
10 Most Common Types of Personally Identifiable Financial Information

Financial institutions must understand personally identifiable financial information in order to prevent disclosing it. Here are some of the common types.

In 2021, IBM’s annual Cost of a Data Breach report found that the average cost of a data breach rose from $3.86 million in 2020 to $4.24 million in 2021, the largest year-over-year increase in the 17-year history of the report. With personally identifiable information the target in 67% of criminal attempts to breach data, this trend has captured even the attention of Congress.

In June 2022, representatives introduced draft legislation that aimed to modernize existing regulations for the handling of personal financial information and realign industry practices with “our evolving technological landscape.” With the financial cost of data breaches continuing to rise and the legal liability of organizations entrusted with sensitive information potentially increasing, financial service institutions should prioritize understanding personally identifiable financial information and the best practices for protecting it from disclosure.

What Is Personally Identifiable Financial Information?

Personally identifiable financial information (PIFI) is a subset of personally identifiable information (PII). It refers specifically to information that consumers or clients provide to a financial institution, that should not be disclosed publicly, and that should be accessed only by authorized users within the institution. As with PII generally, there is no fixed, enumerated list of PIFI data types. Rather, financial institutions treat as PIFI any information that could, on its own or in combination with other data, identify an individual.

PIFI includes both the personal information individuals disclose to financial institutions to verify their identities and the information financial institutions themselves generate, such as account numbers, account IDs, and PINs.




10 Most Common Types of PIFI

Neither the financial industry nor any applicable regulation specifies the limits of what may constitute PIFI. Nevertheless, the 10 most common types consist of the information an individual would likely have to disclose to create accounts with a financial institution and – subsequently – the information contained in and associated with those accounts. 

Disclosed PIFI

  • Names: full, maiden, mother’s maiden names, and other aliases
  • Personal identification numbers: Social Security, passport, driver’s license, and taxpayer identification numbers
  • Personal contact information: home addresses, email, phone numbers, and corresponding work information
  • Personal characteristic or biometric data: photographs, fingerprints, signatures, retina scans, and voice recordings
  • Personal property information: VINs and title numbers
  • Device identifiers such as internet protocol (IP) addresses and media access control (MAC) addresses that can be reliably linked to a specific individual

Institution-Generated PIFI

  • Bank account numbers
  • Credit card numbers
  • Account IDs
  • PINs

3 Tips for Managing Personally Identifiable Financial Information

The U.S. regulation most applicable to PIFI, the Gramm-Leach-Bliley Act (GLBA), requires financial institutions to give customers notice of their privacy practices and of any changes to them, and not to share customers’ nonpublic personal information with nonaffiliated third parties without first giving customers notice and an opportunity to opt out. Beyond the privacy notice and the FTC Safeguards Rule’s requirement for a written information security program, the law leaves much of the detail of how an institution meets these obligations to the institution itself.

In practice, due diligence in avoiding unauthorized disclosures of PIFI involves the following:

1. Being Transparent to Customers Through Privacy Policies

A privacy policy (in GLBA terms, a privacy notice) is documentation financial institutions must provide to customers. It must disclose how the institution uses and shares PIFI and must give customers the option to restrict that sharing.

The law’s intent is that customers are informed about, and can limit, how their PIFI is shared. Privacy policies commonly also tell customers how to access, correct, and delete their PIFI when closing accounts with the institution.

2. Securing Internal Practices Through PII Policies

While privacy policies cover a financial institution’s external commitments to customers, PII policies govern how the organization handles PIFI internally, regardless of individual customer consent. PII policies specify how staff with access to customer PIFI may store and transmit it so as to minimize the risk of unauthorized exposure. Although the details of any particular PII policy will depend partly on the technologies and applications an organization uses, common best practices will at a minimum include the following stipulations:

  • Staff must not store PIFI on any publicly accessible email or web server.
  • Staff must store PIFI only in databases configured with industry-standard access controls and authentication.
  • Throughout the organization, there must be oversight of every online data and document collection process, of retrieval of PIFI, and of application requests to access PIFI.
  • In-house IT and security staff are responsible for identifying and removing any applications and data handling methods that risk PIFI exposure. 
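As an added illustration of the kind of check these stipulations imply (example code written for this page, not part of FileInvite’s product), the script below scans a constructed sample e-mail for the disclosed and institution-generated identifiers listed earlier, namely Social Security numbers, payment card numbers, e-mail addresses and phone numbers, and redacts them. The sample text, the pattern names and the redaction markers are assumptions chosen for the example; the SSN issuance rules and the Luhn check digit are real, and the Luhn test is what keeps a 16-digit courier tracking number from being flagged as a card number.

```python
"""Scan free text for common PIFI identifiers and redact them.

Added example with constructed sample data; not FileInvite code. The patterns
are deliberately conservative (SSN issuance rules, Luhn check for card numbers)
so that an arbitrary run of digits is not reported as PIFI.
"""
import re
from typing import List, Tuple

# Constructed sample e-mail body: the kind of ad hoc message the policy above
# says staff must not send. Nothing in it belongs to a real person.
SAMPLE_EMAIL = (
    "Hi team, attaching Jane Doe's loan file.\n"
    "SSN: 123-45-6789\n"
    "Card on file: 4111 1111 1111 1111\n"
    "Courier tracking no. 1234 5678 9012 3456\n"
    "Reach her at jane.doe@example.com or 555-123-4567.\n"
)

# Most specific pattern first, so a span claimed as an SSN or card number is
# not re-tagged by a looser pattern later.
PIFI_PATTERNS = [
    # US SSN AAA-GG-SSSS; area 000/666/9xx, group 00 and serial 0000 are never issued
    ("ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    # 13-19 digits with optional single space/dash separators, confirmed by Luhn below
    ("card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    # North American phone number, optional +1 prefix and parenthesised area code
    ("phone", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}(?!\d)")),
]


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test used by payment card numbers; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _is_hit(kind: str, text: str) -> bool:
    """Regex match plus the secondary validation the kind requires."""
    return kind != "card" or luhn_valid(text)


def find_pifi(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for every PIFI hit, in document order."""
    claimed: List[Tuple[int, int]] = []
    hits: List[Tuple[int, str, str]] = []
    for kind, pat in PIFI_PATTERNS:
        for m in pat.finditer(text):
            if not _is_hit(kind, m.group()):
                continue
            # skip spans already claimed by a more specific pattern
            if any(s < m.end() and m.start() < e for s, e in claimed):
                continue
            claimed.append((m.start(), m.end()))
            hits.append((m.start(), kind, m.group()))
    return [(kind, value) for _, kind, value in sorted(hits)]


def redact(text: str) -> str:
    """Replace each hit with a marker; card numbers keep their last four digits."""
    out = text
    for kind, pat in PIFI_PATTERNS:
        def _mask(m, kind=kind):
            if not _is_hit(kind, m.group()):
                return m.group()  # e.g. a digit run that fails Luhn is left alone
            if kind == "card":
                return "[CARD ****" + m.group()[-4:] + "]"
            return "[" + kind.upper() + " REDACTED]"
        out = pat.sub(_mask, out)
    return out


if __name__ == "__main__":
    for kind, value in find_pifi(SAMPLE_EMAIL):
        print(f"{kind:6} {value}")
    print(redact(SAMPLE_EMAIL))
```

A pattern scanner like this is a tripwire, not proof of absence: names, biometric data, VINs and institution-generated account IDs have no reliable textual shape, so they still depend on the storage and access controls in the policy itself. Where it does help is as a pre-send check on outbound mail or a periodic sweep of shared drives and web roots, which is exactly where the first stipulation above is most often broken.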

3. Using Best Practices for Securing PIFI

Privacy and PII policies regulate activities to protect PIFI. Beyond observing these policies, organizations can further mitigate the risk of PIFI exposure by taking advantage of current technologies. In the financial industry, document collection processes often represent a significant weak point in secure data handling.

Many institutions still rely on ad hoc collection methods involving email, paper documents, and digital documents uploaded through different applications. Adopting an integrated document collection platform with secure client portals for all submissions substantially reduces the risks associated with these processes while also reducing the time and effort involved for staff.

PIFI and Secure Document Collection with FileInvite

FileInvite gives your clients access to a single, secure document portal for documentation, making the collection process for loan applications both easier and safer. Running on bank-grade, SOC 2 Type 2 security, FileInvite radically improves loan processing efficiency while giving you the peace of mind that your clients’ PIFI is thoroughly protected. 
