Nonpublic Personal Information (NPI)
What Is Nonpublic Personal Information?
Nonpublic Personal Information (NPI) is any personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.
Nonpublic Personal Information (NPI) is a specific category of protected data under United States federal law, specifically the Gramm-Leach-Bliley Act (GLBA). It refers to any personally identifiable financial information that a consumer provides to a financial institution to obtain a financial product or service, or information that results from any transaction involving the financial product or service. This also includes any information the institution otherwise obtains about the consumer in connection with providing the product or service. The critical distinction of "nonpublic" means the information is not generally available to the public. For instance, a phone number listed in a public directory is not NPI. However, if a customer gives their unlisted phone number to a bank for account verification, that number becomes NPI within the bank's records. NPI covers a broad range of data points, including:
- Information on an application for a loan or credit card (name, address, income, Social Security number).
- Account information (balances, payment history, credit card purchases).
- Credit reports and scores.
- The fact that an individual is a customer of a particular financial institution.
The regulation is designed to protect consumer privacy by restricting how financial institutions can share this sensitive data with third parties.
Key Takeaways
- NPI includes sensitive data like Social Security numbers, account balances, transaction history, and credit scores.
- The term is defined and regulated under the Gramm-Leach-Bliley Act (GLBA) of 1999.
- Financial institutions must provide customers with a privacy notice explaining what NPI is collected and how it is shared.
- Consumers generally have the right to "opt out" of having their NPI shared with non-affiliated third parties.
- Information that is lawfully available to the general public (e.g., from government records or wide media distribution) is not considered NPI.
- Protecting NPI is a core compliance requirement for banks, broker-dealers, and insurance companies.
How NPI Is Regulated
The handling of NPI is strictly governed by the "Financial Privacy Rule" of the GLBA. This rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. This notice must explain:
1. The types of NPI the institution collects.
2. The types of NPI the institution shares.
3. The types of third parties (affiliates and non-affiliates) with whom the NPI is shared.
4. How the institution protects the confidentiality and security of the NPI.
Crucially, the regulation gives consumers the right to "opt out" of having their NPI shared with certain non-affiliated third parties. If a consumer opts out, the financial institution is prohibited from sharing that information, with some exceptions (such as for processing transactions or preventing fraud). Furthermore, the "Safeguards Rule" under the GLBA requires financial institutions to develop a written information security plan that describes their program to protect the confidentiality and integrity of customer information. This ensures that NPI is not just legally protected from sharing but also technically protected from data breaches and cyber threats.
Real-World Example: Opt-Out Right
Consider a consumer, John, who opens a checking account with "Bank A." During the account opening process, John provides his Social Security number, annual income, and employment history. All of this is Nonpublic Personal Information (NPI). A few months later, Bank A decides to partner with an unrelated insurance company to market life insurance products to its wealthy customers. Bank A plans to share a list of customers who maintain a balance over $50,000, along with their contact information.
NPI vs. Public Information
It is important to understand the boundary between NPI and public information. Information is generally considered "public" if a financial institution has a reasonable basis to believe that it is lawfully made available to the general public from:
- Federal, state, or local government records (e.g., property tax records, mortgage liens).
- Widely distributed media (e.g., telephone books, newspapers, public websites).
- Disclosures to the general public that are required to be made by federal, state, or local law.
However, even if a piece of information is publicly available (like a home address), it can become NPI depending on the context. For example, a list of all people who live on Main Street is public information. But a list of "Bank A customers who live on Main Street and have a mortgage" is NPI, because it reveals the existence of a customer relationship and financial product usage.
Important Considerations for Consumers
Consumers should carefully read the privacy notices they receive from their banks, credit card companies, and other financial service providers. These notices are the primary way to understand how your data is being used and to exercise your rights. While you can opt out of sharing with non-affiliated third parties for marketing, you generally cannot opt out of:
- Sharing with affiliates (other companies owned by the same parent bank).
- Sharing necessary to process your transactions (e.g., the bank sending your data to a check printer).
- Sharing for legal or compliance reasons (e.g., reporting to credit bureaus or responding to a subpoena).
- Joint marketing agreements where the bank partners with another financial institution to offer a bundled product.
FAQs
Generally, no. NPI specifically refers to financial information. Medical information is protected under a different law called HIPAA (Health Insurance Portability and Accountability Act). However, if you provide medical information to a life insurer for underwriting purposes, that specific data held by the insurer is subject to strict privacy rules, often overlapping with state insurance laws.
No. The GLBA protections for Nonpublic Personal Information apply only to "consumers"—individuals who obtain financial products or services primarily for personal, family, or household purposes. Information about businesses or commercial accounts is not considered NPI under this regulation.
Financial institutions can face significant penalties for violating the GLBA. Enforcement is handled by various federal agencies, including the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and banking regulators. Penalties can include fines for the institution and, in severe cases, imprisonment for officers who knowingly violate the law.
Yes, your credit score and the information contained in your credit report are considered Nonpublic Personal Information when held by a financial institution. This is why lenders must have a "permissible purpose" to access your credit report and must protect that data once they have it.
No. You cannot opt out of sharing that is essential for the bank to conduct its business, such as processing your payments, preventing fraud, or complying with the law. You also typically cannot opt out of the bank sharing information about its own transactions and experiences with you (like your payment history) with its own affiliates.
The Bottom Line
Nonpublic Personal Information (NPI) is a cornerstone concept in financial privacy, defining the boundary between what institutions must keep private and what is public domain. Grounded in the Gramm-Leach-Bliley Act, NPI regulations ensure that the sensitive financial data you entrust to banks and lenders—from your income to your account numbers—cannot be sold or shared willy-nilly without your knowledge or consent. While the "privacy notices" we receive in the mail may seem like boilerplate legalese, they are the legal mechanism that empowers consumers to control their digital financial footprint. Understanding NPI helps you recognize your rights to privacy and the obligations your financial providers must meet to keep your financial life secure.