Nonpublic Personal Information (NPI)

Financial Regulation

What Is Nonpublic Personal Information?

Nonpublic Personal Information (NPI) is any personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.

Nonpublic Personal Information (NPI) is a specific category of protected data under United States federal law, namely the Gramm-Leach-Bliley Act (GLBA). It refers to any personally identifiable financial information that a consumer provides to a financial institution to obtain a financial product or service, any information that results from a transaction involving that product or service, and any information the institution otherwise obtains about the consumer in connection with providing it.

The critical distinction is the word "nonpublic": the information is not generally available to the public. For instance, a phone number listed in a public directory is not NPI. However, if a customer gives an unlisted phone number to a bank for account verification, that number becomes NPI within the bank's records. This nuance matters to data protection officers and compliance departments, because it determines which datasets must be encrypted, access-restricted, and monitored to federal standards.

NPI covers a broad range of data points, including:

  • Information on an application for a loan or credit card (name, address, income, Social Security number).
  • Account information (balances, payment history, credit card purchases).
  • Credit reports and scores obtained from third-party bureaus.
  • The fact that an individual is a customer of a particular financial institution.

The regulation is designed to protect consumer privacy by restricting how financial institutions can share this sensitive data with third parties. It recognizes that in the digital age a person's financial footprint is highly revealing and must be handled with great care to prevent identity theft and financial fraud.

Key Takeaways

  • NPI includes sensitive data like Social Security numbers, account balances, transaction history, and credit scores.
  • The term is defined and regulated under the Gramm-Leach-Bliley Act (GLBA) of 1999.
  • Financial institutions must provide customers with a privacy notice explaining what NPI is collected and how it is shared.
  • Consumers generally have the right to "opt out" of having their NPI shared with non-affiliated third parties.
  • Information that is lawfully available to the general public (e.g., from government records or wide media distribution) is not considered NPI.
  • Protecting NPI is a core compliance requirement for banks, broker-dealers, and insurance companies.

How NPI Is Regulated

The handling of NPI is strictly governed by the "Financial Privacy Rule" of the GLBA. This rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The notice must be clear, conspicuous, and easy for the average consumer to understand. It must explain:

1. The types of NPI the institution collects (e.g., from applications, transactions, or cookies).
2. The types of NPI the institution shares with other companies.
3. The types of third parties (affiliates and non-affiliates) with whom the NPI is shared.
4. How the institution protects the confidentiality and security of the NPI in its possession.

Crucially, the regulation gives consumers the right to "opt out" of having their NPI shared with certain non-affiliated third parties. If a consumer opts out, the financial institution is prohibited from sharing that information, with some exceptions (such as processing transactions, preventing fraud, or complying with a subpoena). This opt-out mechanism is the primary way consumers can exercise control over their personal data.

Furthermore, the "Safeguards Rule" under the GLBA requires financial institutions to develop a written information security plan that describes their program to protect the confidentiality and integrity of customer information. This ensures that NPI is not just legally protected from sharing but also technically protected from data breaches and cyber threats. The plan must include administrative, technical, and physical safeguards tailored to the size and complexity of the institution.

Real-World Example: Opt-Out Right

Consider a consumer, John, who opens a checking account with "Bank A." During the account opening process, John provides his Social Security number, annual income, and employment history. All of this is Nonpublic Personal Information (NPI). A few months later, Bank A decides to partner with an unrelated insurance company to market life insurance products to its wealthy customers. Bank A plans to share a list of customers who maintain a balance over $50,000, along with their contact information.

Step 1: Before sharing the list, Bank A must send John a privacy notice.
Step 2: The notice states that Bank A shares NPI with non-affiliated insurance companies for marketing purposes.
Step 3: The notice provides a method for John to "opt out" (e.g., a toll-free number or a checkbox on a form).
Step 4: John reads the notice and decides he does not want his information shared. He calls the number to opt out.
Step 5: Bank A must now remove John's name and data from the list it sends to the insurance company.

Result: Because John exercised his right to opt out, Bank A is legally prohibited from sharing his NPI with the third-party insurer. If Bank A had shared it anyway, it would be in violation of the GLBA and subject to heavy fines.

