What Is Regulation P?
Regulation P (Privacy of Consumer Financial Information) is one of the regulations set forth by the Federal Reserve—the central banking system in the U.S. It governs the treatment of consumers’ private and personal information by banks and other financial institutions. It does not apply to publicly available information. Regulation P was first enacted in 1999.
- Regulation P governs the treatment of consumers’ private information by the financial institutions and banks they conduct their business with.
- The regulation only protects against the misuse of private, non-public information.
- Regulation P was amended in 2015 to allow certain exemptions for financial institutions that meet certain requirements.
- If the exemptions are not met, financial institutions are required to send out an annual notice of privacy practices and policies to their customers.
- There are no specific penalties for violations outlined under the regulation, but the most common repercussions violators have faced are monetary penalties and court actions.
How Regulation P Works
Under Regulation P, financial institutions are required to give their customers notice of privacy practices and policies affecting them, so that consumers understand how their financial institutions are using their private information. Regulation P also gives consumers the right to opt out of the disclosure of their private information, preventing the financial institutions with which they do business from disclosing their financial information without their permission. Regulation P applies only to the U.S. offices of financial institutions and banks under its supervisory authority.
Regulation P says that if a financial institution discloses its customers’ private information in a manner inconsistent with the policies and practices described in its annual privacy notice, it must issue a revised notice. There aren’t any specific penalties listed under the regulation for violations made by financial institutions. However, violators may find themselves subject to monetary penalties, court actions, and exposure for “unfair or deceptive acts or practices” under applicable Federal Trade Commission statutes.
In 2015, changes were made to Regulation P via amendments to the consumer privacy protections afforded under the Gramm-Leach-Bliley Act. The amendments implemented exemptions from sending annual privacy notices for financial institutions that meet certain requirements. They were written to ease the burden on financial institutions that were acting ethically and to reduce the risk of confusing consumers with repetitive notices. These exemptions are discussed further in the “Special Considerations” section.
Regulation P offers protection for both financial institutions and consumers, which is especially important in today’s technology-based world, where the boundaries of personal privacy are often unclear.
Special Considerations
Under the new Regulation P rules, a financial institution may be exempt from the requirement to provide its customers with an annual notice of privacy policies if it meets two conditions. The first condition is that it must only disclose the private information of its customers in ways that do not require the customers’ consent under Regulation P. The second is that the financial institution cannot have changed its privacy policies and practices from those disclosed in the most recent annual notice. If the institution changes its privacy policies or practices, it must issue a revised notice under Regulation P. These exemptions were part of the 2015 amendments to the regulation.
Unless a financial institution has met both of these requirements, it will typically send out an annual privacy notice each year via mail, email, or secure message. It is always a good idea to read through these notices as they arrive so that you are aware of any changes to how your information is shared.
Requirements of Regulation P
In order to be compliant with Regulation P, a financial institution’s annual privacy notice must include:
- Information on whether the financial institution shares its customers’ private information, and if it does, how it does so;
- A description of how the institution protects its customers’ private, non-public information; and
- Information on the customer’s right to opt out of some types of sharing of private information.