Lesson 19 of 25
GLBA Privacy (Reg P) and Information Security
5 min read · CRCM
Separate privacy from security cleanly: Reg P notices and opt-outs, the affiliate-sharing line under FCRA, and the GLBA Safeguards Rule's written information-security program (12 CFR 1016).
GLBA privacy and Reg P
- Gramm-Leach-Bliley Act, 15 USC 6801
- Regulation P, 12 CFR 1016 (CFPB)
- Governs sharing of nonpublic personal information
- Plus the Safeguards Rule for data security
We enter the bank-operations material with privacy. The Gramm-Leach-Bliley Act, GLBA, at fifteen U-S-C sixty-eight-oh-one, has two compliance halves. The privacy half, implemented by Regulation P at twelve C-F-R part ten sixteen, governs how a bank may share a consumer's nonpublic personal information with nonaffiliated third parties.
The security half, the Safeguards Rule, requires the bank to protect that information from unauthorized access. Both are tested. The privacy rule centers on notices and opt-outs; the security rule centers on an information-security program.
Let's separate them cleanly, because candidates blur them, and then connect Reg P to the affiliate-sharing rules under the Fair Credit Reporting Act.
Privacy notices
- Initial privacy notice at the start of the relationship
- Annual notice (with exceptions)
- Describes information collected and shared
- Clear and conspicuous
Reg P requires a bank to give consumers a privacy notice describing what nonpublic personal information it collects, with whom it shares that information, and how it protects it. An initial notice generally goes out when the customer relationship begins. An annual notice was historically required for the life of the relationship, though an exception now lets banks skip the annual notice if their sharing practices haven't changed and they don't share in ways that trigger opt-out rights.
The notices must be clear and conspicuous. On the exam, know the initial-notice timing and the annual-notice exception. The notice is the vehicle through which the consumer learns about sharing and their right to limit it.
Opt-out rights
- Right to opt out of sharing with nonaffiliated third parties
- Exceptions: service providers, joint marketing, processing
- Reasonable opt-out method and time
- Honor opt-outs promptly
The core consumer right under Reg P is the opt-out. Before sharing a consumer's nonpublic personal information with a nonaffiliated third party, the bank generally must give the consumer notice and a reasonable opportunity to opt out of that sharing. But there are important exceptions where no opt-out is required: sharing with service providers under contract, sharing for joint marketing arrangements with appropriate safeguards, or sharing to process and service the consumer's own transactions.
So not all sharing triggers an opt-out. The exam tests whether a particular sharing scenario requires an opt-out or fits an exception. When the bank shares to get its own work done, an exception usually applies; when it shares to let an outside firm market its own products, opt-out rights attach.
A related distinction the exam tests is consumer versus customer. Under Reg P, a consumer is anyone who obtains a financial product or service for personal purposes, while a customer is a consumer with an ongoing relationship. Customers get the full notice regime, including the initial and, where applicable, annual notices; mere consumers who never become customers get notice only if the bank intends to share their information in a way that triggers opt-out rights.
That definitional split decides who's entitled to which notice, so read carefully for whether the person has an ongoing relationship with the bank.
Affiliate sharing and the Safeguards Rule
- FCRA governs sharing among affiliates
- Affiliate marketing opt-out
- GLBA Safeguards: written info-security program
- Risk assessment, controls, testing, oversight
Two adjacent pieces complete the picture. First, sharing information among affiliates, companies under common control, is governed less by Reg P and more by the Fair Credit Reporting Act, which gives consumers an affiliate-marketing opt-out before an affiliate uses shared eligibility information to market to them. Keep that straight: nonaffiliated sharing is Reg P; affiliate sharing leans on FCRA.
Second, the GLBA Safeguards Rule requires the bank to maintain a written information-security program that includes a risk assessment; administrative, technical, and physical controls; regular testing; employee training; and oversight of service providers. The F-F-I-E-C information-security guidance fleshes this out for examiners. The exam may test the affiliate-versus-nonaffiliate distinction or the elements of an information-security program.
Breach response and overlaps
- Incident-response and breach-notification expectations
- Interagency guidance on customer notice
- Overlaps with FCRA Red Flags, UDAAP
- Privacy + security as one risk area
Information security includes responding when something goes wrong. Interagency guidance sets expectations for incident response and for notifying affected customers when sensitive information is compromised in a way that could lead to misuse. This dovetails with the FCRA Red Flags identity-theft program we covered and with UDAAP: weak data protection that harms consumers can become an unfair practice.
So treat privacy and security as one connected risk area: collect and share information lawfully under Reg P and FCRA, protect it under the Safeguards Rule, and respond responsibly to breaches. The exam may present a data-incident scenario and ask about notification obligations. Approach it as a privacy-plus-security problem, not just one rule.
The Safeguards Rule also expects specific governance: a designated qualified individual responsible for the information-security program, a written risk assessment, access controls and encryption where appropriate, regular testing or monitoring, training, and oversight of service providers through contracts and periodic review. Notice how closely that mirrors the structure of a B-S-A program and a broader compliance management system: a named owner, a risk assessment, controls, testing, and vendor oversight. That recurring architecture is not a coincidence; regulators favor it across domains, and recognizing it helps you answer program-design questions wherever they appear.
Recap
- Reg P = sharing nonpublic personal info, 12 CFR 1016
- Initial and annual notices; opt-out with exceptions
- Affiliate sharing governed by FCRA
- Safeguards Rule = written info-security program
Recap of privacy and security. Regulation P, at twelve C-F-R ten sixteen, governs sharing nonpublic personal information with nonaffiliated third parties, requiring privacy notices and an opt-out, subject to exceptions like service-provider and joint-marketing sharing. Affiliate sharing is governed mainly by the Fair Credit Reporting Act, with its affiliate-marketing opt-out.
And the GLBA Safeguards Rule requires a written information-security program with risk assessment, controls, testing, and oversight, plus breach response. Go test yourself, then we cover insider lending and affiliate transactions.
Sources
- Gramm-Leach-Bliley Act (15 USC 6801 et seq.)
- Regulation P (12 CFR 1016)
- GLBA Safeguards Rule
- FFIEC Information Security guidance
- FCRA affiliate-sharing (Reg V)
Test your knowledge
A few CRCM questions on this material.
Q1. A bank requires all loan applicants to provide a co-signer. An examiner notes that the bank requires a co-signer for applicants who are recently divorced women but not for similarly situated men. Which Reg B violation does this reflect?
Q2. An examiner analyzing a bank's HMDA data discovers that the bank's denial rate for mortgage applicants in minority-majority census tracts is significantly higher than for similarly situated applicants in majority-white tracts. Which compliance concern does this HMDA-based disparity most directly raise?
Q3. A bank makes a loan secured by raw land in a Special Flood Hazard Area. No structure exists on the land. Is flood insurance required?
Q4. During a BSA examination, examiners find that the bank has no designated BSA compliance officer and that no individual has been assigned responsibility for the anti-money-laundering program. Which BSA program pillar is missing?