Shostack + Friends Blog Archive


Financial Privacy Regulations, 5 Years Behind?

The American Banker has a long story about how some regulations from GLB are now five years behind schedule:

Ironically, both bankers and consumer advocates panned the agencies when they
proposed guidelines on identity theft prevention in August 2003.

The 25-page guidelines were based on Section 501 of the Gramm-Leach-Bliley Act
of 1999, which required financial companies to have safeguards in place to
protect nonpublic personal data.

Now, nearly 18 months later, the Federal Reserve Board, Federal Deposit
Insurance Corp., Office of the Comptroller of the Currency, and Office of Thrift
Supervision are on the verge of issuing a final version of the guidelines.

Regulators are also working to implement the Fair and Accurate Credit
Transactions Act, a December 2003 update of the Fair Credit Reporting Act.

The agencies have polished off rules granting free credit reports and making it
easier for consumers to opt out of prescreened credit offers. But the FACT Act
required seven rules relating to identity theft, and only three have been
[None of the FACT rules would require disclosure.]

Legislative reform that attempts to rein in information brokers like ChoicePoint
could have a spillover effect on financial services companies. For example, some
lawmakers want the FTC to restrict the types of companies that may access and
sell data such as Social Security numbers. Many financial institutions are also
customers of these information brokers, using their reports to check the
accuracy of credit applications or to verify a customer’s identity.