Consumer Privacy: Better Disclosures Needed on Information Sharing by Banks and Credit Unions
We reviewed personal information banks and credit unions collect on consumers and share with others, and what they tell consumers about this.
Some institutions collect information on credit card transactions, social media and browsing activity, and more. The law allows for sharing this information with retailers, marketers, government agencies, and others.
We found the form institutions use to provide privacy notices to consumers does not give a complete picture of the information collected and shared. We recommended that the Consumer Financial Protection Bureau update the privacy notice form and consider including additional information.
What GAO Found
Banks and credit unions collect, use, and share consumers' personal information—such as income level and credit card transactions—to conduct everyday business and market products and services. They share this information with a variety of third parties, such as service providers and retailers.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide consumers with a privacy notice describing their information-sharing practices. Many banks and credit unions elect to use a model form—issued by regulators in 2009—which provides a safe harbor for complying with the law (see figure). GAO found the form gives a limited view of what information is collected and with whom it is shared. Consumer and privacy groups GAO interviewed cited similar limitations. The model form was issued over 10 years ago. The proliferation of data-sharing since then suggests a reassessment of the form is warranted. Federal guidance states that notices about information collection and usage are central to providing privacy protections and transparency. Since Congress transferred authority to the Consumer Financial Protection Bureau (CFPB) for implementing GLBA privacy provisions, the agency has not reassessed if the form meets consumer expectations for disclosures of information-sharing. CFPB officials said they had not considered a reevaluation because they had not heard concerns from industry or consumer groups about privacy notices. Improvements to the model form could help ensure that consumers are better informed about all the ways banks and credit unions collect and share personal information.
Excerpts of the Gramm-Leach-Bliley Act Model Privacy Form Showing Reasons Institutions Share Personal Information
Federal regulators examine institutions for compliance with GLBA privacy requirements, but did not do so routinely in 2014–2018 because they found most institutions did not have an elevated privacy risk. Before examinations, regulators assess noncompliance risks in areas such as relationships with third parties and sharing practices to help determine if compliance with privacy requirements needs to be examined. The violations of privacy provisions that the examinations identified were mostly minor, such as technical errors, and regulators reported relatively few consumer complaints.
Why GAO Did This Study
Banks and credit unions maintain a large amount of personal information about consumers. Federal law requires that they have processes to protect this information, including data shared with certain third parties. GAO was asked to review how banks and credit unions collect, use, and share such information and federal oversight of these activities. This report examines, among other things, (1) what personal information banks and credit unions collect, and how they use and share the information; (2) the extent to which they make consumers aware of the personal information they collect and share; and (3) how regulatory agencies oversee such collection, use, and sharing.
GAO reviewed privacy notices from a nongeneralizable sample of 60 banks and credit unions with a mix of institutions with asset sizes above and below $10 billion. GAO also reviewed federal privacy laws and regulations, regulators' examinations in 2014–2018 (the last 5 years available), procedures for assessing compliance with federal privacy requirements, and data on violations. GAO interviewed officials from banks, industry and consumer groups, academia, and federal regulators.
GAO recommends that CFPB update the model privacy form and consider including more information about third-party sharing. CFPB did not agree or disagree with the recommendation but said they would consider it, noting that it would require a joint rulemaking with other agencies.
Recommendations for Executive Action
|Consumer Financial Protection Bureau||The Director of CFPB, in consultation with the other federal financial regulators, should update the model privacy form and, in doing so, consider whether it is feasible to include more comprehensive information about third parties with whom financial institutions share consumer personal information. (Recommendation 1)||
CFPB said it is committed to ensuring that financial institutions' disclosures to consumers accomplish their consumer protection and transparency goals and that it will consider GAO's recommendation but has not yet taken any action on it. In May 2021, CFPB noted that any changes to the model privacy form would likely require a joint rulemaking with other agencies including FTC, SEC, and CFTC and such a rulemaking is not currently on its rulemaking agenda. In October 2022, CFPB initiated a rulemaking on personal financial data rights. While not directly related to the model privacy form, this rulemaking could impact how financial institutions provide information to consumers on data shared with third parties. As of January 2023, CFPB has not taken any actions to change the model privacy form. We will continue to monitor CFPB's rulemaking efforts related to consumer privacy.