NPI vs. Public Information

It is important to understand the boundary between NPI and public information. Information is generally considered "public" if a financial institution has a reasonable basis to believe that it is lawfully made available to the general public from:

  • Federal, state, or local government records (e.g., property tax records, mortgage liens, or bankruptcy filings).
  • Widely distributed media (e.g., telephone books, newspapers, or authorized public websites).
  • Disclosures to the general public that are required to be made by federal, state, or local law.

However, even if a piece of information is publicly available (like a home address), it can become NPI depending on the context. For example, a list of all people who live on Main Street is public information. But a list of "Bank A customers who live on Main Street and have a mortgage" is NPI, because it reveals the existence of a customer relationship and specific financial product usage. This contextual sensitivity is a hallmark of modern data privacy law.

Financial institutions must also be careful with "derived data." If a bank uses public data to create a proprietary profile of a customer's spending habits or creditworthiness, that derived profile is typically considered NPI and must be protected as such. The goal is to ensure that any data linking an identifiable individual to their private financial life is shielded from unauthorized exposure.

Important Considerations for Consumers

Consumers should carefully read the privacy notices they receive from their banks, credit card companies, and other financial service providers. While these documents can be long, they are the primary way to understand how your data is being used and to exercise your rights under the law. While you can opt out of sharing with non-affiliated third parties for marketing, you generally cannot opt out of:

  • Sharing with affiliates (other companies owned by the same parent bank, such as a mortgage subsidiary).
  • Sharing necessary to process your transactions (e.g., the bank sending your data to a check printer or a payment processor).
  • Sharing for legal or compliance reasons (e.g., reporting to credit bureaus or responding to a court order).
  • Joint marketing agreements where the bank partners with another financial institution to offer a bundled product, such as a co-branded credit card.

In the event of a data breach involving NPI, financial institutions are required by various state and federal laws to notify affected consumers. John and other consumers should monitor their credit reports and account statements regularly to identify any unauthorized activity that might result from the exposure of their NPI. Proactive steps such as placing a credit freeze or setting up fraud alerts provide an additional layer of security beyond the legal protections of the GLBA.

FAQs

Generally, no. NPI specifically refers to financial information. Medical information is protected under a different law called HIPAA (Health Insurance Portability and Accountability Act). However, if you provide medical information to a life insurer for underwriting purposes, that specific data held by the insurer is subject to strict privacy rules, often overlapping with state insurance laws and the GLBA.

No. The GLBA protections for Nonpublic Personal Information apply only to "consumers"—individuals who obtain financial products or services primarily for personal, family, or household purposes. Information about businesses, corporations, or commercial accounts is not considered NPI under this specific regulation, though other data protection laws may apply.

Financial institutions can face significant penalties for violating the GLBA. Enforcement is handled by various federal agencies, including the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and banking regulators like the OCC. Penalties can include massive fines for the institution and, in severe cases, imprisonment for officers who knowingly violate the law.

Yes, your credit score and the information contained in your credit report are considered Nonpublic Personal Information when held by a financial institution. This is why lenders must have a "permissible purpose" to access your credit report and must protect that data once they have it. Even the fact that you have a certain credit score is considered sensitive data.

No. You cannot opt out of sharing that is essential for the bank to conduct its business, such as processing your payments, preventing fraud, or complying with the law. You also typically cannot opt out of the bank sharing information about its own transactions and experiences with you (like your payment history) with its own affiliates. You can only opt out of sharing with non-affiliated third parties for marketing purposes.

The Bottom Line

Nonpublic Personal Information (NPI) is a cornerstone concept in modern financial privacy, defining the critical boundary between what institutions must keep strictly private and what is considered part of the public domain. Grounded in the Gramm-Leach-Bliley Act of 1999, NPI regulations ensure that the sensitive financial data you entrust to banks and lenders—from your annual income and Social Security number to your account balances and transaction history—cannot be sold, shared, or otherwise disclosed to non-affiliated third parties without your explicit knowledge and, in many cases, your consent. While the "privacy notices" we receive in the mail may seem like boilerplate legalese, they are the vital legal mechanism that empowers consumers to control their digital financial footprint in an increasingly connected world. Protecting NPI is not just a legal requirement for financial institutions; it is a fundamental component of building and maintaining customer trust. Understanding NPI helps you recognize your rights to privacy and the significant obligations your financial providers must meet to keep your financial life secure from unauthorized access and exploitation.

