Data privacy and security
7. Are there any data privacy and/or data security laws that would apply?

Yes, US federal law imposes privacy obligations on financial institutions, including foreign financial institutions with offices in the US, as outlined below.

Financial services firms must be aware of additional state requirements prior to conducting business out of a particular jurisdiction.

The Gramm-Leach-Bliley Act restricts financial institutions from disclosing certain "nonpublic personal information" ("NPPI") collected from or about individual "consumers" in connection with the provision of financial products and services to nonaffiliated third parties. NPPI includes information that a consumer or customer puts on an application; information about the individual from another source, such as a credit bureau; or information about transactions between the individual and the financial institution, such as an account balance. Indeed, even the fact that an individual is a consumer or customer of a particular financial institution is NPPI. A "consumer" is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. Certain exceptions apply, including disclosures made:

  • With the customer's or consumer's consent
  • To process the customer's transactions
  • To maintain the customer account(s)
  • To comply with civil, criminal or regulatory investigations, or subpoenas or summons by federal, state or local authorities
  • To respond to judicial processes or government regulatory authorities with jurisdiction over the financial institution for examination, compliance or other purposes as authorized by law
  • For required institutional risk controls or for resolving disputes or inquiries
  • In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of NPPI concerns solely consumers of that business or unit
  • For specified other disclosures that a financial institution normally makes, such as to protect against or prevent actual or potential fraud; to the financial institution's attorneys, accountants and auditors; or to comply with applicable legal requirements, such as know-your-customer requirements and the disclosure of information to regulators

The Federal Reserve Board, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency have each adopted the Interagency Guidelines Establishing Information Security Standards as an appendix to their privacy regulations. These guidelines require a bank's information security program to be designed to ensure the security and confidentiality of customer information in accordance with the Gramm-Leach-Bliley Act and other applicable privacy laws; protect against any anticipated threats or hazards to the security or integrity of this information; protect against unauthorized access to or use of this information that could result in substantial harm or inconvenience to any customer; and ensure the proper disposal of customer and consumer information. A bank using a cloud service provider is required to conduct appropriate due diligence regarding the provider's privacy practices and capabilities, include in the contract terms a requirement that the provider implement appropriate measures designed to meet the security standards, and monitor its provider in accordance with the bank's risk management program.

Securities and Exchange Commission ("SEC") Regulation S-P and Regulation S-ID apply to both broker-dealers ("BDs") and investment advisers ("IAs"). However, Regulation S-P and Regulation S-ID are not the sole privacy and data security requirements that BDs and IAs must comply with, as there are additional requirements beyond the scope of the securities laws (generally, state law requirements). With regard to information security, cybersecurity and data privacy, BDs are subject to a wide-ranging regulatory framework, which includes SEC rules, Financial Industry Regulatory Authority guidance, and federal and state law requirements. IAs are subject to SEC rules, as well as federal and state law requirements.

Commodity Futures Trading Commission entities (other than swap dealers) are subject to similar consumer data privacy rules under the commission's Rule 160.1-3.