In 2021, IBM’s annual Cost of a Data Breach report found that the average cost of a data breach rose from $3.86 million in 2020 to $4.24 million in 2021, the largest single-year increase in the 17-year history of the report. With personally identifiable information being the target in 67% of criminal attempts to breach data, this trend has captured even the attention of Congress.
In June 2022, representatives introduced draft legislation that aimed to modernize existing regulations for the handling of personal financial information to realign industry practices with “our evolving technological landscape.” As the financial risks involved in data breaches continue to rise against a background of potentially enhanced legal liabilities for organizations entrusted with sensitive information, financial service institutions should prioritize understanding personally identifiable financial information and the best practices to protect against disclosing it.
Personally identifiable financial information (PIFI) is a subset of personally identifiable information (PII) and refers specifically to any information consumers or clients provide to a financial institution that should not be disclosed publicly and should be accessed only by authorized users within the institution. As with PII generally, PIFI is not a specifically enumerated list of information types. Rather, financial institutions treat as PIFI any information that could – as a single data point or in combination with other data – enable the identification of an individual.
PIFI includes both the personal information individuals disclose to financial institutions to validate their identities and the information financial institutions themselves create, such as account numbers, customer IDs, and PINs.
Neither the financial industry nor any applicable regulation specifies the limits of what may constitute PIFI. Nevertheless, the 10 most common types consist of the information an individual would likely have to disclose to create accounts with a financial institution and – subsequently – the information contained in and associated with those accounts.
In the United States, the federal government has enacted several laws that protect personally identifiable financial information that is collected by companies. The most significant of these laws is the Gramm-Leach-Bliley Act (GLBA), which was enacted in 1999.
The GLBA requires financial institutions to protect the privacy of their customers' personal and financial information. While requirements vary depending on the type of financial institution, in general the GLBA requires financial institutions to:
While the GLBA applies only to financial institutions, the following tips are worth following for any organization that handles PIFI, whether or not it is a financial institution.
The current U.S. regulation most applicable to PIFI – the Gramm-Leach-Bliley Act – requires financial institutions to inform their customers of any changes to their existing privacy policies and prohibits sharing customers’ nonpublic personal information with nonaffiliated third parties without first giving those customers notice and the opportunity to opt out. Beyond the privacy-notice requirements, however, the law itself does not spell out exactly which operational steps an institution must take to fulfill its obligations.
In practice, due diligence in avoiding unauthorized disclosures of PIFI involves the following:
Privacy policies are a kind of documentation financial institutions must provide customers. These policies must disclose how the institution uses PIFI and must also give customers options to restrict that use.
The law requires institutions to use privacy policies to ensure that customers’ choices control how their PIFI is used and shared. Privacy policies also tell customers how to access and delete their PIFI when closing accounts with an institution.
While privacy policies cover a financial institution’s external agreements with customers, PII policies focus on how organizations handle PIFI internally, regardless of individual customer consent. PII policies specify how staff who have access to customer PIFI can store and transmit information to minimize the risk of unauthorized exposure. Although the details of any particular PII policy will depend partially on the technologies and applications an organization uses, common best practices will minimally include the following stipulations:
Privacy and PII policies regulate activities to protect PIFI. Beyond observing these policies, organizations can further reduce the risk of PIFI exposure by modernizing the workflows where exposure is most likely. In the financial industry, document collection processes are often the weakest point in secure data handling.
There are several best practices that organizations should follow in order to protect personally identifiable financial information. These include:
Many institutions still rely on ad hoc collection methods involving email, paper documents, and digital documents uploaded through a variety of unrelated applications. Each of these channels leaves copies of PIFI in places the institution does not control or monitor. Adopting an integrated document collection platform with secure client portals for all submissions removes most of that exposure while reducing the time and effort involved for staff.
FileInvite gives your clients access to a single, secure document portal for documentation, making the collection process for loan applications both easier and safer. Running on bank-grade, SOC 2 Type 2 security, FileInvite radically improves loan processing efficiency while giving you the peace of mind that your clients’ PIFI is thoroughly protected.
To learn more and request a demo, visit FileInvite today.