Yes, US federal law imposes privacy obligations on financial institutions, including foreign financial institutions with offices in the US, as outlined below.
Financial services firms must be aware of additional state requirements prior to conducting business out of a particular jurisdiction.
The Gramm-Leach-Bliley Act restricts financial institutions from disclosing certain "nonpublic personal information" ("NPPI") collected from or about individual "consumers" in connection with the provision of financial products and services to nonaffiliated third parties. NPPI includes information that a consumer or customer puts on an application; information about the individual from another source, such as a credit bureau; or information about transactions between the individual and the financial institution, such as an account balance. Indeed, even the fact that an individual is a consumer or customer of a particular financial institution is NPPI. A "consumer" is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. Certain exceptions apply, including when disclosure is as follows:
The Federal Reserve Board, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency have each adopted the Interagency Guidelines Establishing Information Security Standards as an appendix to their privacy regulations. These guidelines require a bank's information security program to be designed to ensure the security and confidentiality of customer information in accordance with the Gramm-Leach-Bliley Act and other applicable privacy laws, protect against any anticipated threats or hazards to the security or integrity of this information, protect against unauthorized access to or use of this information that could result in substantial harm or inconvenience to any customer, and ensure the proper disposal of customer and consumer information. A bank using a cloud service provider is required to conduct appropriate due diligence regarding the provider's privacy practices and capabilities, include in the contract terms a requirement that the provider implement appropriate measures designed to meet the security standards, and monitor its provider in accordance with the bank's risk management program.
Securities and Exchange Commission ("SEC") Regulation SP and Regulation S-ID apply to both broker-dealers ("BDs") and investment advisers ("IAs"). However, Regulation SP and Regulation S-ID are not the sole privacy and data security requirements that BDs and IAs must comply with, as there are additional requirements beyond the scope of the securities laws (generally, state law requirements). With regard to information security, cybersecurity and data privacy, BDs are subject to a wide-ranging regulatory framework, which includes SEC rules, Financial Industry Regulatory Authority guidance, and federal and state law requirements. IAs are subject to SEC rules, as well as federal and state law requirements.
Commodity Futures Trading Commission entities (other than swap dealers) are subject to similar consumer data privacy rules under the commission's Rule 160.1-3.