Sensitive & Confidential Information Policy for Financial Professionals

Nancy Flynn, Founder and Executive Director, The ePolicy Institute™

Financial institutions and financial services firms are obligated to protect the privacy of their businesses, employees, customers, consumers, suppliers, and other internal and external parties. To that end, best practices call for the establishment of a Confidential & Sensitive Information Policy, governing the acquisition, use, disclosure, retention, and deletion of critical information and business records. Policy should apply to hard-copy documents, verbal conversations, and electronic communications conducted via employer-provided and personally owned systems, sites, accounts, and devices.

Three Types of Confidential & Sensitive Information

The financial industry is obligated to comply with federal and state laws and industry and government regulations governing the handling of three types of information:

  1. Nonpublic personal information (NPI).
  2. Personally identifiable information (PII).
  3. Business records.

GLBA Demands the Protection of Consumer and Customer NPI

Nonpublic personal information (NPI) is defined by law as sensitive financial information that is: (1) collected by a financial institution while providing products or services; (2) can identify an individual; and (3) is not publicly available. Examples of NPI are names, account numbers and balances, loan applications, and credit card or debit card applications.

Under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, financial institutions—companies that offer financial products or services like loans, financial guidance, investment advice, or insurance—must protect the sensitive NPI of customers and consumers. Don’t assume your employees know the difference between a consumer and a customer. Provide clear definitions that leave no room for individual interpretation.

  • Consumers – The Federal Trade Commission, which enforces GLBA, defines a consumer as anyone who obtains a financial product or service from a financial company for personal, family, or household purposes. Consumers are individuals, not commercial clients.
  • Customers – A customer is a consumer who has a continuing relationship with a financial company. Individuals who use ATMs at financial institutions where they do not have accounts are consumers. Individuals who open credit card accounts with financial institutions are customers.

State Law Governs PII

Personally identifiable information (PII) is sensitive information that, when used alone or in combination with other relevant data, can identify an individual (customer, consumer, employee, job applicant, or vendor). PII includes names, birthdates, phone numbers, and Social Security numbers among other personal information that could harm one if disclosed to the wrong people. Data breach notification laws in all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands require the financial industry to protect PII from data breaches and theft.

Use Confidential & Sensitive Information Policy, supported by employee education and technology solutions, to help ensure the privacy of individuals and the integrity of sensitive NPI and PII.

Business Records Keep Financial Companies Up & Running

Business records are confidential information that financial institutions and financial services firms are obligated to manage effectively. Business records provide evidence of business-related activities, events, and transactions. Business records are retained according to their ongoing business, legal, operational, and historic value. Business records focus on content—the value and future use of information—not format or storage mechanism.

Business records are critical to day-to-day activities including decision making, financial planning, customer relations, human resources management, and legal compliance. Business records can take the form of traditional hard-copy letters, proposals, contracts, and other information we typically think of as paper records. Business records can include electronic messages, posts, and publications generated by email, text messages, instant messages, social media, and other electronic communications tools.

Distinguish Between Records and Non-Records

The ability to accurately distinguish between business records and non-records (nonessential, purely personal, or otherwise insignificant non-business-related information) could have an enormous impact on your financial organization in the event of a lawsuit or regulatory audit. Not every electronic message created, acquired, used, or retained is a business record. Messages that are unrelated to business are non-records.

Here’s the difference:

  • Business Record – An email from HR to employees, announcing staff layoffs and spelling out terms, would be a business record. It memorializes—provides evidence of—a business event that impacts your organization, employees, and future. As a business record, the layoff email could be used as evidence in unemployment compensation claims, severance package negotiations, age discrimination lawsuits, or other legal actions. As a business record, it must be preserved, protected, produced, and purged in accordance with your Record Retention Policy.
  • Non-Record – An email from one employee to another, announcing a child’s college graduation, would be a non-record. A purely personal communication between work friends, this email does not provide evidence of business-related activities, events, or transactions. It does not have ongoing business, legal, operational, or historic value. It does not need to be retained or relinquished to the court in response to a subpoena.

Adopt the 3Es of Confidential & Sensitive Information Management

Legal and regulatory compliance requires the financial industry to shield NPI, PII, and business records from unauthorized exposure, alteration, or destruction.

To help reduce risks and increase compliance, employers in the financial arena should adopt the 3Es of confidential and sensitive information management:

  1. Establish best practices-based Confidential & Sensitive Information Policy and Record Retention Policy, as well as a record retention and deletion schedule.
  2. Educate employees about record risks, organizational rules, and individual roles. Define confidential and sensitive information. Teach employees to distinguish between business records and non-records. Ensure that each type of information is handled in compliance with up-to-date policies and procedures.
  3. Enforce policies through a combination of disciplinary action, workforce training, and best-in-class technology solutions designed to manage content, use, and records.

Nancy Flynn is the founder of The ePolicy Institute, the world’s leading electronic policy writing and training firm. Trusted for her knowledge and integrity, Nancy Flynn is a go-to media source who serves as an expert witness in policy-related litigation. Visit to learn more.