On December 12, 2001, the Board of Governors of the Federal Reserve System, together with staff from the other federal agencies that supervise banks, thrifts, and credit unions, issued frequently asked questions (FAQs) to assist financial institutions in complying with the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) and the Board of Governors' Regulation P. These FAQs illustrate how certain provisions of the regulation apply to specific situations a financial institution may confront; however, they do not necessarily address all provisions that may apply to any given situation. Additionally, this guidance addresses a financial institution's obligations only under sections 502 through 509 of GLBA and Regulation P and does not address the applicability of the Fair Credit Reporting Act or any other federal or state law that may pertain to the questions and answers.
The following is an excerpt from the new FAQs document.
A.2. Q. I am a small financial institution with no affiliates. I do not disclose information about my customers or consumers to anyone, except as permitted by an exception under sections 216.14 and 216.15 of the Privacy Rule. Does the Privacy Rule apply to a small operation like mine?
A. Yes. You have responsibilities under the Privacy Rule regardless of your size, affiliate relationships, or information collection and disclosure practices. The Privacy Rule is focused not only on regulating the disclosure of financial information about customers and consumers, but also on requiring each financial institution to provide initial and annual notices of its policies to its customers. You may, however, provide notice in a simplified form, as illustrated by the notice described in Section 216.6(c)(5).
A.4. Q. I act as a custodian for Individual Retirement Arrangements (IRAs). Are the individuals who own the IRAs my customers?
A. Yes. An individual who establishes an IRA account for which you act as a custodian has obtained a financial product or service that is to be used primarily for personal, family, or household purposes; therefore, he or she is a consumer. When an individual selects you to act as custodian for his or her IRA, the individual enters into a continuing relationship with you and becomes your customer under the Privacy Rule. By contrast, an individual who is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as trustee or fiduciary is not your customer because your relationship in that case is with the plan.
B.2. Q. I occasionally make business loans to sole proprietors. Do I have to provide them with a privacy notice?
A. Although a sole proprietor is an individual, if the sole proprietor obtains a loan from you for business purposes he or she is not a consumer for purposes of the Privacy Rule. Therefore, you do not have to provide any privacy notices to the sole proprietor.
The FAQs provide additional guidance on these and other topics, including:
The press release and the full report, Frequently Asked Questions for the Privacy Regulation.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.