requires a contractual agreement between two
    nonaffiliated financial institutions to
    • jointly offer, endorse, or sponsor the financial
      product or service, and
    • limit further use or disclosure of the consumer
      information transferred
  • The fact of a consumer/customer relationship is NPI
    even if other data isn't.

31
GLB Privacy Rules - Gotchas
  • Database purchaser must continue to monitor
    opt-outs if it re-discloses (rights to use are
    derivative).
  • Customer Lists. A list is considered NPI if it
    is generated based on customer relationships,
    loan balances, or other personally identifiable
    financial information that is not publicly
    available. A list is also considered nonpublic
    personal information if it contains any NPI.

32
GLB Privacy Rules
  • Questions??