From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Consumer Protection--When Banks Share Your Information with Other Vendors

Description: If you've ever applied for a loan, you know that banks and credit unions collect a lot of personal financial information, like on your income and credit history. And it's not uncommon for customers--after applying or getting a loan--to receive advertisements in the mail for products from other vendors. While collecting this information is important for banks in conducting everyday business, it can also potentially expose consumers to unwanted solicitations from outside vendors, as well as other risks. We talk with two GAO experts about a new report on how banks collect and share your personal information and the role the federal government plays in overseeing this use.

Related GAO Work: GAO-21-36, Consumer Privacy: Better Disclosures Needed on Information Sharing by Banks and Credit Unions

Released: November 2020

[Intro Music]

[Alicia Puente Cackley:] It's important for customers to be well informed about the ways that their personal information is collected and shared by financial institutions.

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office--I'm Holly Hobbs. If you've ever applied for a loan, you know that banks and credit unions collect a lot of personal financial information, like on your income and credit history. And it's not uncommon for customers--after applying or getting a loan--to receive advertisements in the mail for products from other vendors, like insurance companies. While collecting this information is important for banks in conducting everyday business, it can also potentially expose consumers to unwanted solicitations from outside vendors, as well as other risks.
Today we talk with two GAO experts about a new report on how banks collect and share your personal information and the role the federal government plays in overseeing this use. Joining us are:

- Alicia Puente Cackley, an expert on consumer protection issues and a director in our Financial Markets and Community Investment Team, and
- Nick Marinos, an expert on cybersecurity and privacy issues, and a director in our Information Technology and Cybersecurity team.

Thank you for joining us, Alicia and Nick!

[Alicia Puente Cackley:] Happy to be here.

[Nick Marinos:] Thanks Holly.

[Holly Hobbs:] So, Alicia, let's start with a basic question. What kinds of personal information are banks and credit unions collecting, and why do they share it with other vendors?

[Alicia Puente Cackley:] Well, banks and credit unions collect a range of personal information about their customers that includes identifying information like date of birth and address. It can be financial information like credit histories and account statements. And even employment histories and information like citizenship and marital status. The banks and credit unions share that personal information with other vendors for a couple of reasons--for business purposes, such as providing customer services, and for marketing purposes.

[Holly Hobbs:] And Alicia, are banks required to ask permission or tell customers about how they're going to use personal information?

[Alicia Puente Cackley:] Yes, with some exceptions, the Gramm-Leach-Bliley Act prohibits financial institutions from disclosing a customer's non-public personal information to other companies unless the institution, first, has provided the customer with notice and an opportunity to opt out of that disclosure. However, we found that the model privacy form that banks and credit unions have generally used is 10 years old and relies heavily on standardized language.
And it requires financial institutions to disclose only a small amount of information about what they collect, what they use, and what they share, so that customers are not necessarily aware of how their non-public personal information is being shared with other companies.

[Holly Hobbs:] So Nick, if banks are collecting all this data, and sharing it, there's got to be some concerns about data breaches or cyberattacks, right?

[Nick Marinos:] Yeah, there are Holly. I mean, banks and credit unions are under constant threat of cyberattacks. Like other organizations, they apply a range of cybersecurity protections to their systems. But there is always a chance that an attacker could find a way in and gain access to personal information. And in fact, we did see this happen last year. For example, when personal information was compromised of about 100 million individuals who were customers of Capital One. These included folks that were credit card customers of Capital One, as well as folks that were applying for a Capital One credit card. And actually, after this happened the company was cited by the government for not properly securing its IT systems, which had recently been moved to an internet-based work environment or the Cloud. So breaches do sometimes occur and undoubtedly they will continue to occur in the future.

[Holly Hobbs:] Does sharing consumers' information with outside vendors increase the risk of data breaches?

[Nick Marinos:] The more information that's shared the more chances it could be compromised. Think of it this way--think of writing your Social Security number, your credit card number, and your bank account information in a text message and that you send off to ten of your friends. You're now depending on all ten of them to protect that information as well as you would yourself. And it's the same with banks.
Every time a bank shares your data with a vendor, there's a risk that vendor might not protect that information as well as they should, and a data breach might occur. So the less sharing, the better in terms of privacy.

[Music plays]

[Holly Hobbs:] So, it sounds like banks and credit unions are collecting more and more personal information from consumers. And that they are allowed to share this information with other vendors, which could potentially increase the risk of data breaches. But that sharing this information also raises concerns about personal privacy.

[Holly Hobbs:] Nick, are banks and credit unions required to take any steps to protect the data?

[Nick Marinos:] Yeah, they are. And there are also regulatory guidelines that require banks to design a risk-based cybersecurity program for protecting customer information, and they may use security measures such as IT access controls, physical security checks, vulnerability testing, and procedures for actually reporting security breaches when they occur.

[Holly Hobbs:] Alicia, how does the federal government monitor banks and credit unions to ensure they aren't oversharing people's information?

[Alicia Puente Cackley:] So, the federal regulators of banks and credit unions have the authority to examine for compliance with the privacy requirements under the Gramm-Leach-Bliley Act and they do that. But they generally have not performed exams that are targeting financial privacy specifically because they basically have found it to be an area of low compliance risk. So they build it into their more general risk compliance examinations instead.

[Holly Hobbs:] And Alicia, last question--what's the bottom line of this report?

[Alicia Puente Cackley:] It's important for customers to be well informed about the ways that their personal information is collected and shared by financial institutions.
And what we found is that, by improving and updating its model privacy notice, the Consumer Financial Protection Bureau could improve customers' ability to know what information is shared and how to opt out of that.

[Holly Hobbs:] That was GAO's Alicia Puente Cackley and Nick Marinos talking about a new report about information sharing by banks and credit unions. Thank you for your time, team!

[Alicia Puente Cackley:] You're very welcome.

[Nick Marinos:] Thanks Holly. Good talking with you.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. And make sure you leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.