10 Most Common Types of Personally Identifiable Financial Information
Financial institutions must understand personally identifiable financial information in order to prevent disclosing it. Here are some of the common types.
In 2021, IBM’s annual Cost of a Data Breach report found that the average financial loss associated with a data breach rose from $3.86 million in 2020 to $4.24 million in 2021, marking the single highest year-over-year increase in the 17-year history of the report. With personally identifiable information being the target in 67% of criminal attempts to breach data, this trend has captured even the attention of Congress.
In June 2022, representatives introduced draft legislation that aimed to modernize existing regulations for the handling of personal financial information to realign industry practices with “our evolving technological landscape.” As the financial risks involved in data breaches continue to rise against a background of potentially enhanced legal liabilities for organizations entrusted with sensitive information, financial service institutions should prioritize understanding personally identifiable financial information and the best practices to protect against disclosing it.
What Is Personally Identifiable Financial Information?
Personally identifiable financial information (PIFI) is a subset of personally identifiable information (PII) and refers specifically to any information consumers or clients provide to a financial institution that should not be disclosed publicly and should be accessed only by authorized users within the institution. As with PII generally, PIFI does not comprise a specifically enumerated list of information types. Rather, financial institutions consider PIFI to be any information that could – as a single data point or in combination with other data – enable the identification of an individual.
PIFI includes both the personal information individuals disclose to financial institutions to validate their identities and information financial institutions create, such as account numbers, IDs, and PINs.
10 Most Common Types of PIFI
Neither the financial industry nor any applicable regulation specifies the limits of what may constitute PIFI. Nevertheless, the 10 most common types consist of the information an individual would likely have to disclose to create accounts with a financial institution and – subsequently – the information contained in and associated with those accounts.
- Names: full, maiden, mother’s maiden names, and other aliases
- Personal identification numbers: Social Security, passport, driver’s license, and taxpayer identification numbers
- Personal contact information: home addresses, email, phone numbers, and corresponding work information
- Personal characteristic or biometric data: photographs, fingerprints, signatures, retina scans, and voice recordings
- Personal property information: VINs and title numbers
- Asset information such as internet protocol (IP) addresses and media access control (MAC) addresses reliably linked to a specific individual
- Bank account numbers
- Credit card numbers
- Account IDs
3 Tips for Managing Personally Identifiable Financial Information
The current U.S. regulation most applicable to PIFI – the Gramm-Leach-Bliley Act – states that financial institutions must inform their customers of any changes to their existing privacy policies and avoid disclosing customers’ nonpublic personal information without express consent. Nevertheless, the law does not specify – beyond privacy policies – exactly what steps are required for institutions to fulfill their obligations.
In practice, due diligence in avoiding unauthorized disclosures of PIFI involves the following:
1. Being Transparent to Customers Through Privacy Policies
Privacy policies are a kind of documentation financial institutions must provide customers. These policies must disclose how the institution uses PIFI and must also give customers options to restrict that use.
The law requires institutions to use privacy policies to ensure that customer consent controls the use of PIFI. Additionally, privacy policies include instructions to customers on how to access and delete their PIFI when terminating accounts with an institution.
2. Securing Internal Practices Through PII Policies
While privacy policies cover a financial institution’s external agreements with customers, PII policies focus on how organizations handle PIFI internally, regardless of individual customer consent. PII policies specify how staff who have access to customer PIFI can store and transmit information to minimize the risk of unauthorized exposure. Although the details of any particular PII policy will depend partially on the technologies and applications an organization uses, common best practices will minimally include the following stipulations:
- Staff must not store PIFI on any publicly accessible email or web server.
- Staff must only store PIFI in databases configured to meet industry-standard access control and authentication requirements.
- Throughout the organization, there must be oversight of all online data and document collection, retrieval, and application requests on PIFI.
- In-house IT and security staff are responsible for identifying and removing any applications and data handling methods that risk PIFI exposure.
3. Using Best Practices for Securing PIFI
Privacy and PII policies regulate activities to protect PIFI. Beyond observing these policies, organizations can further mitigate the risk of PIFI exposure by taking advantage of the most current technologies. In the financial industry, document collection processes often represent a significant weak point in secure data handling.
Many institutions still rely on ad hoc collection methods involving email, paper documents, and digital documents uploaded through different applications. Adopting an integrated document collection platform with secure client portals for all submissions eliminates nearly all the risks associated with these processes while simultaneously reducing the time and effort involved for staff.
PIFI and Secure Document Collection with FileInvite
FileInvite gives your clients access to a single, secure document portal for documentation, making the collection process for loan applications both easier and safer. Running on bank-grade, SOC 2 Type 2 security, FileInvite radically improves loan processing efficiency while giving you the peace of mind that your clients’ PIFI is thoroughly protected.