The obvious trouble with banking rules regarding consumer privacy (governed, in the part relevant to this posting, by Title V of the Gramm-Leach-Bliley Act ("GLB")) is the compliance costs. FN1 Less obvious is the problem of being a bank and not knowing it. FN2
The advent of the Internet is recent enough that the law with respect to online financial services is still a little unsure of itself. This creates opportunity and legal exposure for early movers.
The definition of a bank according to the GLB (as finally promulgated) includes any company that is "significantly engaged" in providing financial products or services (such as loans, financial or investment advice, or insurance). FN3 Thus, certain companies not traditionally thought of as "banks" are deemed banks for the purposes of the rule: certain institutions of higher learning (if they offer loans, and at least with respect to the "security" of consumer data FN4), auto dealers (if they finance), tax preparers, providers of real estate settlement services, and debt collectors.
Further, because the "significant engagement" definition requires a fact-based determination in a rapidly evolving industry, there remains uncertainty regarding the level of financial activity required for a company to become subject to GLB. Do, for example, certain payment service providers (e.g., Paypal FN5) qualify (probably - although it may turn on whether the PSP "holds" onto funds)? Peer-to-peer lending companies (such as Prosper, Lending Club, and Zopa) (quite likely)? Gift card applications (like the mobile ones offered by Starbucks or Target)? Mobile ticketing platforms (e.g., BART)? Nonprofits issuing charitable gift annuities? Anyone providing long-term payment plans subject to interest (for any product)?
A useful shorthand (and oblique low-brow cultural reference) is this: if you're in the business of linking a customer to a bank account, you might be a financial institution. FN6
FN1. The business of providing banking services (online or otherwise) demands careful observance of federal and state rules with respect to the protection of consumers' non-public financial information. The rules are niche and multitudinous. They turn in part on whether the bank has an on-going relationship with the customer (as with a personal loan service) or a one-off transactional one (as with a check cashing service): only the former are entitled to receive a financial institution's privacy notice automatically, while the latter must receive a privacy notice only if the consumer's information is being shared with non-affiliated third parties (with some exceptions). In brief, the rules require the following: a) disclosure of information collected and distributed to affiliated and non-affiliated third parties, b) opt-out procedures, c) annual notices and d) the implementation of an information security program. You can go here for a more detailed rundown on the application of these requirements.
FN2. Among the penalties for non-compliance with GLB is up to five years in prison.
FN3. Definition at 16 CFR 313.3(k)(1).
FN4. The GLB governs acts beyond the disclosure of privacy practices, including the requirements for safeguarding the security of private data and the prevention of scams to get customer data ("pretexting").
FN5. Many commentators have found it noteworthy that Paypal distributed an annual, GLB-compliant, privacy disclosure to its users.
FN6. We can probably go further and say that if you receive or transmit bank account information from your customers (even if you don't hold any of the customer's funds, even for a moment) you should seriously consider whether you're subject to the GLB.