Consumer Privacy:

Better Disclosures Needed on Information Sharing by Banks and Credit Unions

GAO-21-36: Published: Oct 22, 2020. Publicly Released: Nov 23, 2020.

Multimedia:

  • PODCAST: Consumer Protection--When Banks Share Your Information with Other Vendors

    If you've ever applied for a loan, you know that banks and credit unions collect a lot of personal financial information, such as your income and credit history. And it's not uncommon for customers--after applying for or getting a loan--to receive advertisements in the mail for products from other vendors. While collecting this information is important for banks in conducting everyday business, it can also expose consumers to unwanted solicitations from outside vendors, as well as other risks. We talk with two GAO experts about a new report on how banks collect and share your personal information and the role the federal government plays in overseeing this use.


Contact:

Alicia Puente Cackley
(202) 512-8678
CackleyA@gao.gov

 

Nick Marinos
(202) 512-9342
MarinosN@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

We reviewed personal information banks and credit unions collect on consumers and share with others, and what they tell consumers about this.

Some institutions collect information on credit card transactions, social media and browsing activity, and more. The law allows for sharing this information with retailers, marketers, government agencies, and others.

We found the form institutions use to provide privacy notices to consumers does not give a complete picture of the information collected and shared. We recommended that the Consumer Financial Protection Bureau update the privacy notice form and consider including additional information.


What GAO Found

Banks and credit unions collect, use, and share consumers' personal information—such as income level and credit card transactions—to conduct everyday business and market products and services. They share this information with a variety of third parties, such as service providers and retailers.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide consumers with a privacy notice describing their information-sharing practices. Many banks and credit unions elect to use a model form—issued by regulators in 2009—which provides a safe harbor for complying with the law (see figure). GAO found the form gives a limited view of what information is collected and with whom it is shared. Consumer and privacy groups GAO interviewed cited similar limitations. The model form was issued over 10 years ago. The proliferation of data-sharing since then suggests a reassessment of the form is warranted. Federal guidance states that notices about information collection and usage are central to providing privacy protections and transparency. Since Congress transferred authority to the Consumer Financial Protection Bureau (CFPB) for implementing GLBA privacy provisions, the agency has not reassessed if the form meets consumer expectations for disclosures of information-sharing. CFPB officials said they had not considered a reevaluation because they had not heard concerns from industry or consumer groups about privacy notices. Improvements to the model form could help ensure that consumers are better informed about all the ways banks and credit unions collect and share personal information.

Excerpts of the Gramm-Leach-Bliley Act Model Privacy Form Showing Reasons Institutions Share Personal Information

Federal regulators examine institutions for compliance with GLBA privacy requirements, but did not do so routinely in 2014–2018 because they found most institutions did not have an elevated privacy risk. Before examinations, regulators assess noncompliance risks in areas such as relationships with third parties and sharing practices to help determine if compliance with privacy requirements needs to be examined. The violations of privacy provisions that the examinations identified were mostly minor, such as technical errors, and regulators reported relatively few consumer complaints.

Why GAO Did This Study

Banks and credit unions maintain a large amount of personal information about consumers. Federal law requires that they have processes to protect this information, including data shared with certain third parties. GAO was asked to review how banks and credit unions collect, use, and share such information and federal oversight of these activities. This report examines, among other things, (1) what personal information banks and credit unions collect, and how they use and share the information; (2) the extent to which they make consumers aware of the personal information they collect and share; and (3) how regulatory agencies oversee such collection, use, and sharing.

GAO reviewed privacy notices from a nongeneralizable sample of 60 banks and credit unions with a mix of institutions with asset sizes above and below $10 billion. GAO also reviewed federal privacy laws and regulations, regulators' examinations in 2014–2018 (the last 5 years available), procedures for assessing compliance with federal privacy requirements, and data on violations. GAO interviewed officials from banks, industry and consumer groups, academia, and federal regulators.

What GAO Recommends

GAO recommends that CFPB update the model privacy form and consider including more information about third-party sharing. CFPB did not agree or disagree with the recommendation but said they would consider it, noting that it would require a joint rulemaking with other agencies.

For more information, contact Alicia Puente Cackley at (202) 512-8678 or CackleyA@gao.gov or Nick Marinos at (202) 512-9342 or MarinosN@gao.gov.

Recommendation for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of CFPB, in consultation with the other federal financial regulators, should update the model privacy form and, in doing so, consider whether it is feasible to include more comprehensive information about third parties with whom financial institutions share consumer personal information. (Recommendation 1)

    Agency Affected: Consumer Financial Protection Bureau

 
