Yes, US federal law imposes privacy obligations on financial institutions, including foreign financial institutions with offices in the US, as outlined below.
Financial services firms must be aware of additional state requirements prior to conducting business out of a particular jurisdiction.
The Gramm-Leach-Bliley Act restricts financial institutions from disclosing certain "nonpublic personal information" ("NPPI") collected from or about individual "consumers" in connection with the provision of financial products and services to nonaffiliated third parties. NPPI includes information that a consumer or customer puts on an application; information about the individual from another source, such as a credit bureau; or information about transactions between the individual and the financial institution, such as an account balance. Indeed, even the fact that an individual is a consumer or customer of a particular financial institution is NPPI. A "consumer" is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. Certain exceptions apply, including when disclosure is as follows:
The Office of the Comptroller of the Currency ("OCC") has adopted the Interagency Guidelines Establishing Information Security Standards at 12 C.F.R., Part 30, Appendix B. The Interagency Security Standards require a bank using a cloud service provider to address service provider information security before signing a contract, as part of the terms of the contract, and on an ongoing basis after establishing a service provider relationship.
The Federal Financial Institutions Examination Council ("FFIEC") has published a guidance booklet on outsourcing practices, and it states that financial institutions may outsource many areas of operations, including all or part of any service, process or system operation. However, the use of a subcontractor or, in this case, a cloud service provider does not diminish the responsibility of the financial institution's senior management to ensure that the subcontractor's activity is conducted in a safe manner and in compliance with applicable laws and regulations.
That same FFIEC guidance warns, however, that financial institutions must not share US regulatory examination reports or information contained therein with either foreign regulators or foreign-based service providers without the express written approval of the appropriate US regulatory authority. The FFIEC recently issued the "Security in a Cloud Computing Environment" bulletin, which addresses key risks in cloud computing. Although this bulletin does not contain new regulatory expectations, it highlights examples of risk management practices related to the safe use of cloud computing services, and directs financial institutions to also review the FFIEC's IT Handbook and other documents providing general information on best industry practices.
Regarding broker-dealers ("BDs") and investment advisers ("IAs"), Securities and Exchange Commission ("SEC") Regulation S-P and Regulation S-ID apply to both BDs and IAs. However, Regulation S-P and Regulation S-ID are not the sole privacy and data security requirements that BDs and IAs must comply with, as there are additional requirements beyond the scope of the securities laws (generally state law requirements). With regard to information security, cybersecurity and data privacy, BDs are subject to a wide-ranging regulatory framework, which includes SEC rules, Financial Industry Regulatory Authority guidance, and federal and state law requirements. IAs are subject to SEC rules, as well as federal and state law requirements.
Commodity Futures Trading Commission entities (other than swap dealers) are subject to similar consumer data privacy rules under the commission's Rule 160.1-3.